[go: up one dir, main page]

WO2002028009A1 - Method and device for calculating a response - Google Patents

Method and device for calculating a response Download PDF

Info

Publication number
WO2002028009A1
WO2002028009A1 PCT/FI2001/000836 FI0100836W WO0228009A1 WO 2002028009 A1 WO2002028009 A1 WO 2002028009A1 FI 0100836 W FI0100836 W FI 0100836W WO 0228009 A1 WO0228009 A1 WO 0228009A1
Authority
WO
WIPO (PCT)
Prior art keywords
multipliers
sliding window
calculation
response
secret key
Prior art date
Application number
PCT/FI2001/000836
Other languages
French (fr)
Inventor
Lauri Paatero
Original Assignee
Setec Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Setec Oy filed Critical Setec Oy
Priority to AU2001291913A priority Critical patent/AU2001291913A1/en
Publication of WO2002028009A1 publication Critical patent/WO2002028009A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the present invention relates to calculation procedures utilizing a sliding window method and a secret key to be protected to ensure that no information that would enable an external attacker to find out the secret key will become known to the external attacker.
  • the present invention can be applied e.g. to smart cards.
  • Secret keys are utilized e.g. for authenticating smart cards.
  • the present invention will thus mainly be described with reference to smart cards although the present invention can also be applied to other contexts wherein calculation procedures utilizing a secret key are to be carried out.
  • a disadvantage of the known solution described above is that the calculation may produce information that makes it easier for an external attacker to find out the secret key when the particular calculation method is used in calculation procedures utilizing a secret key.
  • a way in which the external attacker may try to find out the secret key is a so-called Differential Power Analysis (DPA) attack wherein different inputs are repeatedly (several thou- sands of times) fed e.g. to a smart card while a response obtained from the outlet of the smart card, current consumed by the smart card during calculation, and radiation generated by the smart card during calculation are simultaneously monitored.
  • DPA Differential Power Analysis
  • the problem with the known calculation algorithms utilizing the sliding window method is that the current consumption reveals if predetermined multipliers are utilized in the calculation procedures.
  • the external attacker is able to detect the order in which the calculation procedures are carried out since the current consumption reveals the points in time at which different multipliers are utilized.
  • the external attacker only needs to find out the values of the multipliers, and the secret key is ready for him or her to use.
  • An object of the present invention is to alleviate the problem described above and to provide a solution to make a secret key more difficult to find out when a sliding window method is utilized.
  • This object is achieved by a method of the invention for calculating a response, the method comprising: selecting multipliers to be utilized in a sliding window method, and calculating the response by means of an input, a secret key and a calculation algorithm, the calculation algorithm utilizing said sliding window method and the selected multipliers.
  • the method of the invention is characterized by selecting at least some of the multipliers to be utilized in the sliding window method randomly.
  • the invention further relates to a device for utilizing a method of the invention.
  • the device of the invention comprises an inlet for receiving an input, calculating means for calculating a response by means of the input, a secret key and a calculation algorithm, the calculation algorithm utilizing a sliding window method, and an outlet for forwarding said response.
  • the device of the invention is characterized in that the device further comprises a random number generator to generate at least some of the multipliers utilized by the calculating means in the sliding window method.
  • the idea underlying the invention is that when at least some of the multipliers utilized in the sliding window method are selected randomly, an external attacker no longer benefits from statistical information he or she has possibly compiled during calculation since the new multipliers cause the calculation procedure and e.g.
  • new random multipliers can be used each time a new calculation procedure is to be carried out. This, however, is not necessary but if desired, the same multipliers can be utilized in a couple of successive calculation procedures.
  • the multipliers can also be changed such that only some of the multipliers used are changed at a time. The important point is that the external attacker is unable to compile statistical information on several hundreds or even thousands of successive calculation procedures utilizing the same multipliers.
  • the greatest advantages of the solution of the invention include improved encryption of a secret key, i.e. it is more difficult for an external attacker to find out the secret key.
  • some of the single calculation procedures of the sliding window method are selected randomly to be carried out by a multiplier other than the highest possible one.
  • This embodiment of the invention slightly slows down the calculation procedure. The disadvantage is, however, insignificant since this embodiment increases the randomness in the calculation procedures, making the statistical information compiled by the external attacker even more misleading.
  • the multipliers to be used are selected such that the length of the longest multipliers is about 8 to 128 bits. Not all bits of the multiplier inside a window are then handled in the sliding window method; it is thus necessary to calcu- late the difference of the window and the multiplier and use this in the subsequent calculation procedure.
  • the calculation procedures belonging to the sliding window method are carried out such that the calculation procedures caused by moving the window and the calculation procedures caused by handling the bits contained in the window under examination are carried out in a predetermined order in each calculation procedure.
  • the calculation procedures belonging to the sliding window method can be divided into two main groups: calculation procedures caused by moving the window and calculation procedures caused by handling (utilizing the selected multipliers) the bits contained in the window under examination.
  • the calculation procedure proceeds such that during the calculation, always the most appropriate procedure is selected next. In some cases, however, it is possible for an external attacker to detect e.g. from the current consumption whether the selected procedure is to move the window or handle the bits in the window.
