FR2830641A1 - Method for raising an argument to an exponential power, for cryptography use, using a processor capable of processing words of sufficient length with an exponent coded in words of k bits with k greater than one - Google Patents

Abstract

Method for raising an argument to an exponential power within a finite group comprising an internal composition law, by use of a processor capable of processing words of length k expressed in bits, the exponent being coded in l words of k bits with l greater than or equal to 1. Independent claims are made for a device and computer program for raising an argument to an exponential power.

Description

<Desc / Clms Page number 1>

Method, device and program for raising an argument to a power of great exponent.

 The field of the invention is that of methods of raising to a power in a finite monoid by means of a processor capable of processing words of length k expressed in bits.

 It is recalled that a set of elements has a monoid structure or is called monoid if there exists for this set a law of associative internal composition having a single neutral element. A composition law is internal if applied to two elements of the set, it gives an element of this set. The law of internal composition applied to the neutral element and to another element of the set gives again this other element of the set. The law of internal composition is associative if applied to n elements, it gives the same element being applied to the first element and the element resulting from its application to the following elements that being applied to the last element and the resulting element from its application to the previous elements. Many real world elements such as images, communication signals, can be digitally processed by a processor using computer words that encode these elements.

For example, for a set of images, a combination of two images gives one image and a combination of white image to another image gives that other image again.

 The concept of group is sometimes found in the state of the art. In the sense of the technique to which the invention applies, a group is a particular monoid in which any element x has a symmetric element x 'such that the law of internal composition applied to these two elements, in any sense, gives as result the neutral element.

 A set constitutes a finite monoid if its cardinal, ie the quantity of its elements, is expressed by a finite number. For example the set of relative integers of the closed interval [O, N-1] where N is a given number, provided with a law of internal composition such as the modulo N addition,

<Desc / Clms Page number 2>

ïde fi monoïde fini. is a finite group that is a finite monoid. This set provided with a law of internal composition such as multiplication modulo N, constitutes a

fi fined monoid.

 We mean by raising an argument x to a power of exponent e in a finite monoid, applying the law of internal composition to an integer e of elements each equal to the argument x. The exponent e is therefore a strictly positive integer.

 For example, if the internal composition law is the addition, the element resulting from an elevation of an argument x to the exponent power e, is equal to the addition of e elements equal to the argument x.

 For example again, if the law of internal composition is multiplication, the element resulting from an elevation of an argument x to the power of exponent e, is equal to the multiplication of e elements each equal to the argument x.

 By squaring an argument x, we mean its elevation to a power of exponent 2. We consider that a first element is multiple of a second element when there exists a third element such as the law of internal composition applied to the second and third element, gives the first element.

 In a known manner, cryptography uses finite monoids consisting of sets of relative integers of the closed interval [0, N-1], provided with the modulo N multiplication as the internal composition law.

 Knuth, D. E. The Art of Computer Programming, Vol. 2 Seminumerical Algorithms-Addison Wesley, 1981, describes a simple computation algorithm of the square-multiplication type. Noting lel the length of the exponent expressed in bits and w (e) the number of non-zero bits in this exponent, this algorithm requires lel-1 squares and w (e) multiplications in the finite monoid. With a standard processor that can process k-bit words, scanning each bit of the exponent leads to calculations with offsets on k-bit words to memorize the exponent. On average, the quantity of multiplications in the finite monoid is close to lel / 2, and the amount of shifts is close to lel (1-1 / k).

<Desc / Clms Page number 3>

 When the exponent is large in order to secure cryptographic processing, the amount of operations performed by the processor slows the cryptographic processing considerably.

 To speed up the calculations, Bergeron et al. - Efficient Computation of Addition Chains - Journal of Bordeaux Number Theory, Volume 6, (1994), 21-38, proposes to compute auxiliary data such as addition strings. The search for a good chain of additions requires a high computation time which reduces the advantage of the acceleration on the elevation calculations to a power when the exponent changes with each power rise.

 The square-multiplication algorithm knows an improvement according to Knuth, which consists of calculating modular powers of the argument x with small odd exponents 1, 3, ..., 2t-1, then examining the exponent in blocks of t bits. The value t = 1 restores the unimproved version. The cost of the computations is lel squares and, on average, t + (1-zut) lel / t multiplications in a monoid, plus the exponent scan. A minimization of the cost in number of squares and multiplications, leads to optimal values for t, function of the length of the exponent and the ratio between the cost of a square and that of a multiplication in the monoid. In the case of monoïdes (Z / nZ * ,.), the values of t are 5 for lel = 512, 6 for = 768, 6 or 7 for = 1024, 7 for = 2048. These sizes of blocks compared with the length k (8, 16, 32, 64) of standard words, show that complex manipulations of bits within words and on different words, accompany a use of optimal values of t. To avoid complex bit manipulations, to simplify the code and reduce the risk of errors, a solution that uses a sub-optimal value t = 4, does not provide complete satisfaction in terms of performance.

 In order to overcome the above-mentioned drawbacks of the state known in the prior art, the object of the invention is a method, a device and a program for raising an argument to a power of large exponent, remarkable for the following points.

<Desc / Clms Page number 4>

 The method for raising an argument x to an exponent power e in a finite monoid, by means of a processor capable of processing words of length k expressed in bits, the exponent e being encoded on 1 words of k bits with 1 greater than or equal to 1, comprises two phases.

un exposant impair compris entre 1 et 2t-1 où t est un nombre inférieur à k, permet d'obtenir 2t-puissances de l'argument x avec des exposants impairs relativement petit en comparaison de l'exposant e. A first power generation phase of the argument x with

an odd exponent between 1 and 2t-1 where t is a number less than k, makes it possible to obtain 2t-powers of the argument x with relatively small odd exponents in comparison with the exponent e.

 A second processing phase of each word that encodes the exponent e in an order from the most significant bit to the least significant bit of the exponent e, makes it possible to obtain a value y in a register, after scanning the last block comprising the least significant bits for encoding the exponent e, equal to the argument x raised to the exponent power e in the finite monoid.

- pour un premier bloc scruté de premier mot tel qu'il existe dans le bloc scruté un bit non nul de poids le plus faible avec un rang b pris à partir de
1 pour le bit de poids faible du bloc, le processeur charge à partir du dit registre, une valeur y égale à unepuissance générée en première phase dont l'exposant c a pour valeur celle codée par le bit de rang b et les bits de rangs suivants jusqu'au bit de poids fort du bloc scruté, effectue b élévations au carré de ladite valeur y et range le résultat ainsi obtenu comme nouvelle valeur y dans le registre ; - pour chaque bloc scruté suivant, le processeur effectue des élévations au carré de ladite valeur y, en quantité égale au nombre de bits du bloc scruté, et s'il existe dans le bloc scruté un bit non nul de poids le plus faible avec un rang b pris à partir de 1 pour le bit de poids faible du bloc, le processeur effectue une multiplication de la valeur y par une puissance In the second phase: the processor scans the current word to be processed in blocks of at most t bits, going from the most significant bits to and to the least significant bit of the current word;

for a first scrambled block of the first word as it exists in the scanned block a non-zero bit of the lowest weight with a rank b taken from
1 for the low-order bit of the block, the processor loads from said register, a value y equal to a power generated in the first phase whose exponent ca for value that encoded by the bit of rank b and the next rank bits to the most significant bit of the scanned block, b squaring said value y and storing the result thus obtained as a new value y in the register; for each following scrambled block, the processor squares said value y, in an amount equal to the number of bits of the scrambled block, and if there exists in the scrambled block a non-zero bit of least weight with a rank b taken from 1 for the least significant bit of the block, the processor performs a multiplication of the value y by a power

<Desc / Clms Page number 5>

 generated in the first phase whose exponent ca is the value encoded by the bit of rank b and the bits of subsequent ranks up to the most significant bit of the scanned block, before making the last b squared of said value y and storing the result thus obtained in said register.

