Nothing Special   »   [go: up one dir, main page]

EP1839125A1 - Secure and compact exponentiation method for cryptography - Google Patents

Secure and compact exponentiation method for cryptography

Info

Publication number
EP1839125A1
EP1839125A1 EP05819349A EP05819349A EP1839125A1 EP 1839125 A1 EP1839125 A1 EP 1839125A1 EP 05819349 A EP05819349 A EP 05819349A EP 05819349 A EP05819349 A EP 05819349A EP 1839125 A1 EP1839125 A1 EP 1839125A1
Authority
EP
European Patent Office
Prior art keywords
exponentiation
group
registers
perform
addition
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
EP05819349A
Other languages
German (de)
French (fr)
Inventor
Marc Joye
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales DIS France SA
Original Assignee
Gemplus Card International SA
Gemplus SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gemplus Card International SA, Gemplus SA filed Critical Gemplus Card International SA
Publication of EP1839125A1 publication Critical patent/EP1839125A1/en
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/723Modular exponentiation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219Countermeasures against side channel or fault attacks
    • G06F2207/7261Uniform execution, e.g. avoiding jumps, or using formulae with the same power profile

Definitions

  • the present invention relates to a secure and compact exponentiation method, with particular application in the field of cryptology where cryptographic algorithms are implemented in electronic devices such as smart cards.
  • An electronic device intended to execute such an algorithm must contain in memory on the one hand the executory part to raise x to the power of d, and on the other hand the values of x and d.
  • the electronic component comprises a main central unit and a working memory with at least three registers (RO, R1, R2).
  • the "Square and Multiply" algorithm must include suitable countermeasures, that is, secure, against attacks aimed at discovering information contained and manipulated in processing by the computing device.
  • countermeasures are against hidden channel attacks, simple or differential.
  • a simple or differential hidden channel attack is defined as an attack based on a measurable physical quantity from outside the device, and whose direct analysis (single attack) or statistical analysis (differential attack) allows discover information contained and manipulated in treatments in the device. These attacks can thus reveal confidential information.
  • These attacks have been unveiled by Paul Kocher (Advances in Cryptology - CRYPTO '99, 1966 issue of Notes in Computer Science, pp.388-397, Springer-Verlag, 1999).
  • the method according to the invention has the particularity of performing only multiplication operations. This is particularly interesting in more constrained environments of the smart card type because only the latter operation must be implemented, either software or hardware.
  • the exponentiation method according to the invention is based on the following algorithm.
  • the method according to the invention can be schematized as follows:
  • the addition with the neutral element 0 may behave differently with respect to the hidden channel measurements and consequently generate a weakness.
  • the method according to the invention can easily be adapted.
  • step 1 above requests that the R2 register contains the value of 2.
  • the exponentiation method of the invention and its variants have the advantage of being resistant to SPA - type hidden channel attacks and "Safe - Error” attacks, contrary to the usual exponentiation algorithms which must integrate counter - attacks. measures to resist these attacks

Landscapes

  • Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Computational Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • General Engineering & Computer Science (AREA)
  • Complex Calculations (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for secure and compact exponentiation. The inventive method can be applied in the field of cryptology where cryptographic algorithms are used in electronic devices such as chip cards.

