Leak-resistant cryptographic method and apparatus

专利摘要:
The present invention provides a method and apparatus for securing cryptographic devices against attacks involving external monitoring and analysis. A “self-healing” property is introduced, enabling security to be continually re-established following partial compromises. In addition to producing useful cryptographic results, a typical leak-resistant cryptographic operation modifies or updates secret key material in a manner designed to render useless any information about the secrets that may have previously leaked from the system. Exemplary leak-proof and leak-resistant implementations of the invention are shown for symmetric authentication, certified Diffie-Hellman (when either one or both users have certificates), RSA, ElGamal public key decryption, ElGamal digital signing, and the Digital Signature Algorithm.
公开号:US20010002486A1
申请号:US09/737,182
申请日:2000-12-13
公开日:2001-05-31
发明作者:Paul Kocher；Joshua Jaffe
申请人:Cryptography Research Inc；
IPC主号:H04L9-3247

专利说明:
[0001] This application claims the benefit of U.S. Provisional application Ser. No. 60/070,344 filed Jan. 2, 1998, and U.S. Provisional application Ser. No. 60/089,529 filed June 15, 1998. [0001] FIELD OF THE INVENTION
[0002] The method and apparatus of the present invention relate generally to cryptographic systems and, more specifically, to securing cryptographic tokens that must maintain the security of secret information in hostile environments. [0002] BACKGROUND OF THE INVENTION
[0003] Most cryptosystems require secure key management. In public-key based security systems, private keys must be protected so that attackers cannot use the keys to forge digital signatures, modify data, or decrypt sensitive information. Systems employing symmetric cryptography similarly require that keys be kept secret. Well-designed cryptographic algorithms and protocols should prevent attackers who eavesdrop on communications from breaking systems. However, cryptographic algorithms and protocols traditionally require that tamper-resistant hardware or other implementation-specific measures prevent attackers from accessing or finding the keys. [0003]
[0004] If the cryptosystem designer can safely assume that the key management system is completely tamper-proof and will not reveal any information relating to the keys except via the messages and operations defined in the protocol, then previously known cryptographic techniques are often sufficient for good security. It is currently extremely difficult, however, to make hardware key management systems that provide good security, particularly in low-cost unshielded cryptographic devices for use in applications where attackers will have physical control over the device. For example, cryptographic tokens (such as smartcards used in electronic cash and copy protection schemes) must protect their keys even in potentially hostile environments. (A token is a device that contains or manipulates cryptographic keys that need to be protected from attackers. Forms in which tokens may be manufactured include, without limitation, smartcards, specialized encryption and key management devices, secure telephones, secure picture phones, secure web servers, consumer electronics devices using cryptography, secure microprocessors, and other tamper-resistant cryptographic systems.) [0004]
[0005] A variety of physical techniques for protecting cryptographic devices are known, including enclosing key management systems in physically durable enclosures, coating integrated circuits with special coatings that destroy the chip when removed, and wrapping devices with fine wires that detect tampering. However, these approaches are expensive, difficult to use in single-chip solutions (such as smartcards), and difficult to evaluate since there is no mathematical basis for their security. Physical tamper resistance techniques are also ineffective against some attacks. For example, recent work by Cryptography Research has shown that attackers can non-invasively extract secret keys using careful measurement and analysis of many devices' power consumption. Analysis of timing measurements or electromagnetic radiation can also be used to find secret keys. [0005]
[0006] Some techniques for hindering external monitoring of cryptographic secrets are known, such as using power supplies with large capacitors to mask fluctuations in power consumption, enclosing devices in well-shielded cases to prevent electromagnetic radiation, message blinding to prevent timing attacks, and buffering of inputs/outputs to prevent signals from leaking out on I/O lines. Shielding, introduction of noise, and other such countermeasures are often, however, of limited value, since skilled attackers can still find keys by amplifying signals and filtering out noise by averaging data collected from many operations. Further, in smartcards and other tamper-resistant chips, these countermeasures are often inapplicable or insufficient due to reliance on external power sources, impracticality of shielding, and other physical constraints. The use of blinding and constant-time mathematical algorithms to prevent timing attacks is also known, but does not prevent more complex attacks such as power consumption analysis (particularly if the system designer cannot perfectly predict what information will be available to an attacker, as is often the case before a device has been physically manufactured and characterized). [0006]
[0007] The present invention makes use of previously-known cryptographic primitives and operations. For example: U.S. Pat. 5,136,646 to Haber et al. and the pseudorandom number generator used in the RSAREF cryptographic library use repeated application of hash functions; anonymous digital cash schemes use blinding techniques; zero knowledge protocols use hash functions to mask information; and key splitting and threshold schemes store secrets in multiple parts. [0007] SUMMARY OF THE INVETION
[0008] The present invention introduces leak-proof and leak-resistant cryptography, mathematical approaches to tamper resistance that support many existing cryptographic primitives, are inexpensive, can be implemented on existing hardware (whether by itself or via software capable of running on such hardware), and can solve problems involving secrets leaking out of cryptographic devices. Rather than assuming that physical devices will provide perfect security, leak-proof and leak-resistant cryptographic systems may be designed to remain secure even if attackers are able to gather some information about the system and its secrets. This invention describes leak-proof and leak-resistant systems that implement symmetric authentication, Diffie-Hellman exponential key agreement, ElGamal public key encryption, ElGamal signatures, the Digital Signature Standard, RSA, and other algorithms. [0008]
[0009] One of the characteristic attributes of a typical leak-proof or leak-resistant cryptosystem is that it is “self-healing” such that the value of information leaked to an attacker decreases or vanishes with time. Leak-proof cryptosystems are able to withstand leaks of up to L[0009] _MAX bits of information per transaction, where L_MAX is a security factor chosen by the system designer to exceed to the maximum anticipated leak rate. The more general class of leak-resistant cryptosystems includes leak-proof cryptosystems, and others that can withstand leaks but are not necessarily defined to withstand any defined maximum information leakage rate. Therefore, any leak-proof system shall also be understood to be leak-resistant. The leak-resistant systems of the present invention can survive a variety of monitoring and eavesdropping attacks that would break traditional (non-leak-resistant) cryptosystems.
[0010] A typical leak-resistant cryptosystem of the present invention consists of three general parts. The initialization or key generation step produces secure keying material appropriate for the scheme. The update process cryptographically modifies the secret key material in a manner designed to render useless any information about the secrets that may have previously leaked from the system, thus providing security advantages over systems of the background art. The final process performs cryptographic operations, such as producing digital signatures or decrypting messages. [0010] BRIEF DESCRIPTION OF THE DRAWINGS
[0011] FIG. 1 shows an exemplary leak-resistant symmetric authentication method. [0011]
[0012] FIG. 2 shows an exemplary leak-resistant Diffie-Hellman exponential key exchange operation. [0012]
[0013] FIG. 3 shows an exemplary leak-resistant RSA private key operation. [0013]
[0014] FIG. 4 shows an exemplary leak-resistant ElGamal signing operation. [0014] DETAILED DESCRIPTION OF THE INVENTION
[0015] The sections following will describe an introduction to leak-proof/leak-resistant cryptography, followed by various embodiments of the general techniques of the invention as applied to improve the security of common cryptographic protocols. [0015]
[0016] I. Introduction and Terminology [0016]
[0017] The leakage rate L is defined as the number of bits of useful information about a cryptosystem's secrets that are revealed per operation, where an operation is a cryptographic transaction. Although an attacker may be able to collect more than L bits worth of measurement data, by definition this data yields no more than L bits of useful information about the system's secrets. [0017]
[0018] The implementer of a leak-proof system chooses a design parameter L[0018] _MAX, the maximum amount of leakage per operation the system may allow if it is to remain uncompromised. L_MAX should be chosen conservatively, and normally should significantly exceed the amount of useful information known to be leaked to attackers about the system's secrets during each transaction. Designers do not necessarily need to know accurately or completely the quantity and type of information that may leak from their systems; the choice of L_MAX may be made using estimates and models for the system's behavior. General factors affecting the choice of L_MAX include the types of monitoring potentially available to attackers, the amount of error in attacker3 measurements, and engineering constraints that limit L_MAX. (Larger values of L_MAX increase memory and performance requirements of the device, and in some cases may increase L.) To estimate the amount of useful information an attacker could collect by monitoring a device's power consumption, for example, a designer might consider the amount of noise in the device's power usage, the power line capacitance, the useful time resolution for power consumption measurements, as well as the strength of the signals being monitored. Similarly, the designer knows that timing measurements can rarely yield more than a few bits of information per operation, since timing information is normally quantized to an integral number of clock cycles. In choosing L_MAX, the designer should assume that attackers will be able to combine information gleaned from multiple types of attacks. If the leakage rate is too large (as in the extreme case where L equals the key size because the entire key can be extracted during a single transaction), additional design features should be added to reduce L and reduce the value needed for L_MAX. Such additional measures can include known methods, such as filtering the device's power inputs, adding shielding, introducing noise into the timing or power consumption, implementing constant-time and constant execution path algorithms, and changing the device layout. Again, note that the designer of a leak-resistant system does not actually need to know what information is being revealed or how it is leaked; all he or she need do is choose an upper bound for the rate at which attackers might learn information about the keys. In contrast, the designer of a traditional system faces the much harder task of ensuring that no information about the secrets will leak out.
[0019] There are many ways information about secrets can leak from cryptosystems. For example, an attacker can use a high-speed analog-to-digital converter to record a smartcard's power consumption during a cryptographic operation. The amount of useful information that can be gained from such a measurement varies, but it would be fairly typical to gain enough information to guess each of 128 key bits correctly with a probability of 0.7. This information can reduce the amount of effort required for a brute force attack. For example, a brute force attack with one message against a key containing k bits where each bit's value is known with probability p can be completed in [0019] E  ( k , p ) = ∑ i = 0 k     [(k i)  ( 1 - p ) i  p k - i  [ ( ∑ j = 0 i     (k j) ) - 1 2  (k i)]+ 1 2 ]
[0020] operations. The reduction in the effort for a brute force attack is equivalent to shortening the key by L=log[0020] ₂(E(k,{fraction (1/2)})/E(k,p))=log₂(k−E(k,p)−1) bits. (For example, in the case of k=128 and p=0.7, L is estimated to be about 11 bits for the first measurement. With a multiple message attack, the attacker's effort can fall to as low as E  ( k , p ) = 1 p k . )
[0021] Attackers can gain additional information about the keys by measuring additional operations; unless leak-resistance is used, finding the key becomes easy after just a few dozen operations. [0021]
[0022] When choosing L[0022] _MAX, a system designer should consider the signal-to-noise ratio of an attacker's measurements. For example, if the signal and noise are of roughly equivalent magnitude, the designer knows that an attacker's measurements should be incorrect about 25 percent of the time (e.g., p=0.75 if only one observation per key bit is possible). Many measurement techniques, such as those involving timing, may have signal-to-noise ratios of 1:100 or worse. With such systems, L is generally quite small, but attackers who can make a large number of measurements can use averaging or other statistical techniques to recover the entire key. In extreme cases, attackers may be able to obtain all key bits with virtually perfect accuracy from a single transaction (i.e., L=k), necessitating the addition of shielding, noise in the power consumption (or elsewhere), and other measures to reduce p and L. Of course, L_MAX should be chosen conservatively; in the example above where less than 4 useful bits are obtained per operation for the given attack, the designer might select L_MAX =64 for a leak-proof design.
[0023] Leak-proof (and, more generally, leak-resistant) cryptosystems provide system designers with important advantages. When designing a traditional (i.e., non-leak-resistant and non-leak-proof) cryptosystem, a careful cryptosystem designer should study all possible information available to attackers if he or she is to ensure that no analytical techniques could be used to compromise the keys. In practice, many insecure systems are developed and deployed because such analysis is incomplete, too difficult even to attempt, or because the cryptographers working on the system do not understand or cannot completely control the physical characteristics of the device they are designing. Unexpected manufacturing defects or process changes, alterations made to the product by attackers, or modifications made to the product in the field can also introduce problems. Even a system designed and analyzed with great care can be broken if new or improved data collection and analysis techniques are found later. In contrast, with leak-proof cryptography, the system designer only needs to define an upper bound on the maximum rate at which attackers can extract information about the keys. A detailed understanding of the information available to attackers is not required, since leak-proof (and leak-resistant) cryptosystem designs allow for secret information in the device to leak out in (virtually) any way, yet remain secure despite this because leaked information is only of momentary value. [0023]
[0024] In a typical leak-proof design, with each new cryptographic operation i, the attacker is assumed to be able to choose any function F[0024] _i and determine the L_MAX-bit result of computing F_i on the device's secrets, inputs, intermediates, and outputs over the course of the operation. The attacker is even allowed to choose a new function F_i with each new operation. The system may be considered leak-proof with a security factor n and leak rate L_MAX if, after observing a large number of operations, an attacker cannot forge signatures, decrypt data, or perform other sensitive operations without performing an exhaustive search to find an n-bit key or performing a comparable O(2ⁿ) operation. In addition to choosing L_MAX, designers also choose n, and should select a value large enough to make exhaustive search infeasible. In the sections that follow, various embodiments of the invention, as applied to improve the security of common cryptographic operations and protocols, will be described in more detail.
[0025] II. Symmetric Cryptographic Protocols [0025]
[0026] A. Symmetric Authentication [0026]
[0027] An exemplary cryptographic protocol that can be secured using the techniques of the present invention is symmetric authentication. [0027]
[0028] 1. Conventional Symmetric Authentication [0028]
[0029] Assume a user wishes to authenticate herself to a server using an n-bit secret key, K, known to both the server and the user's cryptographic token, but not known to attackers. The cryptographic token should be able to resist tampering to prevent, for example, attackers from being able to extract secrets from a stolen token. If the user's token has perfect tamper resistance (i.e., L=0), authentication protocols of the background art can be used. Typically the server sends a unique, unpredictable challenge value R to the user's token, which computes the value A=H(R||K), where “|” denotes concatenation and H is a one-way cryptographic hash function such as SHA. The user sends A to the server, which independently computes A (using its copy of K) and compares its result with the received value. The user authentication succeeds only if the comparison operation indicates a match. [0029]
[0030] If the function H is secure and if K is sufficiently large to prevent brute force attacks, attackers should not be able to obtain any useful information from the (R,A) values of old authentication sessions. To ensure that attackers cannot impersonate users by replaying old values of A, the server generates values of R that are effectively (with sufficiently high probability) unique. In most cases, the server should also make R unpredictable to ensure that an attacker with temporary possession of a token cannot compute future values of A. For example, R might be a 128-bit number produced using a secure random number generator (or pseudorandom number generator) in the server. The properties of cryptographic hash functions such as H have been the subject of considerable discussion in the literature, and need not be described in detail here. Hash functions typically provide functionality modeled after a random oracle, deterministically producing a particular output from any input. Ideally, such functions should be collision-resistant, non-invertable, should not leak partial information about the input from the output, and should not leak information about the output unless the entire input is known. Hash functions can have any output size. For example, MD5 produces 128-bit outputs and SHA produces 160-bit outputs. Hash functions may be constructed from other cryptographic primitives or other hash functions. [0030]
[0031] While the cryptographic security of the protocol using technology of the background art may be good, it is not leak-proof; even a one-bit leak function (with L=1) can reveal the key. For example, if the leak function F equals bit (R mod n) of K, an attacker can break the system quickly since a new key bit is revealed with every transaction where (R mod n) has a new value. Therefore, there is a need for a leak-proof/leak-resistant symmetric authentication protocol. [0031]
[0032] 2. Leak-Resistant Symmetric Authentication [0032]
[0033] The following is one embodiment of a leak-resistant (and, in fact, also leak-proof) symmetric authentication protocol, described in the context of a maximum leakage rate of L[0033] _MAX bits per transaction from the token and a security factor n, meaning that attacks of complexity O(2ⁿ), such as brute-force attacks against an n-bit key, are acceptable, but there should not be significantly easier attacks. The user's token maintains a counter t, which is initialized to zero, and an (n+2L_MAX)-bit shared secret K_t, which is initialized with a secret K₀. Note that against adversaries performing precomputation attacks based on Hellman's time/memory trade-off, larger values of n may be in order. Note also that some useful protocol security features, such as user and/or server identifiers in the hash operation inputs, have been omitted for simplicity in the protocol description. It is also assumed that no leaking will occur from the server. For simplicity in the protocol description, some possible security features (such as user and/or server identifiers in the hash operation inputs) have been omitted, and it is assumed that the server is in a physically secure environment. However, those skilled in the art will appreciate that the invention is not limited to such assumptions, which have been made as a matter of convenience rather than necessity.
[0034] As in the traditional protocol, the server begins the authentication process by generating a unique and unpredictable value R at step 105. For example, R might be a 128-bit output from a secure random number generator. At step 110, the server sends R to the user's token. At step 112, the token receives R. At step 115, the token increments its counter t by computing t ←t+1. At step 120, the token updates K[0034] _t by computing K_t ←H_K(t ||K_t), where H_K is a cryptographic hash finction that produces an (n+2L_MAX) bit output from the old value of K_t and the (newly incremented) value of t. Note that in the replacement operations (denoted “←”), the token deletes the old values of t and K_t, replacing them with the new values. By deleting the old K_t, the token ensures that future leak functions cannot reveal information about the old (deleted) value. At step 122, the token uses the new values of t and K_t to compute an authenticator A=H_A(K_t||t||R). At step 125, the token sends both t and the authenticator A to the server, which receives them at step 130. At step 135, the server verifies that t is acceptable (e.g., not too large but larger than the value received in the last successful authentication). If t is invalid, the server proceeds to step 175. Otherwise, at step 140, the server initializes its loop counter i to zero and its key register K_t′ to K₀. At step 145, the server compares i with the received value of t, proceeding to step 160 if they are equal. Otherwise, at step 150, the server increments i by computing i←i+1. At step 155, the server computes K_t′←H_K(i||K_t), then proceeds back to step 145. At step 160, the server computes A′=H_A(K_t′||t||R). Finally, at step 165, the server compares A and A′, where the authentication succeeds at step 170 if they match, or fails at 175 if they do not match.
[0035] This design assumes that at the beginning of any transaction the attacker may have L[0035] _MAX bits of useful information about the state of the token (e.g., K_t) that were obtained using the leak function F in a previous operation. During the transaction, the attacker can gain an additional L_MAX bits of useful information from the token. If, at any time, any 2L_MAX (or fewer) bits of useful information about the secret are known to the attacker, there are still (n+2L_MAX)−2L_MAX=n or more unknown bits. These n bits of unknown information ensure that attacks will require O(2ⁿ) effort, corresponding to the desired security factor. However, the attacker should have no more than L_MAX bits of useful information about K_t at the end of the transaction. The property that attackers lose useful information during normal operation of the system is a characteristic of the leak-proof or leak-resistant cryptosystem. In general, this information loss is achieved when the cryptosystem performs operations that convert attackers' useful partial information about the secret into useless information. (Information is considered useless if it gives an attacker nothing better than the ability to test candidate values in an O(2ⁿ) exhaustive search or other “hard” operation. For example, if exhaustive search of X is hard and H is a good hash function, H(X) is useless information to an attacker trying to find X.)
