A device includes a memory, which, in operation, stores one or more look-up tables, and cryptographic circuitry coupled to the memory. The cryptographic circuitry, in operation, multiplies first data masked with a first mask by second data masked with a second mask, and protects the first data and the second data during the multiplying. The multiplying and protecting includes remasking the first data with a third mask, remasking the second data with a fourth mask, executing one or more compensation operations using one or more of the one or more look-up tables, and generating third data masked with a fifth mask. The fifth mask is independent of the first, second, third, and fourth masks. The third data corresponds to the first data multiplied by the second data.

According to one embodiment, an execution unit is described, which includes a mask generation circuit configured to generate a mask by multiplying a mask generation vector by blocks of codewords of a plurality of cyclic codes, a masking circuit configured to mask data to be processed by means of the mask, and an arithmetic logic unit configured to process the masked data by means of additions and rotations.

A method for the transition is provided from a Boolean masking of a value to be kept secret to an additive masking of the value to be kept secret. The value to be kept secret is present in the Boolean masking as a representation masked with a first Boolean mask and a second Boolean mask. A first additive mask and a second additive mask are determined for the value to be kept secret. A first masking transition is executed in which the first Boolean mask is converted into the first additive mask. A second masking transition is executed in which the obfuscation value is converted into an additive correction value, and a third masking transition is executed in which the second Boolean mask is converted into the second additive mask.

A multi-word multiplier circuit includes an interface and circuitry. The interface is configured to receive a first parameter X including one or more first words, and a second parameter Y including multiple second words. The second parameter includes a blinded version of a non-blinded parameter Y that is blinded using a blinding parameter A.sub.Y so that Y=Y+A.sub.Y. The circuitry is configured to calculate a product Z=X.Math.Y by summing multiple sub-products, each of the sub-products is calculated by multiplying a first word of X by a second word of Y, and subtracting from intermediate temporary sums of the sub-products respective third words of a partial product P=X.Math.B.sub.Y, B.sub.Y is a blinding word included in A.sub.Y.

A computer implemented method, program product, and system implementing said method, for transforming a call graph representation of an algorithm into a secured call graph representation of said algorithm. The call graph comprises inputs (a, b, f), internal variables being the edges of the graph (c, d, e), elementary functions being the nodes of the graph, said functions being either linear or not linear, and outputs (g), the method comprising: a step of masking each input of the call graph, a step of replacing each unmasked internal variable of the call graph with a masked variable, a step of replacing at least each non-linear function of the call graph with an equivalent function that applies to masked variables, a step of unmasking each output of the call graph.

Methods and systems for masking certain cryptographic operations in a manner designed to defeat side-channel attacks are disclosed herein. Squaring operations can be masked to make squaring operations indistinguishable or less distinguishable from multiplication operations. In general, squaring operations are converted into multiplication operations by masking them asymmetrically. Additional methods and systems are disclosed for defeating DPA, cross-correlation, and high-order DPA attacks against modular exponentiation.

A method for the transition is provided from a Boolean masking of a value to be kept secret to an additive masking of the value to be kept secret. The value to be kept secret is present in the Boolean masking as a representation masked with a first Boolean mask and a second Boolean mask. A first additive mask and a second additive mask are determined for the value to be kept secret. A first masking transition is executed in which the first Boolean mask is converted into the first additive mask. A second masking transition is executed in which the obfuscation value is converted into an additive correction value, and a third masking transition is executed in which the second Boolean mask is converted into the second additive mask.

According to one embodiment, an execution unit is described, which includes a mask generation circuit configured to generate a mask by multiplying a mask generation vector by blocks of codewords of a plurality of cyclic codes, a masking circuit configured to mask data to be processed by means of the mask, and an arithmetic logic unit configured to process the masked data by means of additions and rotations.

A multi-word multiplier circuit includes an interface and circuitry. The interface is configured to receive a first parameter X including one or more first words, and a second parameter Y including multiple second words. The second parameter includes a blinded version of a non-blinded parameter Y that is blinded using a blinding parameter A.sub.Y so that Y=Y+A.sub.Y. The circuitry is configured to calculate a product Z=X.Math.Y by summing multiple sub-products, each of the sub-products is calculated by multiplying a first word of X by a second word of Y, and subtracting from intermediate temporary sums of the sub-products respective third words of a partial product P=X.Math.B.sub.Y, B.sub.Y is a blinding word included in A.sub.Y.

A computer implemented method, program product, and system implementing said method, for transforming a call graph representation of an algorithm into a secured call graph representation of said algorithm. The call graph comprises inputs (a, b, f), internal variables being the edges of the graph (c, d, e), elementary functions being the nodes of the graph, said functions being either linear or not linear, and outputs (g), the method comprising: a step of masking each input of the call graph, a step of replacing each unmasked internal variable of the call graph with a masked variable, a step of replacing at least each non-linear function of the call graph with an equivalent function that applies to masked variables, a step of unmasking each output of the call graph.