1. Field of the Invention
The invention relates in general to the technical domain of cryptography and more particularly to a technique for modular inversion provided for cryptographic purposes. The invention is provided in particular for use in portable data carriers, which can be configured e.g. as smart cards in various constructional forms or as chip modules.
2. Description of the Related Art
In the domain of cryptography methods for modular inversion are employed, for example, in generating a pair of keys for the RSA encoding or signature method described in U.S. Pat. No. 4,405,829. The RSA method uses a public key (e, m) and a secret private key d, wherein the value m is the product of two large prime numbers p and q. To calculate the key pair, firstly the values p, q and e are established. The private key d is then calculated as the modular inverse of e in relation to the module (p−1)(q−1). This means that the number d fulfils the equation 1=ed mod (p−1)(q−1). In the calculation the private key d and the module (p−1)(q−1) must remain secret.
In general for two given whole numbers a and n the modular inverse of a in relation to the module n is defined as the number b to which 0≦b<n and 1=ab mod n applies. A number b of this kind exists if a and n are relatively prime. Algorithms for calculating the modular inverse of a given value a in relation to a given module n are known per se. For example, the extended Euclidian algorithm is described on pages 325 to 327 of the book by Donald E. Knuth, “The Art of Computer Programming”, Vol. 2, second edition, Addison-Wesley, 1981. A modification of the extended Euclidian algorithm particularly advantageous in connection with binary numbers is Stein's method, described on pages 321 to 324 of said book in connection with exercise 35 on page 339 and the solution to it on page 606.
In the two methods mentioned there is the problem, however, that in direct implementation of the algorithm as a program the processed program code and therefore also physical parameters such as running time or power consumption depend to a large extent on the input data. Therefore, by analysis of the power consumption curve, the program running time or other measured values conclusions can be drawn as to the input values a and n. Examples of these and other opportunities for attack in connection with portable data carriers are described in section 8.2.4.1 (pages 482 to 499) of the book “Handbuch der Chipkarten” by W. Rankl and W. Effing, third edition, Hanser, 1999. Presumably corresponding opportunities for attack are also possible in other methods for modular inversion than those described above as examples.
If at least one of the input values a or n has to be kept secret, opportunities for attack like those mentioned above pose a security risk. For instance, in the already described example of generating key pairs for the RSA method there is a danger that during calculation of the modular inversion of e in relation to the module (p−1)(q−1) an attacker will spy out either the module (p−1)(q−1) to be kept secret or directly the result of the calculation, namely the private key d.
Said security problems are particularly critical if the method for modular inversion is executed by a processor of a portable data carrier, a smart card, for example, or a chip module. A first reason for this is that portable data carriers of this kind are often used for applications where security is critical, e.g. in connection with financial transactions, access control or the signature of legally binding documents. Secondly, portable data carriers are typically in the possession of the attacker while the method is being executed, so the attacker has all the access and analysis opportunities for spying out the values to be kept secret.