In recent years, the importance of information security technology has been increasing. As one of the infrastructure technologies of information security, public-key cryptography has been actively studied.
There are several kinds of public-key cryptosystems. Known examples include the Rivest-Shamir-Adleman (RSA) algorithm, which utilizes modular exponentiation, and elliptic curve cryptography (ECC), which utilizes scalar multiplication of a point on an elliptic curve, among others.
In utilizing public-key cryptography, it is important to keep the private key secret to maintain security. In recent years, however, some attack methods for breaking the private key have become known. Accordingly, in order to make equipment that executes processing with public-key cryptography tamper-proof, countermeasures against at least the known attack methods are required to be implemented in the equipment.
As one example of a side-channel attack, an attack method called a power analysis (PA) attack is known. There are two types of PA: simple power analysis (SPA) and differential power analysis (DPA).
Therefore, equipment that executes processing with public-key cryptography is required to have security against an SPA attack and security against a DPA attack. For example, one countermeasure against an SPA attack is a method called the “window method”, and one countermeasure against a DPA attack is a method of randomizing data. Further, a cryptographic device for realizing effective tamper-proof modular exponentiation and scalar multiplication of a point has been proposed. With respect to an encryption method that executes modular exponentiation, a cryptographic processor has also been proposed that makes estimation of the private key with a PA attack difficult and that is highly tamper-proof.
Some documents, such as Japanese Laid-open Patent Publication No. 2003-233307 and International Publication Pamphlet No. WO 2009/122461, are known.