Abstract: A public-key encryption system. Encryption of a k-bit plaintext m is performed by picking a random generating ciphertext and outputting the ciphertext. N is a non-prime integer (preferably the product of two primes p and q), y is an element in multiplicative group of integers modulo N, and k is an integer larger than 1, Decryption of ciphertext c using private key is performed by recovering such that holds and outputting plaintext m, wherein denotes the 2k-th power residue symbol modulo p, which is defined. Also provided are an encryption device and a decryption device. The encryption scheme provides better bandwidth than the Goldwasser-Micali encryption scheme.

Abstract: Means for checking the correctness of a cryptographic operation on an elliptic curve E(Z/pZ), including fault-resistant computation of Q=kP on elliptic curve E(Z/pZ). Elliptic curve E^(Z/pr2Z)?E(Z/pZ)×E(Z/r2Z) is given by Chinese remaindering and where r is an integer. A point P^=CRT(P (mod p), R (mod r2)) is formed in E^(Z/pr2Z); P^ reduces to P in E(Z/pZ), and to R in E1(Z/r2Z). Q^=kP^ in E^(Z/pr2Z) is computed (130). It is then verified whether Q^?kR (mod r2) in E1(Z/r2Z), and if so, Q=Q^ mod p is output, whereas “error” is returned if this is not the case. Also provided are an apparatus and a computer program product.

Abstract: A method for performing a m-ary right-to-left exponentiation using a base x, a secret exponent d and a modulus N, wherein m is a power of 2.

Abstract: A modular exponentiation comprising iterative modular multiplications steps and taking as input a first modulus N, a secret exponent d and a base x. During at least one modular multiplication step aiming at computing a result c from two values a, b and the first modulus N so that c=a·b mod N, a processor takes as input the two values a, b and the first modulus N from which are obtained two operands a?, b? and a second modulus N? using operations with at most linear complexity—at least one of the two operands a?, b? is different from the two values a, b, and the two operands a?, b? are different when a is equal to b—so that the modular multiplication c=a·b mod N from a side-channel viewpoint behaves like a modular squaring except for when a? equals b?.

Abstract: The invention relates to a cryptographic method involving an integer division of type q=a div b and r=a mod b, wherein a is a number of m bits, b is a number of n bits, with n being less than or equal to m, and bn?1 being non-null and the most significant bit of b. In addition, each iteration of a loop subscripted by i, which varies between 1 and m?n+1, involves a partial division of a word A of n bits of number a by number b in order to obtain one bit of quotient q. According to the invention, the same operations are performed with each iteration, regardless of the value of the quotient bit obtained. In different embodiments of the invention, one of the following is also performed with each iteration: the addition and subtraction of number b to/from word A; the addition of number b or a complementary number /b of b to word A; or a complement operation at 2n of an updated datum (b or /b) or a dummy datum (c or /c) followed by the addition of the datum updated with word A.

Abstract: A method of generating a signature ? for a message m, the method enabling online/offline signatures. Two random primes p and q are generated, with N=pq; two random quadratic residues g and x are chosen in Z*N, and, for an integer z, h=g?z mod N is calculated. This gives the public key {g, h, x, N} and the private key {p, q, z}. Then, an integer t and a prime e are chosen. The offline signature part y may then be calculated as y=(xg?t)1/eb mod N where b is an integer bigger than 0, predetermined in the signature scheme. The online part k of the signature on message m is then calculated as k=t+mz and the signature ? on message m is generated as ?=(k, y, e) and returned. To verify the signature, it is checked that 1) e is an odd IE-bit integer, 2) k is an IK-bit integer, and 3) yebgkhm?x(mod N). An advantage of the method is that it may be performed without hashing. Also provided are a signing device, a verification device, and computer program supports.

Abstract: Method and device for generating factors of a RSA modulus N with a predetermined portion Nh, the RSA modulus comprising at least two factors. A first prime p is generated; a value Nh that forms a part of modulus N is obtained; a second prime q is generated in an interval dependent from p and Nh so that pq is a RSA modulus that shares Nh; and information enabling the calculation of the modulus/V is outputted.

Abstract: An exponentiation method resistant against skipping attacks. A main idea of the present invention is to evaluate, in parallel with the exponentiation such as y=gd, a value based on the exponent, e.g. f=d·1. These evaluations are performed using the same exponentiation algorithm by “gluing” together the group operations underlying the computation of y and f so that a perturbation to one operation also perturbs the other. This makes it possible to verify that f indeed equals d before returning the result. Also provided are an apparatus and a computer program product.

Abstract: At CRYPTO 2003, Rubin and Silverberg introduced the concept of torus-based cryptography over a finite field. The present invention extends their setting to the ring of integers modulo N, thus obtaining compact representations for cryptographic systems that base their security on the discrete logarithm problem and the factoring problem. This can result in small key sizes and substantial savings in memory and bandwidth. However, unlike the case of finite field, analogous trace-based compression methods cannot be adapted to accommodate the extended setting of the invention when the underlying systems require more than a mere exponentiation. The invention finds particular application in a torus-based implementation of the ACJT group signature scheme. Also provided is a processor.

Abstract: A method for generating a compressed RSA modulus, allowing up to two thirds of the bits of a modulus N to be fixed. N has a predetermined portion NH, which comprises two parts Nh and Nm. A candidate RSA modulus that shares the Nh part is generated, and the candidate is then modified using Euclidian-type computations until it shares both Nh and Nm. Also provided is an apparatus for calculating compressed RSA moduli according to the method and a computer program product.