[0036] Thus, the attacker is assumed to begin with L[0036] _MAX bits of useful information about K_t before the token's K_t←H_K(t||K_t) computation. (Initial information about anything other than K_t is of no value to an attacker because K_t is the only secret value in the token. The function H_K and the value of t are not assumed to be secret.) The attacker's information can be any function of K_t produced from the previous operation's leaks.
[0037] 3. Security Characteristics of Leak-Proof Systems [0037]
[0038] The following section provides a technical discussion of the security characteristics of the exemplary leak-proof system described above. The following analysis is provided as an example of how the design can be analyzed, and how a system may be designed using general assumptions about attackers' capabilities. The discussion and assumptions do not necessarily apply to other embodiments of the invention and should not be construed as limiting the scope or applicability of the invention in any way. [0038]
[0039] During the course of a transaction, the leak function F might reveal up to L[0039] _MAX information about the system and its secrets. The design assumed that any information contained in the system may be leaked by F, provided that F does not reveal useful new information about values of K_t that were deleted before the operation started, and F does not reveal useful information about values of K_t that will be computed in future operations. These constraints are completely reasonable, since real-world leaks would not reveal information about deleted or not-yet-existent data. (The only way information about future K_t values could be leaked would be the bizarre case where the leak function itself included, or was somehow derived from, the function H_K.) In practice, these constraints on F are academic and of little concern, but they are relevant when constructing proofs to demonstrate the security of a leak-proof system.
[0040] If the leak occurs at the beginning of the H[0040] _K computation, it could give the attacker up to 2L_MAX bits of useful information about the input value of K_t. Because K_t contains (2L_MAX+n) bits of secret information and the attacker may have up to 2L_MAX bits of useful information about the initial value of K_t, there remain at least (2L_MAX+n)−2L_MAX=n bits of information in K_t that are secret. The hash function H_K effectively mixes up these n bits to produce a secure new K_t during each transaction such that the attacker's information about the old K_t is no longer useful.
[0041] If the leak occurs at the end of the H[0041] _K computation, it could give an attacker up to L_MAX bits of information about the final value of H_K, yielding L_MAX bits of information about the input to the subsequent transaction. This is not a problem, since the design assumes that attackers have up to L_MAX bits of information about K_t at the beginning of each transaction.
[0042] A third possibility is that the attacker's L[0042] _MAX bits of information might describe intermediates computed during the operation H_K. However, even if the attacker could obtain L_MAX new bits of information about the input to H_K and also L_MAX bits of information about the output from H_K, the system would be secure, since the attacker would never have more than 2L_MAX bits of information about the input K_t or more than L_MAX bits of information about the output K_t. Provided that L_MAX bits of information from within H_K cannot reveal more than L_MAX bits of information about the input, or more than L_MAX bits of information about the output, the system will be secure. This will be true unless H_K somehow compresses the input to form a short intermediate which is expanded to form the output. While hash functions whose internal states are smaller than their outputs should not be used, most cryptographic hash functions are fine.
[0043] A fourth possibility is that part or all of the leak could occur during the A=H[0043] _A(K_t||t||R) calculation. The attacker's total “budget” for observations is L_MAX bits. If L₁ bits of leak occur during the H_K computation, an additional L₂ bits of information can leak during the A=H_A(K_{t||R) operation, where L 2<L MAX}−L_1. If the second leak provides information about K_t, this is no different from leaking information about the result of the H_K computation; the attacker will still conclude the transaction with no more than L_MAX bits of information about K_t because L₁ +L₂<L_MAX. However, the second leak could reveal information about A. To keep A secure against leaks (to prevent, for example, an attacker from using a leak to capture A and using A before the legitimate user can), the size of A should include an extra L_MAX bits (to provide security even if L₂=L_MAX). Like H_K, H_A should not leak information about deleted or future values of K_t that are not used in or produced by the given operation. As with the similar assumptions on leaks from H_K, this limitation is primarily academic and of little practical concern, since real-world leak functions do not reveal information about deleted or not-yet-computed data. However, designers might be cautious when using unusual designs for H_A that are based on or derived from H_K, particularly if the operation H_A(K_t||t||R) could reveal useful information about the result of computing H_K(t||K_t).
[0044] B. Other Leak-Resistant Symmetric Schemes [0044]
[0045] The same basic technique of updating a key (K) with each transaction, such that leakage about a key during one transaction does not reveal useful information about a key in a subsequent (or past) transaction, can be easily extended to other applications besides authentication. [0045]
[0046] 1. Symmetric Data Verification [0046]
[0047] For example and without limitation, leak-resistant symmetric data verification is often useful where a device needs to support symmetrically-signed code, data, content, or parameter updates (all of which will, as a matter of convenience, be denoted as “data” herein). In existing systems, a hash or MAC of the data is typically computed using a secret key and the data is rejected if computed hash or MAC does not match a value received with the data. For example, a MAC may be computed as HMAC(K,data), where HMAC is defined in “RFC 2104, HMAC:Keyed-Hashing for Message Authentication” by H. Krawczyk, M. Bellare, and R. Canetti, 1997. Traditional (non-leak-resistant) designs are often vulnerable to attacks including power consumption analysis of MAC finctions and timing analysis of comparison operations. [0047]
[0048] In an exemplary leak-resistant verification protocol, a verifying device (the “verifier”) maintains a counter t and a key K[0048] _t, which are initialized (for example at the factory) with t←0 and K_t←K₀. Before the transaction, the verifier provides t to the device providing the signed data (the “signer”), which also knows K₀. The signer uses t to compute K_t+1′ (the prime indicating a quantity derived by the signer, rather than at the verifier) from K₀ (or K_t′ or any other available value of K_i′). using the relation K_i′=H_K(i||K_i−1′), computes signature S′=HMAC(K_t+ 1′, data), and sends S′ plus any other needed information (such as data or t) to the verifier. The verifier confirms that the received value of t (if any) matches its value of t, and rejects the signature if it does not. If t matches, the verifier increments t and updates K_t in its nonvolatile memory by computing t←t+1 and K_t←H_K(t||K_t). In an alternative embodiment, if the received value of t is larger than the internal value but the difference is not unreasonably large, it may be more appropriate to accept the signature and perform multiple updates to K_t (to catch up with the signer) instead of rejecting the signature outright. Finally, the verifier computes S=HMAC(K_t, data) and verifies that S=S′, rejecting the signature if S does not equal the value of S′ received with the data.
[0049] 2. Symmetric Encryption [0049]
[0050] Besides authentication and verification, leak-resistant symmetric cryptography can also be tailored to a wide variety of applications and environments. For example, if data encryption is desired instead of authentication, the same techniques as were disclosed above may be used to generate a key K[0050] _t used for encryption rather than verification.
[0051] 3. Variations in Computational Implementation [0051]
[0052] In the foregoing, various applications were disclosed for the basic technique of updating a key K[0052] _t in accordance with a counter and deleting old key values to ensure that future leakage cannot reveal information about the now-deleted key. Those skilled in the art will realize, however, that the exemplary techniques described above may be modified in various ways without departing from the spirit and scope of the invention. For example, if communications between the device and the server are unreliable (for example if the server uses voice recognition or manual input to receive t and A), then small errors in the signature may be ignored. (One skilled in the art will appreciate that many functions may be used to determine whether a signature corresponds—sufficiently closely—to its expected value.) In another variation of the basic technique, the order of operations and of data values may be adjusted, or additional steps and parameters may be added, without significantly changing the invention. In another variation, to save on communication bandwidth or memory, the high order bits or digits of t may not need to be communicated or remembered. In another variation, as a performance optimization, devices need not recompute K_t from K₀ with each new transaction. For example, when a transaction succeeds, the server can discard K₀ and maintain the validated version of K_t. In another variation, if bi-directional authentication is required, the protocol can include a step whereby the server can authenticates itself to the user (or user's token) after the user's authentication is complete. In another variation, if the server needs to be secured against leaks as well (as in the case where the role of “server” is played by an ordinary user), it can maintain its own counter t. In each transaction, the parties agree to use the larger of their two t values, where the device with the smaller t value performs extra updates to K_t to synchronize t. In an alternate embodiment for devices that contain a clock and a reliable power source (e.g., battery), the update operation may be performed periodically, for example by computing K_t←H_K(t||K_t) once per second. The token uses the current K_t to compute A=H_A(K_t||t||R) or, if the token does not have any means for receiving R, it can output A=HA(K_t). The server can use its clock and local copy of the secret to maintain its own version of K_t, which it can use to determine whether received values of A are recent and correct. All of the foregoing show that the method and apparatus of the present invention can be implemented using numerous variations and modifications to the exemplary embodiments described herein, as would be understood by one skilled in the art.
[0053] III. Asymmetric Cryptographic Protocols [0053]
[0054] The foregoing illustrates various embodiments of the invention that may be used with symmetric cryptographic protocols. As will be seen below, still other techniques of the present invention may be used in connection with asymmetric cryptographic operations and protocols. While symmetric cryptosystems are sufficient for some applications, asymmetric cryptography is required for many applications. There are several ways leak resistance can be incorporated into public key cryptosystems, but it is often preferable to have as little impact as possible on the overall system architecture. Most of the exemplary designs have thus been chosen to incorporate leak resistance into widely used cryptosystems in a way that only alters the key management device, and does not affect the certification process, certificate format, public key format, or processes for using the public key. [0054]
[0055] A. Certified Diffie-Heilman [0055]
[0056] Diffie-Hellman exponential key exchange is a widely used asymmetric protocol whereby two parties who do not share a secret key can negotiate a shared secret key. Implementations of Diffie-Hellman can leak information about the secret exponents, enabling attackers to determine the secret keys produced by those implementations. Consequently, a leak-resistant implementation of Diffie-Hellman would be useful. To understand such a leak-resistant implementation, it will be useful to first review a conventional Diffie-Hellman implementation. [0056]
[0057] 1. Conventional Certified Diffie-Hellman [0057]
[0058] Typical protocols in the background art for performing certified Diffie-Hellman exponential key agreement involve two communicating users (or devices) and a certifying authority (CA). The CA uses an asymmetric signature algorithm (such as DSA) to sign certificates that specify a user's public Diffie-Heilman parameters (the prime p and generator g), public key (p[0058] ^x mod g, where x is the user's secret exponent), and auxiliary information (such as the user's identity, a description of privileges granted to the certificate holder, a serial number, expiration date, etc.). Certificates may be verified by anyone with the CA's public signature verification key. To obtain a certificate, user U typically generates a secret exponent (x_u), computes his or her own public key y_u=g^{x _u} mod p, presents y_u along with any required auxiliary identifying or authenticating information (e.g., a passport) to the CA, who issues the user a certificate C_u Depending on the system, p and g may be unique for each user, or they may be system-wide constants (as will be assumed in the following description of Diffie-Hellman using the background art).
[0059] Using techniques of the background art, Alice and Bob can use their certificates to establish a secure communication channel. They first exchange certificates (C[0059] _Alice and C_Bob). Each verifies that the other's certificate is acceptable (e.g., properly formatted, properly signed by a trusted CA, not expired, not revoked, etc.). Because this protocol will assume thatp and g are constants, they also check that the certificate's p and g match the expected values. Alice extracts Bob's public key (y_Bob) from C_Bob and uses her secret exponent (x_Alice) to compute z_{Alice=(Y Bob})^{X _Alice} mod p. Bob uses his secret exponent and Alice's public key to compute Z_Bob=(Y_Alice)^{X _Bob} mod p. If everything works correctly, z_Alice=Z_Bob, since: z Alice =( y Bob ) x Alice  mod     p=( g x Bob ) x Alice  mod     p=( g x Alice ) x Bob  mod     p=( y Alice ) x Bob  mod     p= z Bob .
[0060] Thus, Alice and Bob have a shared key z=z[0060] _Alice=z=_Bob. An attacker who pretends to be Alice but does not know her secret exponent (x_Alice) will not be able to compute z_Alice=(y_Bob)^{x _Alice} mod p correctly. Alice and Bob can positively identify themselves by showing that they correctly found z. For example, each can compute and send the other the hash of z concatenated with their own certificate. Once Alice and Bob have verified each other, they can use a symmetric key derived from z to secure their communications. (For an example of a protocol in the background art that uses authenticated Diffie-Hellman, see “The SSL Protocol Version 3.0” by A. Freier, P. Karlton, and P. Kocher, Mar. 1996.)
[0061] 2. Leak-Resistant Certified Diffie-Hellman [0061]
[0062] A satisfactory leak-resistant public key cryptographic scheme should overcome the problem that, while certification requires the public key be constant, information about the corresponding private key should not leak out of the token that contains it. In the symmetric protocol described above, the design assumes that the leak function reveals no useful information about old deleted values of K[0062] _t or about future values of K_t that have not yet been computed. Existing public key schemes, however, require that implementations repeatedly perform a consistent, usually deterministic, operation using the private key. For example, in the case of Diffie-Hellman, a leak-resistant token that is compatible with existing protocols and implementations should be able to perform the secret key operation y^x mod p, while ensuring that the exponent x remains secret. The radical reshuffling of the secret provided by the hash finction H_K in the symmetric approach cannot be used because the device should be able to perform the same operation consistently.
[0063] The operations used by the token to perform the private key operation are modified to add leak resistance using the following variables: [0063] Register Comment x₁ First part of the secret key (in nonvolatile updateable memory) x₂ Second part of the secret key (in nonvolatile updateable memory) g The generator (not secret). p The public prime, preferably a strong prime (not secret).
[0064] The prime p and generator g may be global parameters, or may be specific to individual users or groups of users (or tokens). In either case, the certificate recipient should be able to obtain p and g securely, usually as built-in constants or by extracting them from the certificate. [0064]
[0065] To generate a new secret key, the key generation device (often but not always the cryptographic token that will contain the key) first obtains or generates p and g, where p is the prime and g is a generator mod p. If p and g are not system-wide parameters, algorithms known in the background art for selecting large prime numbers and generators may be used. It is recommended that p be chosen with (p−1)/2 also prime, or at least that ø(p) not be smooth. (When (p−1)/2 is not prime, information about x[0065] ₁ and x₂ modulo small factors of ø(p) may be leaked, which is why it is preferable that ø(p) not be smooth. Note that ø denotes Euler's totient function.) Once p and g have been chosen, the device generates two random exponents x₁ and x₂. The lowest-order bit of x₁ and of x₂ is not considered secret, and may be set to 1. Using p, g, x₁ and x₂, the device can then compute its public key as g^{x ₁ x ₂} mod p and submit it, along with any required identifying information or parameters needed (e.g., p and g), to the CA for certification.
[0066] FIG. 2 illustrates the process followed by the token to perform private key operations. At step 205, the token obtains the input message y, its own (non-secret) prime p, and its own secret key halves (x[0066] ₁ and x₂). If x₁, x₂, and p are stored in encrypted and/or authenticated form, they would be decrypted or verified at this point. At this step, the token should verify that 1 <y <−1. At step 210, the token uses a random number generator (or pseudorandom number generator) to select a random integer b₀, where 0 < b₀<p. At step 215, the token computes b₁=b₀ ⁻¹ mod p. The inverse computation mod p may be performed using the extended Euclidean algorithm or the formula b₁=b₀ ^ø(p)-1 mod p. At step 220, the token computes b₂ =b₁ ^{x ₁} mod p. At this point, b₁ is no longer needed; its storage space may be used to store b₂. Efficient algorithms for computing modular exponentiation, widely known in the art, may be used to complete step 220. Alternatively, when a fast modular exponentiator is available, the computation b₂ may be performed using the relationship b₂=b₀ ^{ø(p)-x ₁} mod p. At step 225, the token computes b₃=b₂ ^{x ₂} mod p. At this point, b₂ is no longer needed; its storage space may be used to store b₃. At step 230, the token computes z₀=b₀y mod p. At this point,y and b₀ are no longer needed; their space may be used to store r₁ (computed at step 235) and z₀. At step 235, the token uses a random number generator to select a random integer r₁, where 0<r₁<ø(p) and gcd(r₁, ø(p))=1. (If (p−1/2 is known to be prime, it is sufficient to verify that r₁ is odd.) At step 240, the token updates x₁ by computing x₁←x₁r₁ mod ø(p). The old value of x₁ is deleted and replaced with the updated value. At step 245, the token computes r₂=(r₁ ⁻¹) mod ø(p). If (p−1/2 is prime, then r₂ can be found using a modular exponentiator and the Chinese Remainder Theorem. Note that r₁ is not needed after this step, so its space may be used to store r₂. At step 250, the token updates x₂ by computing x₂←x₂r₂ mod ø(p). The old value of x₂ should be deleted and replaced with the updated value. At step 255, the token computes z₁=(z₀)^{x ₁} mod p. Note that z₀ is not needed after this step, so its space may be used to store z₁. At step 260, the token computes z₂=(z₁)^{x ₂} mod p. Note that z₁ is not needed after this step, so its space may be used to store z₂. At step 265, the token finds the exponential key exchange result by computing z=z₂b₃ mod p. Finally, at step 270, the token erases and frees any remaining temporary variables.
[0067] The process shown in FIG. 2 correctly computes z=mod p, where x=x[0067] ₁x₂ mod ø(p), since:z = z 2  b 3  mod     p= ( z 1 x 2  mod     p )  ( b 2 x 2  mod     p )  mod     p= ( ( z 0 x 1  mod     p ) x 2 )  ( ( b 1 x 1  mod     p ) x 2 )  mod     p=( b 0  y     mod     p )x 1  x 2 ( b 0 - 1  mod     p )x 1  x 2 mod     p= y x 1  x 2 mod     p= y x  mod     p .
[0068] The invention is useful for private key owners communicating with other users (or devices) who have certificates, and also when communicating with users who do not. [0068]
[0069] If Alice has a certificate and wishes to communicate with Bob who does not have a certificate, the protocol proceeds as follows. Alice sends her certificate (C[0069] _Alice) to Bob, who receives it and verifies that it is acceptable. Bob extracts y_Alice (along with p_Alice and g_Alice, unless they are system-wide parameters) from C_Alice. Next, Bob generates a random exponent X_BA, where 0 <X_AB<ø(P_Alice). Bob then uses his exponent X_AB and Alice's parameters to calculate Y_BA=(g_Alice ^{x _BA} )mod p_Alice and the session key z=(y_Alice ^{X _BA} )mod p_Alice. Bob sends Y_BA to Alice, who performs the operation illustrated in FIG. 2 to update her internal parameters and derive z from y_BA. Alice then proves that she computed z correctly, for example by sending Bob H(z||C_Alice). (Alice cannot authenticate Bob because he does not have a certificate. Consequently, she does not necessarily need to verify that he computed z successfully.) Finally, Alice and Bob can use z (or, more commonly, a key derived from z) to secure their communications.
[0070] If both Alice and Bob have certificates, the protocol works as follows. First, Alice and Bob exchange certificates (C[0070] _Alice and C_Bob), and each verifies that other's certificate is valid. Alice then extracts the parameters p_Bob, g_Bob, and Y_Bob from C_Bob, and Bob extracts p_Alice, g_Alice, and y_Alice from C_{Alice Alice then generates a random exponent X AB} where 0 <X_AB<ø(p_Bob), computes y_AB=(g_Bob)^{x _AB} mod p_{Bob, and computes z AB}-(Y_Bob. Bob generates a random X_BA where 0<X_BA<ø(p_Alice), computes Y_BA=(g_Alice)^{X _BA} mod p_Alice, and computes Z_BA-(Y_Alice)^{x _BA} mod p_Alice. Bob sen Alice, and Alice sends y_AB to Bob. Alice and Bob each perform the operation shown in FIG. 2, where each uses the prime p from their own certificate and their own secret exponent halves (x₁ and x₂). For the message y in FIG. 2, Alice uses y_BA (received from Bob), and Bob uses y_AB (received from Alice). Using the process shown in FIG. 2, Alice computes z. Using z and z_AB (computed previously), she can find a session key K. This may be done, for example, by using a hash function H to compute K=H(z||z_AB). The value of z Bob obtains using the process shown in FIG. 2 should equal Alice's z_AB, and Bob's z_BA (computed previously) should equal Alice's z. If there were no errors or attacks, Bob should thus be able to find K, e.g., by computing K=H(z_BA||z). Alice and Bob now share K. Alice can prove her identity by showing that she computed K correctly, for example by sending Bob H(K||C_Alice). Bob can prove his identity by sending Alice H(K||C_Bob). Alice and Bob can then secure their communications by encrypting and authenticating using K or a key derived from K.
[0071] Note that this protocol, like the others, is provided as an example only; many variations and enhancements of the present invention are possible and will be evident to one skilled in the art. For example, certificates may come from a directory, more than two parties can participate in the key agreement, key escrow functionality may be added, the prime modulus p may be replaced with a composite number, etc. Note also that Alice and Bob as they are called in the protocol are not necessarily people; they would normally be computers, cryptographic devices, etc. [0071]