 The method according to the invention does not need a specialized microprocessor but is advantageously content with a standard processor capable of processing k-bit words. Unlike the known state of the prior art, the method does not need to resort to auxiliary data. Note that the total amount of squared elevations is fixed only by the amount of bits that encode the exponent e. In particular, it is independent of the length k of the words that can be processed by the processor and the size t of each scanned block, which can therefore be variable. It is thus possible to choose optimal values of t. The quantity of multiplications is equal to the quantity of non-zero blocks that make up the set of words to code the exponent e.

 In the simplest way, at the beginning of the second phase, the value y is initialized to 1 in the register and for each block scanned from the first, the processor squares said value y, in an amount equal to the number of bits of the scanned block, and if there exists in the scanned block a nonzero bit of least weight with a rank b taken from 1 for the least significant bit of the block, the processor performs a multiplication of the value y by a power generated in the first phase whose exponent ca for value that encoded by the bit of rank b and the next rank bits to the most significant bit of the scrambled block, before making the last b squared of said value y and store the result thus obtained in the register.

 Advantageously, when the length of the exponent e is less than an integer number of words, the nonzero bit of the strongest weight of the first word being of rank k'pris from 1 for the least significant bit, the first block scanned has for most significant bit, the rank bit k'in the first word.

 This avoids scrutinizing null blocks at the top of the first word for which squared elevations would be done on unit values.

<Desc / Clms Page number 6>

 Since the value t can be chosen arbitrarily in the process, the value t can be optimized to accelerate the power rise with a minimum of resources by reducing the number of internal operations in the finite monoid. Each word or at least each word beyond the first word, is then cut into q blocks of size t and, if k is not a multiple of t, a block of reduced size r less than t.

 Advantageously, when the first word contains k'bits of low weight useful for encoding the exponent e, the first word is divided into q'blocks of size t and, if k 'is not a multiple of t, a block of size reduced to less than t.

 The scan of the reduced size block can be done after q scans of blocks of size t.

 According to a first advantageous variant of the invention, the value y is initialized with a power generated in the first phase whose exponent ca for value that encoded by the bit of rank b and the bits of subsequent ranks up to the most significant bit. the first non-zero scrutinized block of the first word.

 This makes it possible to avoid t-b squared by a unit value of y for scanning the first block.

 According to a second variant of the invention, the scanning of a block begins with a small size block scan on the most significant bits of the block until a small block is found with all its null bits and as soon as such a block is found, the scanning of the following blocks, if any, is continued by block of size t.

 This saves a multiplication when the reduced size block placed on the low weight of the word is non-zero while it is possible to frame a block of reduced size with all its bits to zero weight more strongly.

 The device for raising an argument x to an exponent power e in a finite monoid comprises a processor capable of processing words of length k expressed in bits, a first register to receive the argument x, a second register of 1 words of k bits with 1 greater than or equal to 1 to receive the exponent e, a third register to produce the argument x high to the

<Desc / Clms Page number 7>

 exponent power e and a memory for holding data and instructions executable by the processor.

- un quatrième registre pour contenir des puissances de l'argument x avec un exposant impair compris entre 1 et i-1 où t est un nombre inférieur à k contenu dans la mémoire ; - des instructions contenues dans la mémoire pour traiter chaque mot qui code l'exposant e dans un ordre allant du bit de poids fort jusqu'au bit de poids faible de l'exposant e, agencées pour commander le processeur de façon à ce qu'en exécution : - le processeur scrute le mot courant à traiter par blocs d'au plus t bits en allant des bits de poids forts vers et jusqu'au bit de poids le plus faible du mot courant ;

- pour un premier bloc scruté de premier mot tel qu'il existe dans le bloc scruté un bit non nul de poids le plus faible avec un rang b pris à partir de
1 pour le bit de poids faible du bloc, le processeur charge à partir du troisième registre, une valeur y égale à une puissance générée en première phase dont l'exposant c a pour valeur celle codée par le bit de rang b et les bits de rangs suivants jusqu'au bit de poids fort du bloc scruté, effectue b élévations au carré de ladite valeur y et range le résultat ainsi obtenu comme nouvelle valeur y dans le troisième registre ; - pour chaque bloc scruté suivant, le processeur effectue des élévations au carré de ladite valeur y, en quantité égale au nombre de bits du bloc

scruté, et s'il existe dans le bloc scruté un bit non nul de poids le plus faible avec un rang b pris à partir de 1 pour le bit de poids faible du bloc, le processeur effectue une multiplication de la valeur y par une puissance contenue dans le troisième registre dont l'exposant c a pour valeur celle codée par le bit de rang b et les bits de rangs suivants jusqu'au bit de poids fort du bloc scruté, avant d'effectuer les b dernière élévations au carré de ladite valeur y et de ranger le résultat ainsi obtenu dans le troisième registre ; More particularly, the device comprises:

a fourth register for containing powers of the argument x with an odd exponent between 1 and i-1 where t is a number less than k contained in the memory; instructions contained in the memory for processing each word that encodes the exponent e in an order from the most significant bit to the least significant bit of the exponent e, arranged to control the processor so that in execution: the processor scans the current word to be processed in blocks of at most t bits, going from the most significant bits to and to the least significant bit of the current word;

for a first scrambled block of the first word as it exists in the scanned block a non-zero bit of the lowest weight with a rank b taken from
1 for the low-order bit of the block, the processor loads from the third register, a value y equal to a power generated in the first phase whose exponent ca for value that encoded by the bit of rank b and the rank bits following to the most significant bit of the scanned block, b squaring said value y and storing the result thus obtained as a new value y in the third register; for each following scrambled block, the processor squares said value y, in an amount equal to the number of bits of the block

scanned, and if there exists in the scanned block a non-zero bit of the lowest weight with a rank b taken from 1 for the least significant bit of the block, the processor performs a multiplication of the value y by a power contained in the third register whose exponent ca is equal to that encoded by the bit of rank b and the bits of subsequent ranks to the most significant bit of the scrambled block, before making the last b squared of said value y and store the result thus obtained in the third register;

<Desc / Clms Page number 8>

 so that the value y contained in the third register after scanning the last block comprising the least significant bits to code the exponent e, is equal to the argument x raised to the exponent power e in the finite monoid .

