FI112708B - Method and apparatus for calculating a response - Google Patents

Abstract

The present invention relates to a device comprising an inlet (2) for receiving an input, calculating means (P) for calculating a response by means of the input, a secret key and a calculation algorithm, the calculation algorithm utilizing a sliding window method, and an outlet (3) for forwarding said response. In order to make the secret key even more difficult for an external attacker to find out, the device further comprises a random number generator (RND) to generate at least some of the multipliers utilized by the calculating means (P) in the sliding window method.

Description

112708

The present invention relates to computing operations which utilize a sliding window method and a secret key which is intended to be protected so that an external attacker does not receive information during the computation that would allow him to determine the secret key.

Smart cards are one example of devices in which the present invention can be applied. In the case of smart cards, the secret key is utilized, for example, for smart card authentication. In the following, the present invention 10 will be described primarily with reference to smart cards, although the present invention may also be applied to other contexts in which it is necessary to perform computing operations utilizing a secret key.

Masking methods are known from WO 99/35782 and Coron, Goubin, "On Boolean and arithmetic masking against differential power analysis," in which the key can be represented, for example, as a sum of two numbers. For each second number, a random number is generated each time.

It is also known in the art to utilize a sliding window method for calculating the multiplication or exponential so that the multiplication can be replaced by the addition or the exponential multiplication. In prior art solutions, the sliding window method is applied by using predefined multipliers with binary values of lengths: *; argue about the width of windows used. Usually there are a few •: · predefined times, for example 1 (window width 1 bit), 3 (window width: 25 veys 2 bits), 5 (window width 3 bits) and 7 (window width 3 bits) ). The values of the available multipliers are pre-selected in such a way that the calculation is as fast as possible. The known solutions select the maximum number of times for the individual lowering operations of the sliding window method. This ensures that the calculation can be completed as quickly as possible.

A disadvantage of the known solution described is that: information may be generated from the calculation that facilitates an outside attacker to determine the secret key when this calculation method is used in calculations using the secret key. One way in which an outside-35 attacker can try to find out the secret key is through a so-called. A DPA attack (Differential Power Analysis), for example, where multiple inputs are repeatedly fed to the smart card (several times 1127G8 glove times) while monitoring the response from the smart card output, the power used during smart card counting, and radiation generated during smart card counting. By statistics of input, power consumption, radiation, and response, an outside attacker 5 may discover the secret key of the smart card. The problem with known sliding-window calculation algorithms is that the utilization of predetermined multipliers in calculations can be detected in power consumption. That is, an outside attacker can statistically observe the order in which the landing operations are performed, since the times when the various multipliers are utilized are observable from the power consumption. After that, the outside attacker has to figure out the values of the multipliers, after which he has the secret key at his disposal.

The object of the present invention is to solve the problem described above and to provide a solution which further complicates the process of solving the secret key using the sliding window method. This object is achieved by the method of calculating the response according to the invention, comprising: selecting the multipliers to be used in the sliding window method and calculating the response by input, secret key and calculation algorithm which utilizes said sliding window method and selected multipliers. The method of the invention is characterized in that at least some of said multipliers in the sliding window method are randomly selected.

: ': The invention further relates to a device for: · | this can be utilized. The device according to the invention includes an input ·. : 25 to receive tea, calculator means to calculate response to input, secret! by the key and calculation algorithm that utilizes the sliding window method, and the output for further input of said response. The device according to the invention is characterized in that the device further comprises a random number generator which produces at least a part of the multipliers used by the calculating means in the sliding window method.

: The invention is based on the realization that when at least some of the multipliers used in the sliding window method are randomly selected, no .. ,; external attacker no longer Use any statistic data during the count, because the counting event and e.g. its required power consumption 35 will change with the introduction of new storytellers. According to the invention, new random multipliers can be introduced with each new computation of 112708 3. However, this is not necessary, but if desired, the same multipliers can be utilized in a few successive calculations. The multipliers can also be changed so that only a portion of the multipliers in use are switched at a time. The bottom line is that an outside attacker will not be able to collect statistics from several hundred or even thousands of consecutive counting operations using the same multipliers. The major advantages of the solution according to the invention are the further improved secret key encryption, i.e. it is more difficult for an outside attacker to find out the secret key.