[0072] For leak resistance to be effective, attackers should not be able to gain new useful information about the secret variables with each additional operation unless a comparable amount of old useful information is made useless. While the symmetric design is based on the assumption that leaked information will not survive the hash operation H[0072] _K, this design uses multiplication operations mod ø(p) to update x₁ and x₂. The most common variety of leaked information, statistical information about exponent bits, is not of use to attackers in this design, as the exponent update process (x₁←x₁r₁ mod ø(p) and x₂←x₂r₂ mod ø(p)) destroys the utility of this information. The only relevant characteristic that survives the update process is that x₁x₂ mod ø(p) remains constant, so the system designer should be careful to ensure that the leak function does not reveal information allowing the attacker to find new useful information about x₁x₂ mod ø(p).
[0073] There is a modest performance penalty, approximately a factor of four, for the leak-resistant design as described. One way to improve performance is to remove the blinding and unblinding operations, which are often unnecessary. (The blinding operations prevent attackers from correlating input values of y with the numbers processed by the modular exponentiation operation.) Alternatively or additionally, it is possible to update and reuse values of b[0073] ₀, b₃, r₁, and r₂ by computing b₀←(b₀) mod p, b₃←(b₃)^v mod p,r₁←(r₁)^w mod ø(p), and r₂←(r₂)^w mod ø(p), where v and w are fairly short random exponents. Note that the relationship b₃←b₀ ^{-x ₁ x ₂} mod p remains true when b₀ and b₃ are both raised to the power v (mod p). The relationship r₂=(r₁ ^-1) mod ø(p) also remains true when r₁ and r₂ are exponentiated (mod ø(p)). Other parameter update operations may also be used, such as exponentiation with fixed exponents (e.g., v=w= 3), or multiplication with random values and their inverses, mod p and ø(p). The time per transaction with this update process is about half that of the unoptimized leak-resistant implementation, but additional storage is required and care should be taken to ensure that b₀, b₃, r₂ will not be leaked or otherwise compromised.
[0074] It should also be noted that with this particular type of certified Diffie-Hellman, the negotiated key is the same every time any given pair of users communicate. Consequently, though the blinding operation performed using b[0074] ₀ and b₃ does serve to protect the exponents, the result K can be leaked in the final step or by the system after the process is complete. If storage is available, parties could keep track of the values of y they have received (or their hashes) and reject duplicates. Alternatively, to ensure that a different result is obtained from each negotiation, Alice and Bob can generate and exchange additional exponents, w_Alice and w_Bob, for example with 0<w<2¹²⁸ (where 2¹²⁸ <<p). Alice sets y=(y_BA)^{w _Alice W _Bob} mod p instead ofjust y=Y_BA, and Bob sets y=(y_AB)^{w _Bob w _Alice} mod p instead of y=y_AB before performing the operation shown in FIG. 2.
[0075] B. Leak-Resistant RSA [0075]
[0076] Another asymmetric cryptographic protocol is RSA, which is widely used for digital signatures and public key encryption. RSA private key operations rely on secret exponents. If information about these secret exponents leaks from an implementation, its security can be compromised. Consequently, a leak-resistant implementation of RSA would be useful. [0076]
[0077] To give RSA private key operations resistance to leaks, it is possible to divide the secret exponent into two halves such that information about either half is destroyed with each operation. These are two kinds of RSA private key operations. The first, private key signing, involves signing a message with one's own private key to produce a digital signature verifiable by anyone with one's corresponding public key. RSA signing operations involve computing S=M[0077] ^d mod n, where M is the message, S is the signature (verifiable using M=S^e mod n), d is the secret exponent and equals e^-1 mod ø(n), and n is the modulus and equals pq, where n and e are public and p and q are secret primes, and ø is Euler's phi finction. An RSA public key consists of e and n, while an RSA private key consists of d and n (or other representations of them). For RSA to be secure, d, ø(n), p, and q should all be secret.
[0078] The other RSA operation is decryption, which is used to recover messages encrypted using one's public key. RSA decryption is virtually identical to signing, since the decrypted message M is recovered from the ciphertext C by computing M=C[0078] ^d mod n, where the ciphertext C was produced by computing C=M^e mod n. Although the following discussion uses variable names from the RSA signing operation, the same techniques may be applied similarly to decryption.
[0079] An exemplary leak-resistant scheme for RSA implementations may be constructed as illustrated in FIG. 3. At step 300, prior to the commencement of any signing or decryption operations, the device is initialized with (or creates) the public and private keys. The device contains the public modulus n and the secret key components d[0079] ₁, d₂, and z, and k, where k is a prime number of medium-size (e.g., 0<k<2¹²⁸) chosen at random, z=kø(n), d₁ is a random number such that 0<d₁<z and gcd(d₁z)=1, and d₂ =(e^-1 mod ø(n))(d₁ ^-1 mod z) mod z. In this invention, d₁ and d₂ replace the usual RSA secret exponent d. Techniques for generating the initial RSA primes (e.g., p and q) and modulus (n) are well known in the background art. At step 305, the device computes a random prime k′ of medium size (e.g., 0<k′<2¹²⁸). (Algorithms for efficiently generating prime numbers are known in the art.)
[0080] At step 303, the device (token) receives a message M to sign (or to decrypt). At step 310, the device updates z by computing z←k′z. At step 315, the device updates z again by computing z←z/k. (There should be no remainder from this operation, since k divides z.) At step 320, k is replaced with k′ by performing k←k′. Because k′will not be used in subsequent operations, its storage space may be used to hold R (produced at step 325). At step 325, the device selects a random R where 0<R<z and gcd(R,z)=1. At step 330, the device updates d[0080] ₁ by computing d₁R mod z. At step 335, the device finds the inverse of R by computing R′←R^-1 mod z using, for example, the extended Euclidean algorithm. Note that R is no longer needed after this step, so its storage space may be erased and used to hold R′. At step 340, the device updates d₂ by computing d₂←d₂R′ mod z. At step 345, the device computes S₀=M^{d ₁} mod n, where M is the input message to be signed (or the message to be decrypted). Note that M is no longer needed after this step, so its storage space may be used for S₀. At step 350, the device computes S=S₀ ^{d ₂} mod n, yielding the final signature (or plaintext if decrypting a message). Leak-resistant RSA has similar security ch Characteristics as normal RSA; standard message padding, post-processing, and key sizes may be used. Public key operations are also performed normally (e.g., M=S^e mod n).
[0081] A simpler RSA leak resistance scheme may be implemented by splitting the exponent d into two halves d[0081] ₁ and d₂ such that d₁+d₂=d. This can be achieved during key generation by choosing d₁ to be a random integer where 0<d₁<d, and choosing d₂ ←d-d₁. To perform private key operations, the device needs d₁ and d₂, but it does not need to contain d. Prior to each private key operation, the cryptographic device identifies which of d₁ and d₂ is larger. If d_{1>d 2}, then the device computes a random integer r where 0<r<d₁, adds r to d₂ (i.e., d₂←d₂+r), and subtracts r from d₁, (i.e., d_{1←d 1}-r). Otherwise, if d_{1<d 2}, then the device chooses a random integer r where 0<r<d₂, adds r to d₁(i.e., d_{1←d 1}+r), and subtracts r from d₂ (i.e., d₂←d₂-r). Then, to perform the private key operation on a message M, the device computes s_1=M ^{d ₁} mod n, s₂=M^{d ₂} modn, and computes the signature S=s₁s₂mod n. While this approach of splitting the exponent into two halves whose sum equals the exponent can also be used with Diffie-Hellman and other cryptosystems, dividing the exponent into the product of two numbers mod ø(p) is usually preferable since the assumption that information about d₁+d₂ will not leak is less conservative than the assumption that information about x₁x₂ mod ø(p) will not leak. In the case of RSA, updates mod ø(n) cannot be done safely, since ø(n) must be kept secret.
[0082] When the Chinese Remainder Theorem is required for performance, it is possible to use similar techniques to add leak resistance by maintaining multiples of the secret primes (p and q) that are updated every time (e.g., multiplying by the new multiple then dividing by the old multiple). These techniques also protect the exponents (dp and dq) as multiples of their normal values. At the end of the operation, the result S is corrected to compensate for the adjustments to dp, dq, p, and q. [0082]
[0083] An exemplary embodiment maintains state information consisting of the values n, B[0083] _i, B_f, _pk, _qk, d_pk, d_qk, _PInv, and f. To convert a traditional RSA CRT private key (consisting of p, q, d_p, and d_q with p<q) into the new representation, a random value for k is chosen, where 0<k<2⁶⁴. The value B_i is chosen at random where 0<B_i<n, and R_l and R₂ are chosen at random where 0<R_l<2⁶⁴ and 0<R₂<2⁶⁴. (Of course, constants such as 2⁶⁴ are chosen as example values. It is possible, but not necessary, to place constraints on random numbers, such as requiring that they be prime.) The leak-resistant private key state is then initialized by setting n←pq,B_f←B_i ^-d p_k mod n,_pk←(k)(p), _qk←(k)(q),d_pk←d_p+(R_l)(p)-R_ld_qk←d_q+(R₂)(q)-R₂, _PInv←k(p ^-1mod q), and f←0.
[0084] To update the system state, first a random value α may be produced where 0<α< 2[0084] ⁶⁴. Then compute p_k←((α)(qk))/k, _PInv←((α)(_PInv))/k,k←αThe exponents d_pk and d_qk may be updated by computing d_pk←d_pk±(R_3p-R₃k) and d_qk←d_qk±(R_4qk-R₄k), where R₃ and R₄ can be random or constant values (even 1). The blinding factors B_i and B_f may be updated by computing B_i=B_i ² mod n and B_f=B_f ² mod n, by computing new blinding factors, by exponentiating with a value other than 2, etc. Update processes should be performed as often as practical, for example before or after each modular exponentiation process. Before the update begins, a failure counter f is incremented, and when the update completes fis set to zero. If f ever exceeds a threshold value indicating too many consecutive failures, the device should temporarily or permanently disable itself. Note that if the update process is interrupted, memory values should not be left in intermediate states. This can be done by using complete reliable memory updates. If the total set of variable changes is too large for a single complete update, it is possible to store α first then do each variable update reliably which keeping track of how many have been completed.
[0085] To perform a private key operation (such as decryption or signing), the input message C is received by the modular exponentiator. Next, the value is blinded by computing C′←(C)(B[0085] _i) mod n. The blinded input message is then used to compute modified CRT intermediates by computing m_pk←(C′)^{d _pk} P_k mod p_k and m_qk←(C′)^{d _qk} mod q_k. Next in the exemplary embodiment, the CRT intermediates are multiplied by k, e.g. m_pk←(k)(m_pk) mod p_k and m_qk←(k)(m_qk) mod qk. The CRT difference is then computed as m_pqk=(m_pk[+qk]-m_{qk) [mod qk], where the addition of qk} and/or reduction mod _qk are optional. (The addition of _qk ensures that the result is non-negative.) The blinded result can be computed as M ′ = ( m pk )  k + p k [ (( p Inv )  ( m pqk ) k )  mod     q k k 2,
[0086] As one of ordinary skill in the art will appreciate, variant forms of the invention are possible. For example, the computational processes can be re-ordered or modified without significantly changing the invention. Some portions (such as the initial and blinding steps) can be skipped. In another example, it is also possible to use multiple blinding factors (for example, instead of or in addition to the value k). [0086]
[0087] In some cases, other techniques may also be appropriate. For example, exponent vector codings may be rechosen frequently using, for example, a random number generator. Also, Montgomery arithmetic may be performed mod j where j is a value that is changed with each operation (as opposed to traditional Montgomery implementations where j is constant with j=2[0087] ^k). The foregoing shows that the method and apparatus of the present invention can be implemented using numerous variations and modifications to the exemplary embodiments described herein, as would be known by one skilled in the art.
[0088] C. Leak-Resistant ElGamal Public Key Encryption and Digital Signatures Sti[0088]
[0089] Still other asymmetric cryptographic protocols that may be improved using the techniques of the invention. For example, ElGamal and related cryptosystems are widely used for digital signatures and public key encryption. If information about the secret exponents and parameters leaks from an ElGamal implementation, security can be compromised. Consequently, leak-resistant implementations of ElGamal would be useful. [0089]
[0090] The private key in the ElGamal public key encryption scheme is a randomly selected secret α where 1 <α<p−2. The non-secret parameters are a prime p, a generator α, and α[0090] ^αmod p. To encrypt a message m, one selects a random k (where 1<k<p−2) and computes the ciphertext (γ, δ) where γ=α^k mod p and δ=m(α^αmod p)^k mod p. Decryption is performed by computing m=δ(γ^p−1α) mod p. (See the Handbook of Applied Cryptography by A. Menezes, P. van Oorschot, and S. Vanstone, 1997, pages 294-298, for a description of ElGamal public-key encryption).
[0091] To make the ElGamal public-key decryption process leak-resistant, the secret exponent (p−1-α) is stored in two halves α[0091] ₁ and α₂, such that α₁α₂=(ø(p)−α) mod ø(p).
[0092] When generating ElGamal parameters for this leak-resistant implementation, it is recommended, but not required, that p be chosen with (p−1)/2 prime so that ø(p)/2 is prime. [0092]
[0093] The variables α[0093] ₁ and α₂ are normally chosen initially as random integers between 0 and ø(p). Alternatively, it is possible. to generate a first, then choose α₁ and α₂, as by selecting a, relatively prime to ø(p) and computing α₂= (α^-1 mod ø(p))(α₁ ^-1 mod ø(p)) mod ø(p).
[0094] FIG. 4 illustrates an exemplary leak-resistant ElGamal decryption process. At step 405, the decryption device receives an encrypted message pair (γ, δ). At step 410, the device selects a random r[0094] ₁ where 1<r₁<ø(p) and gcd(r₁, ø(p))=1. At step 415, the device updates α₁ by computing α←α₁r₁ , mod ø(p), over-writing the old value of α₁ with the new value. At step 420, the device computes the inverse of r₁ by computing r₂ =(r₁)^-1 mod ø(p). Because r₁ is not used after this step, its storage space may be used to hold r_2. Note that if (p−1)/2 is prime, then r₂ may also be found by finding r₂′=r₁ ^(P−1)/2-2 mod (p−1)/2 and using the CRT to find r₂ (mod p−1). At step 425, the device updates a₂ by computing a₂←α₂r₂ mod ø(p). At step 430, the device begins the private key (decryption) process by computing m′=γ^{α ₁} mod p. At step 435, the device computes m=δ(m′)^{α ₂} mod p and returns the message m. If verification is successful, the result equals the original message because: ( δ )  ( m ′ ) a 2  mod     p = ( m  ( α a ) k )  ( γ a 1  mod     p ) a 2  mod     p= ( m     α ak )  ( γ a 1  a 2  mod     φ  ( p ) )  mod     p= ( m     α ak )  ( ( α k  mod     p )- a     mod     φ  ( p ) )  mod     p= ( m     α ak )  ( α - ak )  mod     p= m
[0095] As with the ElGamal public key encryption scheme, the private key for the ElGamal digital signature scheme is a randomly-selected secret α, where 1<α<p−2. The public key is also similar, consisting of a prime p, a generator α, and public parameter y where y=α[0095] ^αmod p. To sign a message m, the private key holder chooses or precomputes a random secret integer k (where 1<k<p−2 and k is relatively prime to p−1) and its inverse, k^-1 mod ø(p). Next, the signer computes the signature (r, s), where r= α^k mod p, s=((k^-1 modø(p))[H(m)−αr])mod ø(p), and H(m) is the hash of the message. Signature verification is performed using the public key (p, α, y) by verifying that 1<r< p and by verifying that y^rr^s mod p=α^h(m) mod p.
[0096] To make the ElGamal digital signing process leak-resistant, the token containing the private key maintains three persistent variables, α[0096] _k, w, and r. Initially, αa_k=α(the private exponent), w=1, and r=α. When a message m is to be signed (or during the precomputation before signing), the token generates a random number b and its inverse b^-1 mod ø(p), where b is relatively prime to ø(p) and 0 <b<ø(p). The token then updates a_k, w, and r by computing a_k←(a_k)(b^-1) mod 526 (p), w←(w)(b^-1) mod ø(p), and r←(r^b) mod p. The signature (r, s) is formed from the updated value of r and s, where s=(w(H(m)−a_kr))modø(p). Note that a_k, w, and r are not randomized prior to the first operation, but should be randomized before exposure to possible attack, since otherwise the first operation may leak more information than subsequent ones. It is thus recommended that a dummy signature or parameter update with a_k←(a_k)(b^-1) mod ø(p), w←(w)(b^-1) mod ø(p), and r←(r^b) mod p be performed immediately after key generation. Valid signatures produced using the exemplary tamper-resistant ElGamal process may be checked using the normal ElGamal signature verification procedure.
[0097] It is also possible to split all or some the ElGamal variables into two halves as part of the leak resistance scheme. In such a variant, α is replaced with α[0097] ₁ and α₂, w with w₁ and w₂, and r with r₁ and r₂. It is also possible to reorder the operations by performing, for example, the parameter updates as a precomputation step prior to receipt of the enciphered message. Other variations and modifications to the exemplary embodiments described herein will be evident to one skilled in the art.
[0098] D. Leak-Resistant DSA [0098]
[0099] Another commonly used asymmetric cryptographic protocol is the Digital Signature Algorithm (DSA, also known as the Digital Signature Standard, or DSS), which is defined in “Digital Signature Standard (DSS),” Federal Information Processing Standards Publication 186, National Institute of Standards and Technology, May 19, 1994 and described in detail in the [0099] Handbook of Applied Cryptography, pages 452 to 454. DSA is widely used for digital signatures. If information about the secret key leaks from a DSA implementation, security can be compromised. Consequently, leak-resistant implementations of DSA would be useful.
[0100] In non-leak-proof systems, the private key consists of a secret parameter α, and the public key consists of (p, q, α, y), where p is a large (usually 512 to 1024 bit) prime, q is a 160-bit prime, α is a generator of the cyclic group of order q mod p, and y=α[0100] ^αmod p. To sign a message whose hash is H(m), the signer first generates (or precomputes) a random integer k and its inverse k^-1 mod q, where 0<k<q. The signer then computes the signature (r, s), where r=(a^k mod p) mod q, and s=(k^-1 mod q)(H(m)+αr) mod q.
[0101] In an exemplary embodiment of a leak-resistant DSA signing process, the token containing the private key maintains two variables in nonvolatile memory, a[0101] _k and k, which are initialized with a_k=αand k=1. When a message m is to be signed (or during the precomputation before signing), the token generates a random integer b and its inverse b^-1 mod q, where 0 <b<q. The token then updates ak and k by computing a_k←(α_kb ^-1 mod q)(k) mod q, followed by k←b. The signature (r, s) is formed from the updated values of a_k and k by computing r=α^k mod p (which may be reduced mod q), and s=[(b^-1H(m) mod q)+(α_kr) mod q] mod q. As indicated, when computing s, b^-1H(m) mod q and (a_kr) mod q are computed first, then combined mod q. Note that a_k and k should be randomized prior to the first operation, since the first update may leak more information than subsequent updates. It is thus recommended that a dummy signature (or parameter update) be performed immediately after key generation. Valid signatures produced using the leak-resistant DSA process may be checked using the normal DSA signature verification procedure.
[0102] IV. Other Algorithms and Applications [0102]
[0103] Still other cryptographic processes can be made leak-proof or leak-resistant, or may be incorporated into leak-resistant cryptosystems. For example, cryptosystems such as those based on elliptic curves (including elliptic curve analogs of other cryptosystems), secret sharing schemes, anonymous electronic cash protocols, threshold signatures schemes, etc. be made leak resistant using the techniques of the present invention. [0103]
[0104] Implementation details of the schemes described may be adjusted without materially changing the invention, for example by re-ordering operations, inserting steps, substituting equivalent or similar operations, etc. Also, while new keys are normally generated when a new system is produced, it is often possible to add leak resistance retroactively while maintaining or converting existing private keys. [0104]
[0105] Leak-resistant designs avoid performing repeated mathematical operations using non-changing (static) secret values, since they are likely to leak out. However, in environments where it is possible to implement a simple function (such as an exclusive OR) that does not leak information, it is possible use this finction to implement more complex cryptographic operations. [0105]
[0106] While the exemplary implementations assume that the leak functions can reveal any information present in the system, designers may often safely use the (weaker) assumption that information not used in a given operation will not be leaked by that operation. Schemes using this weaker assumption may contain a large table of precomputed subkey values, from which a unique or random subset are selected and/or updated for each operation. For example, DES implementations may use indexed permutation lookup tables in which a few table elements are exchanged with each operation. [0106]
[0107] While leak resistance provides many advantages, the use of leak resistance by itself cannot guarantee good security. For example, leak-resistant cryptosystems are not inherently secure against error attacks, so operations should be verified. (Changes can even be made to the cryptosystem and/or leak resistance operations to detect errors.) Similarly, leak resistance by itself does not prevent attacks that extract the entire state out of a device (e.g., L=L[0107] _MAX). For example, traditional tamper resistance techniques may be required to prevent attackers from staining ROM or EEPROM memory cells and reading the contents under a microscope. Implementers should also be aware of interruption attacks, such as those that involve disconnecting the power or resetting a device during an operation, to ensure that secrets will not be compromised or that a single leaky operation will not be performed repeatedly. (As a countermeasure, devices can increment a counter in nonvolatile memory prior to each operation, and reset or reduce the counter value when the operation completes successfully. If the number of interrupted operations since the last successful update exceeds a threshold value, the device can disable itself.) Other tamper resistance mechanisms and techniques, such as the use of fixed-time and fixed-execution path code or implementations for critical operat conjunction with leak resistance, particularly for systems with a relatively low self-healing rate (e.g., L_MAX is small).
[0108] Leak-resistant algorithms, protocols, and devices may be used in virtually any application requiring cryptographic security and secure key management, including without limitation: smartcards, electronic cash, electronic payments, funds transfer, remote access, timestamping, certification, certificate validation, secure e-mail, secure facsimile, telecommunications security (voice and data), computer networks, radio and satellite communications, infrared communications, access control, door locks, wireless keys, biometric devices, automobile ignition locks, copy protection devices, payment systems, systems for controlling the use and payment of copyrighted information, and point of sale terminals. [0108]
[0109] The foregoing shows that the method and apparatus of the present invention can be implemented using numerous variations and modifications to the exemplary embodiments described herein, as would be known by one skilled in the art. Thus, it is intended that the scope of the present invention be limited only with regard to the claims below. [0109]