- pour un premier bloc scruté de premier mot tel qu'il existe dans le bloc scruté un bit non nul de poids le plus faible avec un rang b pris à partir de
1 pour le bit de poids faible du bloc, le processeur charge à partir du troisième registre, une valeur y égale à une puissance générée en première phase dont l'exposant c a pour valeur celle codée par le bit de rang b et les bits de rangs suivants jusqu'au bit de poids fort du bloc scruté, effectue b élévations au carré de ladite valeur y et range le résultat ainsi obtenu comme nouvelle valeur y dans le troisième registre ; - pour chaque bloc scruté suivant, le processeur effectue des élévations au carré de ladite valeur y, en quantité égale au nombre de bits du bloc

scruté, et s'il existe dans le bloc scruté un bit non nul de poids le plus faible avec un rang b pris à partir de 1 pour le bit de poids faible du bloc, le processeur effectue une multiplication de la valeur y par une puissance The program receiving from a first register an argument x and a second register of 1 words of k bits with 1 greater than or equal to 1, k being a word length expressed in bits that can be processed by a processor, an exponent e for produce in a third register the argument x raised to a power of exponent e, made by the processor: - in a first phase, a power generation of the argument x with an odd exponent between 1 and 2t-1 where t is a number less than k; in a second phase, a processing of each word which encodes the exponent e in an order ranging from the most significant bit to the least significant bit of the exponent e, such that: the processor scans the current word at processing in blocks of at most t bits by going from the most significant bits to and from the least significant bit of the current word;

for a first scrambled block of the first word as it exists in the scanned block a non-zero bit of the lowest weight with a rank b taken from
1 for the low-order bit of the block, the processor loads from the third register, a value y equal to a power generated in the first phase whose exponent ca for value that encoded by the bit of rank b and the rank bits following to the most significant bit of the scanned block, b squaring said value y and storing the result thus obtained as a new value y in the third register; for each following scrambled block, the processor squares said value y, in an amount equal to the number of bits of the block

scanned, and if there exists in the scanned block a non-zero bit of the lowest weight with a rank b taken from 1 for the least significant bit of the block, the processor performs a multiplication of the value y by a power

<Desc / Clms Page number 9>

 generated in the first phase whose exponent ca is the value encoded by the bit of rank b and the bits of subsequent ranks up to the most significant bit of the scanned block, before making the last b squared of said value y and arrange the result thus obtained in the third register; so that the value y contained in the third register after scanning the last block comprising the least significant bits to code the exponent e, is equal to the argument x raised to the exponent power e in the finite monoid .

 The invention will be better understood from the description of an exemplary embodiment which follows with reference to the accompanying drawings in which: - Figure 1 is a device diagram according to the invention; FIG. 2 shows steps of the first phase of the method according to the invention; FIGS. 3 and 4 show steps of the second phase of the process according to the invention; FIGS. 5 to 7 show a first variant of a second process step according to the invention; - Figures 8 to 10 show a second variant of the second phase of the method according to the invention.

 With reference to FIG. 1, a device 1 is arranged to receive as input a number x and a number e and to output a number y equal to a power of argument x and exponent e.

 The device 1 comprises a standard processor 2 designed to process words of length k bits according to instructions and data contained in a memory 3. Registers 4 and 5 are each provided respectively to contain the argument x and the exponent e. When the length lel of the exponent e expressed in bits, is greater than k, the register 5 consists of 1 words of k bits so that lel is between (1-1) k and Ik. A register 6 is provided to contain the power y. A register 7 is provided

<Desc / Clms Page number 10>

 to contain powers of the argument x with odd small exponents.

 The device 1 makes it possible to implement the method described with reference to the following figures, by executing by the processor 2, a program consisting of instructions and data contained in the memory 3 to carry out said method.

 In a first phase of the method with reference to FIG. 2, the processor 2 generates (2t-1) powers of the argument x, each row in a word of the register 7. The number t is a piece of data contained in the memory 3, of value less than k.

 In a step 8, a word index i in register 7 is initialized to 1.

In a step 9, a value x, of the first word of the register 7, is initialized to the value of the argument x.

 In a step 10, the processor 2 calculates the square xs of the argument x which is stored in an internal register of the processor 2 or in memory 3.

 In a step 11, the processor 2 tests whether the current value of the index i is less than 2t-2. A negative result on this test completes the first phase of the process. A positive result in this test activates a succession of steps 12 to 14.

 In step 12, the current value x is loaded into an internal register z of processor 2. In step 13, the current index i is increased by two units. In step 14, the processor 2 multiplies the contents of the internal register z by the square X2 and ranks the value xi obtained, in the word of the register 7, index i updated in step 13.

Step 14 is looped on step 11, having the effect of executing if t is greater than 1, steps 12 to 14 for values of i in step 11, ranging from 1 to 2-3, i varying by increment of 2. Step 14 is then executed for values of i ranging from 3 to 2t-1. According to the well-known law on intervals, the number P of executions of step 14 is given by the formula:
P = 1 + (2t-1-3) / 2 That is to say:

<Desc / Clms Page number 11>

P = 2t-1 ~ 1
In the first phase, the processor 2 thus calculated a square and P products to obtain in the register 7, n odd exponent powers of the argument x: X1 = X1, xs = x, ..., Xn = x ", with n = 2t-1.

 In a second phase of the method with reference to Figures 3 and 4, the processor 2 performs a progressive calculation of the power y by successively scanning each word of the register 5 which contains the exponent e.

 In a step 15, the power value y is initialized to 1 in the register 6. Then, the processor 2 iterates a first loop of steps 17 to 54, indexed by an index Il varying from a value 1 initialized in step 16 at the value 1 detected in step 54 which ends the second phase of the method.

In step 53 preceding step 54, the index Il is increased by one unit to scan the next word of the register 5 or to finish the second phase if this index is greater than the length 1 of the exponent e, expressed in number of words of k bits.

 The word of the register 5 with the index Il = 1 is the one containing the strongest bits of the exponent e. Then, each upper index word contains bits of lower weight up to index word 1 which contains the least significant bits. A length of the exponent e equal to an integer number of words of length k represents a case where the most significant bit of the first word of the register 5 is non-zero. It is on this simplified case that the process is explained at first.

 Within the first loop, the processor 2 iterates a second loop of steps 18 to 35 to scan the current word index)), by block of t bits. The value of t constituting a datum of the memory 3, each word of k bits contains a quantity q of blocks with a length of t bits according to the formula: k = q. t + r where r is the remainder of the integer division of k by t.

 When the remainder r is non-zero, tested in step 36, the processor 2 executes an additional sequence of steps 37 to 52 similar to the

<Desc / Clms Page number 12>

 Steps 18 to 33 for processing a last block with a length of r bits less than t bits.

 In a step 17, a second loop index qq is initialized to 1 to be increased by a unit increment in step 34 at each iteration of the second loop, until reaching the index value q of the last block of t bits. of which an overshoot detected in step 35 leaves the second loop for execution of the following steps. Like the words of index 11, the blocks of index qq inside a word, are scanned starting with the block which contains the most significant bits of the word and continuing with the blocks which contain the weight bits becoming weaker.

 In step 18, the current block of index qq contains t bits which encode a value processed by the processor 2 in its scan of this block.

 In step 19, processor 2 tests whether the value a is zero. A positive result triggers a sequence of steps 20 to 23. A negative result triggers a sequence of steps 24 to 33. Each of the sequences of steps 20 to 23 and 24 to 33 ends on step 34 for processing the next block .

 The sequence of steps 20 to 23 constitutes a third loop in which step 21 is performed t times by the processor 2 with a loop index tt ranging from 1 in step 20 to t by increasing a unit increment at each execution. from step 22 to overflow detected in step 23 which leaves the third loop.

 In step 21, the processor 2 loads the value y of the register 6, squaring it and arranges the new value y thus obtained in the register 6. Thus, in the sequence of steps 20 to 23, the processor 2 execute squarings of the y value of register 6.