Description

PROCEDE D' EXPONENTIATION SECURISEE ET COMPACTE POUR LA SECURE AND COMPACT EXPONENTIATION METHOD FOR THE
CRYPTOGRAPHIECRYPTOGRAPHY
La présente invention concerne un procédé d' exponentiation sécurisée et compacte, avec application notamment dans le domaine de la cryptologie où l ' on met en oeuvre des algorithmes cryptographiques dans des dispositifs électroniques tels que des cartes à puce .The present invention relates to a secure and compact exponentiation method, with particular application in the field of cryptology where cryptographic algorithms are implemented in electronic devices such as smart cards.
De nombreux algorithmes cryptographiques sont basés sur des calculs d' exponentiation, dans un groupe algébrique, du type xd où x et d sont respectivement un élément et un exposant prédéterminés . Ceci est notamment le cas avec l ' algorithme RSA (Rivest, Shamir et Adleman) , lequel repose sur l' exponentiation dans le groupe multiplicatif de l' anneau des entiers modulo N, où N est le produit de deux grands nombres premiers . Le résultat de l' exponentiation peut correspondre par exemple à un texte chiffré ou déchiffré, une donnée signée ou vérifiée . D' autres algorithmes cryptographiques tels que l' algorithme d' ElGamal ou de Diffie-Hellman reposent sur l' exponentiation dans le groupe multiplicatif d' un corps ou dans le groupe des points d' une courbe elliptique .Many cryptographic algorithms are based on exponentiation calculations, in an algebraic group, of the type x d where x and d are respectively a predetermined element and exponent. This is particularly the case with the RSA algorithm (Rivest, Shamir and Adleman), which is based on the exponentiation in the multiplicative group of the ring of integers modulo N, where N is the product of two large prime numbers. The result of the exponentiation may correspond for example to an encrypted or decrypted text, a signed or verified data item. Other cryptographic algorithms such as the ElGamal or Diffie - Hellman algorithm rely on exponentiation in the multiplicative group of a body or in the group of points of an elliptic curve.
Un dispositif électronique prévu pour exécuter un tel algorithme doit contenir en mémoire d' une part la partie exécutoire pour élever x à la puissance de d, et d' autre part les valeurs de x et d.An electronic device intended to execute such an algorithm must contain in memory on the one hand the executory part to raise x to the power of d, and on the other hand the values of x and d.
Il existe différents types d' algorithmes d' exponentiation . On connaît notamment la méthode binaire de type « élévation au carré et multiplication », plus habituellement connue sous la terminologie anglo-saxonne « Square and Multiply ».There are different types of exponentiation algorithms. The binary method of the "squaring and multiplication" type is more particularly known. usually known in the English terminology "Square and Multiply".
Cet algorithme prend en entrée un élément x et un exposant d dont la représentation binaire est : { d [t-l ] , d [t-2 ] , ... , d [ l ] , d [ 0 ] } avec d [i] égal à 0 ou à 1 , et retourne l ' élément y = xAd, c ' est-à-dire x . x x (d fois ) .This algorithm takes as input an element x and an exponent d whose binary representation is: {d [tl], d [t-2], ..., d [l], d [0]} with d [i] equal to 0 or 1, and returns the element y = x A d, that is to say x. xx (d times).
L' algorithme « Square and Multiply » peut être schématisé ainsi :The "Square and Multiply" algorithm can be schematized as follows:
1 ) Initialiser le registre RO à 1 et le registre1) Initialize the register RO to 1 and the register
Rl à xRl to x
2 ) Pour i allant de t-1 à 0 , effectuer a) RO = R0A2 [mise au carré] ; b) si d [i] = 1 , alors effectuer RO = RO * Rl [multiplication] ;2) For i ranging from t-1 to 0, perform a) RO = R0 A 2 [squared]; b) if d [i] = 1, then perform RO = RO * Rl [multiplication];
3) Retourner RO .3) Return RO.
D' autres algorithmes connus pour l' exponentiation existent tels que la méthode de Yacobi, dite M, M3, la méthode des fenêtres glissantes , etc . Mais ces algorithmes sont plus complexes à mettre en oeuvre et par conséquent moins adaptés aux composants électroniques contraints du type carte à puce . Dans la suite de la description, le composant électronique comporte une unité centrale principale et une mémoire de travail avec au moins trois registres (RO , Rl , R2 )Other algorithms known for exponentiation exist such as the method of Yacobi, called M, M 3 , the method of sliding windows, etc. But these algorithms are more complex to implement and therefore less suitable for electronic components constrained chip card type. In the following description, the electronic component comprises a main central unit and a working memory with at least three registers (RO, R1, R2).