权利要求:
Claims (71)
[1" id="US-20010002486-A1-CLM-00001] 1. A method for implementing RSA with the Chinese Remainder Theorem for use in a cryptographic system, with resistance to leakage attacks against said cryptographic system, comprising the steps of:
(a) obtaining a representation of an RSA private key corresponding to an RSA public key, said private key characterized by secret factors p and q;
(b) storing said representation of said private key in a memory;
(c) obtaining a message for use in an RSA cryptographic operation;
(d) computing a first modulus, corresponding to a multiple of p, where the value of said multiple of p and the value of said multiple of p divided by p are both unknown to an attacker of said cryptographic system;
(e) reducing said message modulo said first modulus;
(f) performing modular exponentiation on the result of step (e);
(g) computing a second modulus, corresponding to a multiple of q, where the value of said multiple of q and the value of said multiple of q divided by q are both unknown to an attacker of said cryptographic system;
(h) reducing said message modulo said second modulus;
(i) performing modular exponentiation on the result of step (h);
(j) combining the results of said steps (e) and (h) to produce a result which, if operated on with an RSA public key operation using said RSA public key, yields said message; and
(k) repeating steps (c) through 0) a plurality of times using different values for said multiple of p and for said multiple of q.
[2" id="US-20010002486-A1-CLM-00002] 2. The method of
claim 1 where:
(i) said step (b) includes storing an exponent d_p of said RSA private key in said memory as a plurality of parameters;
(ii) an arithmetic fimction of at least one of said plurality of parameters is congruent to d_p, modulo (p−1);
(iii) none of said parameters comprising said stored d_p is equal to d_p;
(iv) an exponent used in said step (f) is at least one of said parameters;
(v) at least one of said parameters in said memory changes with said repetitions of said steps (c) through (j).
[3" id="US-20010002486-A1-CLM-00003] 3. The method of
claim 2 where said plurality of parameters includes a first parameter equal to said d_p plus a multiple of phi(p), and also includes a second parameter equal to a multiple of phi(p), where phi denotes Euler's totient function.
[4" id="US-20010002486-A1-CLM-00004] 4. The method of
claim 1 where the value of said multiple of p divided by p is equal to the value of said multiple of q divided by q.
[5" id="US-20010002486-A1-CLM-00005] 5. The method of
claim 1 where said multiple of p and said multiple of q used in said steps (c) through (j) are updated and modified in said memory after said step (b).
[6" id="US-20010002486-A1-CLM-00006] 6. The method of
claim 1 performed in a smart card.
[7" id="US-20010002486-A1-CLM-00007] 7. The method of
claim 1 where at least two of said steps are performed in an order other than (a) through (k).
[8" id="US-20010002486-A1-CLM-00008] 8. A method for implementing RSA for use in a cryptographic system, with resistance to leakage attacks against said cryptographic system, comprising the steps of:
(a) obtaining an RSA private key corresponding to an RSA public key, said RSA public key having an RSA modulus n;
(b) storing said private key in a memory in a form whereby a secret parameter of said key is stored as an arithmetic combination of phi(x) and a first at least one key masking parameter, where
(i) an operand x in said phi(x) is an exact multiple of at least one factor of said modulus n of said RSA public key; and
(ii) said first key masking parameter is unknown to an attacker of said cryptosystem;
(iii) a representation of said first key masking parameter is stored in said memory;
(iv) phi denotes Euler's totient function;
(c) receiving a message;
(d) deriving an RSA input from said message;
(e) performing modular exponentiation to raise said RSA input to a power dependent on said secret parameter, modulo an RSA modulus stored in said memory, to produce an RSA result such that said RSA result raised to the power of the public exponent of said RSA public key, modulo the modulus of said RSA public key, equals said RSA input;
(f) updating said secret parameter in said memory by:
(i) modifing said first key masking parameter to produce a new key masking parameter, where said modification is performed in a manner such that an attacker with partial useful information about said first key masking parameter has less useful information about said new key masking parameter; and
(ii) using said new key masking parameter to update said secret parameter in said memory;
(g) repeating steps (d) through (f) a plurality of times, where the power used for each of said modular exponentiation steps (e) is different.
[9" id="US-20010002486-A1-CLM-00009] 9. The method of
claim 8 where said operand x in said phi(x) corresponds to said RSA modulus n of said RSA public key.
[10" id="US-20010002486-A1-CLM-00010] 10. The method of
claim 8 where said operand x in said phi(x) corresponds to a prime factor of said RSA modulus n of said RSA public key, and where said modular exponentiation of said step (e) is performed using the Chinese Remainder Theorem.
[11" id="US-20010002486-A1-CLM-00011] 11. A method for implementing exponential key exchange for use in a cryptographic system, with resistance to leakage attacks against said cryptographic system, comprising the steps of:
(a) obtaining, and storing in a memory, exponential key exchange parameters g and p, and a plurality of secret exponent parameters on which an arithmetic relationship may be computed to produce an exponent x;
(b) using a key update transformation to produce a plurality of updated secret exponent parameters while maintaining said arithmetic relationship thereamong;
(c) receiving a public value y from a party with whom said key exchange is desired;
(d) using said updated secret exponent parameters to perform a cryptographic computation yielding an exponential key exchange result z=y x mod p;
(e) using said result z to secure an electronic communication with said party; and
(f) performing said steps (b), (c), (d), and (e) in a plurality of transactions.
[12" id="US-20010002486-A1-CLM-00012] 12. The method of
claim 11 where each of said transactions involves a different said party.
[13" id="US-20010002486-A1-CLM-00013] 13. The method of
claim 11 where said arithmetic relationship is such that said exponential key exchange result is a product of certain of said secret exponent parameters, both before and after said step (b).
[14" id="US-20010002486-A1-CLM-00014] 14. The method of
claim 11 where said key update transformation includes choosing a random key update value r; and where said step (b) includes multiplying one of said secret exponent parameters by r and another of said secret exponent parameters by an inverse of r, said multiplication being performed modulo phi(p), where phi is Euler's totient function.
[15" id="US-20010002486-A1-CLM-00015] 15. The method of
claim 11 where said key update transformation includes choosing a random key update value r; and where said step (b) includes adding r to one of said secret exponent parameters and subtracting r from another of said secret exponent parameters.
[16" id="US-20010002486-A1-CLM-00016] 16. The method of
claim 15 where said secret exponent parameters include two values x₁ and x₂ such that x₁+x₂ is congruent to x, modulo phi(p), where phi is Euler's totient function, and where said step of performing said cryptographic computation yielding said exponential key exchange result includes computing z₁=yx₁ mod p, Z₂=yx₂ mod p, and z=z₁z₂ mod p.
[17" id="US-20010002486-A1-CLM-00017] 17. A cryptographic token configured to perform cryptographic operations using a secret key in a secure manner, comprising:
(a) an interface configured to receive power from a source external to said token;
(b) a memory containing said secret key;
(c) a processor:
(i) configured to receive said power delivered via said interface;
(ii) configured to perform said processing using said secret key from said memory;
(d) said token having a power consumption characteristic:
(i) that is externally measurable; and
(ii) that varies over time in a manner measurably correlated with said cryptographic operations; and
(e) a source of unpredictable information usable in said cryptographic operations to make determination of said secret key infeasible from external measurements of said power consumption characteristic.
[18" id="US-20010002486-A1-CLM-00018] 18. The cryptographic token of
claim 17 , in the form of a secure microprocessor.
[19" id="US-20010002486-A1-CLM-00019] 19. The cryptographic token of
claim 17 , in the form of a smart card.
[20" id="US-20010002486-A1-CLM-00020] 20. The cryptographic token of
claim 19 , wherein said cryptographic operations performed by said smart card enable a holder thereof to decrypt an encrypted communication received via a computer network.
[21" id="US-20010002486-A1-CLM-00021] 21. The cryptographic token of
claim 19 , wherein said smart card is configured to store value in an electronic cash scheme.
[22" id="US-20010002486-A1-CLM-00022] 22. The cryptographic token of
claim 21 , wherein said cryptographic operations include authenticating that a balance of said stored value has been decreased.
[23" id="US-20010002486-A1-CLM-00023] 23. The cryptographic token of
claim 17 , wherein said cryptographic operations include asymmetric private key operations.
[24" id="US-20010002486-A1-CLM-00024] 24. The cryptographic token of
claim 23 wherein said cryptographic operations include exponential key agreement operations.
[25" id="US-20010002486-A1-CLM-00025] 25. The cryptographic token of
claim 23 , wherein said cryptographic operations include DSA signing operations.
[26" id="US-20010002486-A1-CLM-00026] 26. The cryptographic token of
claim 23 , wherein said cryptographic operations include ElGamal private key operations.
[27" id="US-20010002486-A1-CLM-00027] 27. The cryptographic token of
claim 23 , wherein said asymmetric private key operations include RSA private key operations.
[28" id="US-20010002486-A1-CLM-00028] 28. The cryptographic token of
claim 27 wherein said private key operations include Chinese Remainder Theorem operations.
[29" id="US-20010002486-A1-CLM-00029] 29. The cryptographic token of
claim 17 , wherein said cryptographic operations include symmetric encryption operations.
[30" id="US-20010002486-A1-CLM-00030] 30. The cryptographic token of
claim 17 , wherein said cryptographic operations include symmetric decryption operations.
[31" id="US-20010002486-A1-CLM-00031] 31. The cryptographic token of
claim 17 , wherein said cryptographic operations include symmetric authentication operations using said secret key.
[32" id="US-20010002486-A1-CLM-00032] 32. The cryptographic token of
claim 17 , wherein said cryptographic operations include authenticating a payment.
[33" id="US-20010002486-A1-CLM-00033] 33. The cryptographic token of
claim 17 , wherein said cryptographic operations include securing a broadcast communications signal.
[34" id="US-20010002486-A1-CLM-00034] 34. The cryptographic token of
claim 33 , wherein said cryptographic operations include decrypting a satellite broadcast.
[35" id="US-20010002486-A1-CLM-00035] 35. A method for securely managing and using a private key in a computing environment where information about said private key may leak to attackers, comprising the steps of:
(a) using a first private key, complementary to a public key, to perform first asymmetric cryptographic operation;
(b) reading at least a portion of said first private key from a memory;
(c) transforming said read portion of said first private key to produce a second private key:
(i) said second private key usable to perform a subsequent asymmetric cryptographic operation in a manner that remains complementary to said public key, and
(ii) said transformation enabling said asymmetric cryptographic operations to be performed in a manner such that information leaked during said first asymmetric cryptographic operation does not provide incrementally useful information about said second private key;
(d) obtaining a datum;
(e) using said second private key to perform said subsequent asymmetric cryptographic operation on said datum.
[36" id="US-20010002486-A1-CLM-00036] 36. The method of
claim 35 where said asymmetric cryptographic operation includes a digital signing operation.
[37" id="US-20010002486-A1-CLM-00037] 37. The method of
claim 36 where said signing operation is an RSA operation.
[38" id="US-20010002486-A1-CLM-00038] 38. The method of
claim 36 where said signing operation is an DSA operation.
[39" id="US-20010002486-A1-CLM-00039] 39. The method of
claim 36 where said signing operation is an ElGamal operation.
[40" id="US-20010002486-A1-CLM-00040] 40. The method of
claim 35 where said asymmetric cryptographic operation includes a decryption operation.
[41" id="US-20010002486-A1-CLM-00041] 41. The method of
claim 40 where said decryption operation is an RSA operation.
[42" id="US-20010002486-A1-CLM-00042] 42. The method of
claim 40 where said decryption operation is an ElGamal operation.
[43" id="US-20010002486-A1-CLM-00043] 43. The method of
claim 35 where at least two of said steps are performed in an order different than (a), (b), (c), (d), (e).
[44" id="US-20010002486-A1-CLM-00044] 44. The method of
claim 35 further com prising the step, after at least said step (c), of replacing said private key in said memory with said second private key.
[45" id="US-20010002486-A1-CLM-00045] 45. The method of
claim 35 , performed in a smart card.
[46" id="US-20010002486-A1-CLM-00046] 46. The method of
claim 35 , further comprising the steps of: prior to at least said step (c), incrementing a counter stored in a nonvolatile memory and verifying that said counter has not exceeded a threshold value; and after at least said step (c) has completed successfully, decreasing a value of said counter.
[47" id="US-20010002486-A1-CLM-00047] 47. A method for performing cryptographic transactions while protecting a stored cryptographic key against compromise due to leakage attacks, comprising the steps of:
(a) retrieving a stored private cryptographic key stored in a memory, said stored key having been used in a previous cryptographic transaction;
(b) using a first cryptographic function to derive from said stored key an updated key, about which useful information about said stored key obtained through monitoring of leaked information is effectively uncorrelated to said updated key;
(c) replacing said stored key in said memory with said updated key;
(d) using an asymmetric cryptographic function, cryptographically processing a datum with said updated key; and
(e) sending said cryptographically processed datum to an external device having a public key corresponding to said stored key.
[48" id="US-20010002486-A1-CLM-00048] 48. The method of
claim 47 where said stored key includes a first plurality of parameters, and where said updated key includes a second plurality of parameters.
[49" id="US-20010002486-A1-CLM-00049] 49. The method of
claim 48 where no secret value within said first plurality of parameters is included within said second plurality of parameters.
[50" id="US-20010002486-A1-CLM-00050] 50. The method of
claim 49 where said first plurality of parameters is different than said second plurality of parameters, yet a predetermined relationship among said first plurality of parameters is also maintained among said second plurality of parameters.
[51" id="US-20010002486-A1-CLM-00051] 51. The method of
claim 50 where said relationship among said plurality of parameters is an arithmetic finction involving at least two of said plurality of parameters.
[52" id="US-20010002486-A1-CLM-00052] 52. The method of
claim 51 where said arithmetic fuinction is the sum of said parameters.
[53" id="US-20010002486-A1-CLM-00053] 53. The method of
claim 51 where said relationship includes a bitwise combination of said parameters.
[54" id="US-20010002486-A1-CLM-00054] 54. The method of
claim 53 where said bitwise combination is an exclusive OR.
[55" id="US-20010002486-A1-CLM-00055] 55. The method of
claim 47 where said step (b) includes using pseudorandomness to derive said updated key.
[56" id="US-20010002486-A1-CLM-00056] 56. A method for implementing a private key operation for an asymmetric cryptographic system with resistance to leakage attacks against said cryptographic system, comprising the steps of:
(a) encoding a portion of a private key as at least two component parts, such that an arithmetic function of said parts yields said portion;
(b) modifing said component parts to produce updated component parts, but where said arithmetic function of said updated parts still yields said private key portion;
(c) obtaining a message for use in an asymmetric private key cryptographic operation;
(d) separately applying said component parts to said message to produce an intermediate result;
(e) deriving a final result from said intermediate result such that said final result is a valid result of applying said private key to said message;
and
(f) repeating steps (b) through (e) a plurality of times.
[57" id="US-20010002486-A1-CLM-00057] 57. The method of
claim 56 where said private key portion includes an exponent, and where said intermediate result represents the result of raising said message to the power of said exponent, modulo a second key portion.
[58" id="US-20010002486-A1-CLM-00058] 58. The method of
claim 57 where said private key operation is configured for 2 use with an RSA cryptosystem.
[59" id="US-20010002486-A1-CLM-00059] 59. The method of
claim 57 where said private key operation is configured for 2 use with an ElGamal cryptosystem.
[60" id="US-20010002486-A1-CLM-00060] 60. The method of
claim 56 where said private key operation is configured for use with a DSA cryptosystem.
[61" id="US-20010002486-A1-CLM-00061] 61. The method of
claim 60 where said private key is represented by secret parameters ak and k whose product, modulo a predetermined DSA prime q for said private key, yields said private key portion.
[62" id="US-20010002486-A1-CLM-00062] 62. The method of
claim 56 implemented in a smart card.
[63" id="US-20010002486-A1-CLM-00063] 63. The method of
claim 56 where said private key is configured for use with an elliptic curve cryptosystem.
[64" id="US-20010002486-A1-CLM-00064] 64. A method for performing cryptographic transactions in a cryptographic token while protecting a stored cryptographic key against compromise due to leakage attacks, including the steps of:
(a) retrieving said stored key from a memory;
(b) cryptographically processing said key, to derive an updated key, by executing a cryptographic update finction that:
(i) prevents partial information about said stored key from revealing useful information about said updated key, and
(ii) also prevents partial information about said updated key from revealing useful information about said stored key;
(c) replacing said stored key in said memory with said updated key;
(d) performing a cryptographic operation using said updated key; and
(e) repeating steps (a) through (d) a plurality of times.
[65" id="US-20010002486-A1-CLM-00065] 65. The method of
claim 64 where said cryptographic update function of said step (b) includes a one-way hash operation.
[66" id="US-20010002486-A1-CLM-00066] 66. The method of
claim 64 where said cryptographic operation of said step (d) is a symmetric cryptographic operation; and comprising the further step of sending a result of said cryptographic operation to a party capable of rederiving said updated key.
[67" id="US-20010002486-A1-CLM-00067] 67. The method of
claim 64 further comprising the step, prior to said step (a), of receiving from a second party a symmetric authentication code and a parameter; and said where said step (b) includes iterating a cryptographic transformation a number of times determined from said parameter; and where said step (d) includes performing a symmetric message authentication code verification operation.
[68" id="US-20010002486-A1-CLM-00068] 68. The method of
claim 66 where said step (d) of performing said cryptographic operation includes using said updated key to encrypt a datum.
[69" id="US-20010002486-A1-CLM-00069] 69. The method of
claim 66 where said updated key contains unpredictable information such that said updated key is not stored in its entirety anywhere outside of said cryptographic token; and where the result of said step (d) is independent of said unpredictable information.
[70" id="US-20010002486-A1-CLM-00070] 70. The method of
claim 64 where said step (c) of replacing said stored key includes:
(i) explicitly erasing a region of said memory containing said stored key; and
(ii) storing said updated key in said region of memory.
[71" id="US-20010002486-A1-CLM-00071] 71. The method of
claim 64 performed within a smart card.

