FR3143243A1 - MESSAGE SIGNATURE AND DECRYPTION SECURED BY DOUBLE RSA-CRT - Google Patents

Abstract

The present invention relates to securing cryptographic processing based on the RSA-CRT algorithm used to sign or decrypt a message m. A double execution of the RSA-CRT algorithm is carried out, followed by a verification of the consistency between the results S and S' obtained, and the emission of one of the results in the event of a positive verification. To protect against a double injection of identical fault, the invention provides that the modular exponentiations of the same module of the two executions of the RSA-CRT algorithm are carried out on different messages based on m and/or using d different modular exhibitors. Typically, S = md mod N using RSA-CRT and S’ = md+1 mod N using the exponents dp+1 and dq+1. If S’=m.S mod N, then the data S is returned as output. Alternatively, S’ = m2d mod N or m2d+1 mod N or m2(d+2) mod N or even (-m2)d mod N. [Fig. 3]

Description

MESSAGE SIGNATURE AND DECRYPTION SECURED BY DOUBLE RSA-CRT FIELD OF INVENTION

The present invention generally concerns the field of cryptography, and more particularly the securing of the RSA – Rivest-Shamir-Adleman – algorithm using the Chinese Remainder Theorem – CRT (for Chinese Remainder Theorem), used for signature or deciphering a message.

BACKGROUND OF THE INVENTION

Public key cryptographic processes, such as RSA encryption, are used to encrypt a message either by the private key to obtain a digital signature S of the message verifiable with the public key, or by the public key to obtain an encrypted message which is decipherable with the private key. They are generally implemented in secure cryptographic systems, such as smart cards, secure elements, secure servers.

The public key is composed of a module N and a public exponent ‘e’. The private key is composed of the module N and a private or secret exponent ‘d’. By construction, d is a modular inverse of e.

The Chinese Remainder Theorem or CRT is used with the RSA algorithm to speed up decryption or signing time. CRT is in fact an algorithm for reducing modular arithmetic calculation with a large module for the same calculation for each factor of the module. The CRT can thus reduce the size of the exponents used in calculations, particularly in the RSA algorithm. RSA encryption in its CRT version is denoted RSA-CRT.

RSA-CRT encryption for signing a message or decrypting an encrypted message relies on private modular exponents d _p and d _q constructed from the private exponent d, in particular d _p = d mod(p- 1) and d _q = d mod(q-1) where p and q are prime numbers forming the module N (N = pq). The RSA-CRT encryption performs two modular exponentiations of the message respectively by the modular exponent d _p based on p and by the modular exponent d _q based on q, then a recombination of the two results. For example in the case of signing an 'm' message or decrypting an encrypted message also denoted 'm':

S _p <- m ^dp mod p

S _q <- m ^dq mod q

S <- CRTRecombine (S _p , S _q , p, q, i _q ) where i _q = q ^-1 mod p.

RSA-CRT encryption is very susceptible to fault injection attacks, typically the so-called Bellcore attack. The Bellcore attack is documented in the publication “On the Importance of Checking Cryptographic Protocols for Faults” (D. Boneh et al., EUROCRYPT ’97, volume 1233 of LNCS, pages 37–51. Springer, 1997).

In particular, the private key used for the RSA-CRT signature is completely exposed from a single erroneous signature obtained by the injection of a fault.

A first level of protection against this attack is possible when the public key is known to the cryptographic encryption system, by simply checking that S^e=m, that is to say (m^d)^e = m.

However, the public exponent e is not always known to the cryptosystem. If it is possible to recalculate the public exponent e by performing the modular inversion of the private exponent d, this calculation is too costly. Nevertheless, publication US 2009/175441 proposes, in , to carry out a less costly inversion of public modular exponents e _p and e _q resulting from the application of the CRT from the private modular exponents d _p and d _q . However, the required modular inversions are generally expensive and difficult to secure against side-channel attacks.

Also, other protections avoiding these exponent inversions have been proposed. Typically, one of them performs the double calculation of the signature and the comparison of their results, before outputting one of the results in the event of a tie. However, as two identical calculations are carried out, this protection mechanism does not protect the encryption against a double injection of the same fault in the two calculations.

There is therefore a need to secure a cryptographic system implementing the RSA-CRT algorithm in a secure manner at low computational cost.