L' algorithme « Square and Multiply » (et les algorithmes cités ci-dessus ) doivent inclure des contre- mesures adaptées , c' est-à-dire sécurisées , contre des attaques visant à découvrir des informations contenues et manipulées dans des traitements effectués par le dispositif de calcul . Notamment, des contre-mesures sont prévues contre les attaques dites à canaux cachés , simples ou différentielles . On entend par attaque à canal caché simple ou différentielle, une attaque basée sur une grandeur physique mesurable de l ' extérieur du dispositif, et dont l ' analyse directe (attaque simple) ou l ' analyse selon une méthode statistique (attaque différentielle) permet de découvrir des informations contenues et manipulées dans des traitements dans le dispositif . Ces attaques peuvent ainsi permettre de découvrir des informations confidentielles . Ces attaques ont notamment été dévoilées par Paul Kocher (Advances in Cryptology - CRYPTO ' 99, vol . 1966 de Lecture Notes in Computer Science, pp.388-397. Springer-Verlag, 1999) . Parmi les grandeurs physiques qui peuvent être exploitées à ces fins , on peut citer la consommation en courant, le champ électromagnétique ... Ces attaques sont basées sur le fait que la manipulation d' un bit, c ' est à dire son traitement par une instruction particulière a une empreinte particulière sur la grandeur physique considérée selon sa valeur .The "Square and Multiply" algorithm (and the algorithms cited above) must include suitable countermeasures, that is, secure, against attacks aimed at discovering information contained and manipulated in processing by the computing device. In particular, countermeasures are against hidden channel attacks, simple or differential. A simple or differential hidden channel attack is defined as an attack based on a measurable physical quantity from outside the device, and whose direct analysis (single attack) or statistical analysis (differential attack) allows discover information contained and manipulated in treatments in the device. These attacks can thus reveal confidential information. These attacks have been unveiled by Paul Kocher (Advances in Cryptology - CRYPTO '99, 1966 issue of Notes in Computer Science, pp.388-397, Springer-Verlag, 1999). Among the physical quantities that can be exploited for these purposes are the current consumption, the electromagnetic field ... These attacks are based on the fact that the manipulation of a bit, that is to say its treatment by a particular instruction has a particular imprint on the physical quantity considered according to its value.
Les algorithmes d' exponentiation précités ont dû inclure des contre-mesures pour empêcher ces attaques de prospérer . Par exemple, l ' algorithme « Square and Multiply Always », selon la terminologie anglo-saxonne, et qui signifie « élever au carré et multiplier touj ours », est une variante sécurisée de l ' algorithme « Square and Multiply » dans lequel l ' opération était conditionnelle à la valeur du bit en cours de traitement, donc permettant des attaques à canaux cachés . Cet algorithme prend en entrée un élément x et un exposant d dont la représentation binaire est :The aforementioned exponentiation algorithms had to include countermeasures to prevent these attacks from flourishing. For example, the "Square and Multiply Always" algorithm, which means "squaring and multiplying always", is a secure variant of the "Square and Multiply" algorithm in which the "Square and Multiply Always" algorithm is used. operation was conditional on the value of the bit being processed, thus allowing for hidden channel attacks. This algorithm takes as input an element x and an exponent d whose binary representation is:
{ d [t-l ] , d [t-2 ] , ... , d [ l ] , d [ 0 ] } avec d [i] égal à 0 ou à 1 , et retourne l ' élément y = xAd, c ' est à dire x . x x (d fois ) .{d [tl], d [t-2], ..., d [l], d [0]} with d [i] equal to 0 or 1, and returns the element y = x A d, that is x. xx (d times).
L' algorithme « Square and Multiply Always » peut être schématisé ainsi :The "Square and Multiply Always" algorithm can be schematized as follows:
1 ) Initialiser les registres RO et Rl à 1 et le registre R2 à x ;1) Initialize the registers RO and R1 to 1 and the register R2 to x;
2 ) Pour i allant de t-1 à 0 , effectuer a) RO = R0A2 [mise au carré] ; b) b = 1 - d [i] ; Rb = Rb * R22) For i ranging from t-1 to 0, perform a) RO = R0 A 2 [squared]; b) b = 1 - d [i]; Rb = Rb * R2
[multiplication] ; 3) Retourner RO .[multiplication]; 3) Return RO.
L ' algorithme du « Square and Multiply Always » résiste contre certaines attaques simples (dites de type SPA pour « Simple Power Analysis » selon la terminologie anglo-saxonne) mais demande un registre supplémentaire . Il est important de remarquer que le registre Rl est inutile au calcul lui-même ; il est utilisé pour effectuer une multiplication factice lorsque à l ' itération i le bit d [i] de l ' exposant d est égal à 0 (et par conséquent b=l ) de sorte que quelle que soit la valeur du bit de l ' exposant d, une itération i consiste en une étape de mise au carré suivie d' une multiplication .The "Square and Multiply Always" algorithm is resistant to certain simple attacks (so-called SPA for "Simple Power Analysis" in the English terminology) but requires an additional registry. It is important to notice that the register R1 is useless to the calculation itself; it is used to perform a dummy multiplication when at iteration i the bit d [i] of the exponent d is equal to 0 (and consequently b = 1) so that whatever the value of the bit of the exponent d, an iteration i consists of a squaring step followed by a multiplication.
Malheureusement, bien que résistant aux attaques de type SPA, l ' introduction d' opérations factices engendre un autre type de faiblesse . Une classe d' attaques (appelées selon la terminologie anglo-saxonne « safe- error attacks ») a été introduite par Sung-Ming Yen et Marc Joye (« Checking before output may not be enough against fault-based cryptanalysis », IEEE Transactions on Computers , vol . 49, pages 967-970 , 2000 ) . Appliquée à l ' algorithme du « Square and Multiply Always », l ' idée consiste à induire une faute durant l ' opération de multiplication (Etape 2b) à l ' itération i . Si le résultat de l ' exponentiation y = xAd est correct, cela signifie que cette opération de multiplication était factice et par conséquent que le bit correspondant de d est égal à 0 (i . e . , d [i] = 0 ) . Au contraire, si le résultat de l ' exponentiation est incorrect, cela signifie que le bit correspondant de d est égal à 1 (i . e . , d [i] = 1 ) . Un attaquant peut ainsi retrouver bit à bit la valeur de l ' exposant d.Unfortunately, although resistant to SPA attacks, the introduction of dummy operations creates another type of weakness. A class of attacks (called "safe-error attacks") has been introduced by Sung-Ming Yen and Marc Joye ("Checking before output may not be enough"). against fault-based cryptanalysis ", IEEE Transactions on Computers, Vol. 49, pp. 967-970, 2000). Applied to the "Square and Multiply Always" algorithm, the idea is to induce a fault during the multiplication operation (Step 2b) at iteration i. If the result of the exponentiation y = x A d is correct, this means that this multiplication operation was dummy and therefore the corresponding bit of d is equal to 0 (i e, d [i] = 0). . On the contrary, if the result of the exponentiation is incorrect, it means that the corresponding bit of d is equal to 1 (i, e, d [i] = 1). An attacker can thus find bit by bit the value of the exponent d.
Dans l ' invention, on s ' intéresse à un procédé d' exponentiation possédant les mêmes avantages que l ' algorithme du « Square and Multiply Always », à savoir la résistance contre les attaques de type SPA, mais , contrairement à celui-ci, en n ' effectuant aucune opération factice .In the present invention, an exponentiation method having the same advantages as the "Square and Multiply Always" algorithm, namely the resistance against SPA type attacks, is of interest, but, unlike the latter, by not performing any dummy operation.
En outre, de façon remarquable, le procédé selon l' invention possède la particularité de n ' effectuer que des opérations de multiplications . Cela est particulièrement intéressant dans les environnements plus contraints du type carte à puce car seule cette dernière opération doit être implémentée, soit de façon logicielle, soit de façon matérielle .In addition, remarkably, the method according to the invention has the particularity of performing only multiplication operations. This is particularly interesting in more constrained environments of the smart card type because only the latter operation must be implemented, either software or hardware.