  • the external attacker is able to draw conclusions about the way in which the calculation procedures proceed if such selections are made. If, on the other hand, it is selected to move the window or handle the bits in the window according to a predetermined sequence, e.g. such that every other time the window is moved and every other time the bits in the window are handled, no selection has to be made in the calculating procedures as described above, which means that no additional information about the way in which the calculation procedures proceed will be given to the external attacker. Hence, the present embodiment of the invention makes the calculation procedures even more secure.
  • Figure 1 is a flow diagram showing a first preferred embodi- ment of a method of the invention
  • Figure 2 is a flow diagram showing a second preferred embodiment of the method of the invention.
  • Figure 3 illustrates a first preferred embodiment of a device of the invention
  • Figure 4 is a flow diagram showing a third preferred embodiment of the method of the invention.
  • Figure 1 is a flow diagram showing a first preferred embodiment of a method of the invention.
  • the method of Figure 1 utilizes a sliding window method for carrying out calculation procedures associated with a se- cret key.
  • the sliding window method is a known method for carrying out multiplication and exponentiation procedures in a binary system.
  • an example will be shown for carrying out a multiplication C*B by employing the sliding window method when only addition is used and when an external attacker is to be prevented from being given information that would enable him or her to find out the secret key C.
  • the multipliers to be used in the sliding window method are selected randomly. In the present example, the multipliers selected are 1 (01), 3 (11), 5 (101) and 7 (111). [0019] First, the values of the multipliers are calculated:
  • the result of the above calculation is obtained from the last intermediate result A k , the result thus being 11100011010001.
  • all calculation procedures contributing to the result are carried out utilizing the binary system and addition procedures.
  • the calculation procedures are also indicated utilizing a decimal system and multiplication in order to make it easier to monitor single calculation procedures.
  • multipliers are, according to the invention, selected randomly.
  • the multipliers can be allotted randomly each time a response is calculated or, alternatively, the same multipliers can be used in a couple of successive procedures for calcu- lating a response, after which new random multipliers are selected.
  • the multipliers selected are relatively long ones, the length of the multipliers being about 8 to 128 bits. It is thus even more difficult for an external attacker to find out the multipliers used.
  • block C the response is calculated applying a calculation algorithm utilizing the secret key, the input and the sliding window method.
  • the calculation procedures associated with the sliding window method are thus carried out as shown by the example above, using the random multipliers selected in block B.
  • Figure 2 illustrates a second preferred embodiment of the method of the invention.
  • the method of Figure 2 also utilizes the sliding window method for carrying out the calculation procedures associated with the secret key.
  • the embodiment of Figure 2 differs from the embodiment of Figure 1 in that in the case of Figure 1 , in each single calculation procedure belonging to the sliding window method, always the highest possible multiplier is selected (in order to carry out the calculation procedure as quickly as possible), while in the case of Figure 2, at least some of the single calculation procedures are carried out using, randomly, a multiplier other than the highest possible one. Consequently, the calculation procedures become slightly slower but the calculations proceed in a more "random" manner, which is why less information will be given to the external attacker even if he or she were compiling statistical information e.g. on the power consumption required for cal information e.g. on the power consumption required for carrying out the calculation procedures.
  • the sliding window method can be applied to carrying out the multiplication C*B such that the multipliers used in the calculation procedures are selected randomly and some of the calculation procedures are selected randomly to be carried out using a multiplier other than the highest one.
  • the calculation procedures only employ addition, and during the calculations, the external attacker is to be prevented from being given information that would enable him or her to find out the secret key C.
  • the multipliers to be used in the sliding window method are selected randomly. In the present example, the multipliers selected are 1 (01), 3 (11) and 5 (101). [0029] First, the values of the multipliers are calculated:
  • B 5 B+B+B+B+B.
  • C m+1 )C m+2 > 011
  • a k A k +B 3
  • C m+2 CmlCm + ⁇ lCm + 2 -011 is calculated. If C m
  • C m+2 C m
  • the result of the above calculation is obtained from the last intermediate result A k , the result thus being 11100011010001.
  • all calculation procedures contributing to the result are carried out utilizing the binary system and addition procedures.
  • the calculation procedures are also indicated utilizing a decimal system and multiplication in order to make it easier to monitor single calculation procedures.
  • blocks A' and B' correspond to blocks A and B in Figure 1 , i.e. an input is received in these blocks, after which the multipliers to be used in the calculations are selected randomly.
  • the calculation procedure starts by applying a re- sponse calculation algorithm utilizing the sliding window method.
  • block D' If it is detected in block D' that the next calculation procedure is going to utilize the multiplier selected for the sliding window method, the process moves on to block E'. A random number e.g. between 1 and 10 is then allotted. In block F', it is examined whether the random number is higher than a reference number, e.g. 5, if half of the of the single calculation procedures associated with the sliding window method is to be carried out using the random multiplier. If the random number is higher than the reference number, the process moves on to block H', wherein a multiplier is selected randomly. Alternatively, the process moves on to block G', wherein the highest possible multiplier is selected.
  • a reference number e.g. 5
  • FIG. 3 is a block diagram showing a first preferred embodiment of a device of the invention.
  • the device 1 is a smart card having a secret key stored in its memory M, either as such or, alternatively, in an encoded format (in which case the en- coding is decoded while the key is being read from the memory).
  • the smart card can be authenticated using the particular secret key because only one smart card exists for which the secret key in question has been stored and which, from the input fed to the smart card, thus generates a response dependent on the secret key.
