1. Patent Search
  2. Details

CRYPTOGRAPHIC PROCESSING METHOD, RELATED ELECTRONIC DEVICE AND COMPUTER PROGRAM

20210409208 · 2021-12-30

    Inventors

    Cpc classification

    International classification

    Abstract

    A cryptographic processing method comprises the following steps: obtaining a second number determined by adding to a first number the order of a finite group or a multiple of this order; determining a quotient and a remainder by dividing the second number by a random number; obtaining a third element equal to the combination of elements equal to a first element of the finite group and in number equal to the product of the quotient and the random number; obtaining a fourth element equal to the combination of elements equal to the first element and in number equal to the remainder; determining a second element by combining the third element and the fourth element.

    Claims

    1. A cryptographic processing method comprising the determination, in a finite order group provided with an operation and from a first element (M) of this group, of a second element (S.sub.p; P) equal to the combination, by means of said operation, of elements equal to the first element (M) and in number equal to a first number (d.sub.p), wherein said cryptographic processing method comprises the following steps: obtaining (E10; E32) a second number (d″) determined by adding to the first number (d.sub.p) said order or a multiple of said order; determining (E12; E30) a random number (a); determining (E14; E34) a quotient (Q; q) and a remainder (R; r) using the Euclidean division of the second number (d″) by the random number (a); obtaining (E16; E36) a third element (E.sub.1; I) equal to the combination, by means of said operation, of elements equal to the first element (M) and in number equal to the product of the quotient (Q; q) and the random number (a); obtaining (E18; E38) a fourth element (E2; J) equal to the combination, by means of said operation, of elements equal to the first element (M) and in number equal to the remainder (R; r); determining (E20; E40) the second element (Sp; P) by combining the third element (E.sub.1; I) and the fourth element (E.sub.2; J) by means of said operation.

    2. The method according to claim 1, comprising a step of determining another random number, wherein the second number (d″) is obtained by adding to the first number (d.sub.p) the product of the other random number and said order.

    3. The method according to claim 1, implemented within an electronic device (2) comprising a storage module (6), wherein the first number (d.sub.p) is stored in the storage module (6) in masked form.

    4. The method according to claim 1, comprising a step of constructing a mask equal to the sum of a first intermediate number and the product of a second intermediate number by said random number; wherein the step of obtaining the second number (d″) comprises a step of applying the constructed mask and, wherein the quotient (Q; q) is determined using the second intermediate number and wherein the remainder (R; r) is determined using the first intermediate number.

    5. The method according to claim 4, wherein the first intermediate number and the second intermediate number are determined by random drawing.

    6. The method according to claim 4, wherein the first number (d.sub.p) is stored masked by an initial mask and wherein the second intermediate number and the first intermediate number are respectively determined as quotient and remainder of the Euclidean division of the initial mask by a power of two.

    7. The method according to claim 1, wherein said group is the multiplicative group Z/pZ−{0}, where p is a prime number, said order being equal to (p−1).

    8. The method according to claim 1, wherein said group is a subgroup of points of an elliptical curve, said operation being an addition of points of the elliptical curve.

    9. The method according to claim 1, wherein said group is a multiplicative subgroup of Z/pZ−{0}, where p is a prime number, and wherein said order is a divisor of (p−1).

    10. An electronic device (2) comprising a processor (4) and a storage module (6) storing computer program instructions suitable for, when these instructions are executed by the processor (4), determining, in a finite order group provided with an operation and from a first element (M) of this group, a second element (S.sub.p; P) equal to the combination, by means of said operation, of elements equal to the first element (M) and in number equal to a first number (d.sub.p), by means of the following steps: obtaining (E10; E32) a second number (d″) determined by adding to the first number (d.sub.p) said order or a multiple of said order; determining (E12; E30) a random number (a); determining (E14; E34) a quotient (Q; q) and a remainder (R; r) using the Euclidean division of the second number (d″) by the random number (a); obtaining (E16; E36) a third element (E.sub.1; I) equal to the combination, by means of said operation, of elements equal to the first element (M) and in number equal to the product of the quotient (Q; q) and the random number (a); obtaining (E18; E38) a fourth element (E.sub.2; J) equal to the combination, by means of said operation, of elements equal to the first element (M) and in number equal to the remainder (R; r); determining (E20; E40) the second element (S.sub.p; P) by combining the third element (E.sub.1; I) and the fourth element (E.sub.2; J) by means of said operation.