Ainsi, il en résulte : - soit un gain en taille de mémoire code (de typeThus, the result is: - either a gain in code memory size (of type
ROM ou EEPROM par exemple) pour une implémentation logicielle,ROM or EEPROM for example) for a software implementation,
- soit un gain de taille de circuit pour une implémentation matérielle, parce que l ' opération de mise au carré n ' est pas nécessaire .- a gain in circuit size for a hardware implementation, because the squaring operation is not necessary.
On rappellera que sur un ensemble noté additivement, tel le groupe des points d' une courbe elliptique, l ' exponentiation s ' écrit Q = d. P, où P et Q sont des éléments de l' ensemble noté additivement (courbe elliptique) et d est un exposant . Ceci est également le cas lorsqu' on travaille dans le groupe additif d' un anneau ou d' un corps . Dans la suite, on se place dans le cas général, conventionnel, ce qui veut dire que l ' on utilisera la notation multiplicative, sauf mention explicite contraire .It will be recalled that on a set noted additively, such as the group of points of an elliptic curve, the exponentiation is written Q = d. P, where P and Q are elements of the set noted additively (elliptic curve) and d is an exponent. This is also the case when working in the additive group of a ring or a body. In the following, one places oneself in the general, conventional case, which means that one will use the multiplicative notation, except explicit mention opposite.
De façon plus détaillée, le procédé d' exponentiation selon l ' invention repose sur l ' algorithme suivant .In more detail, the exponentiation method according to the invention is based on the following algorithm.
Cet algorithme prend en entrée un élément x et un exposant d dont la représentation binaire est : { d [t-l ] , d [t-2 ] , ... , d [ l ] , d [ 0 ] } avec d [i] égal à 0 ou à 1 , et retourne l ' élément y = xAd, c ' est à dire x . x x (d fois ) .This algorithm takes as input an element x and an exponent d whose binary representation is: {d [tl], d [t-2], ..., d [l], d [0]} with d [i] equal to 0 or 1, and returns the element y = x A d, ie x. xx (d times).
En notation multiplicative, le procédé selon l' invention peut être schématisé de la façon suivante :In multiplicative notation, the method according to the invention can be schematized as follows:
1 ) Initialiser le registre RO à 1 et les registres1) Initialize the RO register to 1 and the registers
Rl et R2 à x ;R1 and R2 to x;
2 ) Pour i allant de 0 à t-1 , effectuer a) b = 1 - d [i] ; b) Rb = Rb * R2 [ lère multiplication] ; c) R2 = RO * Rl [2nde multiplication] ;2) For i ranging from 0 to t-1, perform a) b = 1 - d [i]; b) Rb = Rb * R2 [l multiplication era]; c) R2 = RO * R1 [2 n of multiplication];
3) Retourner RO .3) Return RO.
L ' algorithme précédent peut évidemment s ' écrire de façon additive . Comme précédemment, il prend en entrée un élément P et un exposant d dont la représentation binaire estThe preceding algorithm can obviously be written additively. As before, it takes as input an element P and an exponent d whose binary representation is
{ d [t-l ] , d [t-2 ] , ... , d [ l ] , d [ 0 ] } avec d [i] égal à 0 ou à 1 , et retourne l ' élément Q = d . P, c ' est à dire P + P ... + P (d fois ) .{d [t-1], d [t-2], ..., d [1], d [0]} with d [i] equal to 0 or 1, and return the element Q = d. P, ie P + P ... + P (d times).
Dans ce cas , en notation additive, le procédé selon l' invention peut être schématisé de la façon suivante :In this case, in additive notation, the method according to the invention can be schematized as follows:
1 ) Initialiser le registre RO à 0 et les registres1) Initialize the RO register to 0 and the registers
Rl et R2 à P ;R1 and R2 to P;
2 ) Pour i allant de 0 à t-1 , effectuer a) b = 1 - d [i] ; b) Rb = Rb + R2 [ lère addition] ; c) R2 = RO + Rl [2nde addition] ;2) For i ranging from 0 to t-1, perform a) b = 1 - d [i]; b) Rb = Rb + R2 [l addition era]; c) R2 = RO + Rl [2 nd addition];
3) Retourner RO .3) Return RO.