In step 24 for which the value a is non-zero, it is considered to be the product of an odd number c by a power of
2 of exhibitor b. The exponent b is the rank of the first non-zero bit starting from the least significant bit in the current block. Indeed, this first non-zero bit with the succession of zero bits of lower weight, encode a power of
2 of exhibitor b. This first non-zero bit with the most significant bits in the

<Desc / Clms Page number 13>

 current block, code the odd number c. The odd number c and the exponent b are then obtained by simple masks on the current block of index qq.

 The sequence of steps 24 to 33 comprises two loops. In a fourth loop, processor 2 executes (tb) times step 26 with a loop index tt varying from 1 in step 25 to (tb) by increasing a unit increment each time step 27 is executed. overrun detected in step 28 which leaves the fourth loop.

 In step 26, the processor 2 loads the value y of the register 6, squaring it and arranges the new value y thus obtained in the register 6. Thus, in the sequence of steps 25 to 28, the processor 2 execute (tb) squares of the value y of the register 6.

 In a fifth loop, the processor 2 executes b times the step 31 with a loop index bb varying from 1 to step 30, to b by increasing a unit increment at each execution of the step 32 until it is exceeded. in step 33 that gets out of the fifth loop.

 In step 31, the processor 2 loads the value y of the register 6, squaring it and arranges the new value y thus obtained in the register 6. Thus, in the sequence of steps 30 to 33, the processor 2 execute squarings of the y value of register 6.

 In a step 29 following the step 28 at the output of the fourth loop and before the step 30 at the input of the fifth loop, the processor 2 loads the value y of the register 6, multiplies it by the power xc of odd exponent c obtained in the first phase, and ranks the new value y thus obtained in register 6.

 It can be seen that the sequence of steps previously described gives y as a power of x of exponent e.

 In the simplified case in which we set ourselves to describe the process in a first step, the most significant bit of the first block scanned is non-zero. The first value of a for qq = 1, is therefore non-zero and it is the steps 24 to 33 that are executed for this block.

<Desc / Clms Page number 14>

 For this first block of the first word, y initialized at 1 in step 15, remains at 1 by successive elevations squared in step 26 to step 28. In step 29, XC is multiplied by 1. In steps 30 to 33, xc is high b times squared.

At the last iteration of the fifth loop, we get: y = ((XC) 2) b = xa
For a block of index qq, it is known that the least significant bit, codes a power of 2 whose exponent is the amount of bits in the blocks that follow this block. That is, in a particular case where all the bits of the following blocks would be zero, the value of the exponent e for that single bit is a power of 2 with the exponent of the amount of smaller bits of weight.

b Lorsque a est égal à c*2b, pour le bloc d'indice qq+1, en étape 25, y = xn. En fin d'exécution de la quatrième boucle : y = (xn) 2** (t-b) Après exécution de l'étape 29 : y = (x") )

En fin d'exécution de la cinquième boucle : y = ( (x"r r' y = (xn) 2** (t-b) *2**b* (xC) 2**b y = (xn) 2**t* (xa) C'est à dire y = xm. When a value y which results from the previous qq iterations of the second loop, is such that y = xn, n is an exponent value coded on qq blocks which corresponds to n * 25 coded on (qq + 1) blocks with all the null bits in the last block. When the last block of index qq + 1 adds the value a to (qq + 1) previous blocks, the new exponent m coded on (qq + 1) blocks, is given by the formula: m = n * 2t + a
When a is zero for the block of index qq + 1, in step 20, y = xn. At the end of the third loop: y = (xn) 2 ** t That is y = xm.

b When a is equal to c * 2b, for the block of index qq + 1, in step 25, y = xn. At the end of execution of the fourth loop: y = (xn) 2 ** (tb) After execution of step 29: y = (x "))

At the end of the fifth loop: y = ((x "rr 'y = (xn) 2 ** (tb) * 2 ** b * (xC) 2 ** by = (xn) 2 ** t * (xa) That is, y = xm.

<Desc / Clms Page number 15>

 The properties explained above are verified step by step until the last block of index q so that by ending the second loop in step 35, the value of y contained in the register 6, is a power of x whose the exponent is coded on q blocks.

 When the current index qq exceeds q in step 35, the process continues as shown in FIG. 4 linked by the reference A.

 In step 36, processor 2 tests whether the remainder r is zero. A positive result indicates that the word contains an integer number of blocks of length t and that this word contains no more bits beyond the block of index q. Step 53 is then directly activated. A negative result indicates that the word does not contain an integer number of blocks of length t and that this word still contains a reduced block of index q + 1 with r bits beyond the block of index q. Step 37 is then activated.

 In step 37, the current block of index q + 1 contains r bits which encode a value treated by the processor 2 in its scan of this block.

 Step 38, identical to step 19, activates a sixth loop if the value a is zero and a sequence comprising a seventh and eighth loop if the value a is non-zero.

 The sixth loop is carried out by means of steps 39 to 42 similar to steps 20 to 23 with the only difference that the overshoot test of step 23 is replaced by an overshoot test of r in step 42 so that Square squares of y are performed during executions of step 40 by the processor 2.

 The seventh loop is preceded by a step 43 identical to step 24.

The seventh loop is performed by steps 44 to 47 similar to steps 25 to 28 with the only difference that the tb overflow test in step 28 is replaced by a rb overflow test in step 47 so that rb Square squares of y are performed during executions of step 45 by the processor 2.

 At the output of the seventh loop, a step 48 identical to step 29 precedes the entry of the eighth loop.

<Desc / Clms Page number 16>

 The eighth loop is performed by means of steps 49 to 52 identical to steps 30 to 33 so that squared elevations of y are performed during executions of step 50 by processor 2.

 The properties checked on the calculation of y for the third, fourth and fifth loops remain valid for the sixth, seventh and eighth loop with y equal to xi after treatment of the last block of index q and y equal to xm after treatment of the block of q + 1 which contains only r bits.

 In step 53 activated at the output of the sixth loop, at the output of the eighth loop or directly or directly after step 36, the current index Il of word is increased by a unit increment so as to terminate the process when the increased index It is detected greater than 1 in step 54.

 As long as the index Il tested in step 54 does not exceed index 1 of the last word of register 5, the process is continued by reference B which connects FIG. 4 to FIG. 3 to reactivate step 17 so as to scrutinize the first block of the next word.

 The properties on the calculation of previously explained therein when passing from one block to the next inside a word, remain checked during the passage of the last block of a word to the first block of a next word.

 Thus, the value of y contained in the register 6 is equal to the power of the argument x with the exponent e coded in the 1 word of the register 5.

 Note in the process explained above that the processor does t squares at each execution of the third loop, tb squared at each execution of the fourth loop and squared b elevations at the execution of the fifth loop that follows, so that the processor 2 performs t squares for each block processing of length t that has either zero or not. Simply, the processor 2 performs an additional multiplication for a non-zero block of value a.

 In processing a word of q blocks, the processor 2 performs q times t squares and at most q multiplications by executions of step 29, according to the number of non-zero blocks of value a. If the word contains more than one

<Desc / Clms Page number 17>

 reduced block of r bits, the processor still r reas squares and possibly a multiplication by execution of step 48 if the value of this block is non-zero. In total, to process a word of length k, processor 2 performs qt + r squared, ie k squared elevations and at most q + 1 multiplications. The length k is imposed by the length of the words that the processor 2 is intended to process. The amount of squared elevations equal to k is independent of the value of t. Only the quantity of multiplications is substantially inversely proportional to t.

