(19)
(11)EP 4 027 574 A1

(12)EUROPEAN PATENT APPLICATION

(43)Date of publication:
13.07.2022 Bulletin 2022/28

(21)Application number: 21305022.2

(22)Date of filing:  11.01.2021
(51)International Patent Classification (IPC): 
H04L 9/00(2022.01)
H04L 9/30(2006.01)
(52)Cooperative Patent Classification (CPC):
H04L 2209/046; H04L 9/003; H04L 9/3066
(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(71)Applicant: Thales DIS France SA
92190 Meudon (FR)

(72)Inventors:
  • VIGILANT, David
    92190 Meudon (FR)
  • MADEC, Steven
    92190 Meudon (FR)
  • ROUSSELLET, Mylène
    92190 Meudon (FR)

(74)Representative: Bricks, Amélie 
Thales Dis France SA Intellectual Property Department 6, rue de la Verrerie
92190 Meudon
92190 Meudon (FR)

  


(54)METHOD FOR SECURING A MULTIPLE POINT MULTIPLICATION OPERATION AGAINST SIDE-CHANNEL ATTACKS


(57) The present invention relates to a method for securing against side channel attacks an execution of an elliptic curve cryptographic process comprising a multiple points multiplication operation computing a multiple points multiplication operation result

with n an integer, n>= 1, di being predetermined scalar values, Pi being points of an elliptic curve over a finite field defined by parameters (F, E, G, N) together with the point addition law where F is a field over which is defined the curve, E is an equation of the curve, G is a base point in E over F and N is the order of the base point G, said method being performed by a cryptographic device and comprising :
- generating (S1) a masking value iRand,
- multiplicatively masking (S2) each predetermined scalar value di with said generated masking value iRand to obtain masked scalars di' with i in {1,...,n},
- computing (S3) a masked multiple points multiplication operation result R'

with i in {1,...,n},
- obtaining (S4) said multiple points multiplication operation result R by unmasking said masked multiple points multiplication operation result R'.




Description

FIELD OF THE INVENTION



[0001] The present invention relates to the field of public key cryptography, and more particularly to a method for securing against side-channel attacks point multiplication operations performed in elliptic curve cryptographic processes.

BACKGROUND OF THE INVENTION



[0002] Cryptographic algorithms are commonly used for ensuring the privacy of communications by encryption, for authentication or for generating a verifiable signature. Examples of such algorithms are AES, DES or DSA.

[0003] Such cryptographic algorithms are sensitive to side-channel attacks (SCA), based on an analysis of the power consumption or electromagnetic signature of the device performing the encryption, as depicted on Figure 1.

[0004] Elliptic curve cryptography (ECC) protocols, such as ECDSA, are particularly vulnerable to SCA. Indeed, such protocols, in addition to a secret key, use other values called nonces for performing a cryptographic operation. For example a nonce may be used as the scalar value to perform a scalar point multiplication. And it has been demonstrated in "Attacking (ec) dsa given only an implicit hint" by J.-. Faugere et al in 2012 and even more recently in "Minerva: The curse of ECDSA nonces" in 2020 by J.Jancar et al that, even when operations manipulating the secret key are protected against SCA, ECC protocols remain sensitive to such attacks: retrieving a few bits of the nonce by a SCA may enable an attacker to retrieve the full secret key by performing a lattice basis reduction attack. Therefore, there is a need for a better protection of ECC protocols against SCA.

[0005] Such a problem of protecting against SCA ECC operations using nonces is particularly important when performing multiple point multiplications which use multiple nonces at the same time in a single operation.

[0006] As a result, there is a need for a method securing ECC processes against side channel attacks. Such a method shall be applicable and efficient when such processes perform multiple point multiplications.

SUMMARY OF THE INVENTION



[0007] For this purpose and according to a first aspect, this invention therefore relates to a method for securing against side channel attacks an execution of an elliptic curve cryptographic process comprising a multiple points multiplication operation computing a multiple points multiplication operation result

with n an integer, n>= 1, di being predetermined scalar values, Pi being points of an elliptic curve over a finite field defined by parameters (F, E, G, N) together with the point addition law where F is a field over which is defined the curve, E is an equation of the curve, G is a base point in E over F and N is the order of the base point G, said method being performed by a cryptographic device and comprising :
  • generating a masking value iRand,
  • multiplicatively masking each predetermined scalar value di with said generated masking value iRand to obtain masked scalars di' with i in {1,...,n},
  • computing a masked multiple points multiplication operation result R' =

    with i in {1,...,n},
  • obtaining said multiple points multiplication operation result R by unmasking said masked multiple points multiplication operation result R'.