For this purpose, the invention proposes a new method for securing the RSA-CRT algorithm to protect the private modular exponents d _p and d _q either during message signing or during decryption of an encrypted message. It therefore relates to a signature or decryption method, based on the RSA-CRT algorithm, of an initial message m in an electronic device, using a private key comprising two modular exponents d _p and d _q associated with two distinct prime numbers p and q, the RSA-CRT algorithm comprising a first modular exponentiation of module p and a second modular exponentiation of module q, the method comprising the following steps:

generate a first piece of data, S, by a first execution of the RSA-CRT algorithm on m,

generate a second piece of data, S’, by a second execution of the RSA-CRT algorithm on m, and

emit an output message based on S or S’, if S is consistent with S’.

The invention relies on the mathematical properties of the RSA algorithm to perform a second RSA-CRT calculation that is different and therefore resistant to double injection of the same fault. For this purpose, it is characterized in that the modular exponentiations of the same module of the first and second executions of the RSA-CRT algorithm are carried out on different messages based on m and/or using different modular exponents.

Indeed, the choice of a modification, between the two executions, of the message on which the modular exponentiations are carried out or of the modular exponents used guarantees different executions and therefore resistant to a double injection of the same fault. At the same time, it makes it possible to verify, via the consistency between the two data S and S' obtained, that no fault has been injected without the need for modular inverse calculations (in particular to obtain the public exponent e or its modular exponents e _p and e _q ) resource-intensive.

Correlatively, the invention relates to an electronic device for signature or decryption, based on the RSA-CRT algorithm, of an initial message m using a private key comprising two modular exponents d _p and d _q associated with two distinct prime numbers p and q, the RSA-CRT algorithm comprising a first modular exponentiation of module p and a second modular exponentiation of module q, the electronic device comprising a processor configured to:

generate a first piece of data, S, by a first execution of the RSA-CRT algorithm on m,

generate a second piece of data, S’, by a second execution of the RSA-CRT algorithm on m, and

emit an output message based on S or S’, if S is consistent with S’,

the electronic device being characterized in that the modular exponentiations of the same module of the first and second executions of the RSA-CRT algorithm are carried out on different messages based on m and/or using different modular exponents.

The electronic device is a cryptographic system which can preferably be implemented by computer. Also, the invention also relates to a non-transitory computer-readable medium storing a program which, when executed by a processor of an electronic cryptographic processing device, causes the electronic cryptographic processing device to perform the above method .

Optional features of embodiments of the invention are defined in the appended claims. Some of these characteristics are explained below with reference to a process, while they can be translated into device characteristics.

In one embodiment, the first and second executions of the RSA-CRT algorithm call the same RSA-CRT encryption computer function taking, as inputs, different messages based on m and/or modular exponents of the same module which are different. This arrangement advantageously makes it possible to secure the RSA-CRT algorithm without modifying an existing implementation of this algorithm, and consequently without the need to requalify or re-test a new function.

In one embodiment, the modular exponentiations of the same execution are carried out on an identical message .

Likewise, in one embodiment, the modular exponents of the two modular exponentiations of each of the executions are obtained by the same function (or transformation) applied respectively to d _p and d _q . Also, a function/transformation is used for the first execution, for example the Identity function making it possible to apply d _p and d _q , and a different function/transformation is used for the second execution as explained subsequently .

In one embodiment, the message for the modular exponentiations of the first execution is m. This makes it possible to construct the output message from the first data S resulting from the first execution of the RSA-CRT algorithm.

In a particular embodiment, the modular exponents of the two modular exponentiations of the first execution are respectively worth d _p and d _q , and the output message is worth S. In this case, the first execution corresponds to the signature or decryption of m using said private key.

In a variant, the modular exponents of the two modular exponentiations of the first execution are respectively worth d_p-α and d_q-α, with α a positive or zero integer, and the output message is S.m^α mod N. The output message is thus not directly exposed from the first execution.

In one embodiment, the message for the modular exponentiations of the second execution is (-1) ^j .m ^k , with j and k positive integers, k not zero. In this case, the message to be encrypted/decrypted is modified during the second execution of the RSA-CRT algorithm.

In particular, the message for the modular exponentiations of the second execution can be worth m². Alternatively, the message for the modular exponentiations of the second execution is -(m)². These configurations advantageously offer low computational complexity (thanks to the low chosen values of j and k) for a notable security gain.

In one embodiment, the modular exponents of the two modular exponentiations of the second execution are respectively worth β.d _p +γ and β.d _q +γ, where β is a non-zero positive integer and γ an integer. In this case, the modular exponents for p and q are changed during the second execution of the RSA-CRT algorithm.