 The probability of having a null block is 0.5 for t = 1 and decreases considerably when t increases. One might think it better to take t close to k to reduce the quantity of multiplications. For example t = k, would require at most a multiplication per word. However in the first phase, the processor must calculate (P + 1) products in an amount equal to a power of 2 with (t-1) for exponent. The exponential growth of the quantity of multiplications as t approaches k, rapidly diminishes the advantage of taking a large value of k in the second phase where the quantity of multiplications is only proportional to the quantity of words necessary to code the exponent e and to the amount of blocks in each word. Considering what has just been explained, it is understood that there exists an optimum value of t between 1 and k for the processor 2 to perform a minimum quantity of multiplications. Rich in the teaching that has just been described, those skilled in the art can easily design an optimization program based on mathematical considerations that are not the subject of the present invention. This program can be previously executed on an independent computer, the calculated value t is then stored or downloaded into the memory 3. This calculation program t can also reside in the memory 3 so as to optimize the value of t according to the length of each exponent e received.

 The device calculates the optimal value of t by means of a transcendental inequation parameterized by k, t and a ratio a. The length k of the words manipulated by the processor is known. The ratio is between the cost of a square

<Desc / Clms Page number 18>

 and that of a multiplication in the finite monoids is known, for example by means of a preliminary measurement. It is therefore possible to establish once and for all a table for each finite monoid, each table giving the optimum value t for a range of lengths l of exponent.

The process is now explained in a second time on a more general case where the length lel of the exponent is not equal to an integer of words of length k. The most significant word, ie the first word of the register 5, then contains a certain amount of bits of zero significant weight before a first non-zero bit which with the following bits to the least significant bit of the this first word constitutes a set of k'bits with k 'less than k. This set of k'bits is then divided into q'blocks of size t and if need be into an additional block of size r'où q'and are given by the Euclidean division: K '= q't + r'
The first iteration of the first loop is specially parameterized for Il = 1. In step 35, the test on an overshoot of q is replaced by a test on an overshoot of q ', the steps 17 to 34 remaining identical elsewhere. In step 36, the zero value of r'qui is tested.

In step 37, it is the value a coded by the block of index q '+ 1 which is considered. In step 42, the test on exceeding r is replaced by a test on exceeding r '. In step 47, the test on exceeding (r-b) is replaced by a test on exceeding (r'-b). Steps 38 to 41,43 to 46 and 48 to 53, remain identical elsewhere.

 This first particular iteration has the advantage of finding a non-zero value of a at the first execution of step 19 and thus not to execute step 21 unnecessarily in which the square of it would remain trivially at 1 for blocks. heavy weights with null bits. Thus, processor 2 performs squaring for the first word.

 The following iterations of the first loop of 11 = 2 to 11 = 1 are performed by means of steps 17 to 54 as described in FIG.

<Desc / Clms Page number 19>

 simplified case, the totality of each next word until the word of low weight being then scrutinized by the processor 2.

Thus, the amount of squarings remains equal to the length lel of the exponent e with: lei = k '+ (1-1) k
The general case covers the simple case with implicitly k '= k, q' = q and r '= r.

This is why the notation k ', q' and will now be used with reference to the most significant word which encodes the exponent e, even in the particular case where k 'would be equal to k.

 With reference to FIG. 5, a first variant of the method makes it possible to reduce the quantity of squares to a value less than lel by replacing steps 15 and 16 by particular steps for the most significant word of register 5.

 The second phase of the process then begins with a step 55 in which the index 11 of the scanning words of the register 5, is initialized to 1 to make support the word of high weight by the processor.

 In a step 56, the block scan index qq in the word is initialized to 1 to support the first non-zero high order block by the processor.

 In a step 57, the processor 2 considers a value a as that encoded by the bits of this non-zero block.

 In a step 58, similar to step 24, this value a is considered to be the product of an odd number c by a power of 2 of exponent b.

 In a step 59, the value of y is directly initialized to the value xc calculated in the first phase as being the power of the argument x of exponent c.

 Thus, the processor 2 first squares on a value of y different from 1 in a step 61, iterated b times by means of a loop index bb previously initialized to 1 in a step 60, incremented in a step 62 with passing test in a step 63.

<Desc / Clms Page number 20>

 At the end of the loop performed by steps 60 to 63, a step 64 tests whether it is zero.

 A positive response to this test means that the bit string of the current word whose most significant bit is non-zero has a length less than t. The first block scanned is then a small block r'qui is also the last before taking care of the next word. The process continues with a step 102 shown in FIG. 7 such that the link from step 64 to step 102 can be followed by means of the C mark.

 A negative response to this test means that the bit string of the current word whose most significant bit is non-zero, has a length greater than or equal to t. The first block scanned is then a block of reduced size t which may possibly be followed by another block of size t or a block of reduced size r ', before taking over the next word. A step 65 increments the block current index of which the overshoot is tested in a step 66. A negative test response of step 65 means that there is a next block of size t and the process continues with a step 67 represented in FIG. 6 such that the link from step 66 to step 67 and displayed by the reference D. A positive test response of step 65 means that there is no next block of size t and the method continues with a step 85 shown in FIG. 7 such as the link from step 66 to step 85 and visualized by reference E.

 Thus, processor 2 avoids trivial squares of unit values of y such that it could do for the first processed block (tb) or (r'-b) times in steps 26 or 45. The process is optimized in that the amount of squared elevations is reduced accordingly.

 As long as there are blocks of index qq less than q ', detected by a test step 84, steps 67 to 83 are repeated. Steps 67 to 83 are similar to steps 18 to 34.

 In step 67, the current block is considered to encode a value tested at zero in a step 68.

 A positive response to the test of step 68 activates a step 70 iterated t times according to a loop index tt initialized at 1 in step 69 and incremented by

<Desc / Clms Page number 21>

 step 71 to exceed detected in step 72. At each iteration of step 70, the processor 2 squars y.

 A negative response to the test of step 68 activates a step 73 identical to step 24 previously described. Then a step 75 is iterated (tb) times according to a loop index tt initialized to 1 in step 74 and incremented in step 76 until it is exceeded in step 77. At each iteration of step 70, the processor 2 performs a squaring of y.

 That is either zero or non-zero, step 70 or 75 respectively, causes processor 2 to execute squaring on a value y which is already a power of argument x, following the executions of step 59 and 61 previous. This avoids unnecessary squaring of unit values.

 Steps 78 to 83 are identical to steps 29 to 35. After incrementing in step 83 the block index qq, exceeding q 'tested in step 84 means that q' blocks of length t have been processed by the processor 2 in steps 57 to 66 then 67 to 83 iterated (q'-1) times. A positive test response of step 84 activates a step 85 as viewed by the link E of FIG. 6 to FIG. 7. Each of steps 85 to 102 of FIG. 7 is identical to each of steps 36 to 53. of Figure 4.

 In step 102, the word index 11 is set to 2 to reference the second word of the register 5. A value of 1 greater than 2 causes a negative response to the test of step 103 which activates the step 17 to continue the second phase of the method in the same manner as that described above with reference to FIGS. 3 and 4 for the words of index Il greater than 1. The reference B shows the link of FIG. 7 to FIG.

 With reference to FIG. 8, a second variant of the method performs, when r is non-zero, a division of the word into q blocks of size t and a block of reduced size r so that the block of reduced size is not systematically the last block of the word considered.

