Total found: 226. Shown: 100.

Publication date: 19-02-2015

Differential power analysis - resistant cryptographic processing

Number: US20150052368A1
Assignee: Cryptography Research Inc

Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.

Publication date: 20-08-2020

Calculating device and method

Number: US20200264872A1
Assignee: Koninklijke Philips NV

A calculating device (100) arranged to perform calculations on elements of a ring (R), a ring addition and a ring multiplication being defined on the ring. The calculating device comprises an operator module (120) comprising multiple operator units, and a calculation manager (130) arranged to perform a ring multiplication by applying a sequence of the multiple operator units, and to perform a ring addition by applying a sequence of the multiple operator units, wherein the sequence for the ring multiplication is the same as the sequence for the ring addition.

Publication date: 20-08-2020

SYSTEMS AND METHODS FOR OPERATING SECURE ELLIPTIC CURVE CRYPTOSYSTEMS

Number: US20200266986A1
Assignee: MAXIM INTEGRATED PRODUCTS, INC.

Various embodiments of the invention implement countermeasures designed to withstand attacks by potential intruders who seek partial or full retrieval of elliptic curve secrets by using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks, and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, caused by the detectability of scalar values from information leaked during regular operation flow that would otherwise compromise system security. In certain embodiments, system immunity is maintained by performing elliptic scalar operations that use secret-independent operation flow in a secure Elliptic Curve Cryptosystem.

1. A secure Elliptic Curve Cryptosystem (ECC) for performing elliptic scalar operations, the ECC comprising: a secure microcontroller that is embedded in a computing system, the secure microcontroller comprising a cryptography circuit configured to implement a countermeasure and prevent secret scalar leakage; and
receiving an elliptic point, P/2, and the secret scalar, k;
initializing a value Q to the elliptic point that does not include an initial value at an infinity point;
processing the secret key bits of the secret scalar in sequential steps, wherein processing comprises doubling the value Q, wherein each step comprises performing elliptic operations comprising at least one of elliptical point subtraction or addition;
performing an elliptical point subtraction by subtracting the elliptic point, P/2, from the value Q to compute a product kP; and
determining a difference between the value Q and the elliptic point outside of a balanced loop configuration to protect a least ...

Publication date: 16-01-2020

COMPUTER DEVICE AND METHOD

Number: RU2018125606A

RUSSIAN FEDERATION (19) RU (11) 2018 125 606 (13) A (51) IPC G06F 21/14 (2013.01) FEDERAL SERVICE FOR INTELLECTUAL PROPERTY (12) APPLICATION FOR INVENTION (21)(22) Application: 2018125606, 05.12.2016 (71) Applicant(s): KONINKLIJKE PHILIPS N.V. (NL) Priority: (30) Convention priority: 14.12.2015 NL 2015955 (85) Date of commencement of the national phase of the PCT application: 16.07.2018 (43) Application publication date: 16.01.2020 Bull. No. 2 (72) Inventor(s): SCHEPERS Hendrik Jan Jozef Hubertus (NL), GORISSEN Mathias Hubertus Mechtildis Antonius (NL), MARIN Leandro (NL) (86) PCT application: (87) PCT publication: WO 2017/102392 (22.06.2017) Correspondence address: 129090, Moscow, ul. B. Spasskaya, 25, str. 3, OOO "Gorodissky and Partners Law Firm"

(57) Claims 1. A calculating device (100) arranged to perform calculations on elements of a ring (R), a ring addition and a ring multiplication being defined on the ring, the calculating device comprising an operand store (110) arranged to store encoded ring elements (112, 114, 116; 212), an encoded ring element being a ring element in encoded form, an operator module (120; 220) comprising multiple operator units, at least one of the operator units being a binary operator unit (122; 222, 224) arranged to: receive an encoded ring element and a parameter, and perform a fixed calculation on said encoded ring element and parameter, thereby producing a new encoded ring element, and a calculation manager (130) arranged to: receive a first encoded ring element and a second encoded ring element, perform a ring multiplication by applying a sequence of said multiple operator units to the first encoded ring element using parameters derived at least from the second ...

Publication date: 16-04-2020

Patent RU2018125606A3

Number: RU2018125606A3
Author: [UNK]
Assignee: [UNK]

RU 2018125606 A3 Publication date: 16.04.2020 Form No. 18 IZIM-2011 Federal Service for Intellectual Property, Federal State Budgetary Institution "Federal Institute of Industrial Property" (FIPS) SEARCH REPORT 1. IDENTIFICATION OF THE APPLICATION Registration number 2018125606/28(040526), filing date 05.12.2016; PCT/EP2016/079694, 05.12.2016. Priority established by the date of: [ ] filing of the application [ ] receipt of additional materials to the earlier filed application No. [ ] priority of the original application No. from which this application is divided [ ] filing of the original application No. from which this application is divided [ ] filing of the earlier filed application No. [X] filing of the first application(s) in a state party to the Paris Convention (31) Number of first application(s) (32) Filing date of first application(s) (33) Country code: 1. 2015955 14.12.2015 NL. Title of the invention (utility model): [X] as claimed; [ ] amended (see Notes): CALCULATING DEVICE AND METHOD. Applicant: KONINKLIJKE PHILIPS N.V., NL. 2. UNITY OF INVENTION [X] complied with [ ] not complied with. Explanations: see Notes. 3. CLAIMS: [ ] all claims taken into account [X] the following claims taken into account: 1-14, 16 (see Notes) [ ] amended claims taken into account (see Notes). 4. CLASSIFICATION OF THE SUBJECT OF THE INVENTION (UTILITY MODEL) (IPC indices and current version indicator are given) G06F 21/14 (2013.01) G06F 7/00 (2006.01). 5. FIELD OF SEARCH 5.1 PCT minimum documentation checked (indicated by IPC indices) G06F 7/00, 7/06, 7/38, 7/46, 7/50, 21/00, 21/10, 21/12, 21/14, H04L 9/00, 9/28. 5.2 Other documentation checked to the extent included in the search files: 5.3 Electronic databases used in the search (name of database and, where possible, search terms): [illegible], DWPI, E-Library, EAPATIS, EBSCO, Espacenet, Google, Google Patents, PlatPat, KIPRIS, LexisNexis, PATENTSCOPE, PatSearch, Questel-Orbit, RUPTO, USPTO 6. ...

Publication date: 10-11-2008

SPA-resistant Left-to-Right Recoding and Unified Scalar Multiplication Methods

Number: KR100867989B1
Assignee: Electronics and Telecommunications Research Institute (한국전자통신연구원)

The present invention relates to a left-to-right recoding technique secure against simple power analysis and a scalar multiplication method unified with it. In a scalar multiplication method used in elliptic curve cryptosystems and pairing-based cryptosystems, the method comprises: a recoding step that, starting from the most significant digit of an n-digit secret key (k) expressed in radix r, compares two consecutive elements (with overlap allowed) so that an L-digit recoded secret key (k') is generated; and a step of computing the scalar multiplication result (Q) of the secret key (k) and an arbitrary point P on the elliptic curve using the recoded secret key (k'). By recoding the radix-r representation of the secret key through an encoding that makes the scalar multiplication algorithm secure against side-channel attacks, in particular simple power analysis, the recoding step and the scalar multiplication step can be performed at the same time, which provides a technical solution that is secure against side-channel attacks while minimizing memory usage in memory-constrained ubiquitous computing environments. Keywords: elliptic curve, pairing, cryptosystem, side-channel attack, left-to-right recoding.

Publication date: 11-09-2014

Arithmetic apparatus, elliptic scalar multiplication method of arithmetic apparatus, computer readable recording medium having elliptic scalar multiplication program recorded therein, residue operation method of arithmetic apparatus and computer readable recording medium having residue operation program recorded therein

Number: KR101439804B1

The elliptic scalar multiplication kG is processed in a constant computation time regardless of the value of the random number k, so timing analysis of the elliptic scalar multiplication kG can be prevented. An initial setting unit (121) sets the scalar multiplication variable R to a specific point G on the elliptic curve. A scalar multiplication unit (122) refers to the t-bit bit string representing the random number k one bit at a time, starting from the most significant bit; each time a bit is referred to, it sets the working variable R[0] to the value obtained by doubling the scalar multiplication variable R, and sets the working variable R[1] to the value obtained by adding the specific point G to the value set in the working variable R[0]. Then, if the value of the referenced bit is 0, the scalar multiplication unit (122) sets the scalar multiplication variable R to the working variable R[0], and if the value of the referenced bit is 1, it sets the scalar multiplication variable R to the working variable R[1]. A scalar multiplication point output unit (123) subtracts the integer multiple 2^t·G from the scalar multiplication variable R and outputs the value obtained by the subtraction as the scalar multiplication point kG.

Publication date: 27-10-2020

Modular multiplication apparatus and method

Number: CN107040362B
Author: C·穆尔迪卡, S·吉耶
Assignee: Secure IC SAS

The invention provides a modular multiplication device for performing a multiplication of a first multiplicand and a second multiplicand modulo a given modulus, each of the multiplicands comprising a given number of digits, each digit having a given word length. The modular multiplication device comprises: a multiplier for multiplying at least one digit of the first multiplicand by the second multiplicand to produce a multiplier output; and a modular reduction unit configured to reduce a quantity derived from the multiplier output by a product of an extended modulus and an integer coefficient, the extended modulus being the product of the given modulus and an extension parameter, the modular reduction unit providing a reduction output that is a positive integer strictly smaller than the extended modulus; wherein the modular multiplication device further comprises a selection unit configured to select the extension parameter so that the time taken by the device to perform the multiplication is independent of the multiplicands.

Publication date: 11-08-2017

Modular multiplication apparatus and method

Number: CN107040362A
Author: C·穆尔迪卡, S·吉耶
Assignee: Intelligent Ic Card Co

The invention provides a modular multiplication device for performing a multiplication of a first multiplicand and a second multiplicand modulo a given modulus, each of the multiplicands comprising a given number of digits, each digit having a given word length. The modular multiplication device comprises: a multiplier for multiplying at least one digit of the first multiplicand by the second multiplicand to produce a multiplier output; and a modular reduction unit configured to reduce a quantity derived from the multiplier output by a product of an extended modulus and an integer coefficient, the extended modulus being the product of the given modulus and an extension parameter, the modular reduction unit providing a reduction output that is a positive integer strictly smaller than the extended modulus; wherein the modular multiplication device further comprises a selection unit configured to select the extension parameter so that the time taken by the device to perform the multiplication is independent of the multiplicands.

Publication date: 14-03-2009

Accelerating scalar multiplication on elliptic curve cryptosystems over prime fields

Number: CA2602766A1
Author: Ali Miri, Patrick Longa
Assignee: UNIVERSITY OF OTTAWA

A method and apparatus for accelerating scalar multiplication in an elliptic curve cryptosystem (ECC) over prime fields is provided. Multiplication operations within an ECC point operation are identified and modified utilizing an equivalent point representation that inserts multiples of two. Algebraic substitutions of the multiplication operations with squaring operations and other cheaper field operations are performed. Scalar multiplication can also be protected against simple side-channel attacks by balancing the number of multiplication operations and squaring operations and providing novel atomic structures to implement the ECC operation. In addition, a new coordinate system is defined to enable more effective operation of ECC in multiprocessor environments.

Publication date: 23-09-2016

Patent FR3033965A1

Number: FR3033965A1
Assignee: Maxim Integrated Products Inc

Various embodiments of the invention implement countermeasures designed to resist attacks by potential intruders who seek to partially or fully recover elliptic curve secrets using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, caused by the detectability of scalar values from information leaked during the regular operation flow, which would otherwise compromise system security. In certain embodiments, system immunity is maintained by performing elliptic curve scalar operations that use a secret-independent operation flow in a secure elliptic curve cryptographic device.

Publication date: 10-10-2003

CRYPTOGRAPHIC METHOD PROTECTED FROM CACHE-CHANNEL TYPE ATTACKS

Number: FR2838210A1
Assignee: Gemplus Card International SA, Gemplus SA

The invention relates to a cryptographic method secured against a hidden-channel (side-channel) attack. According to the invention, to execute an instruction block (Πj) selected as a function of an input variable (Di) from among N predefined instruction blocks (Π1, ..., ΠN), an elementary block (Γ(k, s)) common to the N predefined instruction blocks (Π1, ..., ΠN) is executed a predefined number (Lj) of times, the predefined number (Lj) being associated with the selected instruction block (Πj).

Publication date: 27-08-2010

Data processing method for securing Rivest Shamir Adleman cryptographic algorithms on chip card, involves testing relation between values by comparing values with neutral element of finite group based on internal rule of finite group

Number: FR2942560A1
Author: Matthieu Rivain
Assignee: Oberthur Technologies SA

The method involves performing a double exponentiation of an element (m) of a finite group by exponents (d, b) to provide corresponding values (R0, R1), where one of the exponents is equal to the difference between the other exponent and the order, or a multiple of the order, of the finite group (vG). A relation between the values provided by the corresponding exponents is tested by comparing the values with the neutral element (1G) of the finite group based on the internal law of the finite group. An independent claim is also included for a data processing device comprising a double exponentiation calculation unit.

Publication date: 22-07-2016

APPARATUS FOR CALCULATING A RESULT OF SCALAR MULTIPLICATION

Number: FR2941798B1
Author: Wieland Fischer
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 31-08-2012

CRYPTOGRAPHY METHOD COMPRISING AN EXPONENTIATION OPERATION

Number: FR2972064A1
Assignee: Inside Secure SA

The invention relates to a method and a device (DV1) protected against hidden-channel (side-channel) attacks, for computing the result of the exponentiation of a data item m by an exponent d. The method and the device are configured to execute only multiplications of identical large-size variables, by decomposing any multiplication of distinct large-size variables x, y into a combination of multiplications of identical large-size variables.

Publication date: 13-12-2002

Computation of secure power function for cryptographic algorithms, at least a bit or figure of an indexed x power number is iteratively processed

Number: FR2825863A1
Author: Marc Joye
Assignee: Gemplus Card International SA, Gemplus SA

Secure method for a power function calculation of the type y = x^r, where x is an element of a multiplicative group and r is a predetermined number. At least one bit or digit (ri) of the number r is iteratively processed, an index (i) for the number being provided. At the end of each iteration the index is incremented or decremented according to the value of the indexed bit or digit (ri), and the bit or digit is reset to zero. At least two computation registers are used to carry out the power function calculation. The value of the indexed bit or digit is used to index at least one of the registers used in the corresponding iteration. The method is designed to be used in electronic devices carrying out calculations of this type with or without results in place. The method is applied to a power function algorithm according to a binary method or k-ary method with a bit or digit (ri) sweep from left to right; the indexed register is obtained from the value of the indexed bit or digit (ri). The bit sweep for the number r may also be from right to left, in which case the indexed register is obtained from the complement of the value of the indexed bit.

Publication date: 02-10-2009

METHOD FOR PROTECTING PROGRAMMABLE CRYPTOGRAPHIC CIRCUIT, AND CIRCUIT PROTECTED BY SUCH A METHOD

Number: FR2929470A1

The present invention relates to a method for protecting a programmable cryptographic circuit and a circuit protected by such a method. The circuit is composed of memory-based cells defining the logic function of each cell, incorporating a differential network able to perform computations on pairs of binary variables, comprising a first network of cells performing logic functions on the first component of the pairs and a second network of dual cells operating in complementary logic on the second component of the pairs. A computation step comprises at least one precharge phase (41) putting the variables into a known state at the input of the cells, followed by an evaluation phase (43) in which a computation is performed by the cells. A variable synchronization phase (42, 44) is inserted before the evaluation or precharge phase at each cell able to receive several signals carrying input variables, the synchronization being performed on the most delayed signal. The invention applies in particular to protecting this type of circuit against differential power analysis attacks.

Publication date: 12-09-2008

Integer division in a manner that counters a power analysis attack

Number: CA2680047A1

In the course of performing an Elliptic Curve Scalar Multiplication operation by Additive Splitting Using Division, a main loop of an integer division operation may be performed. The integer division has a dividend and a divisor. By storing both the divisor and the negative value of the divisor, susceptibility to a Simple Power Analysis side-channel attack is minimized. A carry bit from the previous iteration of the main loop determines which of the divisor or the negative of the divisor to use. The order of an addition operation and a shift-left operation in the main loop is interchanged compared to a known integer division method, and there are no negation operations in the main loop.

Publication date: 06-08-2010

APPARATUS FOR CALCULATING A RESULT OF SCALAR MULTIPLICATION

Number: FR2941798A1
Author: Wieland Fischer
Assignee: INFINEON TECHNOLOGIES AG

An apparatus for calculating a result of a scalar multiplication of a reference number by a reference point on an elliptic curve comprises a point selector and a processor. The point selector is configured to select, randomly or pseudo-randomly, an auxiliary point on the elliptic curve. The processor is configured to calculate the result of the scalar multiplication with a 'double-and-always-add' process using the auxiliary point.

Publication date: 30-06-2006

SECURE AND COMPACT EXPONENTIATION METHOD FOR CRYPTOGRAPHY

Number: FR2880148A1
Author: Marc Joye
Assignee: Gemplus SCA

The present invention relates to a secure and compact exponentiation method, with application in particular in the field of cryptology, where cryptographic algorithms are implemented in electronic devices such as smart cards.

Publication date: 13-04-2018

CRYPTOGRAPHIC PROCESSING METHOD COMPRISING A MULTIPLICATION OF A POINT OF AN ELLIPTICAL CURVE BY A SCALAR

Number: FR3057369A1
Assignee: Safran Identity and Security SAS

The invention relates to a cryptographic processing method comprising a multiplication of a point P of an elliptic curve over a Galois field by a scalar k, the multiplication comprising the steps of: storing in a first register a null point of the Galois field; implementing a loop comprising at least one iteration comprising the steps of: selecting a window of w bits in the unsigned binary representation of the scalar k, w being a predetermined integer independent of the scalar k and strictly greater than 1; computing multiple points of P, each multiple point being associated with one bit of the window and of the form ±2^i·P; adding or not adding stored multiple points to the first register, each multiple point being added to the first register or not depending on the value of the bit of the window with which the multiple point is associated; the loop ending once every bit of the unsigned binary representation of the scalar k has been selected; and providing the value stored in the first register. If all bits of the window selected during an iteration of the loop are zero, the iteration comprises at least one dummy execution of the addition function, and/or if all bits of the window during an iteration of the loop are non-zero, the multiple points to be added to the first register during that step are determined from a non-adjacent form associated with the window.

Publication date: 17-04-2001

Method and apparatus for implementing a decoding mechanism by calculating a standardized modular exponentiation to thwart timing attacks

Number: JP2001505325A
Assignee: Philips Electronics NV

(57) [Abstract] Cryptographic exponentiation modulo M is carried out by modular multiplications X * Y mod M, where M is a modulus that is temporarily stable but momentarily non-uniform. The method consists of iteratively successive steps. Each step performs one or two first multiplications to produce a first result, and reduces the size of the first result by one or more second multiplications to produce a second result. The method further employs characteristic means for keeping the final result of each step under a predetermined multiplicity of the modulus. In particular, the method substantially moves any subtraction of the modulus that accompanies the measurement to the final stage of the modular exponentiation. This is made possible by selecting, in an appropriate manner, one or more parameters relating to the method. This further maintains the overall timing performance.

Publication date: 05-11-2003

Microprocessor resistant to power analysis

Number: EP1252561B1
Assignee: Individual

A secure microprocessor is designed using quad-coded logic which is similar to dual-rail encoded asynchronous logic except that the '11' state propagates an alarm. The alarm signal obliterates secure data in its path. Quad-coded logic provides resilience to power glitches and single-transistor or single-wire failures. The already low data dependency of the power consumption makes power analysis attacks difficult, and they are made even more difficult by inserting random delays in data and control paths, and by a set-random-carry instruction which enables software to make a non-deterministic choice between equivalent instruction sequences. These features are particularly easy to implement well in quad-coded logic.

Publication date: 25-10-2001

Timing attack resistant cryptographic system

Number: US20010033655A1
Assignee: Certicom Corp

A method for determining a result of a group operation performed an integral number of times on a selected element of the group, the method comprising the steps of: representing the integral number as a binary vector; initializing an intermediate element to the group identity element; selecting successive bits, beginning with the leftmost bit, of the vector. For each of the selected bits: performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element selected from the group consisting of: the group element if the selected bit is a one, and an inverse element of the group element if the selected bit is a zero; and replacing the intermediate element with the new intermediate element. In a final step, performing the group operation on the intermediate value and the inverse element if the last selected bit is a zero, and replacing the intermediate element therewith, to obtain the result, whereby each of the bits of the integral number is processed with substantially equal operations, thereby minimizing timing attacks on the cryptographic system.

Publication date: 18-03-2009

Cryptographic method protected against side channel attacks

Number: EP1493078B1
Assignee: GEMALTO SA

Publication date: 21-01-2000

Timing attack resistant cryptographic system

Number: CA2243761A1
Assignee: Certicom Corp

A method for determining a result of a group operation performed an integral number of times on a selected element of the group, the method comprising the steps of: representing the integral number as a binary vector; initializing an intermediate element to the group identity element; selecting successive bits, beginning with the leftmost bit, of the vector. For each of the selected bits: performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element selected from the group consisting of: the group element if the selected bit is a one, and an inverse element of the group element if the selected bit is a zero; and replacing the intermediate element with the new intermediate element. In a final step, performing the group operation on the intermediate value and the inverse element if the last selected bit is a zero, and replacing the intermediate element therewith, to obtain the result, whereby each of the bits of the integral number is processed with substantially equal operations, thereby minimizing timing attacks on the cryptographic system.

Publication date: 26-01-2016

Accelerating scalar multiplication on elliptic curve cryptosystems over prime fields

Number: CA2602766C
Author: Ali Miri, Patrick Longa
Assignee: UNIVERSITY OF OTTAWA

A method and apparatus for accelerating scalar multiplication in an elliptic curve cryptosystem (ECC) over prime fields is provided. Multiplication operations within an ECC point operation are identified and modified using an equivalent point representation that inserts multiples of two. Algebraic substitutions of the multiplication operations with squaring operations and other cheaper field operations are performed. Scalar multiplication can also be protected against simple side-channel attacks by balancing the number of multiplication and squaring operations and by providing novel atomic structures to implement the ECC operation. In addition, a new coordinate system is defined to enable more effective operation of ECC in multiprocessor environments.

Publication date: 05-01-2011

Method and apparatus for performing efficient side-channel-attack-resistant reduction

Number: CN101938355A
Assignee: Intel Corp

The invention is titled "Method and apparatus for performing efficient side-channel-attack-resistant reduction". A time-invariant method and apparatus are provided for performing modular reduction that is protected against cache-based and branch-based attacks. The modular reduction technique adds no performance penalty and is side-channel resistant. Side-channel resistance is provided by lazy evaluation of carry bits, elimination of data-dependent branches, and uniform cache access for all memory references.

Publication date: 01-03-2006

System and method for calculating a result from a division

Number: EP1474741B1
Author: Wieland Fischer
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 18-07-2007

Encryption processing apparatus, encryption processing method, and computer program

Number: EP1808762A1
Assignee: Sony Corp

An encryption processing apparatus (100) for performing a scalar multiplication kP + lQ based on two points P and Q on an elliptic curve and scalar values k and l, or a scalar multiplication kD1 + lD2 based on divisors D1 and D2 and scalar values k and l, includes a scalar value controller (101) configured to generate a joint regular form of (k, l), k = <k_n, ..., k_0> and l = <l_n, ..., l_0>, in which all the bits of the scalar values k and l are represented by 0, +1, or -1, and the combination (k_i, l_i) of bits at corresponding positions of the scalar values k and l is set to satisfy (k_i, l_i) = (0, ±1) or (±1, 0); and a computation execution section (102) configured to perform a process for computing the scalar multiplication kP + lQ or kD1 + lD2.

Publication date: 30-04-2010

METHOD FOR PROTECTING PROGRAMMABLE CRYPTOGRAPHIC CIRCUIT, AND CIRCUIT PROTECTED BY SUCH A METHOD

Number: FR2929470B1

The present invention relates to a method for protecting a programmable cryptographic circuit and to a circuit protected by such a method. The circuit is composed of memory-based cells defining the logic function of each cell, integrating a differential network capable of performing computations on pairs of binary variables, comprising a first network of cells performing logic functions on the first component of the pairs and a second network of dual cells operating in complementary logic on the second component of the pairs. A computation step comprises at least one precharge phase (41), which puts the variables into a known state at the input of the cells, followed by an evaluation phase (43), in which a computation is performed by the cells. A variable synchronization phase (42, 44) is inserted before the evaluation or precharge phase at each cell capable of receiving several signals carrying input variables, the synchronization being performed on the most delayed signal. The invention applies in particular to protecting this type of circuit against differential power analysis attacks.

Publication date: 12-09-2008

Power analysis countermeasure for the ecmqv key agreement algorithm

Number: CA2680056A1

Execution of the ECMQV key agreement algorithm requires determination of an implicit signature, which determination involves arithmetic operations. Some of the arithmetic operations employ a long-term cryptographic key. It is the execution of these arithmetic operations that can make the execution of the ECMQV key agreement algorithm vulnerable to a power analysis attack. In particular, an attacker using a power analysis attack may determine the long-term cryptographic key. By modifying the sequence of operations involved in the determination of the implicit signature and the inputs to those operations, power analysis attacks may no longer be applied to determine the long-term cryptographic key.

Publication date: 27-07-2001

Modular exponentiation algorithm for protecting against decoding of a public key, using a variable i from 0 to k-1 over the binary representation, from the low-weight bit Y(0) towards the high-weight bit Y(k-1)

Number: FR2804225A1
Author: Olivier Benoit
Assignee: Gemplus Card International SA, Gemplus SA

For each bit Y(i) of the binary representation of Y, a variable i runs from 0 to k-1 over the binary representation, from the low-weight bit Y(0) towards the high-weight bit Y(k-1). The operation Z = Z^2 is computed, and if I = 0, R2 = R1 * Z is computed, or if I = 1, R1 = R2 * Z is computed. Then, if Y(i) = 0, I remains unchanged, and if Y(i) = 1, I is complemented. An independent claim is included for (a) an electronic terminal.

Publication date: 18-05-2004

Power signature attack resistant cryptography

Number: US6738478B1
Assignee: Certicom Corp

This invention provides a method of computing a multiple k of a point P on an elliptic curve defined over a field, the method including the steps of representing the number k as a binary vector of bits k_i, forming an ordered pair of points P1 and P2, wherein the points P1 and P2 differ at most by P, and selecting each of the bits k_i in sequence, and for each of the k_i: upon k_i being a 0, computing a new set of points P1', P2' by doubling the first point P1 to generate the point P1' and adding the points P1 and P2 to generate the point P2'; or upon k_i being a 1, computing a new set of points P1', P2' by doubling the second point P2 to generate the point P2' and adding the points P1 and P2 to produce the point P1'. The doubles or adds are thus always performed in the same order for each of the bits k_i, thereby minimizing a timing attack on the method. An embodiment of the invention applies to both multiplicative and additive groups.

Publication date: 17-02-2009

Power signature attack resistant cryptographic system

Number: CA2252078C
Assignee: Certicom Corp

A method of computing a multiple k of a point P on an elliptic curve defined over a field, in a processor which generates distinct power signatures for adding and doubling operations, comprises the steps of representing the number k as a binary vector of bits k_i; forming an ordered pair of points P1 and P2, wherein the points P1 and P2 differ at most by P; and selecting each of the bits k_i in sequence. Upon k_i being a zero, a new set of points P1', P2' is computed by first doubling the first point P1 to generate the point P1' and produce a first power signature. The points P1 and P2 are then added to generate the point P2' and produce a second power signature distinct from the first power signature. Upon k_i being a one, a new set of points P1', P2' is computed by first doubling the second point P2 to generate the point P2' and produce the first power signature. The points P1 and P2 are then added to produce the point P1' and produce the second power signature. The doubles or adds are performed in the same order for each of the bits k_i, producing a consistent power signature waveform.

Publication date: 27-06-2014

Elliptic curve cryptography

Number: RU2520379C2
Assignee: Morpho

The invention relates to a method and a device for performing a cryptographic transformation in an electronic component. The technical result is improved security when establishing connections with password authentication, owing to more efficient execution of the cryptographic transformation. The method obtains a point P(X,Y) from a parameter t on an elliptic curve satisfying Y^2 = f(X), and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying the equality f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in Fq, with q = 3 mod 4. A value of the parameter t is then obtained, and the point P is determined by the substeps of (i) computing X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t); (ii) if the element f(X1)·f(X2) is a square, testing whether the element f(X3) is a square in Fq and, if so, computing the square root of the element f(X3) to obtain the point P(X3); (iii) otherwise, testing whether the element f(X1) is a square and, if so, computing the square root of f(X1) to obtain the point P(X1); (iv) otherwise, computing the square root of the element f(X2) to obtain the point P(X2). This point P is then used in a cryptographic application. 2 independent and 6 dependent claims, 3 figures. Inventors: Thomas Icart (FR), Jean-Sébastien Coron (FR). Application 2012101253/08 filed 15.06.2010; convention priority FR 0954053 of 16.06.2009; application published 27.07.2013 (Bull. No. 21); patent published 27.06.2014 (Bull. No. 18). IPC: G06F 21/30 (2013.01), G06F 21/72 (2013.01), H04L 9/28 (2006.01), G06F 17/10 (2006.01). Documents cited in the search report: EP 1014617 A3, 28.06.2000; WO 2000005837 A1, 03.02.2000; RU ...

Publication date: 03-05-2007

A method for scalar multiplication in elliptic curve groups over binary polynomial fields for side-channel attack-resistant cryptosystems

Number: WO2007048430A1
Author: Jovan Golic
Assignee: TELECOM ITALIA S.P.A.

A method for transforming data with a secret parameter in an elliptic curve cryptosystem based on an elliptic curve defined over an underlying binary polynomial field, the method comprising multiplying a point of the elliptic curve, representing the data to be transformed, by a scalar representing the secret parameter, wherein the multiplying includes performing at least one point addition operation and at least one point doubling operation on points of the elliptic curve. The point addition operation comprises a first sequence of elementary field operations, and the point doubling operation comprises a second sequence of elementary field operations, both the first and the second sequences of elementary field operations including a field inversion of coordinates of the elliptic curve points. A representation of the elliptic curve points in affine coordinates is provided, and the first and second sequences of elementary field operations are balanced. The field inversion of coordinates is performed by the Extended Euclidean Algorithm, and the balancing includes balancing the Extended Euclidean Algorithm by adding at least one dummy operation. In particular, the balancing of the Extended Euclidean Algorithm includes: after comparing the respective degrees of the two binary polynomials being iteratively processed in the algorithm, performing the same sequence of operations regardless of the result of said comparison. A device (305) is also provided for transforming data with a secret parameter, comprising an integrated circuit (315) adapted to perform the above-mentioned method. The circuit (315) implements a cryptosystem (317) including a scalar multiplication unit (320), which in turn includes four subunits: a point addition unit (325), a point doubling unit (330), a field arithmetic unit (335), and a control unit (340).

Publication date: 26-06-2015

METHOD FOR PROCESSING DATA INVOLVING EXPONENTIATION AND ASSOCIATED DEVICE

Number: FR2942560B1
Author: Matthieu Rivain
Assignee: Oberthur Technologies SA

Publication date: 26-10-2005

Cryptographic processor

Number: EP1589413A2
Assignee: INFINEON TECHNOLOGIES AG

A cryptography processor comprises a central processing unit and a coprocessor, the coprocessor having a plurality of sub-arithmetic units and a single control unit coupled to each of the plurality of sub-arithmetic units. A cryptographic operation is distributed by the control unit to the individual sub-arithmetic units in the form of sub-operations. The central processing unit, the plurality of sub-arithmetic units and the control unit are integrated on a single chip, the chip having a common supply-current access for supplying the plurality of sub-arithmetic units and the control unit with power. On the one hand, the parallel arrangement of the sub-arithmetic units increases the throughput of the cryptography processor. On the other hand, it also randomizes the current profile that can be measured at the supply-current access to such an extent that an attacker can no longer infer the numbers processed in the individual sub-arithmetic units.

Publication date: 18-11-2009

Power analysis countermeasure for the ecmqv key agreement algorithm

Number: EP2119104A1
Assignee: Research in Motion Ltd

Execution of the ECMQV key agreement algorithm requires determination of an implicit signature, which determination involves arithmetic operations. Some of the arithmetic operations employ a long-term cryptographic key. It is the execution of these arithmetic operations that can make the execution of the ECMQV key agreement algorithm vulnerable to a power analysis attack. In particular, an attacker using a power analysis attack may determine the long-term cryptographic key. By modifying the sequence of operations involved in the determination of the implicit signature and the inputs to those operations, power analysis attacks may no longer be applied to determine the long-term cryptographic key.

Publication date: 06-10-2009

Timing attack resistant cryptographic system

Number: CA2243761C
Assignee: Certicom Corp

A method for determining the result of a group operation performed an integral number of times on a selected element of the group comprises the steps of: representing the integer as a binary vector; initializing an intermediate element to the group identity element; and selecting successive bits of the vector, beginning with the leftmost bit. For each selected bit: the group operation is performed on the intermediate element to derive a new intermediate element; the intermediate element is replaced with the new intermediate element; the group operation is then performed on the intermediate element and an element selected from the group consisting of the group element, if the selected bit is a one, and an inverse of the group element, if the selected bit is a zero; and the intermediate element is again replaced with the new intermediate element. In a final step, if the last selected bit is a zero, the group operation is performed on the intermediate element and the inverse element, and the intermediate element is replaced with the result. Each bit of the integer is thereby processed with substantially equal operations, minimizing timing attacks on the cryptographic system.

Publication date: 01-09-2005

Apparatus and method for converting, and adder circuit

Number: US20050193052A1
Assignee: INFINEON TECHNOLOGIES AG

An apparatus and method for converting a dual-rail input. The apparatus combines two useful operand bits and two auxiliary operand bits so that, in a data mode, two of the three output operands have a value which is different from that of the third output operand. In a preparation mode, the three output operands of the apparatus have the same value. The apparatus and method may preferably be employed in a three-operand adder as an interface between a dual-rail three-bit half adder and a sum-carry stage of a two-bit full adder, so as to achieve the same level of security as a full implementation of the three-operand adder in dual-rail technology, despite the two-bit full adder being implemented in single-rail technology.

Publication date: 15-06-2010

Method of obscuring cryptographic computations

Number: US7739521B2
Author: Ernie F. Brickell
Assignee: Intel Corp

Obscuring cryptographic computations may be accomplished by performing modular exponentiation of an exponent in a cryptographic computation such that memory accesses are independent of the exponent bit pattern, thereby deterring timing attacks.

Publication date: 04-09-2013

Arithmetical device, arithmetical device elliptical scalar multiplication method and elliptical scalar multiplication program, arithmetical device multiplicative operation method and multiplicative operation program, as well as arithmetical device zero determination method and zero determination program

Number: CN103282950A
Author: 内藤祐介, 酒井康行
Assignee: Mitsubishi Electric Corp

The elliptic scalar multiplication kG can be processed in a constant computation time regardless of the value of the random number k, preventing timing analysis of the elliptic scalar multiplication kG. An initial setting unit 121 sets a specific point G on the elliptic curve in a scalar multiplication variable R. A scalar multiplication unit 122 refers to the t-bit bit string representing the random number k one bit at a time, starting from the most significant bit; each time a bit is referred to, it sets the working variable R[0] to the value obtained by doubling the scalar multiplication variable R, and sets the working variable R[1] to the value obtained by adding the specific point G to the value set in the working variable R[0]. Then, in the scalar multiplication unit 122, if the value of the referred bit is 0, the scalar multiplication variable R is set to the working variable R[0], and if the value of the referred bit is 1, the scalar multiplication variable R is set to the working variable R[1]. A scalar multiple point output unit 123 subtracts the constant value 2^t·G from the scalar multiplication variable R and outputs the value obtained by the subtraction as the scalar multiple point kG.

Publication date: 17-01-2001

Acceleration and security enhancements for elliptic curve and rsa coprocessors

Number: EP1068565A2
Assignee: Fortress U&T Ltd

This invention discloses apparatus and methods for accelerating processing, loading (10) and unloading (30) of data from and to a plurality of memory addresses in a CPU (1300) having an accumulator, and to a memory-mapped coprocessing device for continuous integer computations.

Publication date: 04-04-2012

How to request data safely

Number: JP4909403B2
Assignee: SIEMENS AG

Publication date: 07-07-2015

Method and apparatus for performing elliptic curve scalar multiplication in a manner that counters power analysis attacks

Number: CA2680054C
Assignee: BlackBerry Ltd

When multiplicative splitting is used to hide a scalar in an Elliptic Curve Scalar Multiplication (ECSM) operation, the associated modular division operation employs the known Almost Montgomery Inversion algorithm. By including dummy operations in some of the branches of the main iteration loop of the Almost Montgomery Inversion algorithm, all branches of the algorithm may be viewed, from the perspective of a Power Analysis-based attack, as equivalent and, accordingly, devoid of information useful in determining the value of the scalar, which may be a cryptographic private key.

Publication date: 17-12-2010

CRYPTOGRAPHY ON AN ELLIPTICAL CURVE.

Number: FR2946819A1
Assignee: Sagem Securite SA

A cryptographic calculation is performed in an electronic component, comprising obtaining a point P(X,Y) from a parameter t on an elliptic curve of equation Y^2 = f(X), and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying the equality f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in Fq, with q = 3 mod 4. A value of the parameter t is first obtained. The point P is then determined by performing the following substeps: (i) compute X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t); (ii) if the term f(X1)·f(X2) is a square, test whether the term f(X3) is a square in Fq and compute the square root of f(X3), to obtain the point P(X3, √f(X3)); (iii) otherwise, test whether the term f(X1) is a square and compute the square root of f(X1), to obtain the point P(X1, √f(X1)); (iv) otherwise, compute the square root of f(X2), to obtain the point P(X2, √f(X2)). This point P can then be used in a cryptographic application.

Publication date: 01-07-2011

CRYPTOGRAPHY ON A SIMPLIFIED ELLIPTICAL CURVE.

Number: FR2946818B1
Author: Thomas Icart
Assignee: Sagem Securite SA

A cryptographic calculation includes obtaining a point P(X,Y) from a parameter t on an elliptic curve Y^2 = f(X) and from polynomials satisfying −f(X1(t))·f(X2(t)) = U(t)^2 in the finite field Fq, irrespective of the parameter t, with q = 3 mod 4. A value of the parameter t is obtained and the point P is determined by: (i) calculating X1 = X1(t), X2 = X2(t) and U = U(t); (ii) testing whether the term f(X1) is a square in the finite field Fq and, if so, calculating the square root of the term f(X1), the point P having X1 as abscissa and Y1, the square root of the term f(X1), as ordinate; (iii) otherwise, calculating the square root of the term f(X2), the point P having X2 as abscissa and Y2, the square root of the term f(X2), as ordinate. The point P is useful in encryption, scrambling, signature, authentication or identification cryptographic applications.

Publication date: 30-12-2004

Method and device for calculating a result of an exponentiation

Number: US20040267859A1
Assignee: INFINEON TECHNOLOGIES AG

For calculating the result of an exponentiation B^d, B being a base and d being an exponent which can be described by a binary number of a plurality of bits, a first auxiliary quantity X is first initialized to a value of 1. Then a second auxiliary quantity Y is initialized to the base B. The bits of the exponent are then processed sequentially: if a bit of the exponent equals 0, the first auxiliary quantity X is updated by X^2 or by a value derived from X^2, and the second auxiliary quantity Y is updated by X*Y or by a value derived from X*Y. If a bit of the exponent equals 1, the first auxiliary quantity X is updated by X*Y or by a value derived from X*Y, and the second auxiliary quantity Y is updated by Y^2 or by a value derived from Y^2. After all the bits of the exponent have been processed, the value of the first auxiliary quantity X is used as the result of the exponentiation. A higher degree of security is thus obtained by homogenizing the time and current profiles. In addition, an increase in performance is enabled by the possible parallel execution of the operations.

Publication date: 05-08-2009

A device and a computer program product for calculating additions of points on elliptic curves in Edwards form

Number: EP2085877A1
Author: Marc Joye
Assignee: Thomson Licensing SAS

A device (100) for calculations on elliptic curves. The elliptic curve in generalized Edwards form is projected onto a projective form so that a point P = (x1, y1) on the elliptic curve is represented by the tuple (x1·Z1 : y1·Z1 : Z1) for any Z1 ≠ 0. An addition of two projective points (X1 : Y1 : Z1) and (X2 : Y2 : Z2) is given by X3 = Z1·Z2·(X1·Y2 + X2·Y1)·M, Y3 = Z1·Z2·(Y1·Y2 − e·X1·X2)·N, and Z3 = M·N, where M = f·Z1^2·Z2^2 − d·X1·X2·Y1·Y2 and N = f·Z1^2·Z2^2 + d·X1·X2·Y1·Y2. By rewriting X1·Y2 + X2·Y1 as (X1 + Y1)·(X2 + Y2) − X1·Y1 − X2·Y2, this costs 10M + 1S + 1d + 1e + 1f, where M denotes a field multiplication, S denotes a field squaring, and d, e, f denote respectively a multiplication by the constants d, e, f. Also provided are a special doubling formula, a method, and a computer program (140).

Publication date: 30-04-2009

GOOD PROCEDURE

Number: DE60326707D1
Assignee: GEMALTO SA

Publication date: 18-06-2002

Data processing method and device

Number: JP2002517787A

The invention relates to a method for encrypting and/or decrypting data. Here, the data for encryption or decryption are processed by a step selected from a plurality of alternative, equivalent encryption or decryption steps, and/or by a plurality of encryption or decryption steps operating in sequence. The selected encryption or decryption step is chosen at random, and/or the encryption or decryption steps are changed at random.

Publication date: 02-11-2000

Acceleration and security enhancements for elliptic curve and rsa coprocessors

Number: WO2000042484A3
Assignee: Fortress U & T Ltd

This invention discloses apparatus and methods for accelerating processing, loading (10) and unloading (30) of data from and to a plurality of memory addresses in a CPU (1300) having an accumulator, and to a memory-mapped coprocessing device for continuous integer computations.

Publication date: 02-08-2001

Modular exponential algorithm in an electronic component using a public key encryption algorithm

Number: WO2001055838A2
Author: Olivier Benoit
Assignee: Gemplus

The invention concerns an anti-SPA (Simple Power Attack) modular exponential algorithm in an electronic component using a public key encryption algorithm.

Publication date: 13-02-2008

Apparatus and method for calculating the result of division

Number: JP4047816B2
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 02-08-2011

Exponentiation method using multibase number representation

Number: US7991154B2
Assignee: UNIVERSIDAD DE CASTILLA LA MANCHA

A method of scalar multiplication for use in elliptic curve-based cryptosystems (ECC) is provided. Scalars are represented using a generic multibase form combined with the non-adjacency property, which greatly reduces the nonzero density of the representation. The method allows an unrestricted number of bases and their weight in the representation to be selected flexibly according to the particular characteristics of a setting, in such a way that computing costs are minimized. A simple, memory-friendly conversion process from binary to multibase representation and an inexpensive methodology to protect the multibase scalar multiplication against simple side-channel attacks are also provided.

Publication date: 26-10-2011

Safe sliding window exponentiation

Number: EP2128754B1
Author: Sven Dr. Bauer
Assignee: Giesecke and Devrient GmbH

Publication date: 03-10-2007

Secure and compact exponentiation method for cryptography

Number: EP1839125A1
Author: Marc Joye
Assignee: Gemplus Card International SA, Gemplus SA

The invention relates to a method for secure and compact exponentiation. The inventive method can be applied in the field of cryptology where cryptographic algorithms are used in electronic devices such as chip cards.

Publication date: 06-05-2014

Cryptography on a elliptical curve

Number: US8718276B2
Assignee: Morpho SA

A cryptographic calculation includes obtaining a point P(X,Y) from a parameter t on an elliptic curve Y^2 = f(X), and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in Fq, with q = 3 mod 4. Firstly, a value of the parameter t is obtained. Next, the point P is determined by: (i) calculating X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t); (ii) if the term f(X1)·f(X2) is a square, testing whether the term f(X3) is a square in Fq and, if so, calculating the square root of f(X3) in order to obtain the point P(X3); (iii) otherwise, testing whether the term f(X1) is a square and, if so, calculating the square root of f(X1) in order to obtain the point P(X1); (iv) otherwise, calculating the square root of f(X2) in order to obtain the point P(X2). This point P is useful in a cryptographic application.

Publication date: 01-06-2004

Method and device for calculating a result of an exponentiation

Number: TW589547B
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 17-12-2008

Encryption computing device

Number: EP1816624A4
Assignee: Sony Corp

Publication date: 04-08-2011

Exponentiation system

Number: WO2011092552A1
Assignee: NDS Limited

A method for computation, including: defining a sequence of n bits that encodes an exponent d, such that no more than a specified number of successive bits in the sequence are the same; initializing first and second registers using a value of a base x that is to be exponentiated, whereby the first and second registers hold respective first and second values, which are successively updated during the computation; successively, for each bit in the sequence, computing a product of the first and second values, selecting one of the first and second registers depending on whether the bit is one or zero, and storing the product in the selected register, whereby the first and second registers hold respective first and second final values upon completion of the sequence; and returning x^d based on the first and second final values. Related apparatus and methods are also described.

Publication date: 04-02-2022

SECURE ELLIPTICAL CURVE ENCRYPTION DEVICE CONTROL DEVICE AND METHODS

Number: FR3055444B1
Assignee: Maxim Integrated Products Inc

Various embodiments implement countermeasures designed to resist attacks by potential intruders who seek to partially or fully extract elliptic curve secret keys using known methods that exploit system vulnerabilities, including elliptic operation differentiation, detection of inoperative (dummy) operations, lattice attacks and detection of the first real operation. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, arising from the possibility of detecting scalar values from information leaked during normal operation, which could otherwise compromise the security of the device. In some embodiments, the immunity of the device is preserved by executing elliptic scalar operations that use a flow of operations independent of the secret key in a secure elliptic curve encryption device.

Published: 27-10-2009

Apparatus and method for calculating a representation of a result operand

Number: US7610628B2
Assignee: INFINEON TECHNOLOGIES AG

An apparatus for calculating a representation of the result operand of a non-linear logical operation between a first operand and a second operand includes a first logic gate and a second logic gate. Each operand is represented by two auxiliary operands which, when linearly combined, yield the respective operand. The first and second logic gates are designed such that the average energy consumption of the first or second logic gate is substantially equal for a plurality of combinations of the auxiliary operands present at the beginning of a first operating cycle and the auxiliary operands present at the beginning of a second operating cycle, the average energy being derived over a plurality of different orders of occurrence of the first to fourth auxiliary operands.

Published: 04-04-2007

Cryptographic processor

Number: EP1589413A3
Assignee: INFINEON TECHNOLOGIES AG

A cryptographic processor comprises a central processing unit and a coprocessor, the coprocessor having a plurality of sub-arithmetic units and a single control unit coupled to each of the sub-arithmetic units. The control unit splits a cryptographic operation into partial operations that are distributed to the individual sub-arithmetic units. The central processing unit, the sub-arithmetic units and the control unit are integrated on a single chip, which has a common power-supply connection for powering the sub-arithmetic units and the control unit. The parallel arrangement of the sub-arithmetic units increases the throughput of the cryptographic processor; at the same time, the current profile that can be measured at the power-supply connection is randomized to the point that an attacker can no longer infer the numbers processed in the individual sub-arithmetic units.

Published: 23-12-2010

Cryptography on an elliptical curve

Number: CA2765638A1
Assignee: Morpho SA

A cryptographic calculation is performed in an electronic component, comprising the step of obtaining a point P(X,Y) from a parameter t on an elliptic curve of equation Y^2 = f(X), and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying the equality f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in Fq, with q = 3 mod 4. First a value of the parameter t is obtained. Next the point P is determined by carrying out the following substeps: (i) X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t) are calculated; (ii) if the term f(X1)·f(X2) is a square, then it is tested whether f(X3) is a square in Fq and, if so, the square root of f(X3) is calculated in order to obtain the point P(X3); (iii) otherwise, it is tested whether f(X1) is a square and, if so, the square root of f(X1) is calculated in order to obtain the point P(X1); (iv) otherwise, the square root of f(X2) is calculated in order to obtain the point P(X2). This point P can then be used in a cryptographic application.

Published: 27-12-2006

Universal calculation method applied to points on an elliptic curve

Number: EP1421473B1
Author: Marc Joye
Assignee: Gemplus Card International SA, Gemplus SA

Published: 30-09-2020

Side channel aware automatic place and route

Number: EP3414642A4
Assignee: Chaologix Inc

Published: 16-03-2016

System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms

Number: EP2996033A1
Author: David Vigilant
Assignee: GEMALTO SA

A system, method and computer-readable storage medium with instructions for protecting an electronic device against fault attacks. The technology includes operating the electronic device to determine two half-size exponents, dp and dq, from the exponent d; to split the base m into two sub-bases mp and mq determined from the base m; and to iteratively compute a decryption result S by repeatedly multiplying an accumulator A by m, mp, mq or 1, depending on the values of the i-th bits of dp and dq for each iteration i. Other systems and methods are disclosed.
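The single-loop structure described in the abstract above, as an added example that is not Gemalto's code. The construction of the sub-bases mp and mq is an assumption: they are built from the CRT idempotents so that mp = m (mod p), mp = 1 (mod q) and mq = 1 (mod p), mq = m (mod q); multiplying the accumulator by m, mp, mq or 1 then advances the p-side and q-side exponents by exactly the current bits of dp and dq, and every iteration performs one squaring and one multiplication whatever the bits are. For contrast the block also runs the textbook two-half CRT with a constructed fault on the q-half, which is what the single-loop form avoids: the gcd of a correct and a faulty result of the same message reveals p (the Bellcore fault attack). The parameters p = 61, q = 53, d = 2753 are the standard small textbook RSA example, used here only for demonstration.

```python
# Added example (not Gemalto's code): one square-and-multiply loop computes
# S = m^d mod (p*q) for CRT-RSA while scanning the half exponents dp and dq bit by bit.
# The sub-bases mp and mq are an assumption (CRT idempotents), see the lead-in.
from math import gcd


def crt_idempotents(p, q):
    """Return (e_p, e_q) with e_p = 1 mod p, 0 mod q and e_q = 0 mod p, 1 mod q."""
    n = p * q
    e_p = q * pow(q, -1, p) % n
    e_q = p * pow(p, -1, q) % n
    return e_p, e_q


def one_time_crt_exp(m, d, p, q):
    """Compute m^d mod (p*q) in a single loop, with no separate recombination step."""
    n = p * q
    dp = d % (p - 1)
    dq = d % (q - 1)
    e_p, e_q = crt_idempotents(p, q)
    mp = (m * e_p + e_q) % n      # acts as m on the p-side, as 1 on the q-side
    mq = (e_p + m * e_q) % n      # acts as 1 on the p-side, as m on the q-side
    # Multiplier selected by (bit of dp, bit of dq); every iteration multiplies once.
    table = {(1, 1): m % n, (1, 0): mp, (0, 1): mq, (0, 0): 1}
    acc = 1
    for i in range(max(dp.bit_length(), dq.bit_length()) - 1, -1, -1):
        acc = acc * acc % n
        acc = acc * table[(dp >> i) & 1, (dq >> i) & 1] % n
    return acc


def classic_crt_exp(m, d, p, q, fault_q=False):
    """Textbook CRT-RSA; fault_q=True corrupts the q-half (a constructed fault)."""
    dp, dq = d % (p - 1), d % (q - 1)
    s_p = pow(m, dp, p)
    s_q = pow(m, dq, q)
    if fault_q:
        s_q = (s_q + 1) % q                 # constructed fault in one half-result
    h = (s_p - s_q) * pow(q, -1, p) % p     # Garner recombination
    return s_q + q * h


def bellcore_factor(n, good, faulty):
    """A correct and a faulty CRT result for the same message leak a factor of n."""
    return gcd((good - faulty) % n, n)
```

The one-loop form never materialises the two half-results, so there is no separate value for a glitch to corrupt before recombination; the fault demonstration on classic_crt_exp shows what that separate value costs when it is wrong.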

Published: 29-07-2009

Elliptic curve cryptosystem apparatus, method and program

Number: EP1320027B1
Assignee: Fujitsu Ltd

Published: 28-02-2008

Cryptographic methods including Montgomery power ladder algorithms

Number: US20080049931A1
Author: IHOR VASYLTSOV
Assignee: SAMSUNG ELECTRONICS CO LTD

A cryptographic method of countering differential fault analysis (DFA) using the elliptic curve cryptography (ECC) fast Montgomery power ladder algorithm (MPLA) is provided. The method may include receiving a base point P on an elliptic curve and a scalar k, initializing a plurality of primary variables (P1 and P2) with the base point P, and iterating through a plurality of operations using a loop variable i, where i is an integer. The operations may include setting a plurality of secondary variables (T1 and T2) corresponding to the primary variables (P1 and P2), resetting the primary variables (P1 and P2) and secondary variables (T1 and T2) based on a portion of the scalar k, and calculating a scalar product Q equal to the product of the base point P and the scalar k. The method may further include identifying a fault using the primary variables (P1 and P2) and secondary variables (T1 and T2) based on a portion of the scalar k, and outputting the scalar product Q only if no fault is identified. The method may be applied to a variety of cryptographic systems without degrading their performance, and may counter a variety of attacks using faults and/or fault analysis.

Published: 23-12-2010

Cryptography on a simplified elliptical curve

Number: CA2765652A1
Author: Thomas Icart
Assignee: Morpho SA

A cryptographic calculation is carried out in an electronic component, comprising a step of obtaining a point P(X,Y) from at least one parameter t, on an elliptic curve satisfying the equation Y^2 = f(X), and from polynomials X1(t), X2(t) and U(t) satisfying the equality −f(X1(t))·f(X2(t)) = U(t)^2 in the finite field Fq, irrespective of the parameter t, with q = 3 mod 4. A value of the parameter t is obtained, and the point P is then determined by carrying out the following substeps: (i) X1 = X1(t), X2 = X2(t) and U = U(t) are calculated (step 11); (ii) it is tested (step 12) whether the term f(X1) is a square in the finite field Fq and, if so, the square root of f(X1) is calculated (step 13), the point P having X1 as abscissa and Y1, the square root of f(X1), as ordinate; (iii) otherwise, the square root of f(X2) is calculated (step 14), the point P having X2 as abscissa and Y2, the square root of f(X2), as ordinate. This point P can then be used in an encryption, hashing, signature, authentication or identification cryptographic application.

Published: 14-02-2000

Timing attack resistant cryptographic system

Number: AU4891799A
Assignee: Certicom Corp

A method for determining the result of a group operation performed an integral number of times on a selected element of the group comprises the steps of: representing the integer as a binary vector; initializing an intermediate element to the group identity element; and selecting successive bits of the vector, beginning with the leftmost bit. For each selected bit, the group operation is performed on the intermediate element with itself to derive a new intermediate element, which replaces the intermediate element; the group operation is then performed on the intermediate element and an element selected from the group consisting of the group element, if the selected bit is a one, and the inverse of the group element, if the selected bit is a zero; and the intermediate element is again replaced with the new intermediate element. In a final step, the group operation is performed on the intermediate value and the inverse element if the last selected bit is a zero, and the intermediate element is replaced therewith, to obtain the result. Each bit of the integer is thereby processed with substantially equal operations, minimizing timing attacks on the cryptographic system.

Published: 30-10-2012

Method for securely encrypting or decrypting a message

Number: US8300810B2
Assignee: SIEMENS AG

A method for securely encrypting or decrypting a message, or for generating or verifying a digital signature on a message, in which the message is subjected, with the aid of a processor, to a mathematical operation using a key (k) that can be represented as a binary number with a sequence of bits, and computational operations are carried out sequentially on auxiliary variables for each bit. The dependence of the computational result on the values of the individual bits is handled by reading the memory addresses of the auxiliary variables and assigning them to address variables. The difference between the addresses is calculated and, depending on the current bit, added to or subtracted from the addresses, so that the assignment of the auxiliary variables to the address variables can be interchanged. As a result, the order and selection of the computational operations is controlled by the bits without the program sequence having to contain jump instructions.

Published: 24-05-2012

Transfer device

Number: DE102004063898B4
Author: Thomas Kunemund
Assignee: INFINEON TECHNOLOGIES AG

A device for storing a signal pair, having the following features: a device (102; 302; 402) for generating a signal pair from a data signal in accordance with a switching rule that depends on a switching signal value, with a first data signal input (112) for receiving a first data signal (152; 352); a first switching signal input (116) for receiving a first switching signal (158; 358; 458); a first signal output (122) for outputting a first signal (162; 362); and a first complementary signal output (124) for outputting a first complementary signal (164; 364), the first signal and the first complementary signal forming a first signal pair; the device for generating a signal pair being designed to output, in accordance with the switching rule, the first data signal as the first signal and a complementary first data signal as the first complementary signal when the first switching signal has a first value, and the first data signal as the first complementary signal and the complementary first data signal as the first signal when the first switching signal has a...

Published: 31-01-2008

Pseudo random number generator, stream encrypting device, and program

Number: WO2008013083A1
Author: Toru Hisakado
Assignee: NEC Corporation

Published: 27-03-2013

Integer division method which is secure against covert channel attacks

Number: CN1739094B
Author: K. Villegas, M. Joye
Assignee: GEMALTO SA

The invention relates to a cryptographic method comprising integer divisions of the type q = a div b and r = a mod b, where q is the quotient, a is an m-bit number, b is an n-bit number with n less than or equal to m, and b_{n−1}, the most significant bit of b, is non-zero. In each iteration of the method, with a loop index i varying between 1 and m−n+1, a partial division of an n-bit word A of the number a by the number b is performed in order to obtain one bit of the quotient q. According to the invention, the same operations are executed in every iteration, whatever the value of the quotient bit obtained. In different embodiments of the invention, one of the following is performed in each iteration: adding the number b to the word A / subtracting the number b from the word A; adding the number b or the complement of the number b to the word A; or, after adding the updated data to the word A, operating with 2^n on the updated data or on dummy data

Published: 08-07-2005

Signal transmission device for data path operation performing device, has output transmitting complementary signal, where device transmits data signal as signal/complementary signal based on value of switching signal

Number: FR2864872A1
Author: Thomas Kuenemund
Assignee: INFINEON TECHNOLOGIES AG

The device has an output (124) that transmits a complementary signal (164). The device transmits a data signal as a signal (162) and a complementary data signal as the complementary signal, when a switching signal (158) has one value. The device transmits the data signal as the complementary signal and the complementary data signal as the signal (162), when the switching signal has another value. An independent claim is also included for a device for performing an operation on data path including a signal transmission device.

Published: 23-09-2009

Information security device

Number: CN101542557A
Assignee: Matsushita Electric Industrial Co Ltd

The object of the invention is to provide an information security device that, compared with the prior art, reduces the processing time of the exponentiation that must be computed when performing secret communication or authentication. In this information security device, secret communication or authentication is performed by computing the power X^d from target data X and a secret value d using the window method. In the course of computing X^d, in the multiplication that follows a predetermined number of repeated squarings (for example 256) applied to a random number R that appears in the multiplication-based computation, a random-number removal value S (= R^(−2^256)) is used to cancel the result of repeatedly squaring the random number R, so that the cancellation processing of the prior art is no longer needed.

Published: 17-12-2010

Cryptography on a simplified elliptical curve

Number: FR2946818A1
Author: Thomas Icart
Assignee: Sagem Securite SA

In an electronic component, a cryptographic calculation is performed comprising a step of obtaining a point P(X,Y) from at least one parameter t, on an elliptic curve satisfying the equation Y^2 = f(X), and from polynomials X1(t), X2(t) and U(t) satisfying the equality −f(X1(t))·f(X2(t)) = U(t)^2 in the finite field Fq, whatever the parameter t, with q = 3 mod 4. A value of the parameter t is obtained. The point P is then determined by performing the following substeps: (i) calculate X1 = X1(t), X2 = X2(t) and U = U(t) (step 11); (ii) test (12) whether the term f(X1) is a square in the finite field Fq and, if so, calculate (13) the square root of f(X1), the point P having X1 as abscissa and, as ordinate, Y1, the square root of f(X1); (iii) otherwise calculate (14) the square root of f(X2), the point P having X2 as abscissa and, as ordinate, Y2, the square root of f(X2). This point P can then be used in an encryption, hashing, signature, authentication or identification cryptographic application.
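The two-candidate construction described by this entry and by CA2765652A1 above, as an added example that is not Morpho/Sagem code. The concrete polynomials are an assumption taken from the simplified SWU construction for a curve Y^2 = X^3 + aX + b with a, b non-zero: X1(t) = −(b/a)·(1 + 1/(t^4 − t^2)), X2(t) = −t^2·X1(t) and U(t) = t^3·f(X1(t)), which satisfy −f(X1(t))·f(X2(t)) = U(t)^2 because f(−t^2·X1) = −t^6·f(X1) for this X1. Since q = 3 mod 4 makes −1 a non-square, exactly one of f(X1), f(X2) is a square, so the single square test of step (ii) and one square root always yield a point. The prime q = 10007 and the curve coefficients are constructed values.

```python
# Added example (not Morpho/Sagem code): the simplified SWU point construction,
# with the polynomials X1, X2, U assumed as stated in the lead-in.
Q = 10007          # constructed prime, Q = 3 mod 4
A, B = 3, 5        # constructed curve y^2 = x^3 + 3x + 5 over F_Q (a, b non-zero)
assert Q % 4 == 3


def f(x):
    return (x * x * x + A * x + B) % Q


def is_square(v):
    """Euler criterion; 0 counts as a square."""
    return v == 0 or pow(v, (Q - 1) // 2, Q) == 1


def sqrt_mod(v):
    """For Q = 3 mod 4 a square root of a square v is v^((Q+1)/4)."""
    return pow(v, (Q + 1) // 4, Q)


def candidates(t):
    """X1(t), X2(t), U(t); t^4 - t^2 must be non-zero, i.e. t not in {0, 1, -1}."""
    t2 = t * t % Q
    denom = (t2 * t2 - t2) % Q
    if denom == 0:
        raise ValueError("t in {0, 1, -1}: X1(t) is undefined")
    x1 = (-B * pow(A, -1, Q)) * (1 + pow(denom, -1, Q)) % Q
    x2 = -t2 * x1 % Q
    u = pow(t, 3, Q) * f(x1) % Q
    return x1, x2, u


def point_from_param(t):
    """Steps (i)-(iii) of the abstract: one square test, one square root."""
    x1, x2, u = candidates(t)
    assert (-f(x1) * f(x2) - u * u) % Q == 0     # the defining identity holds
    if is_square(f(x1)):
        return x1, sqrt_mod(f(x1))
    return x2, sqrt_mod(f(x2))                   # guaranteed a square when f(x1) is not


def on_curve(pt):
    x, y = pt
    return (y * y - f(x)) % Q == 0
```

Because the fallback branch can never fail, the construction needs no retry loop, so the number of field operations does not depend on which candidate was chosen beyond the single square test; an implementation that wants even that test hidden computes both square roots and selects with a constant-time swap.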

Published: 16-06-2015

Power analysis countermeasure for the ECMQV key agreement algorithm

Number: CA2680056C
Assignee: BlackBerry Ltd

Execution of the ECMQV key agreement algorithm requires determination of an implicit signature, which determination involves arithmetic operations. Some of the arithmetic operations employ a long-term cryptographic key. It is the execution of these arithmetic operations that can make the execution of the ECMQV key agreement algorithm vulnerable to a power analysis attack. In particular, an attacker using a power analysis attack may determine the long-term cryptographic key. By modifying the sequence of operations involved in the determination of the implicit signature and the inputs to those operations, power analysis attacks may no longer be applied to determine the long-term cryptographic key.

Published: 22-03-2000

Microprocessor resistant to power analysis

Number: GB0001954D0
Assignee: ANDERSON ROSS J, MOORE SIMON W

Published: 03-11-2015

Arithmetic apparatus, elliptic scalar multiplication method of arithmetic apparatus, elliptic scalar multiplication program, residue operation method of arithmetic apparatus, and residue operation program

Number: US9176707B2
Assignee: Mitsubishi Electric Corp

A scalar multiplication unit references a t-bit sequence representing a random number k one bit at a time, starting from the most significant bit. At each bit it sets a work variable R[0] to the value obtained by doubling the point held in a scalar multiplication variable R (in which the specific point G on the elliptic curve is initially set), and sets a work variable R[1] to the value obtained by adding the specific point G to R[0]. The scalar multiplication unit 122 then sets R to R[0] if the value of the referenced bit is 0, and to R[1] if the value of the referenced bit is 1. A scalar multiple point output unit 123 outputs, as the scalar multiple point kG, the value obtained by subtracting the constant 2^t·G from the scalar multiplication variable R.

Published: 12-01-2011

Protection of a calculation performed by an integrated circuit

Number: EP1715410B1
Assignee: STMICROELECTRONICS SA

Published: 07-08-2003

Apparatus and method for calculating a result from a division

Number: DE10205713C1
Author: Wieland Fischer
Assignee: INFINEON TECHNOLOGIES AG

A device for calculating a result, or an integer multiple of the result (Q), of dividing a numerator (A) by a denominator (N) comprises means (12) for providing a factor chosen such that the product of the factor and the denominator is greater than the result. The device further comprises means (14) for modularly reducing a first product, of the numerator and the factor, using a modulus equal to the sum of a second product, of the denominator and the factor, and an integer, in order to obtain an auxiliary quantity that contains the result. Means (16) extract the result, or the integer multiple of the result, from the auxiliary quantity. A division is thus reduced to a modular reduction and a computationally inexpensive extraction, so that both speed and security are increased, in particular for long-number divisions.

Published: 19-12-2012

Fault-resistant exponentiation algorithm

Number: EP2535804A1
Assignee: Thomson Licensing SAS

An m-ary right-to-left exponentiation using a base x and an exponent d is performed in a device (100) having a processor (120) and m+1 registers R[0]-R[m] in a memory (130), by: initializing register R[m] to x^(a(m−1)) for a chosen integer a; initializing the registers other than R[m] to a value h, which advantageously is of small order; updating register R[r] to R[r]·x, where r is the remainder of the division of d by a·(m−1), so that the product of the registers R[0]-R[m−1] raised to the power (m−1) equals R[m]; replacing the exponent d by a working exponent q, the quotient of the division of d by a·(m−1), represented in base m as q = (q_{l−1}, ..., q_0) with a most significant non-zero digit followed by l−1 further digits; performing l iterations, starting at i = 0, of raising R[m] to the power m and setting R[q_i] to R[q_i]·R[m]; verifying the correctness of the result by checking that R[m] equals the product of the registers R[0]-R[m−1] raised to the power m−1; and, if the check succeeds, outputting the product of R[j]^j for 1 ≤ j ≤ m−1. The exponentiation can save memory or run faster. A device (100) and a computer program product (140) are also provided.
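The register-based algorithm in the abstract above, as an added example (not Thomson Licensing's code) reconstructed with two simplifying assumptions: the chosen integer a is 1, so that d = q·(m−1) + r, and the filler value h is 1. Every iteration multiplies one register by R[m] and raises R[m] to the power m, so the digit value only selects which register is written, and the final check R[m] == (R[0]·...·R[m−1])^(m−1) holds exactly for an unfaulted run. The modulus n = 47·59 is a constructed toy value chosen so that raising to the power m−1 = 3 is a bijection mod n, which makes the check fail for any corruption of one of R[0]…R[m−1]; the fault_at argument is a constructed bit flip used only to demonstrate that.

```python
# Added example (not Thomson Licensing's code): fault-resistant m-ary right-to-left
# exponentiation with the register check from the abstract, assuming a = 1 and h = 1.


def mary_exp(x, d, n, m=4, fault_at=None):
    """Return x^d mod n, or None when the final register check fails.

    fault_at=(step, register) flips the low bit of R[register] after the given
    iteration: a constructed fault, present only to show the check catching it."""
    assert m >= 2 and d >= 0
    q, r = divmod(d, m - 1)           # d = q*(m-1) + r with a = 1
    R = [1] * (m + 1)                 # R[0..m-1] = h = 1 (assumption)
    R[m] = pow(x, m - 1, n)           # base of the m-ary loop: x^(m-1)
    R[r] = R[r] * x % n               # the remainder r is absorbed into R[r]
    digits = []                       # q in base m, least significant digit first
    while q:
        q, digit = divmod(q, m)
        digits.append(digit)
    for step, digit in enumerate(digits):
        R[digit] = R[digit] * R[m] % n    # digit 0 still costs a multiplication
        R[m] = pow(R[m], m, n)
        if fault_at is not None and fault_at[0] == step:
            R[fault_at[1]] ^= 1           # constructed fault
    prod = 1
    for j in range(m):
        prod = prod * R[j] % n
    if pow(prod, m - 1, n) != R[m]:
        return None                   # fault detected: refuse to output anything
    result = 1
    for j in range(1, m):
        result = result * pow(R[j], j, n) % n
    return result
```

With a = 1 the invariant is immediate: after l iterations R[m] = x^((m−1)·m^l) while the product of R[0]…R[m−1] is x·x^((m−1)(1 + m + ... + m^(l−1))), and raising the latter to m−1 gives x^((m−1)·m^l) again; the output ∏ R[j]^j collects x^r from R[r] and x^((m−1)q) from the digit registers.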

Published: 28-04-2000

Power signature attack resistant cryptographic system

Number: CA2252078A1
Assignee: Certicom Corp

A method of computing a multiple k of a point P on an elliptic curve defined over a field, in a processor that generates distinct power signatures for addition and doubling operations, comprises the steps of representing the number k as a binary vector of bits k_i; forming an ordered pair of points P1 and P2 that differ at most by P; and selecting each of the bits k_i in sequence. When k_i is a zero, a new pair of points P1', P2' is computed by first doubling the first point P1 to generate P1', producing a first power signature, and then adding P1 and P2 to generate P2', producing a second power signature distinct from the first. When k_i is a one, the new pair P1', P2' is computed by first doubling the second point P2 to generate P2', producing the first power signature, and then adding P1 and P2 to generate P1', producing the second power signature. The doubles and adds are performed in the same order for each bit k_i, producing a consistent power signature waveform.
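One toy implementation covering the three scalar multiplication entries above (the Samsung Montgomery ladder with a fault check, the Mitsubishi double-and-add-always with the 2^t·G correction, and the Certicom ladder with the same doubling/addition order for every bit), as an added example that is not code from any of those patents. The curve y^2 = x^3 + 2x + 3 over F_97 with G = (3, 6) is a constructed toy curve; the fault check in the ladder is my choice (the ladder invariant R1 − R0 = G plus an on-curve test, not the patent's T1/T2 construction), and the constructed fault copies R1 over R0 after one iteration to show the check refusing to output. A real implementation uses a group whose order exceeds 2^t, so that no intermediate value is the point at infinity and every iteration really performs the same operations.

```python
# Added example, not code from the Samsung, Mitsubishi or Certicom patents:
# regular scalar multiplication on a constructed toy curve y^2 = x^3 + 2x + 3 over F_97.
P_MOD, A, B = 97, 2, 3
G = (3, 6)                      # constructed base point: 6^2 = 27 + 6 + 3 (mod 97)


def on_curve(pt):
    if pt is None:              # None represents the point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)


def ec_add(p1, p2):
    """Affine addition, doubling when p1 == p2."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None             # p2 == -p1, including doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_double(pt):
    return ec_add(pt, pt)


def mul_naive(k, pt):
    """Reference only: k repeated additions (irregular, never use for secrets)."""
    acc = None
    for _ in range(k):
        acc = ec_add(acc, pt)
    return acc


def mul_always(k, pt, t):
    """Double-and-add-always: R starts at G, both 2R and 2R+G are computed for every
    bit, the bit only selects, and the 2^t*G offset from the start value is removed."""
    r = pt
    for i in range(t - 1, -1, -1):
        r0 = ec_double(r)
        r1 = ec_add(r0, pt)
        r = r1 if (k >> i) & 1 else r0
    offset = pt
    for _ in range(t):          # the constant 2^t * G (precomputable)
        offset = ec_double(offset)
    return ec_add(r, ec_neg(offset))


def mul_ladder(k, pt, t, fault_step=None):
    """Montgomery ladder: one doubling then one addition per bit, in the same order
    whatever the bit, keeping R1 - R0 == G.  Raises on a detected fault instead of
    returning a point.  fault_step copies R1 over R0 after that iteration (constructed)."""
    r0, r1 = None, pt
    for i in range(t - 1, -1, -1):
        if (k >> i) & 1:
            r1_new = ec_double(r1)
            r0_new = ec_add(r0, r1)
        else:
            r0_new = ec_double(r0)
            r1_new = ec_add(r0, r1)
        r0, r1 = r0_new, r1_new
        if fault_step == i:
            r0 = r1                 # constructed fault
    if ec_add(r1, ec_neg(r0)) != pt or not on_curve(r0) or not on_curve(r1):
        raise ValueError("fault detected: ladder invariant or curve check failed")
    return r0


def ladder_detects_fault(k, pt, t, fault_step):
    """True when the faulted ladder refuses to output a result."""
    try:
        mul_ladder(k, pt, t, fault_step)
    except ValueError:
        return True
    return False
```

The copy fault is the one an attacker wants: after it, both registers advance in lock-step, so their difference is the point at infinity rather than G, and the invariant check catches it regardless of where in the loop it happened.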

Published: 14-12-2006

Two coded input operand`s logic function evaluating circuit for safety-relevant application, has summoning circuit terminating memorizing when two dual rail signals have data values and coding signal has coding values

Number: DE102005037356B3
Assignee: INFINEON TECHNOLOGIES AG

The circuit has a logic circuit that determines coded output values, based on a logic function, from the data values of two inputs and coding values, and outputs the output values in a computation cycle. A summoning circuit (102) stores summoning values at an output if the summoning values are detected at the output, or terminates the storing when two dual-rail signals have data values and a dual-rail coding signal has coding values. An independent claim is also included for a method of evaluating a logic function of two coded input operands.

Published: 05-06-2008

Method of Performing Secure and Compact Exponentiation for Cryptography

Number: US20080130877A1
Author: Marc Joye
Assignee: Gemplus SA

The invention relates to a method for secure and compact exponentiation. The inventive method can be applied in the field of cryptology where cryptographic algorithms are used in electronic devices such as chip cards.

Published: 31-12-2009

Pseudo-random number generation device, stream encryption device and program

Number: US20090327382A1
Author: Toru Hisakado
Assignee: NEC Corp

A pseudo-random number generation device resistant to attack methods that exploit the number of operations of an LFSR, a stream encryption device, and a program are provided. The stream encryption device has either means (delay means 811 to 81N) that operate exclusively with each LFSR (801 to 80N) of the clock-controlled pseudo-random number generator and make uniform the generation processing time or the power consumption per output unit, or means that randomize the generation processing time or the power consumption per output unit.

Published: 15-04-2010

Differential power analysis - resistant cryptographic processing

Number: US20100091982A1
Assignee: Cryptography Research Inc

Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.

Published: 07-02-2007

Modular exponentiation algorithm for electronic components using public key cryptography algorithms

Number: JP3878853B2
Assignee: Gemplus SA

Published: 21-02-2003

Universal calculation method applied to points of an elliptical curve

Number: FR2828779A1
Author: Marc Joye
Assignee: Gemplus Card International SA, Gemplus SA

The invention relates to a universal calculation method applied to points on an elliptic curve defined by a Weierstrass equation. According to the invention, identical programmed computing means are used to perform a point addition and a point doubling. The computing means comprise, in particular, a central unit (2) connected to a storage unit (4, 6, 8). The invention can be used for cryptographic calculations, for example in a chip card.

Published: 12-07-2007

Protection of a calculation performed by an integrated circuit

Number: US20070162534A1
Assignee: STMICROELECTRONICS SA

A method and a circuit for protecting a digital quantity of a first number of bits, in an algorithm executing at least one modular exponentiation of data by that quantity, the steps including at least one squaring and at least one multiplication and implementing, for each bit of the quantity, different calculation steps according to the state of the bit, with the same number of multiplications being performed whatever the state of the bit and all the calculation steps that use a multiplication being taken into account in the final result.
