WO2007126049A1 - プログラム難読化システム、プログラム難読化装置及びプログラム難読化方法 - Google Patents
プログラム難読化システム、プログラム難読化装置及びプログラム難読化方法 Download PDFInfo
- Publication number
- WO2007126049A1 WO2007126049A1 PCT/JP2007/059158 JP2007059158W WO2007126049A1 WO 2007126049 A1 WO2007126049 A1 WO 2007126049A1 JP 2007059158 W JP2007059158 W JP 2007059158W WO 2007126049 A1 WO2007126049 A1 WO 2007126049A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- conversion
- input
- program
- multiplication
- information
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims description 285
- 238000006243 chemical reaction Methods 0.000 claims description 444
- 230000001419 dependent effect Effects 0.000 claims description 70
- 230000009466 transformation Effects 0.000 claims description 65
- 238000004590 computer program Methods 0.000 claims description 19
- 238000004891 communication Methods 0.000 claims description 8
- 238000012795 verification Methods 0.000 claims description 3
- 238000009825 accumulation Methods 0.000 claims 1
- 238000012545 processing Methods 0.000 description 342
- 230000008569 process Effects 0.000 description 164
- 238000007792 addition Methods 0.000 description 103
- 238000004364 calculation method Methods 0.000 description 46
- 238000010586 diagram Methods 0.000 description 15
- 230000006870 function Effects 0.000 description 14
- 230000010365 information processing Effects 0.000 description 11
- FFBHFFJDDLITSX-UHFFFAOYSA-N benzyl N-[2-hydroxy-4-(3-oxomorpholin-4-yl)phenyl]carbamate Chemical compound OC1=C(NC(=O)OCC2=CC=CC=C2)C=CC(=C1)N1CCOCC1=O FFBHFFJDDLITSX-UHFFFAOYSA-N 0.000 description 10
- 238000003672 processing method Methods 0.000 description 9
- 238000005516 engineering process Methods 0.000 description 8
- 238000004458 analytical method Methods 0.000 description 5
- 230000014509 gene expression Effects 0.000 description 5
- 238000003780 insertion Methods 0.000 description 4
- 230000037431 insertion Effects 0.000 description 4
- 230000010354 integration Effects 0.000 description 4
- 238000013507 mapping Methods 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 244000309464 bull Species 0.000 description 2
- 239000000470 constituent Substances 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 206010011878 Deafness Diseases 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000007717 exclusion Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000000844 transformation Methods 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/16—Obfuscation or hiding, e.g. involving white box
Definitions
- Program obfuscation system Program obfuscation system, program obfuscation device and program obfuscation method
- the present invention relates to a computer program obfuscation technique as an information security technique.
- encryption technology is embodied as encryption software which is a computer program, and is used for secret communication, protection of privacy, confirmation of a communication partner, etc.
- obfuscation processing (steps S 9001 to S 9002) is applied to a normal program 9000 prior to obfuscation such as an encryption program for common key encryption and a decryption program. Generate and output a custom program 9002. The details of this obfuscation method are explained below.
- a plurality of program instructions constituting normal program 9000 are divided into processing l to n (n is a natural number) using keys key to key in common key encryption.
- step S9001 And generate a processing division program 9001 including the processing l to n (step S9001).
- step S9001 insert the output value conversion ⁇ and the output value inverse conversion ⁇ 1 ;
- output value conversion ⁇ and output value inverse conversion ⁇ 1 are inserted, and immediately after process 3, the output value
- a table RT is generated by tabulating the process 1 and the output value conversion ⁇ , and the output value is generated.
- a table RT is generated by tabulating the inverse transformation ⁇ 1 , the processing 2 and the output value transformation ⁇ ,
- Program 9002 is generated (step S9002).
- FIG. 40 shows an example of a table generated by the conventional obfuscation method. As shown in the figure, for each input value in included in the set 9011, the intermediate value a is calculated by processing 1
- step S 9003 1 calculation (step S 9003), and for each intermediate value a, it is a random bijective transformation
- Patent Document 1 International Publication WO02Z46890 Pamphlet
- Non-Patent Document 1 Okamoto Takuaki, Yamamoto Hiroshi, “Contemporary Cryptography”, Industrial Books (1997)
- Non-Patent Document 2 H. Cohen, A Course in Computational Algebraic Number Tneory, G f
- the present invention is directed to a program obfuscation system, a program obfuscation apparatus, a program obfuscation method, a program obfuscation program, and a program obfuscation program, in which the difficulty of program analysis is further enhanced in order to respond to the above requests.
- the purpose is to provide a recording medium that
- the present invention is a program obfuscation apparatus for obfuscating an information security program including a security operation that securely or reliably handles target information using key information,
- a plurality of basic operations including a first basic operation requiring a plurality of inputs and a second basic operation requiring only a part of the plurality of inputs are arranged in an order determined by key information so as to be equivalent to security operations.
- Conversion means for arranging the input dependent inverse conversion which is the input dependent conversion and its inverse conversion, and the input dependence immediately before arranged for each second basic operation And a table for generating a table that obtains an operation result equivalent to a set of operations consisting of the second basic operation and the input dependent inverse transformation placed immediately after, and generating a reference instruction that refers to the table. It is characterized by comprising generation means, and output means for outputting an obfuscated program including the generated table and the reference instruction.
- the second basic operation of the first basic operation requiring multiple inputs and the second basic operation requiring only a part of the multiple inputs may be performed before or after the second basic operations.
- An input-dependent conversion that depends on inputs not required in the second basic operation and an input-dependent inverse conversion that is an inverse conversion thereof are arranged to reduce the difference in the number of inputs of the first basic operation and the second basic operation, It is possible to further increase the difficulty of program analysis against attacks due to the difference in the number of inputs.
- the conversion means further needs, in each of the first basic operations included in the information security program, either before or after the first basic operation, or in both of the first basic operations.
- the input dependent transformation which depends on the input and the input dependent inverse transformation which is the inverse transformation may be arranged.
- an input-dependent conversion that depends on an input that is not required in the second basic operation and / or its inverse conversion may be performed either before or after the first basic operation, or both.
- the placement of certain input-dependent inverse transforms can make program analysis more difficult.
- the input dependent conversion is subtraction
- the input dependent inverse conversion is addition
- the conversion means further includes, for each of the other basic operations except for the basic operation placed at the beginning of the information security program, immediately before the basic operation and immediately before the basic operation. Arrangement of a first conversion operation that performs a first conversion on the operation result of the basic operation, and a second conversion operation that performs a second conversion that is the inverse conversion of the first conversion on the operation result of the first conversion operation
- the table generation unit further obtains a table equivalent to a set of operations consisting of a basic operation placed at the beginning of the information security program and a first conversion operation placed immediately after that.
- the conversion means decomposes the basic operation, the subtraction, the addition, the first conversion operation, and the second conversion operation for each digit to generate a plurality of digit operations,
- To obtain the operation result equivalent to the generated digit operation generate a digit operation table, generate a digit operation reference instruction referring to the digit operation table, and generate each basic operation arranged in the middle , Generated so as to obtain an operation result equivalent to a set of operations consisting of the subtraction placed immediately before, the basic operation and the addition placed immediately after, the second conversion operation, and the first conversion operation.
- Equivalent to the digit operation Generates a digit operation table from which an arithmetic result can be obtained, generates a digit operation reference instruction that refers to the digit operation table, and performs a basic operation placed at the end of the information security program and a second conversion placed immediately before that.
- a digit operation reference instruction that generates a digit operation table from which an operation result equivalent to the generated digit operation is obtained so as to obtain an operation result equivalent to a set of operations including operations, and refers to the digit operation table
- the output means may output the obfuscated program including the generated digit operation table and the digit operation reference instruction.
- the table generation unit is configured to generate a predetermined number of digit operation tables. You may select one table from a common table.
- the table generation means selects from a predetermined number of shared tables, the total amount of tables to be held can be reduced.
- the security operation is an exponentiation operation C n mod n on target information C using a secret key d which is key information under the modulus n, and the security operations are arranged in an order determined by the key information
- the plurality of basic operations having different numbers of inputs are equivalent to modular exponentiation operations C n mod n, and each bit of multiplication residue operation, squaring residue operation, and force secret key d as the basic operation by the binary method
- the transformation means is arranged based on the value, and the conversion means is provided one before the multiplication remainder operation or the second remainder operation immediately before and after the multiplication residue operation or the second remainder operation placed in the middle.
- the table generation means arranges the subtraction, the multiplication remainder operation or the remainder operation immediately before for each of the multiplication residue operation or the second remainder operation placed in the middle, Multiplication residue operation and placement immediately after The Choi as to generate a table for obtaining a calculation result of a set of operations equivalent comprising the addition power.
- the security operation is a modular exponentiation operation C n mod n on the target information C using the secret key d which is key information under the modulus n .
- the security is to some extent It is possible to use established RSA cryptographic techniques.
- the security operation is an exponentiation residue operation C n mod n on target information C using the secret key d which is key information under the modulus n, and the number of inputs arranged in the order determined by the key information
- the plurality of different basic operations are based on each bit value of the multiplication residue operation, the square residue operation, and the force secret key d as the basic operation by the binary method so that the plurality of basic operations become equivalent to the exponentiation residue operation C n mod n
- the conversion means decomposes each modular multiplication operation arranged in the middle and arranges the multiplication operation and the modular operation, and immediately before and immediately after the arranged multiplication operation, Subtraction and addition depending on one input value to the multiplication operation are arranged, and each 2nd modular multiplication operation arranged in the middle is decomposed into 2 multiplication operation and remainder operation, and 2 Immediately before and after the multiplication operation, the two multiplication operations are performed.
- said table generating means for each multiplication operation or each square operation, which is disposed intermediate the decrease, which is arranged immediately before A table may be generated to obtain an operation result equivalent to the operation of one ffi ⁇ consisting of an arithmetic operation, the multiplication operation or the squaring operation and the addition immediately after the operation! /.
- the modular multiplication operation and the modular multiplication residue operation in the modular exponentiation operation C n mod n are respectively decomposed to arrange the multiplier operation and modular operation, and the modular multiplication operation and modular multiplication operation. Since the subtraction and addition are arranged immediately before and after the operation, and the subtraction and addition are arranged immediately before and immediately after the 2 multiplication operation, the difficulty of program analysis can be further enhanced. Since the subtraction and addition depending on the input value are arranged, the operation result is equivalent to the case of not arranging.
