The invention relates to a cryptographic method secured against hidden-channel attacks during which, in order to carry out modular exponentiation of type C=AB1 mod N, where A is an operand, B1 a first exponent, N is a modulus and C is a result, the following steps are carried out, consisting of:
Such methods are particularly interesting for asymmetric signature and encryption applications. A can therefore be, according to the application, a message to sign, check, encrypt or decrypt. B1 is a public or private key, according to the application. C is a result, according to the invention, a signed or decrypted message.
Masking the number A by a number s is a known countermeasure for securing modular exponentiation operations, in particular when they are implemented in chip-card type microcircuits, against so-called side-channel or hidden-channel attacks, allowing information to be obtained on the number B1.
A first countermeasure known from document D1 (Timing Attack on Implementations of Diffie-Hellman, RSA, DSS and Other Systems, Paul Kocher, Crypto 1996, LNCS Springer) consists of obtaining a random number s, calculating sB2, where B2 is a private or public key associated with B1, then multiplying sB2 by A (sB2.A), raising the result of the multiplication to the power of B1 ((sB2.A)B1) then reducing modulo N. B1 and B2 being a public key and an associated private key such that B1.B2=1 modulo φ(N), where φ represents the Euler function, such that the result ((sB2.A)B1) modulo N is simplified to give (s.AB1) modulo N. A division by s finally makes it possible to obtain the desired result, C=AB1 modulo N. This solution is certainly efficient, but it is expensive to implement. Indeed, in order for the measure to be effective, it is essential for sB2 to be greater than A. This means that s must be a large number, more precisely larger than the size of A divided by the size of B2. If B2 is small (for example less than seventeen bits), s must be large (for example more than the number of bits of the modulus divided by seventeen). The production of large random numbers requires the use of a large generator which, on the one hand, consumes a considerable amount of power and, on the other hand, requires a considerable amount of time, which is not always compatible with chip-card applications. In addition, a long time might be required to carry out the division.
A second countermeasure, known mainly from document D2 (J. S. Coron, P. Paillier, “Countermeasure method in an electronic component which uses an RSA-type public key cryptographic element” patent number FR 2799851. Publication date Apr. 20, 2001. Int Pub Numb. WO0128153) consists of using two random numbers s1, s2 to carry out the operation (A+s1.N)B1 mod (s2.N). Then, at the end of the calculation, the contribution provided by s1 and s2 is removed. Since s1 and s2 can be small in size, they are easier to obtain. However, this method requires carrying out an operation modulo s2.N. This requires the use of a larger multiplier and is not always compatible with chip-card applications.
One aim of the invention is to provide a solution for carrying out a modular operation of type AB1 mod N that is more interesting than known solutions as it is less expensive to implement.
For this reason, the invention provides for masking the operand A by multiplying the operand A by a parameter in the form Ks.B2, where K is a constant (possibly public) and B2 is a second exponent such that B1.B2=1 mod φ(N).
For the foreseen cryptographic applications, B1 and B2 are naturally associated private and public keys.
During the demasking step after exponentiation, the contribution Ks provided by the random number s is removed.
In the invention, the random number s is, on the one hand, multiplied by B2 and, on the other hand, it placed as an exponent. Thus, the parameter Ks.B2 is large enough to mask the operand A, even when s is small. With the invention, it is not therefore necessary to have a large random-number generator.
Another aim of the invention is to provide a method that is quick to implement.
For this reason, in a preferred embodiment of the invention, the steps of masking E1, exponentiation of E2 and demasking E3 are carried out using a Montgomery multiplier, which has the advantage of carrying out modular multiplications which are particularly quick to execute compared with conventional multipliers and very useful for exponentiation.
Preferably also, the constant K is chosen to be equal to 2p, p being an integer comprised between 0 and n, n being an upper bound of the size of the modulus N. Upper bound of the size of the modulus N is understood here to be a number equal to or slightly larger than the size of n, and typically depending on the choice of implementation of the Montgomery multiplication and/or the hardware capabilities of the processor in which the multiplication is implemented. For example, if N is a 520-bit number, and if the processor used works with 576-bit words, n will advantageously be chosen to be equal to 576 bits.
