Patent classifications
G06F2207/7238
ASYMMETRICALLY MASKED MULTIPLICATION
Methods and systems for masking certain cryptographic operations in a manner designed to defeat side-channel attacks are disclosed herein. Squaring operations can be masked to make squaring operations indistinguishable or less distinguishable from multiplication operations. In general, squaring operations are converted into multiplication operations by masking them asymmetrically. Additional methods and systems are disclosed for defeating DPA, cross-correlation, and high-order DPA attacks against modular exponentiation.
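One way to realize the idea in the abstract, added here as an illustration and not the patent's own construction: a squaring a·a mod n is computed as the multiplication (a·r mod n)·(a·r⁻¹ mod n) with a fresh random unit r, so the multiplier never receives two equal operands and both operands are randomized. Every step of the exponentiation, squaring or multiply, then runs the same sequence of three multiplications. The names masked_mul, masked_modexp and _random_unit are chosen here, and pow(r, -1, n) assumes Python 3.8 or later.

```python
"""Asymmetrically masked squaring inside square-and-multiply (illustrative
example, not the patent's code). A squaring a*a mod n is replaced by the
product (a*r mod n) * (a*r^-1 mod n), so the two operands fed to the
multiplier differ and are randomised; multiplications are masked the same
way so every exponent bit costs the identical operation sequence."""
import math
import secrets


def _random_unit(n, rng=secrets.randbelow):
    """Random r in [2, n) with gcd(r, n) == 1, so r^-1 mod n exists.
    For an RSA modulus a non-unit is found with negligible probability."""
    while True:
        r = rng(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def masked_mul(a, b, n, rng=secrets.randbelow):
    """Compute a*b mod n as (a*r) * (b*r^-1) mod n with a fresh mask r.

    For a == b this is the asymmetrically masked squaring: the operands of
    the final multiplication are u = a*r and v = a*r^-1, which are equal
    only if r^2 == 1 mod n. Returns (product, operands_were_equal)."""
    r = _random_unit(n, rng)
    r_inv = pow(r, -1, n)        # Python 3.8+ modular inverse
    u = (a * r) % n
    v = (b * r_inv) % n
    return (u * v) % n, u == v


def masked_modexp(base, exp, n, rng=secrets.randbelow):
    """Left-to-right square-and-multiply in which every step, squaring or
    multiply, is one call to masked_mul. Returns (result, equal_operand_steps);
    the second value counts final multiplications whose operands coincided
    and is expected to be 0."""
    acc = 1 % n
    equal_ops = 0
    for bit in bin(exp)[2:]:
        # squaring step: identical call shape to the multiply step below
        acc, eq = masked_mul(acc, acc, n, rng)
        equal_ops += eq
        if bit == "1":
            acc, eq = masked_mul(acc, base, n, rng)
            equal_ops += eq
    return acc, equal_ops


if __name__ == "__main__":
    # toy RSA-sized numbers (constructed for the demo): n = 61 * 53
    n, e, m = 3233, 17, 65
    c, equal_ops = masked_modexp(m, e, n)
    print(f"masked: {c}  reference: {pow(m, e, n)}  equal-operand steps: {equal_ops}")
```

The defence addresses an attacker who distinguishes squarings from multiplications by the operand pattern (SPA, or cross-correlation of operand traces); it does not by itself make the modular reduction constant-time, and the per-step inversion is the price of a fresh mask on every operation. A cheaper variant keeps one (r, r⁻¹) pair per exponentiation at the cost of reusing the mask across steps.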
Efficient modular addition resistant to side channel attacks
A cryptographic device performs modular addition between a first integer value x and a second integer value y in a processor by: obtaining a first masked input x̂, a second masked input, a first mask r_x and a second mask r_y, the first masked input x̂ resulting from the first integer value x masked by the first mask r_x and the second masked input resulting from the second integer value y masked by the second mask r_y; computing a first-iteration masked carry value using the first masked input x̂, the second masked input, the first mask r_x, the second mask r_y and a carry mask value; recursively updating the masked carry value at each iteration i to obtain a final masked carry value at iteration k−1, wherein the masked carry value is updated using the first masked input x̂, the second masked input, the first mask r_x, the second mask r_y and the carry mask value; combining the first masked input x̂, the second masked input and the final masked carry value to obtain an intermediate value; combining the intermediate value with the carry mask value to obtain a masked result; and outputting the masked result and a combination of the first mask r_x and the second mask r_y. It is preferred that the combinations use XOR.
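The carry recursion the abstract describes, written out as a first-order Boolean-masked addition mod 2^k. This is an added illustration of the scheme, not the patent's code: the inputs arrive as x_m = x ⊕ r_x and y_m = y ⊕ r_y, the carry into each bit position is kept masked by a random carry-mask word r_c throughout the recursion, and the output is the sum masked by r_x ⊕ r_y together with that combined mask. The masked AND gadget used for the carry products is the Trichina construction, chosen here; the names masked_add, _masked_and, mask and check are also chosen here.

```python
"""First-order Boolean-masked addition mod 2**k with a masked carry chain
(illustrative example of the abstract's scheme, not the patent's code).
At no point is a masked value XORed with its own mask before the result is
ready: the carry products are computed on masked bits, the new carry is
re-masked under r_c[i+1], and the final unmasking removes only r_c."""
import secrets


def _bit(word, i):
    return (word >> i) & 1


def _masked_and(a_m, r_a, b_m, r_b, m):
    """Trichina-style masked AND on single bits: given a_m = a ^ r_a and
    b_m = b ^ r_b plus a fresh mask bit m, return (a & b) ^ m.
    Starting from m keeps every intermediate value masked."""
    z = m ^ (a_m & b_m)
    z ^= a_m & r_b
    z ^= r_a & b_m
    z ^= r_a & r_b
    return z


def masked_add(x_m, y_m, r_x, r_y, k, rng=secrets.randbits):
    """Return (s_m, r_s) with s_m ^ r_s == (x + y) % 2**k, where
    x_m = x ^ r_x and y_m = y ^ r_y are k-bit masked inputs."""
    word = (1 << k) - 1
    r_c = rng(k)                 # carry mask word: one mask bit per position
    c_m = r_c & 1                # carry into bit 0 is 0, masked: 0 ^ r_c[0]
    for i in range(k - 1):
        # carry_{i+1} = (x_i & y_i) ^ (c_i & (x_i ^ y_i)), on masked bits only
        t_m = _bit(x_m, i) ^ _bit(y_m, i)        # (x_i ^ y_i) under r_x[i]^r_y[i]
        r_t = _bit(r_x, i) ^ _bit(r_y, i)
        m1, m2 = rng(1), rng(1)                  # fresh masks for the two ANDs
        p_m = _masked_and(_bit(x_m, i), _bit(r_x, i), _bit(y_m, i), _bit(r_y, i), m1)
        q_m = _masked_and(_bit(c_m, i), _bit(r_c, i), t_m, r_t, m2)
        # re-mask p ^ q under r_c[i+1]: p_m ^ (m1 ^ m2 ^ r_c[i+1]) is still
        # hidden by m2; XORing q_m then cancels m2 and leaves carry ^ r_c[i+1]
        next_m = (p_m ^ (m1 ^ m2 ^ _bit(r_c, i + 1))) ^ q_m
        c_m |= next_m << (i + 1)
    intermediate = x_m ^ y_m ^ c_m      # (x ^ y ^ carry) ^ r_x ^ r_y ^ r_c
    s_m = (intermediate ^ r_c) & word   # strip the carry mask, keep r_x ^ r_y
    return s_m, (r_x ^ r_y) & word


def mask(value, k, rng=secrets.randbits):
    """Split a k-bit value into (masked value, mask)."""
    r = rng(k)
    return value ^ r, r


def unmask(value_m, r):
    return value_m ^ r


def check(x, y, k):
    """Mask both inputs, add them masked, unmask, compare with plain addition."""
    x_m, r_x = mask(x, k)
    y_m, r_y = mask(y, k)
    s_m, r_s = masked_add(x_m, y_m, r_x, r_y, k)
    return unmask(s_m, r_s) == (x + y) % (1 << k)


if __name__ == "__main__":
    # constructed sample inputs, 32-bit words
    for x, y in ((0xDEADBEEF, 0x12345678), (0xFFFFFFFF, 1), (0, 0)):
        print(hex(x), "+", hex(y), "ok" if check(x, y, 32) else "MISMATCH")
```

The output mask r_x ⊕ r_y is fixed by the input masks, so s_m itself is deterministic for given masked inputs; only the carry mask and the per-bit AND masks are fresh. The loop runs k−1 carry steps, which is the ripple-carry cost the abstract's recursion implies; a log-depth carry network would need the same masked AND gadget at every node.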