摘要:
Based on an encrypting method for performing an exponential remainder calculation y=ad (mod n) from an u-bit exponent d=(du−1, . . . , d0)2, input data a, and a modulo n, calculating a′=a2(mod n) is performed first. Next, calculating y=(a′)f(mod n) is performed on f=(du−1, du−2, . . . , d1)2. Then, when d0=1, calculating y=y×a (mod n) is performed. Then, outputting y=ad (mod n) is performed. In the first step, although an attacker inputs data including a minus value such as a=−1 and a=s, −s, etc., only plus values can be constantly generated in multiplication and squaring. Therefore, the method makes it hard to estimate a secret key using power analyzing attacks such as the SPA and the DPA, thereby realizing an encryption processor having high tamper-resistance.