The choice of the constant K=2P makes it possible advantageously to use the properties of the Montgomery multipliers to speed up the calculations while guaranteeing the security of the method. The choice of a number p=n such that K=2n is optimum as will be seen below.
The invention also relates to a cryptoprocessor comprising in particular a Montgomery multiplier for implementing a method such as described above.
The invention finally relates to a chip card comprising a cryptoprocessor such as described above.
The invention will be better understood and further characteristics and advantages of the invention will appear clearly from the description provided below, by way of non-limiting example, of the preferred embodiment of the invention.
As mentioned above, the invention relates to a secured cryptographic method during which, in order to carry out modular exponentiation of type C=AB1 mod N, where A is an operand, B1 a first exponent, N is a modulus and C is a result, the following steps are carried out, consisting of:
According to the invention, during step E1 of masking the operand A, the operand A is multiplied by a parameter in form Ks.B2, where K is a constant and B2 is a second exponent such that B1.B2=1 mod φ(N). In this way, a masked operant is obtained, A′=Ks.B2.A. The exponentiation of A′ (step E2) by B1 produces the masked result C′=Ks.AB1 mod N. Finally, during step E3, the contribution Ks provided by the random number s is removed to obtain the desired result C.
The invention is preferably implemented using a Montgomery multiplier.
Before providing a more complete description of the method of the invention, it is convenient to remember certain known properties of a Montgomery multiplier, described for example in document D3 (P. L. Montgomery, Modular Multiplication without trial division, Mathematics of computation, 44(170) pp 519-521, April 1985).
A Montgomery multiplier makes it possible to carry out multiplications of type Mgt(A,B,N)=A.B.R−1 mod N. One advantage of this multiplier is its calculation speed. One disadvantage of this multiplier is that it introduces a constant R, called Montgomery constant, to the calculation. R is a power of 2 coprime with N: R=2 with n such that GCD(R, N)=1.
The Montgomery constant is intrinsic in the multiplier and it is necessary to remove its contribution in the early stages of the calculation, during the calculation or at the end. Thus, to calculate C=A.B mod N, it is possible for example first to calculate A.R then Mgt(A.R,B,N)=A.B mod N. It is also possible to carry out a first multiplication C0=Mgt(A.R, B.R, N)=A.B.R mod N followed by a second multiplication of type C=Mgt(1, C0, N)=A.B mod N.
The Montgomery multiplier also makes it possible to carry out modular exponentiations of type C=MgtExp(A,B,N)=AB.R−(B−1) mod N or C=MgtExp(A.R,B,N)=AB.R mod N (in this case the constant R−B introduced by the calculation is compensated by multiplying A by R in the early stages of the calculation). Concretely, to carry out a Montgomery exponentiation, an algorithm such as that commonly referred to as “square and multiply” is executed, consisting, in a loop indexed by i varying between q−1 and 0, q being the size of the number B, of a succession of multiplications of type Ui=Mgt(Ui-1, Ui-1, N) and possibly Mgt(Ui, A, N) (or Mgt(Ui, A.R, N)), according to the value of a bit Bi of B associated with the index i, Ui being a loop variable initialised at the value Uq=R. This exponentiation is explained in greater detail in document D4 (Handbook of Applied Cryptography by A. Menezes, P. Van Oorschot and S. Vanstone, CRC Press 1996, chapter 14, algorithm 14.94). This exponentiation calculation has the advantage of being particularly quick.
Montgomery operations have the following main characteristics, which will be used subsequently:
Mgt(A,B,N)=A.B.R−1 mod N
Mgt(A.R,B.R,N)=A.B.R mod N
Mgt(1,1,N)=Mgt(N−1,N−1,N)=R−1 mod N
Mgt(A,1,N)=Mgt(N−A,N−1,N)=A.R−1 mod N
MgtExp(A.R,B,N)=AB.R mod N
In the preferred embodiment of the method of the invention, Montgomery multiplications and exponentiations are used to speed up the calculation of exponentiation masked by the random number Ks.B2.