  • the device 1 further comprises a calculator P, which may consist e.g. of a processor which, using a predetermined calculation algorithm, calculates the response to the input fed into an inlet 2 of the device, and forwards the response through an outlet 3. In the calculation, the calculation algorithm utilizes the sliding window method and the secret key of the device 1.
  • the device 1 utilizes multipliers consisting of random numbers generated by a random number generator RND (as described in connection with the flow diagrams of Figures 1 and 2), the multipliers being delivered from the random number generator to the calculator through an internal bus of the device. Furthermore, the device 1 may use the random number generator RND to select some of the single calculation procedures belonging to the sliding window method to be carried out using random multipliers, i.e. using a selected multiplier other than the highest possible one (as described in connection with Figure 2).
  • RND random number generator
  • the device 1 may be a device other than a smart card.
  • the invention can also be applied e.g. to delivering confidential information over an unreliable data transmission channel, such as the Internet. It is then necessary to be able either to encrypt a message such that an outsider is prevented from reading the message, or, alternatively, to equip the message with an electronic signature, thus enabling the receiver of the message to check the origin of the message.
  • An RSA algorithm is a known algorithm utilized for encrypting messages and providing messages with electronic signatures. The RSA algorithm was introduced by Ronald Rivest, Adi Shamir and Leonard Adelman in 1977. In the RSA algorithm, the messages are encrypted using a public key while they are decrypted using a secret key.
  • an electronic signature is produced using a secret key while the correctness of the signature is checked using a public key.
  • the device 1 of Figure 3 may thus be e.g. a computer, which receives a message equipped with an electronic signature, and, utilizing the secret key and the method of the invention, checks the correctness of the electronic signature. The response then consists of information indicating whether or not the signature is correct.
  • FIG. 4 is a flow diagram showing a third preferred embodiment of the method of the invention.
  • the flow diagram of Figure 4 differs from the previous embodiments in that in the case of Figure 4, the secret key necessary for calculating the response is not stored in the memory in an uncoded format. Instead, the secret key is stored in the memory in a format which makes it impossible for an external attacker to benefit from using the secret key in order to obtain information on the secret key, and which makes it extremely simple to utilize the secret key in connection with the sliding window method.
  • the secret key is divided into contributory factors whose sum corresponds to the value of the secret key. At least one of the contributory factors consists of numbers to be multiplied with each other, one such number corresponding to the multiplier selected for the sliding window method. The numbers contained in the contributory factors are stored in the memory.
  • the secret key C is divided into contributory fac- tors in the following manner:
  • the secret key is divided into contribu- tory factors whose sum constitutes the secret key C.
  • the contributory factors consist of numbers or products of numbers.
  • Some of the numbers are randomly selected multipliers K1 to Kn, which can be changed in connection with each calculation procedure in a manner to be described below.
  • the rest of the numbers X1 to Xn are binary numbers, whose single bits are used for indicating when a multiplier preceding a number is to be utilized.
  • the multipliers K1 to Kn and numbers X0 to Xn are thus stored in the memory. If the de- vice in question is a new smart card or the like to be manufactured, the multipliers and numbers are stored for the first time while the smart card is being manufactured.
  • the advantage achieved by storing the numbers in the memory as described above is that at no point in time does the secret key C have to be handled in an uncoded format when it is stored in the memory, read from the memory or when the response is calculated, but it is the above numbers and multipliers that are retrieved from the memory to be handled instead.
  • the present representation makes the response easier to calculate using the sliding window method, as will be described below.
  • block B the process waits for an input, in response to which an output should be produced.
  • the process then moves on to block C" wherein the numbers stored in the memory are retrieved, after which in block D", the response is calculated utilizing the retrieved numbers and the sliding window method.
  • block D the response is calculated utilizing the retrieved numbers and the sliding window method.
  • the random multipliers can be changed each time a response has been generated after a predetermined number of re- sponses has been generated using the same multipliers, or, alternatively, it can be allotted each time a response has been generated whether the multipliers are changed or whether the same multipliers are still to be used. [0054] If the multipliers are changed, the process moves on to block F". When new random multipliers are to be selected, the selection will be carried out in the following manner. Assume that a secret key has been stored in the memory when the new random multipliers were being selected, using numbers X0 to X3 and K1 to K3, which means that the value of the secret key is the sum of four contributory factors as follows:
  • a new number X2' is selected such that: (K2' * X2') ⁇ X0 + (K2 * X2) + (K3 * X3)
  • X0' X0 + (K2 * X2) + (K3 *X3) - (K2' * X2') - (K3' * X3').
  • the secret key C can thus be stored using the numbers contained in the following contributory factors:
  • the new numbers and the unchanged numbers are stored in the memory in block A", which means that they can be utilized in future calculation procedures until the multipliers are to be changed again.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Complex Calculations (AREA)
  • Investigating Or Analysing Biological Materials (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a device comprising an inlet (2) for receiving an input, calculating means (P) for calculating a response by means of the input, a secret key and a calculation algorithm, the calculation algorithm utilizing a sliding window method, and an outlet (3) for forwarding said response. In order to make the secret key even more difficult for an external attacker to find out, the device further comprises a random number generator (RND) to generate at least some of the multipliers utilized by the calculating means (P) in the sliding window method.