Dans certains groupes algébriques , l ' addition avec l ' élément neutre 0 (respectivement la multiplication avec l ' élément neutre 1 en notation multiplicative) peut se comporter différemment par rapport aux mesures à canaux cachés et par conséquent engendrer une faiblesse . Dans ce cas , le procédé selon l ' invention peut être facilement adapté . Nous illustrons la technique pour un groupe noté de façon additive, comme par exemple l ' ensemble des points d' une courbe elliptique . L ' algorithme commence à l ' itération i=l de sorte qu ' aucun des registres n ' est initialisé avec la valeur 0 (appelé point à l ' infini pour une courbe elliptique) de la façon suivante .In some algebraic groups, the addition with the neutral element 0 (respectively the multiplication with the neutral element 1 in multiplicative notation) may behave differently with respect to the hidden channel measurements and consequently generate a weakness. In this case, the method according to the invention can easily be adapted. We illustrate the technique for a group noted additively, such as the set of points of an elliptic curve. The algorithm starts at the iteration i = 1 so that none of the registers is initialized with the value 0 (called point at infinity for an elliptic curve) in the following manner.
En conservant la notation additive, il existe une variante selon l' invention qui peut être schématisée de la façon suivante : 1 ) Initialiser le registre RO et Rl à P et le registre R2 à 2. P ;Keeping the additive notation, there is a variant according to the invention which can be schematized as follows: 1) Initialize the register RO and R1 to P and the register R2 to 2. P;
2 ) Pour i allant de 1 à t-1 , effectuer a) b = 1 - d [i] ; b) Rb = Rb + R2 [ lère addition] ; c) R2 = RO + Rl [2nde addition] ;2) For i ranging from 1 to t-1, perform a) b = 1 - d [i]; b) Rb = Rb + R2 [l addition era]; c) R2 = RO + Rl [2 nd addition];
3) Si d [ 0 ] = 0 alors effectuer RO = RO - P ;3) If d [0] = 0 then perform RO = RO - P;
4 ) Retourner RO .4) Return RO.
On notera que l ' initialisation de cette varianteNote that the initialization of this variant
(étape 1 ci-dessus ) demande que le registre R2 contient la valeur de 2. P . Cette valeur peut être soit précalculée, soit calculée au moment de l ' exponentiation Q=d. P . Dans ce dernier cas , si aucune routine de doublement n ' est disponible, l ' évaluation de 2. P peut se faire à partir d' addition uniquement en effectuant ( (P+T) + (P-T) ) où T est un élément connu, distinct de P, du groupe sous-j acent, typiquement un élément de la clé publique .(step 1 above) requests that the R2 register contains the value of 2. P. This value can be either precalculated or calculated at the time of exponentiation Q = d. P. In the latter case, if no doubling routine is available, the evaluation of 2. P can be done from addition only by performing ((P + T) + (PT)) where T is a known element. , distinct from P, from the underlying group, typically an element of the public key.
Le procédé d' exponentiation de l' invention et ses variantes présentent l ' avantage d' être résistants aux attaques à canaux cachés de type SPA et aux attaques « Safe-Error », contrairement aux algorithmes d' exponentiation habituels qui doivent intégrer des contre-mesures pour résister à ces attaquesThe exponentiation method of the invention and its variants have the advantage of being resistant to SPA - type hidden channel attacks and "Safe - Error" attacks, contrary to the usual exponentiation algorithms which must integrate counter - attacks. measures to resist these attacks
De plus , et de manière remarquable, le procédé d' exponentiation de l' invention et ses variantes présentent l' avantage supplémentaire de ne réaliser que des opérations de multiplication (ou d' addition en notation additive) . On comprendra que l ' invention se prête à de nombreuses variantes de mise en oeuvre .In addition, and remarkably, the exponentiation method of the invention and its variants have the additional advantage of only performing multiplication operations (or additive addition). It will be understood that the invention lends itself to many variants of implementation.
La description a été donnée dans le cadre d' un environnement de type carte à puce . Il est cependant clair que les enseignements se transposent à d' autres applications , telles que dans les terminaux informatiques, de communication sur réseau ou autres , et à tout autre dispositif électronique qui fait appel à des calculs cryptographiques . The description was given in the context of a smart card type environment. However, it is clear that the teachings are transposed to other applications, such as in computer terminals, network communication or other, and any other electronic device that uses cryptographic calculations.