In a first preferred embodiment of the method of the invention, some of the individual calculation operations of the sliding window method are randomly selected to be performed by a factor other than the maximum. This embodiment of the invention slows down the computation somewhat. However, this disadvantage is insignificant to the extent that this embodiment increases the randomness of landing operations by making the statistics collected by an outside attacker more misleading.

In a third preferred embodiment of the method of the invention, multipliers are selected such that the longest multipliers are between about 8 and 128 bits long. Thus, in the sliding window method, no manual. bundle all the narrator bits inside the window, so it becomes necessary to calculate the window and narrator difference and continue to use this in the calculation.

; In a fourth preferred embodiment of the method according to the invention, the sliding window method includes calculating operations: performing the window moving calculating operations and the calculating operations of processing the bits contained in the window being viewed in a predetermined sequence from one to another. That is, the calculation operations included in the sliding window method can be divided into two main groups, the calculation operations resulting from window shifting and the observation. Calculation operations resulting from the processing of bits in a 30-byte window (using selected multipliers). In known solutions, the computation proceeds such that during the computation the most suitable operation is always selected next. Whether ': selected window transfer or handling of bits in the window is a matter': which an outside attacker may in some cases see, for example, power consumption ...: 35 times. Thus, an outside attacker can draw conclusions about the progress of the bills if such choices are made. Conversely, if a window, 112/08 4 move, or processing of bits in a window according to a predetermined sequence is selected, for example, every other time the window is moved and every other time the bits in the window are processed, no selection situation like the one described above will occur. li-5 weather information on how invoices are moving. Thus, this embodiment of the invention further improves the safety of landings.

Preferred embodiments of the method and apparatus of the invention are disclosed in the dependent claims 2 to 5 and 6 to 11.

The invention will now be described, by way of example, in more detail 10 with reference to the accompanying drawings, in which: Figure 1 is a flow chart of a first preferred embodiment of the method of the invention, Figure 2 is a flow diagram of a first preferred embodiment of the device a third preferred embodiment of the method of the invention.

Fig. 1 shows a flow chart of a first preferred embodiment of the method of the invention. The method of Figure 1 utilizes. A sliding window method is performed for performing the calculation of the * secret key. The sliding window method is a known method for calculating the multiplication or exponentiation in a binary system. The following is an example of performing multiplication C * B by the sliding window method when using only addition, and in order to prevent an alien attacker from gaining access to information which he could use; find out the secret key C.

C is represented binary C = C0 | Ci | C2 | ... | Cn, Co * 0. Initially the multipliers used in the sliding window method are selected. The narrators were chosen; 30 in this Example 1 (01), 3 (11), 5 (101) and 7 (111).

First, the values of the multipliers are calculated, ie:

• * 'B

B3 = b + b + b B5 = b + b + b + b + b

. : 35 B7 = B + B + B + B + B + B + B

112708 5

In addition, set Ak = 0 (Ak = intermediate result) and m = 0 (m denotes the bit in C, which is then considered.

Let's calculate the first condition: 5 If Cm | Cm + i | Cm + 2 = 111, then calculate Ak = 8 * (Ak) + B7, m = m + 3.

If Cm | Cm + i | Cm + 2 = 101, then Ak = 8 * (Ak) + B5, m = m + 3.

If Cm | Cm + i = 11, then Ak = 4 * (Ak) + B3, m = m + 2.

If Cm = 1, calculate Ak = 2 * (Ak) + B, m = m + 1.

10 For Cm = 0, calculate Ak = 2 * (Ak), m = m + 1.

Repeat until m> n. Then the result is Ak.

