1. Field of the Invention
The present invention relates to cryptographic systems, and in particular to apparatus and methods for determining a result of a modular exponentiation within a cryptosystem.
2. Description of the Related Art
In digital signature algorithms, as in other cryptographic applications, secret data such as the private key of the RSA algorithm must be protected from so-called side-channel attacks. Such attacks are based on an analysis of the current consumption, power consumption or radiation (electromagnetic emission) profile of the circuit executing the algorithm. From an evaluation of such a power profile of the circuit, statements about the secret key can be derived.
The basic concept of the digital signature based on the RSA algorithm is illustrated in FIG. 6, as described in the “Handbook of Applied Cryptography” by Menezes, van Oorschot and Vanstone, CRC Press, 1996, chapter 11.3. For the digital signature 60, an entity A signs a message m. Any entity B can then verify the signature of A and recover the message m from the signature.
In signature generation, illustrated at 60 in FIG. 6, entity A computes a modular exponentiation with the message m as base, the secret key d as exponent and the modulus N, according to the equation shown in block 60. As is known, the public key e that an entity B requires for verification, illustrated at 62 in FIG. 6, belongs to the secret key d. Entity B takes the public key e belonging to d as exponent and exponentiates the signature S generated by entity A with it. After a final reduction modulo N, a recovered message m′ results. If B already knows the unsigned message, it can determine by comparing m′ and m whether the signature S in fact originated from entity A; in other words, B determines whether the private key d used for the signature in fact belongs to the public key e. If B knows for other reasons that entity A is authentic, the verification, i.e. the modular exponentiation of the signature with the public key as exponent, directly yields the message m, since the second condition at 62 in FIG. 6 is then certainly met.
An attacker might wish to determine the secret key d of entity A, which is used for the signature at 60 in FIG. 6. To this end, the attacker could perform a power analysis or a similar side-channel attack. To ward off such statistical side-channel attacks (DPA, differential power analysis; EMA, electromagnetic analysis), the RSA signature generation usually randomizes e.g. the exponent: s = m^d mod N is replaced by s = m^d′ mod N, where the result is supposed to be the same but the exponent d′ differs in each calculation with the same key d. In general, the secret key in the RSA algorithm consists of the pair (d, N) and the public key of the pair (e, N). Typically the modulus is known, so that the only secret information is the exponent d. Furthermore, it is known that the product of d and e satisfies the equation d × e ≡ 1 mod λ(N), where λ(N) is the known Carmichael function. Thus the randomized exponent cannot be arbitrary: the signature stays the same when d′ differs from d by a multiple of λ(N), i.e. d′ = d + r·λ(N) for a random r, but not for an arbitrary offset. Hence a multiple of the Carmichael function λ(N) is usually required for the randomization of the exponent. Usually, however, λ(N) is not given.
Furthermore, it is known to use the Chinese remainder theorem (CRT) for signature generation, which is also described in the Handbook of Applied Cryptography in chapter 14.5. In particular, a special form of the CRT known as Garner's algorithm is used. The Chinese remainder theorem reduces the entire exponentiation to two exponentiations, one modulo p and one modulo q. It is particularly interesting because the two exponentiations use exponents (d mod (p−1) and d mod (q−1)) that have only half the length of the original exponent d. It is disadvantageous, however, that the Chinese remainder theorem can only be applied when the additional parameters p and q are available, where the product of p and q yields the modulus N. To make the signature calculation using the Chinese remainder theorem safe, both exponentiations must be secured, i.e. provided with a randomization, in order to inhibit side-channel attacks. The Carmichael functions of the two prime moduli are λ(p) = p−1 and λ(q) = q−1. These two Carmichael functions, however, have to be calculated separately.
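The signature, verification, exponent randomization with a multiple of λ(N), and Garner's CRT form with randomized half exponents described above, as an added example that is not part of the patent text. The toy primes, the public exponent, the message value and the 32-bit randomizer width are assumptions chosen for illustration; the check at the end also shows that an offset which is not a multiple of λ(N) changes the signature.

```python
# Added example, not part of the patent text: RSA signature generation and
# verification (FIG. 6), exponent randomization with a multiple of lambda(N),
# and Garner's CRT form with both half exponents randomized. The toy primes,
# the public exponent, the message value and the 32-bit randomizer width are
# assumptions chosen for illustration; real keys are 2048 bits or more.
import secrets
from math import gcd

# Constructed toy key (far too small for real use).
p, q = 61, 53
N = p * q                               # 3233
e = 17
phi_N = (p - 1) * (q - 1)               # Euler's phi(N): 3120
lambda_N = phi_N // gcd(p - 1, q - 1)   # Carmichael's lambda(N) = lcm(p-1, q-1): 780
d = pow(e, -1, lambda_N)                # private exponent with d*e = 1 mod lambda(N)


def sign(m: int, d: int, N: int) -> int:
    """Signature generation (block 60 of FIG. 6): s = m^d mod N."""
    return pow(m, d, N)


def verify(s: int, e: int, N: int) -> int:
    """Verification with message recovery (block 62 of FIG. 6): m' = s^e mod N."""
    return pow(s, e, N)


def randomized_exponent(d: int, period: int, bits: int = 32) -> int:
    """Return d' = d + r*period for a fresh random r.

    With period = lambda(N) (or any multiple of it), m^(d + r*lambda(N)) = m^d
    mod N for every message m, because N = p*q is squarefree; the bit pattern
    of the exponent, which is what a DPA traces, differs in every call.
    r is forced odd so that d' is never d itself.
    """
    r = secrets.randbits(bits) | 1
    return d + r * period


def sign_randomized(m: int, d: int, lam: int, N: int) -> int:
    """Signature with randomized exponent; same value as sign()."""
    return pow(m, randomized_exponent(d, lam), N)


def sign_crt_randomized(m: int, d: int, p: int, q: int) -> int:
    """Garner's CRT form of the signature with both half exponents randomized.

    dp = d mod (p-1) and dq = d mod (q-1) are each half the length of d and are
    randomized with their own periods lambda(p) = p-1 and lambda(q) = q-1,
    which must therefore be available.
    """
    dp = d % (p - 1)
    dq = d % (q - 1)
    sp = pow(m % p, randomized_exponent(dp, p - 1), p)
    sq = pow(m % q, randomized_exponent(dq, q - 1), q)
    q_inv = pow(q, -1, p)               # CRT coefficient, precomputable
    h = (q_inv * (sp - sq)) % p         # Garner's recombination step
    return sq + h * q                   # result already lies in [0, N)


def is_valid_randomization(d_prime: int, d: int, N: int) -> bool:
    """True if exponent d_prime produces the same signature as d for every m.

    Shows that the randomized exponent cannot be arbitrary: an offset that is
    not a multiple of lambda(N) changes the signature.
    """
    return all(pow(m, d_prime, N) == pow(m, d, N) for m in range(N))


if __name__ == "__main__":
    m = 65                              # constructed message, must be < N
    s = sign(m, d, N)
    assert verify(s, e, N) == m
    assert sign_randomized(m, d, lambda_N, N) == s
    assert sign_crt_randomized(m, d, p, q) == s
    assert is_valid_randomization(d + 7 * lambda_N, d, N)
    assert not is_valid_randomization(d + 7 * lambda_N + 1, d, N)
    print("s =", s, "- plain, randomized and CRT signatures agree")
```

Note that in the CRT variant each half exponent is randomized with its own period p−1 or q−1, exactly the two Carmichael values the text says must be computed separately; the recombination step is unchanged by the randomization because the two partial results sp and sq are the same as without it.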
Regardless of whether the RSA algorithm is used with or without the Chinese remainder theorem, omitting randomization of the exponents is undesirable, since this may give rise to a security problem. For this reason, it has been proposed to randomize the exponents using Euler's phi function phi(N). Randomization using Euler's phi function, however, requires knowledge of phi(N). Normally phi(N) is not given and thus has to be calculated separately when this randomization method is to be employed.
An alternative procedure uses the Carmichael function λ(N), which is numerically smaller, instead of Euler's phi function. Since phi(N) = λ(N)·gcd(p−1, q−1), the randomized exponent becomes shorter at equal security (by log2 gcd(p−1, q−1) bits, at least one bit because p−1 and q−1 are both even), so that computation time advantages arise compared with the use of Euler's phi function. The disadvantage of this method is again that λ(N) is required: the Carmichael function λ(N) has to be calculated separately and is not available a priori.
A further alternative randomization consists in splitting the exponent into two exponents, e.g. d = d1 + d2 with a random d1, and multiplying the two partial results m^d1 and m^d2. This has the advantage that no additional information such as phi(N) or λ(N) is required. A disadvantage, however, is that the calculation takes roughly double the time of the other alternatives described, which use Euler's phi function or the Carmichael λ function, since two full-length exponentiations are performed.
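An added example, not from the patent, that compares the cost of the three randomization variants described above (a multiple of phi(N), a multiple of λ(N), and exponent splitting) on the same constructed toy key by counting the squarings and multiplications of a textbook left-to-right square-and-multiply. The toy key, message and randomizer values are assumptions chosen for illustration, and the operation counter is a helper written for this example, not an implementation from the patent.

```python
# Added example, not part of the patent text: operation counts of the three
# exponent randomization variants described above (Euler's phi, Carmichael's
# lambda, exponent splitting) on the same constructed toy key, measured with a
# textbook left-to-right square-and-multiply. The toy key, message and
# randomizer values are assumptions chosen for illustration.
import secrets
from math import gcd
from typing import Optional, Tuple

# Constructed toy key (far too small for real use).
p, q = 61, 53
N = p * q                               # 3233
e = 17
phi_N = (p - 1) * (q - 1)               # 3120
lambda_N = phi_N // gcd(p - 1, q - 1)   # 780; phi(N) = lambda(N) * gcd(p-1, q-1)
d = pow(e, -1, lambda_N)


def square_and_multiply(m: int, exp: int, N: int) -> Tuple[int, int, int]:
    """Left-to-right binary exponentiation.

    Returns (m^exp mod N, squarings, multiplications). The counts follow the
    bit length and Hamming weight of exp, which is what the randomization
    hides from a DPA and what determines the running time.
    """
    result, squarings, multiplications = 1, 0, 0
    for bit in bin(exp)[2:]:
        result = result * result % N
        squarings += 1
        if bit == "1":
            result = result * m % N
            multiplications += 1
    return result, squarings, multiplications


def randomized_exponent_bits(d: int, period: int, r: int) -> int:
    """Bit length of d' = d + r*period; for the same r, lambda(N) saves
    log2(gcd(p-1, q-1)) bits over phi(N)."""
    return (d + r * period).bit_length()


def cost_plain(m: int, d: int, N: int) -> Tuple[int, int]:
    """Unrandomized signature: (s, total operations)."""
    s, sq, mul = square_and_multiply(m, d, N)
    return s, sq + mul


def cost_randomized(m: int, d: int, period: int, N: int, r: int) -> Tuple[int, int]:
    """Signature with d' = d + r*period, where period is phi(N) or lambda(N)."""
    s, sq, mul = square_and_multiply(m, d + r * period, N)
    return s, sq + mul


def cost_split(m: int, d: int, N: int, d1: Optional[int] = None) -> Tuple[int, int]:
    """Additive exponent splitting: s = m^d1 * m^d2 mod N with d1 + d2 = d.

    Needs neither phi(N) nor lambda(N), but pays for two exponentiations and
    a final multiplication instead of one exponentiation.
    """
    if d1 is None:
        d1 = secrets.randbelow(d)       # fresh split for every signature
    d2 = d - d1
    s1, sq1, mul1 = square_and_multiply(m, d1, N)
    s2, sq2, mul2 = square_and_multiply(m, d2, N)
    return s1 * s2 % N, sq1 + sq2 + mul1 + mul2 + 1


if __name__ == "__main__":
    m, r = 65, secrets.randbits(32)     # constructed message and randomizer
    reference = pow(m, d, N)
    for name, (s, ops) in (
        ("plain, no randomization", cost_plain(m, d, N)),
        ("d + r*phi(N)", cost_randomized(m, d, phi_N, N, r)),
        ("d + r*lambda(N)", cost_randomized(m, d, lambda_N, N, r)),
        ("split d = d1 + d2", cost_split(m, d, N)),
    ):
        assert s == reference
        print(f"{name:26s} {ops:4d} operations")
    print("exponent bits with phi / lambda:",
          randomized_exponent_bits(d, phi_N, r), randomized_exponent_bits(d, lambda_N, r))
```

All four variants return the same signature; only the operation counts differ. The randomized exponents are longer than d by the bit length of r·phi(N) or r·λ(N), the λ variant being shorter by log2 gcd(p−1, q−1) bits (two bits for this toy key, where gcd(60, 52) = 4), while the split variant performs two exponentiations whose lengths add up to roughly twice that of d.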