Description

METHOD AND DEVICE FOR CALCULATING A RESPONSE
[0001] The present invention relates to calculation procedures utilizing a sliding window method and a secret key to be protected to ensure that no information that would enable an external attacker to find out the secret key will become known to the external attacker.
[0002] The present invention can be applied e.g. to smart cards. Secret keys are utilized e.g. for authenticating smart cards. In the following, the present invention will thus mainly be described with reference to smart cards although the present invention can also be applied to other contexts wherein calculation procedures utilizing a secret key are to be carried out.
[0003] It is previously known to utilize a sliding window method for carrying out multiplication or exponentiation procedures to enable multiplication to be replaced by addition, or exponentiation by multiplication. In the known solutions, calculation procedures apply the sliding window method by utilizing predetermined multipliers whose binary value lengths determine the width of the windows to be used. Usually, a couple of predetermined multipliers are used, for instance 1 (window width 1 bit), 3 (window width 2 bits), 5 (window width 3 bits) and 7 (window width 3 bits). The values of the multipliers to be used are selected in advance and in such a manner that they enable the calculation to be as fast as possible. In the known solutions, the highest possible multiplier is selected to be used in single calculation procedures of the sliding window method. This is to ensure that the calculation can be carried out as quickly as possible.
[0004] A disadvantage of the known solution described above is that the calculation may produce information that makes it easier for an external attacker to find out the secret key when the particular calculation method is used in calculation procedures utilizing a secret key. A way in which the external attacker may try to find out the secret key is a so-called Differential Power Analysis (DPA) attack wherein different inputs are repeatedly (several thou- sands of times) fed e.g. to a smart card while a response obtained from the outlet of the smart card, current consumed by the smart card during calculation, and radiation generated by the smart card during calculation are simultaneously monitored. By compiling statistical information on the input, current consumption, radiation and response, it can be possible for the external at- tacker to find out the secret key of the smart card. The problem with the known calculation algorithms utilizing the sliding window method is that the current consumption reveals if predetermined multipliers are utilized in the calculation procedures. In other words, by compiling statistical information on the current consumption, the external attacker is able to detect the order in which the calculation procedures are carried out since the current consumption reveals the points in time at which different multipliers are utilized. Next, the external attacker only needs to find out the values of the multipliers, and the secret key is ready for him or her to use.
[0005] An object of the present invention is to alleviate the problem described above and to provide a solution to make a secret key more difficult to find out when a sliding window method is utilized. This object is achieved by a method of the invention for calculating a response, the method comprising: selecting multipliers to be utilized in a sliding window method, and calculating the response by means of an input, a secret key and a calculation algorithm, the calculation algorithm utilizing said sliding window method and the selected multipliers. The method of the invention is characterized by selecting at least some of the multipliers to be utilized in the sliding window method randomly.
[0006] The invention further relates to a device for utilizing a method of the invention. The device of the invention comprises an inlet for receiving an input, calculating means for calculating a response by means of the input, a secret key and a calculation algorithm, the calculation algorithm utilizing a sliding window method, and an outlet for forwarding said response. The device of the invention is characterized in that the device further comprises a random number generator to generate at least some of the multipliers utilized by the calculating means in the sliding window method. [0007] The idea underlying the invention is that when at least some of the multipliers utilized in the sliding window method are selected randomly, an external attacker no longer benefits from statistical information he or she has possibly compiled during calculation since the new multipliers cause the calculation procedure and e.g. the current consumption required by the proce- dure to change. According to the invention, new random multipliers can be used each time a new calculation procedure is to be carried out. This, however, is not necessary but if desired, the same multipliers can be utilized in a couple of successive calculation procedures. The multipliers can also be changed such that only some of the multipliers used are changed at a time. The important point is that the external attacker is unable to compile statistical information on several hundreds or even thousands of successive calculation procedures utilizing the same multipliers. The greatest advantages of the solution of the invention include improved encryption of a secret key, i.e. it is more difficult for an external attacker to find out the secret key.
[0008] In a first preferred embodiment of the method of the inven- tion, some of the single calculation procedures of the sliding window method are selected randomly to be carried out by a multiplier other than the highest possible one. This embodiment of the invention slightly slows down the calculation procedure. The disadvantage is, however, insignificant since this embodiment increases the randomness in the calculation procedures, making the statistical information compiled by the external attacker even more misleading. [0009] In a third preferred embodiment of the method of the invention, the multipliers to be used are selected such that the length of the longest multipliers is about 8 to 128 bits. Not all bits of the multiplier inside a window are then handled in the sliding window method; it is thus necessary to calcu- late the difference of the window and the multiplier and use this in the subsequent calculation procedure.
[0010] In a fourth preferred embodiment of the method of the invention, the calculation procedures belonging to the sliding window method are carried out such that the calculation procedures caused by moving the window and the calculation procedures caused by handling the bits contained in the window under examination are carried out in a predetermined order in each calculation procedure. In other words, the calculation procedures belonging to the sliding window method can be divided into two main groups: calculation procedures caused by moving the window and calculation procedures caused by handling (utilizing the selected multipliers) the bits contained in the window under examination. In the known solutions, the calculation procedure proceeds such that during the calculation, always the most appropriate procedure is selected next. In some cases, however, it is possible for an external attacker to detect e.g. from the current consumption whether the selected procedure is to move the window or handle the bits in the window. Consequently, the external attacker is able to draw conclusions about the way in which the calculation procedures proceed if such selections are made. If, on the other hand, it is selected to move the window or handle the bits in the window according to a predetermined sequence, e.g. such that every other time the window is moved and every other time the bits in the window are handled, no selection has to be made in the calculating procedures as described above, which means that no additional information about the way in which the calculation procedures proceed will be given to the external attacker. Hence, the present embodiment of the invention makes the calculation procedures even more secure.