类似技术:

---

公开号 | 公开日 | 专利标题

---

US6304658B1|2001-10-16|Leak-resistant cryptographic method and apparatus

---

US10262141B2|2019-04-16|Secure processor with resistance to external monitoring attacks

---

US7853012B2|2010-12-14|Authentication system executing an elliptic curve digital signature cryptographic process

---

US7047408B1|2006-05-16|Secure mutual network authentication and key exchange protocol

---

US6757825B1|2004-06-29|Secure mutual network authentication protocol

---

Young et al.1997|The prevalence of kleptographic attacks on discrete-log based cryptosystems

---

JP2008252299A|2008-10-16|Encryption processing system and encryption processing method

---

NZ550786A|2009-02-28|Computationally asymmetric cryptographic systems

---

JP2004304800A|2004-10-28|Protection of side channel for prevention of attack in data processing device

---

JP2015534419A|2015-11-26|Method and system for anti-glitch cryptographic discrete log-based signature

---

US9800418B2|2017-10-24|Signature protocol

---

JP2011530093A|2011-12-15|Solutions to protect power-based encryption

---

US20090016523A1|2009-01-15|Masking and Additive Decomposition Techniques for Cryptographic Field Operations

---

EP1691501B1|2009-04-22|Leak-resistant cryptography method an apparatus

---

Tapiador et al.2011|Cryptanalysis of Song's advanced smart card based password authentication protocol

---

Jeong et al.2002|Provably secure encrypt-then-sign composition in hybrid signcryption

---

Kwon2002|Virtual software tokens-a practical way to secure PKI roaming

---

Jung et al.2016|Cryptanalysis and improvement of efficient password-based user authentication scheme using hash function

---

CA2278754A1|1998-08-13|A method of using transient faults to verify the security of a cryptosystem

---

AU7659598A|1998-11-27|Pseudo-random generator based on a hash coding function for cryptographic systems requiring random drawing

---

Ahmed2018|Authentication Mechanisms in Computer Network Protocols

---

Van Der Merwe et al.2020|Security in banking.

---

Kwon2003|Robust Software Tokens—Yet another method for securing user’s digital identity

---

Wang et al.2006|Cryptanalysis of timestamp-based password authentication schemes using smart cards

---

Biswal et al.2012|A Novel Blind Signature Scheme Based On Discrete Logarithm Problem With Un-traceability

同族专利:

---

公开号 | 公开日

---

US7506165B2|2009-03-17|

---

EP1050133B1|2006-05-03|

---

EP1050133B2|2009-05-27|

---

US20080104400A1|2008-05-01|

---

US6304658B1|2001-10-16|

---

US20030028771A1|2003-02-06|

---

EP1050133A1|2000-11-08|

---

AU2557399A|1999-07-26|

---

CA2316227A1|1999-07-15|

---

US6381699B2|2002-04-30|

---

DE69834431D1|2006-06-08|

---

DE69840782D1|2009-06-04|

---

EP1050133A4|2005-05-04|

---

DE69834431T3|2009-09-10|

---

DE69834431T2|2007-04-19|

---

WO1999035782A1|1999-07-15|

---

AT429748T|2009-05-15|

---

US7792287B2|2010-09-07|

---

CA2316227C|2009-08-11|

---

AT325478T|2006-06-15|

引用文献:

---

公开号 | 申请日 | 公开日 | 申请人 | 专利标题

---

US20020089725A1|2000-10-04|2002-07-11|Wave7 Optics, Inc.|System and method for communicating optical signals upstream and downstream between a data service provider and subscribers|

---

US20030016692A1|2000-10-26|2003-01-23|Wave7 Optics, Inc.|Method and system for processing upstream packets of an optical network|

---

US20030046547A1|2001-05-30|2003-03-06|Jakobsson Bjorn Markus|Secure distributed computation in cryptographic applications|

---

US20030044014A1|2001-09-06|2003-03-06|Pierre-Yvan Liardet|Method for scrambling a calculation with a secret quantity|

---

US20030044003A1|2001-08-14|2003-03-06|International Business Machines Corporation|Space-efficient, side-channel attack resistant table lookups|

---

US20030072059A1|2001-07-05|2003-04-17|Wave7 Optics, Inc.|System and method for securing a communication channel over an optical network|

---

US20030152218A1|2000-04-18|2003-08-14|Jean-Sebastien Coron|Cryptography method on elliptic curves|

---

US20030200218A1|2002-04-23|2003-10-23|International Business Machines Corporation|Content management system and methodology featuring query conversion capability for efficient searching|

---

US20030200256A1|2002-04-23|2003-10-23|International Business Machines Corporation|Method and apparatus of parameter passing of structured data for stored procedures in a content management system|

---

US20030200224A1|2002-04-23|2003-10-23|International Business Machines Corporation|Content management system and methodology employing a tree-based table hierarchy featuring arbitrary information retrieval from different locations in the hierarchy|

---

US20030200202A1|2002-04-23|2003-10-23|International Business Machines Corporation|Content management system and methodology employing non-transferable access tokens to control data access|

---

US20030204537A1|2002-04-23|2003-10-30|International Business Machines Corporation|Content management system and methodology for implementing a complex object using nested/recursive structures|

---

US20030223750A1|2001-07-05|2003-12-04|Farmer James O.|Method and system for providing a return path for signals generated by legacy terminals in an optical network|

---

US20040131357A1|2001-07-05|2004-07-08|Wave7 Optics, Inc.|Method and system for supporting multiple services with a subscriber optical interface located outside a subscriber's premises|

---

WO2003098429A3|2002-05-16|2004-07-15|Giesecke & Devrient Gmbh|Modular inversion that is protected against espionage|

---

US20040141747A1|2001-07-05|2004-07-22|Wave7 Optics, Inc.|Method and system for supporting multiple service providers within a single optical network|

---

US20040151310A1|2003-01-31|2004-08-05|Fu Kevin E.|Method and system for relating cryptographic keys|

---

US20040179680A1|2001-04-30|2004-09-16|Pierre-Yvan Liardet|Method for encrypting a calculation using a modular function|

---

US20050018842A1|2003-07-21|2005-01-27|Fu Kevin E.|Windowed backward key rotation|

---

US20050053350A1|2002-10-15|2005-03-10|Wave7 Optics, Inc.|Reflection suppression for an optical fiber|

---

US20050081041A1|2003-10-10|2005-04-14|Jing-Jang Hwang|Partition and recovery of a verifiable digital secret|

---

US20050125837A1|2001-07-05|2005-06-09|Wave7 Optics, Inc.|Method and system for providing a return path for signals generated by legacy video service terminals in an optical network|

---

US20050160432A1|2004-01-16|2005-07-21|International Business Machines Corporation|Parameter passing of data structures where API and corresponding stored procedure are different versions/releases|

---

US6938050B2|2002-04-23|2005-08-30|International Business Machines Corporation|Content management system and methodology employing a tree-based table hierarchy which accomodates opening a dynamically variable number of cursors therefor|

---

US6947948B2|2002-04-23|2005-09-20|International Business Machines Corporation|Version-enabled, multi-typed, multi-targeting referential integrity relational database system and methodology|

---

US6973271B2|2000-10-04|2005-12-06|Wave7 Optics, Inc.|System and method for communicating optical signals between a data service provider and subscribers|

---

US20060020975A1|2001-07-05|2006-01-26|Wave7 Optics, Inc.|System and method for propagating satellite TV-band, cable TV-band, and data signals over an optical network|

---

US20060039699A1|2004-08-10|2006-02-23|Wave7 Optics, Inc.|Countermeasures for idle pattern SRS interference in ethernet optical network systems|

---

US20060075428A1|2004-10-04|2006-04-06|Wave7 Optics, Inc.|Minimizing channel change time for IP video|

---

US7039329B2|2001-07-05|2006-05-02|Wave7 Optics, Inc.|System and method for increasing upstream communication efficiency in an optical network|

---

US20060092251A1|2004-11-04|2006-05-04|Hewlett-Packard Development Company, L.P.|Inkjet compositions|

---

US20060159457A1|2001-07-05|2006-07-20|Wave7 Optics, Inc.|System and method for communicating optical signals between a data service provider and subscribers|

---

US20060187863A1|2004-12-21|2006-08-24|Wave7 Optics, Inc.|System and method for operating a wideband return channel in a bi-directional optical communication system|

---

US20060248336A1|2005-04-28|2006-11-02|Secure Data In Motion, Inc.|Mediated key exchange between source and target of communication|

---

US20060269285A1|2002-01-08|2006-11-30|Wave7 Optics, Inc.|Optical network system and method for supporting upstream signals propagated according to a cable modem protocol|

---

US7146104B2|2001-07-05|2006-12-05|Wave7 Optics, Inc.|Method and system for providing a return data path for legacy terminals by using existing electrical waveguides of a structure|

---

US20070043945A1|2005-08-19|2007-02-22|Choi Jin-Hyeock|Method for performing multiple pre-shared key based authentication at once and system for executing the method|

---

US7184664B2|2001-07-05|2007-02-27|Wave7 Optics, Inc.|Method and system for providing a return path for signals generated by legacy terminals in an optical network|

---

US20070047959A1|2005-08-12|2007-03-01|Wave7 Optics, Inc.|System and method for supporting communications between subcriber optical interfaces coupled to the same laser transceiver node in an optical network|

---

US20070077069A1|2000-10-04|2007-04-05|Farmer James O|System and method for communicating optical signals upstream and downstream between a data service provider and subscribers|

---

US7218855B2|2001-07-05|2007-05-15|Wave7 Optics, Inc.|System and method for communicating optical signals to multiple subscribers having various bandwidth demands connected to the same optical waveguide|

---

US7254600B2|2002-09-20|2007-08-07|Stmicroelectronics S.A.|Masking of factorized data in a residue number system|

---

EP1815411A2|2004-09-30|2007-08-08|American Express Travel Related Services Company, Inc.|System and method for authenticating a rf transaction using a radio frequency identification device including a transactions counter|

---

US20070212070A1|2003-03-14|2007-09-13|Farmer James O|Method and system for providing a return path for signals generated by legacy terminals in an optical network|

---

US20070223928A1|2001-08-03|2007-09-27|Farmer James O|Method and system for providing a return path for signals generated by legacy terminals in an optical network|

---

US20070253551A1|2003-10-06|2007-11-01|Canal + Technologies|Portable Security Module Pairing|

---

US20070263577A1|2004-08-20|2007-11-15|Paolo Gallo|Method for Enrolling a User Terminal in a Wireless Local Area Network|

---

US20070292133A1|2002-05-20|2007-12-20|Whittlesey Paul F|System and method for communicating optical signals to multiple subscribers having various bandwidth demands connected to the same optical waveguide|

---

US20080082824A1|2006-09-28|2008-04-03|Ibrahim Wael M|Changing of shared encryption key|

---

US20080085117A1|2004-08-19|2008-04-10|Farmer James O|System and method for communicating optical signals between a data service provider and subscribers|

---

US7392246B2|2003-02-14|2008-06-24|International Business Machines Corporation|Method for implementing access control for queries to a content management system|

---

US20080219450A1|2007-03-07|2008-09-11|Nevine Maurice Nassif Ebeid|Methods And Apparatus For Performing An Elliptic Curve Scalar Multiplication Operation Using Splitting|

---

WO2008106792A1|2007-03-06|2008-09-12|Research In Motion Limited|Methods and apparatus for performing an elliptic curve scalar multiplication operation using splitting|

---

US20090003606A1|2007-06-28|2009-01-01|Samsung Electronics Co., Ltd.|Changing the order of public key cryptographic computations|

---

US7477741B1|2004-10-01|2009-01-13|The United States Of America As Represented By The Administrator Of The National Aeronautics And Space Administration|Analysis resistant cipher method and apparatus|

---

US20090052657A1|2005-10-28|2009-02-26|Telecom Italia S.P.A.|Method for Scalar Multiplication in Elliptic Curve Groups Over Binary Polynomial Fields for Side-Channel Attack-Resistant Cryptosystems|

---

US20090164796A1|2007-12-21|2009-06-25|Daon Holdings Limited|Anonymous biometric tokens|

---

US7764785B2|2004-11-08|2010-07-27|King Fahd University Of Petroleum And Minerals|Method for communicating securely over an insecure communication channel|

---

US20100299266A1|2009-05-20|2010-11-25|M-Dot, Inc.|Digital Incentives Issuance, Redemption, and Reimbursement|

---

US20100296654A1|2009-05-19|2010-11-25|Terence Wilson|Configuring a network connection|

---

US8059814B1|2007-09-28|2011-11-15|Emc Corporation|Techniques for carrying out seed or key derivation|

---

US20120082307A1|2009-06-16|2012-04-05|Morpho|Cryptography on a elliptical curve|

---

CN103221917A|2010-09-29|2013-07-24|纳格拉影像股份有限公司|Protecting modular exponentiation in cryptographic operations|

---

US20130218937A1|2010-12-27|2013-08-22|Mitsubishi Electric Corporation|Arithmetic apparatus, elliptic scalar multiplication method of arithmetic apparatus, elliptic scalar multiplication program, residue operation method of arithmetic apparatus, and residue operation program|

---

US8539254B1|2010-06-01|2013-09-17|Xilinx, Inc.|Method and integrated circuit for protecting against differential power analysis attacks|

---

US8583944B1|2010-08-04|2013-11-12|Xilinx, Inc.|Method and integrated circuit for secure encryption and decryption|

---

US8650408B2|2010-09-08|2014-02-11|Xilinx, Inc.|Protecting against differential power analysis attacks on decryption keys|

---

US8712038B2|2009-06-16|2014-04-29|Morpho|Cryptography on a simplified elliptical curve|

---

US20140129604A1|2012-11-07|2014-05-08|Inside Secure|Cryptographic method comprising a modular exponentiation operation|

---

US8832462B2|2010-09-08|2014-09-09|Xilinx, Inc.|Protecting against differential power analysis attacks on sensitive data|

---

US20140331051A1|2002-10-08|2014-11-06|Koolspan, Inc.|Localized network authentication and security using tamper-resistant keys|

---

US8909941B1|2011-03-31|2014-12-09|Xilinx, Inc.|Programmable integrated circuit and a method of enabling the detection of tampering with data provided to a programmable integrated circuit|

---

US8966253B1|2010-06-01|2015-02-24|Xilinx, Inc.|Method and apparatus for authenticating a programmable device bitstream|

---

US20150222422A1|2014-01-31|2015-08-06|Google Inc.|Systems and methods for faster public key encryption using the associated private key portion|

---

CN104917608A|2015-05-19|2015-09-16|清华大学|Key anti-power attack method|

---

US20160134419A1|2014-11-11|2016-05-12|Ned M. Smith|Technologies for trusted device on-boarding|

---

US20160323097A1|2015-04-30|2016-11-03|Nxp B.V.|Securing a cryptographic device|

---

US20170063556A1|2002-07-26|2017-03-02|Koninklijke Philips N.V.|Secure authenticated distance measurement|