The following is a calculation example where, by applying the above formulas, the binary numbers C * B are multiplied by B = 101 and 15 C = 101101011101, and the multipliers used are the same as above, i.e. 1, 3, 5 and 7. Then the multiplier values are: B = 101 B3 = B + B + B = 1111 B5 = B + B + B + B + B = 11001 20 B7 = B + B + B + B + B + B + B = 100011 t __—— __ ^ —__ , __ ^ ^ __________________.

'EXAMINED BITS INTERMEDIATE AK EXPLANATION

; Underlined___ 101101011101 5B = 11001 Multiplier B5 selected (processing bits in window) _: 000101011101 8 * 5B + 5B = 45B = Multiplier selected B5 _ 11100001___ 1 000000011101 2 * 45B = 90B = No matching multiplier. Migrate, · __111000010_this window._; ·. 000000011101 8 * 90B + 7B = 727B = Selected multiplier B7; : _ 111000110011__ 000000000001 2 * 727B = 1454B = No suitable multiplier. Migrate: __ 1110001100110_the window._ • 000000000001 2 * 1454B + B = 2909B = Selected multiplier B.

I | 11100011010001 6 112708

The result of the above calculation consists of the last intermediate result Ak, i.e. the result is 11100011010001. During the calculation, all the calculation operations leading to the result are performed using the binary system and the addition operations 5. However, in the example above, the calculation operations are also denoted by using the decimal system and multiplication to facilitate tracking of the individual calculation operations.

In block A of Figure 1, an input is received. Next, we proceed to block B, where random multipliers for the calculation operations are selected. That is, instead of choosing, for example, 1, 3, 5 and 7 (as in the previous calculation example), the multipliers are randomly selected according to the invention. This multiplier random draw may be performed for each response calculation, or alternatively the same multipliers may be used in a few successive response calculation operations, after which new random multipliers are selected. The multipliers are preferably selected so that they are relatively long, i.e., about 8 to 128 bits. This makes it harder for an outside attacker to find out what multipliers are used.

In block C, the response is computed by an algorithm using a secret key input and a sliding window method. Thus, the calculations related to the sliding window method are performed above; using the random women coefficients selected in block B.

; Figure 2 illustrates another preferred embodiment of the method of the invention. The method of Figure 2 also utilizes a sliding window method to perform the calculations associated with the secret key. The embodiment of Fig. 2 differs from the embodiment of Fig. 1 in that, in the case of Fig. 1, in each sliding window method each single calculation operation is always selected to maximize (so that the calculation proceeds as quickly as possible to the final result) individual calculations are performed randomly using something other than the largest possible multiplier. As a result, the progress of the bills slows down somewhat, but the progress of the bills becomes more "random", which results in less information being transmitted to the outside attacker, even if he is compiling statistics, | 35 kin mm. the amount of energy required to complete the invoices.

1 1 o 7 n o 7 ί ί L / U Ο

The following is an example of how the sliding window method of the invention can be applied to compute the multiplication C * B by randomly selecting the multipliers to be used in the calculations, and randomly selecting some of the operations to be performed by any other than the 5 largest multipliers. The counting is done solely by summing, and during the counting process, it is desired to prevent an outside attacker from gaining access to information that would allow him to determine the secret key C.

C is represented binary C = Co | Ci | C2 | ... | Cn, Co * 0. Initially, the multipliers used in the slip window method are selectively selected. In this example, multipliers 1 (01), 3 (11) and 5 (101) are selected as multipliers.

First, the values of the multipliers are calculated, ie:

B

B3 = b + b + b

15 B5— B + B + B + B + B

In addition, set Ak = 0 (Ak = intermediate result) and m = 0 (m denotes the bit in C, which is then considered.

Calculate one of the following conditions, that is, satisfy the condition (that is, randomly select one of the possible individual calculation operations): 20; IF Cm | Cm + i | Cm + 2> - 101, calculate Ak-Ak + Bs, Cm | Cm + l | Cm + 2 = Cm | Cm + l | Cm + 2_ 101.

