SYSTEM AND METHOD FOR GENERATING AND PROTECTING CRYPTOGRAPHIC KEYS

US 20150333906A1
Filed: 02/09/2012
Published: 11/19/2015
Est. Priority Date: 02/09/2012
Status: Active Grant

First Claim

Patent Images

1. A method of generating public key for an elliptic curve Diffie-Hellman (ECDH) key exchange protocol without disclosing the private key during computation of the public key, the method comprising the steps of:

generating a random number;

interpreting that random number as a linearly transformed random number; and

generating a public key using the transformed number.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In the present disclosure, implementations of Diffie-Hellman key agreement are provided that, when embodied in software, resist extraction of cryptographically sensitive parameters during software execution by white-box attackers. Four embodiments are taught that make extraction of sensitive parameters difficult during the generation of the public key and the computation of the shared secret. The embodiments utilize transformed random numbers in the derivation of the public key and shared secret. The traditional attack model for Diffie-Hellman implementations considers only black-box attacks, where attackers analyze only the inputs and outputs of the implementation. In contrast, white-box attacks describe a much more powerful type of attacker who has total visibility into the software implementation as it is being executed.

27 Citations

View as Search Results

33 Claims

1. A method of generating public key for an elliptic curve Diffie-Hellman (ECDH) key exchange protocol without disclosing the private key during computation of the public key, the method comprising the steps of:
- generating a random number;
  
  interpreting that random number as a linearly transformed random number; and
  
  generating a public key using the transformed number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 2. The method of claim 1, wherein the linear transformation is {circumflex over (r)}=k₁r+k₂mod n where k₁and k₂are two instance specific, compile time random values and are elements of Z*_n.
  - 3. The method of claim 2 wherein the step of generating a public key computes Ĝ
    - =k₁^−
      
      1G, U₁={circumflex over (r)}Ĝ
      
      , and U₂=(k₁−
      
      k₂)Ĝ and
      
      then Q=U₁+U₂.
  - 4. The method of claim 2 wherein k₂=0.
  - 5. The method of claim 4 wherein the step of generating a public key computes Ĝ
    - =k₁^−
      
      1G, U₁={circumflex over (r)}Ĝ
      
      , and then Q=U₁+G.
  - 6. The method of claim 1 wherein the step of generating a random number generates two random numbers r₁and r₂.
  - 7. The method of claim 6 wherein the step of linearly transforming the random number includes the steps of first applying a linear transform to random numbers r₁and r₂, then applying a second transformation thereto.
  - 8. The method of claim 7 wherein the linear transformation is, r₁=k₁₁r₁+k₁₂mod n and {circumflex over (r)}₂=k₂₁r₂+k₂₂mod n, where k₁₁, k₁₂, k₂₁, k₂₂are instance specific, compile time randomly picked numbers and k₁₁, k₁₂, k₂₁, k₂₂ε
    - Z_n*.
  - 9. The method of claim 8 wherein the second transformation is t₂on the transformed-random numbers {circumflex over (r)}₁and {circumflex over (r)}₂and is defined as {circumflex over ({circumflex over (r)}₁₁=({circumflex over (r)}₁+{circumflex over (r)}₂)mod 2^N, and {circumflex over ({circumflex over (r)}₂₂=({circumflex over (r)}₁+2{circumflex over (r)}₂)mod 2^N.
  - 10. The method of claim 9 wherein is r₁chosen for computing the public key.
  - 11. The method of claim 10 where the step of generating a public key computes Ĝ
    - ₁₁=k₁₁^−
      
      1Ĝ
      
      ;
      
      Ĝ
      
      ₁₂=k₁₁^−
      
      1Ĝ
      
      ₁₁;
      
      u₁₁=(2{circumflex over ({circumflex over (r)}₁₁−
      
      {circumflex over ({circumflex over (r)}₂₂mod 2^N)k₁₁mod n and U₁₂=(k₁₁−
      
      k₁₂)Ĝ
      
      ₁₁and Q=u₁₁Ĝ
      
      ₁₂+U₁₂.
  - 12. The method of claim 9 wherein is r₂chosen for computing the public key.
  - 13. The method of claim 12 where the step of generating a public key computes Ĝ
    - ₂₁=k₂₁^−
      