<Desc / Clms Page number 22>

 The method described with reference to FIG. 3 is modified in that the transition from step 16 to step 17 is diverted to a step 104 as visualized by the reference J in FIG. 8.

 In step 104, processor 2 tests whether r is zero for the current word.

A positive response returns to the unmodified process as viewed by the B mark. A negative response activates a step 105.

 In step 105 and the following, an index qq references a bit rank in the current index word Il, such that qq = 1 references the most significant bit, each subsequent index value references a bit of weight lower than the previous one up to the value qq = k which references the least significant bit.

In step 105, the index qq is initialized to 1 to reference the most significant bit. It will be understood that for the most significant word when 11 = 1, the index qq can be initialized to the rank of the first non-zero high order bit by replacing in the following k by k ', q by q' and r by r ' .

 In a step 106, the processor applies a mask on the current word to interpret a sequence of r bits of rank qq to (qq + r-1) as encoding a value d.

 A step 107 consists in testing a zero value of d. A positive response indicates that a small block r has been found with all bits at zero. Steps 108 to 113 are then enabled to perform squarings of y. Steps 108 to 111 are the same as steps 20 to 23. A negative response indicates that a reduced size block r was not found with all of its bits set to zero. A step 114 is then activated.

 For the case where a block of reduced size r has been found, step 112 increases by r, the index qq to position itself on the bit which follows the least significant bit of the block of reduced size.

Step 113 tests whether the new current index qq is greater than k. A positive response indicates an overshoot which causes the process to proceed with the H mark to a step 162 described later with reference to FIG.
10. A negative response indicates that there are still bits of low weight in the current word as a result of the reduced size block r. The existence of bits of

<Desc / Clms Page number 23>

 a small quantity in necessarily multiple quantity of t, the method is continued by the reference F to a step 127 described later with reference to FIG. 9.

 In step 114, the processor applies a mask on the current word to interpret a sequence of t bits of rank qq to (qq + t-1) as encoding a value a. That is, when a string of r first high order bits is not detected zero in step 107, a block of t bits is considered in steps 114-124.

 The value of a being necessarily non-zero because the r bits of high weight are not all zero, a succession of steps 115 to 124 identical respectively to steps 24 to 33, follows step 114. As in the method With reference to FIG. 3, steps 115 to 124 have the function of causing processor 2 (tb) squaring followed by multiplication by an argument power x obtained in first phase followed by b elevations. square.

 For the case where a block of reduced size r has not been found, step 125 increases by t, the index qq to position itself on the bit which follows the least significant bit of the block of size t.

 Step 126 tests whether the new current index qq is greater than q. t. A positive response indicates an overshoot which causes the process to proceed by the G-mark to a step 145 described later with reference to Fig. 10. A negative response indicates that there are still low-order bits in the current word as a result of block size current t. After a passage in the step 113, the process which continues according to the marks F and H, no longer passes through the steps 106 to 126. At each passage in the step 126, an integer number of blocks of t bits has been processed by the processor 2. If q blocks have been processed in the passage in step 125, qq is equal to q. t + 1 in step 126. As long as q blocks of size t have not been processed, the existence of bits of low weight in quantities necessarily greater than t makes the loopback process on step 106 continue. .

<Desc / Clms Page number 24>

 With reference to FIG. 9, the process continues according to the reference F.

When the index qq tested in step 113 is not greater than k, there remain bits of low weight in the current word of index Il. Since step 113 follows the processing of a reduced size block r, the least significant bits necessarily constitute an integer of blocks of size t.

 In a step 127, the processor applies a mask on the current word to interpret a sequence of t bits of rank qq to (qq + t-1) as encoding a value a.

 In a step 128, the processor 2 tests whether the value a is zero as in step 19. A positive response activates steps 129 to 132, each respectively identical to each of the steps 20 to 23 to perform t squares of y. . A negative response activates steps 133 to 142, each respectively identical to each of steps 24 to 33 to perform (tb) square squares of y, followed by a multiplication of y by a power of x obtained in first phase, followed by b squared elevations of y.

 Following squares according to steps 129 to 132 or squares and multiplication according to steps 133 to 142, step 143 increases the bit rank index by t.

 In a test step 144, a value of qq greater than k indicates that the processing of the current index word II is complete. A value of qq no greater than k indicates that there are still blocks of length t to be processed in the current index word II.

 A negative test response of step 144 loops the process on step 127 to treat the remaining blocks identically to that described with reference to FIG.

A positive response to the test of step 144 activates step 161 described with reference to FIG. 10 as viewed by link H of FIG. 9 in FIG.
10.

 With reference to FIG. 10, the reference G follows a positive test response of step 126 which means that q blocks of size t have been processed without

<Desc / Clms Page number 25>

 found a block of reduced size r consisting of null bits. It remains then a block of reduced size r.

 In a step 145, the processor applies a mask on the current word to interpret a sequence of t bits of rank qq to (qq + r-1) as coding a value a to process the block of reduced size remaining, identically to that described with reference to FIG. 4, by means of steps 146 to 160, identical each respectively to each of the steps 38 to 52.

 Following a positive response to the test of step 144, 150 or 160, step 161 increases the index Il by one unit to reference the next word in register 5 if it exists. If the new index Il tested in step 162, is greater than the length 1 of the exponent e expressed in number of words, the process is finite with y in the register 6, having for value the power of the argument x d exhibitor e. Otherwise, step 162 is looped on step 104 or 105 to process the next word of the register 5 which encodes the exponent e.

 This second variant, by not systematically placing the reduced-size block r on the low-order bits following the q blocks of size t, makes it possible to save a multiplication when there is a small block r with all its null bits before a block of size t. This second variant has the effect of increasing the probability of appearance of a null block.

 The second variant of the method can be combined with the first variant by direct passage from step 115 to step 120, following and only following the first execution of step 114. By short-circuiting steps 116 to 119 for the scan of the t high-order bits of the exponent e, we find the advantages of the first variant explained with reference to FIG. 5, namely those of avoiding making (tb) trivial first trivial squares of a value unitary of y.

 The method is for example implemented by means of the device 1 described with reference to Figure 1 in the memory 3 which resides a program consisting of instructions and data that encode executable language by the processor 2, the previously described steps.

<Desc / Clms Page number 26>

 It will be understood that the steps as described with reference to Figures 2 to 10, have been in this manner to facilitate understanding of the method. Some steps or monoïdes of steps can be realized by means of appropriately parameterized sub-programs and standard instructions of a programming language.

 For example, steps 11 to 14 are achievable by means of a standard loop instruction to perform 2t-2 multiplications of a value xi by a square X2 to generate a power x, + i.

 Steps 20 to 23, 39 to 42, 69 to 72, 88 to 91, 108 to 111, 129 to 132 or 147 to 150 are achievable by means of the same first subroutine called by a first instruction following a positive response to a test. zero value respectively in step 19, 38, 68, 87, 107, 128 or 146, parameterized by t, r or as appropriate for the subroutine return test.

 The first subroutine includes a standard loop instruction to perform t, r or squared according to the parameterization.

 This same first subroutine also makes it possible to carry out steps 25 to 28,44 to 47,74 to 77,93 to 96,116 to 119,134 to 137 or 152 to 155 by being called by a second instruction at the end of step 24, respectively. , 73, 92, 115, 133 or 151, parameterized by (tb), (rb) or (r'-b) as appropriate for the subroutine return test.