[0008] Such a method enables to protect the predetermined scalar values in a way that allows an easy unmasking of the multiple points multiplication operation result after point multiplications have been summed up.

[0009] In an embodiment,
  • the step of generating a masking value iRand comprises generating a random value Rand and computing the masking value iRand by inverting the random value Rand (iRand = 1/Rand mod N); and
  • the step of unmasking said masked multiple points multiplication operation result R' comprises multiplying said masked multiple points multiplication operation result R' with said generated random value Rand.


[0010] By doing so, the masking can be cancelled by a single operation at the end of the computation process.

[0011] In an embodiment, the step of computing the masked multiple points multiplication operation result R' comprises:
  • precomputing all possible sums

    for ai in [0, 2w-1], with w a predetermined integer w >=1,
  • initializing an intermediate value A at the infinity point,
  • for an integer j from 0 to |B|-w by steps w, with B a number of bits of the predetermined scalar values:
    1. a. multiplying said intermediate value A by 2w
    2. b. selecting a sum Rm among said precomputed possible sums Rk such that:

      with di'j the jth bit of di',
    3. c. adding said selected sum Rm to said intermediate value A.


[0012] Such a method enables to minimize the computation time and effort by relying on precomputed values, while constantly protecting the predetermined scalars di against side channel attacks.

[0013] Said random value size may be 32 or 64 bits. Such a reduced size of the random value limits the cost of unmasking without reducing the size of the masking value iRand.

[0014] According to a second aspect, this invention therefore relates also to a computer program product directly loadable into the memory of at least one computer, comprising software code instructions for performing the steps of the methods according to the first aspect when said product is run on the computer.

[0015] According to a third aspect, this invention therefore relates also to a non-transitory computer readable medium storing executable computer code that when executed by a cryptographic device comprising a processing system having at least one hardware processor performs the steps of the methods according to the first aspect.

[0016] According to a fourth aspect, this invention therefore relates also to a cryptographic device comprising :
  • at least one Non Volatile Memory and/or a read-only memory,
  • a processing system having at least one hardware processor configured to execute the steps of the method according to the first aspect.


[0017] To the accomplishment of the foregoing and related ends, one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims.

BRIEF DESCRIPTION OF THE DRAWINGS



[0018] The following description and the annexed drawings set forth in detail certain illustrative aspects and are indicative of but a few of the various ways in which the principles of the embodiments may be employed. Other advantages and novel features will become apparent from the following detailed description when considered in conjunction with the drawings and the disclosed embodiments are intended to include all such aspects and their equivalents.
  • Figure 1 is a schematic illustration of a system comprising a cryptographic device according to an embodiment of the present invention;
  • Figure 2 illustrates schematically a method for securing against side channel attacks an execution of an elliptic curve cryptographic process comprising a multiple points multiplication operation according to an embodiment of the present invention;
  • Figure 3 illustrates schematically an example of implementation of a method for securing against side channel attacks an execution of an elliptic curve cryptographic process comprising a multiple points multiplication operation according to an embodiment of the present invention (when n=2 and w=1).

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION



[0019] The invention aims at securing against side channel attacks an execution of an elliptic curve cryptographic process comprising a multiple points multiplication operation.

[0020] Such a process may be performed by a cryptographic device 100 a schematic illustration of which is given on Figure 1. The cryptographic device 100 may include a processor 101 connected via a bus 102 to a random access memory (RAM) 103, a read-only memory (ROM) 104, and/or a non-volatile memory (NVM) 105. The cryptographic device 100 may further include a communication interface 106 by which the cryptographic device 100 may be connected to a network. Such an interface may be a wireless interface connected to an antenna and may be used to connect the cryptographic device 100 to various forms of wireless networks, e.g., wide-area networks, WiFi networks, or mobile telephony networks. Alternatively, such an interface may be a wired interface such as an Ethernet internet. The cryptographic device 100 may also include input/output means 107 providing interfaces to the user of the cryptographic device 100, such as one or more screens, loudspeakers, a mouse, tactile surfaces, a keyboard etc...

[0021] Such a cryptographic device may for example be a smartcard, a mobile telephone, a tablet, or a personal computer. It may also be a smartchip embedded in an identity document such as a passport, or a Hardware Security Module (HSM).

