G06F2207/7233

Converting a boolean masked value to an arithmetically masked value for cryptographic operations

A first input share value, a second input share value, and a third input share value may be received. The first input share value may be converted to a summation or subtraction between an input value and a combination of the second input share value and the third input share value. A random number value may be generated and combined with the second input share value and the third input share value to generate a combined value. Furthermore, a first output share value may be generated based on a combination of the converted first input share value, the combined value, and additional random number values.

Method for securing a cryptographic process with SBOX against high-order side-channel attacks
11256478 · 2022-02-22

The present invention relates to a method for securing against N-order side-channel attacks a cryptographic process using in a plurality of encryption rounds an initial Substitution box S_0 comprising the steps of: —generating (E12) a first randomized substitution box S_1 by masking said initial substitution box S_0 such that S_1(x XOR m_1) = S_0(x) XOR m_2, with m_1, m_2 uniformly-distributed random values, for any input value x of the initial substitution box S_0, —generating (E13) a first transrandomized Substitution box S(1, 1) from the first randomized substitution box S_1 and from masks m_{1,1}, m′_{1,1} such that S(1, 1)[x] = S_1[x xor (m_1 xor m_{1,1})] xor (m_2 xor m′_{1,1}) for any input value x of the first transrandomized Substitution box S(1, 1), —generating (E14) from the first transrandomized Substitution box S(1, 1) a N−1th transrandomized Substitution box S(1, N−1) by performing iteratively N−2 times a step of generation of a ith transrandomized Substitution box S(1, i) from a i−1th transrandomized substitution box S(1, i−1) and from a plurality of masks m_{1,i}, m′_{1,i}, m_{1,i−1}, m′_{1,i−1} such that S(1, i)[x] = S(1, i−1)[x xor (m_{1,i−1} xor m_{1,i})] xor (m′_{1,i−1} xor m′_{1,i}) for any input value x of the ith transrandomized substitution box S(1, i), with i an integer comprised in {2, ..., N−1}, —performing the cryptographic process using (E15) the N−1th transrandomized Substitution box S(1, N−1) instead of the initial Substitution box S_0 in at least said first round of the cryptographic process.

CONSTANT TIME SECURE ARITHMETIC-TO-BOOLEAN MASK CONVERSION
20210406406 · 2021-12-30

A first arithmetic input share and a second arithmetic input share of an initial arithmetically-masked cryptographic value are received. A sequence of operations using the arithmetic input shares and a randomly generated number is performed, where a current operation in the sequence of operations generates a corresponding intermediate value that is used in a subsequent operation. At the end of the sequence of operations, a first Boolean output share and a second Boolean output share are generated. The arithmetic-to-Boolean mask conversion is independent of the input bit length.

Computation device and method

Some embodiments are directed to an electronic computation device (100) arranged for obfuscated execution of a multiplication. The device comprises a storage (120) arranged for storing multiple variables used in the execution of an arithmetic operation, a variable (x: y; 2) of the multiple variables being represented as multiple multiplicative shares (X=(x_0, x_1, ..., x_{m−1}); Y=(y_0, y_1, ..., y_{m−1}); 20), said multiplicative shares being represented in the storage as multiple additive shares (x_i=(x_{i,0}, x_{i,1}, ..., x_{i,n−1}); y_i=(y_{i,0}, y_{i,1}, ..., y_{i,n−1}); 210, 220).

Method secured against side-channel attacks performing an arithmetic operation of a cryptographic algorithm mixing Boolean and arithmetic operations
11385893 · 2022-07-12

The present invention relates to a method secured against side channel attacks performing an arithmetic operation of a cryptographic algorithm mixing Boolean and arithmetic operations, wherein said method is performed by a cryptographic device comprising a processing system having at least one hardware processor, and said operation has a first value (x) and a second value (y) as operands, comprising: —obtaining (S1) a first masked value (x′), a second masked value (y′), a first Boolean mask (r_x), a second Boolean mask (r_y), said first masked value (x′) resulting from masking said first value (x) by said first Boolean mask (r_x) by performing a Boolean exclusive OR (XOR) operation between said first value (x) and said first Boolean mask (r_x), and said second masked value (y′) resulting from masking said second value (y) by said second Boolean mask (r_y) by performing a Boolean exclusive OR (XOR) operation between said second value (y) and said second Boolean mask (r_y), —performing (S2) in any order a plurality of computing steps combining values among said first masked value (x′), said second masked value (y′), said first Boolean mask (r_x) and said second Boolean mask (r_y) to obtain a boolean masked result equal to the result of the arithmetic operation having said first value (x) and said second value (y) as operands, masked by a third boolean mask (r_x xor r_y) resulting from performing said Boolean exclusive OR (XOR) operation between said first Boolean mask (r_x) and said second Boolean mask (r_y) ((x+y) xor (r_x xor r_y)), wherein said computing steps perform Boolean exclusive OR (XOR) operations or arithmetic operations between said values without disclosing any information relative to the first and second values and, wherein said computing steps are executed by the hardware processor by performing a constant number of elementary operations whatever the bit-size of said first and second values, —outputting (S3) said boolean masked result of the arithmetic operation between said first value (x) and said second value (y).

