Attack-resistant implementation method

US 6,986,054 B2
Filed: 12/19/2001
Issued: 01/10/2006
Est. Priority Date: 03/30/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for countering unauthorized decryption comprising a step of scrambling at least one correlation between a data decryption processing in a hardware and at least one respective hardware operational phenomenon by randomly changing at least one arithmetic operation order in the data decryption processing, wherein the correlation is scrambled by an arithmetic operation method implemented by an information processing apparatus comprising the steps of:

for two integers K1 and K2, when finding a value F(K, A) of a function F satisfying F(K1+K2,A)=F(K1, A) ◯

F(K2, A) (◯

denotes an arithmetic operation in a communtative semigroup S. K designates an integer and A designates an element of S), decomposing the K to the sum of m integers K[0]+K[1]+. . . K[m−

1];

using T(0), T(1), . . . T(m−

1) resulted from rearranging a string of integers 0, 1, . . . m−

1 by permutation T; and

operating on terms F(K[T(0)], A) to F(K[T(m−

1)], A) on the right side of F(K, A)=F(K[T(0)], A) ◯

F(K[T(1)], A) ◯

. . . F(K[T(m−

1)], A) . . . (“

expression 1”

) in an order of F(K[T(0)], A), F(K[T(1)], A), . . . F(K[T(m−

1)], A) to find F(K, A).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention makes it difficult for unauthorized parties to estimate processing and a secret key based upon the waveforms of power consumption of an IC card chip by changing a processing order in the IC card chip so that it is not estimated by the attackers. In an information processing apparatus comprising storing means having a program storing part for storing programs and a data storing part for storing data, an operation processing unit, means for inputting data to be operated on in the operation processing unit, and means for outputting operation processing results on the data by the operation processing unit, an arithmetic operation method is provided which comprises the steps of: for two integers K1 and K2, when finding a value F(K, A) of a function F satisfying F(K1+K2, A)=F(K1, A)◯F(K2, A) (◯ denotes an arithmetic operation in a communtative semigroup S. K designates an integer and A designates an element of S), decomposing the K to the sum of m integers K[0]+K[1]+ . . . K[m−1]; using T(0), T(1), . . . T(m−1) resulting from rearranging a string of the m integers 0, 1, . . . m−1 by permutation T (the result corresponds one for one to the integer string 0, 1, . . . m−1); and operating on terms F(K[T(0)], A) to F(K[T(m−1)], A) on the right side of
F(K, A)=F(K[T(0)], A)◯F(K[T(1)], A)◯ . . . F(K[T(m−1)], A) . . . (expression 1)
in the order of F(K[T(0)], A), F(K[T(1)], A), . . . F(K[T(m−1)], A) to find F(K, A).

89 Citations

View as Search Results

19 Claims

1. A method for countering unauthorized decryption comprising a step of scrambling at least one correlation between a data decryption processing in a hardware and at least one respective hardware operational phenomenon by randomly changing at least one arithmetic operation order in the data decryption processing, wherein the correlation is scrambled by an arithmetic operation method implemented by an information processing apparatus comprising the steps of:
- for two integers K1 and K2, when finding a value F(K, A) of a function F satisfying F(K1+K2,A)=F(K1, A) ◯
  
  F(K2, A) (◯
  
  denotes an arithmetic operation in a communtative semigroup S. K designates an integer and A designates an element of S), decomposing the K to the sum of m integers K[0]+K[1]+. . . K[m−
  
  1];
  
  using T(0), T(1), . . . T(m−
  
  1) resulted from rearranging a string of integers 0, 1, . . . m−
  
  1 by permutation T; and
  
  operating on terms F(K[T(0)], A) to F(K[T(m−
  
  1)], A) on the right side of F(K, A)=F(K[T(0)], A) ◯
  
  F(K[T(1)], A) ◯
  
  . . . F(K[T(m−
  
  1)], A) . . . (“
  
  expression 1”
  
  ) in an order of F(K[T(0)], A), F(K[T(1)], A), . . . F(K[T(m−
  
  1)], A) to find F(K, A).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, whereby the permutation processing, the permutation T prevents predicting any post-permutation data from pre-permutation data, or the permutation T is performed based on a dummy random number, and whereby the permutation processing is performed each time the expression 1 is performed.
  - 3. The method according to claim 1, wherein the S is a commutative semigroup in which, for a set consisting of residues by an integer N (N≧
    - 2), the arithmetic operation ◯
      
      of a modular multiplication operation A◯
      
      B=A*B mod N is introduced, and the F satisfies F(K, A)=A^K mod N (A^K denotes the K-th power of A).
  - 4. The method according to claim 1, wherein the information processing apparatus is installed on an IC card, a cellular phone, or a PDA.
  - 5. The method according to claim 3, wherein the integer K is split in a form of K[j]=u*((2^t)^j) (0≦
    - u≦
      