Abstract: An exponentiation method resistant against side-channel attacks and safe-error attacks. Input to the method is g in a multiplicatively written group G and a /-digit exponent d with a radix m>1 and output is z=(d?1) is expressed as a series of (/?1) non-zero digits, d*0 . . . d*1-2, in the set {m?1, . . . , 2m?2} and an extra digit d*I-1 that is equal to dI-1?1, where dI-1 represents the most significant radix-m digit of d, and gd-1 is evaluated through a m-ary exponentiation algorithm on input g and (d?1) represented by d*0 . . . d*I-1. Also provided are an apparatus and a computer program product.

Abstract: A cryptographic operation includes calculating a multiplication of an element of an additively denoted group by a scalar. After two registers R0+R1, are initialized, iterations are carried out over the components Ki of the scalar K. If Ki of the scalar equals 0, then the value in register R1 is replaced by 2(R0+R1) If Ki equals 1, the value in register R0 is replaced by 2(R0+R1). At the end of the algorithm, the value of the register R0 is returned as the calculated result. This method poses the advantage of carrying out a calculation of multiplying by a scalar by carrying out only doubling and adding operations of the type 2(A+B).

Abstract: A method of generating a signature ? for a message m, the method enabling online/offline signatures. Two random primes p and q are generated, with N=pq; two random quadratic residues g and x are chosen in Z*N, and, for an integer z, h=g?z mod N is calculated. This gives the public key {g, h, x, N} and the private key {p, q, z}. Then, an integer t and a prime e are chosen. The offline signature part y may then be calculated as y=(xg?t)1/eb mod N where b is an integer bigger than 0, predetermined in the signature scheme. The online part k of the signature on message m is then calculated as k=t+mz and the signature ? on message m is generated as ?=(k, y, e) and returned. To verify the signature, it is checked that 1) e is an odd IE-bit integer, 2) k is an IK-bit integer, and 3) yebgkhm?x(mod N). An advantage of the method is that it may be performed without hashing. Also provided are a signing device, a verification device, and computer program supports.

Abstract: A method for distributing content in a content distribution system is disclosed which comprises the steps of: encrypting at a Content Packager a content using a content encryption key to generate an encrypted content; sending the content encryption key to a Licensing Authority; receiving from the Licensing Authority a distribution key containing an encryption of the content decryption key (Kc) for a given set of authorized devices; creating a secure link between the content encryption key (Kc) and the content protected by this content encryption key using a signature of the content; and distributing the encrypted content together with the signature of the content. A method for receiving content distributed according to the above-mentioned method in a device able to play back the content is also disclosed where the content signature is checked before any play back of the content.

Abstract: A method for the secure application of a cryptographic algorithm of the RSA type in an electronic component obtains the value of a public exponent e from a given set of probable values, without a priori knowledge of that value. Having determined the value for the public exponent e, the application of countermeasures using the value of e, to block error attacks and side channel attacks, particularly of the DPA and SPA type, are carried out on the application of a private operation of the cryptographic algorithm.

Abstract: A device and a method for calculating a multiple of a point on an elliptic curve from the right to the left by repeated point doubling and point addition. Each point doubling is evaluated with an extended set of coordinates and each point addition is evaluated by taking as input a restricted set of the extended set of coordinates. The at least one coordinate of the extended set that is not part of the restricted set is stored in a memory between each iteration of the point doubling. This can enable speeding up the calculations as compared to prior art solutions. Also provided is a computer program product.

Abstract: Means for checking the correctness of a cryptographic operation on an elliptic curve E(Z/pZ), including fault-resistant computation of Q=kP on elliptic curve E(Z/pZ). Elliptic curve E?(Z/pr2Z)?E(Z/pZ)×E(Z/r2Z) is given by Chinese remaindering and where r is an integer. A point P?=CRT(P (mod p), R (mod r2)) is formed in E?(Z/pr2Z); P? reduces to P in E(Z/pZ), and to R in E1(Z/r2Z). Q?=kP? in E?(Z/pr2Z) is computed (130). It is then verified whether Q??kR (mod r2) in E1(Z/r2Z), and if so, Q=Q? mod p is output, whereas “error” is returned if this is not the case. Also provided are an apparatus and a computer program product.

Abstract: The public exponent e of an RSA key is embedded in a RSA key object that lacks this exponent. During exponentiation, the public exponent e may be extracted and used to verify that the result of the exponentiation is correct. The result is output only if this is the case. The invention counters fault-attacks. Also provided are an apparatus and a computer program product.

Abstract: Hashing onto elements of a group, in particular onto points of an elliptic curve. An input message is run through a “regular” hashing algorithm, such as e.g. SHA-1 and MD5, and used as a scalar in multiplication with an element of the group. The result is necessarily also an element of the group. An advantage is that the security of the hashing algorithm is the same as that of the underlying “regular” hashing algorithm. Also provided is a device.

Abstract: The invention relates to a cryptographic method secured against a covert channel attack. According to the invention, in order to carry out a selected block of instructions as a function of an input variable amongst N predefined instruction blocks, a common block is carried out on the predefined N instruction blocks, a predefined number of times, the predefined number being associated with the selected instruction block.