      1G, Ĝ
      
      ₂₂=k₂₁^−
      
      1Ĝ
      
      ₂₁, u₂₁=({circumflex over ({circumflex over (r)}₂₂−
      
      {circumflex over ({circumflex over (r)}₁₁mod 2^N)k₂₁mod n and U₂₂=(k₂₁−
      
      k₂₂)Ĝ
      
      ₂₁and Q=u₂₁*Ĝ
      
      ₂₂+U₂₂.
  - 14. The method of claim 7 wherein the linear transformation is, {circumflex over (r)}₁=k₁₁r₁and {circumflex over (r)}=k₂₁r₂, where k₁₁, and k₂₁are instance specific, compile time randomly picked numbers, and k₁₁,k₂₁ε
    - Z_n*. Thus, r₁=k₁₁^−
      
      1{circumflex over (r)}₁, and r₂=k₂₁^−
      
      1{circumflex over (r)}₂.
  - 15. The method of claim 14 wherein the second transformation on the transformed-random numbers {circumflex over (r)}₁and {circumflex over (r)}₂is defined as {circumflex over ({circumflex over (r)}₁₁=({circumflex over (r)}₁+{circumflex over (r)}₂)mod 2^N, and {circumflex over ({circumflex over (r)}=({circumflex over (r)}₁+2{circumflex over (r)}₂)mod 2^N.
  - 16. The method of claim 15 wherein is r₁chosen for computing the public key.
  - 17. The method of claim 16 wherein the step of generating a public key computes Ĝ
    - ₁₁=k₁₁^−
      
      1G;
      
      Ĝ
      
      ₁₂=k₁₁^−
      
      1Ĝ
      
      ₁₁;
      
      u₁₁=(2{circumflex over ({circumflex over (r)}₁₁−
      
      {circumflex over ({circumflex over (r)}₂₂mod 2^N)k₁₁mod n; and
      
      Q=u₁₁Ĝ
      
      ₁₂+G.
  - 18. The method of claim 15 wherein is r₂chosen for computing the public key.
  - 19. The method of claim 18 wherein the step of generating a public key computes Ĝ
    - ₂₁=k₂₁^−
      
      1G;
      
      Ĝ
      
      ₂₂=k₂₁^−
      
      1Ĝ
      
      ₂₁;
      
      u₂₁=({circumflex over ({circumflex over (r)}₂₂−
      
      {circumflex over ({circumflex over (r)}₁₁mod 2^N)k₂₁mod n; and
      
      Q=u₂₁*Ĝ
      
      ₂₂+G.
  - 20. The method of claim 1 further comprising the steps of receiving a public key from another party and deriving a shared secret therefrom using the transformed random number.
  - 21. The method of claim 3 further comprising the steps of receiving a public key from another party and deriving a shared secret therefrom using the transformed random number.
  - 22. The method of claim 21 wherein the step of deriving the shared secret computes points {circumflex over (Q)}_B₁=k_1(A)⁻
    - 1Q_B;
      
      {circumflex over (Q)}_B₂={circumflex over (r)}_A{circumflex over (Q)}_B₁; and
      
      {circumflex over (Q)}_B₃=(k_1(A)−
      
      k_2(A)){circumflex over (Q)}_B₁and then P={circumflex over (Q)}_B₂+{circumflex over (Q)}_B₃where the shared secret is Z=x_Pwhere x_Pis the x-coordinate of P, party A uses its transformed random number and party B'"'"'s public key.
  - 23. The method of claim 5 further comprising the steps of receiving a public key from another party and deriving a shared secret therefrom using the transformed random number.
  - 24. The method of claim 23 wherein the step of deriving the shared secret computes points {circumflex over (Q)}_B₁=k_1(A)⁻
    - 1Q_B; and
      