---

EP2201718A4|2007-10-08|2017-07-19|Microsoft Technology Licensing, LLC|An efficient certified email protocol|

---

US20170237780A1|2016-02-17|2017-08-17|Nagravision S.A.|Methods and systems for enabling legal-intercept mode for a targeted secure element|

---

US20170244551A1|2016-02-22|2017-08-24|Eshard|Method of protecting a circuit against a side-channel analysis|

---

WO2017152056A1|2016-03-03|2017-09-08|Cryptography Research, Inc.|Converting a boolean masked value to an arithmetically masked value for cryptographic operations|

---

US9773111B2|2012-08-14|2017-09-26|Empire Technology Development Llc|Software-based side-channel attack prevention|

---

US9866371B2|2009-06-16|2018-01-09|Morpho|Cryptography on a simplified elliptical curve|

---

US10027483B2|2009-06-16|2018-07-17|Morpho|Cryptography on an elliptical curve|

---

CN109379176A|2018-12-10|2019-02-22|湖北工业大学|A kind of certifiede-mail protocol method of anti-password leakage|

---

US10397269B2|2014-03-21|2019-08-27|Sun Patent Trust|Security key derivation in dual connectivity|

---

US10642962B2|2015-07-28|2020-05-05|Western Digital Technologies, Inc.|Licensable function for securing stored data|

---

US10686598B2|2017-02-27|2020-06-16|Cord3 Innovation Inc.|One-to-many symmetric cryptographic system and method|

---

US10986626B2|2017-04-21|2021-04-20|Netgear, Inc.|Robust control plane for management of a multi-band wireless networking system|

---

US11063743B2|2017-03-21|2021-07-13|Thales Dis France Sa|Method of RSA signature of decryption protected using assymetric multiplicative splitting|US2733432A||1956-01-31||Breckman |

---

FR561910A|1922-02-11|1923-10-30|||

---

US4214126A|1945-04-30|1980-07-22|Rca Corporation|Cadence suppression system|

---

US2632058A|1946-03-22|1953-03-17|Bell Telephone Labor Inc|Pulse code communication|

---

US3816762A|1973-01-02|1974-06-11|Fairchild Camera Instr Co|Noise suppression circuit|

---

US4243890A|1976-08-23|1981-01-06|Miller Bruce J|Isolator/switching assembly for data processing terminal|

---

US4107458A|1976-08-23|1978-08-15|Constant James N|Cipher computer and cryptographic system|

---

US4139839A|1977-03-18|1979-02-13|Nasa|Digital data reformatter/deserializer|

---

US4295041A|1977-08-26|1981-10-13|Compagnie Internationale Pour L'informatique Cii-Honeywell Bull |Device for the protection of access to a permanent memory of a portable data carrier|

---

FR2401459B1|1977-08-26|1980-04-25|Cii Honeywell Bull||

---

US4200770A|1977-09-06|1980-04-29|Stanford University|Cryptographic apparatus and method|

---

US4202051A|1977-10-03|1980-05-06|Wisconsin Alumni Research Foundation|Digital data enciphering and deciphering circuit and method|

---

CH623271A5|1977-11-15|1981-05-29|Hasler Ag||

---

US4203166A|1977-12-05|1980-05-13|International Business Machines Corporation|Cryptographic file security for multiple domain networks|

---

US4405829A|1977-12-14|1983-09-20|Massachusetts Institute Of Technology|Cryptographic communications system and method|

---

US4309569A|1979-09-05|1982-01-05|The Board Of Trustees Of The Leland Stanford Junior University|Method of providing digital signatures|

---

US4369332A|1979-09-26|1983-01-18|Burroughs Corporation|Key variable generator for an encryption/decryption device|

---

US4268898A|1980-03-20|1981-05-19|Lorain Products Corporation|Semiconductor switching circuit with clamping and energy recovery features|

---

DE3127843A1|1981-07-15|1983-05-26|AEG-Telefunken Nachrichtentechnik GmbH, 7150 Backnang|METHOD FOR PREVENTING "COMPROMISING RADIATION" IN PROCESSING AND TRANSMITTING SECRET DATA INFORMATION|

---

JPH0113766B2|1982-04-26|1989-03-08|Nippon Telegraph & Telephone||

---

US4605921A|1983-06-20|1986-08-12|Riddle Herbert S|Digital word-framing technique and system|

---

US4569052A|1983-07-14|1986-02-04|Sperry Corporation|Coset code generator for computer memory protection|

---

US4759063A|1983-08-22|1988-07-19|Chaum David L|Blind signature systems|

---

US4776011A|1983-10-24|1988-10-04|Sony Corporation|Recursive key schedule cryptographic system|

---

US4605820A|1983-11-10|1986-08-12|Visa U.S.A. Inc.|Key management system for on-line communication|

---

US4570084A|1983-11-21|1986-02-11|International Business Machines Corporation|Clocked differential cascode voltage switch logic systems|

---

US4799258A|1984-02-13|1989-01-17|National Research Development Corporation|Apparatus and methods for granting access to computers|

---

NL8401989A|1984-06-22|1986-01-16|Nederlanden Staat|VIDEO ENTRY STATION WITH IMAGE LINE SCRAPE.|

---

JPS61102167A|1984-10-23|1986-05-20|Yokogawa Hokushin Electric Corp|Dc/dc converter|

---

US4661658A|1985-02-12|1987-04-28|International Business Machines Corporation|Offline PIN validation with DES|

---

US4686392A|1985-10-30|1987-08-11|International Business Machines Corporation|Multi-functional differential cascode voltage switch logic|

---

GB8608172D0|1986-04-03|1986-05-08|Walker S M|Computer security devices|

---

FR2600183B1|1986-06-13|1990-10-12|Eurotechnique Sa|INTEGRATED CIRCUIT FOR CONFIDENTIALLY STORING AND PROCESSING INFORMATION COMPRISING AN ANTI-FRAUD DEVICE|

---

US4937866A|1986-08-13|1990-06-26|U.S. Philips Corporation|System for decoding transmitted scrambled signals|

---

JPH0565059B2|1986-09-12|1993-09-16|Nippon Electric Co||

---

US5341423A|1987-02-06|1994-08-23|General Electric Company|Masked data transmission system|

---

FR2617976B1|1987-07-10|1989-11-10|Thomson Semiconducteurs|BINARY LOGIC LEVEL ELECTRIC DETECTOR|

---

JPH0583959B2|1987-10-29|1993-11-30|Toppan Printing Co Ltd||

---

JP2698588B2|1987-11-13|1998-01-19|株式会社東芝|Portable electronic devices|

---

US5412379A|1988-05-27|1995-05-02|Lectron Products, Inc.|Rolling code for a keyless entry system|

---

JPH022475A|1988-06-15|1990-01-08|Omron Tateisi Electron Co|Ic card|

---

NO165698C|1988-07-05|1991-03-20|System Sikkerhet As|DIGITAL EQUIPMENT PROTECTION SYSTEM.|

---

DE3825880C1|1988-07-29|1995-12-21|Siemens Ag|Key device|

---

GB8819767D0|1988-08-19|1989-07-05|Ncr Co|Public key diversification method|

---

US4932057A|1988-10-17|1990-06-05|Grumman Aerospace Corporation|Parallel transmission to mask data radiation|

---

US4905176A|1988-10-28|1990-02-27|International Business Machines Corporation|Random number generator circuit|

---

FR2638869B1|1988-11-10|1990-12-21|Sgs Thomson Microelectronics|SECURITY DEVICE AGAINST UNAUTHORIZED DETECTION OF PROTECTED DATA|

---

US5293029A|1989-01-17|1994-03-08|Kabushiki Kaisha Toshiba|System for mutually certifying an IC card and an IC card terminal|

---

SE462935B|1989-01-30|1990-09-17|Cominvest Res Ab|KEEPING AND DEVICE PROVIDING EXTERNAL DETECTION OF SIGNAL INFORMATION|

---

US5181243A|1989-05-19|1993-01-19|Syntellect, Inc.|System and method for communications security protection|

---

US5086467A|1989-05-30|1992-02-04|Motorola, Inc.|Dummy traffic generation|

---

FR2651347A1|1989-08-22|1991-03-01|Trt Telecom Radio Electr|SINGLE NUMBER GENERATION METHOD FOR MICROCIRCUIT BOARD AND APPLICATION TO COOPERATION OF THE BOARD WITH A HOST SYSTEM.|

---

US5412730A†|1989-10-06|1995-05-02|Telequip Corporation|Encrypted data transmission system employing means for randomly altering the encryption keys|

---

US5136643A|1989-10-13|1992-08-04|Fischer Addison M|Public/key date-time notary facility|

---

IT1238529B|1989-11-10|1993-08-18|Data Protection Srl|PROTECTIVE DEVICE FOR COMPUTERS AND SIMILAR, TO PREVENT THE CAPTURE, REGISTRATION AND UNDUE USE OF DATA FROM THE SAME DURING THEIR FUNCTIONING AND TO PROTECT THEM FROM TRANSITIONAL DISTURBANCES, WITH HIGH LEVEL ENERGY CONTENT, VERIFYING ON THE MAINS NETWORK POWER SUPPLY.|

---

US5249294A|1990-03-20|1993-09-28|General Instrument Corporation|Determination of time of execution of predetermined data processing routing in relation to occurrence of prior externally observable event|

---

US5177430A|1990-04-19|1993-01-05|Moshe Mohel|Circuit for securing a power supply|

---

CA2044051A1|1990-06-29|1991-12-30|Paul C. Wade|System and method for error detection and reducing simultaneous switching noise|

---

JPH0778975B2|1990-09-27|1995-08-23|インターナシヨナル・ビジネス・マシーンズ・コーポレーシヨン|Optical disk drive|

---

FR2667715B1|1990-10-09|1994-12-30|Gemplus Card Int||

---

US5144667A|1990-12-20|1992-09-01|Delco Electronics Corporation|Method of secure remote access|

---

US5136646A|1991-03-08|1992-08-04|Bell Communications Research, Inc.|Digital document time-stamping with catenate certificate|

---

US5149992A|1991-04-30|1992-09-22|The State Of Oregon Acting By And Through The State Board Of Higher Education On Behalf Of Oregon State University|MOS folded source-coupled logic|

---

US5241598A|1991-05-22|1993-08-31|Ericsson Ge Mobile Communications, Inc.|Rolling key resynchronization in cellular verification and validation system|

---

SE500276C2|1991-06-24|1994-05-24|Shield Research In Sweden Ab|Method and apparatus for preventing external detection of signal information|

---

US5159632A|1991-09-17|1992-10-27|Next Computer, Inc.|Method and apparatus for public key exchange in a cryptographic system|

---

WO1993006695A1|1991-09-23|1993-04-01|Z-Microsystems|Enhanced security system for computing devices|

---

JP3083187B2|1991-09-30|2000-09-04|富士通株式会社|Key management method of electronic wallet system|

---

EP0558133B1|1992-02-27|1997-06-18|Koninklijke Philips Electronics N.V.|CMOS integrated circuit|

---

JP2821306B2|1992-03-06|1998-11-05|三菱電機株式会社|Authentication method and system between IC card and terminal|

---

US5600324A|1992-05-11|1997-02-04|Rockwell International Corporation|Keyless entry system using a rolling code|

---

US5297201A|1992-10-13|1994-03-22|J.D. Technologies, Inc.|System for preventing remote detection of computer data from tempest signal emissions|

---

FR2704081B1|1993-04-16|1995-05-19|France Telecom|Method for updating a memory card and memory card for implementing this method.|

---

NZ266054A|1993-05-05|1997-05-26|Zunquan Liu|Text encryption/decryption|

---

US5297207A|1993-05-24|1994-03-22|Degele Steven T|Machine generation of cryptographic keys by non-linear processes similar to processes normally associated with encryption of data|

---

CN1096648C|1993-06-02|2002-12-18|惠普公司|System and method for revaluation of stored tokens in IC cards|

---

US5483598A†|1993-07-01|1996-01-09|Digital Equipment Corp., Patent Law Group|Message encryption using a hash function|

---

US5914471A|1993-07-20|1999-06-22|Koninklijke Ptt Nederland N.V.|Method and apparatus for recording usage data of card operated devices|

---

JP2750072B2|1993-07-27|1998-05-13|松下電工株式会社|Power converter|

---

US5399996A|1993-08-16|1995-03-21|At&T Global Information Solutions Company|Circuit and method for minimizing electromagnetic emissions|

---

JP2828218B2|1993-09-20|1998-11-25|インターナシヨナル・ビジネス・マシーンズ・コーポレーシヨン|Method and system for changing an authorized password or key in a distributed communication network|

---

US5369706A|1993-11-05|1994-11-29|United Technologies Automotive, Inc.|Resynchronizing transmitters to receivers for secure vehicle entry using cryptography or rolling code|

---

US5515438A|1993-11-24|1996-05-07|International Business Machines Corporation|Quantum key distribution using non-orthogonal macroscopic signals|

---

FR2713419B1|1993-12-02|1996-07-05|Gemplus Card Int|Method for generating DSA signatures with low cost portable devices.|

---

EP0656708A1|1993-12-03|1995-06-07|International Business Machines Corporation|System and method for the transmission and validation of an updated encryption key between two users|

---

US5404402A|1993-12-21|1995-04-04|Gi Corporation|Clock frequency modulation for secure microprocessors|

---

JP3029381B2|1994-01-10|2000-04-04|富士通株式会社|Data converter|

---

US5434919A|1994-01-11|1995-07-18|Chaum; David|Compact endorsement signature systems|

---

US5631492A|1994-01-21|1997-05-20|Motorola|Standard cell having a capacitor and a power supply capacitor for reducing noise and method of formation|

---

US5412723A|1994-03-01|1995-05-02|International Business Machines Corporation|Mechanism for keeping a key secret from mobile eavesdroppers|

---

US5420925A|1994-03-03|1995-05-30|Lectron Products, Inc.|Rolling code encryption process for remote keyless entry system|

---

JPH07322602A|1994-05-23|1995-12-08|Fujitsu Ltd|Power supply device|

---

US5551013A|1994-06-03|1996-08-27|International Business Machines Corporation|Multiprocessor for hardware emulation|

---

US5414614A|1994-06-06|1995-05-09|Motorola, Inc.|Dynamically configurable switched capacitor power supply and method|

---

US5506905A|1994-06-10|1996-04-09|Delco Electronics Corp.|Authentication method for keyless entry system|

---

EP0693836A1|1994-06-10|1996-01-24|Sun Microsystems, Inc.|Method and apparatus for a key-management scheme for internet protocols.|

---

US5546463A|1994-07-12|1996-08-13|Information Resource Engineering, Inc.|Pocket encrypting and authenticating communications device|

---

US5511123A|1994-08-04|1996-04-23|Northern Telecom Limited|Symmetric cryptographic system for data encryption|

---

US5557346A|1994-08-11|1996-09-17|Trusted Information Systems, Inc.|System and method for key escrow encryption|

---

US5600273A|1994-08-18|1997-02-04|Harris Corporation|Constant delay logic circuits and methods|

---

US5514982A|1994-08-18|1996-05-07|Harris Corporation|Low noise logic family|

---

BE1008699A3|1994-09-09|1996-07-02|Banksys|Method and arrangement for selective give access to a security system.|

---

US5663896A|1994-09-22|1997-09-02|Intel Corporation|Broadcast key distribution apparatus and method using Chinese Remainder|

---

US5559887A|1994-09-30|1996-09-24|Electronic Payment Service|Collection of value from stored value systems|

---

US5633930A|1994-09-30|1997-05-27|Electronic Payment Services, Inc.|Common cryptographic key verification in a transaction network|

---

US5544086A|1994-09-30|1996-08-06|Electronic Payment Services, Inc.|Information consolidation within a transaction network|

---

US5636157A|1994-10-03|1997-06-03|International Business Machines Corporation|Modular 64-bit integer adder|

---

US5737419A|1994-11-09|1998-04-07|Bell Atlantic Network Services, Inc.|Computer system for securing communications using split private key asymmetric cryptography|

---

JP2825064B2|1994-12-19|1998-11-18|株式会社日本自動車部品総合研究所|Encryption device|

---

MX9704961A|1994-12-30|1997-10-31|Thomson Consumer Electronics|Modem with automatic callback provisions.|

---

US5602917A|1994-12-30|1997-02-11|Lucent Technologies Inc.|Method for secure session key generation|

---

US5625692A|1995-01-23|1997-04-29|International Business Machines Corporation|Method and system for a public key cryptosystem having proactive, robust, and recoverable distributed threshold secret sharing|

---

US5483182A|1995-03-06|1996-01-09|Motorola, Inc.|Method and apparatus for a DC-DC converter an current limiting thereof|

---

DE19511298B4|1995-03-28|2005-08-18|Deutsche Telekom Ag|Procedure for issuing and revoking the authorization to receive broadcasts and decoders|

---

US5710834A|1995-05-08|1998-01-20|Digimarc Corporation|Method and apparatus responsive to a code signal conveyed through a graphic image|

---

US5638444A|1995-06-02|1997-06-10|Software Security, Inc.|Secure computer communication method and system|

---

US5778074A|1995-06-29|1998-07-07|Teledyne Industries, Inc.|Methods for generating variable S-boxes from arbitrary keys of arbitrary length including methods which allow rapid key changes|

---

CA2179971C|1995-06-30|2001-10-30|Takahisa Yamamoto|An adaptable communication apparatus and an adaptable communication system|

---

US5727062A|1995-07-06|1998-03-10|Ritter; Terry F.|Variable size block ciphers|

---

FR2738971B1|1995-09-19|1997-10-10|Schlumberger Ind Sa|METHOD FOR DETERMINING AN ENCRYPTION KEY ASSOCIATED WITH AN INTEGRATED CIRCUIT|

---

NL1001659C2|1995-11-15|1997-05-21|Nederland Ptt|Method for writing down an electronic payment method.|

---

US5727063A|1995-11-27|1998-03-10|Bell Communications Research, Inc.|Pseudo-random generator|

---

JPH09163469A|1995-12-11|1997-06-20|Alpha Corp|Device and method for remote control|

---

JP3504050B2|1996-01-26|2004-03-08|株式会社東芝|Power-residue calculation method and apparatus|

---

US6453296B1|1996-01-31|2002-09-17|Canon Kabushiki Kaisha|Electronic credit system and communication apparatus|

---

FR2745135B1|1996-02-15|1998-09-18|Cedric Colnot|METHOD FOR AUTHORIZING ACCESS BY A SERVER TO A SERVICE FROM PORTABLE MEMORY CARD TYPE ELECTRONIC MICROCIRCUIT DEVICES|

---

FR2745099B1|1996-02-19|1998-03-27|Sgs Thomson Microelectronics|METHOD FOR SEQUENCING AN INTEGRATED CIRCUIT|

---

US5761306A|1996-02-22|1998-06-02|Visa International Service Association|Key replacement in a public key cryptosystem|

---

FR2745924B1|1996-03-07|1998-12-11|Bull Cp8|IMPROVED INTEGRATED CIRCUIT AND METHOD FOR USING SUCH AN INTEGRATED CIRCUIT|

---

US5778069A|1996-04-10|1998-07-07|Microsoft Corporation|Non-biased pseudo random number generator|