    11. A computer program comprising instructions suitable for implementing a method according to claim 1 when these instructions are executed by a processor (4).

    12. A non-transitory processor-readable recording medium, comprising a computer program stored thereon, which comprises instructions for performing a method according to claim 1, when the instructions are executed by a processor.

    Description

    [0043] In addition, various other features of the invention emerge from the appended description made with reference to the drawings which illustrate non-limiting embodiments of the invention and where:

    [0044] FIG. 1 schematically shows an electronic device in accordance with the invention,

    [0045] FIG. 2 is a flowchart representing the main steps of a cryptographic processing method in accordance with the invention,

    [0046] FIG. 3 is a flowchart representing steps implemented during the cryptographic processing method of FIG. 2, and

    [0047] FIG. 4 is a flowchart representing a cryptographic processing method according to another embodiment of the invention.

    [0048] FIG. 1 schematically shows an electronic device 2 comprising a processor 4 (for example a microprocessor), a storage module 6, a random access memory 8 and a communication module 10.

    [0049] The storage module 6 stores computer program instructions designed to implement a cryptographic processing method such as at least one of those described below with reference to FIGS. 2, 3 and 4 when these instructions are executed by the processor 4. The storage module 6 is for example in practice a hard disk or a non-volatile memory (optionally rewritable).

    [0050] The random access memory 8 can in turn store at least some of the elements handled during the various processing operations carried out during this cryptographic processing method.

    [0051] The communication module 10 is connected to the processor 4 so as to allow the processor 4 to receive data from another electronic device (not shown) and/or to emit data to another electronic device (not shown).

    [0052] FIG. 2 shows the main steps of a cryptographic processing method according to a first embodiment of the invention.

    [0053] This method begins at step E2 by receiving a message M by the processor 4 and via the communication module 10. In the context described here, the message M has a length of at least 1024 bits, for example a size of 1024 bits, 2048 bits, 3072 bits or 4096 bits (that is to say here a length comprised between 1024 bits and 4096 bits).

    [0054] The method of FIG. 2 aims at determining the signature S of the message M by means of an RSA CRT type algorithm. (Alternatively, the message M could be an encrypted message and the application of the RSA CRT type algorithm of FIG. 2 would then allow the decryption of the encrypted message M into a decrypted message S.)

    [0055] For this purpose, the storage module 6 stores data representative of the elements p, q, d.sub.p, d.sub.q, i.sub.q of the private key to be used (with the notations usually used for the RSA CRT algorithm and i.sub.q=q.sup.−1 mod p), where p and q are prime numbers. Each of the elements here has a length in bits equal to half the size of the message M, or here a length in bits of at least 512 bits, for example comprised between 512 bits and 2048 bits.

    [0056] In the example described here, these elements are stored (in the storage module 6) in masked form, that is to say that the storage module 6 stores:


    p′=p+m.sub.p


    q′=q+m.sub.q


    d.sub.p′=d.sub.p+m.sub.dp


    d.sub.q′=d.sub.q+m.sub.dq


    i.sub.q′=i.sub.q+m.sub.iq

    [0057] as well as the masks m.sub.d, m.sub.q, m.sub.dp, md.sub.q, m.sub.iq.

    [0058] Each mask here has a length equal to that of the element it masks, that is to say here a length of at least 512 bits, for example comprised between 512 bits and 2048 bits. Each masked value in turn requires 1 bit more for its storage than the concerned element and mask (to store a possible carry) and therefore has a length of at least 513 bits here, for example comprised between 513 bits and 2049 bits.

    [0059] The method of FIG. 2 comprises a step E4 of determining a first partial result S.sub.p such that S.sub.p=M.sup.dp mod p.