[0022] The elliptic curve cryptographic process performed by the cryptographic device may for example be ECDSA protocol which performs multiple point multiplications in protocols.

[0023] A multiple points multiplication operation computes a multiple points multiplication operation result

with n an integer, n>= 1, di being predetermined scalar values, Pi being points of an elliptic curve over a finite field defined by parameters (F, E, G, N) together with the point addition law where F is a field over which is defined the curve, E is an equation of the curve, G is a base point in E over F and N is the order of the base point G. The symbol "." represents the point multiplication, where d.P means calculating d times the point addition group law P+P+...+P, whereas the symbol "*" represents a multiplication between integers. The calculation of the rest after a Euclidian division by some integer, also called modulo, is noted "mod".

[0024] The predetermined scalar values di to be used for such a computation are called nonces. As introduced above, such nonces shall be protected from Side Channel Attacks in order to protect the secret key of the cryptographic process.

[0025] The main idea of the invention is to protect the nonces from being guessed by an attacker from SCA traces by applying a multiplicative masking to these nonces before performing the multiple points multiplication operation. A problem is then to be able to remove the masking from the multiple points multiplication operation output in order to obtain the unmasked multiple points multiplication operation result

In order to do so, the method according to the invention uses a single mask for masking all the nonces to be used in the same multiple points multiplication operation. By doing so, this mask can be factorized from the multiple points multiplication operation output and the masking can be easily removed by a single operation.

[0026] The following paragraphs describe with more details the steps of a method according to the invention securely computing a multiple points multiplication operation result

as depicted on Figure 2.

[0027] In a first step S1, the cryptographic device generates a masking value iRand. Such a value may be randomly generated, for example by a Pseudo-Random Number Generator PRNG 108 included in the cryptographic device.

[0028] In a second step S2, the cryptographic device multiplicatively masks each predetermined scalar value di with said generated masking value iRand to obtain masked scalars di' with i in {1,...,n}: di' = iRand * di mod N.

[0029] In a third step S3, the cryptographic device computes a masked multiple points multiplication operation result

with i in {1,... ,n}. The computation of this result R' is the computation of the result

to be computed, except that each predetermined scalar value di has been replaced by its masked value di'.

[0030] In a fourth step S4, the cryptographic device obtains said multiple points multiplication operation result R by unmasking said masked multiple points multiplication operation result R'. Since the same masking value iRand is used to mask all terms di.Pi it can be easily factorized and cancelled.

[0031] In one embodiment, in the first step S1, generating a masking value iRand comprises generating a random value Rand and computing the masking value iRand by inverting the random value Rand : iRand = 1/Rand mod N. Such a random value may have a size of 32 bits or 64 bits for example.

[0032] In such an embodiment, in the fourth step S4, unmasking said masked multiple points multiplication operation result R' comprises multiplying said masked multiple points multiplication operation result R' with said generated random value Rand. Indeed, Rand.R' = Rand.







[0033] Unmasking the masked multiple points multiplication operation result R' in such a way and using a limited size random value Rand minimizes the cost of the operations performed at the fourth step and ensures a good performance.

[0034] The following paragraphs described an exemplary embodiment for computing the masked multiple points multiplication operation result R' in the third step S3. The idea of this embodiment is to compute the result by chunks of a predetermined length w bits of the masked predetermined scalars di', and to precompute all the possible chunks to avoid performing any point multiplication at the time the multiple points multiplication computation is requested.

[0035] In a first substep S31, all possible sums

for ai in [0, 2w-1], with w a predetermined integer w >=1 are precomputed. Said otherwise, a sum Rk is computed for each possible value of the array (a1, ..., ai, ..., an) where each ai, with i in {1, ..., n}, can be equal to any value in [0, 2w-1]. The number of precomputed sums Rk is equal to 2n*w.

[0036] Such a precomputation may be performed before performing any other step of the method since it does not depend on the predetermined scalar values di. It may be performed by the cryptographic device itself or performed by another device such as a server and the computed sums may be transferred to the cryptographic device.

[0037] In a second substep S32, the cryptographic device initializes an intermediate value A at the infinity point.

[0038] In a third substep S33, the cryptographic device :
  • multiplies the intermediate value A by 2w:

  • selects the sum Rm among the precomputed possible sums Rk such that:

    with di'j the jth bit of the masked predetermined scalar di'.
    In this formula (di'j| ... |di'j+w-1) represents the mathematical evaluation in base 2 of the string formed by concatenating bits j to j+w-1 of di' expressed in base 2. At the first execution of this step, the index j is equal to 0.
  • adds the selected sum Rm to the intermediate value A

  • increases j by w.


