Numerous cryptographic algorithms make use of large-integer multiplication (or exponentiation) and reduction of the product to a residue value that is congruent for a specified modulus that is related to the cryptographic key. Some crypotographic algorithms, including the AES/Rijndael block cipher and also those based on discrete logarithms and elliptic curves, perform arithmetic operations on polynomials in a finite field, such as the binary field GF(2n), including multiplication (or exponentiation) and modular reduction operations on such polynomials.
Mathematical computations in cryptographic algorithms, especially those performed by hardware-implemented cryptographic systems (such as RISC-based smart cards), may be susceptible to various side-channel attacks, including power analysis and timing attacks. An attacker externally monitors aspects of the hardware that are accessible, such as current through chip pads or electromagnetic emissions from a chip, in order to obtain information about internal operations which may be subjected to various analyses in an effort to uncover the encryption key. Therefore, it is important that computations be secured so that information about the key cannot be obtained.
Typically, secure microcontrollers for smart cards use various kinds of hardware-based countermeasures to thwart such attacks. While some software-level countermeasures introduced into a cryptographic algorithm itself might also be considered, it is very important that any such countermeasures not adversely affect the speed or accuracy of the underlying computations. Not all of the internal operations of a cryptographic algorithm are as readily adaptable so as to incorporate software countermeasures without appreciable slowing and without jeopardizing accuracy of a final result.
Arithmetic operations in particular, including modular multiplication, either upon integers or upon polynomials with integer coefficients, generally require a specific result from operating upon given operands. Any changes that would obtain an erroneous final result would clearly be unwelcome. At the same time, it is important that these computations be fast and accurate. Multiplication and reduction, whether operated upon large integers or upon polynomials in a finite field, is usually the most computationally intensive portion of a cryptographic algorithm. In electronic digital hardware, various computational methods have been developed for efficiently performing modular multiplication, including those based upon the Barrett reduction method.
One particular case that frequently occurs in cryptographic applications is where one of the operands of a modular multiplication (or exponentiation) operation is known in advance or used several times. It would be desirable to take advantage of such occurrences in order to speed up the computation.