, If Cfn | Cm + i | Cm + 2 · * - 011, then Ak-Ak + B3, Cm | Cm + i | Cm + 2 = Cm | Cm + i | Cm + 2_; 011.

* 25 IF Cm | Cm + l | Cm + 2,001, calculate Ak-Ak + B, Cm | Cm + 1 | Cm + 2 = Cm | Cm + i | Cm + 2,001.

If m> n-2 is moved by the window computing Ak = 2 * Ak, m = m + 1.

Repeat until CmlCm + ilCm +? = 000 and m = n-2. Then the result is Ak.

The following is a calculation example in which, by applying the above formulas, the binary numbers C * B when B = 101 and 'C = 101101011101 are multiplied, and the multipliers used are the same as above, i.e. 1, 3 and 5. Then the multiplier values are: B = 101, B3 = B + B + B = 1111 and Bs = ί B + B + B + B + B = 11001.

: 35 [INTERIM RESULT IN WINDOW Ak [EXPLANATION 1 112708 8

BITS TO BE CONSIDERED

Underlined___ 101101011101 5B = Selected multiplier B5 ,, 11001 (Handling __ bits in window) _ 000101011101 2 * 5B = 10B = Selected window move _110010__

000101011101 10B + B = 11B = Selected multiplier B

_110111__ 000001011101 2 * 11B = 22B = Selected Window Move _1101110__ 000001011101 2 * 22B = 44B = Selected Window Move _11011100__ 000001011101_2 * 44B = 88B = 110111000 Selected Window Move 000001011101 2 * 88B = 1700B = 1100B00 = 11001100 = 11001100 = 1100B = 1700B = 1700 179B = Selected Multiplier B3 _1101111111__ 000000101101 2 * 179B = 358B = Selected Window Move _11011111110__: 000000101101 358B + 5B = 363B = Selected Multiplier B5: _ 11100010111___: 000000000101 2 * 363B = 7210 Selected Window Move 000000000101 2 * 726B = 1452B = Selected Window Move 1110001011100 »- .I II.— I - | I.-. Il- I -.III I. · III .Il -

000000000101 1452B + B = 1453B = Selected multiplier B

_ 1110001100001__ 000000000011 2 * 1453B = 2906B = Selected Window Move _ 11100011000010__: 000000000011 + 3B = 2909B = Selected Multiplier B3 _ 11100011010001__: l000000000000 112708 9

The result of the above calculation consists of the last intermediate result Ak, i.e. the result is 11100011010001. During the calculation, all the calculation operations leading to the result are performed using the binary system and the addition operations. However, in the example above, the calculation operations are also denoted by the decimal system and the multiplication to facilitate tracking of the individual calculation operations.

In the flow chart of Figure 2 illustrating the progress of another embodiment of the method according to the invention, the blocks A 'and B' correspond to the blocks A and B of Figure 1, i.e. receiving an input, followed by a random selection of 10 multipliers.

In block C, the computation is started by a computation algorithm for response computation which utilizes the sliding window method.

When initiating a single counting operation, it is checked in block D 'whether there is a single counting operation which requires the use of a factor selected for the sliding window method. If this is not the case, proceed to block P where the calculation operation is performed, after which in block J 'it is checked whether the calculation has been completed if there is no return to block D \

If it is detected in block D 'that the shift counting operation 20 will utilize the coefficient selected for the sliding window method,; moving to block E '. In this case, a random number is drawn, for example, between 1-10.

In block F ', a comparison is made whether the random number is greater than the reference number, e.g. 5, if it is desired that half of the single count operations associated with the sliding window method be performed by a random multiplier. If the random: 25 female number is greater than the control number, it moves to block H ', where it is used: a randomly selected multiplier is selected. Alternatively, we move to block G ', .: where the maximum number of times is used.