      {circumflex over (Q)}_B₂={circumflex over (r)}_A{circumflex over (Q)}_B₁and then P={circumflex over (Q)}_B₂+Q where the shared secret is Z=x_Pwhere x_Pis the x-coordinate of P, party A uses its transformed random number and party B'"'"'s public key.
  - 25. The method of claim 11 further comprising the steps of receiving a public key from another party and deriving a shared secret therefrom using the transformed random numbers.
  - 26. The method of claim 25 wherein the step of deriving the shared secret computes {circumflex over (Q)}_B₁₁=k_11(A)⁻
    - 1Q_B;
      
      {circumflex over (Q)}_B₁₂=(2{circumflex over ({circumflex over (r)}_11(A)−
      
      {circumflex over ({circumflex over (r)}_22(A)mod 2^N){circumflex over (Q)}_B₁₁; and
      
      {circumflex over (Q)}_B₁₃=(k_11(A)−
      
      k_12(A)){circumflex over (Q)}_B₁₁and then P={circumflex over (Q)}_B₁₂+{circumflex over (Q)}_B₁₃where the shared secret is Z=x_Pwhere x_Pis the x-coordinate of P, party A uses its transformed random numbers and party B'"'"'s public key.
  - 27. The method of claim 13 further comprising the steps of receiving a public key from another party and deriving a shared secret therefrom using the transformed random numbers.
  - 28. The method of claim 27 wherein the step of deriving the shared secret computes {circumflex over (Q)}_B₂₁=k_21(A)⁻
    - 1Q_B;
      
      {circumflex over (Q)}_B₂₂({circumflex over ({circumflex over (r)}−
      
      _22(A)−
      
      {circumflex over ({circumflex over (r)}_11(A)mod 2^N){circumflex over (Q)}_B₂₁; and
      
      {circumflex over (Q)}_B₂₃=(k_21(A)−
      
      k_22(A)){circumflex over (Q)}_B₂₁and then P={circumflex over (Q)}_B₂₂+{circumflex over (Q)}_B₂₃where the shared secret is Z=x_Pwhere x_Pis the x-coordinate of P, party A uses its transformed random numbers and party B'"'"'s public key.
  - 29. The method of claim 17 further comprising the steps of receiving a public key from another party and deriving a shared secret therefrom using the transformed random number.
  - 30. The method of claim 29 wherein the step of deriving the shared secret computes {circumflex over (Q)}_B₁₁=k_11(A)⁻
    - 1Q_B; and
      
      {circumflex over (Q)}_B₁₂=(2{circumflex over ({circumflex over (r)}_11(A)−
      
      {circumflex over ({circumflex over (r)}_22(A)mod 2^N){circumflex over (Q)}_B₁₁; and
      
      then P={circumflex over (Q)}_B₁₂+Q_Bwhere the shared secret is Z=x_Pwhere x_Pis the x-coordinate of P, party A uses its transformed random number and party B'"'"'s public key.
  - 31. The method of claim 19 further comprising the steps of receiving a public key from another party and deriving a shared secret therefrom using the transformed random number.
  - 32. The method of claim 31 wherein the step of deriving the shared secret computes {circumflex over (Q)}_B₂₁=k_21(A)⁻
    - 1Q_B; and
      
      {circumflex over (Q)}_B₂₂=({circumflex over ({circumflex over (r)}_22(A)−
      
      {circumflex over ({circumflex over (r)}_11(A)mod 2^N){circumflex over (Q)}_B₂₁; and
      
      then P={circumflex over (Q)}_B₂₂+Q_Bwhere the shared secret is Z=x_Pwhere x_Pis the x-coordinate of P, party A uses its transformed random numbers and party B'"'"'s public key.
  - 33. The method of any claim 1, wherein some values are computed off-line.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Irdeto B.V. (MultiChoice Group Ltd.)
Original Assignee
Irdeto Canada Corporation (MultiChoice Group Ltd.)
Inventors
RAHMAN, SK MD Mizanur, MUIR, James

Granted Patent

US 9,503,259 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 7/58   Random or pseudo-random num...

G06F 7/72   using residue arithmetic

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0869   involving random numbers or...

H04L 9/3066   involving algebraic varieti...

SYSTEM AND METHOD FOR GENERATING AND PROTECTING CRYPTOGRAPHIC KEYS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR GENERATING AND PROTECTING CRYPTOGRAPHIC KEYS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links