    [0060] In the case where the values are handled masked as described here, the step E4 of determining the first partial result determines in practice S.sub.p′=M.sup.dp mod k.sub.p.p, where k.sub.p is a random number and where k.sub.p.p is determined by the operation k.sub.p.p′−k.sub.p.m.sub.p. This step E4 is implemented in accordance with the method described below with reference to FIG. 3.

    [0061] The method of FIG. 2 also comprises a step E6 of determining a second partial result S.sub.q such that S.sub.q=M.sup.dq mod q.

    [0062] In the case where the values are handled masked as described here, the step E6 of determining the second partial result determines in practice S.sub.q′=M.sup.dq mod k.sub.q.q, where k.sub.q is a random number and where k.sub.q.q is determined by the operation k.sub.q.q′−k.sub.q.m.sub.q.

    [0063] This step E6 can be implemented by a method similar to that described below with reference to FIG. 3 (by replacing p by q, d.sub.p by d.sub.q and therefore k.sub.p by k.sub.q, p′ by q′, d.sub.p′ by d.sub.q′, m.sub.p by m.sub.q and m.sub.dp by m.sub.dq in the description of FIG. 3).

    [0064] The method of FIG. 2 then comprises a step E8 of determining the result S of the RSA CRT algorithm (that is to say here of determining the signature S) by combining the first partial result S.sub.p and the second partial result S.sub.q in accordance with the Chinese Remainder Theorem: S=S.sub.q+q.[i.sub.q.(S.sub.p−S.sub.q) mod p].

    [0065] In the implementation used here where the elements of the private key are stored masked as indicated above, the result S is obtained as follows: [0066] first W=(S.sub.p′−S.sub.q′).i.sub.q′−(S.sub.p′−S.sub.p′).m.sub.iq mod k.sub.p.p is determined; [0067] then S is determined by S=W.q′−W.m.sub.q+S.sub.q′ mod N, where N=(k.sub.p.p.k.sub.q.q)/(k.sub.p.k.sub.q).

    [0068] FIG. 3 shows the steps of a cryptographic processing method according to the invention. This method aims at achieving the modular exponentiation of a value M to the power d.sub.p modulo p. The number d.sub.p is referred to below as “exponent”. In the example described here, it is applied to perform step E4 (or step E6) described above, as already indicated. However, this method could be applied in other cases where a modular exponentiation is used.

    [0069] The modular exponentiation M.sup.dp mod p amounts, in the multiplicative group Z/pZ−{0}, to combine, by means of the modular multiplication modulo p, elements equal to the element M and in number equal to the exponent d.sub.p. The order of the multiplicative group Z/pZ−{0} is equal to (p−1).

    [0070] The method of FIG. 3 begins with a step E10 for updating the exponent d.sub.p by adding the order (p−1) thereto.

    [0071] In the example described here where the prime number p and the exponent d.sub.p are stored in masked form as already indicated, the processor 4 adds during step E10 the masked order (p′−1) to the masked exponent d.sub.p′ and stores the result as the current exponent d.sub.p″. Moreover, so that the current exponent d.sub.p″ is also masked by the mask m.sub.dp, here the value of the mask m.sub.p is further subtracted from the current exponent d.sub.p″ value.

    [0072] This current exponent dp″ is therefore equal to d.sub.p′+(p′−1)−m.sub.p=[d.sub.p+(p−1)]+m.sub.dp.

    [0073] In practice, the current exponent dp″ can be stored instead of the exponent dp′ in the storage module 6 (for use during subsequent implementations of the cryptographic processing method), or only stored in the random access memory 8 (for use only during the present implementation of the method).

    [0074] Anyway, if some implementations provide that the user can choose the value of the exponent d.sub.p (and that an attacker can thus choose an exponent d.sub.p with a small value as explained in the introduction), the value of the prime number p, on the contrary, cannot be parameterized and is chosen sufficiently high by the designers of the system (the value of p being coded on at least 512 bits). The current exponent d.sub.p″ used in the following will therefore necessarily have a high value.