In particular, it can be chosen that β=1 and γ=1. These low values advantageously offer low computational complexity for a significant security gain. Of course, other low values can be used, for example β= 1 or 2 and γ= 0, 1 or 2.

In one embodiment, the method includes a step of verifying the consistency of S' with S by comparing S and S', the comparison comparing:

S' to (-1) ^{j( γ + β )} .(Sm ^α ) ^{k . β} .m ^{k . γ} mod N, with N=pq, when the message for the modular exponentiations of the first execution is worth m and that for the modular exponentiations of the second execution is worth (-1) ^j .m ^k , the modular exponents of the two modular exponentiations of the first execution are respectively worth d _p -α and d _q -α and those of the two modular exponentiations of the second execution are respectively worth β.d _p +γ and β.d _q +γ, if γ positive, or

S'.m ^{- k. γ} mod N to (-1) ^{j( γ +} β ⁾ .(Sm ^α ) ^{k . β} mod N, if γ negative.

It should be noted that the expression (-1) ^{j ( γ + β )} is equivalent to (-1) ^{j ( γ + β. d)} with d the private exponent of the RSA-CRT encryption key (therefore corresponding to d _p and d _q ), to the extent that d is odd.

In a particular embodiment, the method comprises a step of calculating a value T=Sm ^α , and

in which the comparison compares S' to (-1) ^{j( γ +β)} .T ^{k . β} .m ^{k. γ} mod N, if γ positive, or S'.m ^{- k. γ} mod N to (-1) ^j(γ+β) .T ^{k . β} mod N, if γ negative,
and the step of transmitting an output message includes the step of transmitting the T value.

This configuration makes it possible to reduce computational costs.

In a particular embodiment, the comparison comprises:

drawing a random integer Rand,

calculating a verification value by adding one of the two terms to be compared to Rand followed by subtraction of the other term to be compared, and

the comparison of the verification value with Rand, the comparison being positive in case of equality.

This configuration secures the comparison by avoiding a comparison with 0.

At least part of the methods according to the invention can be implemented by computer. Consequently, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment (comprising firmware, resident software, microcodes, etc.) or an embodiment combining software and hardware aspects which can all be collectively called here "circuit", "module" or "system". Additionally, the present invention may take the form of a computer program product embodied in any tangible expression medium having computer-usable program code embodied in the medium.

Other particularities and advantages of the invention will appear further in the description below, illustrated by the attached figures which illustrate examples of embodiment devoid of any limiting character.

There schematically illustrates the main elements of a possible embodiment for a microcircuit card or “smart card”.

There illustrates the general physical appearance of the microcircuit card of the .

There illustrates, from a flowchart, general steps for encrypting (signing) or decrypting a message according to embodiments of the invention.

There illustrates an embodiment of the method of calling the same RSA-CRT encryption computer function.

There illustrates a first exemplary embodiment separately calculating S=m ^d mod N and S'=m ^d+1 mod N.

There illustrates a second embodiment separately calculating S=m ^d mod N and S'=m ^2d mod N.

There illustrates a third embodiment separately calculating S=m ^d mod N and S'=(-m ² ) ^d mod N.

There illustrates a fourth embodiment separately calculating S=m ^d mod N and S'=m ^2(d+1) mod N.

There illustrates a fifth embodiment separately calculating S=m ^d mod N and S'=m ^2d+1 mod N.

There illustrates a sixth embodiment separately calculating S=m ^d-1 mod N and S'=m ^2(d+1) mod N.

DETAILED DESCRIPTION

The present invention relates to securing cryptographic processing based on the RSA-CRT algorithm, for Rivest-Shamir-Adleman and Chinese Remainder Theorem.

In known manner, the RSA-CRT algorithm is an asymmetric key signature/encryption algorithm, based on a public key (e, N) and a private key (p, q, d _p , d _q , i _q ) where :

the module N is worth the product of the large prime numbers p and q: N=p.q,

e is the public exponent, chosen between 1 and Φ=(p-1).(q-1),

d is the private exponent calculated by modular inversion of e with the module Φ: d=e ^-1 mod Φ, that is to say ed is equivalent to 1 mod Φ,

d _p and d _q are the modular exponents based on p and q respectively: d _p = d mod(p-1) and d _q = d mod(q-1), and

i _q = q ^-1 mod p.

This algorithm can be used to encrypt a message or sign it.

