G06F2207/7219

APPARATUS AND METHOD FOR CIPHERTEXT COMPARISON CAPABLE OF PREVENTING SIDE CHANNEL ATTACK

A ciphertext comparison method according to an embodiment is performed by a processor in a computing apparatus, and the method includes an operation of segmenting a first ciphertext and a second ciphertext into m part bitstreams (in this instance, m is a natural number satisfying 1<m), respectively; an operation of extracting a value corresponding to a (j−1)th part bitstream (in this instance, j=i+1, i is a natural number satisfying 0≤i≤m−1) of the first ciphertext and a (j−1)th part bitstream of the second ciphertext, as a jth intermediate value between a first value and a second value in a first lookup table including the first value and the second value of which Hamming weights are identical; an operation of extracting a value corresponding to the jth intermediate value and a (j−1)th result value, as a jth result value between a third value and a fourth value in a second lookup table including the third value and the fourth value of which Hamming weights are identical; and in a case of j≠m, an operation of repeatedly performing extraction as the jth intermediate value and extraction as the jth result value by increasing j; and in a case of j=m, an operation of outputting an mth result value as a result value of comparison between the first ciphertext and the second ciphertext.

VERIFICATION OF THE SENSITIVITY OF AN ELECTRONIC CIRCUIT EXECUTING A MODULAR EXPONENTIATION CALCULATION
20170060535 · 2017-03-02

A method of verifying the sensitivity of an electronic circuit executing a modular exponentiation calculation in a first register and a second register, successively including, for each bit of the exponent: a first step of multiplying the content of one of the registers, selected from among the first register and the second register according to the state of the bit of the exponent, by the content of the other one of the first and second registers, placing the result in said one of the registers; a second step of squaring the content of said other one of the registers by placing the result in this other register, wherein the content of that of the first and second registers which contains the multiplier of the operation of the first step is disturbed, for each bit of the exponent, during the execution of the first step.

PROTECTION OF A MODULAR EXPONENTIATION CALCULATION
20170061119 · 2017-03-02

A method of protecting a modular exponentiation calculation executed by an electronic circuit using a first register and a second register, successively comprising, for each bit of the exponent: a first step of multiplying the content of one of the registers, selected from among the first register and the second register according to the state of the bit of the exponent, by the content of the other one of the first and second registers, placing the result in said one of the registers; a second step of squaring the content of said other one of the registers by placing the result in this other register, wherein the content of said other one of the registers is stored in a third register before the first step and is restored in said other one of the registers before the second step.

Consistent Speculation of Pointer Authentication

In an embodiment, a processor includes hardware circuitry which may be used to authenticate instruction operands. The processor may execute instructions that perform operand authentication both speculatively and non-speculatively. During speculative execution of such instructions, the processor may execute authentication such that no differences in observable state of the processor, relative to authentication result, are detectable via a side channel. During speculative execution, a result of authentication may be deferred until speculative execution of the instruction, and additional instructions, may be completed. Upon resolution of a condition that indicates acceptance of the speculative execution, a speculative execution result may cause a processor exception and stalling of execution at the instruction to be performed.

Protection of a cryptographic operation
12250303 · 2025-03-11

The present disclosure relates to a cryptographic method comprising: multiplying a point belonging to a mathematical set with a group structure by a scalar by performing: the division of the scalar into a plurality of groups formed of a same number w of digits, w being greater than or equal to 2; and the execution, by a cryptographic circuit and for each group of digits, of a sequence of operations on the point, the sequence of operations being identical for each group of digits, at least one of the operations executed for each of the groups of digits being a dummy operation.

Consistent speculation of pointer authentication

In an embodiment, a processor includes hardware circuitry which may be used to authenticate instruction operands. The processor may execute instructions that perform operand authentication both speculatively and non-speculatively. During speculative execution of such instructions, the processor may execute authentication such that no differences in observable state of the processor, relative to authentication result, are detectable via a side channel. During speculative execution, a result of authentication may be deferred until speculative execution of the instruction, and additional instructions, may be completed. Upon resolution of a condition that indicates acceptance of the speculative execution, a speculative execution result may cause a processor exception and stalling of execution at the instruction to be performed.