- FIG. 1 is a diagram showing a conversion from a normal program 5001 to an obfuscated program 5002 in the first embodiment.
- FIG. 2 is a diagram showing the obfuscation mark of multiplication and the obfuscation mark of 2 multiplication in the first embodiment.
- FIG. 3 is a block diagram showing the configuration of an obfuscation system 1 according to a second embodiment.
- FIG. 4 is a view showing the concept of the first obfuscation method by obfuscation system 1;
- FIG. 5 is a diagram showing the configuration of transform multiplication residue processing.
- FIG. 5 (b) shows the case of 2 ⁇ i ⁇ k ⁇ 1
- Fig. 6 shows the configuration of the conversion multiplication residue processing in which input value conversion and output value conversion are inserted when 2 ⁇ i ⁇ k-l.
- Fig. 6 (b) shows The configuration of multiplication and remainder processing after division in the case of ⁇ i ⁇ k ⁇ 1 is shown.
- FIG. 8 shows a configuration of a conversion multiplication process divided into each digit when 2 ⁇ i ⁇ k-1.
- Fig. 8 (a) shows the transform multiplication process before division
- Fig. 8 (b) shows the transform multiplication process after division.
- FIG. 10 shows the configuration of each addition process in the case of division by digit.
- FIG. 11 shows the configuration of divided conversion remainder processing.
- FIG. 12 shows the configuration of multiplication processing in the case where each digit is further divided.
- FIG. 14 is a diagram showing the configuration of multiplication processing 1002 divided for RT.
- FIG. 15 is a diagram showing the configuration of multiplication processing 1002 divided for RT. On the drawing
- FIG. 16 is a diagram showing the configuration of multiplication processing 1004 divided for RT (2 ⁇ i ⁇ k ⁇ l).
- FIG. 17 shows a configuration of multiplication processing 1004 divided for RT (2 ⁇ i ⁇ k ⁇ l).
- input value conversion and output value conversion are clarified.
- FIG. 18 is a diagram showing the configuration of multiplication processing 1009 divided for RT.
- FIG. 19 is a diagram showing the configuration of multiplication processing 1009 divided for RT. On the drawing k
- FIG. 20 A configuration of divided remainder processing 1005 is shown. Continue to Figure 21.
- FIG. 21 shows the configuration of divided remainder processing 1005. Continue to Figure 22.
- FIG. 22 shows the configuration of divided remainder processing 1005. Continue to Figure 23.
- FIG. 23 The structure of the divided remainder processing 1005 is shown. Continue from Figure 22.
- FIG. 25 A specific example of the table of RM shown in Fig. 17 for RT (2 ⁇ i ⁇ k-l) is shown.
- Figures 26 (a), 26 (b), 26 (c) and 26 (d) show the conversion in RM shown in Figure 17 for RT. (2 ⁇ i ⁇ k-1) respectively.
- FIG. 27 The details of RM shown in Fig. 19 are shown for RT.
- FIG. 28 A specific example of RM table shown in Fig. 19 is shown for RT.
- Fig. 29 Fig. 29 (a), Fig. 29 (b), Fig. 29 (c) and Fig. 29 (d) are each for RT in Fig.
- FIG. 30 Details of RA shown in Fig. 15 for RT.
- FIG. 31 A specific example of the table of RA shown in Fig. 15 for RT is shown.
- Fig. 32 [Fig. 32] Fig. 32 (a), Fig. 32 (b) and Fig. 32 (c) show the R shown in Fig. 15 for RT.
- Fig. 33 is a diagram illustrating the configuration of the obfuscation device 100.
- FIG. 34 is a diagram showing the configuration of a cryptographic processing device 300.
- FIG. 35 is a flowchart showing an operation at the time of obfuscation processing by the obfuscation device 100.
- FIG. 36 is a flowchart showing an operation of decryption processing by the cryptographic processing device 300.
- FIG. 37 is a flowchart showing an operation of a signature generation process by the cryptographic processing device 300.
- FIG. 38 A flowchart showing an operation of the table by the obfuscation device 100.
- ⁇ 39 is a diagram showing a procedure of processing of a conventional obfuscation method.
- FIG. 40 is a view showing an example of a table of a conventional obfuscated reading method.
- FIG. 41 Details of RM shown in Fig. 15 for RT.
- Figs. 42 (a), 42 (b) and 42 (c) show the R shown in Fig. 15 for RT respectively.
- FIG. 43 A specific example of the RM table shown in Fig. 15 for RT is shown.
- a secret key d which is a positive integer is used to calculate M which is a decrypted text of a ciphertext C.
- Such an operation may be called a security operation.
- n is a product of a prime number p and a prime number q
- ⁇ indicates a power of X
- X mod Y is a value when X is divided by Y. It shows the remainder.
- the normal program 5001 before obfuscation which is a decryption program of RSA encryption, includes 2 multiplication S5011, multiplication S5012, ⁇ , multiplication S5013! /.
- the order in which multiplication and 2 multiplication are applied depends on the value of the secret key d.
- the secret key d is n bits long, and as an example, the secret key d is "01 ⁇ ⁇ ⁇ 1".
- This obfuscation method uses the output value conversion ⁇ S 5031 and the output value inverse immediately after the operation KS 5011).
- Output value inverse transform ⁇ 1 is inserted, and immediately after operation 3, output value transform ⁇ and output value inverse transform ⁇
- this obfuscation method is taped with calculation XI (S5011) and output value conversion ⁇ S5031
- Norei ⁇ is generated to generate the tape Nore RT 5021, the output value reverse conversion ⁇ — 1 S 5032, operation X 2 (S 501
- output value conversion and output value inverse conversion are inserted as a set before and after an operation on the way except for the first and last operations.
- the first operation and output value conversion are tabulated.
- the output value inverse conversion, the operation and the output value inverse conversion are tabulated.
- the output value reverse conversion and the corresponding Make calculations and calculations are inserted as a set before and after an operation on the way except for the first and last operations.
- the input values to be used are different between multiplication and 2 multiplication. That is, as shown in FIG. 2 (a), in the multiplication, the second input value in1 is multiplied by the second input value in2, as shown in FIG. 2 (b). In multiplication, only the first input value inl is used to perform 2 multiplication of the first input value inl.
- the output of the multiplication table depends on both inl and in2, and the output of the 2-multiplication table depends only on inl.
- the order of multiplication and 2 multiplication may be inferred, and as a result, the value of the secret key may be known.
- the second embodiment shown below is intended to solve the problems according to the first embodiment and to prevent an attack due to the difference in the number of inputs between multiplication and 2 multiplication.
- the configuration of the obfuscation system 1 according to the second embodiment is shown in FIG.
- the obfuscation system 1 receives the secret key d as an input value, generates an obfuscation program with the input value, and outputs the obfuscated program generated, and a medium for recording the obfuscated program output. 200 and read obfuscated program from medium 200 and execute obfuscated program read out And a cryptographic processing device 300 which generates a decrypted text from the ciphertext or generates signature data from the message.
- the obfuscation apparatus 100 performs obfuscation to calculate X ′ ′ d mod n for the secret key d and the target data X used for decryption of the RSA encryption and signature generation.
- the program is generated, and the generated obfuscation program is recorded on the medium 200.
- the cryptographic processing device 300 reads the obfuscated program recorded on the medium 200, and the obfuscated reading is performed by the CPU included in the cryptographic processing device 300.
- the decrypted text is generated from the ciphertext, or the message strength also generates the signature data.
- the public key and the secret key are calculated as follows.
- L is mutually prime (the greatest common divisor with L is 1) and smaller than L, and a natural number e is randomly selected.
- GCD (e, L) indicates the greatest common divisor of e and L.
- the ciphertext c is calculated by performing the following cryptographic operation on the plaintext m using the public key integer e and the integer n. However, the plaintext m is smaller than the integer n.
- the RSA encryption method is described in detail on pages 110 to 113 of Non-Patent Document 1.
- the key generation method is the same as the RSA encryption method.
- the signature value S is calculated by raising the hash value h to the power of d.
- the value encrypted by RSA encryption is the signature data S.
- Hash (D) is calculated, and S'e mod n ( Calculate the signature data S (corresponding to the value decrypted by RSA encryption). Next, it is checked whether Hash (D) and S'e mod n are equal. If they are equal, the signature data S is accepted as the correct signature. If not equal, it is rejected as the signature data S is an incorrect signature.
- the RSA signature is described in detail on pages 175 to 176 of Non-Patent Document 1.
- the normal program before obfuscation to be obfuscated by the obfuscator 100 includes an instruction to calculate a power value X "d mod n for the target data X.
- Such a modular exponentiation is used for security. Sometimes called operation.
- This normal program uses a binary exponentiation operation as the exponentiation operation.
- the power operation by the binary method is a method of calculating the value of an expression (generally called power surplus) such as X "d mod n by repeating multiplication and 2 multiplication. Details of the binary method The method is described in Non-Patent Document 2 below.
- the normal program 400 before obfuscation is converted into an intermediate program 420 (step S 401), and obfuscation is further performed. It is converted into the computer program 440 (step S402).
- the normal program 400 before obfuscation shown in FIG. 4 includes an instruction block 401 that performs a modular exponentiation operation according to the binary method, and the instruction block 401 includes instructions 411, 412 and 413.
- Such a normal program 400 may be called an information security program.
- variable X has a value that is the target data of modular exponentiation operation. Is stored in the variable len, and the total bit length of the secret key d is stored in the variable len. The result value in the middle of calculation is stored in the variable Y. Also, the variable i indicates the bit position of interest in the secret key d. Here, it is assumed that the least significant bit of the bit of the secret key d is the 0th bit, and the bits are counted from the lower order.
- variable X is substituted into variable Y.
- variable len stores the total bit length of the secret key d.
- variable Y is multiplied by 2 in modulus n and the result is stored in the variable Y.
- instruction 415 look at the bit indicated by the value of variable i in secret key d, and if the value of that bit is “1”, further multiply variable Y by variable X in modulus n and execute the result as a variable Store in Y
- variable Y stores the value obtained by raising the variable X to the power of d in the modulus n.
