Method and apparatus for protecting public key schemes from timing and fault attacks
First Claim
1. In a method of implementing public key schemes containing the non-CRT form of the modular exponentiation operation x d (mod n), the improvement comprising the steps of:
- computing or storing the computed value of t=phi(n), where phi is Euler'"'"'s totient function of the modulus n;
selecting some secret integer i; and
replacing the computation of x d (mod n) by the computation of x (d+i*t) (mod n);
thereby increasing public key scheme resistance to timing attacks without a twofold slowdown in computation time.
1 Assignment
0 Petitions
Accused Products
Abstract
Improved methods and apparatus are provided for protecting public key schemes based on modular exponentiation (including RSA and Diffie-Hellman) from indirect cryptanalytic techniques such as timing and fault attacks. Known methods for making the implementation of number-theoretic schemes resistant to such attacks typically double their running time, whereas the novel methods and apparatus described in this patent add only negligible overhead. This improvement is particularly significant in smart card and software-based implementations, in which the modular exponentiation operation is quite slow, and doubling its time may be an unacceptable solution.
-
Citations
22 Claims
-
1. In a method of implementing public key schemes containing the non-CRT form of the modular exponentiation operation x d (mod n), the improvement comprising the steps of:
-
computing or storing the computed value of t=phi(n), where phi is Euler'"'"'s totient function of the modulus n; selecting some secret integer i; and replacing the computation of x d (mod n) by the computation of x (d+i*t) (mod n); thereby increasing public key scheme resistance to timing attacks without a twofold slowdown in computation time. - View Dependent Claims (2, 3)
-
-
4. In a method of implementing public key schemes containing the CRT form of the modular exponentiation operation x d (mod n) where n=p*q, the improvement comprising the steps of:
-
selecting some secret integer j; computing v-- 1=x (mod j*p), v-- 2=x (mod j*q), d-- 1=d (mod phi(j*p)), d-- 2=d (mod phi(j*q)), w-- 1=v-- 1 d-- 1 (mod j*p), and w-- 2=v-- 2 d-- 2 (mod j*q); aborting the computation if w-- 1 and w-- 2 are not equal modulo j; and otherwise, computing y-- 1=w-- 1 (mod p), y-- 2=w-- 2 (mod q), and combining them by the Chinese Remainder Theorem to obtain the result of x d (mod n); thereby increasing public key scheme resistance to timing and fault attacks without a twofold slowdown in computation time. - View Dependent Claims (5, 6, 7)
-
-
8. In a method of implementing public key schemes containing the CRT form of the modular exponentiation operation x d (mod n) where n=p*q, the improvement comprising the steps of:
-
selecting two secret integers j-- 1 and j-- 2; computing v-- 1=x (mod j-- 1*p), v-- 2=x (mod j-- 2*q), d-- 1=d (mod phi(j-- 1*p)), d-- 2=d (mod phi(j-- 2*q)), w-- 1=v-- 1 d-- 1 (mod j-- 1*p), and w-- 2=v-- 2 d-- 2 (mod j-- 2*q); computing v-- 3=x (mod j--
1), v-- 4=x (mod j--
2), d-- 3=d (mod j--
1), d-- 4=d (mod j--
2), w-- 3=v-- 3 d-- 3 (mod j--
1), and w-- 4=v-- 4 d-- 4 (mod j--
2);aborting the computation if w-- 3 is not equal to w-- 1 modulo j-- 1, or if w-- 4 is not equal to w-- 2 modulo j-- 2; and otherwise, computing y-- 1=w-- 1 (mod p), y-- 2=w-- 2 (mod q), and combining them by the Chinese Remainder Theorem to obtain the result of x d (mod n); thereby increasing public key scheme resistance to timing and fault attacks without a twofold slowdown in computation time. - View Dependent Claims (9, 10, 11)
-
-
12. In an apparatus for implementing public key schemes containing the non-CRT form of the modular exponentiation operation x d (mod n), the improvement comprising:
-
means for computing or storing the computed value of t=phi(n), where phi is Euler'"'"'s totient function of the modulus n; means for selecting some secret integer i; and means for replacing the computation of x d (mod n) by the computation of x (d+i*t) (mod n); thereby increasing public key scheme resistance to timing attacks without a twofold slowdown in computation time. - View Dependent Claims (13, 14)
-
-
15. In an apparatus for implementing public key schemes containing the CRT form of the modular exponentiation operation x d (mod n) where n=p*q, the improvement comprising:
-
means for selecting some secret integer j; means for computing v-- 1=x (mod j*p), v-- 2=x (mod j*q), d-- 1=d (mod phi(j*p)), d-- 2=d (mod phi(j*q)), w-- 1=v-- 1 d-- 1 (mod j*p), and w-- 2=v-- 2 d-- 2 (mod j*q); means for aborting the computation if w-- 1 and w-- 2 are not equal modulo j; and otherwise, means for computing y-- 1=w-- 1 (mod p), y-- 2=w-- 2 (mod q), and combining them by the Chinese Remainder Theorem to obtain the result of x d (mod n); thereby increasing public key scheme resistance to timing and fault attacks without a twofold slowdown in computation time. - View Dependent Claims (16, 17, 18)
-
-
19. In an apparatus for implementing public key schemes containing the CRT form of the modular exponentiation operation x d (mod n) where n=p*q, the improvement comprising:
-
means for selecting two secret integers j-- 1 and j-- 2; means for computing v-- 1=x (mod j-- 1*p), v-- 2=x (mod j-- 2*q), d-- 1=d (mod phi(j-- 1*p)), d-- 2=d (mod phi(j-- 2*q)), w-- 1=v-- 1 d-- 1 (mod j-- 1*p), and w-- 2=v-- 2 d-- 2 (mod j-- 2*q); means for computing v-- 3=x (mod j--
1), v-- 4=x (mod j--
2), d-- 3=d (mod j--
1), d-- 4=d (mod j--
2), w-- 3=v-- 3 d-- 3 (mod j--
1), and w-- 4=v-- 4 d-- 4 (mod j--
2);means for aborting the computation if w-- 3 is not equal to w-- 1 modulo j-- 1, or if w-- 4 is not equal to w-- 2 modulo j-- 2; and otherwise, means for computing y-- 1=w-- 1 (mod p), y-- 2=w-- 2 (mod q), and combining them by the Chinese Remainder Theorem to obtain the result of x d (mod n); thereby increasing public key scheme resistance to timing and fault attacks without a twofold slowdown in computation time. - View Dependent Claims (20, 21, 22)
-
Specification