Claims

REVENDICATIONS
1. Procédé destiné à réaliser des calculs d' exponentiation dans un groupe algébrique noté de façon multiplicative, du type x puissance d (xd) , où x est un élément dudit groupe et d un exposant prédéterminé dont la représentation binaire est { d [t- 1 ] , d [t-2 ] , ... , d [ l ] , d [ 0 ] } avec d [i] égal à 0 ou à 1 , destiné à un composant électronique comportant une unité centrale principale et une mémoire de travail avec au moins trois registres (RO , Rl , R2 ) , procédé caractérisé en ce qu' il retourne l ' élément y tel que yA method for performing exponentiation calculations in a multiplicatively noted algebraic group of the type x power d (x d ), where x is an element of said group and a predetermined exponent whose binary representation is {d [ t-1], d [t-2], ..., d [1], d [0]} with d [i] equal to 0 or 1, for an electronic component comprising a main CPU and a working memory with at least three registers (RO, R1, R2), characterized in that it returns the element y such that y
= xAd, c ' est-à-dire x . x x (d fois ) , et en ce qu ' il comprend les étapes suivantes := x A d, that is x. xx (d times), and in that it comprises the following steps:
1 ) Initialiser le registre RO à 1 et les registres Rl et R2 à x ;1) Initialize the register RO to 1 and the registers R1 and R2 to x;
2 ) Pour i allant de 0 à t-1 , effectuer : a) b = 1 - d [i] ; b) Rb = Rb * R2 [ lère multiplication] ; c) R2 = RO * Rl [2nde multiplication] ; 3) Retourner RO .2) For i ranging from 0 to t-1, perform: a) b = 1 - d [i]; b) Rb = Rb * R2 [l multiplication era]; c) R2 = RO * R1 [2 n of multiplication]; 3) Return RO.
2. Procédé d' exponentiation dans un groupe algébrique noté de façon additive, du type d fois P (d. P) , où P est un élément dudit groupe et d un exposant prédéterminé dont la représentation binaire est { d [t- 1 ] , d [t-2 ] , ... , d [ l ] , d [ 0 ] } avec d [i] égal à 0 ou à 1 , destiné à un composant électronique comportant une unité centrale principale et une mémoire de travail comportant au moins trois registres (RO , Rl , R2 ) , procédé caractérisé en ce qu' il retourne l ' élément Q tel que Q = d. P, c ' est-à-dire P + P ... + P (d fois) , et en ce qu ' il comprend les étapes suivantes : :2. A method of exponentiation in an additively denoted algebraic group, of the d-time type P (d, P), where P is an element of said group and a predetermined exponent whose binary representation is {d [t-1] , d [t-2], ..., d [1], d [0]} with d [i] equal to 0 or 1, for an electronic component comprising a main central unit and a working memory comprising at least three registers (RO, R1, R2), characterized in that it returns the element Q such that Q = d. P, that is P + P ... + P (d times), and in that it comprises the following steps:
1 ) Initialiser le registre RO à 0 et les registres Rl et R2 à P ; 2 ) Pour i allant de 0 à t-1 , effectuer : a) b = 1 - d [i] ; b) Rb = Rb + R2 [ lère addition] ; c) R2 = RO + Rl [2nde addition] ; 3) Retourner RO .1) Initialize the register RO to 0 and the registers R1 and R2 to P; 2) For i ranging from 0 to t-1, perform: a) b = 1 - d [i]; b) Rb = Rb + R2 [l addition era]; c) R2 = RO + Rl [2 nd addition]; 3) Return RO.
3. Procédé d' exponentiation selon la revendication 2 , caractérisé en ce qu' il comporte les étapes suivantes :3. Process for exponentiation according to claim 2, characterized in that it comprises the following steps:
1 ) Initialiser le registre RO à P et les registres Rl et R2 à 2. P ;1) Initialize the register RO to P and the registers R1 and R2 to 2. P;
2 ) Pour i allant de 1 à t-1 , effectuer a) b = 1 - d [i] ; b) Rb = Rb + R2 [ lère addition] ; c) R2 = RO + Rl [2nde addition] ; 3) Si d [ 0 ] = 0 alors effectuer RO = RO - P ;2) For i ranging from 1 to t-1, perform a) b = 1 - d [i]; b) Rb = Rb + R2 [l addition era]; c) R2 = RO + Rl [2 nd addition]; 3) If d [0] = 0 then perform RO = RO - P;
4 ) Retourner RO .4) Return RO.
4. Procédé d' exponentiation selon la revendication 3, caractérisé en ce que l' évaluation du double de l' élément P (2. P) dans le dit groupe se fait à partir d' additions uniquement ( (P+T) + (P-T) ) en additionnant un premier élément (P+T) formé de la somme dudit élément P et d' un autre élément connu T, distinct de P, dudit groupe et un second élément (P-T) formé de la différence dudit élément P et dudit élément T .4. Exponentiation method according to claim 3, characterized in that the evaluation of the double of the element P (2. P) in said group is made from additions only ((P + T) + ( PT)) by adding a first element (P + T) formed of the sum of said element P and of another known element T, distinct from P, of said group and a second element (PT) formed by the difference of said element P and said element T.
5. Procédé d' exponentiation selon la revendication 1 , caractérisé en ce que ledit groupe algébrique est le groupe multiplicatif d' un anneau ou d' un corps .5. Process for exponentiation according to claim 1, characterized in that said algebraic group is the multiplicative group of a ring or a body.
6. Procédé d' exponentiation selon l' une quelconque des revendications 2 à 4 , caractérisé en ce que ledit groupe algébrique est le groupe additif d' un anneau ou d' un corps . 6. Process for exponentiation according to any one of claims 2 to 4, characterized in that said algebraic group is the additive group of a ring or a body.
7. Procédé d' exponentation selon l' une quelconque des revendications 2 à 4 , caractérisé en ce que ledit groupe algébrique est le groupe des points d' une courbe elliptique .7. Exponentation method according to any one of claims 2 to 4, characterized in that said algebraic group is the group of points of an elliptical curve.
55
8. Procédé d' exponentiation selon la revendication 4 , appliqué à la cryptographie à clé publique et caractérisé en ce que l' élément connu (T) est un élément de la clé publique .8. Exponentiation method according to claim 4, applied to public key cryptography and characterized in that the known element (T) is an element of the public key.
1010
9. Procédé d' exponentiation selon l' une quelconque des revendications précédentes , caractérisé en ce qu' il est mis en oeuvre dans un composant électronique .9. Process for exponentiation according to any one of the preceding claims, characterized in that it is implemented in an electronic component.
15 10. Procédé d' exponentiation selon la revendication 9, caractérisé en ce que ledit composant électronique est une carte à puce . 10. Process for exponentiation according to claim 9, characterized in that said electronic component is a smart card.
EP05819349A 2004-12-23 2005-12-09 Secure and compact exponentiation method for cryptography Ceased EP1839125A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0453168A FR2880148A1 (en) 2004-12-23 2004-12-23 SECURE AND COMPACT EXPONENTIATION METHOD FOR CRYPTOGRAPHY
PCT/EP2005/056663 WO2006067057A1 (en) 2004-12-23 2005-12-09 Secure and compact exponentiation method for cryptography