Initially, during step E1 of masking the operand A, the following substeps are carried out, which consist of:
Then, during the step of exponentiation of the masked operand A′, the following substep is carried out:
Finally, during step E3 of demasking the masked result, the following substeps are carried out:
As mentioned previously, Montgomery multiplications and exponentiations introduce a contribution in the result which depends on the Montgomery constant R. This constant can be eliminated at the end of each multiplication, for example by carrying out a Montgomery multiplication by R2 after a calculation. When this is possible, and in particular for the exponentiations, it is easier to compensate the constant R in an earlier stage, by multiplying the operand by the constant R, rather than compensating a power of R (especially a negative power of R) at the end.
Likewise, a correct choice of the constant K makes it possible further to increase the speed of the calculation, in particular in step E31 of the calculation of K−s. More precisely, choosing a constant K=2p (p being comprised between 0 and n) with the same form as the Montgomery constant R=2n, makes it possible to simplify the calculations. The following appears in particular:
The calculation of the inverse of K and then K−s is thus facilitated.
After various simplifications following the choice of K=2p, a method is finally obtained comprising all the following steps.
E0: initialisation:
E1: masking A as A′
E2: calculating C′=A′B1 mod N
E3: finding C based on C′
It should be noted that, when implementing the above method in a cryptoprocessor, the same register or part of the memory can be used to store intermediate variables, with names containing the same letter: M1, M2 can be stored in succession in a register M, the same goes for variables I1, I2, which can be stored in the same register I, and variables U1, U2, U3, U4 can be stored in the same register U.
The particular choice of K=2n makes it possible further to speed up the calculation since the fact that K=R allows further simplifications.
After simplification, the following method is obtained:
E0: initialisation:
E1: masking A as A′
E2: calculating C′=A′B1 mod N
E3: finding C based on C′
Compared with the general case where K=2p, the following simplifications have been made:
Evidently, in the method described above, certain steps can be moved or switched around. For example, in the initialisation step E0, the substeps can be carried out in a different order.
As was seen above, the invention can advantageously be implemented to carry out the exponentiation C=AB1 mod N in the following three steps:
The invention can also be advantageously combined with the Chinese Remainder Theorem to speed up the exponentiation calculation. This is commonly referred to as RSA-CRT.
According to the Chinese Remainder Theorem (CRT), known from document D5 (Cryptography Theory and Practice, chapter 4, Douglas R. Stinson, 1995, CRC Press), a conventional exponentiation calculation C=AB1 mod N can be broken down as follows:
where
Applied to this CRT breakdown, the invention leads to the following method:
Preferably, for an easier calculation, K2 is calculated first, and then (K2)−s.
In one variation, it is also possible to carry out the following:
In a preferred embodiment of the invention, a constant K=2max(size(p), size(q))=2r is chosen, where r is the largest size between the size of p and the size of q. This choice allows simplifications when implementing the method using a Montgomery processor.
It is then noted that in step E3 the value K2 in (K2)−s is suitable for modular Montgomery operations on the module N knowing that the size of N is less than or equal to the sum of the sizes of p and q, size(N)≦size(p)+size(q)≦2*max(size(p),size(q)).
It should be noted finally that the method of the invention can be combined with previous methods to further increase the security of the method.
For example, in addition to masking A by Ks.B2, it is also possible to use a random number s2 to mask N, as described in document D2 and the prior art of the present document. If the Chinese Remainder Theorem is used, it is also possible to mask p and q by s2.
Number | Date | Country | Kind |
---|---|---|---|
05 13305 | Dec 2005 | FR | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2006/070206 | 12/22/2006 | WO | 00 | 6/16/2008 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2007/074149 | 7/5/2007 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
6064740 | Curiger et al. | May 2000 | A |
6304658 | Kocher et al. | Oct 2001 | B1 |
6748410 | Gressel et al. | Jun 2004 | B1 |
7787620 | Kocher et al. | Aug 2010 | B2 |
20060023873 | Joye | Feb 2006 | A1 |
20090092245 | Fumaroli et al. | Apr 2009 | A1 |
20110131424 | Vigilant | Jun 2011 | A1 |
20110216900 | Yoon et al. | Sep 2011 | A1 |
20110246789 | Feix et al. | Oct 2011 | A1 |
Number | Date | Country |
---|---|---|
1 327 932 | Jul 2003 | EP |
WO 0128153 | Apr 2001 | WO |
2005-048008 | May 2005 | WO |
Number | Date | Country | |
---|---|---|---|
20100014656 A1 | Jan 2010 | US |