During encryption, Alice encrypts the message m using the RSA algorithm with Bob's public key (N, e): S = m ^e mod N. The encrypted message S is decrypted by Bob using the RSA algorithm with its own private key (p, q, d _p , d _q , i _q ): m = S ^d mod N. The Chinese Remainder Theorem makes it possible to accelerate the time of this decryption by using d _p and d _q . A possible implementation of the RSA-CRT function is the following, denoted RSA-CRT(S, (p, q, d _p , d _q , i _q )):

m _p = S ^dp mod p

m _q = S ^dq mod q

m = CRTRecombine ( _mp , m _q , p, q, i _q ). Typically, CRTRecombine ( _mp , m _q , p, q, i _q ) = m _q + q.(i _q .(m _p -m _q ) mod p).

Symmetrically for the signature of message m, Alice signs message m using the RSA algorithm with her own private key (p, q, d _p , d _q , i _q ): S = m ^d mod N. The Theorem of Chinese Remainders makes it possible to speed up the signature calculation time by using d _p and d _q , for example by calling the RSA-CRT function (m, (p, q, d _p , d _q , i _q )) :

S _p = m ^dp mod p

S _q = m ^dq mod q

S = CRTRecombine (S _p , S _q , p, q, i _q ). Typically, CRTRecombine (S _p , S _q , p, q, i _q ) = S _q + q.(i _q .(S _p -S _q ) mod p).

The signature S is verified by Bob using the RSA algorithm with Alice's public key (N, e) to calculate a message m': m' = S ^e mod N, then compare m and m'.

Subsequently, the explanations and illustrations are provided primarily in connection with the operation of signing the message m. Given processing symmetry, these also apply to the decryption of an RSA-encrypted message.

The invention aims to secure the RSA-CRT algorithm executed by an electronic device against fault injection attacks, typically Bellcore attacks. This execution is obtained by a double execution of the RSA-CRT algorithm in which the modular exponentiations of the same module (p or q) of the two executions of the RSA-CRT algorithm are carried out on different messages based on m and/or using different modular exponents.

This can be illustrated by two calls to the RSA-CRT function defined above where the parameters are different.

The two results obtained by the two executions are checked for consistency, and if so, one of the results is used to generate an output message representing the desired signature (or decrypted message).

The consistency between the two results must be understood to mean that these two results are linked by a formula. This ensures that no identical single attacks or double attacks took place on these executions.

There represents, schematically, an electronic data processing device 40 forming a cryptographic system in which the present invention can be implemented. This device 40 comprises a microprocessor 10, with which is associated on the one hand a RAM 60, for example by means of a bus 70, and on the other hand a non-volatile memory 20 (for example of the EEPROM type), for example through a 50 bus.

The data processing device 40, and precisely the microprocessor 10 which it incorporates, can exchange data with external devices by means of a communication interface 30.

We have schematically represented on the the transmission of an input data m received from an external device (not shown) and transmitted from the communication interface 30 to the microprocessor 10. In a similar manner, the transmission of an output data S from the microprocessor 10 to the communication interface 30 intended for an external device. This output data S comes from the data processing by the microprocessor 10, on the input data m using a secret key 80 internal to the system, in particular the private key (p, q, d), i.e. (p, q, d _p , d _q , i _q ) in its CRT form, and stored in memory.

Although, for the illustration, the input data and the output data appear on two different arrows, the physical means which allow communication between the microprocessor 10 and the interface 30 could be produced by unique means, for example a serial communications port or bus.

The microprocessor 10 is able to execute software (or computer program) which allows the data processing device 40 to execute a method according to the invention, examples of which are given below. The software is composed of a series of instructions for controlling the microprocessor 10 which are for example stored in the memory 20.

Alternatively, the microprocessor assembly 10 - non-volatile memory 20 - random access memory 60 can be replaced by a specific application circuit which then comprises means for implementing the different stages of the method according to the invention.

There represents a microcircuit card which constitutes an example of a cryptographic system according to the invention as represented in . The communication interface 30 is in this case produced by means of the contacts of the microcircuit card. The microcircuit card incorporates a microprocessor 10, a RAM 60 and a non-volatile memory 20 as shown in the figure. .

This microcircuit card complies, for example, with the ISO 7816 standard and is equipped with a secure microcontroller which brings together the microprocessor (or CPU) 20 and the RAM 60.

Alternatively, the cryptographic system can be included in a secure element SE (for “Secure Element” in English), a USB key, a document or a paper information carrier comprising in one of its sheets a microcircuit associated with contactless means of communication. It is preferably a portable or pocket electronic entity. Of course, the invention also applies to a cryptographic system equipping a personal computer, a mobile device (smart phone, tablet, IOT type connected object, or equivalent) or a server.