      (2^t)−
      
      1, t=1, 2, . . . ).
  - 6. The method according to claim 5, whereby the permutation processing, the permutation T is performed based on an information source prevents predicting any post-permutation data from pre-permutation data, or the permutation T is performed based on a dummy random number, and whereby the permutation processing is performed each time the expression 1 is performed.
  - 7. The method according to claim 5, wherein the integer K is split in a form of K[j]=u*((2^t)^j) (0≦
    - u≦
      
      (2^t)−
      
      1, t=1, 2, . . . ).
  - 8. The method according to claim 1, wherein the S is a Mordell-Weil group on an elliptic curve E defined on a finite field GF(p) (p is a prime number) or GF(2^n) (n is an integer equal to or greater than 1), and an expression F(K,A)=KA is satisfied, wherein the A denotes a point on the elliptic curve E, the KA denotes the arithmetic operation ◯
    - performed on K number of As such that the KA denotes A◯
      
      A◯
      
      A . . . ◯
      
      A (K number) when the K is positive, or (−
      
      A)◯
      
      (−
      
      A)◯
      
      (−
      
      A) . . . ◯
      
      (−
      
      A) (|K|number) when the K is negative, and 0 (the point at infinity) on the E when the K is 0, the ◯
      
      denotes an addition operation in the Mordell-Weil group, and the −
      
      A is an inverse in the Mordell-Weil group of the A.
  - 9. The method according to claim 8, wherein the information processing apparatus is installed on an IC card.
  - 10. The method according to claim 8, wherein the integer K is split in a form of K[j]=u*((2^t)^j) (0≦
    - u≦
      
      (2^t)−
      
      1, t=1, 2, . . . ).
  - 11. The method according to claim 10, wherein the information processing apparatus is installed on an IC card.

12. A method for calculating a value F(K, A) of a function F satisfying F(K1+K2, A)=F(K1, A) ◯
- F(K2, A) for two integers K1 and K2 in an encryption or decryption process of a cryptosystem by means of an information processing device which comprises a processing unit and a memory device, wherein ◯
  
  denotes an arithmetic operation in a commutative semigroup S, K designates an integer, and A designates an element of S, the method comprising;
  
  decomposing the value K in the processing unit to m integers K[0], K[1], . . . , K[m−
  
  1] each of which is a value of a n-bit unit of a binary representation of the value K, wherein the binary representation of the value K is w bit, m*n equals w; and
  
  calculating F(K[T(0)]*(2^n)^(m−
  
  1T[0]), A) ◯
  
  F(K[T(1)]*(2^n)^(m−
  
  1−
  
  T[1]), A) ◯
  
  , . . . F(K[T(m−
  
  1)]*(2^n)^(m−
  
  1−
  
  T[m−
  
  1]), A) in the processing unit in an order of F(K[T(0])*(2^n)^(m−
  
  1−
  
  T[0]), A), F(K[T(1)]*(2^n)^(m−
  
  1−
  
  T[1]), A), . . . F(K[T(m−
  
  1)*(2^n)^(m−
  
  1T[m−
  
  1]), A) defined by a string of integers T(0), T(1), . . . T(m−
  
  1) which is a random permutation of a string of integers 0, 1, . . . m−
  
  1.
- View Dependent Claims (13, 14, 15)
- - 13. The method according to claim 12, the permutation being performed based on a dummy random number each time the F(K[T(0)]*(2^n)^(m−
    - 1−
      
      T[0]), A) ◯
      
      F(K[T(1)]*(2^n)^(m−
      
      1−
      
      T[1]), A) ◯
      
      , . . . F(K[T(m−
      
      1)]*(2^n)^(m−
      
      1−
      
      T[m−
      
      1]), A) is calculated.
  - 14. The method according to claim 12,wherein the commutative semigroup S is a Mordell-Weil group on an elliptic curve E defined on a finite field GF(p) or GF(2^n),wherein p is a prime number, n is an integer equal to or greater than 1, and an expression F(K,A)=KA is satisfied, andwherein the value A denotes a point on the elliptic curve E, the value KA denotes the arithmetic operation ◯
    - performed on K number of As such that the value KA denotes A◯
      
      A◯
      
      A . . . ◯
      
      A when the value K is positive, or (−
      
      A)◯
      
      (−
      
      A)◯
      
      (−
      
      A) . . . ◯
      
      (−
      
      A) when the value K is negative, or 0 on the elliptic curve E when the value K is 0, the symbol ◯
      
      denotes an addition operation in the Mordell-Weil group, and the value (−
      
      A) is an inverse in the Mordell-Weil group of the value A.
  - 15. The method according to claim 12, wherein the information processing device is an IC card.