- each bit of the secret key d is viewed, and only 2 multiplication is performed when the value of the bit is "0", and 2 multiplication when "1". And multiply. Therefore, the secret key d can be recovered if it is divided whether the power with only 2 multiplication or 2 multiplication and multiplication is performed. Therefore, in the obfuscation process, it is necessary to distinguish between 2 multiplication and multiplication in the process corresponding to each bit of the secret key d.
- multiplication arrangement information 421 is generated, which includes initialization instruction 422, one or more 2-fold remainder instructions, and one or more 2-fold remainder instructions and a set of instructions that also become multiplication residue instructions.
- the 2 multiplication residue instruction and the multiplication residue instruction may be called basic residue operations or simply basic operations.
- the 2 multiplication residue instruction and the multiplication residue instruction may be referred to as a second basic operation and a first basic operation, respectively.
- the first basic operation, the multiplication residue instruction requires a plurality of inputs
- the second basic operation, the second multiplication operation requires only a part of the plurality of inputs.
- the initial instruction 422 is arranged at the head, and then, the combinations of one or more 2 multiplication residue instructions and one or more 2 multiplication residue instructions and multiplication residue instructions are used.
- a command is placed according to the value of the secret key d.
- the order of arrangement of these instructions in the multiplication arrangement information 421 defines the execution order of the initialization instruction 422, the 2 multiplication remainder instruction and the multiplication remainder instruction.
- the intermediate program 420 in FIG. 4 shows a state where the secret key d is "101 ⁇ ⁇ ⁇ 01".
- the multiplication allocation information 421 is composed of an initialization instruction 422, a combination instruction 423, a 2 multiplication residue instruction 42 4, a combination instruction 425, ⁇ , a 2 multiplication residue instruction 426 and a combination instruction 427, arranged in this order .
- the multiplication remainder is multiplication followed by a remainder (mod) calculation
- the second multiplication remainder is a calculation after squaring and then a remainder calculation.
- variables obtained by converting the intermediate value Y into all 2 multiplication residue instructions and all multiplication residue instructions contained in the multiplication arrangement information 421 in the intermediate program 420 Z and target data X as input and variable Z as output 2 input 1 output processing Converts the management table (RT, ⁇ ⁇ ⁇ , RT) into an instruction that refers to it.
- RT is the ith
- initial instruction 422 is converted into an initial instruction 442 that substitutes the value of the variable X into the variable Z.
- an initialization instruction 442 a table reference instruction 443, 4
- a method of obfuscation processing by the obfuscator 100 (second obfuscation method) will be described.
- step S401 the normal program 400 before obfuscation is converted into an intermediate program 420 (step S401). Up to this point, it is the same as the first obfuscation method.
- the 2 multiplication remainder instruction and multiplication remainder instruction in multiplication arrangement information 421 of intermediate program 420 are referred to as operation instructions, and k number of operation instructions are arranged in multiplication arrangement information 421.
- operation instructions the 2 multiplication remainder instruction and multiplication remainder instruction in multiplication arrangement information 421 of intermediate program 420
- k number of operation instructions are arranged in multiplication arrangement information 421.
- the output value conversion ⁇ is a conversion using the intermediate value ⁇ ⁇ ⁇ , which is the output of the operation instruction of the preceding stage, and the target data X.
- input value conversion ⁇ 1 is the output of the corresponding output value conversion ⁇ Conversion using the intermediate value z and the target data X.
- the input value conversion is the same conversion as the inverse conversion of the output value conversion ⁇ .
- the output value conversion ⁇ 473 is inserted immediately after the i-th operation instruction 472.
- input value conversion ⁇ 1 471 is inserted immediately before the operation instruction 472 of the eye.
- the operation instruction 472 and the output value conversion ⁇ 473 are put together to form one table RT 470, and an instruction referring to the table RT 470 is generated.
- a method of obfuscation processing by the obfuscator 100 (third obfuscation method) will be described.
- the first obfuscation method and the second obfuscation method are used.
- the ordinary program 400 before obfuscation is converted into an intermediate program 420.
- this obfuscation processing method (third obfuscation method), in the same way as the second obfuscation method, the output value conversion and the input value conversion are carried out in the multiplication arrangement information 421 of the intermediate program 420. Make an insertion. Up to this point, it is the same as the second method.
- the transformation ⁇ 1 is an inverse transformation of the transformation ⁇
- the transformation ⁇ 1 and the transformation ⁇ are respectively
- input dependent value subtraction is an operation that subtracts f (X) obtained by subjecting the target data X to conversion f, and input dependent value addition adds f (X) obtained by subjecting the target data X to conversion f. Is the operation to be performed.
- input dependent value addition is an inverse conversion of input dependent value subtraction.
- intermediate value Z and target data X are integers of 1024 bits, for example, one table size It becomes 2 2Q48 X (the size of the table output byte size) bytes, which is very large and difficult to implement.
- a process that takes as input a small value (for example, a 4-bit or 8-bit integer) as the post-conversion multiplication residue processing and the post-conversion 2-multiplication residue processing. It divides into (It is called division processing) and it makes a table.
- a small value for example, a 4-bit or 8-bit integer
- a method of obfuscation processing by the obfuscator 100 (a fourth obfuscation method) will be described.
- the obfuscation processing method (the fourth obfuscation method), as in the third obfuscation method, Perform expansion of arithmetic instruction. Up to this point, it is the same as the third obfuscation method.
- the output value conversion A513 is inserted immediately after the multiplication 512.
- the output value conversion A513 is composed of an input dependent value addition 513a and a conversion ⁇ 513b.
- a transformation ⁇ ⁇ 1 514 is inserted immediately before the remainder operation 515, and a transformation ⁇ ; 516 is inserted immediately after the remainder operation 515.
- the transformation ⁇ - 1 is an inverse transformation of the transformation ⁇ .
- the arithmetic 821 exists alone, that is, no transformation is inserted.
- the conversion a 513 b on the multiplication processing side is offset by the conversion ⁇ _1 514 on the remainder operation processing side, so the processing in the entire division processing is the same as before conversion It can be seen that
- the processing including the conversion multiplication processing, including the conversion ⁇ - ⁇ 14, the remainder operation 515, and the conversion ⁇ 516, is called conversion residue processing.
- conversion multiplication processing and conversion residue processing are further divided into processing for each intermediate value ⁇ and each digit of the target data X.
- Z is divided from the least significant digit into Z, Z, Z, ... every 4 bits each, X is the bottom
- the conversion ⁇ , the conversion ⁇ , and the conversion f are conversions that can be restored to the conversion before division when the conversion of each digit is combined.
- the transformation ⁇ uses a bijective transformation ⁇ that also converts 4-bit numbers into 4-bit numbers.
- conversions include conversion by logical operation such as logical AND or logical sum or bitwise exclusive OR with a predetermined value.
- logical operation such as logical AND or logical sum or bitwise exclusive OR with a predetermined value.
- these conversions be random permutations rather than logical operations such as logical product, logical sum, and exclusive logical sum.
- FIG. Fig. 8 shows a state of division of the conversion multiplication process in the case of 2 ⁇ i ⁇ k-1
- Fig. 8 (a) shows the conversion multiplication process before the division.
- a transform and multiplication process 520 shown in FIG. 8 (b) is obtained.
- the processing of each digit is divided and converted so that the value after each addition processing is output. This takes advantage of the fact that a large number of multiplications is the sum of a small number of multiplications.
- the conversion table RM, '.', RM of each digit can be obtained as follows.
- Equation 531 results in Equation 531
- expressions that are grouped in two 4 results in Equation 532 corresponds to the conversion of the first digit
- the expression to be grouped in two 8 2 Equation 533 is obtained, which corresponds to conversion of the digit.
- 4 bits are grouped into 4 bits each.
- an equation corresponding to the conversion of each digit up to the most significant digit is obtained. In these formulas, omit the index i for simplicity! /.
- the corresponding tables to be converted are RM 521, RM 522, RM 523, ⁇ ⁇ ⁇ .
- addition processing 1 for each digit, since it is necessary to reflect the carry from the lower digit, in order to calculate the value of the first digit or more, in addition to the calculation by each conversion table RM, It is necessary to perform addition processing 1 (551) shown. Furthermore, as a result of performing addition processing 1 (551), additional carry may occur, so addition processing 2 (552) shown in FIG. 10 is performed to calculate the value of the second and subsequent digits. There is a need. In addition processing 1 (551) and addition processing 2 (551), as shown in FIG. 10, the inverse conversion to remove the conversion applied to the input including the input dependent value subtraction and the input dependent value addition is used as the input value conversion.
- FIG. 8 summarizes the above.
- the lower 4 bits of the RM 521 output are the 0th digit output value of the conversion multiplication process 520.
- the upper 4 bits of the output of RM 523 are output to addition processing 1 not shown.
- the lower 4 bits of the output of addition processing 1 (541) are the output of the first digit of the corresponding conversion multiplication processing 520. It becomes a value, and the upper 4 bits of the output of addition process 1 (541) are output to addition process 2 (543).
- the lower 4 bits of the output of addition processing 1 (542) are output to addition processing 2 (543), and the upper 4 bits of the output of addition processing 1 (542) are output to addition processing 2 (not shown) .
- a conversion multiplication processing 851 is obtained. Similar to FIG. 8, in FIG. 9, the process of each digit is divided and converted so that the value after each addition process is output. This takes advantage of the fact that a large number of multiplications is the sum of a small number of multiplications.
- the lower 4 bits of the output of the RM 861 are the 0-th output value of the conversion multiplication processing 851.
- the lower 4 bits of the output of addition processing 1 (871) become the output value of the first digit of the conversion multiplication processing 851, and the upper 4 bits of the output of addition processing 1 (871) are addition processing 2 (873 Output to).
- the lower 4 bits of the output of addition processing 1 (872) are output to addition processing 2 (873), and the upper 4 bits of the output of addition processing 1 (872) are output to addition processing 2 (not shown). .
- the input is 202 4-bit integers
- the tape size for the 100th digit is 2 ⁇ X (the size of the table output size) bytes.
- one table size is 2 2 Q 48 X (the size of the output byte of the table) bytes, so tape noise can be reduced.
- the power conversion residue processing shown for the conversion multiplication processing can be divided as shown in FIG. 11 by the same substitution and expansion processing.
- ⁇ in Figure 11 Denotes the power in transform multiplication residue processing RT ; in ⁇ ; index i is omitted for simplicity.