    [0075] As a variant for step E10, it is possible to update the exponent d.sub.p by adding a multiple of the order (p−1) thereto. Step E10 in this case comprises, for example, drawing a random number a′ and updating the exponent d.sub.p by adding thereto the product of the random number a′ and the order (p−1). The length in bits of the random number a′ is for example comprised between 32 bits and 128 bits. In the embodiment described here storing the elements of the private key in masked form, so that the current exponent d.sub.p″ (obtained after updating the masked exponent d.sub.p′) is also masked by the mask m.sub.dp, here the product of the random number a′ and the value of the mask m.sub.p is further subtracted from the current exponent dp″.

    [0076] The current exponent dp″ obtained in step E10 is therefore valid in this case:


    d.sub.p′+a′.(p′−1)−a′.m.sub.p=[d.sub.p+a′.(p−1)]+m.sub.dp.

    [0077] The method of FIG. 3 continues in step E12 wherein the processor 4 determines a number a (for example having a length k greater than 16 bits, here a length k of 32 bits) by random drawing.

    [0078] The processor 4 then determines in step E14 the quotient Q′ and the remainder R′ of the Euclidean division of the current exponent dp″ by the random number a. Therefore, we have:


    d.sub.p′=Q′.a+R′.

    [0079] In the example described here where the current exponent dp″ is masked, the masking is furthermore removed by subtracting m.sub.dp/a from the masked quotient Q′ so as to obtain the unmasked quotient Q, and by subtracting (m.sub.dp mod a) to the masked remainder R′ to obtain the unmasked remainder R:


    Q=Q′−m.sub.dp/a


    R=R′−m.sub.dp mod a.

    [0080] In the case where the remainder R is negative (R<0), the processor 4 further performs a corrective step during which the random value a is added to the remainder R and the quotient Q is decremented by one unit.

    [0081] Then we have: Q.a+R=d″.sub.p−m.sub.dp=d.sub.p.

    [0082] The processor 4 can thus determine in step E16 a first modular exponent E.sub.1 by performing the modular exponentiation modulo p (or modulo k.sub.p.p in the case of the use of masked values as indicated above) of the element M to the power Q.a (that is to say to a power equal to the product of the quotient Q and the random number a):

    [0083] E.sub.1=M.sup.Q,a mod p (or E.sub.1=M.sup.Q,a mod k.sub.p.p in the case of using masked values).

    [0084] In the multiplicative group Z/pZ−{0}, this modular exponentiation operation amounts to combining, by means of the modular multiplication modulo p (or modulo k.sub.p.p in the case of using masked values), elements equal to the element M and in number equal to the product of the quotient Q and the random number a.

    [0085] The processor 4 can thus determine in step E18 a second modular exponent E.sub.2, by performing the modular exponentiation modulo p (or modulo k.sub.p.p in the case of the use of masked values) of the element M to the power R:

    [0086] E.sub.2=M.sup.R mod p (or E.sub.2=M.sup.R mod k.sub.p.p in the case of masked values)

    [0087] In the multiplicative group Z/pZ−{0}, this modular exponentiation operation amounts to combining, by means of the modular multiplication modulo p (or modulo k.sub.p.p in the case of masked values), elements equal to the element M and in number equal to the remainder R.

    [0088] The processor then determines in step E20 the desired result S.sub.p (S.sub.p=M.sup.dp mod p, or S.sub.p′=M.sup.dp mod k.sub.p.p in the case of the use of masked values) by combining the first modular exponent E.sub.1 and the second modular exponent E.sub.2 by modular multiplication modulo p (or modulo k.sub.p.p in the case of masked values): S.sub.p=E.sub.1.E.sub.2 mod p (or S.sub.p′=E.sub.1.E.sub.2 mod k.sub.p.p).

    [0089] Two variants are now described which allow to avoid having to calculate the value m.sub.dp/a in step E14.

    [0090] According to a first variant, step E12 is simultaneous or prior to step E10 and comprises, in addition to determining the number a by random drawing, determining two numbers a.sub.Q, a.sub.R by random drawing and the construction of a replacement mask m′ equal to the sum of the random number a.sub.R and the product of the random number a and the random number a.sub.Q: m′=a.sub.R+a.a.sub.Q.