---

CA2177622A1|1996-05-29|1997-11-30|Thierry Moreau|Cryptographic data integrity apparatus and method based on pseudo-random bit generators|

---

US5764766A†|1996-06-11|1998-06-09|Digital Equipment Corporation|System and method for generation of one-time encryption keys for data communications and a computer program product for implementing the same|

---

US5859548A|1996-07-24|1999-01-12|Lg Semicon Co., Ltd.|Charge recycling differential logic circuit and devices using the same|

---

US5745577A|1996-07-25|1998-04-28|Northern Telecom Limited|Symmetric cryptographic system for data encryption|

---

EP0831433A1|1996-09-24|1998-03-25|Koninklijke KPN N.V.|Method of making recoverable smart card transactions, a method of recovering such a transaction, as well as a smart card allowing recoverable transactions|

---

EP0840477B1|1996-10-31|2012-07-18|Panasonic Corporation|Secret key transfer method which is highly secure and can restrict the damage caused when the secret key is leaked or decoded|

---

GB9624127D0|1996-11-20|1997-01-08|British Telecomm|Transaction system|

---

DE19649292A1|1996-11-28|1998-06-04|Deutsche Telekom Ag|Access protection method for pay television|

---

US5848159A|1996-12-09|1998-12-08|Tandem Computers, Incorporated|Public key cryptographic apparatus and method|

---

US5821775A|1996-12-27|1998-10-13|Intel Corporation|Method and apparatus to interface monotonic and non-monotonic domino logic|

---

US5892829A|1997-01-08|1999-04-06|Bell Communications Research, Inc.|Method and apparatus for generating secure hash functions|

---

US6690795B1|1997-03-04|2004-02-10|Lucent Technologies Inc.|Multiple keys for decrypting data in restricted-access television system|

---

US6049613A|1997-03-07|2000-04-11|Jakobsson; Markus|Method and apparatus for encrypting, decrypting, and providing privacy for data values|

---

WO1998040982A1|1997-03-12|1998-09-17|Visa International|Secure electronic commerce employing integrated circuit cards|

---

GB9707349D0|1997-04-11|1997-05-28|Univ Waterloo|A dynamic current mode logic family|

---

US6748410B1|1997-05-04|2004-06-08|M-Systems Flash Disk Pioneers, Ltd.|Apparatus and method for modular multiplication and exponentiation based on montgomery multiplication|

---

ES2293677T3|1997-05-04|2008-03-16|Sandisk Il Ltd|IMPROVED APPLIANCE AND METHOD FOR MODULAR MULTIPLICATION AND EXPOSURE BASED ON MONTGOMERY MULTIPLICATION.|

---

US5991415A|1997-05-12|1999-11-23|Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science|Method and apparatus for protecting public key schemes from timing and fault attacks|

---

US5917754A|1997-05-21|1999-06-29|Atmel Corporation|Semiconductor memory having a current balancing circuit|

---

US5905399A|1997-06-30|1999-05-18|Sun Microsystems, Inc.|CMOS integrated circuit regulator for reducing power supply noise|

---

AUPO799197A0|1997-07-15|1997-08-07|Silverbrook Research Pty Ltd|Image processing method and apparatus |

---

US6003014A|1997-08-22|1999-12-14|Visa International Service Association|Method and apparatus for acquiring access using a smart card|

---

US6128391A|1997-09-22|2000-10-03|Visa International Service Association|Method and apparatus for asymetric key management in a cryptographic system|

---

US6064740A|1997-11-12|2000-05-16|Curiger; Andreas|Method and apparatus for masking modulo exponentiation calculations in an integrated circuit|

---

US6041412A|1997-11-14|2000-03-21|Tl Technology Rerearch Sdn. Bhd.|Apparatus and method for providing access to secured data or area|

---

US6345359B1|1997-11-14|2002-02-05|Raytheon Company|In-line decryption for protecting embedded software|

---

US6090153A|1997-12-05|2000-07-18|International Business Machines Corporation|Multi-threshold-voltage differential cascode voltage switch circuits|

---

US6046608A|1997-12-08|2000-04-04|Intel Corporation|Differential precharge circuit|

---

US6448981B1|1997-12-09|2002-09-10|International Business Machines Corporation|Intermediate user-interface definition method and system|

---

US6107835A|1997-12-11|2000-08-22|Intrinsity, Inc.|Method and apparatus for a logic circuit with constant power consumption|

---

US6185685B1|1997-12-11|2001-02-06|International Business Machines Corporation|Security method and system for persistent storage and communications on computer network systems and computer network systems employing the same|

---

US6069497A|1997-12-11|2000-05-30|Evsx, Inc.|Method and apparatus for a N-nary logic circuit using 1 of N signals|

---

US6066965A|1997-12-11|2000-05-23|Evsx, Inc.|Method and apparatus for a N-nary logic circuit using 1 of 4 signals|

---

US6046931A|1997-12-11|2000-04-04|Evsx, Inc.|Method and apparatus for a RAM circuit having N-nary output interface|

---

US6211456B1|1997-12-11|2001-04-03|Intrinsity, Inc.|Method and apparatus for routing 1 of 4 signals|

---

DE69834431T3|1998-01-02|2009-09-10|Cryptography Research Inc., San Francisco|LIQUID RESISTANT CRYPTOGRAPHIC PROCESS AND DEVICE|

---

US7587044B2|1998-01-02|2009-09-08|Cryptography Research, Inc.|Differential power analysis method and apparatus|

---

US6226750B1|1998-01-20|2001-05-01|Proact Technologies Corp.|Secure session tracking method and system for client-server environment|

---

US6101477A|1998-01-23|2000-08-08|American Express Travel Related Services Company, Inc.|Methods and apparatus for a travel-related multi-function smartcard|

---

US6041122A|1998-02-27|2000-03-21|Intel Corporation|Method and apparatus for hiding crytographic keys utilizing autocorrelation timing encoding and computation|

---

FR2776445A1|1998-03-17|1999-09-24|Schlumberger Ind Sa|Cryptographic algorithm security technique|

---

FR2776410B1|1998-03-20|2002-11-15|Gemplus Card Int|DEVICES FOR MASKING THE OPERATIONS CARRIED OUT IN A MICROPROCESSOR CARD|

---

US6336188B2|1998-05-01|2002-01-01|Certicom Corp.|Authenticated key agreement protocol|

---

CN100530025C|1998-05-29|2009-08-19|西门子公司|Method and device for processing data|

---

WO1999063696A1|1998-06-03|1999-12-09|Cryptography Research, Inc.|Using unpredictable information to minimize leakage from smartcards and other cryptosystems|

---

AT548819T|1998-06-03|2012-03-15|Cryptography Res Inc|SYMMETRIC CRYPTOGRAPHIC ACTION PROCESS AND DEVICE FOR LOSS MINIMIZATION IN CHIP CARDS AND OTHER ENCRYPTION SYSTEMS|

---

JP2002519722A|1998-06-03|2002-07-02|クリプターグラフィーリサーチインコーポレイテッド|Improved DES and other cryptographic processes for smart cards and other cryptographic systems to minimize leakage|

---

AU6381799A|1998-06-03|2000-01-10|Cryptography Research, Inc.|Secure modular exponentiation with leak minimization for smartcards and other cryptosystems|

---

US5998978A|1998-06-29|1999-12-07|Motorola, Inc.|Apparatus and method for reducing energy fluctuations in a portable data device|

---

US6075865A|1998-07-01|2000-06-13|Tecsec Incorporated|Cryptographic communication process and apparatus|

---

DE69935913T2|1998-07-02|2008-01-10|Cryptography Research Inc., San Francisco|LACK RESISTANT UPGRADE OF AN INDEXED CRYPTOGRAPHIC KEY|

---

GB2371460B|2001-01-19|2004-12-22|Pixelfusion Ltd|Computer graphics|JPH08263438A|1994-11-23|1996-10-11|Xerox Corp|Distribution and use control system of digital work and access control method to digital work|

---

US6963859B2|1994-11-23|2005-11-08|Contentguard Holdings, Inc.|Content rendering repository|

---

US6233684B1|1997-02-28|2001-05-15|Contenaguard Holdings, Inc.|System for controlling the distribution and use of rendered digital works through watermaking|

---

US6748410B1|1997-05-04|2004-06-08|M-Systems Flash Disk Pioneers, Ltd.|Apparatus and method for modular multiplication and exponentiation based on montgomery multiplication|

---

DE69834431T3|1998-01-02|2009-09-10|Cryptography Research Inc., San Francisco|LIQUID RESISTANT CRYPTOGRAPHIC PROCESS AND DEVICE|

---

US7587044B2|1998-01-02|2009-09-08|Cryptography Research, Inc.|Differential power analysis method and apparatus|

---

FR2776445A1|1998-03-17|1999-09-24|Schlumberger Ind Sa|Cryptographic algorithm security technique|

---

CN1174347C|1998-05-18|2004-11-03|德国捷德有限公司|Access-controlled data storage medium|

---

JP2002519722A|1998-06-03|2002-07-02|クリプターグラフィーリサーチインコーポレイテッド|Improved DES and other cryptographic processes for smart cards and other cryptographic systems to minimize leakage|

---

DE69935913T2|1998-07-02|2008-01-10|Cryptography Research Inc., San Francisco|LACK RESISTANT UPGRADE OF AN INDEXED CRYPTOGRAPHIC KEY|

---

CA2243761C|1998-07-21|2009-10-06|Certicom Corp.|Timing attack resistant cryptographic system|

---

JP4317607B2|1998-12-14|2009-08-19|株式会社日立製作所|Information processing equipment, tamper resistant processing equipment|

---

US6578143B1|1998-12-18|2003-06-10|Qualcomm Incorporated|Method for negotiating weakened keys in encryption systems|

---

US7092523B2|1999-01-11|2006-08-15|Certicom Corp.|Method and apparatus for minimizing differential power attacks on processors|

---

US7599491B2|1999-01-11|2009-10-06|Certicom Corp.|Method for strengthening the implementation of ECDSA against power analysis|

---

KR20020007303A|1999-02-12|2002-01-26|맥 힉스|System and method for providing certification-related and other services|

---

FR2790890B1|1999-03-08|2001-04-27|Gemplus Card Int|COUNTER-MEASUREMENT METHOD IN AN ELECTRONIC COMPONENT USING A SECRET KEY CRYPTOGRAPHY ALGORITHM|

---

US6298135B1|1999-04-29|2001-10-02|Motorola, Inc.|Method of preventing power analysis attacks on microelectronic assemblies|

---

FR2793904B1|1999-05-21|2001-07-27|St Microelectronics Sa|METHOD AND DEVICE FOR MANAGING AN ELECTRONIC CIRCUIT|

---

FR2794592B1|1999-06-04|2001-08-24|France Telecom|BIT GENERATOR FOR ESTABLISHING A SECRET ENCRYPTION KEY AND CORRESPONDING METHOD|

---

US6804782B1|1999-06-11|2004-10-12|General Instrument Corporation|Countermeasure to power attack and timing attack on cryptographic operations|

---

FI115259B|1999-07-16|2005-03-31|Setec Oy|Procedure for generating a response|

---

IL137993D0|1999-09-02|2001-10-31|Compaq Computer Corp|Autokey initialization of cryptographic devices|

---

US20020029200A1|1999-09-10|2002-03-07|Charles Dulin|System and method for providing certificate validation and other services|

---

JP2003521763A|1999-09-24|2003-07-15|メアリー マッケンニー|System and method for providing settlement service in electronic commerce|

---

FR2799851B1|1999-10-14|2002-01-25|Gemplus Card Int|COUNTER-MEASUREMENT METHOD IN AN ELECTRONIC COMPONENT USING A RSA-TYPE PUBLIC KEY CRYPTOGRAPHY ALGORITHM|

---

FR2800478B1|1999-10-28|2001-11-30|Bull Cp8|METHOD FOR SECURING AN ELECTRONIC CRYPTOGRAPHY ASSEMBLY BASED ON MODULAR EXPONENTIATION AGAINST ATTACKS BY PHYSICAL ANALYSIS|

---

DE59914370D1|1999-11-03|2007-07-19|Infineon Technologies Ag|coding|

---

US6724894B1|1999-11-05|2004-04-20|Pitney Bowes Inc.|Cryptographic device having reduced vulnerability to side-channel attack and method of operating same|

---

TW548940B|1999-11-29|2003-08-21|Gen Instrument Corp|Generation of a mathematically constrained key using a one-way function|

---

DE19963407A1|1999-12-28|2001-07-12|Giesecke & Devrient Gmbh|Portable data carrier with access protection through message alienation|

---

DE19963408A1|1999-12-28|2001-08-30|Giesecke & Devrient Gmbh|Portable data carrier with access protection by key division|

---

US6973570B1|1999-12-31|2005-12-06|Western Digital Ventures, Inc.|Integrated circuit comprising encryption circuitry selectively enabled by verifying a device|

---

US6983366B1|2000-02-14|2006-01-03|Safenet, Inc.|Packet Processor|

---

JP3926532B2|2000-03-16|2007-06-06|株式会社日立製作所|Information processing apparatus, information processing method, and card member|

---

US6732175B1|2000-04-13|2004-05-04|Intel Corporation|Network apparatus for switching based on content of application data|

---

DE50010164D1|2000-05-22|2005-06-02|Infineon Technologies Ag|Security data processing unit and associated method|

---

KR100377172B1|2000-06-13|2003-03-26|주식회사 하이닉스반도체|Key Scheduller of encryption device using data encryption standard algorithm|

---

FR2810481B1|2000-06-20|2003-04-04|Gemplus Card Int|CONTROL OF ACCESS TO A DATA PROCESSING MEANS|

---

FI112013B|2000-07-11|2003-10-15|Setec Oy|Procedure for processing a secret key and device|

---

WO2002015464A1|2000-08-14|2002-02-21|Gien Peter H|System and method for secure smartcard issuance|

---

US7743259B2|2000-08-28|2010-06-22|Contentguard Holdings, Inc.|System and method for digital rights management using a standard rendering engine|

---

US8832852B2|2000-08-28|2014-09-09|Contentguard Holdings, Inc.|Method and apparatus for dynamic protection of static and dynamic content|

---

FR2813468B1|2000-08-29|2003-01-10|Gemplus Card Int|SECURITY OF ACCESS BY SECRET CODE TO A DATA PROCESSING MEANS|

---

AU9072501A|2000-09-08|2002-04-22|Guy S Tallent Jr|System and method for providing authorization and other services|

---

WO2002021409A1|2000-09-08|2002-03-14|Tallent Guy S|System and method for transparently providing certificate validation and other services within an electronic transaction|

---

US7620832B2|2000-09-20|2009-11-17|Mips Technologies, Inc.|Method and apparatus for masking a microprocessor execution signature|

---

FI112708B|2000-09-29|2003-12-31|Setec Oy|Method and apparatus for calculating a response|

---

FI112707B|2000-09-29|2003-12-31|Setec Oy|A method for handling a secret key|

---

US6769062B1|2000-10-25|2004-07-27|Ericsson Inc.|Method and system of using an insecure crypto-accelerator|

---

US7343324B2|2000-11-03|2008-03-11|Contentguard Holdings Inc.|Method, system, and computer readable medium for automatically publishing content|

---

FR2818846B1|2000-12-22|2004-03-05|Gemplus Card Int|COUNTER-MEASUREMENT METHOD IN AN ELECTRONIC COMPONENT USING A CRYPTOGRAPHIC ALGORITHM|

---

US6912294B2|2000-12-29|2005-06-28|Contentguard Holdings, Inc.|Multi-stage watermarking process and system|

---

US8069116B2|2001-01-17|2011-11-29|Contentguard Holdings, Inc.|System and method for supplying and managing usage rights associated with an item repository|

---

US7028009B2|2001-01-17|2006-04-11|Contentguardiholdings, Inc.|Method and apparatus for distributing enforceable property rights|

---

FR2820576B1|2001-02-08|2003-06-20|St Microelectronics Sa|ENCRYPTION METHOD PROTECTED AGAINST ENERGY CONSUMPTION ANALYSIS, AND COMPONENT USING SUCH AN ENCRYPTION METHOD|

---

JP4651212B2|2001-03-22|2011-03-16|大日本印刷株式会社|Portable information storage medium and authentication method thereof|

---

US7516325B2|2001-04-06|2009-04-07|Certicom Corp.|Device authentication in a PKI|

---

US6895503B2|2001-05-31|2005-05-17|Contentguard Holdings, Inc.|Method and apparatus for hierarchical assignment of rights to documents and documents having such rights|

---

US6876984B2|2001-05-31|2005-04-05|Contentguard Holdings, Inc.|Method and apparatus for establishing usage rights for digital content to be created in the future|

---

US7725401B2|2001-05-31|2010-05-25|Contentguard Holdings, Inc.|Method and apparatus for establishing usage rights for digital content to be created in the future|

---

US7774279B2|2001-05-31|2010-08-10|Contentguard Holdings, Inc.|Rights offering and granting|

---

US8099364B2|2001-05-31|2012-01-17|Contentguard Holdings, Inc.|Digital rights management of content when content is a future live event|

---

US8275709B2|2001-05-31|2012-09-25|Contentguard Holdings, Inc.|Digital rights management of content when content is a future live event|

---

US8275716B2|2001-05-31|2012-09-25|Contentguard Holdings, Inc.|Method and system for subscription digital rights management|

---

US8001053B2|2001-05-31|2011-08-16|Contentguard Holdings, Inc.|System and method for rights offering and granting using shared state variables|

---

US7318145B1|2001-06-01|2008-01-08|Mips Technologies, Inc.|Random slip generator|

---

US7774280B2|2001-06-07|2010-08-10|Contentguard Holdings, Inc.|System and method for managing transfer of rights using shared state variables|

---

CN1539117A|2001-06-07|2004-10-20|康坦夹德控股股份有限公司|Method and apparatus for supporting multiple trust zones in digital rights management system|

---

DE10143728B4|2001-09-06|2004-09-02|Infineon Technologies Ag|Device and method for calculating a result of a modular exponentiation|

---

FR2830146B1|2001-09-24|2003-10-31|Gemplus Card Int|METHOD FOR IMPLEMENTING, IN AN ELECTRONIC COMPONENT, A CRYPTOGRAPHIC ALGORITHM AND CORRESPONDING COMPONENT|

---

WO2003042799A2|2001-11-14|2003-05-22|International Business Machines Corporation|Device and method with reduced information leakage|

---

US7974923B2|2001-11-20|2011-07-05|Contentguard Holdings, Inc.|Extensible rights expression processing system|

---

US7840488B2|2001-11-20|2010-11-23|Contentguard Holdings, Inc.|System and method for granting access to an item or permission to use an item based on configurable conditions|

---

AU2002350209A1|2001-11-20|2003-06-10|Contentguard Holdings, Inc.|An extensible rights expression processing system|

---

US7243853B1|2001-12-04|2007-07-17|Visa U.S.A. Inc.|Method and system for facilitating memory and application management on a secured token|