There illustrates, from a flowchart, general steps for encrypting (signing) or decrypting a message according to embodiments of the invention. The method can be implemented by an electronic device or cryptographic system as described above to output an encrypted (signature) or decrypted message, or be implemented by a software module inside the electronic device or cryptographic system for providing the encrypted (signature) or decrypted message to another software module within the electronic device or cryptographic system.

The process begins at step 300 with the message m to be signed and the private key (p,q,d _p ,d _q ,i _q ). The explanations below are valid for a message m to be decrypted.

Step 310 consists of a first execution of the RSA-CRT algorithm by the electronic device to obtain a first signature S. The message used for the modular exponentiations of this first execution is worth m.

The first modular exponentiation of modulo p 312 uses the exponent d _p -α where α is a positive integer (0 or more): S _p = m ^{dp - α} mod p.

The second modular exponentiation of modulo q 314 uses the exponent d _q -α: S _q = m ^{dq - α} mod q.

The two exponentiations can be carried out in parallel, or in the reverse order of the figure. The modular exponentiations of the same execution are carried out on an identical message, here m. Likewise, the modular exponents of the two modular exponentiations of each of the executions are obtained by the same function or transformation applied respectively to d _p and d _q , here by the subtraction of α.

A first piece of data S is then obtained in step 316 by CRT recombination of the two results S _p and S _q of the modular exponentiations 312 and 314. For example, S = S _q + q.(i _q .(S _p -S _q ) mod p).

This first data S is worth S = m ^{d- α} mod N.

Similarly, step 320 consists of a second execution of the RSA-CRT algorithm by the electronic device to obtain a second signature S'. According to the invention, the modular exponentiations of this second execution use different messages based on m and/or different modular exponents compared to the first execution 310.

Generally speaking, the message for the modular exponentiations of this second execution 320 is worth (-1) ^j .m ^k , with j and k integers, k not zero. Typically j can take either the value 0 equivalent to any even value of j, or the value 1 equivalent to any odd value of j. k is preferentially positive, but not necessarily.

To ensure that the messages and/or modular exponents used during the two executions 310 and 320 are different, the following trivial case is avoided: j=0 (or even), k=1, α=-γ, β= 1.

The first modular exponentiation of modulo p 322 uses the exponent β.d _p +γ where β is a non-zero positive integer and γ an integer (0 or more): S' _p = ((-1) ^j .m ^k ) ^{β. dp + γ} mod p.

The second modular exponentiation of modulo q 324 uses the exponent β.d _q +γ: S' _q = ((-1) ^j .m ^k ) ^{β. dq + γ} mod q.

The two exponentiations can be carried out in parallel, or in the reverse order of the figure. The modular exponentiations of the same execution are carried out on an identical message, here (-1) ^j .m ^k . Likewise, the modular exponents of the two modular exponentiations of each of the executions are obtained by the same function applied respectively to d _p and d _q , here by the function g(d)= β.d+γ.

A second piece of data S' is then obtained in step 326 by CRT recombination of the two results S' _p and S' _q of the modular exponentiations 322 and 324. For example, S' = S' _q + q.(i _q .( S' _p -S' _q ) mod p).

This second data S' is worth S' = ((-1) ^j .m ^k ) ^{β.d+ γ} mod N.

The two executions of the RSA-CRT algorithm 310 and 320 can be carried out in parallel, or in the reverse order of the figure.

Step 330 consists of checking the consistency between the two data obtained S and S' to ensure that no fault injection has taken place during the two executions 310 and 320 of the RSA-CRT algorithm by the device electronic. Coherence can be checked by comparing S and S’ according to a coherence function linked to the parameters j, k, α, β and γ used. Indeed, the proposed modifications of message and/or exponents between the two executions rely on the mathematical properties of the RSA-CRT algorithm in order to allow a final mathematical verification.

In one embodiment, the verification includes the comparison of:

S' to (-1) ^{j( γ + β )} .(Sm ^α ) ^{k. β} .m ^{k. γ} mod N, if γ positive, or

S'.m ^{- k. γ} mod N to (-1) ^{j ( γ + β )} .(Sm ^α ) ^{k. β} mod N, if γ negative.

In one embodiment, the value T=Sm ^α is calculated prior to this verification and is used in the comparison.