- the number of digits of the input Z of the conversion remainder processing is 2 Xb ⁇ one digit.
- the reason is as follows.
- the input Z of transform residue processing is the result of transform multiplication processing.
- an operation of the output result of the previous stage table and the target data X is performed.
- the output result of the previous stage table is mod n in the previous stage table, it must have a number of digits less than b-1 and the target data X must have a value less than or equal to n in RSA encryption.
- Multiplication between b-l digits takes 2 Xb-2 digit operation results, and a carry of one digit may occur. Also add up to 2 Xb-maximum input after conversion processing. It is one digit.
- the remainder operation is performed by adding the outputs of these tables using an addition table.
- FIG. 11 a process indicating Z X2 4i mod n for i ⁇ b is expressed as RD. Note that In FIG. 11, the force of adding "+" between each divided processing RD ; this addition is divided into each digit in the same way as the addition used in the division of post-conversion multiplication processing. In addition processing after division, processing to add input value conversion and output value conversion is shown.
- the processing when the processing is divided, if the 0th digit (least significant digit) or the 1st digit, the number of inputs (the number of 4-bit integers) is small, The table size is not too big. However, as the digit increases, the size of the table increases.
- the processing is further divided for each digit.
- Figure 12 shows a further division of the second digit process.
- the input of R M 602 is Z, Z, Z, X, X and X.
- the process 601 has four inputs of Z, Z, X, and X, and the process 621 of Z and X
- processing 621 is a pattern in which the addition result of the index value is equal to the number of digits.
- the volume itself is the same as in the case of 4 inputs.
- the input values in 4 inputs include input values that are identical to each other, so they can be combined into 2 inputs.
- the other columns are also divided into tables in the same manner as this. For example, the table in column 5 is split into a table with the following inputs:
- RM (5, 0): Z, Z, X, X
- RM (5, 1): Z, Z, X, X
- index ( ⁇ , ⁇ ) attached to RM indicates the digit number of the first X
- the second ⁇ indicates the minimum value of the index of the input.
- one tape size becomes 2 16 ⁇ (the output byte size of the table) bytes, and the table can be reduced. Note that the same division is possible also for 2 multiplication. The division method is omitted since it is almost the same as multiplication.
- FIG. 13 shows the sharing of the RM divided table 657 and the sharing of the RS divided table 658.
- RS is processing indicating 2 multiplication.
- tapee Nore 661 and Tape nore 662 are tables whose index is 2 ⁇ i, i (i ⁇ 0). Tables whose index is 2 xi, i (i ⁇ 0) can be made common, and it becomes possible to use one and the same table instead of a plurality of tables.
- table 663 and table 664 respectively perform the same processing for the input.
- Tape Nore 663 and Tape Nore 664 have the index i, 0 (i ⁇ 0). Commonality is possible for these tables.
- table 665 and table 656 each have the same processing for the input! These tables can also be shared!
- each table can be classified into the following four cases depending on the combination of indexes.
- a table whose index is i, 0 (i ⁇ 0) and a table having other indexes differ only in whether or not g (X) is added to the output. Also, for a table with index 0,0 and a table with index 2 X i, i (i) 0), g (X.) (if index is 0, 0, g (X The only difference is whether or not) is added. That is,
- the second table of Ndettas is different from the other ones, and g (X) or g (X) is output.
- Tables 681 and 682 are tables of index power 2 xi, i (i ⁇ 0). Tape index with index 2 X i, i (i ⁇ 0) is It can be made common, and it becomes possible to use one and the same table instead of a plurality of tables.
- the table 683 and the table 684 respectively perform the same processing for the input.
- Tape Nore 683 and Tape Nore 684 have the index i, 0 (i ⁇ 0). Commonality is possible for these tables.
- the table 685 and the table 686 respectively perform the same processing for the input.
- each table can be classified into the above four cases depending on the combination of indexes as described above.
- the obfuscation device 100 executes obfuscation by performing commonality when input value conversion, output value conversion, processing division, and divided processing are performed.
- multiplication arrangement information arrangement information of the multiplication residue and the second multiplication residue of FIG. 4
- multiplication arrangement information arrangement information of the multiplication residue and the second multiplication residue of FIG. 4
- division processing arrangement information information indicating this processing and the arrangement of tables
- the obfuscation device 100 generates multiplication arrangement information, and then generates division processing arrangement information. After that, determine the input value conversion and output value conversion to be used in the division processing arrangement information, and generate a table based on it.
- the table is generated, for example, by calculating and associating values calculated in the post-conversion process when the input value is input to the input value.
- multi-dimensional array can be considered.
- read instruction order information indicating the order of the table read instruction is generated based on the division processing arrangement information. Thereafter, by combining the generated read instruction order information with the generated table, the obfuscated ⁇ program is completed.
- the obfuscated deaf program generated by obfuscated deaf device 100 may include the above-mentioned read instruction order information and commands and data other than the table.
- the division processing arrangement information may be provided to the obfuscation device 100 in advance.
- RT is a multiplication process for the division of RT, which is the conversion in the first digit of the secret key d
- Figure 14 shows the configuration of the multiplication process 1002 divided for RT
- FIG. 1 A first figure.
- ⁇ , ⁇ , ⁇ and ⁇ are values obtained by dividing ⁇ and X into 3 bits each.
- the multiplication processing is divided into each digit based on the above-mentioned method, and the multiplication processing 1002 is, as shown in FIG. 14, RM 1121, RM 1122, RM 1123, color calculation processing RA 1124, R
- RA 1131 is included.
- RM 1121 is the calculation of the 0-th digit of RT, and after dividing with Z and X as inputs,
- RM 1122 is the first digit calculation of RT, and Z, Z, X and X are input.
- RM 1123 is the second digit calculation of RT, and Z 1, X 1
- Each output of RM, RM, RM is subjected to addition processing RA, RA,..., RA
- the result obtained by adding 0 1 2 1 2 5 is the converted value of the multiplication result of Z and X.
- A,..., RA are input to each of them similarly to addition processing 1 and addition processing 2 shown in FIG. Value conversion and output value conversion included!
- 0 1 2 1 2 3 is a plurality of outputs (for RM, since there are 3 digits of output, there is also a middle part, 3
- the output value is in the range of “0” to “56”, and the output value is
- the upper 3 bits of are input to RA 1124 and the lower 3 bits are the output of multiplication process 1002.
- RM 1121 also have their respective “[0, 7]”
- the multiplication processing 1002 outputs, as final output values, the 3-bit output values 1142a, 1142b, 1142c, 1142d, and 1142e described at the bottom of FIG. This f column is input, multiplication processing 1002 is input, 6-bit ⁇ and X are input, and a 15-bit value is output.
- RM 1121, RM 1122, RM 112 which constitute multiplication processing 1002 of FIG.
- RA 1124 includes the input value conversion j8- ⁇ immediately after the upper input value
- the input value conversion ⁇ 4124a is included, and the output value of the input value conversion ⁇ 4124b and the output value of the input value conversion 8124 4a are added.
- the output value include the output value conversion ⁇ 1124 e and add 11
- the RM 1121 performs multiplication 1121 a on the input value on the upper side and the input value on the lower side.
- FIG. 16 is a diagram showing a configuration of multiplication processing 1004 divided for RT (2 ⁇ i ⁇ k ⁇ 1). Also in this example, the bit size of n is 6 bits, and 6-bit data is divided into 2 digits. Each digit consists of 3 bits.
- the multiplication process is divided at each digit, as in the multiplication process for RT.
- RM 1181 is multiplication processing after division with ⁇ ⁇ and X as inputs
- RM 1182 is multiplication processing after division with ⁇ ⁇ and X as inputs
- 0 0 0 1 is the post-division multiplication processing with ⁇ , ⁇ , ⁇ , ⁇ as inputs, and RM 1183 is Z, X
- the calculated result 3 ⁇ 4 is the converted value of the multiplication result of X.
- RM RM
- RM RM
- RM RM
- RM RM
- RM RM
- M, RM, RA, RA, ⁇ ⁇ ⁇ , RA is an upper portion including a range of negative values, positive
- the range of values for the upper part and the lower part of the output is the value before output value conversion, and after output value conversion, the value does not necessarily fall within this range. For example, above the output of RM
- the order part is [1, 7] before output value conversion, but after output value conversion, it will be [0, 8] etc. for easy handling.
- 6-bit Z and X are input in the multiplication process, and a 16-bit value (the most significant digit includes sign information) is output!
- FIG. 18 is a diagram showing the configuration of multiplication processing 1009 divided for RT.
- multiplication processing 1009 includes RM 1331, RM 1332 and RM 1333 as shown in FIG.
- RM 1331 is multiplication processing after division with Z and X as inputs
- RM 1332 is multiplication processing after division with Z and X as inputs
- 0 0 0 1 is the post-division multiplication processing with Z, Z, X, X as inputs, and RM 1333 is Z, X
- RM 1331, RM 1332 and RM 133 which constitute the multiplication processing 1009 of FIG.
- FIG. 15 An example of the table corresponding to RM 1122 shown in FIG. 15 for RT is shown in FIG.
- FIG 41 shows the details of RM 1122, shown in Figure 15, for RT.
- RM is 4 pieces
- the input value group (inl, in2, in3, in4) consisting of the input values inl, in2, in3 and in4 of 1 1 1 is subjected to conversion using the table 1421 shown in FIG.
- Output value group (out1, out2, out3) composed of the output values outl, out2 and out3.
- the table 1421 includes a plurality of input value groups (inl, in2, in3, in4), and a plurality of output value groups (outl, out2, each corresponding to the plurality of input value groups). It consists of out3) and.
- the table 1421 includes only a plurality of input value groups (i nl, in2, in3, in4) and a plurality of output value groups (outl, out2, out3) as described above. Being done Be careful, because
- FIGS. 42 (a), 42 (b) and 42 (c) respectively show the RMs shown in FIG. 15 for RT.
- FIG. 24 shows details of RM 1182 shown in FIG. 17 for RT (2 ⁇ i ⁇ k ⁇ l).
- i 1 1 performs conversion using an input value group (inl, in2, in3, in4) composed of four input values inl, in2, in3 and in4 using the table 1360 shown in FIG. 3 output values out
- the table 1360 shows a plurality of input value groups (inl, in2, in3, in4), and a plurality of output value groups (out1, out2) respectively corresponding to the plurality of input value groups. , Out3) and consists of.