[0039] This substep S33 is repeated for the new value of the index j until j reaches |B|-w, which is the last value of j for which the substep is performed, with B the numbers of bits of di'. When |B| is not a multiple of w, when j becomes bigger than |B| -w, this substep is repeated one last time after replacing w by |B| -j. This enables to take into account the last bits of the predetermined scalars when there are less than w bits left to be taken into account.

[0040] Figure 3 shows an example of implementation when n=2 and w=1.

[0041] In this case, the multiple points multiplication result to be obtained is R = d1.P1 + d2.P2.

[0042] In the first substep S31, the all possible sums

for ai in [0, 1], are precomputed. In this case, it means precomputing sums for (a1; a2) = (0;0); (0;1), (1;0) and (1;1) which only amounts to computing P1 + P2 since the sum for the other combinations are already known.

[0043] In the first step S1, the cryptographic device generates a random value Rand and computes the masking value iRand by inverting the random value Rand.

[0044] In the second step S2, the cryptographic device multiplicatively masks the predetermined scalar value d1 and d2 with the generated masking value iRand to obtain masked scalars d1' = iRand * d1 mod N and d2' = iRand * d2 mod N.

[0045] In the third step S3, the cryptographic device computes the masked multiple points multiplication operation result

by repeating the third substep S33 for each value of j in {0, ..., B-1} and selecting at each iteration the precomputed value to be added to the intermediate value A, depending on the value of the bits di'j.

[0046] In the fourth step S4, the cryptographic device multiplies the masked multiple points multiplication operation result R' with the generated random value Rand to obtain the multiple points multiplication operation result R.

[0047] As a result, the method described above enables to compute securely a multiple points multiplication operation, without exposing to side channel attacks the nonces used as scalars for the point multiplications.


Claims

1. A method for securing against side channel attacks an execution of an elliptic curve cryptographic process comprising a multiple points multiplication operation computing a multiple points multiplication operation result R =

with n an integer, n>= 1, di being predetermined scalar values, Pi being points of an elliptic curve over a finite field defined by parameters (F, E, G, N) together with the point addition law where F is a field over which is defined the curve, E is an equation of the curve, G is a base point in E over F and N is the order of the base point G,
said method being performed by a cryptographic device (100) and comprising:

- generating (S1) a masking value iRand,

- multiplicatively masking (S2) each predetermined scalar value di with said generated masking value iRand to obtain masked scalars di' with i in {1,...,n},

- computing (S3) a masked multiple points multiplication operation result R'

with i in {1,...,n},

- obtaining (S4) said multiple points multiplication operation result R by unmasking said masked multiple points multiplication operation result R'.


 
2. The method of claim 1,

- wherein generating a masking value iRand comprises generating a random value Rand and computing the masking value iRand by inverting the random value Rand (iRand = 1/Rand mod N); and

- wherein unmasking said masked multiple points multiplication operation result R' comprises multiplying said masked multiple points multiplication operation result R' with said generated random value R and.


 
3. The method of claim 1 or 2, wherein computing the masked multiple points multiplication operation result R' comprises:

- precomputing (S31) all possible sums

for ai in [0, 2w-1], with w a predetermined integer w >=1,

- initializing (S32) an intermediate value A at the infinity point,

- for an integer j from 0 to |B|-w by steps w (S33), with B a number of bits of the predetermined scalar values:

a. multiplying said intermediate value A by 2w

b. selecting a sum Rm among said precomputed possible sums Rk such that :

with di'j the jth bit of di',

c. adding said selected sum Rm to said intermediate value A.


 
4. The method of any of claims 2 to 3, wherein said random value size is 32 or 64 bits.
 
5. A computer program product directly loadable into the memory of at least one computer, comprising software code instructions for performing the steps of any of claims 1 to 4, when said product is run on the computer.
 
6. A non-transitory computer readable medium storing executable computer code that when executed by a cryptographic device (100) comprising a processing system having at least one hardware processor performs the steps of any of claims 1 to 4.
 
7. Cryptographic device (100) comprising :

- a processing system having at least one hardware processor (101) configured to execute the steps of any of claims 1 to 4,

- at least one Non Volatile Memory (105) and/or a read-only memory (104).


 




Drawing













Search report









Search report




Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Non-patent literature cited in the description