CA2796149A1 - Method for strengthening the implementation of ECDSA against power analysis - Google Patents
- Publication number: CA2796149A1
- Authority: CA (Canada)
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F7/725: Finite field arithmetic over elliptic curves
- G06F7/723: Modular exponentiation
- H04L9/003: Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
- H04L9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L9/3066: Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
- H04L9/3252: Digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
- G06F2207/7219, G06F2207/7223, G06F2207/7233: Countermeasures against side channel or fault attacks; randomisation as countermeasure; masking, e.g. (A**e)+r mod n
Abstract
A method of inhibiting the disclosure of confidential information through power analysis attacks on processors in cryptographic systems. The method masks a cryptographic operation using a generator. A secret value is combined with the generator to form a secret generator. The secret value is divided into a plurality of parts. A random value is generated for association with the plurality of parts. Each of the plurality of parts is combined with the random value to derive a plurality of new values such that the new values when combined are equivalent to the secret value. Each of the new values is used in the cryptographic operation, thereby using the secret generator in place of the generator G in the cryptographic operation. The introduction of randomness introduces noise into the algorithms used by cryptographic systems, masking the secret value and protecting against power analysis attacks.
Description
Method for Strengthening the Implementation of ECDSA Against Power Analysis
Field of the Invention
This invention relates to a method for minimizing the vulnerability of cryptographic systems to power analysis-type attacks.
Background of the Invention
Cryptographic systems generally owe their security to the fact that a particular piece of information is kept secret. When a cryptographic algorithm is designed, it is usually assumed that a potential attacker has access to only the public values. Without the secret information it is computationally infeasible to break the scheme or the algorithm. Once an attacker is in possession of a piece of secret information they may be able to forge the signature of the victim and also decrypt secret messages intended for the victim. Thus it is of paramount importance to maintain the secrecy and integrity of the secret information in the system. The secret information is generally stored within a secure boundary in the memory space of the cryptographic processor, making it difficult for an attacker to gain direct access to the secret information. Manufacturers incorporate various types of tamper-proof hardware to prevent illicit access to the secret information. In order to decide how much tamper proofing to implement in the cryptographic system, the designers must consider the resources available to a potential attacker and the value of the information being protected. The magnitude of these resources is used to determine how much physical security to place within the device to thwart attackers who attempt to gain direct access to the secure memory. Tamper-proof devices can help prevent an attacker who is unwilling or unable to spend large amounts of time and money from gaining direct access to the secret information in the cryptographic system. Typically, the amount of work that is required to defeat tamper-proof hardware exceeds the value of the information being protected.
However, a new class of attacks has been developed on cryptographic systems that are relatively easy and inexpensive to mount in practice since they ignore the tamper-proof hardware. Recent attacks on cryptographic systems have shown that devices with secure memory may leak information that depends on the secret information, for example in the power usage of a processor computing with private information. Such attacks take advantage of information provided by an insecure channel in the device by using the channel in a method not anticipated by its designers, and so render redundant any tamper proofing in the device. Such insecure channels can be the power supply, electromagnetic radiation, or the time taken to perform operations. At particular risk are portable cryptographic tokens, including smart cards, pagers, personal digital assistants, and the like. Smart cards are especially vulnerable since they rely on an external power supply, whose output may be monitored non-intrusively. Access to the power supply is required for proper functioning of the device and so is not usually prevented with tamper-proof hardware.
Further, constrained devices tend not to have large amounts of electromagnetic shielding. Since the device is self-contained and dedicated, the power consumption and electromagnetic radiation of the smart card may be monitored as the various cryptographic algorithms are executed. Thus in a constrained environment, such as a smart card, it may be possible for an attacker to monitor an unsecured channel that leaks secret information. Such monitoring may yield additional information that is intended to be secret which, when exposed, can significantly weaken the security of a cryptographic system.
In response to the existence of such unsecured channels, manufacturers have attempted to minimize the leakage of information from cryptographic devices. However, certain channels leak information due to their physical characteristics and so it is difficult to completely eliminate leakage. A determined attacker may be able to glean information by collecting a very large number of samples and applying sophisticated statistical techniques. In addition, there are severe restrictions on what can be done in hardware on portable cryptographic tokens that are constrained in terms of power consumption and size. As a result, cryptographic tokens are particularly vulnerable to these types of attacks using unsecured channels.
The more recent attacks using the power supply that can be performed on these particularly vulnerable devices are simple power analysis, differential power analysis, higher order differential power analysis, and other related techniques. These technically sophisticated and extremely powerful analysis tools may be used by an attacker to extract secret keys from cryptographic devices. It has been shown that these attacks can be mounted quickly and inexpensively, and may be implemented using readily available hardware.
The amount of time required for these attacks depends on the type of attack and varies somewhat by device. For example, it has been shown that simple power analysis (SPA) typically takes a few seconds per card, while differential power analysis (DPA) can take several hours. In order to perform SPA, the attacker usually only needs to monitor one cryptographic operation. To perform DPA, many operations must be observed. In one method used, in order to monitor the operations, a small resistor is connected in series with the smart card's power supply and the voltage across the resistor is measured. The current used can be found by a simple computation based on the voltage and the resistance. A plot of current against time is called a power trace and shows the amount of current drawn by the processor during a cryptographic operation. Since cryptographic algorithms tend to perform different operations having different power requirements depending on the value of the secret key, there is a correlation between the value of the secret key and the power consumption of the device.
Laborious but careful analysis of end-to-end power traces can determine the fundamental operation performed by the algorithm based on each bit of a secret key and thus be analyzed to find the entire secret key, compromising the system. DPA primarily uses statistical analysis and error correction techniques to extract information that may be correlated to secret keys, while SPA attacks use primarily visual inspection to identify relevant power fluctuations. In SPA, a power trace is analyzed for any discernible features corresponding to bits of the secret key. The amount of power consumed varies depending on the executed microprocessor instructions. For example, in a typical "square-and-multiply" algorithm for exponentiation, a bit 1 in the exponent will cause the program to perform both squaring and multiply operations, while a bit 0 will cause the multiply operation to be skipped. An attacker may be able to read off the bits of a secret exponent by detecting whether the multiply operation is performed at different bit positions.
A DPA attack attempts to detect more subtle features from the power traces and is more difficult to prevent. To launch a DPA attack, a number of digital signatures are generated and the corresponding power traces are collected. The power trace may be regarded as composed of two distinct parts, namely signal and noise. The patterns that correspond to private key operations tend to remain more or less constant throughout all power traces. These patterns may be regarded as the signal. The other parts of the computation, which correspond to changing data, result in differing patterns in each power trace. These patterns can be regarded as the noise. Statistical analysis can be performed on all the power traces to separate the signal from the noise. The secret value is then derived using the identified signal.
Various techniques for preventing these power analysis attacks have been attempted to date. Manufacturers of smart cards and smart card processors have introduced random wait states and address scrambling. Smart card algorithms avoid performing significantly different operations depending on the value of a secret key and also avoid conditional jump instructions. Hardware solutions include providing well-filtered power supplies and physical shielding of processor elements or the addition of noise unrelated to secrets. However, the vulnerabilities to DPA result from transistor and circuit electrical behaviors that propagate to exposed logic gates, microprocessor operation, and ultimately the software implementations. Cryptographic algorithms to date have been designed with the assumption that there is no leakage of secret information; however, with the advent of successful power analysis attacks, it is no longer prudent to assume that a cryptographic device which will leak no secret information can be manufactured. Information stored in constrained environments is particularly difficult to protect against leakage through an unsecured channel during cryptographic operations.
Accordingly, there is a need for a system for reducing the risk of a successful power analysis attack and which is particularly applicable to current hardware environments.
Summary of the Invention
In accordance with this invention, there is provided a method of inhibiting the disclosure of confidential information through power analysis attacks on processors in cryptographic systems. The method of masking a cryptographic operation using a generator G comprises the steps of:
a) generating a secret value, which may be combined with the generator G to form a secret generator;
b) dividing the secret value into a plurality of parts;
c) generating a random value for association with the plurality of parts;
d) combining each of the plurality of parts with the random value to derive a plurality of new values such that the new values when combined are equivalent to the secret value; and
e) using each of the new values in the cryptographic operation, thereby using the secret generator in place of the generator G in the cryptographic operation.
The introduction of randomness facilitates the introduction of noise into algorithms used by cryptographic systems so as to mask the secret value and provide protection against power analysis attacks.
Brief Description of the Drawings
An embodiment of the invention will now be described by way of example only with reference to the accompanying drawings in which:
Figure 1 is a schematic diagram of a constrained device;
Figure 2 is a schematic representation of steps of a method performed by the device of Figure 1; and
Figure 3 is a flow diagram illustrating an embodiment of the invention.
Description of the Preferred Embodiments
A mechanism for protection against power analysis attacks on cryptographic systems involves the introduction of random values into existing algorithms employed by cryptographic systems. These random values are intended to introduce noise into the system.
This technique can be applied to a number of cryptographic systems, including encryption algorithms, decryption algorithms, signature schemes, and the like. In the preferred embodiment, the technique is applied to the ECDSA (elliptic curve digital signature algorithm) on a constrained device, typically a smart card, in order to inhibit the leakage of secret information.
In the ECDSA, as described in the ANSI X9.62 standard, the public values are:
- The domain parameters: an elliptic curve group E generated by a point G, and a finite field F.
- The signer's long-term public key D (corresponding to a long-term private key d).
- The signature (r, s).
Figure 1 shows generally a smart card (10) for use in a cryptographic system. The smart card incorporates a random number generator (RNG) (11), which may be implemented as hardware or software. The card also includes a cryptographic module (CRYPTO) (14), which may be for example a cryptographic co-processor or specialized software routines. The card includes a memory space (13) for storage needed while making computations, and a parameter storage space (17, 18, 19, 21) for storing the parameters G, G', 01, # of the system. The card also includes a secure memory space (15, 16) for storing its private key d split into two parts d1 and d2, and a processor (12) which may be, for example, an arithmetic logic unit, an integrated circuit, or a general purpose processing unit.
In order to generate a digital signature using an elliptic curve, the signer first computes an elliptic curve point K = kG, where k is a random number and G is the generating point of the elliptic curve group. The value k is selected as a per-message secret key and the point K serves as the corresponding per-message public key. The values k and K are also referred to as an
Background of the Invention 6 Cryptographic systems generally owe their security to the fact that a particular piece of 7 information is kept secret. When a cryptographic algorithm is designed, it is usually assumed that 8 a potential attacker has access to only the public values. Without the secret information it is 9 computationally infeasible to break the scheme or the algorithm. Once an attacker is in possession of a piece of secret information they may be able to forge the signature of the victim and also 11 decrypt secret messages intended for the victim. Thus it is of paramount importance to maintain 12 the secrecy and integrity of the secret information in the system. The secret information is 13 generally stored within a secure boundary in the memory space of the cryptographic processor, 14 making it difficult for an attacker to gain direct access to the secret information. Manufacturers incorporate various types of tamper-proof hardware to prevent illicit access to the secret 10 information. In order to decide how much tamper proofing to implement in the cryptographic 17 system, the designers must consider the resources available to a potential attacker and the value of 18 the information being protected. The magnitude of these resources is used to determine how 19 much physical security to place within the device to thwart attackers who attempt to gain direct access to the secure memory. Tamper-proof devices can help prevent an attacker who is unwilling 21 or unable to spend large amounts of time and money from gaining direct access to the secret 22 information in the cryptographic system. Typically, the amount of work that is required to defeat 23 tamper proof hardware exceeds the value of the information being protected.
24 However, a new class of attacks has been developed on cryptographic systems that are relatively easy and inexpensive to mount in practice since they ignore the tamper-proof hardware.
26 Recent attacks on cryptographic systems have shown that devices with secure memory may leak 27 information that depends on the secret information, for example in the power usage of a processor 28 computing with private information. Such attacks take advantage of information provided by an 29 insecure channel in the device by using the channel in a method not anticipated by its designers, and so render redundant any tamper proofing in the device. Such insecure channels can be the 31 power supply, electromagnetic radiation, or the time taken to perform operations. At particular 32 risk are portable cryptographic tokens, including smart cards, pagers, personal digital assistants, 33 and the like. Smart cards are especially vulnerable since they rely on an external power supply, 1 whose output may be monitored non-intrusively. Access to the power supply is required for 2 proper functioning of the device and so is not usually prevented with tamper-proof hardware.
3 Further, constrained devices tend not to have large amounts of electromagnetic shielding.
4 Since the device is self-contained and dedicated, the power consumption and electromagnetic radiation of the smart card may be monitored as the various cryptographic algorithms are 6 executed. Thus in a constrained environment, such as a smart card, it may be possible for an 7 attacker to monitor an unsecured channel that leaks secret information. Such monitoring may 8 yield additional information that is intended to be secret which, when exposed, can significantly 9 weaken the security of a cryptographic system.
In response to the existence of such unsecured channels, manufacturers have attempted to 11 minimize the leakage of information from cryptographic devices, However, certain channels leak 12 information due to their physical characteristics and so it is difficult to completely eliminate 13 leakage. A determined attacker may be able to glean information by collecting a very large 14 number of samples and applying sophisticated statistical techniques. In addition, there are severe restrictions on what can be done in hardware on portable cryptographic tokens that are 16 constrained in terms of power consumption and size. As a result, cryptographic tokens are 17 particularly vulnerable to these types of attacks using unsecured channels.
18 The more recent attacks using the power supply that can be performed on these 19 particularly vulnerable devices are simple power analysis, differential power analysis, higher order differential power analysis, and other related techniques. These technically sophisticated 21 and extremely powerful analysis tools may be used by an attacker to extract secret keys from 22 cryptographic devices. It has been shown that these attacks can be mounted quickly and 23 inexpensively, and may be implemented using readily available hardware.
24 The amount of time required for these attacks depends on the type of attack and varies somewhat by device. For example it has been shown that simple power analysis (SPA) typically 26 takes a few seconds per card, while differential power analysis (DPA) can take several hours. In 27 order to perform SPA, the attacker usually only needs to monitor one cryptographic operation. To 28 perform DPA, many operations must be observed. In one method used, in order to monitor the 29 operations, a small resistor is connected in series to smart card's power supply and the voltage across the resistor is measured. The current used can he found by a simple computation based on 31 the voltage and the resistance. A plot of current against time is called a power trace and shows the 32 amount of current drawn by the processor during a cryptographic operation.
Since cryptographic 33 algorithms tend to perform different operations having different power requirements depending l on the value of the secret key, there is a correlation between the value of the secret key and the 2 power consumption of the device.
3 Laborious but careful analysis of end-to-end power traces can determine the fundamental 4 operation performed by the algorithm based on each bit of a secret key and thus, be analyzed to find the entire secret key, compromising the system. DPA primarily uses statistical analysis and 6 error correction techniques to extract information that may be correlated to secret keys, while the 7 SPA attacks use primarily visual inspection to identify relevant power fluctuations. In SPA, a 8 power trace is analyzed for any discernible features corresponding to bits of the secret key. The 9 amount of power consumed varies depending on the executed microprocessor instructions. For example, in a typical "square-and-multiply" algorithm for exponentiation, a bit I in the exponent l 1 will cause the program to perform both squaring and multiply operations, while a bit 0 will cause 12 the multiply operation to be skipped. An attacker may be able to read off the bits of a secret 13 exponent by detecting whether the multiply operation is performed at different bit positions.
A DPA attack attempts to detect more subtle features from the power traces and is more 16 difficult to prevent. To launch a DPA attack, a number of digital signatures are generated and the 17 corresponding power traces are collected. The power trace may be regarded as composed of two 18 distinct parts, namely signal and noise. The patterns that correspond to private key operations 19 tend to remain more or less constant throughout all power traces. These patterns maybe regarded as the signal. The other parts of the computation, which correspond to changing data, result in 21 differing patterns in each power trace. These patterns can be regarded as the noise. Statistical 22 analysis can be performed on all the power traces to separate the signal from the noise. The secret 23 value is then derived using the identified signal.
Various techniques for preventing these power analysis attacks have been attempted to 26 date. Manufacturers of smart cards and smart card processors have introduced random wait states 27 and address scrambling. Smart card algorithms avoid performing significantly different 28 operations depending on the value of a secret key and also avoid conditional jump instructions.
29 Hardware solutions include providing well-filtered power supplies and physical shielding of processor elements or the addition of noise unrelated to secrets. However, the vulnerabilities to 31 DPA result from transistor and circuit electrical behaviors that propagate to exposed logic gates, 32 microprocessor operation, and ultimately the software implementations, Cryptographic 33 algorithms to date have been designed with the assumption that there is no leakage of secret 34 information, however with the advent of successful power analysis attacks, it is no longer prudent 1 to assume that a cryptographic device which will leak no secret information can be manufactured.
2 Information stored in constrained environments is particularly difficult to protect against leakage 3 through an unsecured channel during cryptographic operations.
Accordingly, there is a need for a system for reducing the risk of a successful power 6 analysis attack and which is particularly applicable to current hardware environments.
8 Summary of the Invention:
9 In accordance with this invention, there is provided a method of inhibiting the disclosure of confidential information through power analysis attacks on processors in cryptographic 11 systems. The method of masking a cryptographic operation using a generator G comprises the 12 steps of.
13 a) generating a secret value, which may be combined with the generator G to form a 14 secret generator;
b) dividing the secret value into a plurality of parts;
16 C) generating a random value for association with the plurality of parts;
17 d) combining each of the plurality of parts with the random value to derive a 18 plurality of new values such that the new values when combined are equivalent 19 to the secret value; and e) using each of the new values in the cryptographic operation, thereby using the 21 secret generator in place of the generator G in the cryptographic operation.
23 The introduction of randomness facilitates the introduction of noise into algorithms used 24 by cryptographic systems so as to mask the secret value and provide protection against power analysis attacks.
28 Brief Description of the Drawings 29 An embodiment of the invention will now be described by way of example only with reference to the accompanying drawings in which:
31 Figure 1 is a schematic diagram of a constrained device;
1 Figure 2 is a schematic representation of steps of a method performed by the device of 2 Figure 1; and 3 Figure 3 is a flow diagram illustrating an embodiment of the invention.
Description of the Preferred Embodiments 6 A mechanism for protection against power analysis attacks on cryptographic systems 7 involves the introduction of random values into existing algorithms employed by cryptographic 8 systems. These random values are intended to introduce noise into the system.
This technique can be applied to a number of cryptographic systems, including 11 encryption algorithms, decryption algorithms, signature schemes, and the like. In the preferred 12 embodiment, the technique is applied to the ECDSA (elliptic curve digital signature algorithm) on 13 a constrained device, typically a smart card, in order to inhibit the leakage of secret information.
In the ECDSA, as described in the ANSI X9.62 standard, the public values are:
- The domain parameters: an elliptic curve group E generated by a point G, and a finite field F.
- The signer's long-term public key D (corresponding to a long-term private key d).
- The signature (r, s).
Figure 1 shows generally a smart card (10) for use in a cryptographic system.
The smart card incorporates a random number generator (RNG) (11), which may be implemented as hardware or software. The card also includes a cryptographic module (CRYPTO) (14), which may be for example a cryptographic co-processor or specialized software routines. The card includes a memory space (13) for storage needed while making computations, and a parameter storage space (17, 18, 19, 21) for storing the parameters G, G', β1, β2 of the system. The card also includes a secure memory space (15, 16) for storing its private key d split into two parts d1 and d2, and a processor (12) which may be, for example, an arithmetic logic unit, an integrated circuit, or a general purpose processing unit.
In order to generate a digital signature using an elliptic curve, the signer first computes an elliptic curve point K = kG, where k is a random number and G is the generating point of the elliptic curve group. The value k is selected as a per-message secret key and the point K serves as the corresponding per-message public key. The values k and K are also referred to as an ephemeral private key and an ephemeral public key respectively. These values are used to generate a signature (r, s) wherein:
K = kG;
r = K_x mod n, where K_x is the x coordinate of K and n is the order of the generating point G; and
s = k^-1 (e + dr) mod n, where e is the message to be signed.
The ANSI X9.62 standard provides techniques for interpreting the bit strings corresponding to finite field elements as integers in the above calculations. The standard also provides some guidelines on what elliptic curve groups and finite fields can be used.
Several algorithms, using both direct and indirect methods, may be used to compute kG in order to obtain the elliptic curve point K. Algorithms to compute signature components are potentially vulnerable to power analysis attacks since they perform different operations depending on the bits in the secret values. Repeated iterations of the algorithm use the same secret values, and so their power traces are statistically correlated to the secret values.
In order to mask a private key or other secret value to improve resistance to DPA-like attacks, a random value is introduced into the algorithm as shown in Figure 2. This random value avoids repeated use of a secret value in order to eliminate correlation among the power traces. There will be no signal to differentiate from the background noise since no operation is repeated on subsequent iterations of the algorithm.
In the case of a long-term private key, the private key d is split into two parts d1 and d2 such that d = d1 + d2. As seen in Figure 2, the card generates its private key d (110), then computes the public key dG (112). The public key is sent to the server (114), which keeps it in a directory for future use. A smart card is initialized with a private key d being split into the values d1 = d (118) and d2 = 0 (116) as is illustrated in Figure 2. The initialization is performed either by embedding the private key at manufacture or by instructing the smart card to generate its own private key. These initial values d1 and d2 are stored in the device instead of storing the value for d. Each time a digital signature is generated, a random value Δ is generated using the hardware random number generator 11, and d1 and d2 are updated as follows:
d1 = d1(old) + Δ (mod n), and d2 = d2(old) − Δ (mod n).
The formula for s, one component of the digital signature, then becomes:
s = k^-1 (e + (d1 r + d2 r)) mod n.
When computing the above formula, the quantities d1 and d2 are essentially random values because of the random quantity Δ that is introduced after each signature. When comparing subsequent signatures, there is no correlation in the side channels to either the calculation of d1 r or d2 r corresponding to the secret key d, since the quantities d1 and d2 are randomized in each successive signature; only together does the correlation to d emerge, and this changes every time. As a result, leakage of the private key d is minimized when computing the components of the digital signature. However, the component r of the digital signature is also calculated using the private key k, and the calculation of r has in the past been vulnerable to power analysis type attacks. In order to compute r, the signer must compute kG, and so information about the value of the secret key k may leak during the repeated group operations.
In order to protect the per-message secret key k during computation of r, the signer modifies the group generator used. In order to mask the value of k, a random value β is introduced and stored for each smart card such that G' = βG, where β is a random number generated for each smart card. The point G' can be used as a secret generating point for each user, thus using the random value β to hide some information about k.
It is recognized that the signer's effective per-message secret key is kβ, corresponding to the public key kβG. The security is thus based on the secrecy of the derived value kβ, which could be computed from k and β, both of which are secret. It is also recognized that the per-message secret key may be regarded as k and the per-message public key as kG'. However, unless the point G' were shared publicly, knowledge of k alone would not permit the computation of shared keys based on kG'.
During smart card personalization, when the private/public key pair is generated on the smart card, the point G' is computed. The introduction of β in the calculation of a digital signature means the formula still contains a constant value, making it vulnerable to power analysis type attacks. In order to overcome these attacks, β is split into two parts β1 and β2, and those parts are updated by a random value π every time a signature is generated. This process is detailed in Figure 3.
β1 = β1(old) + π,
β2 = β2(old) − π.
In order to verify signatures produced in this manner, the verifier uses standard ECDSA verification from ANSI X9.62, since the signer's secret key remains unchanged when using this technique.
Thus the formulae for the ECDSA signature scheme in the preferred embodiment are:
K = kG';
r = K_x mod n, where K_x is the x coordinate of K and n is the order of the point G'; and
s = (kβ1 + kβ2)^-1 (e + (d1 r + d2 r)) mod n.
Using these formulae to compute ECDSA signatures reduces the vulnerability of the algorithm to power analysis attacks. It is recognized that similar techniques may be applied to other signatures. For example, ECNR or any other signature form could be used. These techniques may also be used individually, not necessarily in combination. Also, the ECDSA signature equation is not a necessary component of these techniques.
Figure 3 shows the generation of a digital signature in accordance with the above protocol. First, the signer generates a random private session key k (200), and stores k (210) for future use in the algorithm. The signer updates the values β1 (224) and β2 (226) as described above by generating a random π (222) and then computes the public session key r (220). The signer then obtains the input message e or hash thereof (250). The signer then computes the signature s (260). The signer updates the private key parts d1 (264) and d2 (266) as described earlier by generating a random Δ (262).
The inverse algorithm used in the generation of the digital signature to compute k^-1 is also potentially vulnerable to power analysis attacks since it performs repeated operations on the secret key every time a signature is generated. This vulnerability is reduced in a further embodiment by introducing a random w, and computing (kw)^-1 instead of k^-1. The signing formula works since k^-1 = w (kw)^-1.
Thus the formulae for the ECDSA signature scheme in this embodiment are:
K = kG';
r = K_x mod n, where K_x is the x coordinate of K and n is the order of the point G'; and
s = w (kwβ1 + kwβ2)^-1 (e + (d1 r + d2 r)) mod n.
Updating the parts of the private key may occur before or after the generation of the random w.
In a further embodiment, since G' = β1 G + β2 G, the value of kG' can be computed as (kβ1)G + (kβ2)G. In this way, the value of k is masked when computing kG', even if the value of β is determined. The formula for K then becomes: K = (kβ1)G + (kβ2)G.
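The complete signing procedure described above (the split long-term key d = d1 + d2 refreshed by Δ, the secret generator G' = βG with β = β1 + β2 refreshed by π, the w-blinded inversion, and K formed as (kβ1)G + (kβ2)G), worked through as an added Python example. This is not code from the patent or its assignee; it assumes the standard secp256k1 domain parameters, uses plain affine double-and-add (the scalar-dependent branch that motivates the masking), and the class and function names are this example's own. Standard X9.62 verification against the public generator G is included to show that the verifier needs no knowledge of the masking.

```python
"""Masked ECDSA signer modelled on the description above. Added example, not code
from the patent. Assumes secp256k1 (public, standard parameters); MaskedSigner,
ec_add, ec_mul, verify and message_digest are this example's own names."""
import hashlib
import secrets

# secp256k1 domain parameters; P written as its defining formula 2^256 - 2^32 - 977.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; handles doubling and P + (-P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Left-to-right double-and-add. The conditional add depends on each scalar bit,
    which is why reusing the same scalar correlates successive power traces."""
    acc = INF
    for bit in bin(k % N)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc


def rand_scalar():
    return secrets.randbelow(N - 1) + 1              # uniform in [1, N-1]


def message_digest(msg: bytes) -> int:
    """e: the message hash interpreted as an integer mod N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class MaskedSigner:
    """Stores only the parts d1, d2 and beta1, beta2; d and beta are never recombined."""

    def __init__(self, d=None):
        d = d or rand_scalar()
        self.public_key = ec_mul(d, G)               # dG, sent to the directory (112, 114)
        self.d1, self.d2 = d, 0                      # initial split (Figure 2): d1 = d, d2 = 0
        beta = rand_scalar()                         # per-card secret generator G' = beta*G
        self.beta1, self.beta2 = beta, 0
        self.G_prime = ec_mul(beta, G)

    def _rerandomize(self):
        """Fresh Delta and pi per signature; the sums stay d and beta modulo N."""
        delta, pi = rand_scalar(), rand_scalar()
        self.d1, self.d2 = (self.d1 + delta) % N, (self.d2 - delta) % N
        self.beta1, self.beta2 = (self.beta1 + pi) % N, (self.beta2 - pi) % N

    def sign(self, e):
        while True:
            k = rand_scalar()
            self._rerandomize()
            # K = kG' = (k*beta1)G + (k*beta2)G: no scalar multiplication sees k alone
            K = ec_add(ec_mul(k * self.beta1 % N, G), ec_mul(k * self.beta2 % N, G))
            r = K[0] % N
            if r == 0:
                continue
            w = rand_scalar()                        # blinded inversion: k^-1 = w (kw)^-1
            kbeta_inv = w * pow((k * w * self.beta1 + k * w * self.beta2) % N, -1, N) % N
            s = kbeta_inv * (e + self.d1 * r + self.d2 * r) % N
            if s == 0:
                continue
            return r, s


def verify(public_key, e, sig):
    """Unchanged ANSI X9.62 verification against the public generator G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    c = pow(s, -1, N)
    X = ec_add(ec_mul(e * c % N, G), ec_mul(r * c % N, public_key))
    return X is not INF and X[0] % N == r


def demo():
    """Sign a constructed sample message and verify it with the standard check."""
    card = MaskedSigner()
    e = message_digest(b"constructed sample message")
    return verify(card.public_key, e, card.sign(e))
```

Because the effective per-message secret is kβ and K = kβG, the verifier recovers s^-1 (e + dr) G = K with the ordinary equations and never learns that G' or the split parts were used. Note that ec_mul here is deliberately the plain branching algorithm the description calls vulnerable: the masking changes the scalars it sees on every call, not the algorithm itself.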
Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto. For example, it is not necessary that there be two components combining to make the private key.
Claims (14)
1. A method of masking a cryptographic operation using a generating point G, said method comprising the steps of:
a) generating a secret value;
b) generating a masking value for association with said secret value;
c) applying said masking value to said secret value and said generating point G to obtain a new value corresponding to the combination of said secret value, said generating point G and said masking value for use as a session public key; and,
d) using said new value in said cryptographic operation, thereby using a secret generating point corresponding to a combination of said masking value and said generating point G in place of said generating point G in said cryptographic operation.
2. The method of claim 1, wherein said masking value is divided into a plurality of parts and each of said parts is combined with a random value to provide a plurality of further values such that when said further values are combined a value equivalent to a session private key corresponding to said session public key is obtained.
3. The method of claim 1 or 2, wherein said further values are updated by said random value each time a digital signature is generated.
4. The method of claim 2 or claim 3, wherein said masking value, when divided into first and second parts, has said random value added to said first part and subtracted from said second part such that the sum of said first and second parts and said associated random value is equivalent to said original secret value.
5. The method of claim 1, wherein said cryptographic system is an elliptic curve digital signature algorithm.
6. A computer readable medium comprising computer executable instructions for performing the method according to any one of claims 1 to 5.
7. A cryptographic processor configured to perform the method according to any one of claims 1 to 5.
8. A method of computing a public key corresponding to a private key d in a cryptosystem, wherein the cryptosystem uses a generator G, said method comprising the steps of:
a) representing a masking value β as a plurality of values which may be combined to obtain said masking value;
b) combining each of said plurality of values with said private key to obtain a plurality of private key components;
c) combining each of said plurality of private key components with said generator to obtain a plurality of public key components; and,
d) combining said public key components to obtain said public key.
9. A method according to claim 8, wherein said plurality of public key components are combined by addition.
10. A method according to claim 8, wherein said plurality of values are combined with said private key by multiplication.
11. A method according to claim 8, wherein said plurality of private key components are combined with said generator G by exponentiation.
12. A method according to claim 8, wherein said public key is computed as (dβ1)G + (dβ2)G, wherein β1 and β2 correspond to said plurality of values which may be combined to obtain said masking value.
13. A computer readable medium comprising computer executable instructions for performing the method according to any one of claims 8 to 12.
14. A cryptographic processor configured to perform the method according to any one of claims 8 to 12.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/119,803 | 2002-04-11 | ||
US10/119,803 US7599491B2 (en) | 1999-01-11 | 2002-04-11 | Method for strengthening the implementation of ECDSA against power analysis |
CA2424484A CA2424484C (en) | 2002-04-11 | 2003-04-04 | Method for strengthening the implementation of ecdsa against power analysis |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2424484A Division CA2424484C (en) | 2002-04-11 | 2003-04-04 | Method for strengthening the implementation of ecdsa against power analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2796149A1 true CA2796149A1 (en) | 2003-10-11 |
CA2796149C CA2796149C (en) | 2015-01-13 |
Family
ID=28789988
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2796149A Expired - Lifetime CA2796149C (en) | 2002-04-11 | 2003-04-04 | Method for strengthening the implementation of ecdsa against power analysis |
CA2424484A Expired - Lifetime CA2424484C (en) | 2002-04-11 | 2003-04-04 | Method for strengthening the implementation of ecdsa against power analysis |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2424484A Expired - Lifetime CA2424484C (en) | 2002-04-11 | 2003-04-04 | Method for strengthening the implementation of ecdsa against power analysis |
Country Status (2)
Country | Link |
---|---|
US (3) | US7599491B2 (en) |
CA (2) | CA2796149C (en) |
Families Citing this family (69)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7555122B2 (en) * | 2002-12-04 | 2009-06-30 | Wired Communications LLC | Method for elliptic curve point multiplication |
FR2856538B1 (en) * | 2003-06-18 | 2005-08-12 | Gemplus Card Int | COUNTERMEASURE METHOD IN AN ELECTRONIC COMPONENT USING A CRYPTOGRAPHIC ALGORITHM OF THE PUBLIC KEY TYPE |
KR20060127921A (en) * | 2004-01-27 | 2006-12-13 | 코닌클리즈케 필립스 일렉트로닉스 엔.브이. | Protection against power analysis attacks |
EP1714420B1 (en) | 2004-02-13 | 2010-12-01 | Certicom Corp. | One way authentication |
FR2867635B1 (en) * | 2004-03-11 | 2006-09-22 | Oberthur Card Syst Sa | SECURE DATA PROCESSING METHOD, BASED IN PARTICULAR ON A CRYPTOGRAPHIC ALGORITHM |
WO2005103908A1 (en) * | 2004-04-26 | 2005-11-03 | Matsushita Electric Industrial Co., Ltd. | Computer system and computer program executing encryption or decryption |
FR2874440B1 (en) * | 2004-08-17 | 2008-04-25 | Oberthur Card Syst Sa | METHOD AND DEVICE FOR PROCESSING DATA |
US8467535B2 (en) * | 2005-01-18 | 2013-06-18 | Certicom Corp. | Accelerated verification of digital signatures and public keys |
WO2006076800A1 (en) | 2005-01-18 | 2006-07-27 | Certicom Corp. | Accelerated verification of digital signatures and public keys |
CA2594670C (en) * | 2005-01-21 | 2014-12-23 | Certicom Corp. | Elliptic curve random number generation |
US8825556B2 (en) * | 2005-01-28 | 2014-09-02 | Cardinalcommerce Corporation | System and method for conversion between Internet and non-Internet based transactions |
CN101185105A (en) * | 2005-05-31 | 2008-05-21 | Nxp股份有限公司 | Electronic circuit arrangement and method of operating such electronic circuit arrangement |
CA2542556C (en) | 2005-06-03 | 2014-09-16 | Tata Consultancy Services Limited | An authentication system executing an elliptic curve digital signature cryptographic process |
EP1899803A2 (en) * | 2005-06-29 | 2008-03-19 | Koninklijke Philips Electronics N.V. | Arrangement for and method of protecting a data processing device against an attack or analysis |
US8738927B2 (en) * | 2005-06-29 | 2014-05-27 | Irdeto B.V. | Arrangement for and method of protecting a data processing device against an attack or analysis |
KR101194837B1 (en) * | 2005-07-12 | 2012-10-25 | 삼성전자주식회사 | Cryptographic apparatus and method for fast computation of blinding-exponent DPA countermeasure |
US8656175B2 (en) * | 2005-10-31 | 2014-02-18 | Panasonic Corporation | Secure processing device, secure processing method, encrypted confidential information embedding method, program, storage medium, and integrated circuit |
KR101421202B1 (en) * | 2006-02-28 | 2014-07-22 | 써티콤 코포레이션 | System and method for product registration |
FR2902951B1 (en) * | 2006-06-23 | 2008-09-12 | Sagem Defense Securite | ELLIPTICAL CURVED CRYPTOGRAPHY |
EP2122899B1 (en) * | 2007-03-06 | 2011-10-05 | Research In Motion Limited | Integer division in a manner that counters a power analysis attack |
US8027466B2 (en) * | 2007-03-07 | 2011-09-27 | Research In Motion Limited | Power analysis attack countermeasure for the ECDSA |
US8160245B2 (en) | 2007-03-07 | 2012-04-17 | Research In Motion Limited | Methods and apparatus for performing an elliptic curve scalar multiplication operation using splitting |
US8219820B2 (en) | 2007-03-07 | 2012-07-10 | Research In Motion Limited | Power analysis countermeasure for the ECMQV key agreement algorithm |
EP2168299A4 (en) * | 2007-07-17 | 2011-10-05 | Certicom Corp | Method of compressing a cryptographic value |
JP5121930B2 (en) * | 2007-07-17 | 2013-01-16 | サーティコム コーポレーション | How to provide a textual representation of cryptographic values |
FR2924879B1 (en) * | 2007-12-07 | 2009-12-18 | Sagem Securite | METHOD OF ENCODING A SECRET FORMED BY A DIGITAL VALUE |
US8422685B2 (en) | 2008-02-26 | 2013-04-16 | King Fahd University Of Petroleum And Minerals | Method for elliptic curve scalar multiplication |
US20090214023A1 (en) * | 2008-02-26 | 2009-08-27 | Al-Somani Turki F | Method for elliptic curve scalar multiplication |
US8165286B2 (en) * | 2008-04-02 | 2012-04-24 | Apple Inc. | Combination white box/black box cryptographic processes and apparatus |
FR2941343B1 (en) * | 2009-01-20 | 2011-04-08 | Groupe Des Ecoles De Telecommunications Get Ecole Nat Superieure Des Telecommunications Enst | CIRCUIT OF CRYPTOGRAPHY, PROTECTS IN PARTICULAR AGAINST ATTACKS BY OBSERVATION OF LEAKS OF INFORMATION BY THEIR ENCRYPTION. |
US10691860B2 (en) | 2009-02-24 | 2020-06-23 | Rambus Inc. | Secure logic locking and configuration with camouflaged programmable micro netlists |
US10476883B2 (en) | 2012-03-02 | 2019-11-12 | Inside Secure | Signaling conditional access system switching and key derivation |
CA2767189C (en) * | 2009-09-29 | 2015-02-10 | Silverbrook Research Pty Ltd | Communication system, method and device with limited encryption key retrieval |
US8775813B2 (en) * | 2010-02-26 | 2014-07-08 | Certicom Corp. | ElGamal signature schemes |
EP2553866B1 (en) * | 2010-03-31 | 2018-11-21 | Irdeto B.V. | System and method for protecting cryptographic assets from a white-box attack |
JP2012083542A (en) * | 2010-10-12 | 2012-04-26 | Renesas Electronics Corp | Encryption processing device and control method of encryption processing circuit |
US8705730B2 (en) * | 2010-12-23 | 2014-04-22 | Morega Systems Inc. | Elliptic curve cryptography with fragmented key processing and methods for use therewith |
US8892908B2 (en) | 2010-12-23 | 2014-11-18 | Morega Systems Inc. | Cryptography module for use with fragmented key and methods for use therewith |
WO2012086076A1 (en) * | 2010-12-24 | 2012-06-28 | 三菱電機株式会社 | Signature generating device, method of generating signature, and recording medium |
US8627091B2 (en) * | 2011-04-01 | 2014-01-07 | Cleversafe, Inc. | Generating a secure signature utilizing a plurality of key shares |
US11418580B2 (en) | 2011-04-01 | 2022-08-16 | Pure Storage, Inc. | Selective generation of secure signatures in a distributed storage network |
US10298684B2 (en) | 2011-04-01 | 2019-05-21 | International Business Machines Corporation | Adaptive replication of dispersed data to improve data access performance |
US8525545B1 (en) | 2011-08-26 | 2013-09-03 | Lockheed Martin Corporation | Power isolation during sensitive operations |
US8624624B1 (en) | 2011-08-26 | 2014-01-07 | Lockheed Martin Corporation | Power isolation during sensitive operations |
GB2494731B (en) | 2011-09-06 | 2013-11-20 | Nds Ltd | Preventing data extraction by sidechannel attack |
US8745376B2 (en) | 2011-10-14 | 2014-06-03 | Certicom Corp. | Verifying implicit certificates and digital signatures |
EP2820546B1 (en) * | 2012-03-02 | 2019-07-31 | INSIDE Secure | Blackbox security provider programming system permitting multiple customer use and in field conditional access switching |
JP5689571B2 (en) * | 2013-02-28 | 2015-03-25 | パナソニックIpマネジメント株式会社 | Cryptographic processing device |
JP6178142B2 (en) * | 2013-07-12 | 2017-08-09 | 株式会社東芝 | Generator, method, and program |
FR3010210B1 (en) * | 2013-08-29 | 2017-01-13 | Stmicroelectronics Rousset | PROTECTION OF CALCULATION AGAINST HIDDEN CHANNEL ATTACKS |
US9081968B2 (en) | 2013-12-11 | 2015-07-14 | International Business Machines Corporation | Quantitative analysis of information leakage vulnerabilities |
US10396984B2 (en) | 2014-05-02 | 2019-08-27 | Barclays Services Limited | Apparatus and system having multi-party cryptographic authentication |
JP6058245B2 (en) * | 2015-01-15 | 2017-01-11 | 三菱電機株式会社 | Random number expansion apparatus, random number expansion method and random number expansion program |
EP3437248A4 (en) * | 2016-03-30 | 2019-11-06 | The Athena Group, Inc. | Key update for masked keys |
US9800411B1 (en) | 2016-05-05 | 2017-10-24 | ISARA Corporation | Using a secret generator in an elliptic curve cryptography (ECC) digital signature scheme |
EP3376705A1 (en) | 2017-03-17 | 2018-09-19 | Koninklijke Philips N.V. | Elliptic curve point multiplication device and method in a white-box context |
GB201707168D0 (en) * | 2017-05-05 | 2017-06-21 | Nchain Holdings Ltd | Computer-implemented system and method |
CN107968710B (en) * | 2017-11-27 | 2020-08-25 | 武汉理工大学 | SM9 digital signature separation interaction generation method and system |
FR3085215B1 (en) * | 2018-08-21 | 2020-11-20 | Maxim Integrated Products | DEVICES AND METHODS FOR MASKING ECC CRYPTOGRAPHY OPERATIONS |
US10432405B1 (en) | 2018-09-05 | 2019-10-01 | Accelor Ltd. | Systems and methods for accelerating transaction verification by performing cryptographic computing tasks in parallel |
US10404473B1 (en) | 2018-09-05 | 2019-09-03 | Accelor Ltd. | Systems and methods for processing transaction verification operations in decentralized applications |
US10333694B1 (en) | 2018-10-15 | 2019-06-25 | Accelor Ltd. | Systems and methods for secure smart contract execution via read-only distributed ledger |
KR20200046481A (en) * | 2018-10-24 | 2020-05-07 | 삼성전자주식회사 | A random number generator, an encryption device including the same and a operating method thereof |
US11228448B2 (en) * | 2018-11-20 | 2022-01-18 | Iot And M2M Technologies, Llc | Mutually authenticated ECDHE key exchange for a device and a network using multiple PKI key pairs |
US11194933B2 (en) * | 2019-06-04 | 2021-12-07 | Intel Corporation | Circuits supporting improved side channel and fault injection attack resistance |
CN110299998B (en) * | 2019-07-04 | 2020-09-04 | 武汉理工大学 | SM9 digital signature collaborative generation method and system by means of intermediate parameters |
JP2021128261A (en) * | 2020-02-14 | 2021-09-02 | 株式会社野村総合研究所 | Device for multi-party calculation of secret dispersion base |
CN116522351A (en) * | 2022-01-20 | 2023-08-01 | 瑞昱半导体股份有限公司 | Method for reducing success rate, cryptographic system processing circuit and electronic device |
CN117614608B (en) * | 2024-01-22 | 2024-04-16 | 南京航空航天大学 | NTT (network time Table) defense method for resisting energy analysis attack |
Family Cites Families (42)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4519036A (en) | 1983-01-05 | 1985-05-21 | Emi Limited | Program storage hardware with security scheme |
EP0383985A1 (en) | 1989-02-24 | 1990-08-29 | Claus Peter Prof. Dr. Schnorr | Method for subscriber identification and for generation and verification of electronic signatures in a data exchange system |
US5202995A (en) | 1989-10-12 | 1993-04-13 | International Business Machines Corporation | Method for removing invariant branches from instruction loops of a computer program |
FR2672402B1 (en) | 1991-02-05 | 1995-01-27 | Gemplus Card Int | METHOD AND DEVICE FOR THE GENERATION OF UNIQUE PSEUDO-RANDOM NUMBERS. |
US5666296A (en) | 1991-12-31 | 1997-09-09 | Texas Instruments Incorporated | Method and means for translating a data-dependent program to a data flow graph with conditional expression |
US5524222A (en) | 1992-03-27 | 1996-06-04 | Cyrix Corporation | Microsequencer allowing a sequence of conditional jumps without requiring the insertion of NOP or other instructions |
JPH08504962A (en) | 1992-12-22 | 1996-05-28 | テルストラ・コーポレイション・リミテッド | Encryption method |
JPH06314203A (en) | 1993-04-28 | 1994-11-08 | Fujitsu Ltd | Method and device for optimizing compiler |
US5825880A (en) * | 1994-01-13 | 1998-10-20 | Sudia; Frank W. | Multi-step digital signature method and system |
CA2129203C (en) | 1994-07-29 | 2010-01-12 | Gordon B. Agnew | Public key cryptography utilizing elliptic curves |
CA2167631A1 (en) * | 1995-01-20 | 1996-07-21 | W. Dale Hopkins | Method and apparatus for user and security device authentication |
US5675645A (en) | 1995-04-18 | 1997-10-07 | Ricoh Company, Ltd. | Method and apparatus for securing executable programs against copying |
US5768389A (en) * | 1995-06-21 | 1998-06-16 | Nippon Telegraph And Telephone Corporation | Method and system for generation and management of secret key of public key cryptosystem |
US5764772A (en) | 1995-12-15 | 1998-06-09 | Lotus Development Corporation | Differential work factor cryptography method and system |
US5778069A (en) * | 1996-04-10 | 1998-07-07 | Microsoft Corporation | Non-biased pseudo random number generator |
US5892899A (en) | 1996-06-13 | 1999-04-06 | Intel Corporation | Tamper resistant methods and apparatus |
US6526456B1 (en) | 1996-07-01 | 2003-02-25 | David Ian Allan | Distribution and controlled use of software products |
JP3625340B2 (en) | 1996-09-19 | 2005-03-02 | 株式会社東芝 | Security system |
US5937066A (en) * | 1996-10-02 | 1999-08-10 | International Business Machines Corporation | Two-phase cryptographic key recovery system |
CA2228185C (en) * | 1997-01-31 | 2007-11-06 | Certicom Corp. | Verification protocol |
US5991415A (en) | 1997-05-12 | 1999-11-23 | Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science | Method and apparatus for protecting public key schemes from timing and fault attacks |
US6307940B1 (en) * | 1997-06-25 | 2001-10-23 | Canon Kabushiki Kaisha | Communication network for encrypting/deciphering communication text while updating encryption key, a communication terminal thereof, and a communication method thereof |
US6411715B1 (en) * | 1997-11-10 | 2002-06-25 | Rsa Security, Inc. | Methods and apparatus for verifying the cryptographic security of a selected private and public key pair without knowing the private key |
US6279110B1 (en) * | 1997-11-10 | 2001-08-21 | Certicom Corporation | Masked digital signatures |
US6334189B1 (en) | 1997-12-05 | 2001-12-25 | Jamama, Llc | Use of pseudocode to protect software from unauthorized use |
ATE429748T1 (en) | 1998-01-02 | 2009-05-15 | Cryptography Res Inc | LEAK RESISTANT CRYPTOGRAPHIC METHOD AND APPARATUS |
US6404890B1 (en) * | 1998-04-08 | 2002-06-11 | Citibank, Na | Generating RSA moduli including a predetermined portion |
AU5203899A (en) * | 1998-06-03 | 1999-12-20 | Cryptography Research, Inc. | Using unpredictable information to minimize leakage from smartcards and other cryptosystems |
JP2002519722A (en) * | 1998-06-03 | 2002-07-02 | クリプターグラフィー リサーチ インコーポレイテッド | Improved DES and other cryptographic processes for smart cards and other cryptographic systems to minimize leakage |
CA2259089C (en) | 1999-01-15 | 2013-03-12 | Robert J. Lambert | Method and apparatus for masking cryptographic operations |
US6298135B1 (en) * | 1999-04-29 | 2001-10-02 | Motorola, Inc. | Method of preventing power analysis attacks on microelectronic assemblies |
US6804782B1 (en) | 1999-06-11 | 2004-10-12 | General Instrument Corporation | Countermeasure to power attack and timing attack on cryptographic operations |
US6419159B1 (en) * | 1999-06-14 | 2002-07-16 | Microsoft Corporation | Integrated circuit device with power analysis protection circuitry |
KR100373669B1 (en) * | 1999-09-29 | 2003-02-26 | 가부시키가이샤 히타치세이사쿠쇼 | The device for processing secret information, recording medium for storing program and system therefor |
US6724894B1 (en) * | 1999-11-05 | 2004-04-20 | Pitney Bowes Inc. | Cryptographic device having reduced vulnerability to side-channel attack and method of operating same |
DE19963408A1 (en) * | 1999-12-28 | 2001-08-30 | Giesecke & Devrient Gmbh | Portable data carrier with access protection by key division |
FR2809893B1 (en) * | 2000-06-02 | 2002-11-15 | Gemplus Card Int | COUNTER-MEASUREMENT METHOD IN AN ELECTRONIC COMPONENT USING A PUBLIC KEY CRYPTOGRAPHY ALGORITHM ON AN ELLIPTICAL CURVE |
JP2002328845A (en) * | 2001-05-07 | 2002-11-15 | Fujitsu Ltd | Semiconductor integrated circuit and method for protecting security of ic card |
JP4596686B2 (en) * | 2001-06-13 | 2010-12-08 | 富士通株式会社 | Secure encryption against DPA |
US7142670B2 (en) * | 2001-08-14 | 2006-11-28 | International Business Machines Corporation | Space-efficient, side-channel attack resistant table lookups |
KR100720726B1 (en) * | 2003-10-09 | 2007-05-22 | 삼성전자주식회사 | Security system using ??? algorithm and method thereof |
JP4680876B2 (en) * | 2006-12-11 | 2011-05-11 | ルネサスエレクトロニクス株式会社 | Information processing apparatus and instruction fetch control method |
- 2002
  - 2002-04-11 US US10/119,803 patent/US7599491B2/en not_active Expired - Lifetime
- 2003
  - 2003-04-04 CA CA2796149A patent/CA2796149C/en not_active Expired - Lifetime
  - 2003-04-04 CA CA2424484A patent/CA2424484C/en not_active Expired - Lifetime
- 2009
  - 2009-06-30 US US12/495,429 patent/US8280048B2/en not_active Expired - Lifetime
- 2012
  - 2012-09-14 US US13/619,557 patent/US8621239B2/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CA2424484A1 (en) | 2003-10-11 |
US8280048B2 (en) | 2012-10-02 |
US20030194086A1 (en) | 2003-10-16 |
US7599491B2 (en) | 2009-10-06 |
CA2424484C (en) | 2013-01-29 |
US20090262930A1 (en) | 2009-10-22 |
US8621239B2 (en) | 2013-12-31 |
CA2796149C (en) | 2015-01-13 |
US20130073867A1 (en) | 2013-03-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8621239B2 (en) | Method for strengthening the implementation of ECDSA against power analysis | |
US10902156B2 (en) | Asymmetrically masked multiplication | |
Barenghi et al. | Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures | |
US8402287B2 (en) | Protection against side channel attacks | |
Vigilant | RSA with CRT: A new cost-effective solution to thwart fault attacks | |
EP2332040B1 (en) | Countermeasure securing exponentiation based cryptography | |
Walter | Simple power analysis of unified code for ECC double and add | |
US20210152331A1 (en) | Protecting polynomial hash functions from external monitoring attacks | |
JP2004304800A (en) | Protection of side channel for prevention of attack in data processing device | |
JP2010164904A (en) | Elliptic curve arithmetic processing unit and elliptic curve arithmetic processing program and method | |
TWI512610B (en) | Modular reduction using a special form of the modulus | |
CA2259089C (en) | Method and apparatus for masking cryptographic operations | |
Gupta et al. | Impact of side channel attack in information security | |
EP3698262B1 (en) | Protecting modular inversion operation from external monitoring attacks | |
US11824986B2 (en) | Device and method for protecting execution of a cryptographic operation | |
JP2017526981A5 (en) | ||
Muir | Techniques of side channel cryptanalysis | |
Walter | Some security aspects of the MIST randomized exponentiation algorithm | |
Batina et al. | SCA-secure ECC in software–mission impossible? | |
JP2004310752A (en) | Error detection in data processor | |
KR100772550B1 (en) | Enhanced message blinding method to resistant power analysis attack | |
Spadavecchia | A network-based asynchronous architecture for cryptographic devices | |
Pontie et al. | Dummy operations in scalar multiplication over elliptic curves: a tradeoff between security and performance | |
Smart | Physical side‐channel attacks on cryptographic systems | |
Mahanta et al. | Modular exponentiation with inner product to resist higher-order DPA attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | EEER | Examination request | Effective date: 20121119 |
 | MKEX | Expiry | Effective date: 20230404 |