For security reasons, a random value, denoted Rand, is used to hide this comparison. Typically, in embodiments, the comparison 330 includes:

drawing a random integer Rand,

the calculation of a verification value by the addition of one of the two terms to be compared to Rand followed by the subtraction of the other term to be compared. For example, we calculate

Verif = S' + Rand - (-1) ^{j( γ + β )} .(Sm ^α ) ^{k. β} .m ^{k. γ} mod N, if γ positive, or

Verif =S'.m ^{- k. γ} mod N + Rand - (-1) ^{j ( γ + β )} .(Sm ^α ) ^{k. β} mod N, if γ negative, and

the comparison of the Verif verification value with Rand, the comparison being positive in case of equality.

In the event of inconsistency (negative comparison), an execution fault is therefore detected, possibly due to fault injection, in which case an error is raised at step 350. This error may consist of the absence of emission of output data resulting from calculations 310 and 320. It can also include the sending of a simple error code.

In case of consistency (positive comparison), the encrypted (signature) or decrypted message is output in step 340. Generally, the output message is based on S or S'.

Preferably, the output message is worth Sm ^α mod N. In one embodiment, the output message is T previously calculated. Advantageously, when α = 0, the first data S is directly worth the output message (signature or decrypted message).

This method according to the invention protects the RSA-CRT algorithm against single faults due to the two executions 310 and 320, but also identical double faults (one in each execution) due to the different messages or modular exponents used during the two executions 310 and 320.

Protection against the malicious modification of a few bits of an intermediate value (typically a byte or a machine word) to a random value being obtained by a conventional double calculation, it is also obtained by the method of the invention.

Protection against malicious modification of all bits of an intermediate value at 0 or 1 (for example 0x00 or 0xFF) is now obtained by the method of the invention. Indeed, as the inputs to the RSA-CRT algorithm are different (the message or the modular exponents used), the intermediate values are different, and therefore the same fault on the two RSA-CRT executions necessarily leads to a different fault on the two data S and S'.

Also, protection against malicious modification of a pointer so that it points to a certain address in RAM is now obtained by the method of the invention. Indeed, even if the modification manages to distort the pointer of an input parameter of the RSA-CRT encryption computer function called, for example that of the message to use or that of the modular exponents to use, such that it points to the same value for the two modular exponentiations of the same module (p or q) during the two executions 310 and 320, the two data S and S' will not be consistent because the two executions will be carried out on the same message or with the same modular exponents, and no longer with different messages or modular exponents between the two executions.

It should be noted that conventional protection against execution on a null message (m = 0) can be provided, by detection prior to the RSA-CRT algorithm or by additional verification on m at the start of the algorithm.

The computational costs of the process according to the invention remain contained. This costs the cost of modifying the message m and/or the modular exponents, plus twice the cost of an RSA-CRT execution and the cost of the consistency check, for example the calculation of S' and (- 1) ^{j( γ + β )} .(Sm ^α ) ^{k. β} .m ^{k. γ} mod N. These costs can be kept negligible when the parameters k, α, β and γ are small.

This is the case for example of the embodiments described below, in which the first and second executions of the RSA-CRT algorithm call the same RSA-CRT encryption computer function taking, as inputs, different messages based on m and/or different modular exponents of the same module. This function is denoted RSA-CRT(m, (p, q, d _p , d _q , i _q )), an implementation of which is described above.

These embodiments have the advantage of being able to rely on an already existing RSA-CRT function, thus reducing the need for qualification or function testing.

These embodiments are illustrated generically by the . The first execution 410 calls the RSA-CRT function with the following input data (m, (p,q,d _p -α,d _q -α,i _q ). By this first call, the first modular exponentiation 312 is calculated, followed by the second modular exponentiation 314 and the CRT recombination 316. The first data S obtained is therefore identical to that obtained in .

Then the second execution 420 calls the RSA-CRT function with the following input data ((-1) ^j .m ^k , (p,q,β.d _p +γ,β.d _q +γ,i _q ) ). By this other call to the function, the first modular exponentiation 322 is calculated, followed by the second modular exponentiation 324 and the CRT recombination 326. The second data S' obtained is therefore identical to that obtained in .

The verification 430 remains unchanged, as well as the data output in step 440 or the emission of an error in step 450.

Of course, other implementations than calling the same function can be considered. This means that other embodiments of the invention may provide different implementations of the RSA-CRT algorithm for the two executions required according to the invention. In particular, different implementations can already include the parameters j, k, α, β and γ such that the two called functions take the same values as inputs, namely (m, (p, q, d _p , d _q , i _q )). Other intermediate implementations (eg some parameters are already fixed in the implementations, others are indicated in the input values) can be considered.