- the intermediate values in the middle of the calculation also include the described force.
- the table 1360 includes a plurality of input value groups ( It should be noted that it consists only of i nl, in2, in3, in4) and multiple output value groups (outl, out2, out3).
- FIG. 26 (a), FIG. 26 (b), FIG. 26 (c) and FIG. 26 (d) respectively show the RT in FIG.
- FIG. 19 An example of a table corresponding to RM 1332 shown in FIG. 19 for RT is shown in FIG.
- FIG. 27 shows the details of RM 1332 shown in FIG. 19 for RT.
- RM uses the table 1390 shown in FIG. 28 for the input value group (inl, in2, in3, in4) consisting of four k 1 1 input values inl, in2, in3 and in4. It outputs an output value group (outl, out2, out3) composed of three output values outl, out2 and out3.
- the table 1390 includes a plurality of input value groups (inl, in2, in3, in4), and a plurality of output value groups (outl, out2, each corresponding to the plurality of input value groups). It consists of out3) and.
- Table 1390 shows only the input values (inl, in2, in3, in4) and the output values (outl, out2, out3) from the intermediate values. Be careful because they are configured.
- FIGS. 29 (a), 29 (b), 29 (c) and 29 (d) are respectively shown in FIG. 19 for RT.
- FIG. 15 An example of a table corresponding to RA 1124 shown in FIG. 15 for RT is shown in FIG.
- FIG. 30 shows the details of RA 1124 shown in FIG. 15 for RT.
- Two RAs are shown in FIG. 30 for RT.
- a conversion using table 1410 shown in FIG. 31 is performed on an input value group (inl, in2) composed of 1 1 1 input values inl and in2 to obtain two output values outl and out2. Output the set of output values (outl, out2).
- the table 1410 includes a plurality of input value groups (inl, in2) and a plurality of output value groups (outl, out2) respectively corresponding to the plurality of input value groups.
- the table 1410 in order to facilitate understanding of the calculation process, in addition to a plurality of input value groups (inl, in 2) and a plurality of output value groups (outl, out2), intermediate values during calculation are about Also, as described above, as described above, the table 1410 is composed of only a plurality of input value groups (inl, in2) and a plurality of output value groups (outl, out2).
- FIGS. 32 (a), 32 (b) and 29 (c) respectively show the RA shown in FIG. 15 for RT.
- the divided remainder processing 1005 is, as shown in FIGS. 20-23, remainder calculation RD 1201, RD 1
- RA, RA, RA, ⁇ ⁇ ⁇ is a digit-wise addition or addition to reflect a carry
- remainder processing 1005 is modulo integer n:
- RA 1202 respectively receive three 3-bit input values Z, Z, Z
- Remainder RD 1201 adds the upper 3 bits and the lower 3 bits of the operation result, respectively.
- Addition RA 1203 is the top 1 bit of the operation result.
- the lower three bits are output to the additions RA 1205 and RA 1204, respectively.
- a 1202 adds the upper 1 bit and the lower 3 bits of the operation result to each other, RA 12
- Addition RA 1204 is the upper 1 bit of the operation result
- Remainder RD 1206 accepts one 3-bit input value Z input, and the operation result
- the upper 3 bits and the lower 3 bits of are output to additions RA 1208 and RA 1207, respectively
- Addition RA 1208 adds the upper 1 bit and the lower 3 bits of the operation result, respectively.
- RA 1209 adds the upper 1 bit and the lower 3 bits of the operation result to each other, RA 1
- the RA 1210 adds 1 bit of the operation result.
- Remainder RD 1212 accepts one 4-bit input value Z input and the operation result
- the upper 3 bits and the lower 3 bits of are output to addition RA 1214 and RA 1213 respectively
- Addition RA 1214 adds the upper 1 bit and the lower 3 bits of the operation result, respectively.
- Addition RA 1213 is the top 1 of the result of the operation.
- the RA 1215 adds the upper 1 bit and the lower 3 bits of the operation result to each other, RA 1 Output to 217 and RA 1220.
- Addition RA 1217 adds 1 bit of the operation result to
- Addition RA 1216 multiplies two bits of the operation result.
- the operation shown in FIG. 23 performs the remainder processing.
- the calculation result of the operation shown in Fig. 23 may also have three digits, in which case further residue processing is required.
- Addition RA 1220 adds the upper 1 bit and the lower 3 bits of the operation result respectively.
- One bit is added to RA 1221 and the lower 3 bits of the operation result are output as the final output.
- Addition RA 1221 outputs the upper one bit of the operation result to calculation RA 1222 and
- Addition RA 1222 is one bit of the operation result
- n is a 6-bit value and is small. Therefore, when the multiplication process is divided up to each digit, if the bit size is large, The processing may be further divided as in “division of processing (part 2)”.
- FIG. 33 is a diagram showing the configuration of the obfuscation device 100. As shown in FIG.
- the obfuscation device 100 generates the multiplication arrangement information indicating the order of multiplication processing and 2 multiplication processing from the secret key d, and an input unit 101 for receiving the input of the secret key d.
- Information generation unit 102, and processing divided from multiplication processing and 2 multiplication processing The division processing arrangement information generation unit 103 that generates division processing arrangement information that is arrangement information of one or more input value conversions and one or more output value conversions to be added to the input value conversion and output value conversion.
- the conversion generation unit 104 generates a function to be shown, the table generation unit 105 generates a table using division processing arrangement information, input value conversion and output value conversion, multiplication arrangement information and division processing arrangement information.
- the read information arrangement unit 106 generates the read instruction sequence information indicating the arrangement of the instruction to read the table
- the program generation unit 107 generates the obfuscated program using the table and the read instruction sequence information, and the obfuscated program.
- a medium recording unit 108 for recording on the body.
- the input unit 101 receives the secret key d as an input.
- the multiplication arrangement information generation unit 102 generates multiplication arrangement information indicating the order of processing of multiplication remainder processing and 2 multiplication remainder processing from the secret key d. This corresponds to the process shown in step S401 of FIG.
- multiplication arrangement information 421 is information indicating an order such as ⁇ 2 multiplication residue, multiplication residue, 2 multiplication residue, 2 multiplication residue, multiplication residue ⁇ .
- Division processing arrangement information generation section 103 performs processing obtained by dividing multiplication remainder processing and 2 multiplication remainder processing according to an arrangement method given in advance, and one or more input value conversions to be added thereto and one or more The division processing arrangement information which is the arrangement information of the output value conversion of is generated.
- the information generated here is only the placement information for each process or conversion, and no function corresponding to the process or conversion is generated.
- the conversion generation unit 104 generates a function for the arranged input value conversion and output value conversion with reference to the division processing arrangement information.
- the method of generating functions for input value conversion and output value conversion is as described above in “2.3 Obfuscation performed by obfuscation device 100”.
- the table generation unit 105 generates a table using the division processing arrangement information, the input value conversion, and the output value conversion.
- the table generation method is as described above in “2.3 Obfuscation performed by the obfuscation device 100”.
- the read information arrangement unit 106 generates read instruction order information in which the instructions for reading the table are arranged in order using the multiplication arrangement information and the division processing arrangement information. Specifically, using the division processing arrangement information, it is possible to use each of in converted post multiplication residue processing and in post converted 2 multiplication residue processing.
- a table read instruction group is generated by arranging table read instructions corresponding to the process in order, and table read instruction groups corresponding to those in converted post multiplication remainder processing and post conversion 2 multiplication remainder processing are multiplied arrangement information Place the table read command by placing using.
- the program generation unit 107 generates an obfuscated program in which the read instruction order information and the table are combined.
- the medium recording unit 108 records the obfuscation program on the medium 200.
- FIG. 34 shows the configuration of the cryptographic processing apparatus 300. As shown in FIG. 34
- the cryptographic processing device 300 has an input unit 301 for inputting encrypted data or message data, an output unit 302 for outputting decryption data or signature data, and a data memory 303.
- a program memory 304, a CPU 305, and a medium reading unit 306 for reading an obfuscation program from the medium 200 are provided.
- the input unit 301 receives, as inputs, encrypted data at the time of decryption processing described later, and message data at the time of signature generation processing.
- the output unit 302 outputs decryption data at the time of decryption processing described later and signature data at the time of signature generation processing.
- the data memory 303 stores input decryption data and message data, and intermediate value data when executing the obfuscation program.
- the program memory 304 stores obfuscated and unread programs.
- the CPU 305 executes an instruction described in the obfuscated program.
- the medium reading unit 306 reads the obfuscation program from the medium 200 and stores the obfuscation program in the program memory 304.
- the operation of the obfuscation system 1 generates an obfuscation program in the obfuscation device 100 and records the obfuscation processing on the medium 200, and the operation of the encryption processing device 300 on the medium 200.
- the input unit 101 of the obfuscation device 100 receives the secret key d (step S1101), and the multiplication arrangement information generation unit 102 generates multiplication arrangement information (step S1102), and the division processing arrangement information generation unit 103
- the division processing arrangement information is generated (step S 1103), the conversion generation unit 104 generates functions for input value conversion and output value conversion (step S 1104), and the table generation unit 105 generates a table (step S 1103).
- the read information arrangement unit 106 generates the read instruction order information (step S1106)
- the program generation unit generates the obfuscation program (step S1107)
- the medium recording unit of the obfuscation apparatus 100 108 records the obfuscation program on the medium 200 (step S1108).
- the input unit 301 of the cryptographic processing apparatus 300 receives the encrypted data as input and stores it as the target data X in the data memory (step S1201), and the medium reading unit 306 performs the obfuscation program for the medium 200 as well.
- the data is read and stored in the program memory 304 (step S 1202).
- the CPU 305 uses the data memory 303 in accordance with the obfuscation program stored in the program memory 304 and calculates the power value of the target data X: Td mod n
- the data is stored in the data memory 303 (step S1203), and the output unit 302 outputs the value V (the power value of the target data) stored in the data memory 303 as decoded data (step S1204).
- V the power value of the target data
- the input unit 301 of the cryptographic processing device 300 receives the message data as an input, and stores it as the target data X in the data memory (step S1301).
- the obfuscated reading program is read from 0 and stored in the program memory 304 (step SI 302).
