G06F2207/7247

DEVICE AND METHOD FOR PROTECTING EXECUTION OF A CRYPTOGRAPHIC OPERATION
20200344056 · 2020-10-29

There is provided a device for protecting the execution of a cryptographic operation from attacks, the cryptographic operation being implemented by a cryptographic algorithm, the cryptographic operation comprising at least one modular operation between a main base (m) representing a data block and at least one scalar (d) in at least one finite starting group. The device is configured to determine at least one intermediary group (E) different from the at least one starting group (E), the number of intermediary groups being equal to the number of starting groups E. The device is further configured to determine at least one final group (E) from the at least one starting group E and the at least one intermediary group E. The base m being mapped to an auxiliary element (x) in the at least one intermediary group and to an auxiliary base (m) in the at least one final group E. The device performs a first elementary operation in each final group (Ei), the first elementary operation consisting in executing the modular operation between the auxiliary base (m) and an auxiliary scalar (d_a) in each final group E, which provides at least one result, the auxiliary scalar (d_a) being determined from the auxiliary element (x) and from the main scalar (d). The device further performs a second elementary operation in each starting group E, the second elementary operation consisting in executing the modular operation between an additional auxiliary base and an additional auxiliary scalar d_b in each starting group, at least one of the additional auxiliary base and of the additional scalar being derived from the result of the first elementary operation.

PROTECTION OF A MODULAR EXPONENTIATION CALCULATION
20180060040 · 2018-03-01

A method of protecting a modular exponentiation calculation on a first number and an exponent, modulo a first modulo, executed by an electronic circuit using a first register or memory location and a second register or memory location, successively including, for each bit of the exponent: generating a random number; performing a modular multiplication of the content of the first register or memory location by that of the second register or memory location, and placing the result in one of the first and second registers or memory locations selected according to the state of the bit of the exponent; performing a modular squaring of the content of one of the first and second registers or memory locations selected according to the state of the exponent, and placing the result in this selected register or memory location, the multiplication and squaring operations being performed modulo the product of the first modulo by said random number.

METHOD, DEVICE AND NON-TRANSITORY COMPUTER-READABLE MEDIUM FOR CRYPTOGRAPHIC COMPUTATION
20170010866 · 2017-01-12

A method, a device and a non-transitory computer-readable medium for cryptographic computation are provided. The method for computation includes: receiving, in a Montgomery multiplier circuit having a predefined block size, a pair of operands A and B and a modulus M for computation of a Montgomery product of A and B mod M; specifying a number n of blocks of the predefined block size to be used in the computation; computing a blinded modulus M as a multiple of the modulus M by a random factor R, M=R*M, while selecting R so that the length of M is less than n times the block size by at least two bits; and operating the Montgomery multiplier circuit to compute and output the Montgomery product of A and B mod M.