The present disclosure relates to a cryptographic method comprising: multiplying a point belonging to a mathematical set with a group structure by a scalar by performing: the division of a scalar into a plurality of groups formed of a same number w of digits, w being greater than or equal to 2; and the execution, by a cryptographic circuit and for each group of digits, of a sequence of operations on point, the sequence of operations being identical for each group of digits, at least one of the operations executed for each of the groups of digits being a dummy operation.

A device for multiplying two bit sequences has a controller that selects and activates exactly one multiplier unit from a plurality of parallel multiplier units, according to a random signal. A partial multiplier unit shared by all the multiplier units receives and multiplies operands formed by the respectively activated multiplier unit. Each multiplier unit implements a different multiplication method with a respective selector unit that selects segments of the bit sequences to be multiplied, in accordance with a selection plan adapted to the respective multiplication method, to form operands from one or more segments and outputs the operands. The respective accumulation unit receives step by step partial products from the partial multiplier unit, accumulates the partial products in accordance with an accumulation plan adapted to the implemented multiplication method and matching the selection plan, and outputs the calculated product of after accumulation has been completed.

Cryptographic circuitry, in operation, performs a calculation on a first number and a second number. The performing of the calculation is protected by breaking the second number into a plurality of third numbers, a sum of values of the third numbers being equal to a value of the second number. The calculation is performed bit by bit for each rank of the third numbers. Functional circuitry, coupled to the cryptographic circuitry, uses a result of the calculation.

Some embodiments are directed to an electronic computation device (100) arranged for obfuscated execution of a multiplication. The device comprises a storage (120) arranged for storing multiple variables used in the execution of an arithmetic operation, a variable (x: y; 2) of the multiple variables being represented as multiple multiplicative shares (X=(x.sub.0, x.sub.1, . . . , x.sub.m−1); Y=(y.sub.0, y.sub.1, . . . , y.sub.m−1); 20), said multiplicative shares being represented in the storage as multiple additive shares (x.sub.i=(x.sub.i,0,x.sub.i,1, . . . , x.sub.i,n−1); Yi=(y.sub.i,0,y.sub.i,1, . . . , y.sub.i,n−1); 210, 220).

The present invention relates to a method to securely load set of sensitive data hardware registers with sensitive data on a chip supporting hardware cryptography operations, said method comprising the following steps monitored by software instructions, at each run of a software: select a set of available hardware registers listed in a predefined list listing, in the chip architecture, the unused hardware registers and other relevant hardware registers not handling sensitive data and not disrupting chip functionality when loaded, establish an indexible register list of the address of the sensitive data hardware registers and of the hardware registers in the set of available hardware registers, in a loop, write each hardware register in this register list with random data, a random number of times, in random order except the last writing in each of the sensitive data hardware registers where a part of the sensitive data is written.

An iterative calculation is performed on a first number and a second number, while protecting the iterative calculation against side-channel attacks. For each bit of the second number, successively, an iterative calculation routine of the bit of the second number is determined. The determination is made independent of a state of the bit. The determined iterative calculation routine of the bit is executed. A result of the iterative calculation is generated based on a result of the execution of the determined iterative calculation routine of a last bit of the second number.

There is provided a device for protecting the execution of a cryptographic operation from attacks, the cryptographic operation being implemented by a cryptographic algorithm, the cryptographic operation comprising at least one modular operation between a main base (m) representing a data block and at least one scalar (d) in at least one finite starting group. The device is configured to determine at least one intermediary group (E) different from the at least one starting group (E), the number of intermediary groups being equal to the number of starting groups E. The device is further configured to determine at least one final group (E) from the at least one starting group E and the at least one intermediary group E. The base m being mapped to an auxiliary element (x) in the at least one intermediary group and to an auxiliary base (m) in the at least one final group E. The device performs a first elementary operation in each final group (Ei), the first elementary operation consisting in executing the modular operation between the auxiliary base (m) and an auxiliary scalar (d.sub.a) in each final group E, which provides at least one result, the auxiliary scalar (d.sub.a) being determined from the auxiliary element (x) and from the main scalar (d). The device further performs a second elementary operation in each starting group E, the second elementary operation consisting in executing the modular operation between an additional auxiliary base and an additional auxiliary scalar d.sub.b in each starting group, at least one of the additional auxiliary base and of the additional scalar being derived from the result of the first elementary operation.

Cryptographic circuitry, in operation, performs a calculation on a first number and a second number. The performing of the calculation is protected by breaking the second number into a plurality of third numbers, a sum of values of the third numbers being equal to a value of the second number. The calculation is performed bit by bit for each rank of the third numbers. Functional circuitry, coupled to the cryptographic circuitry, uses a result of the calculation.

Some embodiments are directed to an electronic computation device (100) arranged for obfuscated execution of a multiplication. The device comprises a storage (120) arranged for storing multiple variables used in the execution of an arithmetic operation, a variable (x: y; 2) of the multiple variables being represented as multiple multiplicative shares (X=(x.sub.0, x.sub.1, . . . , x.sub.m1); Y=(y.sub.0, y.sub.1, . . . , y.sub.m1); 20), said multiplicative shares being represented in the storage as multiple additive shares (x.sub.i=(x.sub.i,0,x.sub.i,1, . . . , x.sub.i,n1); Yi=(y.sub.i,0,y.sub.i,1, . . . , y.sub.i,n1); 210, 220).

Methods and systems for masking certain cryptographic operations in a manner designed to defeat side-channel attacks are disclosed herein. Squaring operations can be masked to make squaring operations indistinguishable or less distinguishable from multiplication operations. In general, squaring operations are converted into multiplication operations by masking them asymmetrically. Additional methods and systems are disclosed for defeating DPA, cross-correlation, and high-order DPA attacks against modular exponentiation.