CRYPTOGRAPHIC PROCESSING METHOD, ASSOCIATED ELECTRONIC DEVICE AND COMPUTER PROGRAM

Information

  • Patent Application: 20210194669
  • Publication Number: 20210194669
  • Date Filed: December 14, 2020
  • Date Published: June 24, 2021
Abstract
A cryptographic processing method transforming an input byte into an output byte comprises the following steps: converting a plurality of words, each comprising at least one bit of the input byte, into input cryptograms by applying, to each of said words, a homomorphic encryption function from a first group to a second group provided with an operation; obtaining output cryptograms as a function of the input cryptograms, this obtaining step including at least one processing during which said operation is applied to two intermediate cryptograms, this processing producing a cryptogram that is the image, by the homomorphic encryption function, of a word including a Boolean logic combination of two bits comprised respectively in the two words that are the arguments, for the homomorphic encryption function, of said two intermediate cryptograms; determining bits of the output byte by applying respectively to the output cryptograms an inverse function of the homomorphic encryption function.
Description

This application claims priority to FR Patent Application No. 1915071 filed Dec. 20, 2019, the entire contents of which are hereby incorporated by reference.


The present invention relates to the technical field of cryptography.


It relates more specifically to a cryptographic processing method, as well as an associated electronic device and computer program.


When a cryptographic algorithm is implemented in software executed in an unsecure environment, particular measures must be taken to prevent an attacker who takes control of this environment from gaining access to secret data (for example, cryptographic keys).


The search for techniques that secure the implementation of a cryptographic algorithm in an unsecure environment is known as white-box cryptography.


The article "White Box Cryptography and an AES implementation", by S. Chow et al., in Post-Proceedings of the 9th Annual Workshop on Selected Areas in Cryptography (SAC'02), 15-16 Aug. 2002, proposes, for example, a technique for producing key-specific AES implementations, each tied to a particular cryptographic key.


In the solutions generally proposed in this context, the cryptographic algorithm is broken down into a series of basic processing operations, and look-up tables, each associated with one of these basic operations, are used to handle masked data.


These solutions take up a lot of memory, because of the many look-up tables they require.


In this context, the invention proposes a cryptographic processing method transforming an input byte into an output byte, characterized by the following steps:

    • converting a plurality of words, each comprising at least one bit of the input byte, into input cryptograms by application, to each of said words, of a homomorphic encryption function from a first group to a second group provided with an operation;
    • obtaining output cryptograms as a function of the input cryptograms, this obtaining step including at least one processing during which said operation is applied to two intermediate cryptograms, this processing producing a cryptogram that is an image by the homomorphic encryption function of a word including a Boolean logic combination of two bits comprised respectively in two words that are arguments, for the homomorphic encryption function, of said two intermediate cryptograms;
    • determining bits of the output byte by applying respectively to the output cryptograms, an inverse function of the homomorphic encryption function.


Applying the operation to the two intermediate cryptograms amounts to adding or multiplying the corresponding words (in the sense of the homomorphic encryption function), and therefore, with little or no additional handling within the abovementioned processing, to computing a Boolean logic combination of two respective bits of these words.


Since the additional handling (beyond applying the abovementioned operation) is limited, fewer look-up tables are needed than in conventional solutions.


It can be provided that, for each intermediate cryptogram, the argument corresponding to this intermediate cryptogram via the homomorphic encryption function comprises a first bit and a second bit, the second bit being in the position immediately above the first bit and having a predefined value. In other words, each intermediate cryptogram is the image, by the homomorphic encryption function, of a word comprising a first bit and, immediately above it, a second bit having this predefined value.


The conversion step can be applied, for example, to words each comprising a first bit equal to one bit of the input byte and a second bit, in the position immediately above the first bit, having a predefined value (such as zero).


The method may comprise a step of determining, by random drawing, a binary word comprising at least one bit; the conversion step can then be applied to words each comprising said binary word and a given bit equal to one bit of the input byte. The lowest-order bit of the binary word can, for example, be in the position immediately above the given bit, or merely in some position above it (in the latter case, a bit of predefined value, for example zero, can be inserted between said binary word and the given bit equal to the bit of the input byte).


The conversion step can be applied, in practice, to words, each comprising a plurality of bits of the input byte.


The abovementioned processing can comprise, in certain cases, reading, in a look-up table, the cryptogram associated with the result of the operation applied to the two intermediate cryptograms. This reading provides, for example, the image (by the homomorphic encryption function) of a word obtained by a particular handling (such as a shift of one bit to the right) of the argument (in the sense of the homomorphic encryption function) of said result of the operation.


The conversion step can further comprise a step of applying the operation to an input cryptogram and to a mask. This mask is, for example, determined randomly beforehand and stored in a storage module.


The obtaining step can comprise a step of combining two input cryptograms by a recombination function according to the Chinese remainder theorem. The cryptograms thus combined can be processed simultaneously, which reduces the number of operations of the second group to be carried out.


The operation is, for example, a multiplication; the second group can be, in practice, a finite field. The second group can moreover be distinct from the first group.


The invention also proposes an electronic device comprising a processor and a memory storing computer program instructions designed to implement the following steps when these instructions are executed by the processor:

    • converting a plurality of words, each comprising at least one bit of an input byte, into input cryptograms by application, to each of said words, of a homomorphic encryption function from a first group to a second group provided with an operation;
    • obtaining output cryptograms as a function of the input cryptograms, this obtaining step including at least one processing event during which said operation is applied to two intermediate cryptograms, this processing event producing a cryptogram that is an image by the homomorphic encryption function of a word including a Boolean logic combination of two bits comprised respectively in two words that are arguments, for the homomorphic encryption function, of said two intermediate cryptograms;
    • determining bits of an output byte by applying respectively to the output cryptograms, an inverse function of the homomorphic encryption function.


The invention also proposes a computer program comprising instructions designed to implement the following steps when these instructions are executed by a processor:

    • converting a plurality of words, each comprising at least one bit of an input byte, into input cryptograms by application, to each of said words, of a homomorphic encryption function from a first group to a second group provided with an operation;
    • obtaining output cryptograms according to the input cryptograms, this obtaining step including at least one processing event during which said operation is applied to two intermediate cryptograms, this processing event producing a cryptogram that is an image by the homomorphic encryption function of a word including a Boolean logic combination of two bits comprised respectively in two words that are arguments, for the homomorphic encryption function, of said two intermediate cryptograms;
    • determining bits of an output byte by applying respectively to the output cryptograms, an inverse function of the homomorphic encryption function.


The invention further proposes a computer-readable non-transitory storage medium storing such instructions.


Of course, the different features, variants and embodiments of the invention can be combined with one another in various ways insofar as they are not incompatible or mutually exclusive.





In addition, various other features of the invention emerge from the following description, made with reference to the drawings, which illustrate non-limiting embodiments of the invention and in which:



FIG. 1 schematically represents an electronic device according to the invention, and



FIG. 2 is a flowchart showing the main steps of a method according to the invention.






FIG. 1 schematically represents an electronic device 2 comprising a processor 4 (for example, a microprocessor), a storage module 6, a random access memory 8 and a communication module 10.


The storage module 6 stores computer program instructions designed to implement a cryptographic processing method such as that described below in reference to FIG. 2 when these instructions are executed by the processor 4. The storage module 6 is, for example, in practice, a hard disk or a non-volatile memory (possibly rewritable).


The random access memory 8 can itself store at least some of the elements (in particular, bytes and cryptograms) handled during the various processing events carried out during the method of FIG. 2.


The communication module 10 is connected to the processor 4 so as to allow the processor 4 to receive data coming from another electronic device (not represented) and/or to transmit data to another electronic device (not represented).


According to one possible embodiment, the computer program instructions stored in the storage module 6 have, for example, been received (for example, from a remote computer) during an operating phase of the electronic device 2 prior to the method described below with reference to FIG. 2.


The invention applies in particular when the electronic device 2 is not secure, so that an attacker can access the internal operation of the electronic device 2, and thus the processing carried out by the processor 4 and the data handled during this processing (this is the white-box cryptography setting mentioned in the introduction).



FIG. 2 shows the main steps of a cryptographic processing method according to the invention. This cryptographic processing method is here implemented by the electronic device 2 (due to the execution of the computer program instructions stored in the storage module 6 as indicated above).


Such a method transforms an input byte I into an output byte O by means of Boolean logic operations, as described, for example, in the article "A new combinational logic minimization technique with applications to cryptology", by J. Boyar and R. Peralta, in International Symposium on Experimental Algorithms, Springer, Berlin, Heidelberg, 2010.


The bits of the input byte I are denoted I_j. This input byte I is therefore written in binary form:

(I_{N−1} ∥ I_{N−2} ∥ … ∥ I_1 ∥ I_0), where ∥ is the concatenation operator, N is the number of bits of the input byte I (here N = 8), I_{N−1} is the highest-order (most significant) bit of the input byte I and I_0 its lowest-order (least significant) bit. (In other applications, N can have a value different from 8, for example N = 128 in the context of an AES algorithm. N is, for example, between 8 and 256.)


The method of FIG. 2 starts with a step E2 in which the processor 4 converts a plurality of words M_i into a respective plurality of input cryptograms C_i by means of a homomorphic encryption function B.


Each word M_i comprises at least one bit of the input byte I and is an element of a first (finite) group G. This first group G is an additive group in the example described here, but could, in a variant, be a multiplicative group, as explained further below.


In practice, it can be provided that each word M_i comprises a first bit equal to one bit I_j of the input byte I and a second bit, in the position immediately above the first, having a predefined value (here 0; in a variant, 1).


According to the embodiment described here, each word M_i comprises exactly one bit I_i of the input byte I (for example, as its low-order bit).


The conversion step E2 therefore uses here N words M_i, respectively associated with the N bits I_i of the input byte I.


The predefined value being 0 here, each word M_i is written in the present case:

M_i = (0 ∥ I_i).

Each word M_i is thus written on 2 bits.


Furthermore, each word M_i could be completed with random bits s_j (determined, for example, randomly during step E2). In this case, each word M_i is written:

M_i = (s_σ ∥ … ∥ s_1 ∥ 0 ∥ I_i), where σ is the number of random bits used.


In a variant, each word M_i could be constructed as follows (the 0 bit then being inserted during the cleaning step E4 described below):

M_i = (s_σ ∥ … ∥ s_1 ∥ I_i).


According to another embodiment, each word M_i could comprise several bits I_j of the input byte I. Thus, each word M_i could, for example, comprise two bits of the input byte I and be written:

M_i = (0 ∥ I_{2i+1} ∥ 0 ∥ I_{2i}).

In the latter case, step E2 uses N/2 words M_i.


The homomorphic encryption function B is a function from the first group G to a second group G′, provided with an operation (denoted here by the symbol "·"), which can be distinct from the first group G.


The homomorphic character of the function B implies that, for all elements a and b of the first group G, B(a)·B(b) = B(a + b).


For example, a modified Benaloh function is used as the homomorphic encryption function B, of the form:

B(a) = y^a · u^r mod p,

where p is a prime number, y and u are integers between 1 and p−1, and r is of the form r = 2^k (k being greater than or equal to 2, and preferably greater than or equal to the size in bits of the words M_i supplied to the function B), r furthermore dividing the order of the second group G′. Functions of this type are described in the article "Dense probabilistic encryption", Josh Benaloh, in Proceedings of the Workshop on Selected Areas in Cryptography, 1994. In this regard, it can be provided that the order of the number y is not equal to the order of the second group G′ divided by r. The length of the number p in bits (that is, log2 p) is, for example, between 4 and 32 bits (i.e., with the high-order bit set to 1 for security reasons, p is, for example, between 2^3 and 2^32 − 1).


According to an embodiment possibility, thanks to the properties of the Benaloh function used here, different values of the number u can be used for the different applications of the homomorphic encryption function B to the different words Mi.


The image values B(a) therefore lie between 1 and p−1, and the second group G′ is here a finite group with p−1 elements (the operation "·" being multiplication in (Z/pZ)*).


For example, words M_i are used whose bit length equals the bit length of the number p (that is, log2 p, where log2 is the base-2 logarithm). When random bits are used as described above, one may then take, for example, σ = log2 p − 1 or σ = log2 p − 2.


It is noted that r is preferably selected such that it divides p−1.


In practice, the step E2 is, for example, implemented by means of at least one first look-up table T1, stored for example in the storage module 6.


This first look-up table stores, for each element a of the first group G (i.e. for each possible value of a), the value that is the image of this element a by the homomorphic encryption function B, i.e. the value B(a).


In this case, the step E2 comprises, for each word Mi, the reading of the input cryptogram Ci associated with this word Mi in the first look-up table T1.


In a variant, it can be provided to use a plurality of first look-up tables T1i for the processing of different words Mi, respectively.


Thus, in the case described here where N words M_i are used, N first look-up tables T1_i can be used. The different first look-up tables T1_i are, for example, formed by using different values of u in the formula defining the function B above (and/or different random bits s_1, …, s_σ in the variants where such random bits are used, as explained above).


In other words, in this case, each first look-up table T1_i stores, for each element a of the first group G, the value y^a · u_i^r mod p, the values u_i being pairwise distinct for i from 0 to N−1.


In this case, step E2 comprises, for each word M_i of index i, reading the input cryptogram C_i associated with this word M_i in the first look-up table T1_i of index i.


According to another variant, the first look-up table T1 can directly convert a bit I_i of the input byte I into the image B(M_i) of the word M_i (associated with this bit I_i) by the homomorphic encryption function B. (As indicated above, the word M_i can be of the form M_i = (0 ∥ I_i), M_i = (s_σ ∥ … ∥ s_1 ∥ I_i) or M_i = (s_σ ∥ … ∥ s_1 ∥ 0 ∥ I_i).)


Also, in this case, several first look-up tables T1_i can be used, respectively for the different bits I_i of the input byte I (the different first look-up tables T1_i could be constructed with different random bits s_1, …, s_σ, as explained above, when such random bits are used).


According to yet another variant, in the case where the words M_i are of the form M_i = (0 ∥ I_{2i+1} ∥ 0 ∥ I_{2i}), the first look-up table T1 can convert a plurality of bits (here the 2 bits I_{2i+1}, I_{2i}) of the input byte into the image B(M_i) of the word M_i (associated with these bits I_{2i+1}, I_{2i}) by the homomorphic encryption function B.


Also, in this case, several first look-up tables T1_i can be used, respectively for the different bit sets (here the bit pairs I_{2i+1}, I_{2i}) of the input byte I (the different first look-up tables T1_i could be constructed with different random bits s_1, …, s_σ, as explained above, when such random bits are used).


According to another variant, the first look-up table T1 can associate, with any byte of the form e_7 e_6 … e_0 (where the e_j are the bits of this byte), the value B(e_7 ∥ e_6 ∥ … ∥ e_1 ∥ 0 ∥ e_0), or the value B_{e_7…e_3}(e_2 ∥ e_1 ∥ 0 ∥ e_0), where B_{e_7…e_3} is the Benaloh function proposed above with the number u defined as a function of the bits e_7 e_6 … e_3.


In this case, during step E2, for each bit I_i of the input byte I, the processor 4 randomly determines a sequence of bits (here, 7 bits) α_1, …, α_7 and reads, in the first look-up table T1, the input cryptogram C_i associated with the byte (α_7 ∥ … ∥ α_1 ∥ I_i) formed from the randomly drawn bits α_1, …, α_7 and the bit I_i of the input byte I in question.


After step E2, the method of FIG. 2 comprises a loop (steps E4 to E8) which performs a predetermined number of passes through steps E4, E5 and E6.


Each of these successive passes through steps E4, E5 and E6, described below, carries out one of the Boolean logic operations mentioned above. Each of these Boolean logic operations is applied either to a bit I_i of the input byte I (for the first Boolean logic operations carried out) or to an intermediate bit a_i obtained by a preceding Boolean operation, possibly also using predefined bits (such as bits of a cryptographic key that is to be applied, by means of a cryptographic algorithm, to the input byte I).


As explained now, each of these Boolean logic operations is carried out by applying the operation "·" (the operation of the second group G′) to cryptograms A_i (each cryptogram A_i being either an input cryptogram C_i obtained in step E2, or an intermediate cryptogram derived from the input cryptograms C_i by previous operations).


Thus, to implement a Boolean logic operation between a first bit a_i and a second bit b_i, the processor 4 carries out, in step E5, the operation A_i·B_i between the image, by the homomorphic encryption function B, of a first word, here (0 ∥ a_i), comprising the first bit a_i, and the image, by B, of a second word, here (0 ∥ b_i), comprising the second bit b_i (i.e., A_i = B(0 ∥ a_i) and B_i = B(0 ∥ b_i)).


Each intermediate cryptogram is thus the image, by the homomorphic encryption function B, of a word comprising a given bit a_i or b_i (which defines what this word represents) and another bit, in the position immediately above the given bit, having the predefined value. As explained below, a cleaning step is implemented when needed to ensure this.


As already indicated, the images A_i, B_i involved in this operation are either input cryptograms C_i obtained in step E2, or the results of previous passes through steps E4 to E6, or cryptograms stored in the storage module 6 (which represent the abovementioned predefined bits, for example bits of a cryptographic key).


Indeed, the inventors have noted that, thanks to the homomorphism property, for all a_i and b_i:

B(0 ∥ a_i) · B(0 ∥ b_i) = B[(0 ∥ a_i) + (0 ∥ b_i)] = B(a_i AND b_i ∥ a_i XOR b_i),

where AND and XOR are respectively the Boolean logic operations "and" and "exclusive or". (The addition in G of the two 2-bit words is the integer sum a_i + b_i, whose high-order bit is the carry a_i AND b_i and whose low-order bit is the sum bit a_i XOR b_i.)


(This observation remains valid in the variant described above where the words M_i comprise several bits I_j of the input byte I, since:

B(0 ∥ a_{i+1} ∥ 0 ∥ a_i) · B(0 ∥ b_{i+1} ∥ 0 ∥ b_i) = B(a_{i+1} AND b_{i+1} ∥ a_{i+1} XOR b_{i+1} ∥ a_i AND b_i ∥ a_i XOR b_i).

Likewise, this observation remains valid in the variants where the cryptograms are generated in step E2 using high-order random bits, since these high-order bits do not take part in the operations between low-order bits, which are carried out as has just been described.)


The processing to be applied (possibly) to the product thus obtained is explained below; it selects, as the value to be used after this processing (depending on the Boolean logic operation to be carried out by the current pass through steps E4 to E6), either the value (a_i AND b_i) or the value (a_i XOR b_i).


Step E5 thus produces a cryptogram A_i·B_i = B(a_i AND b_i ∥ a_i XOR b_i), which is the image, by the homomorphic encryption function B, of a word including the Boolean logic combination (here by "and" or by "exclusive or") of the two bits a_i, b_i comprised respectively in the two words (0 ∥ a_i) and (0 ∥ b_i) that are the arguments, for B, of the two intermediate cryptograms A_i, B_i.


It is noted that the bits a_i, b_i are never handled as such, but always through the operation of the second group G′ (denoted "·") on the intermediate cryptograms A_i, B_i which represent them.


Depending on the logic operation to be carried out (on the bits a_i, b_i) during the current pass through steps E4 to E6, the processor 4 may also implement additional steps, namely here a step E4 of cleaning the cryptograms A_i, B_i (corresponding respectively to the bits a_i, b_i to be processed) and a step E6 of formatting the cryptogram A_i·B_i obtained in step E5.


Indeed, in certain cases no additional step E4, E6 is necessary: the cryptograms A_i, B_i can be processed directly in step E5, and the cryptogram A_i·B_i produced can be used directly for subsequent processing, i.e., either to carry out a new Boolean operation in step E5, or to generate the output byte in step E10 (described below).


In the example described here, no processing is implemented in the additional steps E4, E6 when the Boolean logic operation to be carried out by the current iteration (i.e., the current pass through steps E4 to E6) is an "exclusive or".


Indeed, as explained above, the low-order bit of the argument (a_i AND b_i ∥ a_i XOR b_i) of the cryptogram A_i·B_i then equals (a_i XOR b_i), and the cryptogram A_i·B_i obtained in step E5 can therefore represent a new intermediate bit, equal to a_i XOR b_i, in a subsequent pass through step E5 (or in the generation of the output byte in step E10).


Furthermore, it is noted in this regard that, in the example described here, before carrying out an "exclusive or" in step E5, it is not necessary to ensure (by the cleaning step E4) that the arguments of the cryptograms A_i, B_i processed in step E5 are of the form (0 ∥ a_i), (0 ∥ b_i). Indeed, whatever the values of x and y, (x ∥ a_i) + (y ∥ b_i) = (z ∥ a_i XOR b_i), where z depends on x, y and the carry a_i AND b_i: the low-order bit of the sum is never affected by the high-order bits.


However, when the current iteration of steps E4 to E6 is to carry out an "and" Boolean logic operation, the following processing must be applied to the cryptograms A_i, B_i, A_i·B_i:

    • a cleaning step E4, prior to step E5, which ensures that, for each cryptogram A_i, B_i to be processed, the corresponding argument comprises a first bit and, in the position immediately above it, a second bit having the predefined value, i.e., that this argument is of the form (0 ∥ a_i), (0 ∥ b_i), where, as above, a_i and b_i are the bits whose "and" is to be computed, represented respectively by the cryptograms A_i and B_i;
    • a formatting step E6, subsequent to step E5, which moves the bit (a_i AND b_i) to the low-order position of the cryptogram representing this new intermediate bit (a_i AND b_i), so that this cryptogram can be used as described above in a subsequent pass through steps E4 to E6.


The cleaning step E4 therefore keeps any cryptogram A_i, B_i which can be written B(0 ∥ d_i), i.e., any cryptogram that is the image, by the homomorphic encryption function, of a word whose high-order bit has the predefined value (here 0), and transforms into a new cryptogram B(0 ∥ d_i) any cryptogram A_i, B_i which can be written B(1 ∥ d_i), i.e., any cryptogram that is the image of a word whose high-order bit does not have the predefined value.


The cleaning step E4 is, for example, implemented by means of a second look-up table T2 which, for any d_i, associates with any cryptogram of the form B(0 ∥ d_i) a cryptogram of the form B(0 ∥ d_i) (possibly identical to the cryptogram input to the table T2), and with any cryptogram of the form B(1 ∥ d_i) a cryptogram of the form B(0 ∥ d_i).


This second look-up table T2 is, for example, stored in the storage module 6.


In this case, when a bit a_i represented by a cryptogram A_i and a bit b_i represented by a cryptogram B_i are to be processed by the Boolean logic operation in question (here, "and"), the processor 4 reads, in the cleaning step E4, a cryptogram A′_i associated with the cryptogram A_i in the second look-up table T2, and a cryptogram B′_i associated with the cryptogram B_i in the second look-up table T2.


The cryptograms A′_i and B′_i thus obtained at the output of step E4 are those used for the processing by the operation "·" in step E5, as described above.


The formatting step E6 transforms, as indicated above, the cryptogram B(a_i AND b_i ∥ a_i XOR b_i) (obtained in step E5) into a cryptogram B(x ∥ a_i AND b_i), where x is any bit.


In other words, the formatting step E6 amounts to applying the inverse of the homomorphic encryption function to the cryptogram in question, shifting the word obtained by one bit to the right, and applying the homomorphic encryption function again.


In practice, the formatting step E6 can be implemented by means of a third look-up table T3 which associates with any cryptogram of the form B(d_i ∥ z_i) (i.e., any cryptogram whose argument, via B, has high-order bit d_i) a cryptogram of the form B(x ∥ d_i) (i.e., a cryptogram whose argument, via B, has low-order bit d_i).


This third look-up table T3 is, for example, stored in the storage module 6.


In this case, at the formatting step E6, the processor 4 reads in the third look-up table T3 the cryptogram associated with the cryptogram obtained in step E5; the cryptogram read is then used to represent the new intermediate bit (a_i AND b_i) in the further processing.


After the formatting step E6, the processor 4 determines in step E8 whether the processing involves at least one further Boolean logic operation (implemented here by applying the operation "·" to the cryptograms). Recall that the processor 4 is programmed to carry out a sequence of Boolean logic operations, as described, for example, in the abovementioned article "A new combinational logic minimization technique with applications to cryptology".


If at least one Boolean logic operation remains to be carried out, the method loops to step E4 for the implementation of a new iteration of steps E4 to E6.


If all the Boolean logic operations have been carried out, the method continues in step E10 now described.


In step E10, the processor 4 generates the output byte O from intermediate cryptograms obtained during preceding passes through steps E4 to E6 and which represent the different bits O_i of the output byte O.


The intermediate cryptograms used as output cryptograms C′_i, i.e., to represent the bits O_i of the output byte O, are determined by the sequence of Boolean logic operations to be implemented (each intermediate cryptogram representing an intermediate bit handled during this sequence).


The processor 4 determines the bits O_i of the output byte O by applying to the output cryptograms C′_i, respectively, an inverse function B^{-1} of the homomorphic encryption function B.


In practice, the application of this inverse function can be implemented by means of a fourth look-up table T4, stored for example in the storage module 6.


This fourth look-up table T4 stores, for each possible value Z of a cryptogram, the word B^{-1}(Z), i.e., the argument corresponding to Z via the homomorphic encryption function B.


In this case the processor 4 determines each bit O_i of the output byte O by reading, in the fourth look-up table T4, the word B^{-1}(C′_i) associated with the output cryptogram C′_i in question, the bit O_i of the output byte O being a predetermined bit (here, the low-order bit) of the word B^{-1}(C′_i).


As a variant, the fourth look-up table T4 could directly associate, with each possible value Z of a cryptogram, the low-order bit of the word B^-1(Z), i.e. of the argument corresponding to this value Z via the homomorphic encryption function B.


In yet another variant, the first look-up table T1 (which associates each argument with its cryptogram) could be used by the processor 4 to apply the inverse function B^-1 to the output cryptograms C′i, by looking up which argument maps to C′i.


In the example which has just been described, the first group G is an additive group using a Benaloh-type cryptosystem to define the homomorphic encryption function B.


Still in the case of an additive first group, a Paillier-type cryptosystem can be used as a variant, as introduced in the article “Public-key cryptosystems based on composite degree residuosity classes”, Pascal Paillier, in International Conference on the Theory and Application of Cryptographic Techniques, Springer, Berlin, Heidelberg, 1999.


According to another variant, the first group G can be a multiplicative group.


Within this variant, a homomorphic encryption function (referenced E in this variant) based on an ElGamal-type cryptosystem is used, for example, as described in the article “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms”, Taher ElGamal, in CRYPTO, Springer, 1984.


Thanks to the homomorphism property of this type of encryption function, for any bits a, b: E(1∥a)·E(1∥b) = E(a XOR b ∥ a AND b) (viewed as integers, the product (1∥a)·(1∥b) equals 4, 6 or 9, whose two low-order bits are a XOR b and a AND b). The “and” and “exclusive or” Boolean logic operations can therefore both be carried out in this variant as well, by means of an operation (here, also multiplicative) within the second group G′.
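As an added illustration (not the patent's own code), the following Python checks the identity E(1∥a)·E(1∥b) = E(a XOR b ∥ a AND b) on a toy ElGamal instance. The modulus P = 467, the generator 2, the component-wise product as the operation of the second group and the reading of the result in the two low-order bits of the decrypted word are assumptions of this example; the parameters are far too small to be secure. The example performs a single operation and does not implement the formatting step E6 that the method applies between operations.

```python
"""Added example: ElGamal-type multiplicative variant.

Checks that E(1||a) . E(1||b) decrypts to a word whose two low-order bits
are (a XOR b)||(a AND b). Toy parameters (assumption, not secure):
P = 467 is prime and 467 = 3 mod 8, so 2 is a quadratic non-residue and
therefore a generator of the cyclic group Z_P^* of order 466.
"""
import secrets

P, G = 467, 2


def keygen():
    """Returns (sk, pk) with pk = G^sk mod P."""
    sk = 1 + secrets.randbelow(P - 2)          # private exponent in [1, P-2]
    return sk, pow(G, sk, P)


def encrypt(pk, m):
    """E(m) = (G^k, m * pk^k) mod P for a fresh random k.

    A cryptogram is a pair; the second group G' is Z_P^* x Z_P^*.
    """
    assert 0 < m < P
    k = 1 + secrets.randbelow(P - 2)
    return pow(G, k, P), (m * pow(pk, k, P)) % P


def decrypt(sk, c):
    """E^-1: m = c2 / c1^sk mod P."""
    c1, c2 = c
    return (c2 * pow(pow(c1, sk, P), -1, P)) % P


def mul(c, d):
    """The operation '.' of the second group: component-wise product.

    E(m1) . E(m2) is an encryption of m1 * m2 mod P (multiplicative homomorphism).
    """
    return (c[0] * d[0]) % P, (c[1] * d[1]) % P


def word(a):
    """The word 1||a: a fixed high-order bit 1 above the data bit a (integer 2 or 3)."""
    return 2 | a


def xor_and(a, b, sk, pk):
    """Encrypt 1||a and 1||b, multiply the cryptograms, decrypt, read two bits.

    (2+a)(2+b) is 4, 6 or 9 (binary 100, 110, 1001): bit 1 = a XOR b, bit 0 = a AND b.
    """
    prod = mul(encrypt(pk, word(a)), encrypt(pk, word(b)))
    m = decrypt(sk, prod)
    return (m >> 1) & 1, m & 1


def roundtrip(m):
    """Sanity check of the cryptosystem itself: decrypt(encrypt(m)) == m."""
    sk, pk = keygen()
    return decrypt(sk, encrypt(pk, m))


def check_all():
    """True iff the identity holds for all four (a, b) pairs under a fresh key."""
    sk, pk = keygen()
    return all(xor_and(a, b, sk, pk) == (a ^ b, a & b) for a in (0, 1) for b in (0, 1))


if __name__ == "__main__":
    print("identity holds for all (a, b):", check_all())
```

The check relies on the product of the two words staying below P, so that the integer product is recovered exactly after decryption; with a real modulus this is automatic.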


According to another variant, which can be combined with those described above, the cryptograms handled are masked by a random mask t (here, multiplicative). This random mask is, for example, determined by random drawing during a phase of preparing the electronic device 2 and stored in the storage module 6.


To do this, during step E2, the processor applies the random mask t to the cryptograms Ci by means of the operation “.”. The following steps are thus applied to the cryptograms thus masked, namely t·Ci.


According to one embodiment possibility, a plurality of random masks ti (a priori pairwise distinct) can be respectively applied to the different cryptograms Ci produced during step E2.


In both cases, the application of the mask t or ti can be carried out at the same time as the application of the homomorphic encryption function B, by means of the first look-up table T1. In other words, the first look-up table T1 then stores, for each possible value a within the first group G, the associated masked cryptogram t·B(a).


The other look-up tables T2, T3, T4 are moreover adapted (before being stored in the storage module 6) to take the applied mask into account. In this case, separate second and third look-up tables T2, T3 can be provided for each Boolean operation implemented by means of the operation “.”, so as to take into account the mask t used.


Another variant is now described, according to which the input cryptograms Ci are combined two by two by means of a recombination function based on the Chinese Remainder Theorem.


In this case, certain cryptograms (for example, those corresponding to the even-order bits of the input byte I, these cryptograms being referenced C2i for that reason) are obtained as indicated above by applying the homomorphic encryption function B, with values in the second group G′ of (p−1) elements, to the corresponding word (0∥I2i).


Other cryptograms (for example, those corresponding to the odd-order bits of the input byte, these cryptograms being referenced C2i+1 for that reason) are obtained by applying another homomorphic encryption function B′, with values in a third group G″ of (q−1) elements, to the corresponding word (0∥I2i+1), q being a prime number different from p.


The function B′ is, for example, defined by: B′(b) = y^b · u^r mod q.


The input cryptograms are thus combined two by two by means of a recombination function according to the Chinese Remainder Theorem (CRT). Here, the input cryptograms C2i and C2i+1 are combined as follows:

Ai = CRT(C2i, C2i+1) = C2i · q · iq + C2i+1 · p · ip

where ip and iq are such that q · iq = 1 mod p and p · ip = 1 mod q (and, trivially, q · iq = 0 mod q and p · ip = 0 mod p).


The cryptograms Ai obtained by this combination are those handled during the successive passes through steps E4 and E6.


Thus, the product Ai·Bi of two cryptograms Ai, Bi (Ai representing the cryptograms X and X′: Ai = CRT(X, X′), and Bi representing the cryptograms Y and Y′: Bi = CRT(Y, Y′)) makes it possible to carry out operations on the two bits represented by each of these cryptograms Ai, Bi.


Indeed, since q·iq = 1 mod p and p·ip = 0 mod p: Ai·Bi mod p = (X·q·iq + X′·p·ip)·(Y·q·iq + Y′·p·ip) mod p = X·Y mod p.


Likewise, since p·ip = 1 mod q and q·iq = 0 mod q: Ai·Bi mod q = (X·q·iq + X′·p·ip)·(Y·q·iq + Y′·p·ip) mod q = X′·Y′ mod q.


Thus, the products X·Y and X′·Y′ (corresponding to those obtained in step E5 in the embodiment described above) can be recovered by taking respectively the modulo-p remainder and the modulo-q remainder of the product Ai·Bi.
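The following Python, added here as an illustration and not the patent's own code, runs the CRT variant end to end and, in doing so, also shows the inverse function B^-1 of the main embodiment realised as a look-up table. The Benaloh-type functions B (mod p) and B′ (mod q) follow the form y^b · u^r mod q given above, with r read as the block size; the toy values p = 29, q = 37, r = 4 and y = 2 (a generator of both Z_p^* and Z_q^*) are assumptions and are not secure. With words (0∥a) and (0∥b), B(0∥a)·B(0∥b) encrypts the sum a + b, i.e. the 2-bit word (a AND b)∥(a XOR b), which fits in a block of size 4. The inverse is realised as a table of size r indexed by c^((p−1)/r) rather than as the full table T4 over all cryptogram values; both compute B^-1.

```python
"""Added example: Benaloh-type additive homomorphic encryption modulo two
primes, CRT packing of two cryptograms, one multiplication, and recovery
of (a AND b, a XOR b) for two independent bit pairs.

Toy parameters (assumption, not secure): R = 4 divides P-1 = 28 and
Q-1 = 36; Y = 2 generates Z_P^* and Z_Q^*, so g = Y^((mod-1)/R) has
order exactly R, which makes decryption unambiguous for m in [0, R).
"""
import secrets

P, Q, R, Y = 29, 37, 4, 2


def _dlog_table(mod):
    """Table g^m -> m for m in [0, R), where g = Y^((mod-1)/R) has order R.

    This plays the role of the inverse function B^-1 (the table T4 of the
    text), stored with R entries instead of one entry per cryptogram value.
    """
    g = pow(Y, (mod - 1) // R, mod)
    assert pow(g, R, mod) == 1 and all(pow(g, k, mod) != 1 for k in range(1, R))
    return {pow(g, m, mod): m for m in range(R)}


DLOG = {P: _dlog_table(P), Q: _dlog_table(Q)}


def encrypt(m, mod):
    """B(m) = Y^m * u^R mod 'mod' for a random unit u (B for mod=P, B' for mod=Q).

    B(m1) * B(m2) = Y^(m1+m2) * (u1*u2)^R, an encryption of m1 + m2 mod R.
    """
    assert 0 <= m < R
    u = 1 + secrets.randbelow(mod - 1)
    return (pow(Y, m, mod) * pow(u, R, mod)) % mod


def decrypt(c, mod):
    """B^-1: c^((mod-1)/R) = Y^(m*(mod-1)/R) * u^(mod-1) = g^m, then table look-up."""
    return DLOG[mod][pow(c, (mod - 1) // R, mod)]


def crt(c_p, c_q):
    """Ai = CRT(C2i, C2i+1) = C2i*Q*iq + C2i+1*P*ip with Q*iq = 1 mod P, P*ip = 1 mod Q."""
    iq = pow(Q, -1, P)
    ip = pow(P, -1, Q)
    return (c_p * Q * iq + c_q * P * ip) % (P * Q)


def bits_of_sum(s):
    """The 2-bit word a + b = (a AND b)||(a XOR b): returns (and_bit, xor_bit)."""
    return (s >> 1) & 1, s & 1


def and_xor_packed(a, b, a2, b2):
    """One product of packed cryptograms evaluates both (a, b) mod P and (a2, b2) mod Q.

    Returns ((a AND b, a XOR b), (a2 AND b2, a2 XOR b2)).
    """
    A = crt(encrypt(a, P), encrypt(a2, Q))     # Ai = CRT(X, X')
    B = crt(encrypt(b, P), encrypt(b2, Q))     # Bi = CRT(Y, Y')
    prod = (A * B) % (P * Q)
    # prod mod P = X*Y mod P and prod mod Q = X'*Y' mod Q (see the derivation above)
    return bits_of_sum(decrypt(prod % P, P)), bits_of_sum(decrypt(prod % Q, Q))


def check_all():
    """True iff every combination of the four input bits is evaluated correctly."""
    return all(
        and_xor_packed(a, b, a2, b2) == ((a & b, a ^ b), (a2 & b2, a2 ^ b2))
        for a in (0, 1) for b in (0, 1) for a2 in (0, 1) for b2 in (0, 1)
    )


if __name__ == "__main__":
    print("all 16 input combinations correct:", check_all())
```

The reduction of the packed product modulo P·Q is harmless: it changes neither the residue modulo P nor the residue modulo Q, which is all the recovery step uses. Note that decryption only works because a + b never reaches R; a larger block size would be needed if more than two bits were summed before decryption.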

Claims
  • 1. Cryptographic processing method transforming an input byte into an output byte, the method comprising the following steps: converting a plurality of words, each comprising at least one bit of the input byte, into input cryptograms by application, to each of said words, of a homomorphic encryption function from a first group to a second group provided with an operation;obtaining output cryptograms as a function of the input cryptograms, this obtaining step including at least one processing event during which said operation is applied to two intermediate cryptograms, this processing event producing a cryptogram that is an image by the homomorphic encryption function of a word including a Boolean logic combination of two bits comprised respectively in two words that are arguments, for the homomorphic encryption function, of said two intermediate cryptograms;determining bits of the output byte by applying respectively to the output cryptograms, an inverse function of the homomorphic encryption function,
  • 2. Method according to claim 1, wherein the conversion step is applied to words, each comprising a first bit equal to a bit of the input byte and a second bit, the order of which is immediately greater than the first bit and which has said predefined value.
  • 3. Method according to claim 1, comprising a step of determining, by random drawing, a binary word comprising at least one bit, wherein the conversion step is applied to words each comprising said binary word and a given bit equal to a bit of the input byte.
  • 4. Method according to claim 1, wherein the converting step is applied to words each comprising a plurality of bits of the input byte.
  • 5. Method according to claim 1, wherein the processing event comprises the reading of a cryptogram associated, in a look-up table, to the result of the operation applied to the two intermediate cryptograms.
  • 6. Method according to claim 1, wherein the converting step comprises a step of applying the operation to an input cryptogram and to a mask.
  • 7. Method according to claim 1, wherein the obtaining step comprises a step of combining two input cryptograms by a recombination function according to the Chinese Remainder Theorem.
  • 8. Method according to claim 1, wherein the operation is a multiplication and wherein the second group is a finite field.
  • 9. Cryptographic processing method transforming an input byte into an output byte, the method comprising the following steps: converting a plurality of words, each comprising at least one bit of the input byte, into input cryptograms by application, to each of said words, of a homomorphic encryption function from a first group to a second group provided with an operation;obtaining output cryptograms as a function of the input cryptograms, this obtaining step including at least one processing during which said operation is applied to two intermediate cryptograms, this processing producing a cryptogram that is an image by the homomorphic encryption function of a word including a Boolean logic combination of two bits comprised respectively in two words that are arguments, for the homomorphic encryption function, of said two intermediate cryptograms;determining bits of the output byte by applying respectively to the output cryptograms, an inverse function of the homomorphic encryption function,
  • 10. Method according to claim 9, comprising a step of determining, by random drawing, a binary word comprising at least one bit, wherein the converting step is applied to words, each comprising said binary word and a given bit equal to a bit of the input byte.
  • 11. Method according to claim 9, wherein the converting step is applied to words, each comprising a plurality of bits of the input byte.
  • 12. Method according to claim 9, wherein the processing comprises the reading of a cryptogram associated, in a look-up table, to the result of the operation applied to the two intermediate cryptograms.
  • 13. Method according to claim 9, wherein the converting step comprises a step of applying the operation to an input cryptogram and to a mask.
  • 14. Method according to claim 9, wherein the obtaining step comprises a step of combining two input cryptograms by a recombination function according to the Chinese Remainder Theorem.
  • 15. Method according to claim 9, wherein the operation is a multiplication and wherein the second group is a finite field.
  • 16. Electronic device comprising a processor and a memory storing computer program instructions designed to implement the following steps when these instructions are executed by the processor: converting a plurality of words, each comprising at least one bit of the input byte, into input cryptograms by application, to each of said words, of a homomorphic encryption function from a first group to a second group provided with an operation;obtaining output cryptograms as a function of the input cryptograms, this obtaining step including at least one processing during which said operation is applied to two intermediate cryptograms, the argument corresponding to each intermediate cryptogram via the homomorphic encryption function comprising a first bit and a second bit, the order of which is immediately greater than the first bit and which has a predefined value, said processing producing a cryptogram that is an image by the homomorphic encryption function of a word including a Boolean logic combination of two bits comprised respectively in two words that are arguments, for the homomorphic encryption function, of said two intermediate cryptograms;determining bits of the output byte by applying respectively to the output cryptograms, an inverse function of the homomorphic encryption function.
Priority Claims (1)
Number Date Country Kind
1915071 Dec 2019 FR national