Patent classifications
G06F2207/7233
A COMPUTATION DEVICE AND METHOD
Some embodiments are directed to an electronic computation device (100) arranged for obfuscated execution of a multiplication. The device comprises a storage (120) arranged for storing multiple variables used in the execution of an arithmetic operation, a variable (x; y; 2) of the multiple variables being represented as multiple multiplicative shares (X = (x_0, x_1, ..., x_{m-1}); Y = (y_0, y_1, ..., y_{m-1}); 20), said multiplicative shares being represented in the storage as multiple additive shares (x_i = (x_{i,0}, x_{i,1}, ..., x_{i,n-1}); y_i = (y_{i,0}, y_{i,1}, ..., y_{i,n-1}); 210, 220).
Automatic insertion of masking into an algorithm
A computer implemented method, program product, and system implementing said method, for transforming a call graph representation of an algorithm into a secured call graph representation of said algorithm. The call graph comprises inputs (a, b, f), internal variables being the edges of the graph (c, d, e), elementary functions being the nodes of the graph, said functions being either linear or not linear, and outputs (g), the method comprising: a step of masking each input of the call graph, a step of replacing each unmasked internal variable of the call graph with a masked variable, a step of replacing at least each non-linear function of the call graph with an equivalent function that applies to masked variables, a step of unmasking each output of the call graph.
METHOD FOR SECURING A CRYPTOGRAPHIC PROCESS WITH SBOX AGAINST HIGH-ORDER SIDE-CHANNEL ATTACKS
The present invention relates to a method for securing against N-order side-channel attacks a cryptographic process using, in a plurality of encryption rounds, an initial substitution box S_0, comprising the steps of: generating (E12) a first randomized substitution box S_1 by masking said initial substitution box S_0 such that S_1(x XOR m_1) = S_0(x) XOR m_2, with m_1, m_2 uniformly distributed random values, for any input value x of the initial substitution box S_0; generating (E13) a first transrandomized substitution box S(1,1) from the first randomized substitution box S_1 and from masks m_{1,1}, m_{1,1} such that S(1,1)[x] = S_1[x XOR (m_1 XOR m_{1,1})] XOR (m_2 XOR m_{1,1}) for any input value x of the first transrandomized substitution box S(1,1); generating (E14) from the first transrandomized substitution box S(1,1) an (N-1)th transrandomized substitution box S(1, N-1) by performing iteratively N-2 times a step of generation of an ith transrandomized substitution box S(1, i) from an (i-1)th transrandomized substitution box S(1, i-1) and from a plurality of masks m_{1,i}, m_{1,i}, m_{1,i-1}, m_{1,i-1} such that S(1, i)[x] = S(1, i-1)[x XOR (m_{1,i-1} XOR m_{1,i})] XOR (m_{1,i-1} XOR m_{1,i}) for any input value x of the ith transrandomized substitution box S(1, i), with i an integer in {2, ..., N-1}; and performing the cryptographic process using (E15) the (N-1)th transrandomized substitution box S(1, N-1) instead of the initial substitution box S_0 in at least said first round of the cryptographic process.
PROTECTING POLYNOMIAL REJECTION THROUGH MASKED COMPRESSION COMPARISON
Various embodiments relate to a data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a cryptographic operation using masked compressing of coefficients of a polynomial having n_s arithmetic shares for lattice-based cryptography in a processor, the instructions including: shifting a first arithmetic share of the n_s arithmetic shares by an input mask ?_1; scaling the shifted first arithmetic share by a value based on a first compression factor ? and a masking scaling factor ?_1; shifting the scaled first arithmetic share by a value based on the masking scaling factor ?_1; scaling the second to n_s shares of the n_s arithmetic shares by a value based on the first compression factor ? and the masking scaling factor ?_1; converting the n_s scaled arithmetic shares to n_s Boolean shares; right-shifting the n_s Boolean shares based upon the masking scaling factor ?_1 and a second compression factor ?_2; XORing an output mask ?_2 with the shifted first Boolean share to produce n_s compressed Boolean shares; and carrying out a cryptographic operation using the n_s arithmetic shares when the n_s compressed Boolean shares indicate that the coefficients of the polynomial are within boundary values.
METHOD AND SYSTEM FOR ENCRYPTING/DECRYPTING DATA WITH ULTRA-LOW LATENCY FOR SECURE DATA STORAGE AND/OR COMMUNICATION
The system comprises a sending entity (100) and a receiving entity (200). The sending entity (100) is suitable for generating a random mask (MA) with m bits; applying an XOR operation between the raw data block to be encrypted (T) and the random mask (MA) thus generated to obtain a primary encrypted block (CPV) with m bits; and applying a permutation (PE) on the concatenation of the random mask (MA) and the primary encrypted block (CPV) to obtain a secondary encrypted block (CS). The receiving entity (200) is suitable for receiving the secondary encrypted block (CS) of 2*m bits; applying an inverse permutation (PI) on the secondary encrypted block thus received to obtain the de-concatenation of a random mask (MA) and a primary encrypted block (CPV) with m bits; and applying an XOR operation between the primary encrypted block (CPV) and the random mask (MA) thus de-concatenated to obtain a block in clear (T) with m bits. The permutation (PE) and its inverse permutation (PI) are secret and only shared and known by the communicating entities (100, 200).
CONVERTING A BOOLEAN MASKED VALUE TO AN ARITHMETICALLY MASKED VALUE FOR CRYPTOGRAPHIC OPERATIONS
A first input share value, a second input share value, and a third input share value may be received. The first input share value may be converted to a summation or subtraction between an input value and a combination of the second input share value and the third input share value. A random number value may be generated and combined with the second input share value and the third input share value to generate a combined value. Furthermore, a first output share value may be generated based on a combination of the converted first input share value, the combined value, and additional random number values.
METHOD FOR CALCULATING A TRANSITION FROM A BOOLEAN MASKING TO AN ARITHMETIC MASKING
A method is provided for re-masking from a Boolean mask to an arithmetic mask with a modulus (2^m * p), in which m is an integer greater than or equal to zero, and p has at least one prime divisor unequal to 2, so that a carry is generated. The carry is masked or balanced to protect it against intrusion attacks.
Triplication-based fault attack countermeasure
Systems and techniques are provided for secure processing. For instance, a process can include: providing an input value to generate a first output value; obtaining a plurality of first intermediate output values based on a function of the first output value and a tweak value; embedding the plurality of first intermediate output values into a mathematical structure; obtaining a plurality of second intermediate output values, wherein the plurality of second intermediate output values are a function of the plurality of first intermediate output values, a random number, and an inverse of the tweak value; determining a most common value of the plurality of second intermediate output values; obtaining a third intermediate value, the third intermediate value based on a function of the most common value and an inverse of the random number; projecting the third intermediate value from the mathematical structure to obtain a second output value for output.