- the CPU 305 uses the data memory 303 in accordance with the obfuscation program stored in the program memory 304 to power the target data X Value: Td mod n is calculated and stored in the data memory 303 (step S 1303).
- the output unit 302 outputs the value (power value of the target data) stored in the data memory 303 as signature data ( Step S 1304).
- the operation of the signature generation process ends.
- the table generation unit 105 of the obfuscation device 100 includes: RM 1121, RM 1122, RM 1123, RA 1124, RA 1125, RA 1126, RA 11
- the table generation unit 105 initially stores only these connection relationships, and the RM 1121, the RM 1122, the RM 1123, the RA 1124, the RA 1125, the RA 1126, and the RA.
- the table generation unit 105 stores in advance 40 different multiplication pattern tables.
- These multiplication pattern tables are tables of 2 inputs and 2 outputs which convert 2 input values into 2 output values, each input value is 3 bits in length, and each output value is 3 It is a bit length.
- Steps shown in FIG. 38 in steps S1401 to S1404! Show RM 1121, RM 1122 and RM 1123 [Hot! / Feel, each of the above 40 types
- One multiplication pattern table is selected at random from the multiplication pattern table (step S 1402), and these RMs 1121, RM 1122, and RM 1123 [this selected multiplication note is selected.
- a run table is allocated (step S1403).
- the multiplication pattern table selected once is selected so that the same multiplication pattern table is not selected for different RMs. Do not select in the next selection, as in the case of exclusion from selection.
- table generation unit 105 repeats the following for each path from the input value strength at the top of multiplication process 1002 to the final output value.
- an example of the path leading to the input value strength at the head of the multiplication processing 1002 and the final output value is also the input value 1141a power, the output value 1142 through the multiplication 1211a of the RM 1121, the conversion 1121b.
- a path leading to a and an example of another path is the input value 1141 b power, etc., the power of RM 1121
- the path is a path from the 3-bit input value to the 3-bit output value via one RM and at least one RA.
- the table generation unit 105 stores in advance the position on the path where the conversion should be arranged.
- the position where the conversion is to be placed is, in FIG.
- the table generation unit 105 sequentially selects, one by one, the position at which the conversion is arranged from the top of each path.
- step S1406 If the next to the selected position is the final output value (YES in step S1406), the table generation unit 105 selects one conversion and places the selected conversion in the position (step S1 409), End the processing on this route.
- step S1406 the table The generation unit 105 selects one conversion and places the selected conversion at the corresponding position.
- step S1407 when a conversion is selected before, a conversion different from the previously selected conversion is selected.
- step S1408 the inverse transformation of the transformation placed in step S1407 is placed (step S1408), and then the process returns to step S1406 to repeat the processing.
- the attacker analyzes the output, and the input power is S dummy. It is possible to prevent an attack that distinguishes multiplication by multiplication from multiplication by 2
- the input value conversion and the output value conversion as described above are arranged by dividing the processing of each digit into a 4-input 1-output and 2-input 1-output table both for multiplication and 2 multiplication. Easy to do, take a configuration like that. [0176] In this way, with respect to processing in which multiplication and 2-multiplication processing are divided into each digit, the same number of arguments are input in both multiplication and 2-multiplication, and each input affects the output. Since it is possible to generate such a table, it can not be distinguished from the way of division of the table whether it is multiplication by force or 2 multiplication. That is, it is possible to prevent an attack that analyzes the table and distinguishes whether it is multiplication processing or 2 multiplication processing. Therefore, the processing of multiplication and 2 multiplication can be distinguished by the attacker, and the present invention is effective.
- the table size required for one multiplication processing or 2 multiplication processing is 2 2048 X (table output Neute size) bytes.
- (256 X 256) Z2 X 2 16 X (table output byte size) 2 31 X ( The size can be reduced to the size of the canopies of the table.
- Table size power required for one multiplication process or 2 multiplication process 2 X 2 16 X (table output byte size) + 2 X 2 8 X (table output byte size) 131, 584 X (table output It can be reduced to the byte size).
- table size can be reduced by dividing and sharing tables.
- the present invention can be implemented on a computer. It is possible to generate a source code obfuscated program of a new RSA cipher.
- the brute force attack of a bijective map is an attack in which all possible bijective map noliers also hit the correct bijective map.
- a table is generated for each bijective mapping, and comparison with the table actually included in the program determines whether it is a correct bijective mapping. In the case of a correct bijective map, all the values in the table match.
- each table contains the bijective mapping of g and ⁇ described above, and for both tables, the corresponding positive, mapping of each table The attack on the table is not successful! The attack on the table is not successful! ⁇
- 16! 2 44
- the target processing of table conversion is multiplication residue processing and 2 multiplication residue processing in RSA encryption, and the power of unifying these inputs is not limited to this.
- the processing of elliptic curve addition (input of the coordinates of two points) and elliptic curve doubling (input of the coordinates of one point) of the elliptic curve cryptosystem may be a target of table.
- the distinction between the elliptic curve addition and the elliptic curve double addition becomes a force of fraud analysis, so it can not be distinguished as in the present invention. By doing this, it is effective to prevent attacks.
- the present invention includes a processing that includes processings that differ in the number of inputs that are not related to only processing related to encryption and that if each processing is differentiated, it will become a means of fraud analysis S Needless to say, it is applicable and effective for any program.
- a set of one input value is the other input, such as a combination of a first process whose input value is X, Y and a second process whose input value is Y, ⁇ . Even if the set of values is not completely included, obfuscation can be performed.
- a process dependent on the input value ⁇ ⁇ ⁇ ⁇ (corresponding to the input-dependent addition and subtraction in the second embodiment) is added to the first process, and then the table is displayed, and the second process is started. Can be tabulated after adding processing depending on the input value X.
- decryption processing of RSA encryption method or signature generation processing of RSA signature method is executed using an obfuscated decryption program! Anything that contains an exponentiation process with as the power value may be used.
- the signature scheme of the RSA-PSS signature scheme may be used
- the decryption process of the RSA-OAEP encryption scheme may be used
- the decryption procedure of the RS ⁇ scheme may be used.
- decryption processing of ElGamal encryption method may be used.
- a cryptographic processing apparatus stores the obfuscated program which has read the medium power as well as the medium power into the program memory. This is divided into several times and stored in the program memory while reading. It may be executed by the CPU each time.
- the input message is the target data, and the power of the target data is calculated using the power message m.
- X Hash (m). Let's calculate it.
- Hash represents a hash function
- Hash (m) represents a hash value of message m.
- the hash function to use is, for example, SHA—1, SHA—224, SHA—256, SHA— 384, SHA— 512, MD5, WHIRLPOOL RIP RIPEMD 128, RIPEMD 160
- the obfuscation program may be recorded on a medium and distributed, and may be transmitted using a communication channel.
- the input value conversion includes the input dependent subtraction
- the output value conversion includes the input dependent subtraction.
- the present invention is not limited to this.
- the input dependent subtraction and the input dependent addition arrangement may be reversed.
- a combination of multiplication and division may be used instead of subtraction and addition. That is, as long as conversion dependent on the target data X is performed, any combination of conversions may be used. However, if you want to reduce the size of the table by dividing the table in the manner described above, it is desirable to combine addition and subtraction U ,.
- Embodiment 2 after addition of input-dependent addition and input-dependent subtraction to both multiplication processing and 2-multiplication processing, the power used to perform table selection is limited to this. It is not a thing. That is, in the present invention, if conversion (input-dependent addition) depending on the target data X is included in at least 2 multiplication processing, even if the relationship between the input and output values of each table is analyzed, the multiplication table and the 2 multiplication table It may be difficult to distinguish them.
- the method applying the conventional method of converting the processing into a random table includes multiplication and multiplication and multiplication. There is a problem that the attacker can analyze it using this because the number of inputs is different. More specifically, there is a problem that it is possible to distinguish whether the table performs multiplication or 2 multiplication from the number of inputs to each table.
- the same number of arguments are input to the multiplication and 2-multiplication processing.
- the present invention provides a source code obfuscation system, apparatus and method for preventing attacks due to different numbers of inputs of multiplication and 2 multiplication.
- the present invention takes, as an input, a first process of calculating first process output information of one or more powers from the first process input information of one or more numbers.
- a obfuscated device for outputting one table, and first conversion means for converting first conversion input information of one or more numbers into first conversion output information of one or more numbers;
- first table generation means for generating the first table indicating the correspondence between the first table input information having one or more powers and the first table output information having one or more powers;
- the first table input information includes the number included in the first processing input information or the first conversion input information, and the number power included in one or more number of additional input information, the first table
- the output information is the first processing output information or the first conversion output information.
- the obfuscation apparatus further includes second conversion means for converting second conversion input information having one or more powers into second conversion output information having one or more powers.
- the first table input information includes the number included in the first conversion input information and the number included in the additional input information, and the first process input information is the conversion output information
- the second conversion input information includes at least one number, and the first table output information includes the second conversion output information. It may be
- the conversion by the first conversion means may be a conversion based on the first table input information.
- the obfuscation apparatus calculates second processing output information including one or more numbers from second processing input information including one or more numbers in addition to the first processing.
- Processing The information processing apparatus may further include additional input information determination means which uses, as the additional input information, a number not included in the first process input information among the second process input information.
- the second process is performed by multiplying the product of the first number and the second number from the second process input information including the first number and the second number.
- the second process output information is calculated, and the first process is a process of calculating the first number of squares from the first process input information of the first number. Even if it is a process that calculates the process output information of.
- the obfuscation device may be a third process input information including one or more, or at least one second intermediate value information, in addition to the first process and the second process.
- an obfuscation apparatus for outputting the first table and the second table by using as input a third process for calculating third process output information having one or more numbers, and one or more numbers.
- a third conversion means for converting the third conversion input information into the third conversion output information with one or more numbers, the second table input information with one or more numbers, and one or more numbers A second table generating unit for generating the second table indicating correspondence of the second table output information, and a third conversion input information including one or more number powers; And third conversion means for converting into the conversion output information of Information includes at least one of the first table output information, the third transformation input information includes at least one of the first table output information, and the second table output information includes the first table output information.
- the three process output information may be included.
- the obfuscator according to the fourth process input information that is one or more of several powers is one or more in number.
