Total found: 526. Shown: 173.
16-04-2020 publication date

Patent RU2018125606A3

Number: RU2018125606A3
Author: [UNK]
Assignee: [UNK]

RU 2018125606 A3. Publication date: 16.04.2020. Form No. 18 ИЗИМ-2011. Federal Service for Intellectual Property, Federal State Budgetary Institution "Federal Institute of Industrial Property" (FIPS). SEARCH REPORT. 1. IDENTIFICATION OF THE APPLICATION. Registration number: 2018125606/28(040526); filing date: 05.12.2016; PCT/EP2016/079694, 05.12.2016. Priority established by the date of: [ ] filing of the application; [ ] receipt of additional materials to earlier application No. ...; [ ] priority of the original application No. ... from which this application is divided; [ ] filing of the original application No. ... from which this application is divided; [ ] filing of earlier application No. ...; [X] filing of the first application(s) in a state party to the Paris Convention. (31) Number of the first application(s), (32) filing date of the first application(s), (33) country code: 1. 2015955, 14.12.2015, NL. Title of the invention (utility model): [X] as claimed; [ ] amended (see Notes): COMPUTING DEVICE AND METHOD. Applicant: KONINKLIJKE PHILIPS N.V., NL. 2. UNITY OF INVENTION: [X] observed; [ ] not observed. Explanations: see Notes. 3. CLAIMS: [ ] all claims taken into account; [X] the following claims taken into account: 1-14, 16 (see Notes); [ ] amended claims taken into account (see Notes). 4. CLASSIFICATION OF THE SUBJECT OF THE INVENTION (UTILITY MODEL) (IPC indices and current version indicator): G06F 21/14 (2013.01), G06F 7/00 (2006.01). 5. FIELD OF SEARCH. 5.1 Minimum PCT documentation searched (IPC indices): G06F 7/00, 7/06, 7/38, 7/46, 7/50, 21/00, 21/10, 21/12, 21/14; H04L 9/00, 9/28. 5.2 Other documentation searched to the extent included in the search files: -. 5.3 Electronic databases used in the search (database name and, where possible, search terms): ВУРАТЕМТЬЗ, DWPI, E-Library, EAPATIS, EBSCO, Espacenet, Google, Google Patents, J-PlatPat, KIPRIS, LexisNexis, PATENTSCOPE, PatSearch, Questel-Orbit, КОРТО, USPTO. 6. ...

15-11-2011 publication date

SECURE SLIDING WINDOW EXPONENTIATION

Number: AT0000530981T
Author: BAUER, SVEN
Assignee:

15-06-2004 publication date

INTEGER DIVISION METHOD WHICH IS SECURE AGAINST COVERT CHANNEL ATTACKS

Number: AU2003295059A1
Assignee:

16-06-2015 publication date

POWER ANALYSIS COUNTERMEASURE FOR THE ECMQV KEY AGREEMENT ALGORITHM

Number: CA0002680056C

Execution of the ECMQV key agreement algorithm requires determination of an implicit signature, which determination involves arithmetic operations. Some of the arithmetic operations employ a long-term cryptographic key. It is the execution of these arithmetic operations that can make the execution of the ECMQV key agreement algorithm vulnerable to a power analysis attack. In particular, an attacker using a power analysis attack may determine the long-term cryptographic key. By modifying the sequence of operations involved in the determination of the implicit signature and the inputs to those operations, power analysis attacks may no longer be applied to determine the long-term cryptographic key.

21-11-2017 publication date

CRYPTOGRAPHY ON A SIMPLIFIED ELLIPTICAL CURVE

Number: CA0002765652C
Author: ICART THOMAS
Assignee: MORPHO

In an electronic component, a cryptographic calculation is executed comprising a step of obtaining a point P(X,Y) from at least one parameter t, on an elliptic curve satisfying the equation Y^2 = f(X), and from polynomials X1(t), X2(t) and U(t) satisfying the following equality: -f(X1(t))·f(X2(t)) = U(t)^2 in the finite field Fq, whatever the parameter t, with q satisfying the equation q = 3 mod 4. A value of the parameter t is obtained. The point P is then determined by carrying out the following substeps: (i) compute X1 = X1(t), X2 = X2(t) and U = U(t) (step 11); (ii) test (12) whether the term f(X1) is a square in the finite field Fq and, if so, compute (13) the square root of the term f(X1), the point P having X1 as abscissa and the square root of the term f(X1) as ordinate Y1; (iii) otherwise compute (14) the square root of the term f(X2), the point P having X2 as abscissa and the square root of the term f(X2) as ordinate Y2. This point P can then be used in an application ...

23-12-2010 publication date

CRYPTOGRAPHY ON A SIMPLIFIED ELLIPTICAL CURVE

Number: CA0002765652A1
Author: ICART THOMAS
Assignee: Morpho SA

A cryptographic calculation is carried out in an electronic component, comprising a step of obtaining a point P(X,Y) from at least one parameter t, on an elliptical curve satisfying the equation Y^2 = f(X) and from polynomials X1(t), X2(t) and U(t) satisfying the following equality: -f(X1(t))·f(X2(t)) = U(t)^2 in the finite field Fq, irrespective of the parameter t, q satisfying the equation q = 3 mod 4. A value of the parameter t is obtained and then the point P is determined by carrying out the following substeps: (i) X1 = X1(t), X2 = X2(t) and U = U(t) are calculated (step 11); (ii) it is tested (step 12) whether the term f(X1) is a square in the finite field Fq and, if so, the square root of the term f(X1) is calculated (step 13), the point P having X1 as abscissa and Y1, the square root of the term f(X1), as ordinate; (iii) otherwise, the square root of the term f(X2) is calculated (step 14), the point P having X2 as abscissa and Y2, the square root of the term f(X2), as ordinate. This point P can then be used in a cryptographic application for encryption, hashing, signature, authentication or identification.

09-12-2014 publication date

EXPONENTIATION METHOD USING MULTIBASE NUMBER REPRESENTATION

Number: CA0002631276C

A method of scalar multiplication for use in elliptic curve-based cryptosystems (ECC) is provided. Scalars are represented using a generic multibase form combined with the non-adjacency property, which greatly reduces the nonzero density in the representation. The method allows for flexibly selecting an unrestricted number of bases and their weight in the representation according to the particular characteristics of a setting, in such a way that computing costs are minimized. A simple, memory-friendly conversion process from binary to multibase representation and an inexpensive methodology to protect the multibase scalar multiplication against simple side-channel attacks are also provided.

06-10-2009 publication date

TIMING ATTACK RESISTANT CRYPTOGRAPHIC SYSTEM

Number: CA0002243761C
Assignee: CERTICOM CORP.

A method for determining a result of a group operation performed an integral number of times on a selected element of the group, the method comprising the steps of: representing the integral number as a binary vector; initializing an intermediate element to the group identity element; selecting successive bits of the vector, beginning with the leftmost bit. For each of the selected bits: performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element selected from the group consisting of: the group element if the selected bit is a one; and an inverse element of the group element if the selected bit is a zero; replacing the intermediate element with the new intermediate element. In a final step, performing the group operation on the intermediate value and the inverse element if the last selected bit is a zero, and replacing the intermediate element therewith, to obtain the result, whereby each of the bits of the integral number is processed with substantially equal operations, thereby minimizing timing attacks on the cryptographic system.

08-10-2014 publication date

Simplified method and apparatus for the efficient implementation of two-channel attacks

Number: CN101938355B
Author:
Assignee:

16-01-2004 publication date

UNIVERSAL CALCULATION METHOD APPLIED TO POINTS OF AN ELLIPTIC CURVE

Number: FR0002828779B1
Author: JOYE MARC
Assignee:

19-09-2003 publication date

METHOD FOR SECURING AN EXPONENTIATION CALCULATION IN AN ELECTRONIC DEVICE

Number: FR0002825863B1
Author: JOYE MARC
Assignee:

04-08-2008 publication date

Cryptographic method for countering DFA using ECC fast Montgomery power ladder algorithm

Number: KR0100850202B1
Assignee: Samsung Electronics Co., Ltd.

An encryption method countering DFA using the ECC fast Montgomery power ladder algorithm is disclosed. The encryption method according to an embodiment of the present invention comprises: receiving a base point P on an elliptic curve and a scalar k, and initializing a plurality of primary variables (P1, P2) using the base point P; setting a plurality of secondary variables T1, T2 corresponding to the plurality of primary variables P1, P2, and then computing the scalar product Q (= kP), the product of the base point P and the scalar k, by iteratively operating on the plurality of primary variables P1, P2 and secondary variables T1, T2 in response to the scalar k, and checking, using the plurality of primary variables P1, P2 and secondary variables T1, T2 in response to the scalar k, whether a fault has been injected; and outputting the scalar product Q if no fault has been injected. The encryption method according to the embodiment of the present invention has the advantage that it can be applied to various cryptosystems without reducing the performance of the cryptosystem and can counter various fault-based attacks.

02-08-2001 publication date

MODULAR EXPONENTIAL ALGORITHM IN AN ELECTRONIC COMPONENT USING A PUBLIC KEY ENCRYPTION ALGORITHM

Number: WO2001055838A2
Author: BENOIT, Olivier
Assignee: Gemplus

The invention concerns an anti-SPA (Simple Power Attack) modular exponential algorithm in an electronic component using a public key encryption algorithm.

15-04-2014 publication date

Fault-resistant exponentiation algorithm

Number: US0008700921B2

A method for performing an m-ary right-to-left exponentiation using a base x, a secret exponent d and a modulus N, wherein m is a power of 2. A device having a processor and m+1 registers R[0]-R[m] in at least one memory: initializes register R[0] to h for a chosen value h, wherein the order of the value h is a divisor of m*(m-1)/2, register R[m] to x^(m-1) and the registers other than R[0] and R[m] to the value h; updates register R[r] to R[r] times x mod N, wherein r is the remainder of a division of d by (m-1); obtains a working exponent q that is the quotient of the division of d by (m-1); performs l iterations, starting at i = 0, of: setting R[q_i] to R[q_i] times R[m] and raising R[m] to the power of m, where l is the length of q in base m, q_i is the i-th digit of the representation of q in base m and q_(l-1) is non-zero; verifies the correctness of the result by checking that R[m] equals the product of registers R[0]-R[m-1] to the power of m-1; and outputs the product of R[j]^j, where 1 ≤ j ≤ m-1, only ...

06-11-2013 publication date

ARITHMETICAL DEVICE, ARITHMETICAL DEVICE ELLIPTICAL SCALAR MULTIPLICATION METHOD AND ELLIPTICAL SCALAR MULTIPLICATION PROGRAM, ARITHMETICAL DEVICE MULTIPLICATIVE OPERATION METHOD AND MULTIPLICATIVE OPERATION PROGRAM, AS WELL AS ARITHMETICAL DEVICE ZERO DETERMINATION METHOD AND ZERO DETERMINATION PROGRAM

Number: EP2660796A1
Assignee:

An elliptic scalar multiplication kG can be processed in a fixed amount of computation time regardless of the value of a random number k, and timing analysis of the elliptic scalar multiplication kG can be prevented. An initial setting unit 121 sets a specific point G on an elliptic curve in a scalar multiplication variable R. A scalar multiplication unit 122 references a t-bit bit sequence representing a random number k one bit at a time from the most significant bit, and each time one bit is referenced, sets in a work variable R[0] a value obtained by doubling the scalar multiplication variable R, and sets in a work variable R[1] a value obtained by adding the specific point G to the value set in the work variable R[0]. Then, the scalar multiplication unit 122 sets the work variable R[0] in the scalar multiplication variable R if the value of the referenced bit is 0, and sets the work variable R[1] in the scalar multiplication variable R if the value of the referenced bit is 1. A scalar ...

27-06-2014 publication date

CRYPTOGRAPHY ON AN ELLIPTIC CURVE

Number: RU2520379C2
Assignee: MORPHO (FR)

The invention relates to a method and a device for performing a cryptographic transformation in an electronic component. The technical result is increased security when establishing connections with password authentication, achieved by making the cryptographic transformation more efficient. In the method, a point P(X,Y) is obtained from a parameter t on an elliptic curve satisfying the expression Y^2 = f(X) and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying the equality f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in Fq, where q = 3 mod 4; then a value of the parameter t is obtained and the point P is determined by performing the substeps in which (i) X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t) are computed; (ii) if the element f(X1)·f(X2) is a square, it is checked whether the element f(X3) is a square in Fq, and if so, the square root of the element f(X3) is computed to obtain the point P(X3); (iii) otherwise it is checked whether the element f(X1) is a square, and if so, the square root of f(X1) is computed to obtain the point P(X1); (iv) otherwise the square root of the element f(X2) is computed to obtain the point P(X2); this point P is then used in a cryptographic application. 2 independent and 6 dependent claims, 3 figures.

RUSSIAN FEDERATION (19) RU (11) 2 520 379 (13) C2 (51) IPC G06F 21/30 (2013.01), G06F 21/72 (2013.01), H04L 9/28 (2006.01), G06F 17/10 (2006.01). FEDERAL SERVICE FOR INTELLECTUAL PROPERTY. (12) DESCRIPTION OF THE INVENTION FOR THE PATENT. (21)(22) Application: 2012101253/08, 15.06.2010. (24) Start date of the patent term: 15.06.2010. (72) Inventor(s): ICART Thomas (FR), CORON Jean-Sébastien (FR). (73) Patent holder(s): MORPHO (FR). (30) Convention priority: 16.06.2009 FR 0954053. (43) Application publication date: 27.07.2013, Bull. No. 21. (45) Published: 27.06.2014, Bull. No. 18. (56) Documents cited in the search report: EP 1014617 A3, 28.06.2000; WO 2000005837 A1, 03.02.2000; RU ...

27-07-2013 publication date

CRYPTOGRAPHY ON AN ELLIPTIC CURVE

Number: RU2012101253A
Assignee:

... 1. A method of performing a cryptographic transformation in an electronic component, comprising a step of obtaining a point P(X,Y), from at least one parameter t, on an elliptic curve satisfying the expression Y^2 = f(X), and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying the following Skalba equality: f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in the finite field Fq regardless of the parameter t, where q satisfies the equality q = 3 mod 4; wherein the following steps are performed: /1/ a value of the parameter t is obtained; /2/ the point P is determined by performing the following substeps: /i/ X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t) are computed; /ii/ if the element f(X1)·f(X2) is a square in the finite field Fq, it is checked whether the element f(X3) is a square in the finite field Fq, and the square root of the element f(X3) is computed, the abscissa of the point P being X3 and the square root of f(X3) being the ordinate of the point P; /iii/ otherwise, it is checked whether the element f(X1) is a square in the finite field Fq, and if so, ...

15-01-2009 publication date

SECURE MODULAR EXPONENTIATION WITH LEAKAGE MINIMIZATION FOR SMART CARDS AND OTHER CRYPTOSYSTEMS

Number: AT0000418099T
Assignee:

15-08-2010 publication date

PROTECTION OF A CRYPTOGRAPHIC COMPUTATION IN AN INTEGRATED CIRCUIT

Number: AT0000476699T
Assignee:

15-03-2010 publication date

TIMING-ATTACK-RESISTANT CRYPTOGRAPHIC SYSTEM

Number: AT0000460027T
Assignee:

15-04-2008 publication date

INTEGER DIVISION METHOD SECURE AGAINST COVERT CHANNEL ATTACKS

Number: AT0000390665T
Assignee:

04-09-2003 publication date

SYSTEM AND METHOD FOR CALCULATING A RESULT FROM A DIVISION

Number: AU2003244870A1
Assignee:

20-05-2014 publication date

POWER ANALYSIS ATTACK COUNTERMEASURE FOR THE ECDSA

Number: CA0002680052C

Execution of the Elliptic Curve Digital Signature Algorithm (ECDSA) requires determination of a signature, which determination involves arithmetic operations. Some of the arithmetic operations employ a long-term cryptographic key. It is the execution of these arithmetic operations that can make the execution of the ECDSA vulnerable to a power analysis attack. In particular, an attacker using a power analysis attack may determine the long-term cryptographic key. By modifying the sequence of operations involved in the determination of the signature and the inputs to those operations, power analysis attacks may no longer be applied to determine the long-term cryptographic key.

23-12-2010 publication date

CRYPTOGRAPHY ON A SIMPLIFIED ELLIPTICAL CURVE

Number: WO2010146303A2
Author: ICART, Thomas
Assignee:

A cryptographic calculation is carried out in an electronic component, comprising a step of obtaining a point P(X,Y) from at least one parameter t, on an elliptical curve satisfying the equation Y^2 = f(X) and from polynomials X1(t), X2(t) and U(t) satisfying the following equality: -f(X1(t))·f(X2(t)) = U(t)^2 in the finite field Fq, irrespective of the parameter t, q satisfying the equation q = 3 mod 4. A value of the parameter t is obtained and then the point P is determined by carrying out the following substeps: (i) X1 = X1(t), X2 = X2(t) and U = U(t) are calculated (step 11); (ii) it is tested (step 12) whether the term f(X1) is a square in the finite field Fq and, if so, the square root of the term f(X1) is calculated (step 13), the point P having X1 as abscissa and Y1, the square root of the term f(X1), as ordinate; (iii) otherwise, the square root of the term f(X2) is calculated (step 14), the point P having X2 as abscissa and Y2, the square root of the term f(X2), as ordinate.

29-06-2006 publication date

SECURE AND COMPACT EXPONENTIATION METHOD FOR CRYPTOGRAPHY

Number: WO2006067057A1
Author: JOYE, Marc
Assignee:

The invention relates to a method for secure and compact exponentiation. The inventive method can be applied in the field of cryptology where cryptographic algorithms are used in electronic devices such as chip cards.

23-09-2010 publication date

EXPONENTIATION METHOD RESISTANT AGAINST SIDE-CHANNEL AND SAFE-ERROR ATTACKS

Number: WO2010105900A1
Author: JOYE, Marc
Assignee:

An exponentiation method resistant against side-channel attacks and safe-error attacks. Input to the method is g in a multiplicatively written group G and an l-digit exponent d with a radix m > 1, and the output is z = g^(d-1). (d-1) is expressed as a series of (l-1) non-zero digits, d*_0 ... d*_(l-2), in the set {m-1, ..., 2m-2} and an extra digit d*_(l-1) that is equal to d_(l-1) - 1, where d_(l-1) represents the most significant radix-m digit of d, and g^(d-1) is evaluated through an m-ary exponentiation algorithm on input g and (d-1) represented by d*_0 ... d*_(l-1). Also provided are an apparatus and a computer program product.

11-12-2008 publication date

INFORMATION SECURITY DEVICE

Number: WO000002008149496A1
Assignee:

An information security device for performing computation for secret communication or authentication in a shorter time than conventionally. The information security device computes the raised value X^d from subject data X and a secret value d by the window method to perform secret communication or authentication. In the process of computing the raised value X^d, squaring a random number R appearing as a result of multiplication is repeated a predetermined number of times, for example 256 times, and the result of the squaring of the random number R is canceled by multiplication immediately after the repetition of the squaring, using a random number removal number S (= R^(-2^256)). Thus, the need for the conventional canceling is obviated.

17-03-2015 publication date

Processor with differential power analysis attack protection

Number: US0008984631B2
Author: Uri Kaluzhny

A device including a processor to perform an operation yielding a result, the processor including a register including bit storage elements and including a first and second section, each element being operative to store a bit value, and a power consumption mask module to determine whether the whole result can be completely written in half or less than half of the register and to determine a balancing entry if the result can be completely written in half or less than half of the register, and a write module to perform a single write operation to the register including writing the result and the balancing entry to the first and second section, respectively, if the result can be completely written in half or less than half of the register, else writing the result of the operation across at least part of the first and second section. Related apparatus and methods are also described.

27-07-2013 publication date

CRYPTOGRAPHY ON A SIMPLIFIED ELLIPTIC CURVE

Number: RU2012101254A
Assignee:

... 1. A method of performing a cryptographic transformation in an electronic component, comprising a step of obtaining a point P(X, Y), from at least one parameter t, on an elliptic curve satisfying the expression Y^2 = f(X), and from polynomials X1(t), X2(t) and U(t) satisfying the following equality: -f(X1(t))·f(X2(t)) = U(t)^2 in the finite field Fq regardless of the parameter t, where q satisfies the equality q = 3 mod 4; wherein the following steps are performed: /1/ a value of the parameter t is obtained; /2/ the point P is determined by performing the following substeps: /i/ X1 = X1(t), X2 = X2(t) and U = U(t) are computed (11); /ii/ it is checked (12) whether the element f(X1) is a square in the finite field Fq, and if so, the square root of the element f(X1) is computed (13), the abscissa of the point P being X1 and the square root of the element f(X1) being the ordinate Y1 of the point P; /iii/ if this condition is not met, the square root of the element f(X2) is computed (14), the abscissa of the point P being X2 and the square root of f(X2) being the ordinate ...

06-06-2002 publication date

Digital signal value calculation method for cryptography calculates scalar product from natural number and point along elliptical curve

Number: DE0010057203C1
Assignee: CV CRYPTOVISION GMBH

The calculation method provides a scalar product from a natural number above 1, which is stored as a binary representation, and a point along an elliptical curve, with calculation of the scalar product via an electronic calculator having a processor, e.g. a smart card microprocessor, without data-dependent current and/or power requirement.

15-06-2004 publication date

CRYPTOGRAPHY RESISTANT TO POWER CONSUMPTION SIGNATURE ACCUMULATION

Number: AT0000268022T
Assignee:

15-04-2009 publication date

CRYPTOGRAPHIC METHOD PROTECTED AGAINST SIDE-CHANNEL ATTACKS

Number: AT0000426202T
Assignee:

15-02-2012 publication date

METHOD, DEVICE AND COMPUTER PROGRAM SUPPORT FOR REGULAR RECODING OF A POSITIVE INTEGER

Number: AT0000544113T
Author: JOYE, MARC
Assignee:

15-10-2011 publication date

ELLIPTIC SCALAR MULTIPLICATION METHOD AGAINST POWER ANALYSIS ATTACKS

Number: AT0000527777T
Assignee:

15-03-2010 publication date

DISTURBANCE DETECTION IN A CRYPTOGRAPHIC COMPUTATION

Number: AT0000459914T
Assignee:

05-08-2014 publication date

COMBINING INTERLEAVING WITH FIXED-SEQUENCE WINDOWING IN AN ELLIPTIC CURVE SCALAR MULTIPLICATION

Number: CA0002680048C

An Elliptic Curve scalar multiplication product involving a scalar and a base point is determined in a manner that acts as a countermeasure to side channel attacks. A key splitting strategy called Additive Splitting Using Division involves selecting a random integer and determining an integer quotient and a remainder by dividing the scalar by the random integer. The product may then be expressed as a sum of scalar multiplications, which may be evaluated using a combination of a fixed-sequence window method with the known Interleaving method. When the integer quotient and remainder are odd, major collisions may be avoided when determining the product. Accordingly, the random integer that determines whether the integer quotient and remainder are odd may be subject to some control.

12-09-2008 publication date

METHOD AND APPARATUS FOR PERFORMING ELLIPTIC CURVE SCALAR MULTIPLICATION IN A MANNER THAT COUNTERS POWER ANALYSIS ATTACKS

Number: CA0002680054A1
Assignee:

When multiplicative splitting is used to hide a scalar in an Elliptic Curve Scalar Multiplication (ECSM) operation, the associated modular division operation employs the known Almost Montgomery Inversion algorithm. By including dummy operations in some of the branches of the main iteration loop of the Almost Montgomery Inversion algorithm, all branches of the algorithm may be viewed, from the perspective of a Power Analysis-based attack, as equivalent and, accordingly, devoid of information useful in determining the value of the scalar, which may be a cryptographic private key.

17-12-2010 publication date

CRYPTOGRAPHY ON A SIMPLIFIED ELLIPTIC CURVE

Number: FR0002946818A1
Author: ICART THOMAS
Assignee: MORPHO

In an electronic component, a cryptographic calculation is executed comprising a step of obtaining a point P(X,Y) from at least one parameter t, on an elliptic curve satisfying the equation Y^2 = f(X), and from polynomials X1(t), X2(t) and U(t) satisfying the following equality: -f(X1(t))·f(X2(t)) = U(t)^2 in the finite field Fq, whatever the parameter t, with q satisfying the equation q = 3 mod 4. A value of the parameter t is obtained. The point P is then determined by carrying out the following substeps: (i) compute X1 = X1(t), X2 = X2(t) and U = U(t) (step 11); (ii) test (12) whether the term f(X1) is a square in the finite field Fq and, if so, compute (13) the square root of the term f(X1), the point P having X1 as abscissa and the square root of the term f(X1) as ordinate Y1; (iii) otherwise compute (14) the square root of the term f(X2), the point P having X2 as abscissa and the square root of the term f(X2) as ordinate Y2. This point P can then be used in a cryptographic application for encryption, hashing, signature, authentication or identification.

21-02-2003 publication date

UNIVERSAL CALCULATION METHOD APPLIED TO POINTS OF AN ELLIPTIC CURVE

Number: FR0002828779A1
Author: JOYE MARC
Assignee: Gemplus Card International SA, Gemplus SA

The invention relates to a universal calculation method that is applied to points on an elliptical curve which is defined by a Weierstrass equation. According to the invention, identical programmed computing means are used to perform an operation involving the addition of points and an operation involving the doubling of points. The computing means comprise, in particular, a central unit (2) which is connected to a storage unit (4, 6, 8). Said invention can be used for cryptographic calculations, for example in a chip card.

17-12-2010 publication date

CRYPTOGRAPHY ON AN ELLIPTIC CURVE

Number: FR0002946819A1
Assignee: MORPHO

A cryptographic calculation is executed in an electronic component, comprising obtaining a point P(X,Y) from t on an elliptic curve with equation Y^2 = f(X), and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying the equality f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in Fq, with q = 3 mod 4. A value of the parameter t is first obtained. The point P is then determined by carrying out the following substeps: (i) compute X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t); (ii) if the term f(X1)·f(X2) is a square, then test whether the term f(X3) is a square in Fq and compute the square root of f(X3) to obtain the point P(X3, √f(X3)); (iii) otherwise test whether the term f(X1) is a square and compute the square root of f(X1) to obtain the point P(X1, √f(X1)); (iv) otherwise compute the square root of f(X2) to obtain the point P(X2, √f(X2)). This point P can then be used in a cryptographic application.

13-12-2002 дата публикации

Computation of secure power function for cryptographic algorithms, at least a bit or figure of an indexed x power number is iteratively processed

Number: FR0002825863A1
Author: JOYE MARC
Assignee: Gemplus Card International SA, Gemplus SA

Secure method for a power function calculation of type y = x^r, where x is part of a multiplicative group and r is a predetermined number. At least a bit or digit (ri) of the number r is iteratively processed, an index (i) for the number being provided. At the end of each iteration the index is incremented or decremented according to the value of the indexed bit or digit (ri) and the bit or digit is reset to zero. At least two computation registers are used to carry out the power function calculation. The value of the indexed bit or digit is used to index at least one of the registers used in the corresponding iteration. The method is designed to be used in electronic devices carrying out calculations of this type with or without results in place. The method is applied to a power function algorithm according to a binary or k-ary method with the bits or digits (ri) swept from left to right. The indexed register is obtained from the value of the indexed bit or digit (ri). The bit sweep for the number r may be from right to left, in which case the indexed register is obtained from the complement of the value of the indexed bit.

11-10-2007 publication date

SECURE DECRYPTION METHOD

Number: WO000002007113697A3
Author: TOBERGTE, Wolfgang
Assignee:

The invention relates to a method of determining a plaintext M on the basis of a cipher C and using a secret key d, wherein the secret key d is used in binary form, wherein the plaintext M is determined in each iteration step i for the corresponding bit di and a security variable Mn is determined in parallel therewith, and then a verification variable x is determined by means of a bit-compatible exponent of the secret key d.

07-02-2008 publication date

Apparatus for performing a fault detection operation and method thereof

Number: US2008031443A1
Assignee:

An apparatus for performing a fault detection operation and methods thereof are provided. The example apparatus may include a first-coordinate computing unit receiving a first point and a second point in a binary finite field, the first and second points established based on a basic point within a given elliptic curve, each of the first and second points including a first coordinate value and a second coordinate value, the first-coordinate computing unit performing a first addition operation on the first point and the second point to compute a third coordinate value and a second-coordinate computing unit performing a second addition operation on the first and second points to compute a fourth coordinate value, the first and second addition operations computed based on at least one of a difference between the first coordinate values of the first and second points and a difference between the second coordinate values of the first and second points.

06-05-2014 publication date

Cryptography on an elliptical curve

Number: US0008718276B2
Assignee: Morpho, ICART THOMAS, CORON JEAN-SEBASTIEN, MORPHO

A cryptographic calculation includes obtaining a point P(X,Y) from a parameter t on an elliptical curve Y^2 = f(X); and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying: f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in Fq, with q = 3 mod 4. Firstly a value of the parameter t is obtained. Next, the point P is determined by: (i) calculating X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t); (ii) if the term f(X1)·f(X2) is a square, then testing whether the term f(X3) is a square in Fq and if so calculating the square root of f(X3) in order to obtain the point P(X3); (iii) otherwise, testing whether the term f(X1) is a square and, if so, calculating the square root of f(X1) in order to obtain the point P(X1); (iv) otherwise, calculating the square root of f(X2) in order to obtain the point P(X2). This point P is useful in a cryptographic application.

16-01-2020 publication date

COMPUTING DEVICE AND METHOD

Number: RU2018125606A

RUSSIAN FEDERATION (19) RU (11) (13) 2018 125 606 A (51) IPC G06F 21/14 (2013.01) FEDERAL SERVICE FOR INTELLECTUAL PROPERTY (12) APPLICATION FOR INVENTION (21)(22) Application: 2018125606, 05.12.2016 (71) Applicant(s): KONINKLIJKE PHILIPS N.V. (NL) Priority(ies): (30) Convention priority: 14.12.2015 NL 2015955 (85) Date of commencement of the national phase of the PCT application: 16.07.2018 (43) Date of publication of the application: 16.01.2020 Bull. No. 2 (72) Inventor(s): SCHEPERS Hendrik Jan Jozef Hubertus (NL), GORISSEN Mathias Hubertus Mechtildis Antonius (NL), MARIN Leandro (NL) (86) PCT application: (87) PCT application publication: WO 2017/102392 (22.06.2017) Correspondence address: 129090, Moscow, ul. B. Spasskaya, 25, str. 3, OOO "Gorodissky & Partners Law Firm" (57) Claims 1. A computing device (100) arranged to perform calculations on elements of a ring (R), a ring addition and a ring multiplication being defined in the ring, the computing device comprising an operand store (110) arranged to store encoded ring elements (112, 114, 116; 212), an encoded ring element being a ring element in encoded form, an operator module (120; 220) comprising several operator units, at least one of the operator units being a binary operator unit (122; 222, 224) arranged to: receive an encoded ring element and a parameter, and perform a fixed calculation on said encoded ring element and parameter, thereby producing a new encoded ring element, and a calculation manager (130) arranged to: receive a first encoded ring element and a second encoded ring element, perform a ring multiplication by applying a sequence of said several operator units to the first encoded ring element using parameters obtained at least from the second ...

15-07-2010 publication date

DECODING PROCEDURE

Number: AT0000472133T
Assignee:

15-10-2011 publication date

INTEGRAL DIVISION AGAINST A PERFORMANCE ANALYSIS ATTACK

Number: AT0000527778T
Assignee:

15-06-2004 publication date

Integer division method against covert channel attacks

Number: AU2003295059A8
Assignee:

07-08-2001 publication date

Modular exponential algorithm in an electronic component using a public key encryption algorithm

Number: AU0003554701A
Assignee:

18-02-2005 publication date

INTEGER DIVISION METHOD SECURED AGAINST COVERT CHANNEL ATTACKS

Number: FR0002847402B1
Author: JOYE MARC, VILLEGAS KARINE
Assignee:

23-12-2010 publication date

CRYPTOGRAPHY ON AN ELLIPTICAL CURVE

Number: WO2010146302A2
Assignee:

A cryptographic calculation is performed in an electronic component, comprising the step of obtaining a point P(X,Y) from a parameter t on an elliptical curve of equation Y^2 = f(X); and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying the equality f(X1(t)).f(X2(t)).f(X3(t)) = U(t)^2 in Fq, with q = 3 mod 4. Firstly a value of the parameter t is obtained. Next, the point P is determined by carrying out the following substeps: (i) X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t) are calculated; (ii) if the term f(X1).f(X2) is a square, then it is tested whether the term f(X3) is a square in Fq and if so the square root of f(X3) is calculated, in order to obtain the point P(X3); (iii) otherwise, it is tested whether the term f(X1) is a square and, if so, the square root of f(X1) is calculated, in order to obtain the point P(X1); (iv) otherwise, the square root of f(X2) is calculated in order to obtain the point P(X2). This point P can then be used in a cryptographic application.

03-05-2007 publication date

A METHOD FOR SCALAR MULTIPLICATION IN ELLIPTIC CURVE GROUPS OVER BINARY POLYNOMIAL FIELDS FOR SIDE-CHANNEL ATTACK-RESISTANT CRYPTOSYSTEMS

Number: WO000002007048430A1
Author: GOLIC, Jovan
Assignee: TELECOM ITALIA S.P.A.

A method for transforming data with a secret parameter in an elliptic curve cryptosystem based on an elliptic curve defined over an underlying binary polynomial field, the method comprising multiplying a point of the elliptic curve, representing the data to be transformed, by a scalar representing the secret parameter, wherein the multiplying includes performing at least one point addition operation and at least one point doubling operation on points of the elliptic curve. The point addition operation comprises a first sequence of elementary field operations, and the point doubling operation comprises a second sequence of elementary field operations, both the first and the second sequences of elementary field operations including a field inversion of coordinates of the elliptic curve points. A representation of the elliptic curve points in affine coordinates is provided and the first and second sequences of elementary field operations are balanced. The field inversion of coordinates is performed by the Extended Euclidean Algorithm and the balancing includes balancing the Extended Euclidean Algorithm by adding at least one dummy operation. In particular, the balancing of the Extended Euclidean Algorithm includes: after comparing respective degrees of two binary polynomials being iteratively processed in the algorithm, performing the same sequence of operations regardless of the result of said comparing. A device (305) is also provided, for transforming data with a secret parameter, comprising an integrated circuit (315) adapted to perform the above mentioned method. Circuit (315) implements a cryptosystem (317) including a scalar multiplication unit (320), which in turn includes four subunits: a point addition unit (325), a point doubling unit (330), a field arithmetic unit (335), and a control unit (340).

02-08-2007 publication date

Tamper-proof elliptic encryption with private key

Number: US2007177721A1
Assignee:

An encryption device (10) for performing elliptic encryption processing with a private key includes: randomizing means (16) for setting, into an initial elliptic point V0, an elliptic point R on an elliptic curve that is generated in accordance with a random value; operation means (20) for performing a first operation of summing the initial elliptic point V0 and a scalar multiple of a particular input elliptic point A on the elliptic curve, V1 = V0 + dA, in accordance with a bit sequence of a particular scalar value d for the elliptic encryption processing; de-randomizing means (22) for performing a second operation of subtracting the initial elliptic point V0 from the sum V1 determined by the first operation, V = V1 - V0; and means (24) for providing, as an output, the elliptic point V determined by the de-randomization unit.

14-05-2014 publication date

Cryptography method including a modular exponentiation operation

Number: EP2731006A1
Assignee:

The invention relates to a method of iterative exponentiation of a large-size datum, the method being implemented in an electronic device (DV1) and comprising squaring and multiplication calculations on large-size variables carried out in parallel by a squaring block (SB1) and a multiplication block (SM1), the method comprising the steps of: as long as a temporary-storage buffer memory is not full of unused squares, triggering a calculation by the squaring block for one bit of the exponent when the squaring block is idle; storing each square supplied by the squaring block in the buffer memory if the corresponding exponent bit is 1; and, as long as the buffer memory contains an unused square, triggering a calculation by the multiplication block on the unused square when the multiplication block is idle.

12-06-2003 publication date

Method and device for multiplying, and method and device for adding, on an elliptic curve

Number: DE0010156708A1
Assignee:

The invention relates to a method for multiplying a number by a point on an elliptic curve y^2 = x^3 + a·x + b within a cryptographic algorithm, where x is a first coordinate of the elliptic curve, y is a second coordinate of the elliptic curve, and the elliptic curve is defined over a field with a characteristic greater than 3. According to the invention, an iterative algorithm is applied in which the positions of the number are processed one after the other. When the position of the number is = 1, a first updated auxiliary point equal to double the original first auxiliary point is applied, and a second updated auxiliary point equal to the sum of the original first and original second auxiliary points is applied (22); and, should the position of the number comprise a 1 (14), the first updated auxiliary point, equal to the sum of the original first and original second auxiliary points, is applied (16) and the updated second auxiliary point, equal to ...

16-11-2011 publication date

Processor with differential power analysis attack protection

Number: GB0002480296A
Assignee:

A device including a processor to perform an operation yielding a result, the processor including a register made up of bit storage elements and having a first and a second section, each element being operative to store a bit value. When the result is being written into the register, a power consumption mask module determines a balancing entry to be written to the second section while the result is written to the first section. The balancing entry is created to ensure that the total number of bits which transition from zero to one or from one to zero (also known as the Hamming distance) during the write operation equals a predetermined masking number. The predetermined masking number may be fixed, or may vary with each operation or periodically based upon a certain pattern, a random pattern or a pseudo-random pattern.

04-02-2005 publication date

Tamper-resistant encryption using individual key

Number: AU2003304629A1
Assignee:

14-02-2000 publication date

Timing attack resistant cryptographic system

Number: AU0004891799A
Assignee: Certicom Corp

A method for determining the result of a group operation performed an integral number of times on a selected element of the group, the method comprising the steps of: representing the integral number as a binary vector; initializing an intermediate element to the group identity element; and selecting successive bits, beginning with the leftmost bit, of the vector. For each of the selected bits: performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element selected from the group consisting of the group element, if the selected bit is a one, and an inverse element of the group element, if the selected bit is a zero; and replacing the intermediate element with the new intermediate element. In a final step, performing the group operation on the intermediate value and the inverse element if the last selected bit is a zero, and replacing the intermediate element therewith, to obtain the result, whereby each of the bits of the integer is processed with substantially equal operations, thereby minimizing timing attacks on the cryptographic system.

14-03-2009 publication date

ACCELERATING SCALAR MULTIPLICATION ON ELLIPTIC CURVE CRYPTOSYSTEMS OVER PRIME FIELDS

Number: CA0002602766A1
Author: MIRI, ALI, LONGA, PATRICK
Assignee: UNIVERSITY OF OTTAWA

A method and apparatus for accelerating scalar multiplication in an elliptic curve cryptosystem (ECC) over prime fields is provided. Multiplication operations within an ECC point operation are identified and modified utilizing an equivalent point representation that inserts multiples of two. Algebraic substitutions of the multiplication operations with squaring operations and other cheaper field operations are performed. Scalar multiplication can also be protected against simple side-channel attacks by balancing the number of multiplication operations and squaring operations and providing novel atomic structures to implement the ECC operation. In addition, a new coordinate system is defined to enable more effective operation of ECC in multiprocessor environments.

15-07-2014 publication date

METHOD AND APPARATUS FOR GENERATING A PUBLIC KEY IN A MANNER THAT COUNTERS POWER ANALYSIS ATTACKS

Number: CA0002680045C

A public key for an Elliptic Curve Cryptosystem is generated in a manner that acts as a countermeasure to power analysis attacks. In particular, a known scalar multiplication method is enhanced by, in one aspect, performing a right shift on the private key. The fixed-sequence window method includes creation and handling of a translated private key. Conveniently, as a result of the right shift, the handling of the translated private key is made easier and more efficient.

09-05-2014 publication date

CRYPTOGRAPHY METHOD COMPRISING A MODULAR EXPONENTIATION OPERATION

Number: FR0002997780A1
Assignee:

The invention relates to a method of iterative exponentiation of a large-size datum, the method being implemented in an electronic device (DV1) and comprising squaring and multiplication calculations on large-size variables carried out in parallel by a squaring block (SB1) and a multiplication block (SM1), the method comprising the steps of: as long as a temporary-storage buffer memory is not full of unused squares, triggering a calculation by the squaring block for one bit of the exponent when the squaring block is idle; storing each square supplied by the squaring block in the buffer memory if the corresponding exponent bit is 1; and, as long as the buffer memory contains an unused square, triggering a calculation by the multiplication block on the unused square when the multiplication block is idle.

23-09-2016 publication date

Systems and methods for operating secure elliptic curve cryptosystems

Number: FR0003033965A1
Assignee: MAXIM INTEGRATED PRODUCTS, INC.

Various embodiments of the invention implement countermeasures designed to resist attacks by potential intruders who seek to recover, partially or totally, elliptic curve secret keys using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, caused by the detectability of scalar values from information leaked during the regular operation flow, which would otherwise compromise system security. In some embodiments, system immunity is preserved by executing elliptic curve scalar operations that use a secret-key-independent operation flow in a secure elliptic curve encryption device.

04-12-2018 publication date

CALCULATING DEVICE AND METHOD

Number: BR112018011790A2
Assignee: Koninklijke Philips NV

The present invention relates to a calculating device (100) arranged to perform calculations on elements of a ring (R), a ring addition and a ring multiplication being defined on the ring, the calculating device comprising an operator module (120) comprising multiple operator units and a calculation manager (130) arranged to perform a ring multiplication by applying a sequence of the multiple operator units and to perform a ring addition by applying a sequence of the multiple operator units, wherein the sequence for the ring multiplication is the same as the sequence for the ring addition.

20-09-2007 publication date

METHOD OF SECURING A CALCULATION OF AN EXPONENTIATION OR A MULTIPLICATION BY A SCALAR IN AN ELECTRONIC DEVICE

Number: WO2007104706A1
Author: JOYE, Marc
Assignee:

The invention relates to a method for calculating a multiplication of an element (P) of an additively denoted group (G) by a scalar (K). According to an embodiment of the invention, one carries out a step of initializing two registers R0 and R1, and a step of iterating over the components ki of the scalar k, in which if ki equals 0, then one calculates 2·R1 + R0 and replaces R1 by this value, and if ki equals 1, one calculates 2·R0 + R1 and replaces R0 by this value. At the end of the algorithm, the value of the register R0 is returned. This method possesses the advantage of carrying out a multiplication by a scalar using only doubling-and-adding operations of the type 2·A + B.

25-03-1999 publication date

A METHOD AND DEVICE FOR EXECUTING A DECRYPTING MECHANISM THROUGH CALCULATING A STANDARDIZED MODULAR EXPONENTIATION FOR THWARTING TIMING ATTACKS

Number: WO1999014880A2
Assignee:

An encrypting exponentiation modulo M is effected by a modular multiplication X*Y mod M, where M is a temporally steady but instance-wise non-uniform modulus. The method involves an iterative series of steps. Each step executes one or two first multiplications to produce a first result, and a trim-down reduction of the size of the first result by one or more second multiplications to produce a second result. The method furthermore takes a distinctive measure for keeping the final result of each step below a predetermined multiplicity of the modulus. In particular, the method postpones substantially any subtraction of the modulus pertaining to the measure to a terminal phase of the modular exponentiation. This is possible through choosing in an appropriate manner one or more parameters figuring in the method. This further maintains overall temporal performance.

29-12-1999 publication date

SECURE MODULAR EXPONENTIATION WITH LEAK MINIMIZATION FOR SMARTCARDS AND OTHER CRYPTOSYSTEMS

Number: WO0009967909A3
Assignee:

The invention relates to methods and apparatus for protecting cryptographic systems against external monitoring attacks by reducing the amount (and the signal-to-noise ratio) of useful information leaked during processing. To do so, critical operations are generally implemented by means of fixed-execution-path or branchless subroutines, the execution path not varying in any way that could reveal new information about the secret key during subsequent operations. More specifically, in various embodiments of the invention: a modular exponentiation without key-dependent conditional jumps is provided; a modular exponentiation with fixed memory access patterns is provided; a modular multiplication without leak-sensitive multiplication-by-one operations; and a leak-minimizing multiplication (as well as other operations) is provided for cryptosystems based on curve ...

09-10-2003 publication date

CRYPTOGRAPHIC METHOD PROTECTED AGAINST COVERT CHANNEL TYPE ATTACKS

Number: WO2003083645A3
Assignee:

The invention relates to a cryptographic method secured against a covert channel attack. According to the invention, in order to carry out a selected block of instructions (?j) as a function of an input variable (D1) amongst N predefined instruction blocks (?1, ..., ?N), a common block (Γ(k,s)) is carried out on the N predefined instruction blocks (?1, ..., ?N) a predefined number (Lj) of times, the predefined number (Lj) being associated with the selected instruction block (?j).

05-04-2007 publication date

Cryptographic system and method for encrypting input data

Number: US20070076864A1
Author: Joon-ho Hwang
Assignee:

A cryptographic system for encrypting input data in accordance with an encryption algorithm having a repeated-round structure may include an encryption unit updating and storing encrypted data in accordance with the encryption algorithm in each given round, and outputting the encrypted data after executing the encryption for a given number of rounds. The system may include a compensation unit generating and storing compensation data so that a sum of a Hamming distance for the updated and stored data and a Hamming distance of the compensation data is maintained at a constant value.

19-12-2012 publication date

Fault-resistant exponentiation algorithm

Number: EP2535805A1
Assignee:

A method for performing an m-ary right-to-left exponentiation using a base x, a secret exponent d and a modulus N, wherein m is a power of 2. A device (100) having a processor (120) and m+1 registers R[0]-R[m] in at least one memory (130): initializes register R[0] to h for a chosen value h, wherein the order of the value h is a divisor of m*(m-1)/2, register R[m] to x^(m-1) and the registers other than R[0] and R[m] to the value h; updates register R[r] to R[r] times x, wherein r is the remainder of a division of d by (m-1) mod N; obtains a working exponent q that is the quotient of the division of d by (m-1); performs l iterations, starting at i=0, of: setting R[q_i] to R[q_i] times R[m] and raising R[m] to the power of m, where l is the length of q in base m, q_i is the i-th digit of the representation of q in base m and q_(l-1) is non-zero; verifies the correctness of the result by checking that R[m] equals the product of registers R[0]-R[m-1] raised to the power of m-1; and outputs the product ...

24-02-2011 publication date

rchgeführten Berechnung

Number: DE602006019518D1

10-06-2003 publication date

ELLIPTIC CURVE CRYPTOSYSTEM APPARATUS, STORAGE MEDIUM STORING ELLIPTIC CURVE CRYPTOSYSTEM PROGRAM, AND ELLIPTIC CURVE CRYPTOSYSTEM ARITHMETIC METHOD

Number: CA0002414057A1
Assignee:

A scalar multiplication can be performed on an elliptic curve cryptosystem at a high speed. P is set as an initial value of Q[0], and 2 x P is set as an initial value of Q[1]. An elliptic curve doubling ECDBL of Q[d[i]] is performed, and the arithmetic result is stored in Q[2]. An elliptic curve addition ECADD of Q[0] and Q[1] is performed, and the arithmetic result is stored in Q[1]. Q[2 - d[i]] is stored in Q[0]. Q[1 + d[i]] is stored in Q[1]. The elliptic curve addition ECADD and the elliptic curve doubling ECDBL are performed concurrently in the respective processors.

17-02-2009 publication date

POWER SIGNATURE ATTACK RESISTANT CRYPTOGRAPHIC SYSTEM

Number: CA0002252078C
Assignee: CERTICOM CORP., CERTICOM CORP

A method of computing a multiple k of a point P on an elliptic curve defined over a field in a processor which generates distinct power signatures for adding and doubling operations, the method comprising the steps of representing the number k as a binary vector of bits k_i; forming an ordered pair of points P1 and P2, wherein the points P1 and P2 differ at most by P; and selecting each of the bits k_i in sequence. Upon k_i being a zero, a new set of points P1', P2' is computed by first doubling the first point P1 to generate the point P1' and produce a first power signature. The points P1 and P2 are added to generate the point P2' and produce a second power signature distinct from the first power signature. Upon k_i being a one, a new set of points P1', P2' is computed by first doubling the second point P2 to generate the point P2' and produce the first power signature. The points P1 and P2 are added to produce the point P1', and produce the second power signature. The doubles and adds are performed in the same order for each of the bits k_i, and produce a consistent power signature waveform.

02-03-2018 publication date

SYSTEMS AND METHODS FOR OPERATING SECURE ELLIPTIC CURVE CRYPTOSYSTEMS

Number: FR0003055444A1
Assignee: MAXIM INTEGRATED PRODUCTS, INC

Various embodiments implement countermeasures designed to resist attacks by potential intruders who seek to extract, partially or totally, elliptic curve secret keys using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, caused by the possibility of detecting scalar values from information leaked during normal operation, which could otherwise compromise the security of the device. In some embodiments, the immunity of the device is preserved by executing elliptic scalar operations that use a flow of operations independent ...

13-04-2018 publication date

PROCESSING METHOD COMPRISING A MULTIPLICATION OF A POINT OF AN ELLIPTIC CURVE BY A SCALAR

Number: FR0003057369A1
Assignee: SAFRAN IDENTITY & SECURITY

The invention relates to a cryptographic processing method comprising a multiplication of a point P of an elliptic curve over a Galois field by a scalar k, the multiplication comprising the steps of: storing in a first register a null point of the Galois field; implementing a loop comprising at least one iteration, the iteration comprising the steps of: selecting a window of w bits in the unsigned binary representation of the scalar k, w being a predetermined integer independent of the scalar k and strictly greater than 1; computing multiple points of P, each multiple point being associated with one bit of the window and being of the form +/-2^i P; adding or not adding stored multiple points to the first register, each multiple point being added to the first register or not depending on the value of the window bit with which the multiple point is associated; the loop ending once every bit of the unsigned binary representation of the scalar k has been selected; and supplying a value stored in the first register. If all the bits of the window selected during an iteration of the loop are zero, the iteration comprises at least one dummy execution of the addition function, and/or if all the bits of the window during an iteration of the loop are non-zero, the multiple points to be added to the first register during that step are determined from a non-adjacent form associated with the window.

Publication date: 29-05-2006

CRYPTOGRAPHIC SYSTEM FOR SECURING AGAINST SIDE CHANNEL ATTACKS USING HAMMING DISTANCE BY USING COMPENSATION DATA AND METHOD THEREOF

Number: KR1020060057831A
Author: HWANG, JOON HO

PURPOSE: A cryptographic system for securing against side channel attacks using a Hamming distance, and a method thereof, are provided to keep the Hamming distance constant by updating/storing compensation data that compensates for the current change associated with the Hamming distance whenever encoded data is updated/stored in a cryptographic system having a repeated round structure. CONSTITUTION: An encoder (210) updates and stores the encoded data for each round using an encoding algorithm, and outputs the encoded data after performing the encoding as many times as the number of rounds. A compensator (230) compensates the updated/stored data by generating the compensation data. The compensation data makes the sum of the Hamming distance of the updated/stored data and that of the compensation data constant. The encoder includes an input part receiving the data to be encoded in response to the number of rounds, a register storing the data output from the input part in response to a clock signal, an ...

Publication date: 14-08-2012

Method for scalar multiplication in elliptic curve groups over binary polynomial fields for side-channel attack-resistant cryptosystems

Number: US0008243920B2
Author: Jovan Golic
Assignee: Telecom Italia S.p.A.

A method for transforming data with a secret parameter in an elliptic curve cryptosystem based on an elliptic curve defined over an underlying binary polynomial field includes multiplying a point of the elliptic curve, representing the data to be transformed, by a scalar representing the secret parameter, wherein the multiplying includes performing at least one point addition operation and at least one point doubling operation on points of the elliptic curve. The point addition operation includes a first sequence of elementary field operations, and the point doubling operation includes a second sequence of elementary field operations, both the first and the second sequences of elementary field operations including a field inversion of coordinates of the elliptic curve points. A representation of the elliptic curve points in affine coordinates is provided and the first and second sequences of elementary field operations are balanced. The field inversion of coordinates is performed by ...

Publication date: 24-12-2008

DECRYPTION METHOD

Number: EP2005291A2
Author: TOBERGTE, Wolfgang

Publication date: 09-05-2001

TIMING ATTACK RESISTANT CRYPTOGRAPHIC SYSTEM

Number: EP0001097541A1
Assignee: Certicom Corp

A method for determining a result of a group operation performed an integral number of times on a selected element of the group comprises the steps of: representing the integral number as a binary vector; initializing an intermediate element to the group identity element; and selecting successive bits of the vector, beginning with the leftmost bit. For each of the selected bits: performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element selected from the group consisting of the group element, if the selected bit is a one, and an inverse of the group element, if the selected bit is a zero; and replacing the intermediate element with the new intermediate element. In a final step, performing the group operation on the intermediate value and the inverse element if the last selected bit is a zero, and replacing the intermediate element therewith, to obtain the result, whereby each of the bits of the integral number is processed with substantially equal operations, thereby minimizing timing attacks on the cryptographic system.

Publication date: 30-11-2011

Number: JP0004825199B2

Publication date: 15-03-2007

Method for securely encrypting or decrypting a message

Number: DE102005042339A1

In a method for securely encrypting or decrypting a message, or for generating or verifying a digital signature of a message, in which a mathematical operation with a key (k) that can be represented as a binary number with a sequence of bits (b_i) is applied to the message with processor support, computing operations on auxiliary variables (z_0, z_1, R, S) are executed sequentially for each bit. The dependence of the computation result on the values of the individual bits (b_i) is accounted for by reading out the memory addresses of the auxiliary variables and assigning them to address variables (r, s). The difference (d) of the addresses is computed and, depending on the current bit (b_i), added to or subtracted from the respective addresses. The assignment of the auxiliary variables (z_0, z_1, R, S) to the address variables (r, s) can thus be swapped. In this way the order and selection of computing operations is controlled in a bit-dependent manner without jump instructions in the ...

Publication date: 27-04-2006

APPARATUS AND METHOD FOR CALCULATING A RESULT OF A DIVISION

Number: DE0050302536D1
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 11-11-2003

CIRCUIT AND METHOD FOR CARRYING OUT A CALCULATION

Number: AU2003224151A1
Author: BOCK HOLGER, HOLGER BOCK

Publication date: 28-04-2000

POWER SIGNATURE ATTACK RESISTANT CRYPTOGRAPHIC SYSTEM

Number: CA0002252078A1
Assignee: Certicom Corp

A method of computing a multiple k of a point P on an elliptic curve defined over a field, in a processor which generates distinct power signatures for adding and doubling operations, the method comprising the steps of: representing the number k as a binary vector of bits k_i; forming an ordered pair of points P1 and P2, wherein the points P1 and P2 differ at most by P; and selecting each of the bits k_i in sequence. Upon k_i being a zero, a new set of points P1', P2' is computed by first doubling the first point P1 to generate the point P1' and produce a first power signature. The points P1 and P2 are added to generate the point P2' and produce a second power signature distinct from the first power signature. Upon k_i being a one, a new set of points P1', P2' is computed by first doubling the second point P2 to generate the point P2' and produce the first power signature. The points P1 and P2 are added to produce the point P1' and produce the second power signature. The doubles or adds are performed in the same order for each of the bits k_i, and produce a consistent power signature waveform.

Publication date: 21-01-2000

TIMING ATTACK RESISTANT CRYPTOGRAPHIC SYSTEM

Number: CA0002243761A1
Assignee: Certicom Corp

A method for determining a result of a group operation performed an integral number of times on a selected element of the group comprises the steps of: representing the integral number as a binary vector; initializing an intermediate element to the group identity element; and selecting successive bits of the vector, beginning with the leftmost bit. For each of the selected bits: performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element selected from the group consisting of the group element, if the selected bit is a one, and an inverse of the group element, if the selected bit is a zero; and replacing the intermediate element with the new intermediate element. In a final step, performing the group operation on the intermediate value and the inverse element if the last selected bit is a zero, and replacing the intermediate element therewith, to obtain the result, whereby each of the bits of the integral number is processed with substantially equal operations, thereby minimizing timing attacks on the cryptographic system.

Publication date: 23-12-2010

CRYPTOGRAPHY ON AN ELLIPTICAL CURVE

Number: CA0002765638A1
Assignee: Morpho SA

A cryptographic calculation is performed in an electronic component, comprising the step of obtaining a point P(X,Y) from a parameter t on an elliptical curve of equation Y² = f(X), and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying the equality f(X1(t))·f(X2(t))·f(X3(t)) = U(t)² in Fq, with q = 3 mod 4. Firstly, a value of the parameter t is obtained. Next, the point P is determined by carrying out the following substeps: (i) X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t) are calculated; (ii) if the term f(X1)·f(X2) is a square, then it is tested whether the term f(X3) is a square in Fq and, if so, the square root of f(X3) is calculated in order to obtain the point P(X3); (iii) otherwise, it is tested whether the term f(X1) is a square and, if so, the square root of f(X1) is calculated in order to obtain the point P(X1); (iv) otherwise, the square root of f(X2) is calculated in order to obtain the point P(X2). This point P can then be used in a cryptographic application.

Publication date: 20-08-2020

Calculating device and method

Number: US20200264872A1
Assignee: Koninklijke Philips NV

A calculating device (100) is arranged to perform calculations on elements of a ring (R), a ring addition and a ring multiplication being defined on the ring. The calculating device comprises an operator module (120) comprising multiple operator units, and a calculation manager (130) arranged to perform a ring multiplication by applying a sequence of the multiple operator units, and to perform a ring addition by applying a sequence of the multiple operator units, wherein the sequence for the ring multiplication is the same as the sequence for the ring addition.

Publication date: 20-08-2020

SYSTEMS AND METHODS FOR OPERATING SECURE ELLIPTIC CURVE CRYPTOSYSTEMS

Number: US20200266986A1
Assignee: MAXIM INTEGRATED PRODUCTS, INC.

Various embodiments of the invention implement countermeasures designed to withstand attacks by potential intruders who seek partial or full retrieval of elliptic curve secrets by using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks, and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, caused by the detectability of scalar values from information leaked during regular operation flow that would otherwise compromise system security. In certain embodiments, system immunity is maintained by performing elliptic scalar operations that use secret-independent operation flow in a secure Elliptic Curve Cryptosystem. 1. A secure Elliptic Curve Cryptosystem (ECC) for performing elliptic scalar operations, the ECC comprising: a secure microcontroller that is embedded in a computing system, the secure microcontroller comprising a cryptography circuit configured to implement a countermeasure and prevent secret scalar leakage; and receiving an elliptic point, P/2, and the secret scalar, k; initializing a value Q to the elliptic point that does not include an initial value at an infinity point; processing the secret key bits of the secret scalar in sequential steps, wherein processing comprises doubling the value Q, wherein each step comprises performing elliptic operations comprising at least one of elliptical point subtraction or addition; performing an elliptical point subtraction by subtracting the elliptic point, P/2, from the value Q to compute a product kP; and determining a difference between the value Q and the elliptic point outside of a balanced loop configuration to protect a least ...

Publication date: 10-11-2008

SPA-resistant Left-to-Right Recoding and Unified Scalar Multiplication Methods

Number: KR100867989B1
Assignee: 한국전자통신연구원 (Electronics and Telecommunications Research Institute)

The present invention relates to a left-to-right recoding technique secure against simple power analysis and a scalar multiplication method unified with it. In a scalar multiplication method used in elliptic curve cryptosystems and pairing-based cryptosystems, the method consists of a step of recoding an n-digit secret key (k) expressed in radix r, by comparing two consecutive elements (overlap permitted) starting from the most significant digit, so that an L-digit secret key (k') is generated, and a step of computing the scalar multiplication result (Q) by scalar-multiplying an arbitrary point P on the elliptic curve by the secret key (k) using the recoded secret key (k'). By recoding the radix-r representation of the secret key through an encoding that makes the scalar multiplication algorithm secure against side-channel attacks, in particular simple power analysis, the recoding step and the scalar multiplication step can be carried out at the same time, which provides a technical solution that is secure against side-channel attacks while reducing memory use as far as possible in memory-constrained ubiquitous computing environments. Keywords: elliptic curve, pairing, cryptosystem, side-channel attack, left-to-right recoding.

Publication date: 11-09-2014

Arithmetic apparatus, elliptic scalar multiplication method of arithmetic apparatus, computer readable recording medium having elliptic scalar multiplication program recorded therein, residue operation method of arithmetic apparatus and computer readable recording medium having residue operation program recorded therein

Number: KR101439804B1

The elliptic scalar multiplication kG is processed in a constant computation time regardless of the value of the random number k, so that timing analysis of the elliptic scalar multiplication kG can be prevented. The initial setting unit (121) sets the scalar multiplication variable R to a specific point G on the elliptic curve. The scalar multiplication unit (122) refers to the t-bit bit string representing the random number k one bit at a time, starting from the most significant bit; each time a bit is referenced, it sets the working variable R[0] to the value obtained by doubling the scalar multiplication variable R, and sets the working variable R[1] to the value obtained by adding the specific point G to the value set in the working variable R[0]. Then, if the value of the referenced bit is 0, the scalar multiplication unit (122) sets the working variable R[0] into the scalar multiplication variable R, and if the value of the referenced bit is 1, it sets the working variable R[1] into the scalar multiplication variable R. The scalar multiplication point output unit (123) subtracts the integer value 2^t G from the scalar multiplication variable R and outputs the value obtained by the subtraction as the scalar multiplication point kG.

Publication date: 27-10-2020

Modular multiplication apparatus and method

Number: CN107040362B
Author: C·穆尔迪卡, S·吉耶
Assignee: Secure IC SAS

The invention provides a modular multiplication device for performing a multiplication of a first multiplicand and a second multiplicand modulo a given modulus, each of the multiplicands comprising a given number of digits, each digit having a given word length. The modular multiplication device comprises: a multiplier for multiplying at least one digit of the first multiplicand by the second multiplicand to produce a multiplier output; and a modular reduction unit configured to reduce the quantity obtained from the multiplier output by a product of an extended modulus and an integer coefficient, the extended modulus being the product of the given modulus and an extension parameter, the modular reduction unit providing a reduction output that is a positive integer strictly less than the extended modulus; wherein the modular multiplication device further comprises a selection unit configured to select the extension parameter such that the time taken by the device to perform the multiplication is independent of the multiplicands.

Publication date: 11-08-2017

Modular multiplication apparatus and method

Number: CN107040362A
Author: C·穆尔迪卡, S·吉耶
Assignee: Intelligent Ic Card Co

The invention provides a modular multiplication device for performing a multiplication of a first multiplicand and a second multiplicand modulo a given modulus, each of the multiplicands comprising a given number of digits, each digit having a given word length. The modular multiplication device comprises: a multiplier for multiplying at least one digit of the first multiplicand by the second multiplicand to produce a multiplier output; and a modular reduction unit configured to reduce the quantity obtained from the multiplier output by a product of an extended modulus and an integer coefficient, the extended modulus being the product of the given modulus and an extension parameter, the modular reduction unit providing a reduction output that is a positive integer strictly less than the extended modulus; wherein the modular multiplication device further comprises a selection unit configured to select the extension parameter such that the time taken by the device to perform the multiplication is independent of the multiplicands.

Publication date: 10-10-2003

CRYPTOGRAPHIC METHOD PROTECTED FROM CACHE-CHANNEL TYPE ATTACKS

Number: FR2838210A1
Assignee: Gemplus Card International SA, Gemplus SA

The invention concerns a cryptographic method secured against a hidden-channel (side-channel) attack. According to the invention, in order to execute an instruction block (Π_j) chosen, according to an input variable (D_i), from among N predefined instruction blocks (Π1, ..., ΠN), an elementary block (Γ(k, s)) common to the N predefined instruction blocks (Π1, ..., ΠN) is executed a predefined number (L_j) of times, the predefined number (L_j) being associated with the chosen instruction block (Π_j).

Publication date: 27-08-2010

Data processing method for securing Rivest Shamir Adleman cryptographic algorithms on chip card, involves testing relation between values by comparing values with neutral element of finite group based on internal rule of finite group

Number: FR2942560A1
Author: Matthieu Rivain
Assignee: Oberthur Technologies SA

The method involves realizing a double exponentiation of an element (m) of a finite group by exponents (d, b) to provide corresponding values (R0, R1), where one of the exponents is equal to the difference between the other exponent and the order, or a multiple of the order, of the finite group (vG). A relation between the values provided by the corresponding exponents is tested by comparing the values with the neutral element (1G) of the finite group according to the internal law of the finite group. An independent claim is also included for a data processing device comprising a double exponentiation calculation unit.

Publication date: 22-07-2016

APPARATUS FOR CALCULATING A RESULT OF SCALAR MULTIPLICATION

Number: FR2941798B1
Author: Wieland Fischer
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 31-08-2012

CRYPTOGRAPHY METHOD COMPRISING AN EXPONENTIATION OPERATION

Number: FR2972064A1
Assignee: Inside Secure SA

The invention concerns a method and a device (DV1) protected against hidden-channel (side-channel) attacks, for computing the result of the exponentiation of a data item m by an exponent d. The method and the device are configured to execute only multiplications of identical large-size variables, by decomposing any multiplication of two different large-size variables x, y into a combination of multiplications of identical large-size variables.

Publication date: 12-09-2008

Integer division in a manner that counters a power analysis attack

Number: CA2680047A1

In the course of performing an Elliptic Curve Scalar Multiplication operation by Additive Splitting Using Division, a main loop of an integer division operation may be performed. The integer division has a dividend and a divisor. By storing both the divisor and the negative value of the divisor, susceptibility to a Simple Power Analysis side-channel attack is minimized. A carry bit from the previous iteration of the main loop determines which of the divisor or the negative of the divisor to use. The order of an addition operation and a shift-left operation in the main loop is interchanged compared to a known integer division method, and there are no negation operations in the main loop.

Publication date: 06-08-2010

APPARATUS FOR CALCULATING A RESULT OF SCALAR MULTIPLICATION

Number: FR2941798A1
Author: Wieland Fischer
Assignee: INFINEON TECHNOLOGIES AG

An apparatus for calculating a result of a scalar multiplication of a reference number by a reference point on an elliptic curve comprises a point selector and a processor. The point selector is configured to select, randomly or pseudo-randomly, an auxiliary point on the elliptic curve. The processor is configured to calculate the result of the scalar multiplication with a double-and-always-add process using the auxiliary point.

Publication date: 30-06-2006

SECURE AND COMPACT EXPONENTIATION METHOD FOR CRYPTOGRAPHY

Number: FR2880148A1
Author: Marc Joye
Assignee: Gemplus SCA

The present invention concerns a secure and compact exponentiation method, with application in particular in the field of cryptology, where cryptographic algorithms are implemented in electronic devices such as smart cards.

Publication date: 17-04-2001

Method and apparatus for implementing a decoding mechanism by calculating a standardized modular exponentiation to thwart timing attacks

Number: JP2001505325A
Assignee: Philips Electronics NV

(57) [Abstract] The exponentiation modulo M used for encryption is carried out by modular multiplications X * Y mod M, where M is a modulus that is stable over time but non-uniform at any given instant. The method consists of iteratively successive steps. Each step performs one or two first multiplications to produce a first result, and reduces the size of the first result by one or more second multiplications to produce a second result. The method further employs characteristic means to keep the final result of each step within a predetermined multiple of the modulus. In particular, the method substantially shifts any subtraction of the modulus that could accompany a measurement to the final stage of the modular exponentiation. This is made possible by choosing one or more parameters related to the method in an appropriate manner, which further preserves the overall timing performance.

Publication date: 25-10-2001

Timing attack resistant cryptographic system

Number: US20010033655A1
Assignee: Certicom Corp

A method for determining a result of a group operation performed an integral number of times on a selected element of the group comprises the steps of: representing the integral number as a binary vector; initializing an intermediate element to the group identity element; and selecting successive bits of the vector, beginning with the leftmost bit. For each of the selected bits: performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element selected from the group consisting of the group element, if the selected bit is a one, and an inverse of the group element, if the selected bit is a zero; and replacing the intermediate element with the new intermediate element. In a final step, performing the group operation on the intermediate value and the inverse element if the last selected bit is a zero, and replacing the intermediate element therewith, to obtain the result, whereby each of the bits of the integral number is processed with substantially equal operations, thereby minimizing timing attacks on the cryptographic system.

Publication date: 18-03-2009

Cryptographic method protected against side channel attacks

Number: EP1493078B1
Assignee: GEMALTO SA

Publication date: 26-01-2016

Accelerating scalar multiplication on elliptic curve cryptosystems over prime fields

Number: CA2602766C
Author: Ali Miri, Patrick Longa
Assignee: UNIVERSITY OF OTTAWA

A method and apparatus for accelerating scalar multiplication in an elliptic curve cryptosystem (ECC) over prime fields is provided. Multiplication operations within an ECC point operation are identified and modified using an equivalent point representation that inserts multiples of two. Algebraic substitutions of the multiplication operations with squaring operations and other cheaper field operations are performed. Scalar multiplication can also be protected against simple side-channel attacks by balancing the number of multiplication operations and squaring operations and by providing novel atomic structures to implement the ECC operation. In addition, a new coordinate system is defined to enable more effective operation of ECC in multiprocessor environments.

Publication date: 05-01-2011

Method and apparatus for performing efficient side-channel-attack-resistant reduction

Number: CN101938355A
Assignee: Intel Corp

The invention is titled "Method and apparatus for performing efficient side-channel-attack-resistant reduction". A time-invariant method and apparatus are provided for performing modular reduction that is protected against cache-based and branch-based attacks. The modular reduction technique adds no performance penalty and is side-channel resistant. Side-channel resistance is provided by lazy evaluation of the carry bit, by eliminating data-dependent branches, and by using uniform cache accesses for all memory references.

Publication date: 01-03-2006

System and method for calculating a result from a division

Number: EP1474741B1
Author: Wieland Fischer
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 18-07-2007

Encryption processing apparatus, encryption processing method, and computer program

Number: EP1808762A1
Assignee: Sony Corp

An encryption processing apparatus (100) for performing a scalar multiplication kP + lQ based on two points P and Q on an elliptic curve and scalar values k and l, or a scalar multiplication kD_1 + lD_2 based on divisors D_1 and D_2 and scalar values k and l, includes a scalar value controller (101) configured to generate the joint regular form of (k, l), k = <k_n, ..., k_0> and l = <l_n, ..., l_0>, which are set so that all the bits of the scalar values k and l are represented by 0, +1 or -1, and the combination (k_i, l_i) of bits at corresponding positions of the scalar values k and l is set to satisfy (k_i, l_i) = (0, ±1) or (±1, 0); and a computation execution section (102) configured to perform a process for computing the scalar multiplication kP + lQ or kD_1 + lD_2.

Publication date: 12-09-2008

Power analysis countermeasure for the ECMQV key agreement algorithm

Number: CA2680056A1

Execution of the ECMQV key agreement algorithm requires determination of an implicit signature, which determination involves arithmetic operations. Some of the arithmetic operations employ a long-term cryptographic key. It is the execution of these arithmetic operations that can make the execution of the ECMQV key agreement algorithm vulnerable to a power analysis attack. In particular, an attacker using a power analysis attack may determine the long-term cryptographic key. By modifying the sequence of operations involved in the determination of the implicit signature, and the inputs to those operations, power analysis attacks may no longer be applied to determine the long-term cryptographic key.

Publication date: 27-07-2001

Modular exponentiation algorithm for protecting against decoding of a public key, by producing a variable i from 0 to k-1 which runs over the binary representation from the lower-weight bit Y(0) toward the higher-weight bit Y(k-1)

Number: FR2804225A1
Author: Olivier Benoit
Assignee: Gemplus Card International SA, Gemplus SA

For every bit Y(i) of the binary representation of Y, a variable i is produced from 0 to k-1, running over the binary representation from the lower-weight bit Y(0) toward the higher-weight bit Y(k-1). The operation Z = Z² is calculated, and if I = 0 the operation R2 = R1 * Z is performed, or if I = 1, R1 = R2 * Z is calculated. Then, if Y(i) = 0, I remains unchanged, and if Y(i) = 1, I is complemented. An independent claim is included for: (a) an electronic terminal.

Publication date: 18-05-2004

Power signature attack resistant cryptography

Number: US6738478B1
Assignee: Certicom Corp

This invention provides a method of computing a multiple k of a point P on an elliptic curve defined over a field, the method including the steps of representing the number k as a binary vector of bits k_i, forming an ordered pair of points P1 and P2, wherein the points P1 and P2 differ at most by P, and selecting each of the bits k_i in sequence, and for each of the k_i: upon k_i being a 0, computing a new set of points P1', P2' by doubling the first point P1 to generate the point P1' and adding the points P1 and P2 to generate the point P2'; or upon k_i being a 1, computing a new set of points P1', P2' by doubling the second point P2 to generate the point P2' and adding the points P1 and P2 to produce the point P1'; whereby the doubles or adds are always performed in the same order for each of the bits k_i, thereby minimizing a timing attack on the method. An embodiment of the invention applies to both multiplicative and additive groups.

Publication date: 26-06-2015

METHOD FOR PROCESSING DATA INVOLVING EXPONENTIATION AND ASSOCIATED DEVICE

Number: FR2942560B1
Author: Matthieu Rivain
Assignee: Oberthur Technologies SA

Publication date: 18-11-2009

Power analysis countermeasure for the ECMQV key agreement algorithm

Number: EP2119104A1
Assignee: Research in Motion Ltd

Execution of the ECMQV key agreement algorithm requires determination of an implicit signature, which determination involves arithmetic operations. Some of the arithmetic operations employ a long-term cryptographic key. It is the execution of these arithmetic operations that can make the execution of the ECMQV key agreement algorithm vulnerable to a power analysis attack. In particular, an attacker using a power analysis attack may determine the long-term cryptographic key. By modifying the sequence of operations involved in the determination of the implicit signature, and the inputs to those operations, power analysis attacks may no longer be applied to determine the long-term cryptographic key.

Publication date: 15-06-2010

Method of obscuring cryptographic computations

Number: US7739521B2
Author: Ernie F. Brickell
Assignee: Intel Corp

Obscuring cryptographic computations may be accomplished by performing the modular exponentiation of an exponent in a cryptographic computation such that memory accesses are independent of the exponent bit pattern, thereby deterring timing attacks.

Publication date: 04-09-2013

Arithmetical device, arithmetical device elliptical scalar multiplication method and elliptical scalar multiplication program, arithmetical device multiplicative operation method and multiplicative operation program, as well as arithmetical device zero determination method and zero determination program

Number: CN103282950A
Author: 内藤祐介, 酒井康行
Assignee: Mitsubishi Electric Corp

The elliptic scalar multiplication kG can be processed in a constant computation time regardless of the value of the random number k, preventing timing analysis of the elliptic scalar multiplication kG. The initial setting unit 121 sets a specific point G on the elliptic curve into the scalar multiplication variable R. The scalar multiplication unit 122 refers to the t-bit bit string representing the random number k one bit at a time, starting from the most significant bit; each time a bit is referenced, it sets the working variable R[0] to the value obtained by doubling the scalar multiplication variable R, and sets the working variable R[1] to the value obtained by adding the specific point G to the value set in the working variable R[0]. Then, in the scalar multiplication unit 122, if the value of the referenced bit is 0, the working variable R[0] is set into the scalar multiplication variable R, and if the value of the referenced bit is 1, the working variable R[1] is set into the scalar multiplication variable R. The scalar multiple point output unit 123 subtracts the constant value 2^t G from the scalar multiplication variable R and outputs the value obtained by the subtraction as the scalar multiple point kG.

Publication date: 17-01-2001

Acceleration and security enhancements for elliptic curve and RSA coprocessors

Number: EP1068565A2
Assignee: Fortress U&T Ltd

This invention discloses apparatus and methods for accelerating the processing, loading (10) and unloading (30) of data from and to a plurality of memory addresses in a CPU (1300) having an accumulator, and a memory-mapped coprocessing device for continuous integer computations.

Publication date: 07-07-2015

Method and apparatus for performing elliptic curve scalar multiplication in a manner that counters power analysis attacks

Number: CA2680054C
Assignee: BlackBerry Ltd

When multiplicative splitting is used to hide a scalar in an Elliptic Curve Scalar Multiplication (ECSM) operation, the associated modular division employs the known Almost Montgomery Inversion algorithm. By including dummy operations in some of the branches of the main iteration loop of the Almost Montgomery Inversion algorithm, all branches of the algorithm may be viewed, from the perspective of a power-analysis attack, as equivalent and, accordingly, devoid of information useful in determining the value of the scalar, which may be a cryptographic private key.

Publication date: 01-07-2011

CRYPTOGRAPHY ON A SIMPLIFIED ELLIPTICAL CURVE.

Number: FR2946818B1
Author: Thomas Icart
Assignee: Sagem Securite SA

A cryptographic calculation includes obtaining a point P(X, Y) on an elliptic curve Y² = f(X) from a parameter t, using polynomials X1(t), X2(t) and U(t) that satisfy −f(X1(t))·f(X2(t)) = U(t)² in the finite field Fq for every value of the parameter t, with q ≡ 3 mod 4. A value of the parameter t is obtained and the point P is determined by: (i) calculating X1 = X1(t), X2 = X2(t) and U = U(t); (ii) testing whether f(X1) is a square in the finite field Fq and, if so, calculating its square root, the point P having X1 as abscissa and Y1, the square root of f(X1), as ordinate; (iii) otherwise, calculating the square root of f(X2), the point P having X2 as abscissa and Y2, the square root of f(X2), as ordinate. Because −1 is not a square when q ≡ 3 mod 4, exactly one of f(X1) and f(X2) is a square (unless one of them is zero), so the construction never fails and runs in a fixed number of operations. The point P is useful in encryption, scrambling, signature, authentication or identification applications.
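One concrete instance of the construction above, as an added example that is not code from the patent: the polynomials X1, X2, U used here are those of the map commonly called "simplified SWU", which is an assumption of this example (the abstract only fixes the identity they must satisfy). The prime, curve coefficients and parameter values are constructed for the example.

```python
# Added example (not code from the patent): one concrete instance of the
# deterministic point construction described in the abstract. The polynomials
# X1, X2, U below are those of the "simplified SWU" map and are an assumption
# of this example; the abstract itself only fixes the identity they satisfy.

Q = 23               # constructed toy prime with Q = 3 (mod 4), so -1 is a non-square
A, B = 1, 1          # constructed toy curve y^2 = f(x) = x^3 + A*x + B over F_Q


def f(x):
    """Right-hand side of the curve equation."""
    return (x * x * x + A * x + B) % Q


def inv(x):
    """Modular inverse; Q is prime."""
    return pow(x, Q - 2, Q)


def is_square(v):
    """Euler's criterion (0 is treated as a square, its root being 0)."""
    return v % Q == 0 or pow(v, (Q - 1) // 2, Q) == 1


def sqrt_mod(v):
    """For Q = 3 (mod 4) a root of a square v is v^((Q+1)/4): no loop, no trial."""
    return pow(v, (Q + 1) // 4, Q)


def x1_x2_u(t):
    """X1(t), X2(t), U(t) with -f(X1)*f(X2) == U^2 whenever t^4 != t^2.
    With u = -t^2 (a non-square in F_Q) one has X2 = u*X1 and f(X2) = u^3*f(X1),
    hence -f(X1)*f(X2) = (t^3 * f(X1))^2."""
    t2 = t * t % Q
    denom = (t2 * t2 - t2) % Q              # t^4 - t^2, non-zero for t not in {0, 1, -1}
    x1 = (-B * inv(A) * (1 + inv(denom))) % Q
    x2 = (-t2 * x1) % Q
    u = t * t2 * f(x1) % Q
    return x1, x2, u


def map_to_point(t):
    """Steps (i)-(iii) of the abstract. Since -1 is a non-square and
    -f(X1)*f(X2) is a square, exactly one of f(X1), f(X2) is a square (unless
    one of them is 0), so the choice always succeeds in a fixed number of steps."""
    x1, x2, u = x1_x2_u(t)
    assert (-f(x1) * f(x2)) % Q == u * u % Q    # the identity the method relies on
    if is_square(f(x1)):
        return x1, sqrt_mod(f(x1))
    return x2, sqrt_mod(f(x2))


def on_curve(point):
    x, y = point
    return y * y % Q == f(x)


def admissible_params():
    """All t for which t^4 - t^2 != 0, i.e. every t except 0, 1 and Q-1."""
    return [t for t in range(Q) if (t ** 4 - t * t) % Q != 0]
```

The branch in `map_to_point` is a data-dependent branch on t, not on a secret; in a constant-time implementation it would still be replaced by computing both candidates and selecting with a mask, and the Legendre-symbol test would be done with a fixed exponentiation as above rather than a variable-time algorithm.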

Publication date: 30-12-2004

Method and device for calculating a result of an exponentiation

Number: US20040267859A1
Assignee: INFINEON TECHNOLOGIES AG

For calculating the result of an exponentiation B^d, B being a base and d an exponent representable as a binary number with a plurality of bits, a first auxiliary quantity X is first initialised to 1 and a second auxiliary quantity Y to the base B. The bits of the exponent are then processed sequentially, both quantities being updated from their current values: if a bit equals 0, X is updated to X² (or a value derived from X²) and Y to X·Y (or a value derived from X·Y); if a bit equals 1, X is updated to X·Y (or a value derived from X·Y) and Y to Y² (or a value derived from Y²). After all bits have been processed, the value of X is the result of the exponentiation. Because every bit costs one squaring and one multiplication, the time and current profiles are homogenised and a higher degree of security is obtained; in addition, the two updates are independent and can be performed in parallel, which increases performance.
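The two-register rule above written out as a Montgomery ladder, as an added example that is not code from the patent. The register selection is done with a branch-free conditional swap, which is this example's choice (the abstract leaves the selection mechanism open), and a textbook square-and-multiply is placed beside it so the operation sequences can be compared. Python big-integer arithmetic is not constant-time; what the block shows is the uniformity of the operation sequence.

```python
# Added example (not code from the patent): the two-register exponentiation of
# the abstract above, written as a Montgomery ladder whose register selection is
# a branch-free conditional swap (this example's choice). Both routines return
# the sequence of operations they executed so the two profiles can be compared.

def leaky_pow(base, exp, mod):
    """Left-to-right square-and-multiply: the multiply happens only for 1-bits,
    so the trace (and a timing or power profile) exposes the exponent."""
    acc, trace = 1, []
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        trace.append("S")
        if bit == "1":
            acc = acc * base % mod
            trace.append("M")
    return acc, trace


def cswap(swap, a, b):
    """Branch-free conditional swap: (b, a) if swap == 1, (a, b) if swap == 0."""
    mask = -swap                 # 0 or all-ones (Python ints are arbitrary precision)
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def ladder_pow(base, exp, mod):
    """X starts at 1, Y at the base. Per bit: if 0, Y <- X*Y and X <- X^2;
    if 1, X <- X*Y and Y <- Y^2 (the abstract's rule). Every bit costs exactly
    one M and one S; only the destination register depends on the bit.
    Invariant after every step: Y == X * base (mod mod)."""
    x, y, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        b = int(bit)
        x, y = cswap(b, x, y)    # for a 1-bit the roles of X and Y are exchanged ...
        y = x * y % mod
        trace.append("M")
        x = x * x % mod
        trace.append("S")
        x, y = cswap(b, x, y)    # ... and exchanged back: no branch depends on b
        assert y == x * base % mod   # ladder invariant, doubles as a cheap fault check
    return x, trace
```

The invariant `Y == X·B` is what makes the two updates independent (the abstract's parallelism remark) and is also the standard consistency check used to detect a fault injected into either register.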

Publication date: 05-08-2009

A device and a computer program product for calculating additions of points on elliptic curves in Edwards form

Number: EP2085877A1
Author: Marc Joye
Assignee: Thomson Licensing SAS

A device (100) for calculations on elliptic curves. The elliptic curve in generalized Edwards form is projected so that a point P = (x1, y1) on the curve is represented by the tuple (x1·Z1 : y1·Z1 : Z1) for any Z1 ≠ 0. The addition of two projective points (X1 : Y1 : Z1) and (X2 : Y2 : Z2) is given by X3 = Z1Z2(X1Y2 + X2Y1)·M, Y3 = Z1Z2(Y1Y2 − e·X1X2)·N and Z3 = M·N, where M = f·Z1²Z2² − d·X1X2Y1Y2 and N = f·Z1²Z2² + d·X1X2Y1Y2. By rewriting X1Y2 + X2Y1 as (X1 + Y1)(X2 + Y2) − X1X2 − Y1Y2 (the products X1X2 and Y1Y2 are needed anyway), the addition costs 10M + 1S + 1d + 1e + 1f, where M denotes a field multiplication, S a field squaring, and d, e, f a multiplication by the constants d, e, f respectively. Also provided are a special doubling formula, a method, and a computer program (140).
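The projective addition above, as an added example that is not code from the patent. It is instantiated with e = a and f = 1, i.e. the twisted Edwards curve a·x² + y² = 1 + d·x²·y², and checked against the affine formula on every pair of points of a constructed toy curve over F_13; the field, the constants a and d, and the projective scale factors are constructed for the example.

```python
# Added example (not code from the patent): the abstract's projective addition
# with e = a, f = 1 (twisted Edwards curve a*x^2 + y^2 = 1 + d*x^2*y^2), checked
# against the affine formula on a constructed toy curve over F_13.

P = 13
A_COEF, D_COEF = 1, 2     # a is a square and d a non-square mod 13, so the law
                          # is complete: M and N are never 0 and there is no
                          # separate doubling case to branch on


def inv(v):
    return pow(v, P - 2, P)


def curve_points():
    """Brute-force enumeration of the affine points (toy field only)."""
    return [(x, y) for x in range(P) for y in range(P)
            if (A_COEF * x * x + y * y) % P == (1 + D_COEF * x * x * y * y) % P]


def affine_add(p1, p2):
    """Reference affine twisted Edwards addition (two field inversions)."""
    x1, y1 = p1
    x2, y2 = p2
    k = D_COEF * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv((1 + k) % P) % P,
            (y1 * y2 - A_COEF * x1 * x2) * inv((1 - k) % P) % P)


def to_projective(p, z):
    """(x, y) -> (x*Z : y*Z : Z) for any non-zero Z."""
    return (p[0] * z % P, p[1] * z % P, z % P)


def to_affine(pp):
    x, y, z = pp
    return x * inv(z) % P, y * inv(z) % P


def projective_add(p1, p2, e=A_COEF, f=1, d=D_COEF):
    """The abstract's formulas, inversion-free: 10 M + 1 S + one multiplication
    by each of d, e, f, with the same operation sequence for every input."""
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    zz = Z1 * Z2 % P                              # M
    zz2 = zz * zz % P                             # S   (Z1^2 Z2^2)
    c = X1 * X2 % P                               # M
    dd = Y1 * Y2 % P                              # M
    w = d * (c * dd % P) % P                      # M + d   (d X1 X2 Y1 Y2)
    m = (f * zz2 - w) % P                         # f
    n = (f * zz2 + w) % P
    cross = ((X1 + Y1) * (X2 + Y2) - c - dd) % P  # M   (X1 Y2 + X2 Y1)
    X3 = zz * m % P * cross % P                   # 2 M
    Y3 = zz * n % P * ((dd - e * c) % P) % P      # 2 M + e
    Z3 = m * n % P                                # M
    return X3, Y3, Z3


def check_all_pairs():
    """Every pair of points: the projective result (with Z1 = 5, Z2 = 7) equals
    the affine sum and lies on the curve."""
    pts = curve_points()
    for p1 in pts:
        for p2 in pts:
            r = to_affine(projective_add(to_projective(p1, 5), to_projective(p2, 7)))
            if r != affine_add(p1, p2) or r not in pts:
                return False
    return True
```

Because the same formula also covers P1 = P2, a scalar multiplication built on it does not need a distinguishable doubling path, which is the side-channel motivation for unified formulas of this kind.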

Publication date: 30-04-2009

GOOD PROCEDURE

Number: DE60326707D1
Assignee: GEMALTO SA

Publication date: 02-11-2000

Acceleration and security enhancements for elliptic curve and rsa coprocessors

Number: WO2000042484A3
Assignee: Fortress U & T Ltd

This invention discloses apparatus and methods for accelerating processing, loading (10) and unloading (30) of data from and to a plurality of memory addresses in a CPU (1300) having an accumulator, and to a memory-mapped coprocessing device for continuous integer computations.

Publication date: 13-02-2008

Apparatus and method for calculating the result of division

Number: JP4047816B2
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 02-08-2011

Exponentiation method using multibase number representation

Number: US7991154B2
Assignee: UNIVERSIDAD DE CASTILLA LA MANCHA

A method of scalar multiplication for use in elliptic curve-based cryptosystems (ECC) is provided. Scalars are represented using a generic multibase form combined with the non-adjacency property, which greatly reduces the density of non-zero digits in the representation. The method allows an unrestricted number of bases and their weights in the representation to be selected flexibly according to the characteristics of a setting, so that computing costs are minimized. A simple, memory-friendly conversion from binary to multibase representation and an inexpensive way to protect the multibase scalar multiplication against simple side-channel attacks are also provided.

Publication date: 26-10-2011

Safe sliding window exponentiation

Number: EP2128754B1
Author: Sven Dr. Bauer
Assignee: Giesecke and Devrient GmbH

Publication date: 03-10-2007

Secure and compact exponentiation method for cryptography

Number: EP1839125A1
Author: Marc Joye
Assignee: Gemplus Card International SA, Gemplus SA

The invention relates to a method for secure and compact exponentiation. The inventive method can be applied in the field of cryptology where cryptographic algorithms are used in electronic devices such as chip cards.

Publication date: 01-06-2004

Method and device for calculating a result of an exponentiation

Number: TW589547B
Assignee: INFINEON TECHNOLOGIES AG

Publication date: 17-12-2008

Encryption computing device

Number: EP1816624A4
Assignee: Sony Corp

Publication date: 04-08-2011

Exponentiation system

Number: WO2011092552A1
Assignee: NDS Limited

A method for computation, including: defining a sequence of n bits that encodes an exponent d, such that no more than a specified number of successive bits in the sequence are the same; initializing first and second registers using a value of a base x that is to be exponentiated, whereby the first and second registers hold respective first and second values that are successively updated during the computation; for each bit in the sequence, computing a product of the first and second values, selecting one of the first and second registers depending on whether the bit is one or zero, and storing the product in the selected register, whereby the first and second registers hold respective first and second final values upon completion of the sequence; and returning x^d based on the first and second final values. Related apparatus and methods are also described.

Publication date: 04-02-2022

SECURE ELLIPTICAL CURVE ENCRYPTION DEVICE CONTROL DEVICE AND METHODS

Number: FR3055444B1
Assignee: Maxim Integrated Products Inc

Various embodiments implement countermeasures designed to resist attacks by potential intruders seeking to partially or fully extract elliptic curve secret keys using known methods that exploit system vulnerabilities, including elliptic-operation differentiation, dummy-operation detection, lattice attacks and first-real-operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, in which scalar values are recovered from information leaked during normal operation and could otherwise compromise the security of the device. In some embodiments, the device's immunity is maintained by executing elliptic scalar operations that use a flow of operations independent of the secret key in a secure elliptic curve cryptography device.

Publication date: 27-12-2006

Universal calculation method applied to points on an elliptic curve

Number: EP1421473B1
Author: Marc Joye
Assignee: Gemplus Card International SA, Gemplus SA

Publication date: 16-03-2016

System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms

Number: EP2996033A1
Author: David Vigilant
Assignee: GEMALTO SA

A system, method and computer-readable storage medium with instructions for protecting an electronic device against fault attacks. The technology includes operating the electronic device to determine two half-size exponents, dp and dq, from the exponent d; to split the base m into two sub-bases mp and m q determined from m; and to iteratively compute a decryption result S by repeatedly multiplying an accumulator A by m, mp, mq or 1 depending on the values of the i-th bits of dp and dq in each iteration i. Other systems and methods are disclosed.

Publication date: 29-07-2009

Elliptic curve cryptosystem apparatus, method and program

Number: EP1320027B1
Assignee: Fujitsu Ltd

Publication date: 28-02-2008

Cryptographic methods including montgomery power ladder algorithms

Number: US20080049931A1
Author: IHOR VASYLTSOV
Assignee: SAMSUNG ELECTRONICS CO LTD

A cryptographic method of countering differential fault analysis (DFA) using the elliptic curve cryptography (ECC) fast Montgomery power ladder algorithm (MPLA) is provided. The method may include receiving a base point P on an elliptic curve and a scalar k, initializing a plurality of primary variables (P1 and P2) with the base point P, and iterating through a plurality of operations using a repetition variable i, where i is an integer. The operations may include setting a plurality of secondary variables (T1 and T2) corresponding to the primary variables (P1 and P2), resetting the primary variables (P1 and P2) and secondary variables (T1 and T2) based on a portion of the scalar k, and calculating the scalar product Q equal to the product of the base point P and the scalar k. The method may further include identifying a fault using the primary variables (P1 and P2) and secondary variables (T1 and T2) based on a portion of the scalar k, and outputting the scalar product Q if no fault is identified. The method may be applied to a variety of cryptographic systems without degrading their performance, and may counter a variety of attacks using faults and/or fault analysis.

Publication date: 30-10-2012

Method for securely encrypting or decrypting a message

Number: US8300810B2
Assignee: SIEMENS AG

A method for securely encrypting or decrypting a message, or for generating or verifying a digital signature on a message, in which the message is subjected, with the aid of a processor, to a mathematical operation using a key (k) representable as a binary number with a sequence of bits, and computational operations are carried out sequentially on auxiliary variables for each bit. The dependence of the computational result on the values of individual bits is handled by reading the memory addresses of the auxiliary variables and assigning them to address variables. The difference between the addresses is calculated and, depending on the current bit, added to or subtracted from the addresses, so that the assignment of the auxiliary variables to the address variables can be interchanged. As a result, the order and selection of the computational operations is controlled by the bits without the program sequence having to contain jump instructions.

Publication date: 31-01-2008

Pseudo random number generator, stream encrypting device, and program

Number: WO2008013083A1
Author: Toru Hisakado
Assignee: NEC Corporation

Publication date: 27-03-2013

Integer division method which is secure against covert channel attacks

Number: CN1739094B
Author: K·比列加斯, M·若耶
Assignee: GEMALTO SA

The invention relates to a cryptographic method comprising an integer division of the type q = a div b and r = a mod b, where q is the quotient, a is an m-bit number, b is an n-bit number, n is less than or equal to m, and b_{n−1}, the most significant bit of b, is non-zero. In each iteration of the method, the loop index i varying between 1 and m−n+1, a partial division of an n-bit word A of the number a by the number b is performed in order to obtain one bit of the quotient q. According to the invention, the same operations are performed in each iteration regardless of the value of the quotient bit obtained. In different embodiments of the invention, one of the following is performed in each iteration: adding the number b to the word A or subtracting the number b from the word A; adding the number b or the complement of b to the word A; or, after adding the updated data to the word A, operating with 2^n on the updated data or on dummy data
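The "add b or the complement of b" embodiment above, written as non-restoring division, as an added example that is not code from the patent. Every iteration performs the same operations (one shift, one masked selection, one addition and one sign extraction) whichever quotient bit comes out, and the selection is done with a mask rather than a branch. Python big-integer arithmetic is not constant-time in itself; the block shows the uniform operation sequence. The assumption that the partial remainder stays within [−b, b), so that a single arithmetic shift yields its sign, is a property of non-restoring division and is noted in the code.

```python
# Added example (not code from the patent): non-restoring division with the
# add-b-or-its-complement step selected by a mask instead of a branch, beside
# the restoring long division whose branch the abstract removes.


def protected_divmod(a, b):
    """Return (q, r) with a = q*b + r, 0 <= r < b, using m-n+1 uniform iterations."""
    m, n = a.bit_length(), b.bit_length()
    assert b > 0 and n <= m                 # b_{n-1} != 0 and n <= m, as in the abstract
    width = n + 2                           # the partial remainder stays in [-b, b),
                                            # so r >> width is 0 (r >= 0) or -1 (r < 0)
    r = a >> (m - n + 1)                    # initial word A: top n-1 bits of a, always < b
    q = 0
    for i in range(m - n, -1, -1):          # m-n+1 iterations, one quotient bit each
        neg = (r >> width) & 1              # 1 iff current partial remainder < 0
        mask = neg - 1                      # all-ones when r >= 0, zero when r < 0
        delta = (b ^ mask) - mask           # -b when r >= 0 (complement), +b when r < 0
        r = 2 * r + ((a >> i) & 1) + delta  # bring down the next bit of a, then add
        neg = (r >> width) & 1
        q = (q << 1) | (1 - neg)            # quotient bit is 1 iff new remainder >= 0
    r += b & -neg                           # final correction when the last remainder < 0
    return q, r


def naive_divmod(a, b):
    """Restoring long division with the data-dependent branch the abstract removes."""
    q, r = 0, 0
    for i in range(a.bit_length() - 1, -1, -1):
        r = (r << 1) | ((a >> i) & 1)
        q <<= 1
        if r >= b:          # branch on the quotient bit: a timing/SPA leak
            r -= b
            q |= 1
    return q, r
```

In a smart-card implementation the same structure is what makes the power trace of each iteration identical; the remaining leak to check for is the carry logic of the adder, which a hardware implementation must also make independent of the operands.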

Publication date: 23-09-2009

Information security device

Number: CN101542557A
Assignee: Matsushita Electric Industrial Co Ltd

The object of the invention is to provide an information security device that, compared with the prior art, reduces the processing time of the exponentiation that has to be computed when performing secret communication or authentication. In this information security device, secret communication or authentication is performed by computing the power X^d from target data X and a secret value d using the window method. In the course of computing X^d, after a random number R appearing in the multiplication-based operations has been squared a predetermined number of times, for example 256 times, a random-number removal value S (= R^(−2^256)) is used in the subsequent multiplication to cancel the result of the repeated squaring of the random number R, so that the cancellation processing of the prior art is not needed.

Publication date: 03-11-2015

Arithmetic apparatus, elliptic scalar multiplication method of arithmetic apparatus, elliptic scalar multiplication program, residue operation method of arithmetic apparatus, and residue operation program

Number: US9176707B2
Assignee: Mitsubishi Electric Corp

A scalar multiplication unit references a t-bit sequence representing a random number k one bit at a time from the most significant bit. For each referenced bit it sets in a work variable R[0] the value obtained by doubling the scalar multiplication variable R, which is initialised to a specific point G on the elliptic curve, and sets in a work variable R[1] the value obtained by adding G to R[0]. The scalar multiplication unit 122 then sets R[0] in R if the referenced bit is 0, and R[1] in R if it is 1. A scalar multiple point output unit 123 outputs, as the scalar multiple point kG, the value obtained by subtracting the constant 2^t·G from the scalar multiplication variable R.
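The add-always scalar multiplication above (R = (2^t + k)·G, then subtract the constant 2^t·G) and, for the Samsung Montgomery-ladder abstract US20080049931A1 earlier on this page, a ladder whose two registers are checked against their invariant R1 − R0 = G before the result is released, as one added example that is not code from either patent. The invariant check is the usual ladder consistency test and is this example's reading of how the secondary variables can detect a fault, not necessarily the patent's exact procedure. The curve, its base point and the fault model are constructed for the example; Python arithmetic is not constant-time, so what is shown is the uniform sequence of group operations.

```python
# Added example (not code from either patent): Mitsubishi's add-always scalar
# multiplication with the 2^t G offset, and a Montgomery ladder with the
# R1 - R0 == G consistency check as a fault detector. Toy curve, constructed.

P_MOD, A, B = 97, 2, 3        # constructed toy curve y^2 = x^3 + 2x + 3 over F_97
G = (3, 6)                    # 6^2 = 36 = 27 + 6 + 3 (mod 97)
INF = None                    # point at infinity


def inv(v):
    return pow(v, P_MOD - 2, P_MOD)


def ec_add(p, q):
    """Affine addition handling infinity, P + (-P) and doubling."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_neg(p):
    return INF if p is INF else (p[0], -p[1] % P_MOD)


def ec_double(p):
    return ec_add(p, p)


def naive_mul(k, p):
    """Reference double-and-add; its branch on each bit is the leak."""
    r = INF
    for bit in bin(k)[2:]:
        r = ec_double(r)
        if bit == "1":
            r = ec_add(r, p)
    return r


def add_always_mul(k, p, t):
    """Mitsubishi method: R starts at G; each of the t bits costs one doubling
    and one addition, R[0] = 2R, R[1] = R[0] + G, and R takes R[bit]. The loop
    is identical for any k < 2^t (leading zeros included); kG = R - 2^t G."""
    assert 0 <= k < (1 << t)
    offset = p
    for _ in range(t):                  # the constant 2^t G (precomputable)
        offset = ec_double(offset)
    r = p
    for i in range(t - 1, -1, -1):
        r0 = ec_double(r)
        r1 = ec_add(r0, p)
        r = (r0, r1)[(k >> i) & 1]      # selection, not a skipped operation
    return ec_add(r, ec_neg(offset))


def ladder_mul_checked(k, p, t, fault_at=None):
    """Montgomery ladder over t bits with the consistency check R1 - R0 == G.
    The ladder preserves R1 - R0 at every step, so a fault injected into either
    register (simulated after iteration `fault_at`) is detected at the end."""
    r0, r1 = INF, p
    for i in range(t - 1, -1, -1):
        if (k >> i) & 1 == 0:
            r1, r0 = ec_add(r0, r1), ec_double(r0)
        else:
            r0, r1 = ec_add(r0, r1), ec_double(r1)
        if i == fault_at:
            r0 = ec_add(r0, p)          # constructed fault: R0 silently off by G
    if ec_add(r1, ec_neg(r0)) != p:
        raise ValueError("fault detected: ladder invariant R1 - R0 = G violated")
    return r0


def fault_is_detected(k, p, t, fault_at):
    try:
        ladder_mul_checked(k, p, t, fault_at)
    except ValueError:
        return True
    return False
```

The two methods answer different threats: the add-always loop removes the operation-count dependence on k (simple power analysis), while the invariant check refuses to output a result that a glitch has corrupted (differential fault analysis); in a real implementation the field arithmetic underneath both must itself be constant-time, which affine arithmetic with a variable-time inversion is not.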

Publication date: 12-01-2011

Protection of a calculation performed by an integrated circuit

Number: EP1715410B1
Assignee: STMICROELECTRONICS SA

Publication date: 07-08-2003

Apparatus and method for calculating a result from a division

Number: DE10205713C1
Author: Wieland Fischer
Assignee: INFINEON TECHNOLOGIES AG

A device for calculating a result (Q), or an integer multiple of the result, of the division of a numerator (A) by a denominator (N) comprises means (12) for providing a factor chosen so that the product of the factor and the denominator is greater than the result. The device further comprises means (14) for modularly reducing a first product of the numerator and the factor, using a modulus equal to the sum of a second product of the denominator and the factor and an integer, to obtain an auxiliary quantity that contains the result. Means (16) extract the result, or the integer multiple of the result, from the auxiliary quantity. A division is thus reduced to a modular reduction and a computationally cheap extraction, so that, in particular for long-number divisions, both speed and security are increased.

Publication date: 19-12-2012

Fault-resistant exponentiation algorithm

Number: EP2535804A1
Assignee: Thomson Licensing SAS

An m-ary right-to-left exponentiation with base x and exponent d is performed in a device (100) having a processor (120) and m+1 registers R[0]–R[m] in a memory (130), by: initialising register R[m] to x^{a(m−1)} for a chosen integer a; initialising the registers other than R[m] to a value h, which advantageously is of small order; updating register R[r] to R[r]·x, where r is the remainder of the division of d by a·(m−1), so that the product of the registers R[0]–R[m−1] raised to (m−1) equals R[m]; modifying the exponent d to a working exponent q that is the quotient of the division of d by a·(m−1), the working exponent q = (q_{l−1}, …, q_0) being represented in base m and having a most significant non-zero digit followed by l−1 further digits; performing l iterations, starting at i = 0, of raising R[m] to the power m and setting R[q_i] to R[q_i]·R[m]; verifying the correctness of the result by checking that R[m] equals the product of the registers R[0]–R[m−1] raised to the power m−1; and, if the verification succeeds, outputting the product of R[j]^j over 1 ≤ j ≤ m−1. The exponentiation can save memory or run faster. Also provided are a device (100) and a computer program product (140).

Publication date: 05-06-2008

Method of Performing Secure and Compact Exponentiation for Cryptography

Number: US20080130877A1
Author: Marc Joye
Assignee: Gemplus SA

The invention relates to a method for secure and compact exponentiation. The inventive method can be applied in the field of cryptology where cryptographic algorithms are used in electronic devices such as chip cards.

Publication date: 31-12-2009

Pseudo-random number generation device, stream encryption device and program

Number: US20090327382A1
Author: Toru Hisakado
Assignee: NEC Corp

A pseudo-random number generation device resistant to attack methods that exploit the number of operations of an LFSR, a stream encryption device, and a program are provided. The stream encryption device has either means (delay means 811 to 81N) that operate exclusively with each LFSR (801 to 80N) of the clock-controlled pseudo-random number generator and make the generation processing time or the power consumption per output unit uniform, or means that randomise the generation processing time or the power consumption per output unit.

Publication date: 07-02-2007

Modular power algorithm for electronic components using public key cryptography algorithms

Number: JP3878853B2
Assignee: Gemplus SA

Publication date: 12-07-2007

Protection of a calculation performed by an integrated circuit

Number: US20070162534A1
Assignee: STMICROELECTRONICS SA

A method and a circuit for protecting a digital quantity over a first number of bits, in an algorithm executing at least one modular exponentiation of data by the quantity, the steps including at least one squaring and at least one multiplication and implementing, for each bit of the quantity, different calculation steps according to the state of the bit, the same number of multiplications being performed whatever the state of the bit and all the calculation steps using a multiplication being taken into account to calculate the final result.

Publication date: 07-05-2021

Modular multiplication operation using lookup tables

Number: CN105892991B
Assignee: NXP BV

Embodiments relate to a non-transitory machine-readable medium encoded with instructions for execution by a processor to perform modular exponentiation, and to a corresponding method and system. The medium includes instructions for iteratively computing the modular exponentiation b^d mod n, comprising instructions for squaring a working value c, and instructions for conditionally multiplying the working value c by the base value b according to the bits of the exponent d, the latter comprising instructions for unconditionally multiplying the working value c by a lookup-table entry associated with the base value.

Publication date: 27-02-2019

Method of testing the resistance of a circuit to a side channel analysis

Number: EP3447509A1
Assignee: Eshard SAS

The present invention relates to a test method comprising: acquiring a plurality of value sets (Ci), each comprising values of a physical quantity or of logic signals, linked to the activity of a circuit to be tested when executing distinct cryptographic operations applied to a same secret data, for each value set, counting occurrence numbers of the values of the set, for each operation and each of the possible values of a part of the secret data, computing a partial result of operation, computing sums of occurrence numbers, each sum being obtained by adding the occurrence numbers corresponding to the operations which when applied to a same possible value of the part of the secret data, provide a partial operation result having a same value, and analyzing the sums of occurrence numbers to determine the part of the secret data.

Publication date: 26-05-2021

Method of testing the resistance of a circuit to a side channel analysis

Number: EP3447509B1
Assignee: Eshard SAS

Publication date: 08-06-2012

Encryption computing device

Number: KR101154695B1
Assignee: Sony Corporation

An apparatus and method are provided that realise secure and fast computation in hyperelliptic curve cryptographic processing. The base point D of the scalar multiplication based on the hyperelliptic curve cryptosystem, and the precomputed data of the window method used as the algorithm for executing the scalar multiplication, are chosen to be degenerate divisors, i.e. divisors whose weight is smaller than the genus g of the hyperelliptic curve, and the additions in the window-method scalar multiplication are performed as additions of a degenerate divisor and a non-degenerate divisor. This configuration achieves fast computation while leaving intact the resistance to SPA analysis and other attacks that analyse the key from the computation.

Publication date: 20-08-2009

Elliptic curve cryptosystem apparatus, storage medium storing elliptic curve cryptosystem program and elliptic curve cryptosystem arithmetic method

Number: US20090207997A1
Assignee: Fujitsu Ltd

A scalar multiplication can be performed on an elliptic curve cryptosystem at a high speed. P is set as an initial value of Q[0], and 2×P is set as an initial value of Q[1]. An elliptic curve doubling ECDBL of Q[d[i]] is performed, and an arithmetic result is stored in Q[2]. An elliptic curve addition ECADD of Q[0] and Q[1] is performed, and an arithmetic result is stored in Q[1]. Q[2−d[i]] is stored in Q[0]. Q[1+d[i]] is stored in Q[1]. The elliptic curve addition ECADD and the elliptic curve doubling ECDBL are concurrently performed in the respective processors.

Publication date: 14-11-2012

Modular exponentiation and device resistant against side-channel attacks

Number: EP2523096A1
Author: Marc Joye
Assignee: Thomson Licensing SAS

An iterative modular exponentiation method. A device (100) takes as input a base x , an exponent d and the modulus N . During each iteration of the modular exponentiation algorithm, the device (100) takes two values a, b and the modulus N , and performs a modular multiplication between the two values using a modular multiplication formula comprising a modular multiplication wherein at least one of the two operands is derived from at least one of the two values a, b so that the values of the two operands being multiplied in the modular multiplication formula are different when a is equal to b . The device (100) then outputs a result of the modular exponentiation method. Also provided is an apparatus (100) and a computer program product (140).

Publication date: 10-06-2010

Method and apparatus for modular operation

Number: US20100146029A1
Author: Kunihiko Higashi
Assignee: NEC Electronics Corp

The modular operation apparatus of the present invention that enables to improve the tamper resistance to the side channel attacks includes an operator that carries out a Montgomery multiplication according to one of a first multiplicand and a second multiplicand, a multiplier, and a divisor, a first multiplicand register that stores an operation result of the Montgomery multiplication as the first multiplicand, a subtractor that subtracts the divisor from the operation result of the Montgomery multiplication, a second multiplicand register that stores a subtraction result of the subtractor as the second multiplicand, and a selector that outputs one of a value of the first multiplicand register and a value of the second multiplicand register according to a comparison result between the operation result of the Montgomery multiplication and the divisor.

Publication date: 24-08-2016

Modular multiplication using look-up tables

Number: CN105892991A
Assignee: NXP BV

Embodiments relate to a non-transitory machine-readable medium encoded with instructions for execution by a processor to perform modular exponentiation, and to a corresponding method and system. The medium includes instructions for iteratively computing the modular exponentiation b^d mod n, comprising instructions for squaring a working value c, and instructions for conditionally multiplying the working value c by the base value b according to the bits of the exponent d, the latter comprising instructions for unconditionally multiplying the working value c by a lookup-table entry associated with the base value.

Publication date: 28-06-2007

Resisting cache timing based attacks

Number: US20070150530A1
Assignee: Intel Corp

Executing a program on a processor based system, the program including an implementation of an algorithm including one or more modular multiplication operations and one or more modular squaring operations, such that the program performs the execution of each of the one or more modular multiplication operations in a first thread of execution, and performs the execution of each of the one or more modular squaring operations in a second thread of execution distinct from the first thread.

Publication date: 09-10-2003

Cryptographic method protected against covert channel type attacks

Number: WO2003083645A2
Assignee: Gemplus

The invention relates to a cryptographic method secured against covert channel attacks. According to the invention, in order to carry out a selected block of instructions (Γj), chosen as a function of an input variable (D1) from among N predefined instruction blocks (Γ1, …, ΓN), a common block (Γ(k, s)) shared by the N predefined instruction blocks is carried out a predefined number (Lj) of times, the predefined number (Lj) being associated with the selected instruction block (Γj).

Publication date: 11-05-2011

Cryptographic processing apparatus, cryptographic processing method, and computer program

Number: JP4682852B2
Author: 徹 秋下, 雅宣 堅木
Assignee: Sony Corp

Publication date: 22-01-2016

CRYPTOGRAPHY METHOD COMPRISING A MODULAR EXPONENTIATION OPERATION

Number: FR2997780B1
Assignee: Inside Secure SA

Publication date: 06-08-2009

A device, method and a computer program product for calculating additions of points on elliptic curves in edwards form

Number: WO2009095491A1
Author: Marc Joye
Assignee: THOMSON LICENSING

A device (100) for calculations on elliptic curves. The elliptic curve in generalized Edwards form is projected so that a point P = (x1, y1) on the curve is represented by the tuple (x1·Z1 : y1·Z1 : Z1) for any Z1 ≠ 0. The addition of two projective points (X1 : Y1 : Z1) and (X2 : Y2 : Z2) is given by X3 = Z1Z2(X1Y2 + X2Y1)·M, Y3 = Z1Z2(Y1Y2 − e·X1X2)·N and Z3 = M·N, where M = f·Z1²Z2² − d·X1X2Y1Y2 and N = f·Z1²Z2² + d·X1X2Y1Y2. By rewriting X1Y2 + X2Y1 as (X1 + Y1)(X2 + Y2) − X1X2 − Y1Y2 (the products X1X2 and Y1Y2 are needed anyway), the addition costs 10M + 1S + 1d + 1e + 1f, where M denotes a field multiplication, S a field squaring, and d, e, f a multiplication by the constants d, e, f respectively. Also provided are a special doubling formula, a method, and a computer program (140).

Publication date: 14-11-2009

Exponentiation method using multibase number representation

Number: CA2631276A1
Assignee: Individual

A method of scalar multiplication for use in elliptic curve-based cryptosystems (ECC) is provided. Scalars are represented using a generic multibase form combined with the non-adjacency property, which greatly reduces the density of non-zero digits in the representation. The method allows an unrestricted number of bases and their weights in the representation to be selected flexibly according to the characteristics of a setting, so that computing costs are minimized. A simple, memory-friendly conversion from binary to multibase representation and an inexpensive way to protect the multibase scalar multiplication against simple side-channel attacks are also provided.