 This same first sub-program also makes it possible to carry out steps 30 to 33, 49 to 52, 60 to 63, 79 to 82, 98 to 101, 121 to 124, 139 to 142 or 157 to 160 by being called by a third instruction at the end respectively. step 29,48, 59,78, 97,120, 138 or 156, set by b for the subroutine return test.

 The steps 24 to 33,43 to 52,73 to 82,92 to 101,133 to 142 or 151 to 160 are feasible by means of the same second subroutine called by a fourth instruction following a negative response to the zero value test respectively in step 19, 38, 68, 87, 128 or 146, parameterized by t, r or r 'as the case may be.

<Desc / Clms Page number 27>

 The second subroutine includes at least one fifth instruction to determine c and b in step 24,43, 73,92 133 or 151, followed by the second instruction to call the first subroutine, followed by a sixth instruction to return first. sub-program to perform a multiplication according to step 29,48, 78,97, 138 or 156, followed by the third instruction to call the first subroutine, followed by a seventh return instruction of the first subroutine to perform a return to the calling program.

 This same second sub-program also makes it possible to carry out steps 115 to 124 by being called by an eighth instruction at the end of step 114, parameterized by part.

 The person skilled in the art can then easily carry out a main program with the appropriate subroutine calls, to implement the method described with reference to FIGS. 3 and 4,5 to 7 or 8 to 10.

 The invention is particularly applicable to cryptographic methods based on modular arithmetic.

 The most common standard, PKCS &num; 1 defines a RSA secret key as a set of module and exponent, without the possibility to add data, considered secret that the signer could exploit in a proprietary algorithm, such as additions chains. . The invention allows accelerated RSA calculations using the only secret key data defined in the standard. A direct application is the implementation of a cryptographic calculation module in browsers using the data structure defined in the standard.

 Public key algorithms based on the discrete logarithm (El Gamal, DSA, Guillou-Quisquater) require modular power elevations with exponents that vary with each execution of the protocol. The contribution of auxiliary data such as chains of additions, is discarded because too expensive and not reusable with certainty. The invention offers an acceleration of calculations at reduced cost.

<Desc / Clms Page number 28>

 The Diffie-Helmann key exchange algorithm requires two power elevations, modular at each execution. The security of the algorithm requires exhibitors to change with each run. The invention is advantageously applied for these calculations.

 Recent cryptographic algorithms, based on elliptic curves, use additive notations for the finite monoid: an addition replaces the multiplication, a doubling replaces the square, an integer multiplication replaces the elevation with the power, and a zero initialization replaces initialization to 1. This formal modification does not change the scope of the invention which then applies to the calculations y = éx, with e integer and x in the finite monoid.

 The invention also applies to cryptographic protocols based on the discrete logarithm in class groups and protocols using groups of braids.

Claims (1)

