The invention concerns a method for cryptographically processing a message by means of a secret key.
In cryptography, messages are commonly processed by means of a secret key, which is stored in a microcircuit card, for example. Such processing is carried out in the context of the holder of the secret key (i.e. the cardholder) signing the message, for example, or in the context of decrypting the message if it is sent to the holder of the secret key (in which case the message has been encrypted beforehand, for example by means of a public key associated with the secret key).
Processing the message generally consists in performing a calculation in which the message and the secret key are considered as numbers. Thus the RSA algorithm applies the secret key to the message by means of a modular exponentiation operation.
Because of this, this type of operation is the target of attacks by malicious users seeking to discover the secret key, generally with a view to using it fraudulently.
Countermeasures have therefore been adopted to combat attacks that can be envisaged, for example masking the numbers used as described in patent application FR 2 675 355 in the context of implementing the RSA algorithm using the Chinese remainder theorem (CRT).
To combat fault generation attacks that disrupt the execution of the cryptographic algorithm in order to attempt thereby to deduce information regarding the secret key, it has been proposed to verify correct execution of the cryptographic algorithm by carrying out a complementary calculation, as described in patent application FR 2 867 635, for example.
In the context of the RSA algorithm, such verification can be carried out, after exponentiation by the secret key, by applying exponentiation by the associated public key in order to verify that the original message is obtained. This technique is somewhat inefficient from the calculation time point of view, however, and necessitates a knowledge of the public key, which is not always the case.
This is why it is proposed, in patent application FR 2 884 004, to update two complementary variables throughout the modular exponentiation calculation and to verify a relationship normally existing at all times between those two variables at the end of the calculation in order to be sure that no fault has occurred.
The inventors of the present invention have noted, however, that the proximity of these two variables enables attacks that do not call into question the existing relationship between them, for example by modifying the secret key during the modular exponentiation calculation.
To address this problem in particular, the invention proposes a method for cryptographic processing of a message by means of a secret key, characterized in that it comprises the following steps:
This provides assurance not only as to the consistency of the result of the calculation but also as to the integrity of the data (the second data item) derived from the secret key, which is beneficial in particular if the relationship is independent of the secret key.
To further strengthen protection against attacks, there can be provided a step of reading the second data item in a nonvolatile memory between the determination step and the verification step. Thus the verification step is carried out with a second data item that has been read anew, for example in non-volatile memory.
In the embodiment described hereinafter, the third data item can be used as a result in the event of positive verification in the verification step.
In this embodiment, the calculation of the third data item and the fourth data item comprises at least one step of modifying the third data item or the fourth data according to whether a bit of the second data item has the value 0 or 1.
There can then further be provision for modifying the data item representing the second data item in each modification step in such a manner as to store the bit of the second data item used in the step concerned.
The representative data item can be modified in such a manner as to store said bit after the modification step using said bit, for example, which stores the bit actually used.
In practice, there can be provision for the representative data item to be modified by multiplication by two followed by addition of said bit.
In one possible embodiment, the representative data item can be stored in the register storing the second data item, in particular because space is freed up in that register as and when the modification steps are iterated.
The verification relationship is one of modular equality between said combination and the product of the third data item and the message, for example.
Moreover, the combination can be an exclusive-OR operation, which is particularly practical to use.
The process as a whole can comprise steps conforming to the Chinese remainder theorem (CRT), as explained hereinafter.
The invention also proposes a method for cryptographic processing of a message by means of a secret key, comprising a step of:
The method described hereinabove is particularly advantageous against an attack aiming to modify the values entered as parameters on calling the routine (or sub-program).
The optional features envisaged hereinabove apply in a similar manner here and will therefore not be repeated here.
The invention further proposes a method that is novel in itself for cryptographic processing of a message by means of a secret key, in which at least one processing step depends on a group of at least one bit of the secret key, characterized by the following steps:
An a posteriori verification therefore provides assurance that the bits used during processing corresponded to those of the secret key, which prevents a fault generation attack.
As already mentioned hereinabove, to strengthen the verification referred to above, there can further be provision for a step of reading at least a portion of the secret key in non-volatile memory between the modification step and the comparison step.