[0011] Preferred embodiments of the method and device of the in- vention are disclosed in attached dependent claims 2 to 5 and 6 to 11.
[0012] In the following, the invention will be described in closer detail by way of example and with reference to the accompanying drawings, in which:
[0013] Figure 1 is a flow diagram showing a first preferred embodi- ment of a method of the invention,
[0014] Figure 2 is a flow diagram showing a second preferred embodiment of the method of the invention,
[0015] Figure 3 illustrates a first preferred embodiment of a device of the invention, and [0016] Figure 4 is a flow diagram showing a third preferred embodiment of the method of the invention.
[0017] Figure 1 is a flow diagram showing a first preferred embodiment of a method of the invention. The method of Figure 1 utilizes a sliding window method for carrying out calculation procedures associated with a se- cret key. The sliding window method is a known method for carrying out multiplication and exponentiation procedures in a binary system. In the following, an example will be shown for carrying out a multiplication C*B by employing the sliding window method when only addition is used and when an external attacker is to be prevented from being given information that would enable him or her to find out the secret key C.
[0018] In binary terms, C is expressed C=C0|Cι|C2|...|Cn, C0≠0. First, the multipliers to be used in the sliding window method are selected randomly. In the present example, the multipliers selected are 1 (01), 3 (11), 5 (101) and 7 (111). [0019] First, the values of the multipliers are calculated:
B
B3= B+B+B
B5= B+B+B+B+B
B7= B+B+B+B+B+B+B [0020] Furthermore, Ak=0 (Ak = intermediate result) and m=0 (m indicates a bit in C, which will be examined in the following), are set. Next, the following is repeated:
[0021] The first one fulfilling the condition is calculated: If Cm|Cm+1|Cm+2 = 111 , Ak=8*(A )+B7 is calculated, m = m+3.
If Cm|Cm+ι |Cm+2 = 101 , Ak=8*(Ak)+B5 is calculated, m = m+3.
If Cm|Cm+ι = 11 , Ak=4*(Ak)+B3 is calculated, m = m+2.
If Cm = 1. Ak=2*(Ak)+B is calculated, m = m+1.
If Cm=0, Ak=2*(Ak) is calculated, m = m+1. This is repeated until m>n. The result is then A .
[0022] In the following, a calculation example will be shown wherein binary numbers C*B are multiplied by applying the above formulas. B=101 , C=101101011101 and the multipliers used are the same as above, i.e. 1 , 3, 5 and 7. The values of the multipliers thus are:
B=101
B3 = B+B+B = 1111
B5= B+B+B+B+B = 11001
B7= B+B+B+B+B+B+B = 100011
Figure imgf000006_0001
[0023] The result of the above calculation is obtained from the last intermediate result Ak, the result thus being 11100011010001. During the calculation, all calculation procedures contributing to the result are carried out utilizing the binary system and addition procedures. In the above example, however, the calculation procedures are also indicated utilizing a decimal system and multiplication in order to make it easier to monitor single calculation procedures.
[0024] In block A of Figure 1 , an input is received. Next, the process moves on to block B, wherein random multipliers to be used in the calculation procedures are selected. In other words, instead of always selecting e.g. 1 , 3, 5 and 7 as the multipliers (as in the previous calculation example), the multipliers are, according to the invention, selected randomly. The multipliers can be allotted randomly each time a response is calculated or, alternatively, the same multipliers can be used in a couple of successive procedures for calcu- lating a response, after which new random multipliers are selected. Preferably, the multipliers selected are relatively long ones, the length of the multipliers being about 8 to 128 bits. It is thus even more difficult for an external attacker to find out the multipliers used.
[0025] In block C, the response is calculated applying a calculation algorithm utilizing the secret key, the input and the sliding window method. The calculation procedures associated with the sliding window method are thus carried out as shown by the example above, using the random multipliers selected in block B.
[0026] Figure 2 illustrates a second preferred embodiment of the method of the invention. The method of Figure 2 also utilizes the sliding window method for carrying out the calculation procedures associated with the secret key. The embodiment of Figure 2 differs from the embodiment of Figure 1 in that in the case of Figure 1 , in each single calculation procedure belonging to the sliding window method, always the highest possible multiplier is selected (in order to carry out the calculation procedure as quickly as possible), while in the case of Figure 2, at least some of the single calculation procedures are carried out using, randomly, a multiplier other than the highest possible one. Consequently, the calculation procedures become slightly slower but the calculations proceed in a more "random" manner, which is why less information will be given to the external attacker even if he or she were compiling statistical information e.g. on the power consumption required for cal information e.g. on the power consumption required for carrying out the calculation procedures.
[0027] In the following, an example will be shown of how, according to the invention, the sliding window method can be applied to carrying out the multiplication C*B such that the multipliers used in the calculation procedures are selected randomly and some of the calculation procedures are selected randomly to be carried out using a multiplier other than the highest one. The calculation procedures only employ addition, and during the calculations, the external attacker is to be prevented from being given information that would enable him or her to find out the secret key C.
[0028] In binary terms, C is expressed C=C0|Cι|C2|...|Cn, C0≠0. First, the multipliers to be used in the sliding window method are selected randomly. In the present example, the multipliers selected are 1 (01), 3 (11) and 5 (101). [0029] First, the values of the multipliers are calculated:
B
B3= B+B+B
B5= B+B+B+B+B.
[0030] Furthermore, Ak=0 (Ak = intermediate result) and m=0 (m in- dicates a bit in C, which will be examined in the following), are set. Next, the following is repeated:
[0031] One of the following fulfilling the condition is calculated (i.e. one of the possible single calculation procedures is selected randomly):
If Cm|Cm+1|Cm+2 >= 101 , Ak=Ak+B5, Cm|Cm+1|Cm+2 = Cm|Cm+ι|Cm+2 -101 is calculated.
If Cm|Cm+1)Cm+2 >= 011 , Ak=Ak+B3, Cm|Cm+1|Cm+2 = CmlCm+ιlCm+2 -011 is calculated. If Cm|Cm+1|Cm+2 >= 001 , Ak=Ak+B, Cm|Cm+1|Cm+2 = Cm|Cm+ι|Cm+2 -001 is calcu- lated.