The blocks F 'to H' provide a situation whereby: a part of the sliding window method computation operations are executed; 30 other than the highest possible multiplier. As a result, the progress of the bills slows down, but the bills become more random, which makes finding the secret key more difficult for an outside attacker.

; Figure 3 is a block diagram of a first preferred embodiment of the device according to the invention. In the case of Fig. 3, the device 1 is assumed to be a smart card having a secret key stored in its memory M, either as a secret key or alternatively encoded (whereby the key is decrypted when the key is read from the memory). This secret key allows the smart card to be authenticated because there is a single smart card on which the secret key in question is stored and thus produces a response dependent on the secret key from the input supplied to the smart card.

The device 1 further includes a calculator P, which may consist of, for example, a processor which, by means of a predetermined calculation algorithm, calculates the response to the input input to the device input 2 and outputs the response further through the output 3. In the calculation, the calculation algorithm utilizes the sliding window 10 method and the secret key of the device 1. According to the invention, device 1 utilizes random number multipliers (as described in connection with the flow charts of Figures 1 and 2) transmitted from the random number generator to the calculator via an internal bus in the sliding window method. Further, the device 1 may utilize the sa-15 random number generator RND to select some of the individual computation operations of the sliding window method to be executed by random multipliers, i.e., by another multiplier selected for use than the maximum multiplier (as described in FIG. 2).

Unlike the example of Figure 3, device 1 may be a device other than a smart card 20. The invention can also be applied, for example, to confidentiality. for the transmission of information over an unreliable communication channel such as the Internet.

In this case, it is necessary to be able to either encrypt the message in such a way that an outsider cannot; read, or alternatively, tag the message electronically so that the recipient of the message can verify that the message is from the correct source. The RSA Algorithm 25 rhythm is a known algorithm that is utilized for encrypting messages and electronic signatures of messages. The RSA algorithm was developed by Ronald, Rivest, Adi Shamir and Leonard Adelman in 1977. In the RSA algorithm, messages are encrypted with a public key and decrypted with a secret key. Similarly, an electronic signature is produced with a secret key, and the signature; 30 it is verified with a public key. Thus, in accordance with the invention, the device 1 of Figure 3 may be, for example, a computer that receives a message with an electronic signature, and uses the method and secret key of the invention to check whether the electron signature is: correct. In this case, the response consists of information indicating whether the signature is correct.

: 35 Yet another alternative is that the device 1 of Fig. 3 is a computer that decrypts the received encrypted message that has been encrypted with the public key corresponding to the secret key by the secret key. Therefore, the response consists of a plain language message.

Figure 4 shows a flow chart of a third preferred embodiment of the method according to the invention. The flowchart of Figure 4 differs from previous embodiments in that in the case of Figure 4, the secret key needed to calculate the response is not stored in plain-language memory. In contrast, the secret key is stored in the memory in such a form that its recovery does not provide information to the outside attacker about the secret key, and that the use of the key in the sliding window method 10 is very simple.

In block A, the secret key is divided into components whose sum corresponds to the secret key. At least one of the components consists of mutually multiplicative numbers, one of which corresponds to a multiplier selected for the sliding window method. The numbers included in the components are stored in memory. way: C = XO + (K1 * X1) + (K2 * X2) + ... + (Kn * Xn)

In the above formula, the secret key is decomposed into components 20, the sum of which forms the secret key C. The components, in turn, consist of numbers or product revenues. Some of the permissions are randomly selected multiplied by Jia K1 - Kn, which can be changed from one count to another later shown-; way way. The other numbers X1 - Xn are binary numbers whose individual »bits indicate when the multiplier in front of the number should be used.

: 25 The multipliers K1-Kn and the numbers XO-X are thus stored in memory. If there is a new smart card to be produced or the like, the first recording is made when the smart card is produced.