- the fourth process of calculating the fourth process output information as an input is an input, and the second table input information includes: a number included in at least one of the first table output information; and a second additional input
- the second additional input information determining means may include information, and the number of the fourth process input information not included in the third process input information as the second additional input information. May be
- the obfuscation device may further perform conversion by the first conversion means and the third conversion means in the third process among the numbers included in the first process input information. On The conversion may be based on the number included in the force information.
- the obfuscation apparatus includes fourth conversion means for converting fourth conversion input information which is one or more powers into fourth conversion output information which is one or more powers, Conversion input information includes at least one number of the third process output information, and the second table output information includes the third process output information instead of the fourth process output information May be included.
- the obfuscation device receives, as an input, a fifth process of calculating fifth process output information of one or more numbers from the fifth process input information of one or more numbers.
- the above-mentioned fifth processing calculates the processing output information of one number from the processing input information consisting of four numbers.
- One or more of four inputs and one output processing, and two number powers of processing input information one There are processing division means for dividing processing output information consisting of numbers into 1 or more 2-input 1-output processing, and at least one of the 4-input 1-output processing and the 2-input 1-output processing is the first processing
- at least one of the four-input one-output processing and the two-input one-output processing may be used as the third processing.
- a first process of calculating first process output information of one or more numbers from one or more first process input information of several powers is used as an input.
- An obfuscation method for outputting a table comprising: a first conversion step for converting first conversion input information of one or more numbers into first conversion output information of one or more numbers; A first table generation step of generating the first table indicating correspondence between the first table input information which is also number power and the first table output information which is also number power or more, and the first table
- the input information includes the number included in the first processing input information or the first conversion input information, and the number power included in the additional input information including one or more number powers, and the first table output information includes Including the first processing output information or the first conversion output information Chiyoi Te.
- the obfuscation method further includes a second conversion step of converting the second conversion input information having one or more powers into second conversion output information having one or more powers.
- the first table input information includes the number included in the first conversion input information and the number included in the additional color input information, and the first processing input information includes the conversion output information.
- the second conversion input information includes at least one number of the first processing output information, and the first table output information includes the second conversion output information. It may be included.
- the conversion by the first conversion step is a conversion based on the first table input information.
- a second process output information including one or more numbers is calculated from second process input information including one or more numbers. It is also possible to have an additional input information determination step in which processing is used as the input and the number of the second processing input information not included in the first processing input information is used as the additional input information.
- the second processing includes the product of the first number and the second number from the second processing input information including the first number and the second number.
- the second process output information is calculated, and the first process is a process of calculating the first number of squares from the first process input information of the first number. Even if it is a process that calculates the process output information of.
- the obfuscation method may be a third process input information including one or more, or at least one second intermediate value information in addition to the first process and the second process. And an obfuscation method for outputting the first table and the second table by using a third process of calculating third process output information of one or more numerical powers as one or more numbers.
- the table input information includes at least one of the first table output information, the third conversion input information includes at least one of the first table output information, and the second table output information is The third process output information may be included.
- the obfuscation method includes one or more numbers from the fourth process input information including one or more number powers in addition to the first process, the second process, and the third process.
- Fourth place The fourth process of calculating the physical output information is an input, and the second table input information includes the number included in at least one of the first table output information and the second additional input information.
- a second additional input information determination step may be performed in which a number not included in the third processing input information among the fourth processing input information is used as the second additional input information.
- the conversion by the first conversion step and the third conversion step may be performed by using the first conversion input data among the numbers included in the first process input information.
- the conversion may be based on the number included in the processing input information of 3).
- the obfuscation method includes: a fourth conversion step of converting fourth conversion input information which is also one or more powers into fourth conversion output information which is one or more powers;
- the conversion input information includes at least one number of the third process output information, and the second table output information includes the fourth process output information instead of including the third process output information. May be included.
- the obfuscation method takes, as an input, a fifth process of calculating fifth process output information of one or more numbers from the fifth process input information of one or more numbers.
- the above-mentioned fifth processing calculates the processing output information of one number from the processing input information consisting of four numbers.
- One or more of four inputs and one output processing, and two number powers of processing input information one
- the process division step of dividing into 1 or more 2-input 1-output processing to calculate processing output information consisting of a number, and at least one of the 4-input 1-output processing and the 2-input 1-output processing is the first processing.
- the third process may be at least one of the four-input one-output process and the two-input one-output process.
- the present invention is an information processing system including the obfuscation device, a program, and an information processing device that executes the program, wherein the program uses the first table. And a process of calculating the first table output information from the first table input information.
- the present invention is a program in an information processing system including the obfuscation device, a program, and an information processing device that executes the program, the first table using the first table.
- First table output information from input information Includes processing to calculate information.
- the first process may be part of the decryption process!,.
- the first process may be part of a signature generation process.
- the present invention is a recording medium recording the program.
- the present invention is an information processing apparatus in an information processing system including the obfuscation apparatus, a program, and an information processing apparatus that executes the program, wherein the program uses the first table. And calculating the first table output information from the first tape notch input information.
- the present invention relates to the first process in which the first process output information including one or more numbers is calculated from the first process input information including one or more numbers.
- First conversion means for converting the first conversion input information, which is an integrated circuit of the obfuscation device for outputting a table, which is one or more powers, into the first conversion output information, which is one or more powers
- first table generation means for generating the first table showing correspondence between first table input information having one or more numbers and first table output information having one or more numbers.
- the first table input information is the number included in the first processing input information or the first conversion input information, and the number power included in the one or more number input powers of the additional input information.
- the output information includes the first processing output information or the first conversion output information. .
- the present invention is an integrated circuit of an information processing apparatus that performs information processing including the first processing, and a table holding unit that holds the first table, and the first table input unit. And output value calculation means for receiving the information and outputting the first table output information.
- the obfuscator outputs a program instead of the first table, and the obfuscator further includes the first table and one or more program instruction powers.
- the program instruction generation unit may generate the program, and the program instruction group may include processing for receiving the first table input information and outputting the corresponding first table output information.
- the present invention also provides a process using a first input value group, which is a set of one or more input values. Obfuscation and obfuscation of a program including a first process to be performed and a second process to perform a process using a second input value group that is a set including more input values than the first process.
- An obfuscated reading device for generating a computerized program, a second table in which the second input value group is associated with the second processing result, and an input unit for receiving the program;
- Table generation means for generating a first table in which an input value group and an additional input value group are associated with a processing result of the first processing after conversion; and the first processing in the program, The first input value group is replaced with processing for taking out the processing result from the first table, and the second processing is performed using the second input value group.
- the process 1 is a process in which a process using the additional input value group is added to the first process.
- Each of the above devices is specifically a computer system comprising a microprocessor, a ROM, a RAM, a hard disk unit, a display unit, a keyboard, a mouse and the like.
- a computer program is stored in the RAM or the hard disk unit.
- Each device achieves its function by operating according to the microprocessor program.
- the computer program is configured by combining a plurality of instruction codes indicating instructions for the computer in order to achieve a predetermined function.
- the system LSI is a super-multifunctional LSI manufactured by integrating a plurality of components on one chip, and more specifically, is a computer system including a microprocessor, ROM, RAM and the like. is there. A computer program is stored in the RAM. Microprocessor Power The system LSI achieves its functions by operating according to the computer program. [0214] In addition, each part of the constituent elements constituting each of the above-described devices may be individually provided in one chip, or may be provided in one chip so as to include part or all.
- the system LSI is sometimes referred to as an IC, an LSI, a super LSI, or an ultra LSI depending on the degree of force integration.
- the method of circuit integration is not limited to LSI's, and implementation using dedicated circuitry or general purpose processors is also possible.
- FPGA field programmable gate array
- reconfigurable 'processor that can reconfigure connection and setting of circuit cells in the LSI.
- a part or all of the constituent elements of each device described above may be configured as a removable IC card or a single module power of each device.
- the IC card or the module is a computer system including a microprocessor, a ROM, a RAM, and the like.
- the IC card or the module may include the above-described super-multifunctional LSI.
- the IC card or the module achieves its functions by the microprocessor operating according to the computer program. This IC card or this module may be tamper resistant!
- the present invention may be methods shown above.
- the present invention may be a computer program that realizes these methods by a computer, or may be a digital signal that also has the computer program power.
- the present invention relates to a computer readable recording medium that can read the computer program or the digital signal, such as a flexible disk, a hard disk, a CD-ROM, a MO, a DVD, a DVD, a ROM, a DVD, a RAM, and a BD. It may be recorded on a Blu-ray Disc), a semiconductor memory or the like. Also, the digital signal may be recorded on these recording media.
- a computer readable recording medium such as a flexible disk, a hard disk, a CD-ROM, a MO, a DVD, a DVD, a ROM, a DVD, a RAM, and a BD. It may be recorded on a Blu-ray Disc), a semiconductor memory or the like. Also, the digital signal may be recorded on these recording media.
- the present invention relates to the computer program or the digital signal, a communication line, a wireless or wired communication line, a network represented by the Internet, a network It may be transmitted via data broadcasting or the like.
- the present invention is a computer system comprising a microprocessor and a memory, wherein the memory stores the computer program, and the microprocessor operates according to the computer program. It is also good.
- the present invention may be a combination of the above-described embodiment and modification.
- Each apparatus constituting the present invention treats the information as a secret so as not to be known to a third party by encrypting and decrypting the information, applies a digital signature to the information, and performs a signature verification. It can be used managerially, continuously and repeatedly in any industry where information needs to be handled safely and securely, such as preventing information tampering and spoofing by others.