    [0091] In this case, step E10 comprises, in addition to the operations described above, the replacement of the mask m.sub.dp by the replacement mask m′: the current exponent dp″ is then equal to d.sub.p′+(p′−1)−m.sub.p+m′−m.sub.dp=[d.sub.p+(p−1)]+m′.

    [0092] By noting as above Q′=d.sub.p″/a and R′=d.sub.p″ mod a (that is to say d.sub.p″=Q′.a+R′), obtaining the unmasked quotient Q and of the unmasked remainder R in step E14 can then be carried out by: Q=Q′−a.sub.Q and R=R′−a.sub.R.

    [0093] According to a second variant, step E12 is simultaneous or prior to step E10 and comprises, in addition to determining the number a by random drawing, determining a first number m.sub.R equal to m.sub.dp mod 2.sup.k and a second number m.sub.Q equal to m.sub.dp/2.sup.k (where k is as already indicated the length in bits of the random number a), and the construction of a replacement mask m′ equal to the sum of the first number m.sub.R and the product of the random number a and the second number m.sub.Q: m′=m.sub.R+a.m.sub.Q. (Compared to the first variant, this second variant avoids the drawing of two random numbers; moreover, the division by a power of 2 used here is inexpensive in computing time since it can be carried out by a shift of k bits to the right of the mask m.sub.dp).

    [0094] As for the first variant, step E10 then comprises, in addition to the operations described above, the replacement of the mask m.sub.dp by the replacement mask m′: the current exponent dp″ is then equal to d.sub.p′+(p′−1)−m.sub.p+m′−m.sub.dp=[d.sub.p+(p−1)]+m′.

    [0095] Obtaining the unmasked quotient Q and the unmasked remainder R in step E14 can then be carried out by: Q=Q′−m.sub.Q and R=R′−m.sub.R (still with Q′=d.sub.p″/a and R′=d.sub.p″ mod a).

    [0096] FIG. 4 represents a cryptographic processing method according to a second embodiment of the invention.

    [0097] This method implements operations in a finite group G of order n provided with an operation noted here “*”. This group G is for example a subgroup of finite order n of points of an elliptic curve E and the operation * is in this case the addition of two points of the elliptic curve E.

    [0098] The method of FIG. 4 aims at determining, from a first element M of the group G (here from a point M of the elliptical curve E), a second element P equal to the combination, by means of the operation *, of elements (of the group G) equal to the first element M and in number equal to an integer d. The first element M can be for example a portion at least of a message.

    [0099] In the case described here where the group G is a subgroup of points of an elliptical curve E, this is noted: P=[d] M.

    [0100] A second element P is sought for example to be determined in this way in the context of an exchange of Diffie-Hellman type keys (the integer d then acting as a private key), in particular:

    [0101] when the first element M is a generator of the group G, the second element P then being transmitted (here via the communication module 10) to a communication partner (with which the key exchange is carried out);

    [0102] when the first element M is received (here via the communication module 10) from a communication partner (with which the key exchange is carried out), the second element P then being the shared secret.

    [0103] The storage module 6 stores the number d in masked form, that is to say that the masked number d′ and the mask m.sub.d are stored in the storage module 6 such that d′=d+m.sub.d.

    [0104] The order n, the number d and the mask m.sub.d have for example a length (in bits) of at least 160 bits, for example comprised between 160 bits and 512 bits (the masked number having a length increased by 1 bit relative to the length of the number d and of the mask m.sub.d in order to be able to store a possible carry, that is to say a length of at least 161 bits, for example comprised between 161 bits and 513 bits).

    [0105] The method of FIG. 4 begins with a step E30 of determining a number a by random drawing.

    [0106] The method of FIG. 4 continues with a step E32 of determining a number d″ by adding to the number d (here in practice in its masked version d′) the order n.

    [0107] Thus, even when the considered implementation allows to choose d and an attacker could deliberately choose a low value for d, the number d″ will be high (the order n being high and in general not modifiable by the user).