The following is a calculation example which illustrates the selection of numbers to be stored in block: A ". Assume that the secret key; 30 0 = 11010101, and that a single random multiplier, i.e. K1 = 5 = 101 | (in binary form) Next, the numbers X0 and X1 are explained.

; EXAMINED BITS EXPLANATION WINDOW POSITION

I DELETED _l____ 112708 12 11010101_Reduce window 101 1_ 00110101_Reduce 001__ 00010101_Remove window__00010101_Remove window__ 00000101_Remove window_aa_0000010_Remove window_aa

From the table above it is seen that the multiplier K1 = 101 has been used when the window was in positions 1 and 6. The bits 1 and 6 of X1 are then set to "1" and the other bits to "0", i.e. X1 = 1000001. Correspondingly, it is found that the number 001 has been used when the window was in positions 1 and 2. The bits 1 and 6 are then set to "1" in X0 while the other bits are set to "0", i.e. X0 = 110,000. Thus, instead of secret key C, the numbers: -X0 = 110000, 10-K1 = 101, and -X1 = 1000001 are stored in memory.

The value of the secret key can be determined by these numbers using the above formula, i.e. C = 110000 + (101 * 100001). The benefit of which

: the above mentioned form of storage achieves that the secret key C

: 15 never need to be processed in plain text when storing, reading from memory or calculating a response, but from memory ·, the above numbers and multipliers are requested for processing. In addition, the above representation facilitates the calculation of the response by the sliding window method as described below.

In block B ", wait is received until the response to be counted is received. This moves to block C", which retrieves the numbers stored in the memory, followed by block D "using the response calculation; · The retrieved numbers and the sliding window method. specifically for the sliding window;

When the secret key C has been decomposed into components as explained in the context of block A ", i.e., is 112708 C = XO + (K1 * X1) + (K2 * X2) + ... + (Kn * Xn), and when multiplication A = C * B, this corresponds to performing the following calculation operation: A = B * XO + (K1 * B) * X1 + (K2 * B) * X2 + ... + (Kn * B) * Xn

In the latest formula, calculations in parentheses, such as K1 * B, represent the actual values of the windows used, and the binary form of X1, X2 ... Xn indicates that the values in parentheses should be used when using the sliding window method (0 = not multiplied; ).

That is, if the numbers C * B to be multiplied, when the secret key C is stored in the above form, i.e. the above numbers having values 15 X0 = 110000, K1 = 101 and X1 = 1000001, the next calculation is assumed, assuming B = 101 .

BIT NO X0 X1 CALCULATION INTERIM RESULT

1 1 1 B + 5B 6B = _____11110_ 2 10 2 * 6B + B 13B =: ____ 1000001 3 0 0 2Ί3Β 26B = J____ 10000010 4 0 0 2 * 26B 52B = v____ 100000100 5 0 0 2 * 52B 104B = 7____ 1000001000 J. 6 0 1 2 * 104B + 5B 213B =

: ·; 111 110000101001 I

20 In the table above, invoices are denoted by a decimal system: and by using multiplication to make it easier to track the progress of the invoices.

• In practice, however, all calculations are performed with binary system numbers and only by addition operations. The calculations proceed as follows: 112/08 14 - when moving to the next bit in the turn, XO and X1 multiply the previous intermediate result by two, - when the value of the bit under XO is 1 is added to intermediate 001, and - when the bit under X1 is 1 the value of the multiplier corresponding to X1 5 is added to the intermediate result, ie 5 (K1 = 101, ie 5 in decimal system).

Once the response has been calculated and fed further using the calculation operations described in connection with block D ", we proceed to block E", which checks whether the selection of new random multipliers is timely. Random multipliers may be changed, if desired, after each response has been generated, when a predetermined number of responses have been generated by the same multipliers, or alternatively, after each response has been generated, the random multiplier may be changed or continued with the same multipliers.