- each of the devices constituting the present invention can be manufactured and sold in the electric appliance manufacturing industry on a commercial basis and continuously and repeatedly.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007800154489A CN101432755B (zh) | 2006-04-28 | 2007-04-27 | 程序难破解化系统、程序难破解化装置及程序难破解化方法 |
JP2008513289A JP4938766B2 (ja) | 2006-04-28 | 2007-04-27 | プログラム難読化システム、プログラム難読化装置及びプログラム難読化方法 |
US12/297,929 US8479018B2 (en) | 2006-04-28 | 2007-04-27 | System for making program difficult to read, device for making program difficult to read, and method for making program difficult to read |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006125926 | 2006-04-28 | ||
JP2006-125926 | 2006-04-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007126049A1 true WO2007126049A1 (ja) | 2007-11-08 |
Family
ID=38655570
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2007/059158 WO2007126049A1 (ja) | 2006-04-28 | 2007-04-27 | プログラム難読化システム、プログラム難読化装置及びプログラム難読化方法 |
Country Status (5)
Country | Link |
---|---|
US (1) | US8479018B2 (ja) |
JP (1) | JP4938766B2 (ja) |
KR (1) | KR20080113277A (ja) |
CN (1) | CN101432755B (ja) |
WO (1) | WO2007126049A1 (ja) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011513787A (ja) * | 2008-03-05 | 2011-04-28 | イルデト・コーポレート・ビー・ヴイ | ホワイトボックス実装 |
JP2014109641A (ja) * | 2012-11-30 | 2014-06-12 | Kddi Corp | プログラムの変換装置及びプログラム |
JP2015504279A (ja) * | 2012-01-09 | 2015-02-05 | コーニンクレッカ フィリップス エヌ ヴェ | 鍵駆動の難読化を用いる仮想マシンデバイス及び方法 |
JP2015537298A (ja) * | 2012-11-07 | 2015-12-24 | コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. | 演算子のないコンパイラ |
JP2017533458A (ja) * | 2014-09-30 | 2017-11-09 | コーニンクレッカ フィリップス エヌ ヴェKonink | 難読化された算術を実行するための電子計算装置 |
JP2020510879A (ja) * | 2017-03-17 | 2020-04-09 | コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. | 楕円曲線点乗算デバイス及び方法 |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104335218B (zh) * | 2012-03-30 | 2017-08-11 | 爱迪德技术有限公司 | 使用基函数编码来保护可访问的系统 |
CN104798075A (zh) * | 2012-09-28 | 2015-07-22 | 惠普发展公司,有限责任合伙企业 | 应用随机化 |
BR112015014470A2 (pt) * | 2012-12-21 | 2017-07-11 | Koninklijke Philips Nv | compilador configurado para compilar um programa de computador, dispositivo de computação configurado para executar um programa de computador compilado por um compilador, método para executar um programa de computador compilado por um compilador e programa de computador |
FR3011354A1 (fr) * | 2013-10-01 | 2015-04-03 | Commissariat Energie Atomique | Procede d'execution par un microprocesseur d'un code binaire polymorphique d'une fonction predeterminee |
US10412054B2 (en) * | 2014-06-24 | 2019-09-10 | Nxp B.V. | Method for introducing dependence of white-box implementation on a set of strings |
JP6368051B2 (ja) | 2014-12-12 | 2018-08-01 | コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. | 電子生成装置 |
EP3238366B1 (en) | 2014-12-22 | 2019-03-13 | Koninklijke Philips N.V. | Electronic calculating device |
US10235506B2 (en) * | 2015-05-05 | 2019-03-19 | Nxp B.V. | White-box modular exponentiation |
US10372886B2 (en) * | 2015-05-05 | 2019-08-06 | Nxp B.V. | Protecting the input/output of modular encoded white-box RSA/ECC |
TWI580243B (zh) | 2015-10-06 | 2017-04-21 | 瑞昱半導體股份有限公司 | 解密裝置、方法及電路 |
TWI575924B (zh) * | 2015-10-06 | 2017-03-21 | 瑞昱半導體股份有限公司 | 解密裝置、方法及電路 |
CN106569778B (zh) * | 2015-10-13 | 2019-06-07 | 华为技术有限公司 | 一种数据处理的方法及电子设备 |
US11362824B2 (en) * | 2018-05-25 | 2022-06-14 | Intertrust Technologies Corporation | Content management systems and methods using proxy reencryption |
US10289816B1 (en) * | 2018-06-08 | 2019-05-14 | Gsfm Llc | Methods, systems, and devices for an encrypted and obfuscated algorithm in a computing environment |
US11509454B2 (en) * | 2019-05-22 | 2022-11-22 | Crypto Lab Inc. | Apparatus for processing modular multiply operation and methods thereof |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002046890A2 (en) * | 2000-12-08 | 2002-06-13 | Cloakware Corporation | System and method for protecting computer software from a white box attack |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19831884C2 (de) * | 1998-07-17 | 2001-09-20 | Ibm | System und Verfahren zum Schutz gegen analytisches Ausspähen von geheimen Informationen |
US7430670B1 (en) * | 1999-07-29 | 2008-09-30 | Intertrust Technologies Corp. | Software self-defense systems and methods |
CN1162783C (zh) * | 2001-11-09 | 2004-08-18 | 汪文虎 | 一种信息安全方法 |
JP2005049925A (ja) * | 2003-07-29 | 2005-02-24 | Nara Institute Of Science & Technology | プログラム難読化装置、プログラム難読化プログラム及びプログラム難読化方法 |
US7739521B2 (en) * | 2003-09-18 | 2010-06-15 | Intel Corporation | Method of obscuring cryptographic computations |
US7415618B2 (en) * | 2003-09-25 | 2008-08-19 | Sun Microsystems, Inc. | Permutation of opcode values for application program obfuscation |
US7587616B2 (en) * | 2005-02-25 | 2009-09-08 | Microsoft Corporation | System and method of iterative code obfuscation |
-
2007
- 2007-04-27 JP JP2008513289A patent/JP4938766B2/ja active Active
- 2007-04-27 WO PCT/JP2007/059158 patent/WO2007126049A1/ja active Application Filing
- 2007-04-27 KR KR1020087027105A patent/KR20080113277A/ko not_active Application Discontinuation
- 2007-04-27 CN CN2007800154489A patent/CN101432755B/zh active Active
- 2007-04-27 US US12/297,929 patent/US8479018B2/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002046890A2 (en) * | 2000-12-08 | 2002-06-13 | Cloakware Corporation | System and method for protecting computer software from a white box attack |
Non-Patent Citations (3)
Title |
---|
PLASMANS M.: "White-Box Cryptography for Digital Content Protection", MASTER'S THESIS FOR DEPARTMENT OF MATHEMATICS AND COMPUTER SCIENCE, TECHNISCHE UNIVERSITEIT EINDHOVEN, May 2005 (2005-05-01), pages 28 - 41, XP003019136, Retrieved from the Internet <URL:http://www.alexandria.tue.nl/extral/afstvers1/wsk-i.plasmans2005.pdf> * |
SHAND M. ET AL.: "Fast Implementations of RSA Cryptography", IEEE, 1993, pages 252 - 259, XP000419946, Retrieved from the Internet <URL:http://www.ieeexplore.ieee.org/iel2/3022/8615/00378085.pdf> * |
TYMA P.: "The New Obfuscation", JAVA.NET, 22 October 2004 (2004-10-22), pages 1 - 5, XP003019135, Retrieved from the Internet <URL:http://www.today.java.net/pub/a/today/2004/10/22/obfuscation.html> * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011513787A (ja) * | 2008-03-05 | 2011-04-28 | イルデト・コーポレート・ビー・ヴイ | ホワイトボックス実装 |
US8670559B2 (en) | 2008-03-05 | 2014-03-11 | Irdeto Corporate B.V. | White-box implementation |
JP2015504279A (ja) * | 2012-01-09 | 2015-02-05 | コーニンクレッカ フィリップス エヌ ヴェ | 鍵駆動の難読化を用いる仮想マシンデバイス及び方法 |
JP2015537298A (ja) * | 2012-11-07 | 2015-12-24 | コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. | 演算子のないコンパイラ |
JP2014109641A (ja) * | 2012-11-30 | 2014-06-12 | Kddi Corp | プログラムの変換装置及びプログラム |
JP2017533458A (ja) * | 2014-09-30 | 2017-11-09 | コーニンクレッカ フィリップス エヌ ヴェKonink | 難読化された算術を実行するための電子計算装置 |
JP2020510879A (ja) * | 2017-03-17 | 2020-04-09 | コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. | 楕円曲線点乗算デバイス及び方法 |
JP7123959B2 (ja) | 2017-03-17 | 2022-08-23 | コーニンクレッカ フィリップス エヌ ヴェ | 楕円曲線点乗算デバイス及び方法 |
Also Published As
Publication number | Publication date |
---|---|
KR20080113277A (ko) | 2008-12-29 |
US8479018B2 (en) | 2013-07-02 |
JP4938766B2 (ja) | 2012-05-23 |
CN101432755A (zh) | 2009-05-13 |
US20090228717A1 (en) | 2009-09-10 |
CN101432755B (zh) | 2011-01-12 |
JPWO2007126049A1 (ja) | 2009-09-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2007126049A1 (ja) | プログラム難読化システム、プログラム難読化装置及びプログラム難読化方法 | |
Josefsson et al. | Edwards-curve digital signature algorithm (EdDSA) | |
US6658569B1 (en) | Secret key cryptographic process for protecting a computer system against attacks by physical analysis | |
EP3632032B1 (en) | Cryptographic device and method | |
EP3596876B1 (en) | Elliptic curve point multiplication device and method for signing a message in a white-box context | |
CN109661792B (zh) | 计算分组密码的设备和方法 | |
JP3583555B2 (ja) | 暗号通信法 | |
WO2007074836A1 (ja) | 署名生成装置、署名生成方法及び署名生成プログラム | |
TW201044334A (en) | Encryption device, encryption method, and computer program | |
Josefsson et al. | RFC 8032: Edwards-curve digital signature algorithm (EdDSA) | |
US11502846B2 (en) | Whitebox computation of keyed message authentication codes | |
CN107204846A (zh) | 数字签名生成方法、系统、节点模块及共同随机数协商确定方法 | |
US20200097256A1 (en) | A calculation device for encoded addition | |
JP6502945B2 (ja) | 安全なデータ変換 | |
KR101440680B1 (ko) | 중국인 나머지 정리에 기반한 준동형 암복호화 방법 및 이를 이용한 장치 | |
JP5436373B2 (ja) | 秘匿性増強処理演算装置およびこれを備えた量子暗号通信端末 | |
JP2019504343A (ja) | 計算デバイス及び方法 | |
WO2016102445A1 (en) | Electronic calculating device | |
KR101153880B1 (ko) | 갈로아 변환을 이용한 키 생성 방법 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 07742593 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2008513289 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 200780015448.9 Country of ref document: CN |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1020087027105 Country of ref document: KR |
|
WWE | Wipo information: entry into national phase |
Ref document number: 12297929 Country of ref document: US |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 07742593 Country of ref document: EP Kind code of ref document: A1 |