The invention relates to an electronic calculating device, an electronic calculating method, and a computer readable medium.
In secure computing, especially in white-box cryptography, numbers are often encoded in the Residue Number System (RNS) representation. In a Residue Number System (RNS), a modulus m is a product $m = m_1 \cdots m_k$ of relatively prime smaller moduli $m_i$, and integers $y \in [0, m)$ are uniquely represented by their list of residues $(y_1, \dots, y_k)$, where $y_i = |y|_{m_i}$ is the (exact) residue of y modulo $m_i$.
The RNS representation is advantageous, since arithmetic on RNS represented numbers can often be done separately on the RNS digits. For example, to add or multiply two numbers in RNS representation it suffices to add or multiply the corresponding components modulo the corresponding moduli. In this way, the problem of carries has to a large extent disappeared. Especially in white-box cryptography the RNS representation is advantageous.
In white-box implementations, computations are done on encoded data, using tables that represent the result of the computations. Although even in white-box it is possible to correctly take carries into account, using RNS can simplify computations considerably. Moreover, the presence or absence of a carry is hard to hide and can be a side-channel through which a white-box implementation can be attacked, e.g., a white-box implementation of a cryptographic algorithm depending on a secret key, such as a block cipher, etc.
Nevertheless, it is sometimes required to represent a number in radix representation. The most basic type of radix representation is also called the b-ary representation, for some integer b. Given the positive integer b, the b-ary representation of an integer $y \in [0, b^s)$ writes y in the form $y = d_0 + d_1 b + \dots + d_{s-1} b^{s-1}$ with b-ary (integer) digits $d_i \in [0, b)$ for all i. For example, an integer may represent a result, e.g., an output of a computation. The result may have to be reported, e.g., to a user, who is not used to seeing numbers in RNS representation. The result may have to be further processed by some algorithm that does not expect an RNS number. For example, the result is to be further rendered, or further processed, possibly in a non-secure routine. For example, a digit-based algorithm, such as the digit-based Montgomery multiplication, needs a radix representation as input.
The inventors found that known algorithms for converting RNS representation to a Radix representation do not convert well to secure computing, in particular to white-box computing. In a white-box computation, also during a RNS to Radix conversion, the software should not leak information on the encoding used to protect the software. However, as will be further detailed below this is not the case.
The inventors found that during conversion of RNS represented numbers to radix representation some of the intermediate values tend to become smaller and smaller. This therefore creates an opportunity to leak information regarding the way small numbers are encoded in the system. It is considered undesirable to give an attacker the opportunity to obtain information on the encoding. Such information may be leveraged in attacks on other parts of the system.
An electronic calculating device is provided arranged to convert an input number represented in a residue number system (RNS) to an output number represented in a radix representation, as defined in the claims. Obfuscation added during the updating of the intermediate number counters the decreasing of the intermediate number. The attacker thus cannot obtain information on small numbers by observing the intermediate values.
Possible applications of the conversion are to report the result of an earlier computation done in RNS, e.g., to the user, or in an electronic report of some kind, or to render the result. Conversion may also be needed as part of digit-based algorithms; since the algorithm can work entirely with pseudo-residues, its output can be used directly by such algorithms. RNS systems are widely used, for example in digital signal processing and cryptography. The method is well-suited to be used in white-box applications since it can work with small data elements only, so that all arithmetic can be done by table lookup.
A method according to the invention may be implemented on a computer as a computer implemented method, or in dedicated hardware, or in a combination of both. Executable code for a method according to the invention may be stored on a computer program product. Examples of computer program products include memory devices, optical storage devices, integrated circuits, servers, online software, etc. Preferably, the computer program product comprises non-transitory program code stored on a computer readable medium for performing a method according to the invention when said program product is executed on a computer.
In a preferred embodiment, the computer program comprises computer program code adapted to perform all the steps of a method according to the invention when the computer program is run on a computer. Preferably, the computer program is embodied on a computer readable medium.
Another aspect of the invention provides a method of making the computer program available for downloading. This aspect is used when the computer program is uploaded into, e.g., Apple's App Store, Google's Play Store, or Microsoft's Windows Store, and when the computer program is available for downloading from such a store.
Further details, aspects, and embodiments of the invention will be described, by way of example only, with reference to the drawings. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. In the Figures, elements which correspond to elements already described may have the same reference numerals. In the drawings,
While this invention is susceptible of embodiment in many different forms, there are shown in the drawings and will herein be described in detail one or more specific embodiments, with the understanding that the present disclosure is to be considered as exemplary of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.
In the following, for the sake of understanding, elements of embodiments are described in operation. However, it will be apparent that the respective elements are arranged to perform the functions being described as performed by them.
Further, the invention is not limited to the embodiments, and the invention lies in each and every novel feature or combination of features described herein or recited in mutually different dependent claims.
Integers can be represented in a number of different ways. This application is concerned with radix representations and residue number system representations (RNS).
Radix representations come in a number of flavors. The most basic type of radix representation is also called the b-ary representation, for some integer b. Given the positive integer b, the b-ary representation of an integer $y \in [0, b^s)$ writes y in the form $y = d_0 + d_1 b + \dots + d_{s-1} b^{s-1}$ with b-ary (integer) digits $d_i \in [0, b)$ for all i. More generally, given numbers $b_0, \dots, b_{s-1}$, a Mixed Radix (MR) representation writes an integer y in the form $y = d_0 + d_1 b_0 + \dots + d_{s-1} b_0 \cdots b_{s-2} + q\, b_0 \cdots b_{s-1}$ with integer MR-digits $d_i \in [0, b_i)$ for all i, for some integer q. In some applications a correction term q may be allowed. If y is small enough, a correction term is not needed.
The inventors found that even the mixed radix representation may be further generalized. In the generalized mixed radix representation (GMR), a number is represented as $y = e_0 + e_1 b_0 + \dots + e_{s-1} b_0 \cdots b_{s-2} - \varepsilon_{s-1} b_0 \cdots b_{s-1} = e - \varepsilon_{s-1} b_0 \cdots b_{s-1}$. A difference with the mixed radix representation is that the digits $e_i$ are not required to be chosen from the interval $[0, b_i)$, but are allowed to be pseudo-residues modulo $b_i$. An integer p is a pseudo-residue of the integer x modulo m if $p \equiv x \pmod m$ and $0 \le p < \varphi m$, for some predetermined integer φ. The integer φ is called the expansion bound, and limits the growth of the pseudo-residues. If φ=1, the pseudo-residue is a regular residue.
It is possible to further loosen the restriction on pseudo-residues, e.g., by merely requiring that $-\varphi m < p < \varphi m$. For convenience of presentation we will not make this loosened assumption, but it is understood that the discussion below could easily be adapted to take the less restrictive bound into account.
If φ>1 there is more than one choice for a digit in generalized MR representation. As a result, the representation in generalized MR representation is typically not unique. The inventors found that in many applications in which an MR representation is employed as an input, a generalized MR representation can often also be used. This is advantageous, as computing a generalized MR representation may be done more efficiently and with better obfuscation options. For example, if the MR representation is used as input for a digit-based Montgomery multiplication algorithm, then the generalized MR representation can be used. By setting φ=1 in the embodiments below, a regular MR representation is obtained. By setting $b_i = b$ for all i, and φ=1, a b-ary representation is obtained.
In a Residue Number System (RNS), a modulus m is a product $m = m_1 \cdots m_k$ of relatively prime smaller moduli $m_i$, and integers $y \in [0, m)$ are uniquely represented by their list of residues $(y_1, \dots, y_k)$, where $y_i = |y|_{m_i}$ is the (exact) residue of y modulo $m_i$.
Conversion is the operation of converting a number in RNS representation to a radix type representation. In secured applications, typically both the b-ary digits (or MR-digits) of a large integer and its pseudo-residues are given in encoded form, e.g., with multiple representations possible by encoding with a state, and conversion should be done without leaking any information about these digits. Conventional algorithms typically use a form of modular arithmetic modulo the bi to determine the MR-digits. See, for more information on white-box, the paper by Chow et al “A White-Box DES Implementation for DRM Applications”. See, for more information on white-box, and in particular on encoding using states the application “Computing device configured with a table network”, published under number WO2014096117. See also, “Computing device comprising a table network”, published under number WO2014095772, for information on how to represent computer programs in white box form.
In embodiments, a conversion is computed from, e.g., a pseudo-RNS representation, employing pseudo-residues only, in a way suitable for secure implementations. Embodiments use modular arithmetic modulo the bi, but note that some embodiments do not require exact residues, but instead pseudo-residues. Embodiments prevent the leaking of information inherent in conventional conversion. Moreover, since the algorithm can work entirely with pseudo-residues, the representation obtained from our conversion algorithm can also be used in digit-based algorithms, when implemented in RNS.
In an embodiment, the system is implemented using white-box cryptography. Data is represented in encoded form, possibly together with a state. States are redundant variables so that the encoding is not unique. For example, a (possibly very large) integer y may be represented by its list of residues (y1, . . . , yk), in encoded form. That is, every residue yi is given in the form
During conversion in white-box, the MR digits of an integer must be obtained in encoded form from the encoded residues. Conventional RNS to MR conversion algorithms have various drawbacks, especially in the context of white-box implementations.
For example, conversion methods based on the Chinese Remainder Theorem (CRT) involve direct computations with very large integers, and hence will involve some form of add-with-carry algorithms. Such methods are less suitable in white-box applications since the carries even in encoded form will probably leak information. White-box prefers methods that do computations with relatively small (encoded) data; large integers will be represented by a list of (encoded) digits. For example, the encoded data may be about byte size.
In a Residue Number System (RNS), an integer y is represented by its list of residues $(y_1, \dots, y_k)$, where $y_i = |y|_{m_i}$ is the residue of y modulo the i-th modulus $m_i$.
In the discussion below, we will further assume that the moduli are relatively prime; this will make the presentation easier to follow. However, the embodiments below may be adapted to the case where not all moduli are relatively prime, e.g., if there are at least two moduli $m_i$ and $m_j$ that have a common divisor larger than 1.
We continue with $m = m_1 \cdots m_k$, and the assumption that the moduli are all pairwise relatively prime. Using the Chinese Remainder Theorem (CRT) an integer y with 0≤y<m can be recovered uniquely from its list of residues $(y_1, \dots, y_k)$ based on the fact that

$$y = \sum_{i=1}^{k} y_i \left| (m/m_i)^{-1} \right|_{m_i} \frac{m}{m_i} - q\, m$$
for some integer q. In applications, it is often required to be able to recover y from its list of residues $(y_1, \dots, y_k)$ in a fast way. Methods based on MR conversion attempt to write a given integer y with 0≤y<m into Mixed-Radix form as

$$y = d_0 + d_1 b_0 + \dots + d_{s-1} b_0 \cdots b_{s-2} + q\, b_0 \cdots b_{s-1} = d_0 B_0 + d_1 B_1 + \dots + d_{s-1} B_{s-1} + q B \qquad (2)$$

for integer-valued MR-digits $d_0, \dots, d_{s-1}$ with $0 \le d_i < b_i$ and integer q; here $B_i = b_0 \cdots b_{i-1}$ for all i (and $B_0 = 1$), and $B = B_s = b_0 \cdots b_{s-1}$. Such representations will be referred to as Mixed-Radix (MR) representations. A typical example is the case where $b_0 = b_1 = \dots = b_{s-1} = b$, giving a b-ary representation.
Consider the following reference method for conversion in an RNS, which does not comprise the feature of adding an obfuscating number. Given an RNS based on moduli $m_1, \dots, m_k$ with dynamical range $m = m_1 \cdots m_k$, for converting an integer $y \in [0, m)$ from RNS to radix, proceed as follows.
1. Set $y^{(0)} = y$.
2. For $t = 0, \dots, s-1$, compute
(a) $d_t = |y^{(t)}|_{b_t}$;
(b) $y^{(t+1)} = (y^{(t)} - d_t)/b_t$ (exact division).
Then $y^{(t)} = d_t + d_{t+1} b_t + \dots + d_{s-1} b_t \cdots b_{s-2}$ for all t and, in particular, $y = y^{(0)} = d_0 + d_1 b_0 + \dots + d_{s-1} b_0 \cdots b_{s-2}$, with digits $d_t \in [0, b_t)$. We can compute an RNS representation $(y_{t+1,1}, \dots, y_{t+1,k})$ for $y^{(t+1)}$ from the RNS representation $(y_{t,1}, \dots, y_{t,k})$ of $y^{(t)}$ by using that

$$y_{t+1,i} \equiv (y_{t,i} - d_t)\, b_t^{-1} \pmod{m_i},$$

provided that $b_t$ and $m_i$ are relatively prime; if not, then we can use, e.g., base extension, e.g., using a method employing mixed-radix conversion (See, Garner, The Residue Number System, IRE Transactions On Electronic Computers, June 1959, pp 140-147) or a method using a redundant modulus (See, A. P. Shenoy and R. Kumaresan. Fast base extension using a redundant modulus in RNS. Computers, IEEE Transactions on, 38(2):292-297, 1989) to determine the new residue. Also, to determine $d_t$, if $b_t$ is equal to some modulus $m_i$, then $d_t = y_{t,i}$; if not, then $d_t$ may again be determined by base extension.
A disadvantage of the reference algorithm described above is that the numbers $y^{(t)} = d_t + d_{t+1} b_t + \dots + d_{s-1} b_t \cdots b_{s-2}$ get smaller and smaller, which is undesirable in white-box applications. Because of the decreasing entropy in the $y^{(t)}$, this may leak information. For example, it is known that the last value $y^{(s-1)} = d_{s-1}$ is small, but it is encoded in the full (encoded) RNS system. As a consequence, information about the encoding of "small" numbers is leaked. An attacker can thus build a list of encoded small numbers.
The leaked encoding of small numbers can be leveraged by an attacker in different ways. For example, by analyzing the output of individual modular addition tables when given these small numbers as input, an attacker may be able to obtain the value of small numbers from their encoded versions. By further analysis, the attacker may then even undo the encodings for all numbers and thus obtain the values of variables while the program runs. Moreover, these same small numbers may be repeated elsewhere in the white-box implementation. The attacker can now recognize the occurrence of small numbers everywhere in the white-box implementation. This information may be leveraged in attacking other parts of the implementation. Although this could be mitigated by using different encodings in different parts of the white-box implementation, this would require many more tables for doing computations, i.e., one set for each encoding, and thus increase the footprint of the implementation. To avoid a separate encoding for each part of the program, it is thus desirable to limit leakage in all parts as much as possible.
A further disadvantage of the above reference algorithm is that it cannot work with pseudo-residues since it assumes that in the t-th iteration, the digit dt can be determined exactly.
As further detailed below, in contrast, in an embodiment, with a suitable choice of the $f_t$ it can be ensured that the $\hat y^{(t)}$ are spread over their full range, and thus do not leak information. Also, the algorithm can work with pseudo-residues instead of residues, except that in the base extensions, the arithmetic modulo the redundant modulus $m_0 \ge \varphi(k-1)$ has to be exact. Note that the redundant modulus may be the product of relatively prime small moduli, so that the redundant modulus does not place a constraint on the possible size k of the RNS. In some embodiments, obfuscating integers $f_t$, e.g., random ones, are used to increase the entropy of the intermediate results, and, by varying these obfuscating integers, to allow a different version of the algorithm with every run, even with different encodings in the white-box case. In some embodiments, the algorithm operates with pseudo-residues instead of residues, with the possible exception of the redundant modulus arithmetic, which in an embodiment is exact. By introducing requirements on the redundant modulus, embodiments may use base extension with pseudo-residues instead of only exact residues.
Embodiments of the calculating device according to the inventions are illustrated with respect to
The calculating device 100 shown in
Calculating device 100 comprises an input interface 110 arranged to receive the input number (y) represented in the residue number system. The input interface may be selected from various alternatives. For example, input interface 110 may be a network interface to a local or wide area network, e.g., the Internet, a storage interface to an internal or external data storage, a keyboard, etc. The interface may be an application program interface (API). Computing device 150 may share the processor circuit and memory. Computing device 150 may use calculating device 100 by starting to execute the appropriate code, e.g., retrieving and applying the tables needed for the conversion algorithm.
For example, input interface 110 may obtain the input number y as a sequence of encoded integers. The encoded integers represent the residues modulo the moduli $m_i$ of the RNS. For example, input interface 110 may obtain the encoded integers in the form of pointers to said encoded integers, etc.
Calculating device 100 comprises a processor circuit 120. The processor circuit may be a single core, or may have multiple cores. The processor circuit may be distributed over two, possibly physically separated, processor circuits, e.g., sub-circuits. Calculating device 100 comprises a memory 130. The memory may comprise a volatile and a non-volatile part. The latter is optional, for example, in an embodiment constant parts of the data, e.g., processor instructions, tables or data constants, may be downloaded before the conversion is started. The volatile part of memory may store any one of input data, intermediate data, and output data, etc., on which processor circuit 120 acts. Processor circuit 120 may be a general-purpose computer processor arranged to execute programming instructions stored in a memory. Processor circuit 120 may also be, possibly in part, a specialized circuit arranged to execute a method according to the invention. For example, processor circuit 120 may comprise hardware arranged to retrieve and/or apply a look-up table.
For example, memory 130 may store look-up tables that are configured to act upon encoded data. For example, memory 130 may store variables, e.g., intermediate data, on which the tables act. For example, processor circuit 120 may retrieve a table from memory 130 and apply it to one or more data items that are also retrieved from memory 130. The result may be stored in memory 130, and may be later used to form the input for yet further table operations. Part of memory 130 may be a read-only memory, e.g., to store programming instructions, or tables.
Memory 130 in particular stores an intermediate number (ŷ) represented in the residue number system. The intermediate number may initially be the number y received at the input of calculating device 100. The intermediate number may also be obtained from the input number after optional additional processing, e.g., additional obfuscation, a further encoding, an encoding translation, etc. In the latter step, an encoding used in computing device 150 is changed to an encoding used in calculating device 100.
Processor circuit 120 is configured to iteratively update the intermediate number ŷ. The representation of the intermediate number remains in the residue number system, preferably in encoded form. Each iteration produces a digit of the digits e0, e1, . . . , es−1 in the radix representation with respect to the bases b0, b1, . . . , bs−1 of the radix representation. An iteration comprises
More details of the computing and updating step are provided below with respect to
Calculating device 200 comprises a variable storage 235. Variable storage 235 stores intermediate data on which calculating device 200 acts. In particular, variable storage 235 stores the intermediate number represented in RNS. The input number y may also be stored in variable storage 235. For example, the input interface may be implemented by storing the input number in variable storage 235, possibly in combination with initiating the conversion process.
Calculating device 200 also comprises a constant storage 230. Constant storage 230 may be implemented as a read-only memory. For a white-box implementation constant storage 230 comprises look-up tables for operating on encoded data. Constant storage 230 may also, or instead, comprise programming instructions for operating on (encoded) data, etc. Constant storage 230 may also comprise the bases b0, b1, . . . , bs−1 of the radix representation and/or the moduli mi of the RNS system. However, in an embodiment these numbers are implicit in the tables used, and need not be explicitly listed, not even in encoded form.
Calculating device 200 comprises a digit forming unit 210. Digit forming unit 210 is configured to compute the intermediate number modulo a base ($b_t$) of the radix representation to obtain a digit ($e_t$, a pseudo-residue of $\hat y$ modulo $b_t$).
Calculating device 200 is configured to iterate the digit forming unit 210. The iterations produce the digits $(e_0, e_1, \dots, e_{s-1})$ in the radix representation with respect to the bases $(b_0, b_1, \dots, b_{s-1})$ of the radix representation. The digits produced by digit forming unit 210 may be stored in a digit storage 240. Digit storage 240 may be combined with variable storage 235. Digit storage 240 may thus contain the output of calculating device 200. The content of digit storage 240 may be used by further algorithms, e.g., for rendering, for reporting, etc.
In what follows, we will need the notion of a pseudo-residue. A pseudo-residue of an integer x modulo a modulus m is an integer p for which $p \equiv x \pmod m$. We will write $p = [x]_m$ to denote an (unspecified) pseudo-residue. We speak of pseudo-residues with (integer) expansion factor φ if the pseudo-residues $p = [x]_m$ satisfy $0 \le p < \varphi m$. A pseudo-residue allows more freedom than an exact residue, which is required to lie in the interval [0, m), that is, 0≤p<m. On the other hand, ensuring that all variables are pseudo-residues avoids unrestricted growth of the variables. The additional freedom of using pseudo-residues allows more efficient algorithms, e.g., for the modular arithmetic, even when taking into account that the residue has to conform to the expansion factor. For exact residues we write $p = |x|_m$; in this case 0≤p<m.
We now present a new method suitable for white-box for conversion, such as conversion from a Residue Number System (RNS) to a Radix type representation. The algorithm is suitable to receive the input in pseudo-residues, and to employ mostly pseudo-residues during computations.
Let $m = m_1 \cdots m_k$ with the $m_i$ relatively prime positive integers. In the RNS based on the moduli $m_1, \dots, m_k$, an integer y in the range [0, m), that is, with 0≤y<m, is represented by its list of residues $(y_1, \dots, y_k)$, where the $y_i = [y]_{m_i}$ may be pseudo-residues or exact residues. By the Chinese Remainder Theorem (CRT), every integer in the range [0, m) can be recovered uniquely from its list of pseudo-residues. We refer to the representation of $y \in [0, m)$ by its list of (pseudo-)residues $(y_1, \dots, y_k)$ as a Residue Number System (RNS) representation of y. We will use the term pseudo-RNS representation to emphasize that in the RNS type representation pseudo-residues for the components $y_i$ are allowed. As exact residues are a special case of pseudo-residues, so is an exact RNS a special case of a pseudo-RNS. The algorithms may be adapted to use only exact residues by setting the expansion factor φ to 1.
Let $b_0, \dots, b_{s-1}$ be positive integers. The Mixed-Radix (MR) representation of an integer y with respect to $(b_0, \dots, b_{s-1})$ writes y as

$$y = d_0 + d_1 b_0 + d_2 b_0 b_1 + \dots + d_{s-1} b_0 \cdots b_{s-2} + q\, b_0 \cdots b_{s-1}, \qquad (4)$$

with integer digits $d_0, \dots, d_{s-1}$ for which $d_i \in [0, b_i)$ and with an integer q. In applications, the value of q may be restricted, possibly even to q=0, if the size of y is known because of the application which produced y. For convenience, we will assume q=0.
In various applications, we want to compute the digits $d_0, \dots, d_{s-1}$ of the MR representation of $y \in [0, m)$ from its (pseudo-)residues $(y_1, \dots, y_k)$. Note that, for example, in the case where $b_0 = \dots = b_{s-1} = b$, the $d_i$ are just the b-ary digits of y, and in the case where s=k and $b_i = m_{i+1}$ with q=0, this is the Mixed-Radix (MR) representation with respect to the moduli $m_1, \dots, m_k$.
To find the MR representation of a number $y = d_0 + d_1 b_0 + \dots + d_{s-1} b_0 \cdots b_{s-2}$, given in RNS representation (note that q is assumed to be 0), or an approximation thereto, we propose the following algorithm, with parts 1 and 2, the latter having subparts 2a and 2b:
1. Set $\hat y^{(0)} = y$;
2. for $t = 0, \dots, s-1$, do
(a) $e_t = [\hat y^{(t)}]_{b_t}$, a pseudo-residue of $\hat y^{(t)}$ modulo $b_t$;
(b) $\hat y^{(t+1)} = (\hat y^{(t)} - e_t + b_0 \cdots b_{s-1} f_t)/b_t$.
Here $f_0, \dots, f_{s-1}$ are (possibly data dependent) obfuscating constants, subject to certain conditions to be discussed below; they could be changed for each new run of the algorithm. We may refer to $b_0 \cdots b_{s-1} f_t$ as the obfuscating number $F_t$. If all obfuscating numbers are equal, we may also refer to F, without the subscript indicating the iteration. The obfuscating numbers $F_t$ or the integers $f_t$ may be precomputed and stored in constant storage 230.
In part 1 an intermediate number ŷ is set equal to the input number y. In the iterated parts 2a and 2b, a digit of the MR representation is determined (part 2a), and the intermediate number ŷ is updated (part 2b). Note that for clarity the subsequent values of the intermediate number ŷ are given indices t to distinguish them. However, in an embodiment the intermediate number may be overwritten with a new value when it is available.
Note also that the MR digit computed in part 2a is a pseudo-residue. If the expansion factor is 1, a pseudo-residue is an exact residue, and part 2a yields a digit of the conventional mixed radix representation. If the expansion factor is larger than 1, the digit computed in part 2a may differ from the exact residue, and the generalized mixed radix representation is obtained. Note that the expansion factor is under control of the implementer, e.g., by selecting the modular arithmetic that is used. A higher expansion factor allows the designer more freedom and is often preferred, but an expansion factor of 1 is also possible. In an embodiment, the pseudo-residue used in part 2a need not be an exact residue; for example, in an embodiment at least one of the digits $e_t$ is larger than or equal to the base $b_t$ of the radix representation. In case the more general pseudo-residues with $-\varphi m < p < \varphi m$ are used, it can also happen that at least one of the digits $e_t$ is less than 0. Some of the integer factors $f_t$ may be zero, but at least some of them are positive.
In part 2b the obfuscating number $b_0 \cdots b_{s-1} f_t$ may be replaced by $b_t \cdots b_{s-1} f_t$. This has the advantage that a larger range of choices for $f_t$ is available. For example, in an embodiment the obfuscating number is a multiple of the product of the bases used in the next iterations, e.g., $F_t = b_{t+1} \cdots b_{s-1} f_t$. If the obfuscating number is not a multiple of $b_t$, the obfuscating number may be added after the division; this is less preferred.
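The reference method and the obfuscated method side by side, as an added Python example that is not part of the application text. It works with exact residues only (expansion factor 1) and with radix bases that are coprime to the RNS moduli, so that the exact division by $b_t$ is a multiplication by $b_t^{-1}$ modulo every $m_i$ and no modulus is consumed; each digit $e_t = \hat y^{(t)} \bmod b_t$ is obtained inside the RNS by Shenoy-Kumaresan base extension through a redundant modulus $m_0$ with exact arithmetic. The moduli, the bases, the obfuscating constants $f_t$ and the test value are assumptions of this example. The full CRT reconstruction appears only to display the intermediate numbers; a white-box implementation would never materialise them.

```python
"""RNS-to-radix conversion: reference method versus obfuscated method.

Added example, not the application's own code.  Exact residues only
(expansion factor 1), radix bases coprime to the RNS moduli, and
Shenoy-Kumaresan base extension through a redundant modulus m0 to obtain
each digit e_t = y^(t) mod b_t without leaving the RNS.  Moduli, bases and
obfuscating constants f_t are chosen here for illustration only.
"""
from math import prod

MODULI = [1000003, 1000033, 1000037, 1000039]  # pairwise coprime primes, m ~ 2^80
M0 = 257                                        # redundant modulus, exact arithmetic, m0 >= k
BASES = [256] * 4                               # b-ary radix, b = 256, s = 4, B = 2^32


def rns_encode(x, moduli=MODULI):
    """RNS representation of x: the list of exact residues x mod m_i."""
    return [x % mi for mi in moduli]


def crt_reconstruct(res, moduli=MODULI):
    """Full CRT reconstruction, used here only to display intermediate values.
    A white-box implementation never materialises this large integer."""
    m = prod(moduli)
    return sum(ri * pow(m // mi, -1, mi) * (m // mi) for ri, mi in zip(res, moduli)) % m


def base_extend(res, r0, new_mod, moduli=MODULI, m0=M0):
    """Residue of x modulo new_mod, given the residues res of x modulo the
    moduli and its exact residue r0 modulo the redundant modulus m0.
    Requires 0 <= x < m = prod(moduli).  By the CRT,
        x = sum_i x_i * (m/m_i) - q*m   with x_i = |res_i * (m/m_i)^-1|_{m_i},
    and 0 <= q < k, so q is recovered exactly modulo m0 >= k.  Only arithmetic
    modulo m0 and modulo new_mod is needed (Shenoy-Kumaresan)."""
    m = prod(moduli)
    s0 = s_new = 0
    for ri, mi in zip(res, moduli):
        mhat = m // mi
        xi = (ri * pow(mhat, -1, mi)) % mi
        s0 = (s0 + xi * (mhat % m0)) % m0
        s_new = (s_new + xi * (mhat % new_mod)) % new_mod
    q = ((s0 - r0) * pow(m % m0, -1, m0)) % m0
    return (s_new - q * (m % new_mod)) % new_mod


def rns_to_radix(y_res, y0, fs, bases=BASES, moduli=MODULI, m0=M0):
    """Iterative conversion (parts 1, 2a, 2b).  fs = [0]*s gives the reference
    method; f_t > 0 adds the obfuscating number F_t = b_0...b_{s-1}*f_t before
    the exact division by b_t.  Returns the digits e_0..e_{s-1} and, for
    illustration only, the integer value of every intermediate number."""
    big_b = prod(bases)
    res, r0 = list(y_res), y0
    digits, trace = [], [crt_reconstruct(res, moduli)]
    for bt, ft in zip(bases, fs):
        et = base_extend(res, r0, bt, moduli, m0)                 # part 2a
        shift = big_b * ft - et                                     # F_t - e_t
        res = [((ri + shift) * pow(bt, -1, mi)) % mi for ri, mi in zip(res, moduli)]  # part 2b
        r0 = ((r0 + shift) * pow(bt, -1, m0)) % m0                  # redundant modulus, kept exact
        digits.append(et)
        trace.append(crt_reconstruct(res, moduli))
    return digits, trace


def main():
    y = 0xDEADBEEF
    y_res, y0 = rns_encode(y), y % M0
    ref_digits, ref_trace = rns_to_radix(y_res, y0, [0, 0, 0, 0])
    obf_digits, obf_trace = rns_to_radix(y_res, y0, [3, 14, 7, 9])
    print("digits (reference) :", [hex(d) for d in ref_digits])
    print("digits (obfuscated):", [hex(d) for d in obf_digits])
    print("y^(t), reference   :", [hex(v) for v in ref_trace])   # shrinks to 0xde, then 0
    print("y^(t), obfuscated  :", [hex(v) for v in obf_trace])   # stays large, ends at f


if __name__ == "__main__":
    main()
```

With $f_t = 0$ the intermediate numbers shrink from 0xDEADBEEF through 0xDEADBE, 0xDEAD and 0xDE to 0, which is the leakage described above; with $f_t = (3, 14, 7, 9)$ the same digits are produced, every intermediate number stays above $2^{24}$, and the final value is $f = \sum_t f_t B_t$ rather than 0. Base extension through $m_0$ needs $m_0 \ge k$ and $\hat y^{(t)} < m$, so the $f_t$ must keep the intermediate numbers inside the dynamical range of the RNS.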
In the above algorithm, a pseudo-RNS representation for the intermediate number ŷ(t) modulo m=m1 . . . mk is maintained. The digit et may be computed using base extension as is further explained below. The pseudo-residues satisfy the integer expansion bound φ. That is, we have that et=|ŷ(t)|b
Define
The algorithm has the following properties: for 0≤t≤s, there are integers $\varepsilon_t$ with $\varepsilon_{-1} = 0$ by definition and $0 \le \varepsilon_t \le \theta$ so that
1. $$\hat y^{(t)} = d_t + d_{t+1} b_t + \dots + d_{s-1} b_t \cdots b_{s-2} + f_0\, b_t \cdots b_{s-1} + f_1\, b_t \cdots b_{s-1} b_0 + \dots + f_{t-1}\, b_t \cdots b_{s-1} b_0 \cdots b_{t-2} - \varepsilon_{t-1};$$
2. $$e_t = d_t - \varepsilon_{t-1} + \varepsilon_t b_t.$$
The statements 1 and 2 may be proven by mathematical induction.
In other words, the integers $\varepsilon_t$ indicate the distance between the exact residue $d_t$ and the pseudo-residue $e_t$. As a consequence, we have that
1. $$\hat y^{(s)} = f_0 + f_1 b_0 + \dots + f_{s-1} b_0 \cdots b_{s-2} - \varepsilon_{s-1} = f - \varepsilon_{s-1};$$
2. $$y = e_0 + e_1 b_0 + \dots + e_{s-1} b_0 \cdots b_{s-2} - \varepsilon_{s-1} b_0 \cdots b_{s-1} = e - \varepsilon_{s-1} b_0 \cdots b_{s-1}.$$
Note that expression 2 is a generalized mixed radix representation for y. Surprisingly, of the ‘error’-integers εt, only the final one, εs−1 occurs in this expression. All others cancel.
There are several ways in which $\varepsilon_{s-1}$ may be computed if desired. In an embodiment, the value f is computed, e.g., as a further part of the iteration, using formula 1. For example, one could compute f iteratively by starting with f=0 and adding the terms of formula 1 as soon as each new term $f_t$ is available. One can then determine $\varepsilon_{s-1}$ from the computed RNS representation of $\hat y^{(s)}$ and the known (RNS representation of) f.
Alternatively, one could obtain $\varepsilon_{s-1}$ from a fixed exact residue of f modulo a small modulus $m_0 \ge \theta + 1$, e.g., a redundant modulus, combined with the RNS representation of $\hat y^{(s)}$.
Once we know $\varepsilon_{s-1}$, we have a GMR representation for y with digits $e_t$ satisfying $0 \le e_t < \varphi b_t$ for all t and $0 \le \varepsilon_{s-1} \le \theta$. As explained above, the GMR is often good enough to be employed in a digit-based algorithm. We refer to $\varepsilon_{s-1}$ as a correction term. For example, the correction term $\varepsilon_{s-1}$ may also be exported as output, e.g., stored in digit storage 240. Note that the $e_t$ can be larger than the corresponding base, which is compensated for by subtracting the term $\varepsilon_{s-1} b_0 \cdots b_{s-1}$.
In case that the pseudo-residues et are in fact known to be exact residues (that is, if εt=0 is known for all t), the algorithm delivers et=dt, so in fact the exact MR digits are determined. If in addition ft=0 for all t, then the algorithm reduces to the reference algorithm described above to determine MR digits. In an embodiment, the integers ft are chosen to be small enough to still allow an RNS representation of the intermediate values y(t). The latter may be accomplished if the range of possible intermediate values y(t) has size at most m.
In an embodiment, the modular arithmetic is done using lookup tables. In the case where some or all of the bt are too big to allow the implementation of the modular arithmetic by lookup tables, the required modular arithmetic may be implemented, for example, using Montgomery multiplication or similar methods. See, e.g., Jean-François Dehm. Design of an efficient public-key cryptographic library for RISC-based smart cards. PhD thesis, Université Catholique de Louvain, 1998, for a discussion of a number of modular arithmetic algorithms, in particular, modular multiplication, more in particular Montgomery multiplication. Interestingly, modular arithmetic methods typically deliver the result as a pseudo-residue. Extra efforts are required to obtain the exact residue. In general, an exact residue cannot even be determined without leaving the RNS representation domain. However, in such a situation, the method described herein enables a form of digit-determination entirely within the RNS realm, employing pseudo-residues instead of exact residues.
For example, the Montgomery algorithm in Dehm (section 2.2.6) has as its final two steps “if Un>N then U=Un−N else U=Un”; omitting this extra reduction step gives a modular reduction algorithm whose output is a pseudo-residue with expansion factor 2. Modular multiplication algorithms with a larger expansion factor, even as high as a few hundred, may be used in the algorithm.
Below, an RNS implementation suitable for the conversion is detailed further. Suppose that y is given by its (redundant) RNS representation (y0, y1, . . . , yk) with respect to the RNS moduli m1, . . . , mk and redundant modulus m0; write m=m1 . . . mk to denote the dynamical range of the RNS. The moduli m0, m1, . . . , mk are relatively prime positive integers. Moreover, arithmetic modulo m0 is exact, so that residues modulo m0 are not pseudo-residues but true residues. For example, the arithmetic modulo m0 could be implemented by table lookup. Arithmetic modulo the other moduli could also be done through table lookup, but may also use an implementation of a modular algorithm, e.g., Montgomery multiplication, etc.
The modulus m0 is referred to as a redundant modulus. Alternatively, the redundant modulus could be the product of multiple moduli; in this case computation is done with exact residues for these multiple moduli. Moreover, in an embodiment we impose the usual condition m0≥k to enable base extension, or, when working with pseudo-residues with expansion factor φ, we require that m0≥kφ. In the implementation of the algorithm, we maintain an RNS representation (ŷt,0, ŷt,1, . . . , ŷt,k) for ŷ(t), where ŷt,i=y(t)m
In what follows, we describe the RNS implementation of the algorithm for the case where b0= . . . =bs−1=b=mk; it is easily understood how to proceed in a more general case. The iteration step of the algorithm may now be implemented as follows. For t=1, . . . , k, we have et=ŷ(t)b; since we assumed mk=b, we can take et=ŷt,k. Then, for i≠k, we can immediately compute
ŷt+1,i=(ŷt,i−et+ftbs)
where
ηi=ŷt+1,i|(m/(mimk))−1|)m
then we have that
provided that ŷ(t+1)<m/mk, the dynamical range of the “reduced” RNS based on the mi with i≠0, k. Now the (exact) value of q is computed from the redundant residue ŷt+1,0 modulo m0 as
Once q is determined, we can compute ŷt+1,k as
The constants in these expressions can be precomputed and can be assumed to be exact residues.
The modular operations required to compute the above expression for ŷt+1,k could be implemented by ordinary operations, followed by a final reduction modulo mk, e.g. using postponed reduction. Since we work with pseudo-residues here, we only have that ηi<φmi (where φ is the expansion factor). Since 0<ŷ(t)<m/mk is assumed, we have that 0<q<(k−1)φ; so in order to be able to determine the value of q as above, we must require that m0≥(k−1)φ.
The above algorithm is suitable to be implemented in a white-box encoded system, e.g., using either an RNS with exact residues, with the modular arithmetic implemented by table lookup, or an RNS using pseudo residues, etc.
The obfuscating numbers ft can be chosen in various ways. If the algorithm is used in the context of an RNS with moduli m1, . . . , mk with dynamical range m=m1 . . . mk, then the integers f0, . . . , fs−1 must be small enough to ensure that ŷ(t)<m, to prevent overflow. For example, provided that bs≤m, it is sufficient to require 0≤ft<bt. Apart from that, the ft can be chosen arbitrarily, provided that at the end the desired representation of f needed to compute εs−1 can be computed. Note that by choosing an ft smaller than indicated, e.g., ft=0, a later ft′ (t′>t) may be chosen larger than indicated. A particularly advantageous choice is to take ft=et.
In an embodiment, the ft are fixed constants.
In an embodiment, the ft may vary with every new application of the algorithm. For example, the conversion may be used multiple times in an application, e.g., in some larger computation; each such conversion may then have different, but fixed, obfuscation numbers. This is especially attractive in a white-box application.
In an embodiment, the obfuscating numbers ft depend only on the input number y. This has the advantage that different runs with different inputs use different obfuscating numbers, thus making it harder to correlate two different runs with each other. But in runs with the same input, the entire computation is the same, as it depends only on the input number. Thus, performing multiple runs with the same input cannot give additional information to attack the system. For example, the obfuscating numbers ft may be a, possibly varying, function of the input, possibly indirectly by depending on other data in the program. For example, we could take ft=et for all t, or even ft=|et+ct|bt for constants ct that could, e.g., vary with every application of the algorithm. These choices add to the leak-resistance of the method.
In an embodiment, the conversion is part of a larger application. The larger application may calculate on multiple numbers in RNS representation, thus producing a resulting number in RNS representation. The resulting number is the input number that needs converting to a radix representation. The data on which the larger application operates can be used as a random source for the obfuscation numbers. For example, the multiple ft may depend on one or more of the multiple numbers in RNS representation.
As mentioned above, the moduli should be chosen in such a way that ŷ(t)<m, the dynamical range, for all t. If we use the algorithm, for example, with digit base m1, . . . , mk and with ft=et, where the et are pseudo-residues (so with possibly et≥mt), then to ensure that indeed ŷ(t)<m, we can add a few moduli mk+1, . . . , mk+r to the RNS. Equivalently, we can restrict the number y by assuming that y<m1 . . . mr, and then replace part 2(b) of the algorithm with
ŷ(t+1)=(ŷ(t)−et+m1 . . . mr ft)/bt.
In other words, we apply the algorithm with digit base b0=m1, . . . br−1=mr (so with s=r) in order to prevent overflow during the run of the algorithm.
If we use the algorithm with bi=b, fixed, and with ft<b for all t, then ŷ(t)<bs for all t. Typically, we have that b is equal to one of the moduli, say mk=b. In that case, we have to determine dt=ŷt,k by base extension with respect to the RNS formed by the moduli m1, . . . , mk−1. In that case, the condition on the dynamical range is that bs≤m/mk. In the case where b is relatively prime to all the mi, we must determine dt=ŷ(t)b by base extension using the full RNS; in that case, the requirement is that bs≤m.
In part 2b of the algorithm, given above as ŷ(t+1)=(ŷ(t)−et+b0 . . . bs−1ft)/bt, the obfuscating part may be generalized. Instead of adding b0 . . . bs−1ft, it is also possible to add bt . . . bs−1ft. This gives more choices for ft. Instead of adding bt . . . bs−1ft before the division one could also add bt+1 . . . bs−1ft after the division.
In an embodiment, the algorithm is run with digit base bt=b for all t=0, . . . , s−1, with ft=|et+ct|b for constants ct, in combination with an RNS with moduli m1, . . . , mk with mk=b, applying “redundant modulus” base extension as above when required.
Below, the modifications are indicated to adapt to an embodiment in which not all moduli m1, . . . , mk are relatively prime. Consider x=(x1, . . . , xk) mod (m1, . . . , mk). We have that xi≡xj mod gcd(mi, mj) for all pairs i and j. Using this, the Generalized Chinese Remainder Theorem (GCRT) states that there is a unique x mod m, with m=lcm(m1, . . . , mk). This number can be recovered as follows. Determine constants c1, . . . , ck such that
c1(m/m1)+ . . . +ck(m/mk)=1 mod m.
Such constants always exist; in fact one may even require that 0≤ci<mi. The constants ci take over the role of the constants |(m/mi)−1|m
Using this representation, we can do everything that we could do with the regular RNS, including base extension using a redundant modulus. In fact from the latter equation we get that ei=|xici|m
with 0≤q<k as usual.
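The constants ci and the recovery of x for moduli that are not pairwise coprime, as an added Python example that is not part of the patent text. The moduli (6, 10, 15) are a constructed instance; egcd, gcrt_constants and gcrt_reconstruct are this example's own names. The constants are obtained by folding extended-Euclid coefficients over the terms m/mi, and x is recovered as Σ ei·(m/mi) minus a multiple q·m with 0≤q<k, as the text states.

```python
"""Generalized CRT reconstruction for moduli that are not pairwise coprime.

Added example, not the patent's code. The moduli (6, 10, 15) used in the
demonstration are a constructed instance."""
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def gcrt_constants(moduli):
    """Return m = lcm(moduli) and constants c_i with 0 <= c_i < m_i and
    sum(c_i * (m // m_i)) == 1 (mod m).

    The terms m // m_i have gcd 1: for each prime, the modulus carrying its
    highest power gives a term not divisible by that prime.  Bezout
    coefficients for the whole list are built by folding egcd over the terms;
    reducing c_i modulo m_i only changes the sum by multiples of m."""
    m = 1
    for mi in moduli:
        m = m * mi // gcd(m, mi)
    terms = [m // mi for mi in moduli]
    coeffs, g = [1], terms[0]
    for term in terms[1:]:
        g, u, v = egcd(g, term)           # u*g_old + v*term == g_new
        coeffs = [c * u for c in coeffs] + [v]
    assert g == 1, "terms m/m_i are always coprime as a set"
    return m, [c % mi for c, mi in zip(coeffs, moduli)]


def gcrt_reconstruct(residues, moduli):
    """Unique x in [0, m) with x == x_i (mod m_i) for all i.

    Raises ValueError when the residues disagree modulo gcd(m_i, m_j), the
    consistency condition the GCRT requires."""
    k = len(moduli)
    for i in range(k):
        for j in range(i + 1, k):
            g = gcd(moduli[i], moduli[j])
            if (residues[i] - residues[j]) % g:
                raise ValueError(f"residues {i} and {j} disagree modulo {g}")
    m, c = gcrt_constants(moduli)
    # e_i = |x_i c_i|_{m_i}; then sum(e_i * m/m_i) == x + q*m with 0 <= q < k
    e = [(xi * ci) % mi for xi, ci, mi in zip(residues, c, moduli)]
    total = sum(ei * (m // mi) for ei, mi in zip(e, moduli))
    q = total // m
    assert 0 <= q < k
    return total - q * m


if __name__ == "__main__":
    moduli = (6, 10, 15)                   # constructed, not pairwise coprime
    m, c = gcrt_constants(moduli)
    print("m =", m, "constants =", c)
    print("x =", gcrt_reconstruct([7 % 6, 7 % 10, 7 % 15], moduli))
```

For pairwise coprime moduli the same routine returns the ordinary CRT constants, since Σ ci(m/mi)≡1 mod m forces ci(m/mi)≡1 mod mi for each i, i.e. ci=|(m/mi)−1|mi as in the regular RNS.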
Typically, the calculating device 200 comprises a microprocessor (not separately shown in
In an embodiment, calculating device 200 comprises a digit forming circuit, an updating circuit, an obfuscating circuit, a constant storage, a variable storage and a digit store. The circuits implement the corresponding units described herein. The circuits may be a processor circuit and storage circuit, the processor circuit executing instructions represented electronically in the storage circuits. The circuits may also be an FPGA, an ASIC, or the like.
Below a detailed example of an embodiment during operation is given. We now give an example of our method for an RNS with k=3 and moduli m1=13, m2=11, m3=7 and redundant modulus m0=4, with digit base b0=b1=7, so with s=2, and with taking ft=et, and with pseudo-residues with εt<φ=2 for all t (so using pseudo-residues with expansion factor φ=2). Note that for every t, the number ŷ(t) will have the form a+7b with a, b<2·7=14, so that ŷ(t)≤13+13·7=8·13<m1·m2, so that base extension using the reduced RNS with moduli m1, m2 to determine the residue modulo m3=7 is feasible. Moreover, we have that m0≥(k−1)φ=2·2=4 as required.
Let us take y=2+5·7=37 (assumed to be unknown), represented by the (known) residues (1; 11,4,2) modulo (4; 13,11,7). Running our algorithm, we obtain the following.
1. ŷ(0)=y˜(1;11,4,2);
2. e0=ŷ(0)7=ŷ0,3+1·7=9 (pseudo-residue), so ε0=1; the RNS of e0 equals (1;9,9,2).
ŷ(1)=(ŷ(0)+9·(7²−1))/7=67≡(3;2,1,4); since 7−1˜(3; 2,8,−), we indeed find that
(a) (ŷ1,0;ŷ1,1, ŷ1,2, ŷ1,3)≡((1; 11,4,2)−(1; 9,9,2))*(3; 2,8, −)+(9·7;9·7,9·7,9·7)≡(3;2,1, −),
so we might obtain ŷ1,0=3 and the pseudo-residues ŷ1,1=2+1·13=15 and ŷ1,2=1+0·11=1;
(b) η1=15·|11−1|13 mod 13≡2·6≡12 mod 13; so, for example, η1=25;
(c) η2=1·|13−1|11 mod 11≡1·6≡6 mod 11; so, for example, η2=17;
(d) so ŷ(1)=25·11+17·13−q·13·11;
(e) From the redundant residue, we get 3≡1·3+1·1−q·1·3≡−3q mod 4, hence q=3;
(f) Hence ŷ1,3=25·|11|7+17·|13|7+3·|−13·11|7 mod 7≡4 mod 7, so for example ŷ1,3=11.
(g) So now we have ŷ(1)˜(3; 15,1,11);
3. e1=ŷ1,3=11 (pseudo-residue), so ε1=1; we see that y=e−1·7² with e=9+11·7=86;
ŷ(2)=(ŷ(1)+e1·(7²−1))/7=(67−11)/7+11·7=85≡(1; 7,8,1); indeed, we find that
(a) (ŷ2,0; ŷ2,1, ŷ2,2, ŷ2,3)≡((3; 15,1,11)−(3; 11,0,4))*(3; 2,8, −)+(11·7; 11·7,11·7,11·7)≡(1; 7,8, −),
so, we might obtain ŷ2,0=1 and the pseudo-residues ŷ2,1=7+0·13=7 and ŷ2,2=8+0·11=8;
(b) η1=7·|11−1|13 mod 13≡7·6≡3 mod 13; so, for example, η1=3;
(c) η2=8·|13−1|11 mod 11≡8·6≡4 mod 11; so, for example, η2=4;
(d) so ŷ(2)=3·11+4·13−q·13·11;
(e) From the redundant residue, we get 1≡3·3+4·1−q·1·3≡1−3q mod 4, hence q=0;
(f) Hence ŷ2,3=3·|11|7+4·|13|7+0·|−13·11|7 mod 7≡1 mod 7, so for example ŷ2,3=8.
(g) So now we have ŷ(2)˜(1; 7,8,8);
We have f=e=86˜(2; −, −, −) while ŷ(2)=e−ε1˜(1; −, −, −); so, from the redundant modulus, we conclude that ε1=1.
Since y=e−ε1·7², we find the (approximate) GMR representation
y=9+11·7−1·7².
Note also that d0=2 and d1=5, so that 9=e0=d0+1·7, so ε0=1, and 11=e1=5−1+1·7, so that indeed ε1=1.
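The RNS implementation described above (step 2(b) applied to every modulus except mk, base extension of the missing residue through the ηi and the redundant modulus, and the correction term read off modulo m0), run on the k=3 instance just worked through, as an added Python example that is not part of the patent text. It assumes b=mk and the choices ft=et or ft=|et+ct|b; the names convert, lift, demo and reconstruct are this example's own, and the lifting of residues to pseudo-residues, which a real implementation would leave to its modular multiplier, is simulated with a seeded generator so that a run is reproducible.

```python
"""RNS-to-radix digit extraction with obfuscating numbers and pseudo-residues.

Added example, not code from the patent. It reproduces the worked instance
above (moduli 13, 11, 7, redundant modulus 4, digit base b = m3 = 7, s = 2,
expansion factor phi = 2) with f_t = e_t, and optionally f_t = |e_t + c_t|_b."""
import random


def to_rns(x, moduli):
    """Exact residues of x modulo every modulus in `moduli`."""
    return [x % m for m in moduli]


def convert(y_rns, m0, moduli, s, phi, lift, offsets=None):
    """Extract s digits e_0..e_{s-1} to base b = m_k from the redundant RNS
    representation (r0; r1, ..., rk) of an unknown y in [0, b^s).

    r0 is an exact residue modulo m0; r1..rk may be pseudo-residues (< phi*m_i).
    lift(r, m) returns a pseudo-residue congruent to r modulo m, below phi*m.
    offsets: constants c_t for f_t = |e_t + c_t|_b; None selects f_t = e_t.
    Returns (digits, eps) with y = sum(e_t b^t) - eps * b^s and 0 <= e_t < phi*b.
    """
    k = len(moduli)
    b = moduli[-1]
    m_red = 1                                # m / m_k: range of the reduced RNS
    for mi in moduli[:-1]:
        m_red *= mi
    assert (k - 1) * phi <= m0, "redundant modulus too small to recover q"
    assert b ** s <= m_red, "b^s must fit the reduced dynamical range"
    # residues modulo m_1..m_k are allowed to be pseudo-residues from the start
    y = [y_rns[0]] + [lift(r, mi) for r, mi in zip(y_rns[1:], moduli)]
    digits, f_mod_m0 = [], 0                 # f_mod_m0 tracks |f|_{m0}, f = sum f_t b^t
    for t in range(s):
        e = y[k]                             # e_t = yhat_{t,k}: pseudo-residue modulo b
        f = e if offsets is None else (e + offsets[t]) % b
        digits.append(e)
        f_mod_m0 = (f_mod_m0 + f * pow(b, t, m0)) % m0
        # step 2(b) on every modulus except m_k: (yhat_t - e_t + f_t b^s) / b,
        # the division being a multiplication by |b^-1|_{m_i}
        new = [0] * (k + 1)
        for i, mi in enumerate([m0] + list(moduli[:-1])):
            r = (y[i] - e + f * pow(b, s, mi)) * pow(b, -1, mi) % mi
            new[i] = r if i == 0 else lift(r, mi)   # modulo m0 stays exact
        # residue modulo m_k by base extension: eta_i from the reduced RNS,
        # q from the redundant residue, then reduce modulo m_k
        eta = []
        for i in range(1, k):
            mi = moduli[i - 1]
            mi_hat = m_red // mi             # m / (m_i m_k)
            eta.append(lift(new[i] * pow(mi_hat, -1, mi) % mi, mi))
        total = sum(eta[i - 1] * (m_red // moduli[i - 1]) for i in range(1, k))
        q = (total - new[0]) * pow(m_red, -1, m0) % m0   # exact since q < m0
        new[k] = lift((total - q * m_red) % b, b)
        y = new
    eps = (f_mod_m0 - y[0]) % m0             # yhat_s = f - eps, read modulo m0
    return digits, eps


def reconstruct(digits, eps, b, s):
    """y = sum(e_t b^t) - eps * b^s, the GMR representation with correction term."""
    return sum(e * b ** t for t, e in enumerate(digits)) - eps * b ** s


def demo(y, seed=0, phi=2, offsets=None):
    """Constructed instance from the text: moduli (13, 11, 7), m0 = 4, b = 7, s = 2.
    The lift draws the multiple of m_i from a seeded generator; phi = 1 makes
    every residue exact so the run returns the exact MR digits."""
    rng = random.Random(seed)
    lift = lambda r, m: r + m * rng.randrange(phi)
    moduli = (13, 11, 7)
    return convert(to_rns(y, (4,) + moduli), 4, moduli, s=2, phi=phi,
                   lift=lift, offsets=offsets)


if __name__ == "__main__":
    d, eps = demo(37, seed=1)
    print("digits", d, "correction", eps, "->", reconstruct(d, eps, 7, 2))
```

Different seeds give different pseudo-residues and therefore different digits et and a different correction term, exactly as the text's "so, for example" choices do; with phi=1 the run of y=37 returns the exact MR digits (2, 5) with correction 0, and in every case Σ et·7^t − ε·7² recovers y while each et stays below φb=14.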
The parts 320 and 330 are iterated so that the iterations produce the digits (e0, e1, . . . , es−1) in the radix representation with respect to the bases (b0, b1, . . . , bs−1) of the radix representation.
Many different ways of executing the method are possible, as will be apparent to a person skilled in the art. For example, the order of the steps can be varied or some steps may be executed in parallel. Moreover, in between steps other method steps may be inserted. The inserted steps may represent refinements of the method such as described herein, or may be unrelated to the method. For example, some parts may be executed, at least partially, in parallel. Moreover, a given step may not have finished completely before a next step is started.
A method according to the invention may be executed using software, which comprises instructions for causing a processor system to perform method 300. Software may only include those steps taken by a particular sub-entity of the system. The software may be stored in a suitable storage medium, such as a hard disk, a floppy, a memory, an optical disc, etc. The software may be sent as a signal along a wire, or wireless, or using a data network, e.g., the Internet. The software may be made available for download and/or for remote usage on a server. A method according to the invention may be executed using a bitstream arranged to configure programmable logic, e.g., a field-programmable gate array (FPGA), to perform the method.
It will be appreciated that the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate source, and object code such as partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention. An embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the processing steps of at least one of the methods set forth. These instructions may be subdivided into subroutines and/or be stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the means of at least one of the systems and/or products set forth.
For example, in an embodiment, the calculating device may comprise a processor circuit and a memory circuit, the processor being arranged to execute software stored in the memory circuit. For example, the processor circuit may be an Intel Core i7 processor, ARM Cortex-R8, etc. The memory circuit may be a ROM circuit, or a non-volatile memory, e.g., a flash memory. The memory circuit may be a volatile memory, e.g., an SRAM memory. In the latter case, the calculating device may comprise a non-volatile software interface, e.g., a hard drive, a network interface, etc., arranged for providing the software.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb “comprise” and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article “a” or “an” preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
In the claims references in parentheses refer to reference signs in drawings of exemplifying embodiments or to formulas of embodiments, thus increasing the intelligibility of the claim. These references shall not be construed as limiting the claim.
Number | Date | Country | Kind |
---|---|---|---|
16197707.9 | Nov 2016 | EP | regional |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2017/077835 | 10/30/2017 | WO | 00 |