for a first scrambled block of the first word as it exists in the scanned block a non-zero bit of the lowest weight with a rank b taken from CLAIMS: 1. Method for raising an argument x to a power of exponent e in a finite group comprising an internal composition law, by means of a processor (2) capable of processing words of length k expressed in bits, the exponent e being encoded on 1 k-bit words with 1 greater or equal to 1, characterized in that it comprises: a first power generation phase of the argument x with an odd exponent between 1 and 2t-1 where t is a number less than k; a second processing phase of each word which encodes the exponent e in an order ranging from the most significant bit to the least significant bit of the exponent e, in which: the processor (2) scans the current word to be processed in blocks of at most t bits - by going from the most significant bits to and from the least significant bit of the current word; 1 for the least significant bit of the block, the processor (2) loads from a register (6), a value y equal to a power generated in first phase whose exponent ca for value that encoded by the bit of rank b and the next rank bits up to the most significant bit of the scanned block, b squaring said value y and storing the result thus obtained as a new value y in the register (6); for each following scrambled block, the processor (2) squares said value y, in an amount equal to the number of bits of the scrambled block, and if there exists in the scruttered block a nonzero bit of the most significant weight. low with a rank b taken from 1 for the least significant bit of the block, the processor (2) applies the internal composition law to the value y and to a power generated in the first phase whose exponent ca to value that encoded by the bit of rank b and the next rank bits to the most significant bit of the scanned block, before performing the last bs of said value y and storing the result thus obtained in the register (6); so that the value y contained in the register (6) after scanning the last block comprising the least significant bits to code the exponent e, is equal to the argument x raised to the exponent power e in the finished group. 2. Method for raising an argument x to an exponent power e according to claim 1, characterized in that the nonzero bit of the largest weight of the first word is of rank k'pris from 1 for the bit of the lowest weight, the first block scanned has the most significant bit, the bit of rank k 'in the first word. 3. A method for raising an argument x to an exponent power e according to claim 1 or 2, characterized in that the register (6) is initialized with a power generated in the first phase whose exponent is equal to that encoded by the bit of rank b and the following bits of rank up to the most significant bit of the first non-zero scanned block of the first word. 4. A method for raising an argument x to an exponent power e according to claim 1 or 2, characterized in that at the beginning of the second phase, the value y is initialized in the register (6) with a neutral element of the internal composition law and in that for each block scanned from the first, the processor (2) squaring said value y, in an amount equal to the number of bits of the scanned block, and if it exists in the block scanned a non-zero bit of the lowest weight with a rank b taken from 1 for the least significant bit of the block, the processor (2) applies the internal composition law to the value y and to a power generated in first phase whose exponent ca for value the one coded by the bit of rank b and the bits of following ranks to the most significant bit of the scrambled block, before <Desc / Clms Page number 31> to perform the last b elevations squared of said value y and store the result thus obtained u in the register (6). 5. Method for raising an argument x to an exponent power e according to one of the preceding claims, characterized in that at least each word beyond the first word, is divided into q blocks of size t and, if k is not a multiple of t, a block of reduced size r less than t. 6. Method for raising an argument x to an exponent power e according to one of claims 2 to 5, characterized in that the first word is cut into q'blocks of size t and, if k 'is not a multiple of t, a block of reduced size r 'less than t. 7. A method for raising an argument x to an exponent power e according to claim 5 or 6, characterized in that for each word, the scan of a block starts with a reduced size block scan on the bits of weight strong block to find a block of reduced size with all its null bits and as soon as such a block is found, the scan of the following blocks if there exist, is continued by block size t. 8. A method for raising an argument x to an exponent power e according to claim 5 or 6, characterized in that for each word, the scan of the reduced size block is made after q scrutinizing blocks of size t. 9. A method for raising an argument x to an exponent power e according to one of the preceding claims, characterized in that the finite group is a set of relative integers of a closed interval [0, N-1] and in that the law of internal composition is the modulo N multiplication of unit neutral element. 10. A method for raising an argument x to an exponent power e according to one of claims 1 to 8, characterized in that the finite group is a set of positive integers or zero of absolute value strictly less than an integer N and in that the law of internal composition is the modulo addition of zero neutral element. for a first scrambled block of the first word as it exists in the scrubbed block a non-zero bit of least weight with a rank b taken from 1 for the least significant bit of the block, the processor (2) loads from a register (6), a value y equal to a power generated in the first phase whose exponent ca for value that encoded by the bit of rank b and the bits of following ranks to the most significant bit of the scanned block, performs squarings of said value y and arranges the result thus obtained as a new value y in the register (6); 11. A device for raising an argument x to an exponent power e in a finite group provided with an internal composition law, comprising a processor (2) capable of processing words of length k expressed in bits, a register (4 ) to receive the argument x, a register (5) of 1 words of k bits with 1 greater than or equal to 1 to receive the exponent e, a register (6) to produce the argument x raised to the power of exponent e and a memory (3) for containing data and instructions executable by the processor (2), characterized in that it comprises: - a register (7) for containing powers of the argument x with an odd exponent between 1 and 2t-1 where t is a number less than k contained in the memory (3); instructions contained in the memory (3) for processing each word which encodes the exponent e in an order ranging from the most significant bit to the least significant bit of the exponent e, arranged to control the processor (2) so that in execution: - the processor (2) scans the current word to be processed in blocks of at most t bits by going from the most significant bits to and to the least significant bit of the current word ; <Desc / Clms Page number 33> end | 12. Device for raising an argument x to an exponent power e according to claim 11, characterized in that the memory (3) contains at least one instruction to have the processor (2) scan the first word of the register (5). ) from the strongest non-zero bit so that this bit is of rank starting from 1 for the least significant bit, only k'bits of the first word are processed. for each following scrambled block, the processor (2) squares said value y, in an amount equal to the number of bits of the scrambled block, and if there exists in the scruttered block a nonzero bit of the most significant weight. weak with a rank b taken from 1 for the least significant bit of the block, the processor (2) applies the internal composition law to the value y and to a power contained in the register (7) whose exponent ca for value that coded by the bit of rank b and the next rank bits to the most significant bit of the scanned block, before making the last b squared of said value y and storing the result thus obtained in the register (6); so that the value y contained in the register (6) after scanning the last block comprising the least significant bits for coding the exponent e, is equal to the argument x raised to the exponent power e in the group 13. Device for raising an argument x to an exponent power e according to claim 11 or 12, characterized in that the register (6) is initialized with a power contained in the register (7) whose exponent ca for value that encoded by the bit of rank b and the next rank bits to the most significant bit of the first non-zero scanned block of the first word. Apparatus for raising an argument x to an exponent power e according to claim 11 or 12, characterized in that the register (6) is initialized to 1 and in that the memory (3) contains at least one instruction for <Desc / Clms Page number 34> make the processor (2) squaring said value y, in an amount equal to the number of bits of each block scanned, and if there exists in the scruted block a non-zero bit of least weight with a rank b taken from 1 for the least significant bit of the block, to be applied by the processor (2) the composition law internal to the value y and a power contained in the register ( 7) whose exponent is equal to that encoded by the bit of rank b and the next rank bits to the most significant bit of the scanned block, before making the last b squared of said value y and of arrange the result thus obtained in the register (6). 15. Device for raising an argument x to an exponent power e according to one of claims 11 to 14, characterized in that the memory (3) contains at least one instruction for cutting at least each word beyond the first word. , in q blocks of size t and, if k is not a multiple of t, a block of reduced size r less than t. 16. Device for raising an argument x to an exponent power e according to one of claims 12 to 15, characterized in that the memory (3) contains at least one instruction for cutting the first word into size blocks. t and, if k is not a multiple of t, a block of reduced size r 'less than t. 17. Apparatus for raising an argument x to an exponent power e according to claim 15 or 16, characterized in that the memory (3) contains at least one instruction to start on each word, the scanning of a block by a small size block scan on the most significant bits of the block until finding a small block with all its null bits and at least one instruction to continue as soon as such a block is found, the scan of the block or blocks following if it exists, by size block t. <Desc / Clms Page number 35> 18. Device for raising an argument x to an exponent power e according to Claim 15 or 16, characterized in that the memory (3) contains at least one instruction for scanning the block size reduced after scanning q blocks of size t. for a first scrambled block of the first word as it exists in the scrubbed block a non-zero bit of the lowest weight with a rank b taken from 19. Program for generating in a register (6) an argument x received a register (4), raised to an exponent power e received from a register (5) of 1 k-bit words with 1 greater than or equal to 1, k being a word length expressed in bits that can be processed a processor (2), characterized for executing by the processor (2): in a first phase, a power generation of the argument x with an odd exponent between 1 and 2t-1 where t is a number less than k; in a second phase, a processing of each word which encodes the exponent e in an order ranging from the most significant bit to the least significant bit of the exponent e, such that: the processor (2) scrutinizes the current word to be processed in blocks of at most t bits by going from the most significant bits to and from the least significant bit of the current word; 1 for the least significant bit of the block, the processor (2) loads from the register (6), a value y equal to a power generated in the first phase whose exponent ca to value that encoded by the bit of rank b and the next rank bits up to the most significant bit of the scrambled block, b squaring said value y and storing the result thus obtained as a new value y in the register (6); for each following scrambled block, the processor (2) squares said value y, in an amount equal to the number of bits of the scrambled block, and if there exists in the scruttered block a nonzero bit of the most significant weight. low with a rank b taken from 1 for the weight bit <Desc / Clms Page number 36>  weak of the block, the processor (2) performs a multiplication of the value y by a power generated in the first phase whose exponent ca for value that encoded by the bit of rank b and the following bits of ranks up to the weight bit strong of the scanned block, before making the last b squared of said value y and storing the result thus obtained in the register (6); so that the value y contained in the register (6) after scanning the last block comprising the least significant bits to code the exponent e, is equal to the argument x raised to the exponent power e in the finished group. 20. Program for producing an argument x high at exponent power e according to claim 19, characterized in that it is arranged to scan the first block of the first word from the nonzero bit of the strongest weight of the first rank word k'pris from 1 for the least significant bit, so that the first block scrutinized has for most significant bit, the rank bit k'in the first word. 21. Program for producing an argument x high at exponent power e according to claim 19 or 20, characterized in that it is arranged to initialize the register (6) with a power generated in the first phase whose exponent ca for value that encoded by the bit of rank b and the next rank bits to the most significant bit of the first non-zero scanned block of the first word. 22. Program for producing an argument x raised to an exponent power e according to claim 19 or 20, characterized in that it is arranged to initialize at the beginning of the second phase, the value y to 1 in the register (6) and in that for each block scanned from the first, the program is arranged to squaring said value y, in an amount equal to the number of bits of the scanned block, and if it exists in the block <Desc / Clms Page number 37>  scanned a non-zero bit of least weight with a rank b taken from 1 for the least significant bit of the block, to perform a multiplication of the value y by a power generated in first phase whose exponent ca for value the one coded by the bit of rank b and the bits of following ranks up to the most significant bit of the scrambled block, before making the last b squared of said value y and storing the result thus obtained in the register ( 6). 23. Program for producing an argument x raised to an exponent power e according to one of claims 19 to 22, characterized in that it is arranged to cut at least each word beyond the first word, in q blocks of size t and, if k is not a multiple of t, into a block of reduced size r less than t. 24. Program for producing an argument x raised to an exponent power e according to one of claims 20 to 23, characterized in that it is arranged to cut the first word into q'blocks of size t and, if k 'is not a multiple of t, a block of reduced size r' less than t. 25. Program for producing an argument x high at exponent power e according to claim 23 or 24, characterized in that it is arranged to start for each word, scanning a block by a size block scan reduced on the most significant bits of the block until finding a block of reduced size with all its null bits and as soon as such a block is found, the scanning of the following blocks if there exist, to continue the block scan of size t. 26. A program for producing an argument x high at an exponent power e according to claim 23 or 24, characterized in that it is arranged to scan the block of reduced size after q searches of blocks of size t of a word .