If the selection of new random multipliers becomes timely, it is done as follows. the sum is as follows: C = X0 + (K1 * X1) + (K2 * X2) + (K3 * X3) 20. When selecting new multipliers, the numbers of at least one of the components used in accordance with the invention are kept unchanged. the components K1 and X1 of the component (K1 * X1) are retained: unchanged Note that the value of the key i 25 C must not change when replacing the multipliers, so the sum of the components to be decommissioned must correspond to the sum of the new substitutes. that: - randomly select two new multipliers, that is, the numbers K2'and K3 '- select a new number X2' si 30 (K21 * X2 ') <X0 + (K2 * X2) + (K3 * X3) - select a new number X3' such that:: (K3 * * X3 ') <X0 + (K2 * X2) + (K3 * X3) - (K2 '* X2'): - calculate a new X0 'such that:. X0 '= X0 + (K2 * X2) + (K3 * X3) - (K2' * X2 ') - (K3' * X3 ') 112708 15 The secret key C can then be stored using the numbers in the following components: C = XO' + (K1 * X1) + (K21 * X2 ') + (K3 * * X3') 5, that is, the figures in the three components have been changed, while the numbers X1 and K1 in the fourth component have remained unchanged. The value of C has not changed because the sum of the changed components has remained the same even though the values of the numbers included in the components have been changed.

10 The new numbers as well as the unchanged numbers are then stored in block A "so that they can be utilized in future calculations until the change of the multipliers becomes relevant again.

It is to be understood that the foregoing description and the accompanying figures are merely intended to illustrate the present invention. Various variations and modifications of the invention will be apparent to those skilled in the art without departing from the scope and spirit of the invention set forth in the appended claims.

Claims (11)

A method for calculating a response, in which method: multipliers used in a sliding window method are selected and a response is calculated using an input, a secret key, and a calculation algorithm using said sliding window method selected multipliers characterized by eating at least a portion of said multipliers used in the sliding window method are selected at random. Method according to claim 1, characterized in that some of the individual counting operations in the sliding window method are selected at random, other counting operations in addition to those selected at random are carried out by using the largest possible multiplier and the randomly selected multiplier by using counting operations. the largest possible multiplier. Method according to claim 1 or 2, characterized in that said multipliers, which are selected at random, are selected so that the length of the largest multipliers is 8 -128 bits. A method according to any one of claims 1 to 3, characterized in that in the process: j the secret key is divided into sub-factors such that the sum of sub-factors. The values correspond to the value of the secret key and so that at least one of the sub-factors is made up of tai which can be multiplied by one another, of which a tai is made up of a multiplier selected at random for the sliding window method and for calculating the answer the numbers are retrieved. is included in the subfactors of memory and used in the sliding window method to calculate the answer for: the input. Method according to any one of claims 1-4, characterized in that the counting operations included in the sliding window method are performed so that the counting operations caused by the movement of a window and: the counting operations caused by the handling of the bits which is part of the window being examined is performed in a predetermined order each time a counting operation is performed. 19 1 12708 An apparatus comprising: an input (2) for receiving an input, computational means (P) for calculating an answer by means of an input, a secret key and a computational algorithm using a sliding window method and an output (3) for further feeding said input, characterized in that the device further comprises a random number generator (RND) which generates at least a portion of the multipliers used by the calculating means (P) in the sliding window method. Device according to claim 6, characterized in that the computational means (P) are arranged to randomly select a part of the individual counting operations belonging to the sliding window method to be performed by using a multiplier other than the largest possible multiplier and performing other counting operations except those selected at random by using the largest possible multiplier. Device according to any one of claims 6 to 7, characterized in that the random number generator (RND) is arranged to generate multipliers such that the length of the largest multipliers used in the sliding window method is 8-128 bits. Device according to any one of claims 6 - 8, characterized in that said device is a smart card. Device according to any of claims 6-9, characterized in that said device is a device which decodes an encrypted message, said reply being the message. '; 11. Device according to any of claims 6-9, characterized in that said device is a device which checks the accuracy of an electronic signature, said response indicating whether the electronic signature is correct.