If m>n-2, the window is moved by calculating Ak=2*Ak, m=m+1.
Figure imgf000008_0001
000 and m=n-2. The result is thus Ak.
[0032] In the following, a calculation example will be shown wherein the binary numbers C*B are multiplied applying the above formulas. B=101 ,
C=101101011101 and the multipliers to be used are the same as above, i.e. 1 , 3 and 5. The values of the multipliers are thus: B=101 , B3 = B+B+B = 1111 and B5= B+B+B+B+B = 11001.
Figure imgf000009_0001
[0033] The result of the above calculation is obtained from the last intermediate result Ak, the result thus being 11100011010001. During the calculation, all calculation procedures contributing to the result are carried out utilizing the binary system and addition procedures. In the above example, however, the calculation procedures are also indicated utilizing a decimal system and multiplication in order to make it easier to monitor single calculation procedures.
[0034] In the flow diagram of Figure 2 illustrating how the second embodiment of the method of the invention proceeds, blocks A' and B' correspond to blocks A and B in Figure 1 , i.e. an input is received in these blocks, after which the multipliers to be used in the calculations are selected randomly.
[0035] In block C, the calculation procedure starts by applying a re- sponse calculation algorithm utilizing the sliding window method.
[0036] When a single calculation procedure starts, it is checked in block D' whether the next single calculation procedure requires the multiplier selected for the sliding window method to be utilized. If not, the process moves on to block I' wherein the calculation procedure is carried out, after which it is checked in block J' whether the calculation procedure has been completed; if not, the process returns to block D'.
[0037] If it is detected in block D' that the next calculation procedure is going to utilize the multiplier selected for the sliding window method, the process moves on to block E'. A random number e.g. between 1 and 10 is then allotted. In block F', it is examined whether the random number is higher than a reference number, e.g. 5, if half of the of the single calculation procedures associated with the sliding window method is to be carried out using the random multiplier. If the random number is higher than the reference number, the process moves on to block H', wherein a multiplier is selected randomly. Alternatively, the process moves on to block G', wherein the highest possible multiplier is selected.
[0038] Blocks F' to H' enable a random number of calculation procedures belonging to the sliding window method to be carried out using a multiplier other than the highest possible one. Consequently, the calculation pro- cedures become slower but the calculations become more random, which makes it even more difficult for the external attacker to find out the secret key. [0039] Figure 3 is a block diagram showing a first preferred embodiment of a device of the invention. In the case of Figure 3, it is assumed that the device 1 is a smart card having a secret key stored in its memory M, either as such or, alternatively, in an encoded format (in which case the en- coding is decoded while the key is being read from the memory). The smart card can be authenticated using the particular secret key because only one smart card exists for which the secret key in question has been stored and which, from the input fed to the smart card, thus generates a response dependent on the secret key. [0040] The device 1 further comprises a calculator P, which may consist e.g. of a processor which, using a predetermined calculation algorithm, calculates the response to the input fed into an inlet 2 of the device, and forwards the response through an outlet 3. In the calculation, the calculation algorithm utilizes the sliding window method and the secret key of the device 1. According to the invention, in the sliding window method the device 1 utilizes multipliers consisting of random numbers generated by a random number generator RND (as described in connection with the flow diagrams of Figures 1 and 2), the multipliers being delivered from the random number generator to the calculator through an internal bus of the device. Furthermore, the device 1 may use the random number generator RND to select some of the single calculation procedures belonging to the sliding window method to be carried out using random multipliers, i.e. using a selected multiplier other than the highest possible one (as described in connection with Figure 2).
[0041] As distinct from the example of Figure 3, the device 1 may be a device other than a smart card. The invention can also be applied e.g. to delivering confidential information over an unreliable data transmission channel, such as the Internet. It is then necessary to be able either to encrypt a message such that an outsider is prevented from reading the message, or, alternatively, to equip the message with an electronic signature, thus enabling the receiver of the message to check the origin of the message. An RSA algorithm is a known algorithm utilized for encrypting messages and providing messages with electronic signatures. The RSA algorithm was introduced by Ronald Rivest, Adi Shamir and Leonard Adelman in 1977. In the RSA algorithm, the messages are encrypted using a public key while they are decrypted using a secret key. Correspondingly, an electronic signature is produced using a secret key while the correctness of the signature is checked using a public key. According to the invention, the device 1 of Figure 3 may thus be e.g. a computer, which receives a message equipped with an electronic signature, and, utilizing the secret key and the method of the invention, checks the correctness of the electronic signature. The response then consists of information indicating whether or not the signature is correct.
[0042] Yet another alternative is that the device 1 of Figure 3 is a computer, which, using a secret key, decrypts a received encrypted message encrypted using a public key matching the secret key. The response thus consists of a message in an uncoded format. [0043] Figure 4 is a flow diagram showing a third preferred embodiment of the method of the invention. The flow diagram of Figure 4 differs from the previous embodiments in that in the case of Figure 4, the secret key necessary for calculating the response is not stored in the memory in an uncoded format. Instead, the secret key is stored in the memory in a format which makes it impossible for an external attacker to benefit from using the secret key in order to obtain information on the secret key, and which makes it extremely simple to utilize the secret key in connection with the sliding window method.
[0044] In block A", the secret key is divided into contributory factors whose sum corresponds to the value of the secret key. At least one of the contributory factors consists of numbers to be multiplied with each other, one such number corresponding to the multiplier selected for the sliding window method. The numbers contained in the contributory factors are stored in the memory. In the embodiment of Figure 4, the secret key C is divided into contributory fac- tors in the following manner:
C= X0 + (K1*X1) + (K2*X2) + ... + (Kn* Xn).
