Title of invention: METHOD FOR MODULAR EXPONENTIATION, PROTECTED AGAINST DPA-TYPE ATTACKS
Abstract: The invention relates to the protection of cryptographic methods against DPA-type covert channel attacks and, in particular, to a cryptographic method during which an x^d-type modular exponentiation is performed, wherein d is a whole number exponent of m+1 bits, consisting in: scanning the d bits from left to right in a loop subscripted by i varying between m and 0; and, with each revolution of rank i, calculating and saving an updated partial result equal to x^b(i) in an accumulator (R0), b(i) being the most significant m-i+1 bits of exponent d (b(i) = d_{m->i}). According to the invention, at the end of a revolution of randomly-selected rank i(j) (i = i(0)), a randomisation step E1 is performed, consisting in subtracting a random number z (z = b(i(j)), z = b(i(j)).2^t, z = u) from part of the d bits that have not yet been used (d_{i-1->0}) in the method. Subsequently, once the d bits modified by randomisation step E1 have been used, a consolidation step E2 is performed, consisting in saving (R0 <- R1xR0), in the accumulator (R0), the result of the multiplication of the contents of the accumulator (x^b(i)) by a number that is a function of x^z stored in a register (R1).
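Publication number: WO2005069122(A3) Publication date: 2006.06.01
Application number: WO2004EP53472 Filing date: 2004.12.14
Applicant: GEMPLUS; CHEVALLIER-MAMES, BENOIT Inventor: CHEVALLIER-MAMES, BENOIT
Classification: G06F7/72; G06F21/72 Main classification: G06F7/72
Agency: Agent:
Main claim:
Address: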
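The z = b(i) variant from the abstract, written out as an added example (not text or code from the patent): E1 subtracts the already-used top bits from the unused low bits and banks x^z in R1, and E2 multiplies R1 back into R0 at the end. The modulus `n`, the `coin` source, the accumulation of several E1 steps in one R1, and the guard `low >= z` (which keeps the subtraction from borrowing into bits already used) are assumptions of this example; Python integers are not constant-time, so it shows the arithmetic only.

```python
import secrets


def self_randomized_modexp(x, d, n, coin=lambda: secrets.randbits(1)):
    """Left-to-right square-and-multiply for x^d mod n with steps E1 and E2.

    Returns (result, ranks), where ranks lists the ranks i at which the
    randomisation step E1 was applied. `coin` is a hypothetical hook that
    decides, per rank, whether E1 is attempted.
    """
    m = d.bit_length() - 1
    r0 = 1       # accumulator R0: x^b(i) for the exponent as currently modified
    r1 = 1       # register R1: x^(sum of every z subtracted so far)
    ranks = []
    for i in range(m, -1, -1):
        # Ordinary revolution of rank i: square, then multiply if bit i is set.
        r0 = (r0 * r0) % n
        if (d >> i) & 1:
            r0 = (r0 * x) % n

        # E1: z = b(i) is the value of the bits already used, so R0 == x^z.
        z = d >> i
        low = d & ((1 << i) - 1)        # unused bits d_{i-1->0}
        if coin() and low >= z:         # guard (assumption): no borrow into used bits
            d -= z                      # only the unused low bits change
            r1 = (r1 * r0) % n          # remember x^z for consolidation
            ranks.append(i)

    # E2: consolidation, R0 <- R1 x R0, restores x^(original d).
    return (r1 * r0) % n, ranks


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    x, d, n = 0x1234567, 0xC0FFEE1234567, (1 << 61) - 1
    for _ in range(3):
        result, ranks = self_randomized_modexp(x, d, n)
        print(hex(result), result == pow(x, d, n), "E1 at ranks", ranks)
```

Each run randomises a different set of ranks, so the sequence of multiplications differs between runs while the result stays the same.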