Figures 5 to 9 illustrate embodiments where the first execution 310 directly calculates the expected encrypted (signature) or decrypted message: S = m ^d mod N. In these embodiments, the message for the modular exponentiations of the first execution and the modular exponents of the two modular exponentiations of the first execution are respectively worth m, d _p and d _q . Also, the output message is worth S. These embodiments therefore differ by the parameters j, k, β and γ used during the second execution 320.

In the example of the , the second execution 520 of the RSA-CRT algorithm by the electronic device calculates S' = m ^d+1 mod N.

This corresponds to the embodiment j=0, k=1, α=0, β=1 and γ=1.

The data S and S’ are therefore linked by the formula m.S mod N = S’. The latter is therefore verified in step 530 for example in the form of comparison between, on the one hand, m.S mod N + Rand – S’ and, on the other side, Rand.

In the example of the , the second execution 620 of the RSA-CRT algorithm by the electronic device calculates S' = m ^2d mod N.

This corresponds to the embodiment j=0, k=2, α=0, β=1 and γ=0. Note that the same data S and S’ are obtained with the following parameters j=0, k=1, α=0, β=2 and γ=0. We thus see that k and β are redundant. In a simplified embodiment, k can be omitted. However, preferred embodiments retain k and β in order to allow a modification of the message taken by the RSA-CRT algorithm between the two executions 310, 320.

The data S and S' of the embodiment of the are therefore linked by the formula S² mod N = S'. The latter is therefore verified in step 630 for example in the form of comparison between, on the one hand, S² mod N + Rand – S' and, on the other hand, Rand.

In the example of the , the second execution 720 of the RSA-CRT algorithm by the electronic device calculates S' = (-m ² ) ^d mod N. It should be noted that in embodiments using only positive values (to facilitate binary representation ), -m can be manipulated as Nm or m.(N-1).

This example corresponds to the embodiment j=1, k=2, α=0, β=1 and γ=0.

The data S and S’ are also linked by the formula S² mod N = S’. The latter is therefore verified in step 730 for example in the form of a comparison between, on the one hand, S² mod N + Rand + S’ and, on the other hand, Rand.

In the example of the , the second execution 820 of the RSA-CRT algorithm by the electronic device calculates S' = m ^{2 ( d +1)} mod N.

This example corresponds to the embodiment j=0, k=2, α=0, β=1 and γ=1. Note that the same data S and S’ are obtained with the following parameters j=0, k=1, α=0, β=2 and γ=2.

The data S and S’ are also linked by the formula (m.S)² mod N = S’. The latter is therefore verified in step 830 for example in the form of comparison between, on the one hand, (m.S)² mod N + Rand – S’ and, on the other hand, Rand.

In the example of the , the second execution 920 of the RSA-CRT algorithm by the electronic device calculates S' = m ^2d+1 mod N.

This example corresponds to the embodiment j=0, k=1, α=0, β=2 and γ=1.

The data S and S’ are also linked by the formula m.S² mod N = S’. The latter is therefore verified in step 930 for example in the form of comparison between, on the one hand, m.S² mod N + Rand – S’ and, on the other side, Rand.

There illustrates an embodiment where the first execution 310 does not directly calculate the expected encrypted (signature) or decrypted message, but an intermediate data linked to the expected message by the formula: Sm ^α mod N.

In the example of the , the first execution 1010 of the RSA-CRT algorithm by the electronic device calculates S = m ^d-1 mod N, that is to say α=1, and the second execution 1020 of the RSA-CRT algorithm calculates S' = m ^{2(d +1 )} mod N.

This example corresponds to the embodiment j=0, k=2, α=1, β=1 and γ=1. Note that the same data S and S’ are obtained with the following parameters j=0, k=1, α=1, β=2 and γ=2.

Of course, other values of α can be used. Likewise, any other combination of j, k, β and γ (for example those in Figures 5 to 9 ) can be used for the second execution.

The data S and S' of the example of the are therefore linked by the formula m².(mS)² mod N = S'. The latter is therefore verified in step 1030 for example in the form of comparison between, on the one hand, m ⁴ .S² mod N + Rand – S' and, on the other side, Rand.

In one embodiment, the value T=mS (more generally m ^α .S) can be calculated in step 1025, before comparison 1030. The latter can then consist of checking m².T² mod N = S', by example by comparing, on one side, m².T² mod N + Rand – S' and, on the other side, Rand.

Of course, the present invention is not limited to the embodiments described above by way of examples; it extends to other variants. Other achievements are possible.