Error processing is carried out in the event of a negative verification in the comparison step, for example.
In one embodiment, the processing step can be executed for each bit of the secret key. In this case, the control variable is modified after each processing step by multiplication by two followed by addition of the bit used during the processing step concerned, for example, which is a practical way to store the various bits used during the iteration of the processing steps.
The invention further proposes a method for cryptographic processing of a message by means of a secret key in an electronic entity comprising a non-volatile memory, characterized by the following steps (which are preferably executed in this order, especially with regard to the steps of reading non-volatile memory):
As already indicated, the optional characteristics envisaged hereinabove with regard to the first cryptographic processing method referred to apply in a similar manner to the other processing methods referred to and will therefore not be repeated here.
Other features and advantages of the invention will become apparent in the light of the following description, given with reference to the appended drawings, in which:
The cryptographic processing method whose steps are represented in
The message m is represented in numeric form and for the purposes of cryptographic processing is treated as a number. The message m is received via the communication interface of the microcircuit card, for example, and stored in a random access memory thereof.
The exponent d is a secret key stored in a non-volatile memory of the microcircuit card, for example, which is an electrically erasable programmable read-only memory (EEPROM), for example. Hereinafter di denotes the bits that form the secret key, from dk-1, the most significant bit, to d0, the least significant bit (with k=2048, for example).
The modulus n is generally stored in non-volatile memory. The secret key d and the modulus n are transferred into random access memory when they are used in a calculation.
The method represented in
The step E102 represented in
The microprocessor then commands an initialization step E104 during which the message m is copied into a register (or memory) a0. Similarly, a register a1 is set to the value m2 mod n, a register eCtrl is set to 1 and a register with the index i is set to the value k-2.
A loop on the value of i then begins in the step E106. On each iteration of the loop, the value a0·a1 mod n is written (overwritten) in the register a
During the step E106 the value 2·eCtrl+di is written (overwritten) in the register eCtrl.
There follows the step E108 in which the index i is decremented.
The step E110 tests if i is negative, in which case the process exits the loop in the step E112. On the other hand, if i is positive or zero, there is a loop to the step E106.
Thus the aforementioned loop executes the iteration step E106 for i varying from k-2 to zero, which at the end of the loop produces in the register a0 the value md mod n, in the register a1 the value m·a0 mod n, and a value eCtrl each bit whereof corresponds to the bit di actually used during processing and that, in the final analysis, is therefore equal during processing with no faults to the input value of the secret key d.
The value eCtrl is stored in a specific register, for example. Alternatively, it could be stored in the same register as the secret key d, because the bit di used in each iteration is not used subsequently and can therefore be overwritten. In this case the leftward shift generated by multiplying eCtrl by 2 can in this case be used to work through the bits of the secret key d (instead of the index i mentioned above).
As indicated hereinabove, the exit from the loop is effected in the step E112, in which the sub-program described here returns to the main program that called it, on the one hand, the value of the register a0 and, on the other hand, the combination by an exclusive-OR (XOR) operator of the value of the register a1 and the value of the register eCtrl. These return values enable the main program to verify execution without fault in the
d⊕B=m·A mod n.
Note that this verification not only provides assurance as to the consistency of the data a0 and a1 calculated in the
This technique could be used in a similar way in elliptical curve asymmetrical key cryptography.
To effect this verification under particularly secure operating conditions, the main program reads the secret key d again in the non-volatile memory of the microcircuit card before the verification of the relationship referred to above, as described next with reference to
In the step E202, the microprocessor of the microcircuit card receives the message m to be processed.
The message m is then processed as described hereinafter in the steps E204 to E216. Although the steps E204 to E215 are represented in two branches in
The method to be described hereinafter obtains the signature of the message m by applying a private key (d, p, q) in accordance with the RSA algorithm.
If the message m were an encrypted message, a method analogous to that to be described would decrypt the message m using this private key.
The numbers p and q are integers that constitute the prime factors of the public modulus (or public key modulus) n. These numbers are used as moduli in the intermediate calculations using the Chinese remainder theorem without masking.
