Key generation and PACE with protection against side channel attacks

US2023041237A1 · US · A1

Patent metadata

  • Publication number: US-2023041237-A1
  • Application number: US-202117760016-A
  • Country: US
  • Kind code: A1
  • Filing date: Feb 3, 2021
  • Priority date: Feb 7, 2020
  • Publication date: Feb 9, 2023
  • Grant date:

Abstract

Official abstract text for this publication.

A method for key generation is arranged in a client processor device, by means of which a second public client key $P_c'$ of the client is generated. The public key $P_c'$ is formed by a calculation, or sequence of calculations, which does not contain any operation whose result depends exclusively on the nonce $s$ and at least one public value, or the public key $P_c'$ being formed by a calculation, or sequence of calculations, where into each operation in which the nonce $s$ enters, at least one non-public value enters, in particular the first private client key $k_c$ or the second private client key $k_c'$, for example as a result of the calculation $P_c' = (k_c' \cdot s) \cdot G + (k_c' \cdot k_c) \cdot P_t$.
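
An added example (not code from the patent or its applicant): on a toy curve with constructed keys, it checks that the abstract's formula and forms (ii) to (iv) of claim 16 give the same second public client key as the unprotected computation k_c'·(s·G + H_c). That baseline is an assumption taken from the PACE generic mapping and is not stated on this page; the curve parameters and function names are illustrative.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) has prime order 19.
# Constructed teaching parameters, far too small for real use.
P, A, N = 17, 2, 19
G = (5, 1)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add; not constant time, used only to check the algebra."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def derive_all(k_c, k_c2, s, p_t):
    """P_c' via the baseline and via each protected form (k_c2 is k_c')."""
    inv_s = pow(s, -1, N)        # 1/s modulo the group order
    h_c = mul(k_c, p_t)          # H_c = k_c * P_t
    return {
        # Baseline (assumed): s*G depends only on s and the public G.
        "baseline": mul(k_c2, add(mul(s, G), h_c)),
        # Abstract: s is multiplied into k_c' before touching a point.
        "abstract": add(mul(k_c2 * s % N, G), mul(k_c2 * k_c % N, p_t)),
        "claim16_ii": mul(k_c2 * s % N, add(G, mul(k_c * inv_s % N, p_t))),
        "claim16_iii": mul(s, add(mul(k_c2, G), mul(k_c2 * inv_s % N, h_c))),
        "claim16_iv": mul(s, add(mul(k_c2, G),
                                 mul(k_c2 * k_c * inv_s % N, p_t))),
    }

if __name__ == "__main__":
    P_t = mul(11, G)             # constructed terminal key, k_t = 11
    for name, point in derive_all(k_c=7, k_c2=3, s=5, p_t=P_t).items():
        print(f"{name:12s} {point}")
```

All five results coincide; the forms differ only in which intermediate values a side-channel observer could correlate with the nonce.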

First claim

Opening claim text (preview).

1.-12. (canceled)

13. A method for key generation, arranged in a client processor device, by means of which a second public client key $P_c'$ of the client is derived, wherein the method for key generation comprises the steps carried out in the client processor device:
  (1.1) generating a nonce $s$;
  (2.1) generating a first asymmetric key pair $[k_c, P_c]$ of the client, comprising a first public client key $P_c$ and a first private client key $k_c$, the first public client key $P_c$ being formed as a result of the point multiplication $P_c = k_c \cdot G$ of the first private client key $k_c$ with the generator point $G$ of the elliptic curve;
  (2.2) receiving, from a terminal, a first public terminal key $P_t$ which is included in a first asymmetric key pair of the terminal, which key pair comprises the first public terminal key $P_t$ and a first private terminal key $k_t$;
  (3.1) generating a second asymmetric key pair $[k_c', P_c']$ of the client, comprising a second public client key $P_c'$ and a second private client key $k_c'$;
  wherein the public key $P_c'$ is formed by a calculation, or sequence of calculations, which does not contain any operation whose result depends exclusively on the nonce $s$ and at least one public value.

14. The method for key generation, arranged in a client processor device, by means of which a second public client key $P_c'$ of the client is derived, wherein the method for key generation comprises the steps carried out in the client processor device:
  (1.1) generating a nonce $s$;
  (2.1) generating a first asymmetric key pair $[k_c, P_c]$ of the client, comprising a first public client key $P_c$ and a first private client key $k_c$, the first public client key $P_c$ being formed as a result of the point multiplication $P_c = k_c \cdot G$ of the first private client key $k_c$ with the generator point $G$ of the elliptic curve;
  (2.2) receiving, from a terminal, a first public terminal key $P_t$ which is included in a first asymmetric key pair of the terminal, which key pair comprises the first public terminal key $P_t$ and a first private terminal key $k_t$;
  (3.1) generating a second asymmetric key pair $[k_c', P_c']$ of the client, comprising a second public client key $P_c'$ and a second private client key $k_c'$;
  wherein the public key $P_c'$ is formed by a calculation, or sequence of calculations, where into each operation in which the nonce $s$ enters, at least one non-public value enters, in particular the first private client key $k_c$ or the second private client key $k_c'$.

15. The method according to claim 13, wherein: as a public value, or public values, at least one of the following is provided: the generator point $G$, the first public terminal key $P_t$, the first private terminal key $k_t$, the intermediate value $H_c$ of the PACE protocol; or/and as a non-public value, at least one of the following is provided: the first private client key $k_c$, the second private client key $k_c'$.

16. The method according to claim 13, wherein step (E3.2*) is carried out as one of the following calculations (i), (ii), (iii) or (iv) which comprise therein one or more operations, in particular point additions + or/and point multiplications · or/and modular multiplications · or/and modular divisions /:
  (i) $P_c' = P_1 + P_2$, with: $P_1 = (k_c' \cdot s) \cdot G$ or $P_1 = s \cdot (k_c' \cdot G)$, and with: $P_2$ is equal to the result of an operation or sequence of operations with the second private client key $k_c'$, the first private client key $k_c$ and the first public terminal key $P_t$; in particular: $P_2 = (k_c' \cdot k_c) \cdot P_t$; or $P_2 = k_c' \cdot H_c$; or
  (ii) $P_c' = (k_c' \cdot s) \cdot (G + (k_c / s) \cdot P_t)$; or
  (iii) $P_c' = s \cdot ((k_c' \cdot G) + (k_c' / s) \cdot H_c)$; or
  (iv) $P_c' = s \cdot ((k_c' \cdot G) + (k_c' \cdot k_c / s) \cdot P_t)$;
  wherein $H_c$ is equal to the result of the point operation $H_c = k_c \cdot P_t$.

17. The method for key generation according to claim 13, wherein step (1.1) generating a nonce is carried out as: (E1.1*) generating and making available, or making available, at least one masking value $m$; generating a masked nonce $s_m$; and wherein in step (E3.2*) the masked nonce $s_m$ and the masking value $m$, $[s_m, m]$, are used as nonce $s$.

18. The method according to claim 17, wherein step (E3.2*) is carried out as one of the following calculations: $P_c' = P_1 + P_2$, with: $P_1 = (k_c' \cdot s_m + k_c' \cdot (\sum_{j=1}^{k} m_j)) \cdot G$ or $P_1 = (k_c' \cdot s_m) \cdot G + \sum_{j=1}^{k} ((k_c' \cdot m_j) \cdot G)$ and with: $P_2$ equal to the result of a point operation, or sequence of point operations, on the second private client key $k_c'$, the first private client key $k_c$ and the first public terminal key $P_t$.

19. The method according to claim 13, further comprising:
  (C) (1.1) in the client, encrypting the nonce $s$ with a password PIN stored in the client so that an encrypted nonce $s' = \mathrm{Enc}(s; \mathrm{PIN})$ is generated, or in the case of a masked nonce $s_m$ (E1.1*) encrypting the masked nonce $s_m$ and the mask $m$ with the password PIN so that an encrypted nonce $s' = \mathrm{Enc}'(s_m, m; \mathrm{PIN})$ is generated;
  (C) (1.2) transmitting the encrypted nonce $s'$ from the client to the terminal.

20. A client processor device arranged to execute a method for key generation according to claim 13.

21. A method for key agreement and authentication between a client and a terminal, comprising the steps of:
  (C) in the client, carrying out a method for key generation according to claim 19 so that a second public client key $P_c'$ of the client is derived;
  (C) (2.2) transmitting the first public client key $P_c$ to the terminal;
  (T) (1.2) in the terminal, accepting a password PIN_user which has been entered by a user at the terminal;
  (T) (1.4) in the terminal, receiving the encrypted nonce $s'$ sent by the client and decrypting the encrypted nonce $s'$ with the password PIN_user entered by the user so that a terminal nonce $s_t = \mathrm{Dec}(s', \mathrm{PIN\_user})$ is derived;
  (T) in the terminal, carrying out a terminal method for key generation comprising the steps of:
  (T) (2.1) in the terminal, generating the first asymmetric key pair $[k_t, P_t]$ of the terminal, comprising the first public terminal key $P_t$ and the first private terminal key $k_t$, the first public terminal key $P_t$ being formed as a result of the point multiplication $P_t = k_t \cdot G$ of the first private terminal key $k_t$ with the generator point $G$ on the elliptic curve;
  (T) (2.2) in the terminal, receiving, from the client, the first public client key $P_c$;
  (T) in the terminal, generating a second asymmetric key pair $[k_t', P_t']$ of the terminal, comprising a second public terminal key $P_t'$ and a second private terminal key $k_t'$, the second public terminal key $P_t'$ being derived using the first public client key $P_c$ received from the client, the first private terminal key $k_t$, the terminal nonce $s_t'$, the generator point $G$ on the elliptic curve, and the second private terminal key $k_t'$;
  (AUTH) using the second public client key $P_c'$ and the second public terminal key $P_t'$ in a key agreement and authentication protocol between the client and the terminal.

22. The method according to claim 21, wherein when generating the second asymmetric key pair $[k_t', P_t']$ of the terminal, the second public terminal key $P_t'$ is derived by the following substeps:
  (T) (2.3) in the terminal, generating a derived point $H_t$ on the elliptic curve by point multiplication $H_t = k_t \cdot P_c$ of the first public client key $P_c$ received from the client with the first private terminal key $k_t$;
  (T) (2.4) in the terminal, deriving a derived generator point $G_t'$ on the elliptic curve by p

Classifications

  • of operations, operands or results of the operations

  • using a predetermined code, e.g. password, passphrase or PIN (network architectures or network communication protocols for supporting authentication of entities using passwords in a packet data network H04L63/083)

  • H04L9/003 (Primary): for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]

  • using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

  • involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Giesecke & Devrient Mobile Security Gmbh
What technology area does this patent fall under?
Primary CPC classification H04L9/003. Mapped technology areas include Electricity.
When was this patent published?
Publication date Feb 9, 2023 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).