Claims (12)

Method for signing or decrypting, based on the RSA-CRT algorithm, an initial message m in an electronic device, using a private key comprising two modular exponents d _p and d _q associated with two distinct prime numbers p and q, the RSA-CRT algorithm comprising a first modular exponentiation (312, 322) of module p and a second modular exponentiation (314, 324) of module q, the method comprising the following steps:
generate a first piece of data, S, by a first execution (310, 410, 510, 610, 710, 810, 910, 1010) of the RSA-CRT algorithm on m,
generate a second piece of data, S', by a second execution (320, 420, 520, 620, 720, 820, 920, 1020) of the RSA-CRT algorithm on m, and
emit (340, 440, 540, 640, 740, 840, 940, 1040) an output message based on S or S', if S is consistent with S',
characterized in that the modular exponentiations (312, 322; 314, 324) of the same module of the first and second executions of the RSA-CRT algorithm are carried out on different messages based on m and/or using exponents different modular ones. Method according to claim 1, in which the first and second executions of the RSA-CRT algorithm call the same RSA-CRT encryption computer function taking, as inputs, different messages based on m and/or modular exponents of the same module which are different. Method according to claim 1 or 2, in which the modular exponentiations of the same execution are carried out on an identical message . Method according to one of the preceding claims, in which the modular exponents of the two modular exponentiations of each of the executions are obtained by the same function applied respectively to d _p and d _q . Method according to one of the preceding claims, in which the message for the modular exponentiations of the first execution is worth m, the modular exponents of the two modular exponentiations of the first execution are respectively worth d _p -α and d _q -α, with α a positive integer or zero, and the output message is Sm ^α mod N. Method according to one of the preceding claims, in which the message for the modular exponentiations of the second execution is worth (-1) ^j .m ^k , with j and k positive integers, k not zero. In this case, the message to be encrypted/decrypted is modified during the second execution of the RSA-CRT algorithm. Method according to one of the preceding claims, in which the modular exponents of the two modular exponentiations of the second execution are respectively worth β.d _p +γ and β.d _q +γ, where β is a non-zero positive integer and γ an integer . Method according to one of the preceding claims, comprising a step of verifying (330, 430, 530, 630, 730, 830, 930, 1030) the consistency of S' with S by comparing S and S', the comparison comparing:
S' to (-1) ^{j( γ + β )} .(Sm ^α ) ^{k. β} .m ^{k. γ} mod N, with N=pq, when the message for the modular exponentiations of the first execution is worth m and that for the modular exponentiations of the second execution is worth (-1) ^j .m ^k , the modular exponents of the two modular exponentiations of the first execution are respectively worth d _p -α and d _q -α and those of the two modular exponentiations of the second execution are respectively worth β.d _p +γ and β.d _q +γ, if γ positive, or
S'.m ^{- k. γ} mod N to (-1) ^j(γ+ β ⁾ .(Sm ^α ) ^{k. β} mod N, if γ negative. Method according to the preceding claim, comprising a step of calculating a value T=Sm ^α , and
in which the comparison compares S' to (-1) ^{j( γ +β)} .T ^{k . β} .m ^{k. γ} mod N, if γ positive, or S'.m ^{- k. γ} mod N to (-1) ^j(γ+β) .T ^{k . β} mod N, if γ negative,
and the step of transmitting an output message includes the step of transmitting the T value. Method according to the preceding claim, in which the comparison comprises:
drawing a random integer Rand,
calculating a verification value by adding one of the two terms to be compared to Rand followed by subtracting the other term to be compared, and
comparing the check value with Rand, the comparison being positive in case of equality. Electronic device (40) for signing or decrypting, based on the RSA-CRT algorithm, an initial message m using a private key comprising two modular exponents d _p and d _q associated with two distinct prime numbers p and q, the RSA-CRT algorithm comprising a first modular exponentiation (312, 322) of module p and a second modular exponentiation (314, 324) of module q, the electronic device comprising a processor (10) configured to:
generate a first piece of data, S, by a first execution of the RSA-CRT algorithm on m,
generate a second piece of data, S', by a second execution of the RSA-CRT algorithm on m, and
emit an output message based on S or S', if S is consistent with S',
the electronic device being characterized in that the modular exponentiations of the same module of the first and second executions of the RSA-CRT algorithm are carried out on different messages based on m and/or using different modular exponents. A non-transitory computer-readable medium storing a program which, when executed by a processor of an electronic cryptographic processing device, causes the electronic cryptographic processing device to perform the method according to one of claims 1 to 10.