The number d is the exponent of the private key that is linked to the exponent e of the public key by the following relationship: d.e=1 mode [(p−1) (q−1)].
In the example shown in
In a similar way, three integers λ2, μ2, τ2 used for the processing relating to the modulus q are determined in the step E206. As indicated with regard to the integers λ1, μ1, τ1, the integers λ2, μ2, τ2 can be obtained by drawing random numbers.
The elements p and dp of the secret key (where dp=d mod(p−1)) are then read in the non-volatile memory in the step E207. There follows the step E208 that groups together the operations for masking the values used for modular exponentiation in relation to the modulus p.
To this end, the first step is to calculate a first masked message m1 from the formula m1=(m+μ1·p)mod(λ1·p).
Note that this operation consists on the one hand in masking the message itself by adding to it an integer multiple of the modulus p (μ1p) and on the other hand in masking the modulus p itself by multiplying it by an integer λ1.
It is therefore clear that, as indicated hereinabove, using integers λ1 and μ1 obtained by drawing random numbers makes masking more effective and thereby enhances the security of the system.
The step E208 also includes an operation of calculating a masked exponent d1=dp+τ1·(p−1).
This latter operation masks the exponent used during modular exponentiation, as indicated hereinafter.
The elements q and dq (where dq=d mode(q−1)) are then read in the non-volatile memory in the step E209 and there follows the step E210 that performs calculations analogous to those of the step E208, here with reference to the module q:
Once the values used in the modular exponentiation calculations have been determined in the steps E208 and E210, those calculations can be carried out, as described in detail next.
The step E212 includes modular exponentiation of the masked modular residue m1 by means of the masked exponent d1 previously determined, using the masked modulus (λ1·p) as before, and calling on the sub-program described above with reference to
S
p=(m1)d
whereas the second value Cp returned verifies the following relationship in the event of normal execution:
d
1
⊕C
p
=m
1
·S
p mod(λ1·p).
Note that, the integer λ1 being a random number, the masked modular result S1 is also random, which enhances security.
The masked modular result Sq is calculated in a similar way in the step E214 by calling the
This yields (Sq, Cq), where: Sq=(m2)d
These operations therefore use the masked modular residue m2 and the masked exponent d2 determined in the step E210 as well as the masked modulus (λ2·q).
The modular results Sp and Sq having been obtained as explained hereinabove for each of the moduli p and q using the masked moduli (λ1·p) and (λ2·q), the signature S is obtained in the step E216 by linear recombination of the modular results according to the following formula, in which Apq is the modular inverse of p modulo q defined by p·Apq=1 mod q:
S=[(λ2·q+Sq−Sq)·Apq mod(q)]·p+Sp.
The recombination formula is of the type just indicated, but could be different from the formula given hereinabove; the following formula could be used instead, for example, where Bqp is the modular inverse of q modulo p, such that q·Bqp=1 mod p:
S=[(λ1p+Sp−Sq)·Bqpmode(p)]·q+Sq.
Elements of the secret key (here all its elements, namely p, q, dp and dq) are then read again in non-volatile memory, after which the elements d1 and d2 are recalculated as in steps E208 and E210, which verifies the calculations as described hereinafter with the values actually stored in non-volatile memory.
There follows in the step E220 the calculation of a value C such that:
C=[(λ2·q+(d2⊕Cq)−(d1⊕Cp))·Apq mod q]·p+(d1⊕Cp).
Given the properties of the values returned by the
This relationship is therefore verified in the step B222. In the event of a positive verification, the process is considered to have been executed without fault (and therefore without attack) and the value S is returned as the result, for example sent to the exterior of the microcircuit card (step E226).
On the other hand, if the relationship is not verified in the step E222, an error is noted (step E224) and no information on the data used in the process is sent to the exterior when the error is the result of a fault generation attack. An error message that gives no information on the data processed can naturally be sent, however.
The embodiments that have just been described are merely possible examples of implementation of the invention, which is not limited to them.
Number | Date | Country | Kind |
---|---|---|---|
0754912 | May 2007 | FR | national |