Title Modular exponentiation method and device resistant against side-channel attacks
Abstract A method and apparatus for performing modular exponentiation using iterative modular multiplication steps, taking as input a first modulus N, a secret exponent d and a base x. During at least one modular multiplication step that computes a result c from two values a, b and the first modulus N such that c = a·b mod N, a processor takes as input the two values a, b and the first modulus N and derives from them two operands a′, b′ and a second modulus N′ using operations of at most linear complexity, such that at least one of the two operands a′, b′ differs from the two values a, b, and a′ and b′ differ whenever a equals b; from a side-channel viewpoint the modular multiplication c = a·b mod N thus behaves like a modular squaring except when a′ equals b′. An intermediate result c′ = a′·b′ mod N′ is computed, the result c is derived from the intermediate result c′ using an operation of at most linear complexity, and the result c is used in the modular exponentiation.
Publication number US8984040(B2) Publication date 2015.03.17
Application number US201213469139 Filing date 2012.05.11
Applicant Thomson Licensing Inventor Joye Marc
Classification G06F7/38;G06F7/72 Main classification G06F7/38
Attorney/Agent Shedd Robert D.;Kiel Paul P.
Independent claim 1. A method of performing in an electronic device a modular exponentiation in a cryptographic operation comprising iterative modular multiplication steps and taking as input a first modulus N, a secret exponent d and a base x, the method being performed in a processor of the electronic device and comprising the steps, during at least one modular multiplication step aiming at computing a result c from two values a, b and the first modulus N so that c=a·b mod N, of: taking, by the processor, as input the two values a, b and the first modulus N; obtaining, by the processor, from the two values a, b and the first modulus N, two operands a′, b′ and a second modulus N′ such that at least one of the two operands a′, b′ is different from the two values a, b, and that the two operands a′, b′ are different when a is equal to b, so that the modular multiplication c=a·b mod N from a side-channel viewpoint behaves like a modular squaring except for when a′ equals b′; wherein the operand a′ is obtained from the value a, the operand b′ is obtained from the value b, and the second modulus N′ is obtained from the first modulus N using operations with at most linear complexity; computing, by the processor, an intermediate result c′=a′·b′ mod N′; deriving, by the processor, the result c from the intermediate result c′, wherein c is obtained from c′ using an operation with at most linear complexity; and using, by the processor, the result c in the modular exponentiation of the cryptographic operation.
Address Issy-les-Moulineaux, FR
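The following Python program is an added example, not code from the patent or from Thomson Licensing, illustrating the property that claim 1 describes. The record specifies no concrete operand transform, so the choice a′ = a, b′ = b + N, N′ = N is an assumption made here: it costs one addition (linear in the size of N), leaves the product unchanged modulo N, and guarantees a′ ≠ b′ for all reduced inputs, including the squaring case a = b, because b′ lies in [N, 2N) while a′ lies in [0, N). The `trace` list models an attacker who can tell whether the multiplier was handed two equal operands, and `recover_exponent` is the corresponding hypothetical square/multiply distinguisher; the sample modulus, base and exponent are constructed values.

```python
"""Illustrative instantiation of the operand transform in claim 1.

Added example (not the patent's code).  Assumed transform:
a' = a, b' = b + N, N' = N.
"""
from __future__ import annotations


def transform_operands(a: int, b: int, N: int) -> tuple[int, int, int]:
    """Derive (a', b', N') from (a, b, N) with at most linear work.

    Assumed instantiation: a' = a, b' = b + N, N' = N.  For reduced
    0 <= a, b < N this gives a' != b' even when a == b.
    """
    return a, b + N, N


def plain_mul(a: int, b: int, N: int, trace: list) -> int:
    """Reference multiplication: hands the multiplier the raw operands."""
    trace.append(a == b)  # what an operand-equality distinguisher observes
    return a * b % N


def masked_mul(a: int, b: int, N: int, trace: list) -> int:
    """c = a*b mod N computed as c' = a'*b' mod N', then c derived from c'."""
    a1, b1, N1 = transform_operands(a, b, N)
    trace.append(a1 == b1)          # never True for reduced a, b
    c1 = a1 * b1 % N1               # intermediate result c'
    return c1                       # with N' = N, c = c' (no extra work)


def exponentiate(x: int, d: int, N: int, mul, trace: list) -> int:
    """Left-to-right binary exponentiation x^d mod N.

    Every squaring and every multiplication goes through `mul`, so the
    recorded trace is exactly the sequence of operand pairs the
    multiplier would see.
    """
    if N <= 1:
        raise ValueError("modulus must be > 1")
    x %= N
    acc = 1 % N
    for bit in bin(d)[2:]:          # most significant bit first
        acc = mul(acc, acc, N, trace)       # squaring: a == b
        if bit == "1":
            acc = mul(acc, x, N, trace)     # multiplication: a != b
    return acc


def recover_exponent(trace: list) -> int | None:
    """Hypothetical attacker: each True (equal operands) is a squaring; a
    squaring immediately followed by a non-equal multiplication is a 1-bit.

    Returns None when the trace does not start with a squaring, i.e. when
    the equality pattern gives nothing to parse.  (With plain_mul a
    multiplication can also show equal operands by coincidence when
    acc == x; the sample inputs below avoid that.)
    """
    bits = []
    i = 0
    while i < len(trace):
        if not trace[i]:
            return None
        if i + 1 < len(trace) and not trace[i + 1]:
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


if __name__ == "__main__":
    # Constructed sample inputs: small modulus so the trace is easy to read.
    N, x, d = 101, 3, 11
    t_plain, t_masked = [], []
    r_plain = exponentiate(x, d, N, plain_mul, t_plain)
    r_masked = exponentiate(x, d, N, masked_mul, t_masked)
    print("plain :", r_plain, t_plain, "leaks d =", recover_exponent(t_plain))
    print("masked:", r_masked, t_masked, "leaks d =", recover_exponent(t_masked))
```

Running it shows plain square-and-multiply leaking d = 11 from the equality pattern alone, while the masked version returns the same result with a trace containing no equal-operand event. Two caveats for a real implementation: the multiplier must accept an operand in [N, 2N), so a Montgomery-style routine needs that headroom in its input bound, and the transform only neutralises distinguishers keyed on operand equality; leakage that depends on the operand values themselves is outside what this example addresses.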