COMMUNICATION DATA TEXT CONFUSION ENCRYPTION METHOD
20220276841 · 2022-09-01

Provided is a confusion encryption method for communication data text that can prevent attackers from impersonating senders. A plain text is changed to a primary communication data text by adding a one time ID. Confusion is created in the primary communication data text by using a first confusion random number. The confused primary communication data text is changed to a first modified communication data text by adding the first confusion random number. A circular shift operation is performed on the entire first modified communication data text by using a shift count based on a second confusion random number, and the first modified communication data text is then changed to a second modified communication data text by adding the second confusion random number. The second modified communication data text is changed to a communication data text by encryption.

Method and system for encrypting/decrypting data with ultra-low latency for secure data storage and/or communication
11075889 · 2021-07-27

The system comprises a sending entity (100) and a receiving entity (200). The sending entity (100) is suitable for generating a random mask (MA) with m bits; applying an XOR operation between the raw data block to be encrypted (T) and the random mask (MA) thus generated to obtain a primary encrypted block (CPV) with m bits; and applying a permutation (PE) on the concatenation of the random mask (MA) and the primary encrypted block (CPV) to obtain a secondary encrypted block (CS). The receiving entity (200) is suitable for receiving the secondary encrypted block (CS) of 2*m bits; applying an inverse permutation (PI) on the secondary encrypted block thus received to obtain the de-concatenation of a random mask (MA) and a primary encrypted block (CPV) with m bits; and applying an XOR operation between the primary encrypted block (CPV) and the random mask (MA) thus de-concatenated to obtain a block in clear (T) with m bits. The permutation (PE) and its inverse permutation (PI) are secret and only shared and known by the communicating entities (100, 200).

CONVERTING A BOOLEAN MASKED VALUE TO AN ARITHMETICALLY MASKED VALUE FOR CRYPTOGRAPHIC OPERATIONS
20210173618 · 2021-06-10

A first input share value, a second input share value, and a third input share value may be received. The first input share value may be converted to a summation or subtraction between an input value and a combination of the second input share value and the third input share value. A random number value may be generated and combined with the second input share value and the third input share value to generate a combined value. Furthermore, a first output share value may be generated based on a combination of the converted first input share value, the combined value, and additional random number values.

METHOD SECURED AGAINST SIDE-CHANNEL ATTACKS PERFORMING AN ARITHMETIC OPERATION OF A CRYPTOGRAPHIC ALGORITHM MIXING BOOLEAN AND ARITHMETIC OPERATIONS
20210157586 · 2021-05-27

The present invention relates to a method secured against side channel attacks performing an arithmetic operation of a cryptographic algorithm mixing Boolean and arithmetic operations, wherein said method is performed by a cryptographic device comprising a processing system having at least one hardware processor, and said operation has a first value (x) and a second value (y) as operands, comprising: —obtaining (S1) a first masked value (x′), a second masked value (y′), a first Boolean mask (r_x), a second Boolean mask (r_y), said first masked value (x′) resulting from masking said first value (x) by said first Boolean mask (r_x) by performing a Boolean exclusive OR (XOR) operation between said first value (x) and said first Boolean mask (r_x), and said second masked value (y′) resulting from masking said second value (y) by said second Boolean mask (r_y) by performing a Boolean exclusive OR (XOR) operation between said second value (y) and said second Boolean mask (r_y), —performing (S2) in any order a plurality of computing steps combining values among said first masked value (x′), said second masked value (y′), said first Boolean mask (r_x) and said second Boolean mask (r_y) to obtain a boolean masked result equal to the result of the arithmetic operation having said first value (x) and said second value (y) as operands, masked by a third boolean mask (r_x xor r_y) resulting from performing said Boolean exclusive OR (XOR) operation between said first Boolean mask (r_x) and said second Boolean mask (r_y) ((x+y) xor (r_x xor r_y)), wherein said computing steps perform Boolean exclusive OR (XOR) operations or arithmetic operations between said values without disclosing any information relative to the first and second values and, wherein said computing steps are executed by the hardware processor by performing a constant number of elementary operations whatever the bit-size of said first and second values, —outputting (S3) said boolean masked result of the arithmetic operation between said first value (x) and said second value (y).