Publications (1)

Publication Number Publication Date
EP1839125A1 true EP1839125A1 (en) 2007-10-03

Family

ID=34954156

Family Applications (1)

Application Number Title Priority Date Filing Date
EP05819349A Ceased EP1839125A1 (en) 2004-12-23 2005-12-09 Secure and compact exponentiation method for cryptography

Country Status (5)

Country Link
US (1) US20080130877A1 (en)
EP (1) EP1839125A1 (en)
JP (1) JP2008525834A (en)
FR (1) FR2880148A1 (en)
WO (1) WO2006067057A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2169535A1 (en) * 2008-09-22 2010-03-31 Thomson Licensing Method, apparatus and computer program support for regular recoding of a positive integer
EP2504757B1 (en) 2010-01-28 2013-11-06 NDS Limited Exponentiation system
JP5926655B2 (en) * 2012-08-30 2016-05-25 ルネサスエレクトロニクス株式会社 Central processing unit and arithmetic unit
CN108242994B (en) 2016-12-26 2021-08-13 阿里巴巴集团控股有限公司 Key processing method and device
WO2022271163A1 (en) * 2021-06-23 2022-12-29 Pqsecure Technologies, Llc Computer processing architecture and method for supporting multiple public-key cryptosystems based on exponentiation

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2810178B1 (en) * 2000-06-13 2004-10-29 Gemplus Card Int CRYPTOGRAPHIC CALCULATION PROCESS INCLUDING A MODULAR EXPONENTIATION ROUTINE
DE10127195A1 (en) * 2001-06-05 2002-12-19 Infineon Technologies Ag Processor with internal memory configuration allowing register memory to store as many as possible operands with remainder of memory capacity used for storing other data
DE10143728B4 (en) * 2001-09-06 2004-09-02 Infineon Technologies Ag Device and method for calculating a result of a modular exponentiation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2006067057A1 *

Also Published As

Publication number Publication date
JP2008525834A (en) 2008-07-17
US20080130877A1 (en) 2008-06-05
FR2880148A1 (en) 2006-06-30
WO2006067057A1 (en) 2006-06-29

Similar Documents

Publication Publication Date Title
US8402287B2 (en) Protection against side channel attacks
EP1358732B2 (en) Secure encryption method and component using same
US20170187529A1 (en) Modular multiplication device and method
EP2380306A1 (en) Cryptography circuit protected against observation attacks, in particular of a high order
EP2005291A2 (en) Decryption method
WO2000059156A1 (en) Countermeasure procedures in an electronic component implementing an elliptical curve type public key encryption algorithm
EP1381936B1 (en) Countermeasure method in an electronic component using a public key cryptographic algorithm on an elliptic curve
JP2008542802A (en) Modular reciprocal determination
FR3095709A1 (en) MASKING PROCESS AND SYSTEM FOR CRYPTOGRAPHY
WO2006067057A1 (en) Secure and compact exponentiation method for cryptography
EP1904921A1 (en) Cryptographic method for securely implementing an exponentiation and related component
EP1994465A1 (en) Method of securing a calculation of an exponentiation or a multiplication by a scalar in an electronic device
EP1421473A1 (en) Universal calculation method applied to points on an elliptical curve
WO2003014916A1 (en) Secure method for performing a modular exponentiation operation
Kim et al. Message blinding method requiring no multiplicative inversion for RSA
EP1254408B1 (en) Modular exponential algorithm in an electronic component using a public key encryption algorithm
Park et al. An improved side channel attack using event information of subtraction
WO2004111831A2 (en) Method for countermeasuring by masking the accumulator
FR2856538A1 (en) COUNTERMEASURE METHOD IN AN ELECTRONIC COMPONENT USING A CRYPTOGRAPHIC ALGORITHM OF THE PUBLIC KEY TYPE
WO2004017193A2 (en) Method for universal calculation applied to points of an elliptic curve
US20230344616A1 (en) Protection against side-channel attacks using a square masking
FR2825863A1 (en) Computation of secure power function for cryptographic algorithms, at least a bit or figure of an indexed x power number is iteratively processed
WO2002093411A1 (en) Device used to perform exponentiation calculations applied to points on an elliptical curve
EP4404501A1 (en) Protection against side-channel attacks of a cryptographic algorithm involving a substitution table
FR2854997A1 (en) Chip card counter measure having two random numbers providing isomorphic elliptical curve/point coordinates and exponential algorithm applied providing second point coordinates

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20070723

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20080707

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: GEMALTO SA

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED

18R Application refused

Effective date: 20100625