---

KR100431286B1|2002-01-14|2004-05-12|한국정보보호진흥원|Method for preventing the CRT-based fault attack and apparatus thereof|

---

US7076059B1|2002-01-17|2006-07-11|Cavium Networks|Method and apparatus to implement the data encryption standard algorithm|

---

KR100431047B1|2002-02-26|2004-05-12|주홍정보통신주식회사|Digital signature method using RSA public-key cryptographic based on CRT and apparatus therefor|

---

US7805371B2|2002-03-14|2010-09-28|Contentguard Holdings, Inc.|Rights expression profile system and method|

---

US20040015426A1|2002-03-14|2004-01-22|Bijan Tadayon|System and method for expressing usage rights with sound signals|

---

JP2003296680A|2002-03-29|2003-10-17|Hitachi Ltd|Data processor|

---

CN1666207A|2002-04-29|2005-09-07|康坦夹德控股股份有限公司|Rights management system using legality expression language|

---

DE10230098A1|2002-07-04|2004-02-19|Siemens Ag|Method for authenticating a first object to at least one further object, in particular a vehicle to at least one key|

---

FR2842052B1|2002-07-05|2004-09-24|France Telecom|CRYPTOGRAPHIC METHOD AND DEVICES FOR REDUCING CALCULATION DURING TRANSACTIONS|

---

US7343011B2|2002-07-15|2008-03-11|Conexant, Inc.|Secure telecommunications system for wireless local area networks|

---

US20060233364A1|2002-07-29|2006-10-19|Jan Camenisch|Fine-grained forward-secure signature scheme|

---

US20040139021A1|2002-10-07|2004-07-15|Visa International Service Association|Method and system for facilitating data access and management on a secure token|

---

WO2004032557A1|2002-10-07|2004-04-15|Telefonaktiebolaget Lm Ericsson |Security and privacy enhancements for security devices|

---

US7574731B2|2002-10-08|2009-08-11|Koolspan, Inc.|Self-managed network access using localized access management|

---

US7725933B2|2003-10-07|2010-05-25|Koolspan, Inc.|Automatic hardware-enabled virtual private network system|

---

US7607015B2|2002-10-08|2009-10-20|Koolspan, Inc.|Shared network access using different access keys|

---

US7934005B2|2003-09-08|2011-04-26|Koolspan, Inc.|Subnet box|

---

US7325134B2|2002-10-08|2008-01-29|Koolspan, Inc.|Localized network authentication and security using tamper-resistant keys|

---

KR100441397B1|2002-10-31|2004-07-23|소프트포럼 주식회사|message encryption and authentication method|

---

DK1556992T3|2002-10-31|2017-01-09|ERICSSON TELEFON AB L M |Safety performance and use of device-specific safety data|

---

US7895443B2|2002-11-05|2011-02-22|Safenet, Inc.|Secure authentication using hardware token and computer fingerprint|

---

DE10304451B3|2003-02-04|2004-09-02|Infineon Technologies Ag|Modular exponentiation with randomized exponent|

---

US20060179305A1|2004-03-11|2006-08-10|Junbiao Zhang|WLAN session management techniques with secure rekeying and logoff|

---

KR20050116821A|2003-03-14|2005-12-13|톰슨 라이센싱|Wlan session management techniques with secure rekeying and logoff|

---

GB2399904B|2003-03-28|2005-08-17|Sharp Kk|Side channel attack prevention in data processing apparatus|

---

US7551737B2|2003-03-31|2009-06-23|International Business Machines Corporation|Cryptographic keys using random numbers instead of random primes|

---

EP1629382A4|2003-06-02|2011-12-21|Liquid Machines Inc|Managing data objects in dynamic, distributed and collaborative contexts|

---

US7685642B2|2003-06-26|2010-03-23|Contentguard Holdings, Inc.|System and method for controlling rights expressions by stakeholders of an item|

---

FR2858496B1|2003-07-31|2005-09-30|Gemplus Card Int|METHOD FOR SECURELY IMPLEMENTING AN RSA-TYPE CRYPTOGRAPHY ALGORITHM AND CORRESPONDING COMPONENT|

---

WO2005015557A2|2003-08-08|2005-02-17|Koninklijke Philips Electronics N.V.|Reproducing encrypted content using region keys|

---

US8489452B1|2003-09-10|2013-07-16|Target Brands, Inc.|Systems and methods for providing a user incentive program using smart card technology|

---

US7389530B2|2003-09-12|2008-06-17|International Business Machines Corporation|Portable electronic door opener device and method for secure door opening|

---

US20050089190A1|2003-10-23|2005-04-28|Eyal Shavit|Recording content distribution information into an adjunct to content|

---

WO2005057507A2|2003-12-02|2005-06-23|Koolspan, Inc|Remote secure authorization|

---

JP4626148B2|2004-01-07|2011-02-02|株式会社日立製作所|Calculation method of power-residue calculation in decryption or signature creation|

---

US7457964B2|2004-02-04|2008-11-25|Microsoft Corporation|Trusted path for transmitting content thereon|

---

EP1757006A2|2004-06-01|2007-02-28|Ben-Gurion University of the Negev Research and Development Authority|Structure preserving database encryption method and system|

---

WO2006015182A2|2004-07-29|2006-02-09|Infoassure, Inc.|Object access level|

---

KR100652377B1|2004-08-06|2007-02-28|삼성전자주식회사|A modular exponentiation algorithm, a record device including the algorithm and a system using the algorithm|

---

WO2006027430A1|2004-08-16|2006-03-16|France Telecom|Method for carrying out authentication between entities communicating with one another over a telecommunications network|

---

JP4326443B2|2004-10-08|2009-09-09|フェリカネットワークス株式会社|Information processing apparatus, information processing method, and program|

---

CN102170351B|2004-11-11|2014-02-19|塞尔蒂卡姆公司|Custom static Diffie-Hellman groups|

---

WO2006051404A2|2004-11-11|2006-05-18|Certicom Corp.|Secure interface for versatile key derivation function support|

---

US8660961B2|2004-11-18|2014-02-25|Contentguard Holdings, Inc.|Method, system, and device for license-centric content consumption|

---

FR2879866B1|2004-12-22|2007-07-20|Sagem|METHOD AND DEVICE FOR PERFORMING A CRYPTOGRAPHIC CALCULATION|

---

US8467535B2|2005-01-18|2013-06-18|Certicom Corp.|Accelerated verification of digital signatures and public keys|

---

EP1842128B1|2005-01-18|2011-11-09|Certicom Corp.|Accelerated verification of digital signatures and public keys|

---

FR2882209A1|2005-02-11|2006-08-18|France Telecom|METHOD OF AUTHENTICATING AN ELECTRONIC LABEL USING A CRYPTOGRAPHIC ALGORITHM WITH A PUBLIC KEY|

---

US20060210071A1|2005-03-16|2006-09-21|Chandran Gayathiri R|Encryption of security-sensitive data|

---

US8200972B2|2005-03-16|2012-06-12|International Business Machines Corporation|Encryption of security-sensitive data by re-using a connection|

---

FR2884004B1|2005-03-30|2007-06-29|Oberthur Card Syst Sa|DATA PROCESSING METHOD INVOLVING MODULAR EXPONENTIATION AND ASSOCIATED DEVICE|

---

JP4180094B2|2005-04-28|2008-11-12|松下電器産業株式会社|Program conversion apparatus, cryptographic processing apparatus, and cryptographic processing method|

---

FR2887351A1|2005-06-16|2006-12-22|St Microelectronics Sa|PROTECTION OF A MODULAR EXPONENTIATION CALCULATION CARRIED OUT BY AN INTEGRATED CIRCUIT|

---

FR2889349A1|2005-07-26|2007-02-02|St Microelectronics Sa|METHOD AND DEVICE FOR SECURING AN INTEGRATED CIRCUIT, IN PARTICULAR A MICROPROCESSOR CARD|

---

US8041032B2|2005-08-19|2011-10-18|Cardiac Pacemakers, Inc.|Symmetric key encryption system with synchronously updating expanded key|

---

JP2009505148A|2005-08-19|2009-02-05|エヌエックスピービーヴィ|Circuit arrangement and method for performing inversion operation in encryption operation|

---

WO2007020564A2|2005-08-19|2007-02-22|Nxp B.V.|Circuit arrangement and method for rsa key generation|

---

FR2890267B1|2005-08-26|2007-10-05|Viaccess Sa|METHOD FOR ESTABLISHING A SESSION KEY AND UNITS FOR IMPLEMENTING THE METHOD|

---

FR2890269A1|2005-09-01|2007-03-02|France Telecom|Electronic object e.g. radio frequency identifier type electronic label, authenticating method, involves encrypting number using one-way function, and determining cryptogram from secret identifier, of encrypted number and variable|

---

US7720767B2|2005-10-24|2010-05-18|Contentguard Holdings, Inc.|Method and system to support dynamic rights and resources sharing|

---

FR2895609A1|2005-12-26|2007-06-29|Gemplus Sa|Cryptographic method for forming modular exponentiation, involves masking operand with random number, and forming modular exponentiation of operand masked by exponent using Montgomery multiplier|

---

KR100850202B1|2006-03-04|2008-08-04|삼성전자주식회사|Cryptographic method for countering DFA using ECC fast Montgomery power ladder algorithm|

---

US7971058B2|2006-03-27|2011-06-28|Kyocera Corporation|System and method for generating a plaintext / cyphertext database for use in device authentication|

---

US8301890B2|2006-08-10|2012-10-30|Inside Secure|Software execution randomization|

---

US7613907B2|2006-08-11|2009-11-03|Atmel Corporation|Embedded software camouflage against code reverse engineering|

---

US7984301B2|2006-08-17|2011-07-19|Inside Contactless S.A.|Bi-processor architecture for secure systems|

---

US7554865B2|2006-09-21|2009-06-30|Atmel Corporation|Randomizing current consumption in memory devices|

---

US7822207B2|2006-12-22|2010-10-26|Atmel Rousset S.A.S.|Key protection mechanism|

---

US8391479B2|2007-03-07|2013-03-05|Research In Motion Limited|Combining interleaving with fixed-sequence windowing in an elliptic curve scalar multiplication|

---

US8243919B2|2007-03-07|2012-08-14|Research In Motion Limited|Method and apparatus for performing elliptic curve scalar multiplication in a manner that counters power analysis attacks|

---

US8280041B2|2007-03-12|2012-10-02|Inside Secure|Chinese remainder theorem-based computation method for cryptosystems|

---

EP1998491A1|2007-05-31|2008-12-03|Thomson Licensing|Method for calculating compressed RSA moduli|

---

US7907735B2|2007-06-15|2011-03-15|Koolspan, Inc.|System and method of creating and sending broadcast and multicast data|

---

US7936871B2|2007-06-28|2011-05-03|Samsung Electronics Co., Ltd.|Altering the size of windows in public key cryptographic computations|

---

US8290151B2|2007-10-12|2012-10-16|Infineon Technologies Ag|Device and method for determining an inverse of a value related to a modulus|

---

WO2009055906A1|2007-11-02|2009-05-07|Certicom Corp.|Signed montgomery arithmetic|

---

CN100488099C|2007-11-08|2009-05-13|西安西电捷通无线网络通信有限公司|Bidirectional access authentication method|

---

ES2366753T3|2007-12-13|2011-10-25|Oberthur Technologies|METHOD OF CRYPTOGRAPHIC DATA PROCESSING, IN PARTICULAR WITH THE HELP OF AN S BOX, DEVICE AND ASSOCIATED PROGRAMS.|

---

AU2009205675B2|2008-01-18|2014-09-25|Identrust, Inc.|Binding a digital certificate to multiple trust domains|

---

US20090184800A1|2008-01-22|2009-07-23|Harris Scott C|Cellular phone Entry Techniques|

---

FR2926651B1|2008-01-23|2010-05-21|Inside Contactless|COUNTERMEASURE METHOD AND DEVICES FOR ASYMMETRIC CRYPTOGRAPHY|

---

US8312534B2|2008-03-03|2012-11-13|LenovoPte. Ltd.|System and method for securely clearing secret data that remain in a computer system memory|

---

WO2009136361A1|2008-05-07|2009-11-12|Koninklijke Philips Electronics N.V.|Exponent obfuscation|

---

FR2935059B1|2008-08-12|2012-05-11|Groupe Des Ecoles De Telecommunications Get Ecole Nationale Superieure Des Telecommunications Enst|METHOD FOR DETECTING ANOMALIES IN A DIFFERENTIAL LOGIC-PROTECTED CRYPTOGRAPHIC CIRCUIT AND CIRCUIT USING SUCH A METHOD|

---

CN103560880B|2008-08-19|2017-04-12|Nxp股份有限公司|Method for generating a cipher-based message authentication code|

---

EP2169535A1|2008-09-22|2010-03-31|Thomson Licensing|Method, apparatus and computer program support for regular recoding of a positive integer|

---

JP5407352B2|2009-01-19|2014-02-05|富士通株式会社|Decoding processing device, decoding processing program, and decoding processing method|

---

EP2222013A1|2009-02-19|2010-08-25|Thomson Licensing|Method and device for countering fault attacks|

---

WO2010096902A1|2009-02-27|2010-09-02|Certicom Corp.|System and method for performing exponentiation in a cryptographic system|

---

US8245959B1|2009-06-30|2012-08-21|Emc Corporation|Powered card and method of disposing of the same|

---

EP2290872B1|2009-08-27|2014-06-18|Nxp B.V.|Device for generating a message authentication code for authenticating a message|

---

CN102725737B|2009-12-04|2016-04-20|密码研究公司|The encryption and decryption of anti-leak can be verified|

---

US8775813B2|2010-02-26|2014-07-08|Certicom Corp.|ElGamal signature schemes|

---

KR101610917B1|2010-03-08|2016-04-11|삼성전자주식회사|Decryption method of crypto algorithm and crypto system having its|

---

DE102010010851A1|2010-03-10|2011-09-15|Giesecke & Devrient Gmbh|Spying protection when executing an operation sequence in a portable data carrier|

---

IT1401937B1|2010-09-16|2013-08-28|St Microelectronics Srl|METHOD OF GENERATION OF A DIGITAL SIGNATURE|

---

EP2466523B1|2010-12-16|2015-04-29|BlackBerry Limited|Method and apparatus for securing a computing device|

---

US9300475B2|2010-12-24|2016-03-29|Mitsubishi Electric Corporation|Signature generation by calculating a remainder modulo public information|

---

US8745376B2|2011-10-14|2014-06-03|Certicom Corp.|Verifying implicit certificates and digital signatures|

---

US8635467B2|2011-10-27|2014-01-21|Certicom Corp.|Integrated circuit with logic circuitry and multiple concealing circuits|

---

US8334705B1|2011-10-27|2012-12-18|Certicom Corp.|Analog circuitry to conceal activity of logic circuitry|

---

EP2608445A1|2011-12-20|2013-06-26|Gemalto SA|Method to protect a binary GCD computation against SPA attacks|

---

CN102664732B|2012-03-07|2016-06-22|南相浩|The anti-quantum computation attack of CPK public key system realize method and system|

---

US9106405B1|2012-06-25|2015-08-11|Amazon Technologies, Inc.|Multi-user secret decay|

---

JP6366595B2|2012-11-12|2018-08-01|クリプトグラフィ リサーチ， インコーポレイテッド|Method and system for anti-glitch cryptographic discrete log-based signature|

---

US9009495B2|2013-06-28|2015-04-14|Envieta, LLC|High speed cryptographic combining system, and method for programmable logic devices|

---

FR3015726B1|2013-12-24|2016-01-08|Morpho|SECURE COMPARATIVE PROCESSING METHOD|

---

US10680816B2|2014-03-26|2020-06-09|Continental Teves Ag & Co. Ohg|Method and system for improving the data security during a communication process|

---

US10013363B2|2015-02-09|2018-07-03|Honeywell International Inc.|Encryption using entropy-based key derivation|

---

US10594471B2|2015-03-20|2020-03-17|Cryptography Research, Inc.|Multiplicative blinding for cryptographic operations|

---

US10181944B2|2015-06-16|2019-01-15|The Athena Group, Inc.|Minimizing information leakage during modular exponentiation and elliptic curve point multiplication|

---

US10255462B2|2016-06-17|2019-04-09|Arm Limited|Apparatus and method for obfuscating power consumption of a processor|

---

US10708073B2|2016-11-08|2020-07-07|Honeywell International Inc.|Configuration based cryptographic key generation|

---

EP3337086A1|2016-12-15|2018-06-20|Gemalto Sa|Method for synchronized signature with additive rsa key splitting using a sliding window|

---

US10997322B2|2017-05-22|2021-05-04|Arm Limited|Efficient power distribution|

---

US10924261B2|2017-05-22|2021-02-16|Arm Limited|Efficient power distribution|

---

US10826694B2|2018-04-23|2020-11-03|International Business Machines Corporation|Method for leakage-resilient distributed function evaluation with CPU-enclaves|

---

WO2020072413A1|2018-10-02|2020-04-09|Capital One Services, Llc|Systems and methods for cryptographic authentication of contactless cards|

法律状态:
2002-04-12| STCF| Information on status: patent grant|Free format text: PATENTED CASE |

---

2005-05-04| FPAY| Fee payment|Year of fee payment: 4 |

---

2009-09-22| FPAY| Fee payment|Year of fee payment: 8 |

---

2011-04-29| AS| Assignment|Owner name: CRYPTOGRAPHY RESEARCH, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KOCHER, PAUL C.;JAFFE, JOSHUA M.;REEL/FRAME:026204/0649 Effective date: 19981228 |

---

2013-10-30| FPAY| Fee payment|Year of fee payment: 12 |

优先权:

---

申请号 | 申请日 | 专利标题

---

US7034498P| true| 1998-01-02|1998-01-02||

---

US8952998P| true| 1998-06-15|1998-06-15||

---

US09/224,682|US6304658B1|1998-01-02|1998-12-31|Leak-resistant cryptographic method and apparatus|

---

US09/737,182|US6381699B2|1998-01-02|2000-12-13|Leak-resistant cryptographic method and apparatus|US09/737,182| US6381699B2|1998-01-02|2000-12-13|Leak-resistant cryptographic method and apparatus|

---

US10/005,105| US7587044B2|1998-01-02|2001-12-03|Differential power analysis method and apparatus|

---

US10/136,012| US7506165B2|1998-01-02|2002-04-29|Leak-resistant cryptographic payment smartcard|

---

US11/643,349| US7634083B2|1998-01-02|2006-12-21|Differential power analysis|

---

US11/978,364| US7599488B2|1998-01-02|2007-10-29|Differential power analysis|

---

US11/981,495| US7792287B2|1998-01-02|2007-10-30|Leak-resistant cryptographic payment smartcard|

---

US12/637,565| US8879724B2|1998-01-02|2009-12-14|Differential power analysis—resistant cryptographic processing|

---

US14/530,905| US9419790B2|1998-01-02|2014-11-03|Differential power analysis—resistant cryptographic processing|

---

US15/236,739| US20170099134A1|1998-01-02|2016-08-15|Differential power analysis - resistant cryptographic processing|