[0045] In the above formula, the secret key is divided into contribu- tory factors whose sum constitutes the secret key C. The contributory factors, in turn, consist of numbers or products of numbers. Some of the numbers are randomly selected multipliers K1 to Kn, which can be changed in connection with each calculation procedure in a manner to be described below. The rest of the numbers X1 to Xn are binary numbers, whose single bits are used for indicating when a multiplier preceding a number is to be utilized. The multipliers K1 to Kn and numbers X0 to Xn are thus stored in the memory. If the de- vice in question is a new smart card or the like to be manufactured, the multipliers and numbers are stored for the first time while the smart card is being manufactured.
[0046] In the following, a calculation example will be shown to clarify the selection of numbers to be stored in block A". Assume that the secret key C=11010101 , and that only one random multiplier has been selected to be used in the sliding window method, the multiplier of the above formula thus being K1=5=101 (in binary terms). Next, the numbers X0 and X1 will be searched for.
Figure imgf000013_0001
[0047] It can be seen from the table above that the multiplier K1=101 is used when the window is at 1 and 6. Bits 1 and 6 of number X1 are then set at a value "1 " and the rest of the bits at a value "0", i.e. X1 =1000001. Similarly, it can be seen that a number 001 is used when the window is at 1 and 2. The bits 1 and 6 are then set at a value "1 " in the number X0 whereas the rest of the bits are set at a value "0", i.e. X0=110000. Instead of the secret key C, the following numbers are thus stored in the memory: X0=110000, K1 =101 , and X1 =1000001.
[0048] The value of the secret key can be found out on the basis of these numbers, applying the above formula, i.e. C=110000+(101*100001). The advantage achieved by storing the numbers in the memory as described above is that at no point in time does the secret key C have to be handled in an uncoded format when it is stored in the memory, read from the memory or when the response is calculated, but it is the above numbers and multipliers that are retrieved from the memory to be handled instead. Furthermore, the present representation makes the response easier to calculate using the sliding window method, as will be described below.
[0049] In block B", the process waits for an input, in response to which an output should be produced. The process then moves on to block C" wherein the numbers stored in the memory are retrieved, after which in block D", the response is calculated utilizing the retrieved numbers and the sliding window method. In the following, an example will be shown of calculating a response, the example relating particularly to the section of the calculation process utilizing the sliding window method. [0050] After the secret key C has been divided into contributory factors as described in connection with block A", i.e.
C= X0 + (K1*X1) + (K2*X2) + ... + (Kn* Xn),
and when a multiplication A=C*B is to be carried out, this corresponds to carrying out the following calculation:
A=B*X0+(K1 *B)*X1 +(K2*B)*X2+...+(Kn*B)*Xn.
In the last formula, the calculations in parenthesis, such as K1*B, correspond to the actual values of the windows used, the binary form of the numbers X1 , X2...Xn indicating when the values of the calculations in parenthesis are to be used in the sliding window method (0 = no multiplication, 1 = multiplication).
[0051] In other words, if the numbers to be multiplied are C*B when the secret key C is stored as described above, i.e. using the numbers mentioned above, whose values are X0=110000, K1=101 and X1 =1000001 , the following calculation will result when it is assumed that B=101.
Figure imgf000015_0001
[0052] In the table above, the calculations are indicated utilizing multiplication and a decimal system in order for the calculation processes to be easier to monitor. In practice, however, all calculations are carried out using binary system numbers and adding procedures exclusively. The calculations proceed in the following manner:
- when a next bit in the numbers X0 and X1 is to be examined, the previous intermediate result is multiplied by 2 - when the value of the bit of the number X0 to be examined is 1 , 001 is added to the intermediate result, and
- when the value of the bit of the number X1 to be examined is 1 , a value of a multiplier corresponding to the number X1 , i.e. 5, (K1=101 , i.e. 5 in the decimal system) is added to the intermediate result. [0053] After the response has been calculated and forwarded utilizing the calculation procedures described in connection with block D", the process moves on to block E" wherein it is checked whether new random multipliers are to be selected. If desired, the random multipliers can be changed each time a response has been generated after a predetermined number of re- sponses has been generated using the same multipliers, or, alternatively, it can be allotted each time a response has been generated whether the multipliers are changed or whether the same multipliers are still to be used. [0054] If the multipliers are changed, the process moves on to block F". When new random multipliers are to be selected, the selection will be carried out in the following manner. Assume that a secret key has been stored in the memory when the new random multipliers were being selected, using numbers X0 to X3 and K1 to K3, which means that the value of the secret key is the sum of four contributory factors as follows:
C= X0 + (K1*X1) + (K2*X2) + (K3*X3).
[0055] When the new multipliers are being selected, according to the invention the numbers of at least one contributory factor used remain unchanged. In the following, it is assumed that numbers K1 and X1 of the second contributory factor (K1*X1) remain unchanged. When the multipliers are changed, it is to be noted that the value of the secret key C is not to change. Consequently, the sum of the contributory factors no longer to be used must correspond to the sum of the new contributory factors replacing the previous ones. The change is carried out in the following manner:
- two new multipliers are selected randomly, i.e. numbers_K2' and K3'
- a new number X2' is selected such that: (K2' * X2') < X0 + (K2 * X2) + (K3 *X3)
- a new number X3' is selected such that:
(K3' * X3') < X0 + (K2 * X2) + (K3 *X3) - (K2'*X2')
- a new X0' is calculated such that:
X0' = X0 + (K2 * X2) + (K3 *X3) - (K2' * X2') - (K3' * X3').
The secret key C can thus be stored using the numbers contained in the following contributory factors:
C= X0' + (K1 * X1) + (K2' * X2') + (K3' *X3'),
i.e. the numbers contained in three contributory factors have been changed while the numbers X1 and K1 of the fourth contributory factor have remained unchanged. The value of the C has not changed since the sum of the changed contributory factors has remained the same although the values of the num- bers contained in the contributory factors have been changed. [0056] Next, the new numbers and the unchanged numbers are stored in the memory in block A", which means that they can be utilized in future calculation procedures until the multipliers are to be changed again.
[0057] It is to be understood that the above description and the related figures are only intended to illustrate the present invention. It will be obvious to one skilled in the art that the invention can be varied and modified in different ways without deviating from the scope and spirit of the invention disclosed in the attached claims.