    [0108] In the implementation with masking described here, we therefore have: d″=d′+n.

    [0109] According to an alternative embodiment of step E32, it is possible to add to the number d (or here to its masked version d′) a multiple of the order n. This multiple can optionally be determined by drawing a random number a′ (of length for example comprised between 32 bits and 128 bits) and multiplying the order n by this random number a′ (the multiple being equal in this case to a′.n).

    [0110] The method of FIG. 4 continues with a step E34 of determining a quotient q and a remainder r by using the Euclidean division of the number d′ obtained in step E32 by the random number a.

    [0111] In the example described here, to take masking into account, this step comprises, for example, the following operations:


    c=1 if (d″ mod a)<(m.sub.d mod a), otherwise c=0


    q=d″/a−m.sub.d/a−c


    r=(d″ mod a)−(m.sub.d mod a)+c.a

    [0112] The use of the variable c allows to avoid having in certain cases a negative remainder r because of the unmasking operation (that is to say of subtraction of m.sub.d mod a).

    [0113] The method of FIG. 4 then comprises a step E36 of obtaining (that is to say here of determining) a third element I equal to the combination, by means of the operation *, of elements equal to the first element M and in number equal to the product q.a of the quotient q and the random number a.

    [0114] In the case described here (where the group G is a subgroup of points of an elliptical curve E), the third element I is therefore equal to: [q.a] M.

    [0115] The method of FIG. 4 then comprises a step E38 of obtaining (that is to say here of determining) a fourth element J equal to the combination, by means of the operation *, of elements equal to the first element M and in number equal to the remainder r.

    [0116] In the case described here (where the group G is a subgroup of points of an elliptical curve E), the fourth element J is therefore equal to: [r] M.

    [0117] The method of FIG. 4 then ends with a step E40 of determining the second element P by combining the third element I and the fourth element J by means of the operation *. In other words, the second element P is determined such that P=I*J.

    [0118] According to a variant that can be considered for the method which has just been described, in order to avoid the calculation of m.sub.d/a during step E34, it is possible to replace the mask m.sub.d by a mask m′ equal to the sum of a first intermediate number r′ and the product of a second intermediate number q′ by the random number a.

    [0119] The replacement of the mask is for example carried out during the determination of the number d″ in step E32. The operation performed during this step is in this case:


    d″=d′+n+m′−m.sub.d.

    [0120] According to a first possibility, the first intermediate number r′ and the second intermediate number q′ can be determined (for example during step E30) by random drawing.

    [0121] According to a second possibility, the first intermediate number r′ is determined (for example during step E30) as equal to (m.sub.d mod 2.sup.k) and the second intermediate number q′ is determined (for example during the step E30) as equal to m.sub.d/2.sup.k (this division by 2.sup.k can be carried out by k shifts of one bit to the right of the binary representation of m.sub.d), where k is the length in bits of the random number a.

    [0122] According to the variant proposed here (whether the first possibility or the second possibility which have just been mentioned is used), the quotient q is determined in step E34 by using the second intermediate number q′ (to remove masking), here by subtracting the second intermediate number q′ from the masked quotient d″/a; the remainder r, in turn, is determined using the first intermediate number r′ (to remove the masking), here by subtracting the first intermediate number r′ from the masked remainder (d″ mod a). In other words, we determine here during step E34:


    q=d″/a−q′


    r=(d″ mod a)−r′.

    [0123] The second embodiment in the case where the group G is a subgroup of points of an elliptical curve E (group whose operation * is the addition of two points of the elliptical curve E) has been described above.

    [0124] Alternatively, the group G could be for example a multiplicative subgroup of Z/pZ−{0}, a subgroup whose order n is a divisor of (p−1), where p is a prime number. The operation * is in this case the modular multiplication modulo p.

    [0125] According to another variant, the group G could be the multiplicative group Z/pZ−{0}, where p is a prime number, the order of the group G being in this case equal to (p−1). The operation * is in this case the modular multiplication modulo p.