JP7206324B2 - System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms - Google Patents
System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms
- Publication number
- JP7206324B2 (application number JP2021090958A)
- Authority
- JP
- Japan
- Prior art keywords
- mod
- exponentiation
- cryptographic
- message
- accumulator
- Prior art date
- Legal status
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/004—Countermeasures against attacks on cryptographic mechanisms for fault attacks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/38—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
- G06F7/48—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
- G06F7/544—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices for evaluating functions by calculation
- G06F7/556—Logarithmic or exponential functions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/723—Modular exponentiation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/302—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- G06F2207/7261—Uniform execution, e.g. avoiding jumps, or using formulae with the same power profile
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Pure & Applied Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mathematical Optimization (AREA)
- General Engineering & Computer Science (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
Description
C = M^e mod n
M = C^d mod n
S = M^d mod n
Sp = Mp^dp mod p
Sq = Mq^dq mod q
where dp = d mod (p-1) and dq = d mod (q-1),
and Mp = M mod p and Mq = M mod q.
- Computation of Sp (about 45% of the computation)
- Computation of Sq (about 45% of the computation)
- Recombination of S from Sp and Sq (about 10% of the computation)
- Shamir's technique, which is the technique on which the Aumüller and Vigilant techniques are based, involves multiplying the modulus by a small random number before the exponentiation. The exponentiation is performed modulo this new number, and after the exponentiation some consistency checks can be performed modulo the small random number. After the recombination, an overall consistency check is performed. If the result of the overall consistency check is not correct, a fault attack has been detected.
- Giraud's technique involves the use of the Montgomery ladder exponentiation algorithm, which, when computing X^y mod Z, outputs the pair (X^(y-1) mod Z, X^y mod Z).
dp = d mod (p-1)
dq = d mod (q-1)
iq = q^-1 mod p
where dp and dq are written in the following binary representation:
dp = [dp_(n-1), dp_(n-2), ..., dp_2, dp_1, dp_0]
and
dq = [dq_(n-1), dq_(n-2), ..., dq_2, dq_1, dq_0]
S = Sq + q*((iq*(Sp-Sq)) mod p)
m: the message to be decrypted
q and p: two large primes whose product is n
iq = q^-1 mod p
mq=1+q*iq*(m-1) mod n
mp=1+(1-q*iq)*(m-1) mod n
mq mod p=1
mq mod q=m mod q
mp mod q=1
mp mod p=m mod p
dp=d mod (p-1)
dq=d mod (q-1)
S_i mod p = m^(dp0 dp1 dp2 ... dpi) mod p
S_i mod q = m^(dq0 dq1 dq2 ... dqi) mod q
- When multiplying by m in step 615, since n is defined as n = pq, the accumulator multiplication A*m is taken modulo p*q.
- When multiplying by mp in step 611, since mp is 1 modulo q, the accumulator multiplication A*mp equals A*m modulo p, so there is no change to A attributable to q.
- When multiplying by mq in step 613, since mq is 1 modulo p, the accumulator multiplication A*mq equals A*m modulo q, so there is no change to A attributable to p.
- When multiplying by 1 in step 609, the multiplication A*1 is A*1 modulo both p and q, so there is no change attributable to either modulo p or modulo q.
Sp = Sk mod p = m^dp mod p
Sq = Sk mod q = m^dq mod q
Sp = S mod p
Sq = S mod q
Therefore,
S = Sk = A.
Claims (3)
- 1. A method performed by a cryptographic device that carries out a decryption operation having an exponentiation operation X, comprising:
  receiving a message m that is the subject of a cryptographic operation equivalent to the exponentiation operation S = m^d mod n;
  determining, from the exponent d, two exponents dp and dq such that dp = d mod (p-1) and dq = d mod (q-1), where p and q are primes such that n = pq;
  splitting the base m into two sub-bases mp and mq determined from the base m, where mp = 1 + q*iq*(m-1) mod n and mq = 1 + (1-q*iq)*(m-1) mod n, with iq = q^-1 mod p;
  repeating, for every bit, a step of multiplying an accumulator A by m, mp, mq or 1 according to the values of the respective bits of dp and dq and assigning the remainder of the product divided by n to the accumulator A, so as to produce a result S equivalent to the exponentiation operation X; and
  returning the final value of the accumulator A as the value S.
- 2. The method of claim 1, wherein dp and dq have bits dpi and dqi indexed from 0 to k, and the repetition is a loop from 0 to k that performs the computation:
  A = A*A mod n
  IF (dpi = 0 && dqi = 0)
    A = A*1 mod n
  IF (dpi = 1 && dqi = 0)
    A = A*mp mod n
  IF (dpi = 0 && dqi = 1)
    A = A*mq mod n
  IF (dpi = 1 && dqi = 1)
    A = A*m mod n
- 3. An electronic device protected against fault attacks, comprising a central processing unit, a memory, and an instruction storage, the instruction storage containing instructions that cause the central processing unit to execute the method of claim 1 or 2.
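As an added worked example (not code from the patent or its assignee), the following Python implements the one-time CRT exponentiation of claims 1 and 2 beside the textbook CRT-RSA path (two half-size exponentiations plus the recombination S = Sq + q*((iq*(Sp-Sq)) mod p) given in the description) that it replaces. It uses the sub-base definitions from claim 1, mp = 1 + q*iq*(m-1) mod n and mq = 1 + (1-q*iq)*(m-1) mod n, which are the ones consistent with the congruences mp ≡ m (mod p), mp ≡ 1 (mod q), mq ≡ 1 (mod p), mq ≡ m (mod q) stated in the description. The MSB-first bit order, the function names and the toy parameters (p = 61, q = 53, d = 2753 and the constructed message values) are assumptions of this example, and the final S^e check is a general consistency test, not a step of the patented method.

```python
# Added example (not the patent's own code): one-time CRT exponentiation as
# described in the claims, beside the classic CRT-RSA computation it replaces.
# p, q, d and the message values used in the tests are constructed toy values.


def crt_exponent_parts(d, p, q):
    """dp = d mod (p-1), dq = d mod (q-1), iq = q^-1 mod p (as in the description)."""
    return d % (p - 1), d % (q - 1), pow(q, -1, p)


def classic_crt_rsa(m, d, p, q):
    """Textbook CRT-RSA: Sp and Sq computed separately, then recombined with
    S = Sq + q*((iq*(Sp-Sq)) mod p). The separate half-exponentiations and the
    recombination step are what fault-attack countermeasures have to protect."""
    dp, dq, iq = crt_exponent_parts(d, p, q)
    sp = pow(m % p, dp, p)
    sq = pow(m % q, dq, q)
    return sq + q * ((iq * (sp - sq)) % p)


def split_base(m, p, q):
    """Sub-bases as defined in claim 1:
    mp = 1 + q*iq*(m-1) mod n      -> mp == m (mod p), mp == 1 (mod q)
    mq = 1 + (1-q*iq)*(m-1) mod n  -> mq == 1 (mod p), mq == m (mod q)
    because q*iq == 1 (mod p) and q*iq == 0 (mod q)."""
    n = p * q
    iq = pow(q, -1, p)
    mp = (1 + q * iq * (m - 1)) % n
    mq = (1 + (1 - q * iq) * (m - 1)) % n
    return mp, mq


def one_time_crt_exp(m, d, p, q):
    """Claims 1 and 2: a single square-and-multiply loop walks the bits of dp
    and dq in parallel. Every iteration does exactly one squaring and one
    multiplication mod n; the multiplier {1, mp, mq, m} is selected by the bit
    pair (dpi, dqi). Modulo p the accumulator sees m^dp, modulo q it sees m^dq,
    so the final value is m^d mod n with no Sp/Sq recombination at all."""
    n = p * q
    dp, dq, _ = crt_exponent_parts(d, p, q)
    mp, mq = split_base(m, p, q)
    multipliers = (1, mp, mq, m % n)  # index = dpi + 2*dqi
    k = max(dp.bit_length(), dq.bit_length())
    acc = 1
    # Assumption of this example: bits are consumed MSB-first, which is the
    # order a left-to-right square-and-multiply needs.
    for i in range(k - 1, -1, -1):
        acc = acc * acc % n
        bit_p = (dp >> i) & 1
        bit_q = (dq >> i) & 1
        acc = acc * multipliers[bit_p + 2 * bit_q] % n
    return acc


def result_is_consistent(s, m, e, n):
    """General consistency test (not part of the patented method): with the
    public exponent e, a correct S = m^d mod n satisfies S^e == m (mod n).
    A mismatch means the exponentiation was disturbed and S must not be released."""
    return pow(s, e, n) == m % n


if __name__ == "__main__":
    # Constructed toy RSA parameters: n = 61*53 = 3233, e = 17, d = 2753.
    p, q, e, d = 61, 53, 17, 2753
    n = p * q
    c = 2790  # constructed ciphertext; pow(65, 17, 3233) == 2790
    s = one_time_crt_exp(c, d, p, q)
    print("one-time CRT:", s, "classic CRT:", classic_crt_rsa(c, d, p, q))
    print("consistent with public exponent:", result_is_consistent(s, c, e, n))
```

Both functions return the same value as Python's pow(m, d, n) for every message, but the one-time loop never holds Sp or Sq as separate intermediate values and performs the same operation sequence (square, multiply) regardless of the bit pair, which is the uniform-execution property the patent's classification (G06F2207/7261) refers to. The S^e check costs one extra public-exponent exponentiation and is the kind of overall consistency check the description attributes to Shamir's technique.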
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP14306393.1A EP2996033A1 (en) | 2014-09-10 | 2014-09-10 | System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms |
EP14306393.1 | 2014-09-10 | ||
JP2017513499A JP2017526981A (ja) | 2014-09-10 | 2015-08-31 | System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
JP2017513499A Division JP2017526981A (ja) | 2014-09-10 | 2015-08-31 | System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms |
Publications (2)
Publication Number | Publication Date |
---|---|
JP2021144239A JP2021144239A (ja) | 2021-09-24 |
JP7206324B2 true JP7206324B2 (ja) | 2023-01-17 |
Family
ID=52232049
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
JP2017513499A Pending JP2017526981A (ja) | 2014-09-10 | 2015-08-31 | System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms |
JP2021090958A Active JP7206324B2 (ja) | 2014-09-10 | 2021-05-31 | System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
JP2017513499A Pending JP2017526981A (ja) | 2014-09-10 | 2015-08-31 | System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms |
Country Status (5)
Country | Link |
---|---|
US (1) | US10277393B2 (ja) |
EP (2) | EP2996033A1 (ja) |
JP (2) | JP2017526981A (ja) |
ES (1) | ES2729874T3 (ja) |
WO (1) | WO2016037885A1 (ja) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11418334B2 (en) * | 2017-10-18 | 2022-08-16 | Cryptography Research, Inc. | Protecting modular inversion operation from external monitoring attacks |
FR3088452B1 (fr) * | 2018-11-08 | 2023-01-06 | Idemia France | Method for verifying the integrity of a cryptographic key pair, and cryptographic device |
CN116830076A (zh) | 2022-01-28 | 2023-09-29 | Nvidia Corporation | Techniques, devices and instruction set architecture for efficient modular division and modular inversion |
WO2023141935A1 (en) * | 2022-01-28 | 2023-08-03 | Nvidia Corporation | Techniques, devices, and instruction set architecture for balanced and secure ladder computations |
WO2023141934A1 (en) | 2022-01-28 | 2023-08-03 | Nvidia Corporation | Efficient masking of secure data in ladder-type cryptographic computations |
US11930114B1 (en) * | 2023-08-02 | 2024-03-12 | Thomas Michael Kremen | Message encryption through identification of a sequential prime number |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008114315A1 (ja) | 2007-03-19 | 2008-09-25 | Fujitsu Limited | Embedded device equipped with a fault attack countermeasure function |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5991414A (en) | 1997-09-12 | 1999-11-23 | International Business Machines Corporation | Method and apparatus for the secure distributed storage and retrieval of information |
EP2605444A1 (en) * | 2011-12-16 | 2013-06-19 | Gemalto SA | Method for signing or deciphering a message using CRT RSA resisting Differential Side-Channel Analysis |
US8861718B2 (en) * | 2012-02-10 | 2014-10-14 | Electronics And Telecommunications Research Institute | Method of preventing fault-injection attacks on Chinese Remainder Theorem-Rivest Shamir Adleman cryptographic operations and recording medium for storing program implementing the same |
EP2738973A1 (en) * | 2012-11-30 | 2014-06-04 | Gemalto SA | System and method for cryptography using multiplicative masking using simultaneous exponentiation techniques |
- 2014
  - 2014-09-10 EP EP14306393.1A patent/EP2996033A1/en not_active Withdrawn
- 2015
  - 2015-08-31 WO PCT/EP2015/069867 patent/WO2016037885A1/en active Application Filing
  - 2015-08-31 JP JP2017513499A patent/JP2017526981A/ja active Pending
  - 2015-08-31 US US15/509,310 patent/US10277393B2/en active Active
  - 2015-08-31 EP EP15756174.7A patent/EP3191936B1/en active Active
  - 2015-08-31 ES ES15756174T patent/ES2729874T3/es active Active
- 2021
  - 2021-05-31 JP JP2021090958A patent/JP7206324B2/ja active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008114315A1 (ja) | 2007-03-19 | 2008-09-25 | Fujitsu Limited | Embedded device equipped with a fault attack countermeasure function |
Non-Patent Citations (1)
Title |
---|
Pablo Rauzy, Sylvain Guilley, A Formal Proof of Countermeasures Against Fault Injection Attacks on CRT-RSA, Cryptology ePrint Archive, Jan. 2014, Report 2013/506, Ver. 20140130171541, pp. 1-22, https://eprint.iacr.org/2013/506/20140130:171541, [retrieved 2019-04-18], Internet |
Also Published As
Publication number | Publication date |
---|---|
EP2996033A1 (en) | 2016-03-16 |
EP3191936A1 (en) | 2017-07-19 |
US20170257211A1 (en) | 2017-09-07 |
WO2016037885A1 (en) | 2016-03-17 |
JP2017526981A (ja) | 2017-09-14 |
JP2021144239A (ja) | 2021-09-24 |
EP3191936B1 (en) | 2019-03-13 |
ES2729874T3 (es) | 2019-11-06 |
US10277393B2 (en) | 2019-04-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP7206324B2 (ja) | System and method for one-time Chinese-remainder-theorem exponentiation for cryptographic algorithms | |
EP3091690B1 (en) | Rsa decryption using multiplicative secret sharing | |
US20190034170A1 (en) | Homogenous Atomic Pattern for Double, Add, and Subtract Operations for Digital Authentication Using Elliptic Curve Cryptography | |
US10367637B2 (en) | Modular exponentiation with transparent side channel attack countermeasures | |
JP2017526981A5 (ja) | ||
US11290272B2 (en) | Elliptic curve point multiplication device and method in a white-box context | |
US11824986B2 (en) | Device and method for protecting execution of a cryptographic operation | |
US8639944B2 (en) | Zero divisors protecting exponentiation | |
RU2579990C2 (ru) | Protection against passive sniffing | |
JP2004304800A (ja) | Prevention of side-channel attacks in a data processing device | |
US9992013B2 (en) | System and method for providing defence to a cryptographic device against side-channel attacks targeting the extended euclidean algorithm during decryption operations | |
EP2738973A1 (en) | System and method for cryptography using multiplicative masking using simultaneous exponentiation techniques | |
US10673610B2 (en) | System and method for protecting a cryptographic device against fault attacks while performing cryptographic non-linear operations using linear error correcting codes | |
WO2017114739A1 (en) | System and method for hiding a cryptographic secret using expansion | |
US10361855B2 (en) | Computing a secure elliptic curve scalar multiplication using an unsecured and secure environment | |
EP3166013B1 (en) | Modular exponentiation using randomized addition chains | |
US9755829B2 (en) | Generation of cryptographic keys | |
WO2018148819A1 (en) | Cryptographic scheme with fault injection attack countermeasure | |
US20170012769A1 (en) | Imbalanced montgomery ladder | |
Shukla et al. | A Comparative analysis of the attacks on public key RSA cryptosystem |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2021-06-07 | A621 | Written request for application examination | Free format text: JAPANESE INTERMEDIATE CODE: A621 |
2021-06-28 | A521 | Request for written amendment filed | Free format text: JAPANESE INTERMEDIATE CODE: A523 |
2022-06-07 | A131 | Notification of reasons for refusal | Free format text: JAPANESE INTERMEDIATE CODE: A131 |
2022-09-05 | A601 | Written request for extension of time | Free format text: JAPANESE INTERMEDIATE CODE: A601 |
2022-11-21 | A521 | Request for written amendment filed | Free format text: JAPANESE INTERMEDIATE CODE: A523 |
| TRDD | Decision of grant or rejection written | |
2022-12-06 | A01 | Written decision to grant a patent or to grant a registration (utility model) | Free format text: JAPANESE INTERMEDIATE CODE: A01 |
2023-01-04 | A61 | First payment of annual fees (during grant procedure) | Free format text: JAPANESE INTERMEDIATE CODE: A61 |
| R150 | Certificate of patent or registration of utility model | Ref document number: 7206324; Country of ref document: JP; Free format text: JAPANESE INTERMEDIATE CODE: R150 |