16. An information processing device for calculating a value F(K,A) of a function F satisfying F(K1+K2, A)=F(K1, A) ◯
- F(K2, A) for two integers K 1 and K2 in an encryption or decryption process of a cryptosystem, wherein ◯
  
  denotes an arithmetic operation in a commutative semigroup S, K designates an integer, and A designates an element of S, the information processing device comprising;
  
  a processing unit; and
  
  a memory device,wherein the processing unit is adapted to decompose the value K to m integers K(0], K[1], . . . , K[m−
  
  1], each of which is a value of a n-bit unit of a binary representation of the value K, wherein the binary representation of the value K is w bit, m*n equals w, andthe processing unit is further adapted to calculate F(K[T(0)]*(2^n)^(m−
  
  1−
  
  T[0]), A) ◯
  
  F(K[T(1)*(2^n)^(m−
  
  1−
  
  T[1]), A) ◯
  
  , . . . F(K[T(m−
  
  1)]*(2^n)^(m−
  
  1−
  
  T[m−
  
  1]), A) in an order of F(K[T(0))*(2^n)^(m−
  
  1−
  
  T[0]), A), F(K[T(1)1*(2^n)^(m−
  
  1−
  
  T)[1], A), . . . F(K[T(m−
  
  1)]*(2^n)^(m−
  
  1−
  
  T[m−
  
  1]), A) defined by a string of integers T(0), T(1), . . . T(m−
  
  1) which is a random permutation of a string of integers 0, 1, . . . m−
  
  1.
- View Dependent Claims (17, 18, 19)
- - 17. The information processing device according to claim 16, wherein the processing unit is adapted to perform the to permutation based on a dummy random number each time the F(K[T(0)]*(2^n)^(m−
    - 1T[0]), A) ◯
      
      F(K[T(1)]*(2^n)^(m−
      
      1−
      
      T[1]), A) ◯
      
      , . . . F(K[T(m−
      
      1)]*(2^n)^(m−
      
      1−
      
      T[m−
      
      1]), A) is calculated.
  - 18. The information processing device according to claim 16,wherein the commutative semigroup S is a Mordell-Weil group on an elliptic curve E defined on a finite field GF(p) or GF(2^n),wherein p is a prime number and n is an integer equal to or greater than 1, and an expression F(K,A)=KA is satisfied, and p1 wherein the value A denotes a point on the elliptic curve E, the value KA denotes the arithmetic operation ◯
    - performed on K number of As such that the value KA denotes A◯
      
      A◯
      
      A . . . ◯
      
      A when the value K is positive, or (−
      
      A) ◯
      
      (−
      
      A)◯
      
      (−
      
      A) . . . ◯
      
      (−
      
      A) when the value K is negative, or 0 on the elliptic curve E when the value K is 0, the symbol ◯
      
      denotes an addition operation in the Mordell-Weil group, and the value (−
      
      A) is an inverse in the Mordell-Weil 25 group of the value A.
  - 19. The information processing device according to claim 16, wherein the information processing device is an IC card.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Watanabe, Takashi, Endo, Takashi, Kaminaga, Masahiro
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
LEMMA, SAMSON B

Application Number

US10/021,042
Publication Number

US 20020178371A1
Time in Patent Office

1,483 Days
Field of Search

713/193, 713/194, 713/171, 380/28, 380/30, 380/44, 380/277, 380/279
US Class Current

713/193
CPC Class Codes

G06F 2207/7252   of operation order, e.g. st...

G06F 7/723   Modular exponentiation G06F...

G06F 7/725   over elliptic curves

H04L 2209/043   of tables, e.g. lookup, sub...

H04L 9/002   Countermeasures against att...

H04L 9/3013   involving the discrete loga...

H04L 9/302   involving the integer facto...

H04L 9/3066   involving algebraic varieti...

Attack-resistant implementation method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

89 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Attack-resistant implementation method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links