Claims

1. A method for calculating a response, the method comprising: selecting multipliers to be utilized in a sliding window method, and calculating the response by means of an input, a secret key and a calculation algorithm, the calculation algorithm utilizing said sliding window method and the selected multipliers, characterized by selecting at least some of the multipliers to be utilized in the sliding window method randomly.
2. A method as claimed in claim ^characterized by selecting some of the single calculation procedures of the sliding window method randomly, carrying out calculation procedures other than those selected randomly by using the highest possible multiplier, and carrying out the randomly selected calculation procedures by using a multiplier other than the highest possible one.
3. A method as claimed in claim 1 or 2, characterized by selecting said multipliers to be selected randomly such that the length of the highest multipliers is 8 to 128 bits.
4. A method as claimed in any one of claims 1 to 3, charac- t e r i z e d by dividing the secret key into contributory factors such that the sum of the contributory factors corresponds to the value of the secret key, and such that at least one of the contributory factors consists of numbers to be multiplied with each other, one such number consisting of a multiplier selected ran- domly for the sliding window method, and retrieving, in order to calculate the response, the numbers contained in the contributory factors from the memory and utilizing the numbers in the sliding window method in order to calculate the response to the input.
5. A method as claimed in any one of claims 1 to4, charac- t e r i z e d by carrying out the calculation procedures belonging to the sliding window method such that the calculation procedures caused by moving a window and the calculation procedures caused by handling the bits contained in the window to be examined are carried out in a predetermined order each time a calculation procedure is carried out.
6. A device comprising: an inlet (2) for receiving an input, calculating means (P) for calculating a response by means of the input, a secret key and a calculation algorithm, the calculation algorithm utilizing a sliding window method, and an outlet (3) for forwarding said response, characterized in that the device further comprises a random number generator (RND) to generate at least some of the multipliers utilized by the calculating means (P) in the sliding window method.
7. A device as claimed in claim 6, characterized in that the calculating means (P) are arranged to select some of the single calculation procedures belonging to the sliding window method randomly to be carried out using a multiplier other than the highest one and to carry out calculation procedures other than those selected randomly by using the highest possible multiplier.
8. A device as claimed in claim 6 or 7, characterized in that the random number generator (RND) is arranged to generate multipliers such that the length of the highest multipliers to be utilized in the sliding window method is 8 to 128 bits.
9. A device as claimed in any one of claims 6 to 8, character- i z e d in that said device is a smart card.
10. A device as claimed in any one of claims 6 to 9, character i z e d in that said device is a device which decrypts an encrypted message, in which case said response consists of the message.
11. A device as claimed in any one of claims 6 to 9, charac- t e r i z e d in that said device is a device which checks the correctness of an electronic signature, in which case said response indicates whether or not the electronic signature is correct.
PCT/FI2001/000836 2000-09-29 2001-09-26 Method and device for calculating a response WO2002028009A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001291913A AU2001291913A1 (en) 2000-09-29 2001-09-26 Method and device for calculating a response

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20002151 2000-09-29
FI20002151A FI112708B (en) 2000-09-29 2000-09-29 Method and apparatus for calculating a response

Publications (1)

Publication Number Publication Date
WO2002028009A1 true WO2002028009A1 (en) 2002-04-04

Family

ID=8559195

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2001/000836 WO2002028009A1 (en) 2000-09-29 2001-09-26 Method and device for calculating a response

Country Status (3)

Country Link
AU (1) AU2001291913A1 (en)
FI (1) FI112708B (en)
WO (1) WO2002028009A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018125677A1 (en) * 2016-12-26 2018-07-05 Alibaba Group Holding Limited Key processing method and device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999035782A1 (en) * 1998-01-02 1999-07-15 Cryptography Research, Inc. Leak-resistant cryptographic method and apparatus

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999035782A1 (en) * 1998-01-02 1999-07-15 Cryptography Research, Inc. Leak-resistant cryptographic method and apparatus

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MESSERGES THOMAS D. ET AL.: "Investigations of power analysis attacks on smartcards", USENIX WORKSHOP ON SMARTCARD TECHNOLOGY, 10 May 1999 (1999-05-10) - 11 May 1999 (1999-05-11), CHICAGO, ILLINOIS, USA, XP002905430 *
PHILLIPS B.J. ET AL.: "Implementing 1,024-bitRSA exponentiation on a 32-bit processor core", APPLICATION-SPECIFIC SYSTEMS, ARCHITECTURES AND PROCESSORS, 2000. PROCEEDINGS. IEEE INTERNATIONAL CONFERENCE ON, 10 July 2000 (2000-07-10) - 12 July 2000 (2000-07-12), pages 127 - 137, XP002905429 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018125677A1 (en) * 2016-12-26 2018-07-05 Alibaba Group Holding Limited Key processing method and device
US10721056B2 (en) 2016-12-26 2020-07-21 Alibaba Group Holding Limited Key processing method and device

Also Published As

Publication number Publication date
FI112708B (en) 2003-12-31
FI20002151A0 (en) 2000-09-29
AU2001291913A1 (en) 2002-04-08
FI20002151L (en) 2002-03-30

Similar Documents

Publication Publication Date Title
CN108833103B (en) Method and system for secure communication between a radio frequency identification tag and a reading device
Biham et al. Power analysis of the key scheduling of the AES candidates
US4964164A (en) RSA computation method for efficient batch processing
EP1327932B1 (en) Encryption apparatus and method with side-channel attack resistance
US5737424A (en) Method and system for secure distribution of protected data using elliptic curve systems
Walter et al. Distinguishing exponent digits by observing modular subtractions
JP4671571B2 (en) Secret information processing device and memory for storing secret information processing program
US8479018B2 (en) System for making program difficult to read, device for making program difficult to read, and method for making program difficult to read
EP1308885B1 (en) Information processing and encryption unit
US20020095583A1 (en) Digital signatures on a smartcard
Abdeldaym et al. Modified RSA algorithm using two public key and Chinese remainder theorem
JP2008252299A (en) Cryptographic processing system and cryptographic processing method
EP3202079B1 (en) Exponent splitting for cryptographic operations
Courtois et al. Speed optimizations in Bitcoin key recovery attacks
US7227947B2 (en) Cryptographic method and cryptographic device
EP0792045A2 (en) Method and apparatus for authentication using digital signatures
US7123717B1 (en) Countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm
EP1443393B1 (en) Elliptic curve exponentiation that can counter a differential fault attack
EP1443699A1 (en) Information processing means and IC card
US7742595B2 (en) Cryptographic method protected against covert channel type attacks
Gilbert et al. Attacks on Shamir's ‘RSA for paranoids’
US6609141B1 (en) Method of performing modular inversion
US20040184604A1 (en) Secure method for performing a modular exponentiation operation
WO2002028009A1 (en) Method and device for calculating a response
US20030163760A1 (en) Information processing method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ CZ DE DE DK DK DM DZ EC EE EE ES FI FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PH PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP