FR2842051A1 - CRYPTOGRAPHY METHOD INCLUDING THE CALCULATION OF A MODULAR MULTIPLICATION WITHIN THE MEANING OF MONTGOMERY AND CORRESPONDING ELECTRONIC ENTITY - Google Patents

Abstract

Calculation of a modular multiplication in the sense of Montgomery The two numbers x, a to be multiplied modulo m are expressed in words and the calculation is carried out by cycle, each cycle comprising: - the calculation (102) of a word called coefficient reduction, - the multiplication (100) of a word (Xi) of x by a word (Aj) of a, - the multiplication (101) of the reduction coefficient (Qi) by a word (Mj) of the module m, the addition (103) of the results to a word of a shift memory (104), and the shift of a word in this memory, at the end of a cycle.

Description

The invention relates to a cryptographic method including calculation

  a Montgomery modular multiplication between two large binary numbers. More particularly, the invention aims at a method of calculating such a multiplication, in which the binary representation of the operands is easily configurable on demand, in order to be able to change the size of the operands. The invention also relates to any electronic entity

the process.

  Since the introduction of the RSA system, a lot of research has been done on modular computing techniques, both software and

  equipment. Among all these techniques, the one based on the algorithm of P.L.

  Montgomery is the most interesting and still offers many perspectives. This theory was exposed in a Montgomery article entitled "Modular Multiplication Without Trial Division" in the journal "Mathematics & Computations" of April 1985. The known material achievements of the Montgomery technique are made only in binary representation whose main disadvantage is to impose large work records

and not configurable.

  The most used public key cryptographic systems (RSA, DSA, ECC ...) are based on the modular arithmetic of large numbers. It is indeed necessary to know how to efficiently calculate the modular exponential of numbers whose size requires at least 1024 bits for the representation of the operands, which represents more than 310 decimal digits. The systems for representing operands in computers are based on the binary word grouping several bits. The word structures currently used are therefore: the byte represented by 8 bits,

- the words of 16 or 32 bits.

  So a 1024-bit operand requires 128 bytes (or 32 words of

32 bits), for its representation.

  The realization of a modular exponentiation can be realized in

  performing a series of modular multiplications.

  Given a, e, n three numbers, we try to compute a 'mod n, called modular exponentiation. Operand n is called the module. To prevent the overflow of computers, the above operation may occur

  break down into a series of modular multiplications of the form a. x mod n.

  This is why we are interested in modular multiplication techniques. This last relation indicates that we must carry out the product of a by x and keep in the result only the remainder of the division by n. Remember that the operands in question are large and require several words of representation. If most arithmetic operations do not pose any particular problem, the operation of division on large numbers without particular technique is very expensive. At the cost of a change of

  representation, Montgomery's algorithm allows to circumvent this difficulty.

  When an algorithm is implanted in an electronic circuit, there are generally physical operators, typically adders and multipliers, of a fixed size that will be noted w, for example 8, 16 or 32 bits. We

  says that w is the size of the "word machine".

  Thus, performing an arithmetic operation addition, subtraction or multiplication on large numbers, breaks down into elementary operations involving the basic physical operators on machine words of size w. For a multiplication, this decomposition is generally carried out in a software way, as described below: Let (Au-1, Au-2, ... A1, Ao), (Xu-1, Xut2, ... X1, X0), representing integers a and x, the Ai and Xi being machine words of size w. If h is the size of the operands, we have u = h / w. Typically h = 1024, w = 16 bits or 32 bits and u = 64 or 32. We then see that: a = Ai.2 X = L Xi * 2 Ona: ax = Z Ai.Xj.2 i, j = o We will now briefly recall what a multiplication

modular in the sense of Montgomery.

  We want to calculate a. x mod n, n being odd.

  We choose a radical denoted r <n, where r is the word machine, that is to say r = (2W) (note that r is then relatively prime with n), and we calculate

  coefficients r1 and n 'such that r. rl1- n.n '= 1.

  Thanks to the identity of Bezout we know that: - such coefficients exist, - does not require a single word for its representation,

  the generalized Euclid algorithm can be used to compute n '= 1 / n mod r.

  In the following, we note "*", the multiplication in the sense of Montgomery.

Note: - has the multiplicand,

  - x, the multiplier expressed as words, Xi, the current word in step i.

  Montgomery's multiplication translates into a modular multiplication-accumulation algorithm. This algorithm can be summarized thus c = O For i = 0 to u-1 c: = c + a.Xi (1) Qi: = Low (c.n ') (2) c: = (c + n.Qi ) / r (3)

  The "Low" function extracts the low-order word from the product c. not'.

  As Montgomery shows in his reference article above, for calculating a modular exponentiation, modular multiplication can be replaced by Montgomery multiplication. However, the multiplication of

  Montgomery is faster than conventional modular multiplication.

  Indeed, by choosing r the word machine, that is to say r = (2W), it appears that the division by r returns to a simple shift of a word in the direction of the words of low weight. The division operation of the line (3) is therefore very fast

  compared to a classical Euclidean division.

  In the expression above, Qi is referred to as "coefficient

  of reduction "which emerges from Montgomery's theory.

  Montgomery has demonstrated in his article that the modular multiplication defined by him makes it possible to calculate by accumulation in c the expression

a.b.ru modulo n.

  In addition, Montgomery's modular exponentiation can be easily obtained using only Montgomery multiplications, namely: a * e = aa * a ... * a (e.times) and the calculation of a traditional modular exponentiation is easily obtained by means of a conversion using an exponential in the Montgomery sense, ie: ae mod n = 1 * [(a * R2) e] (1) with R = ru The algorithm summarized in the table above, however, requires multiplications involving large numbers, namely: a.Xi in (1)

and N. Qi in (3).

  Indeed, a and n are large numbers expressed on 1024 bits, Xi and Qi being

  moreover the "machine size", that is to say 8, 16 or 32 bits.

  These multiplications can involve, for their concrete "implementation" in computer systems, operators of large sizes (able to "manage" large numbers such as a and n) or at least large registers that are necessarily sizes predetermined. As a result, known systems are not configurable, i.e.

  change the size of the operands as needed.

  To solve this problem, the invention proposes to subdivide the large numbers into words of reduced size, for example the size of the word machine, starting from the observation that a sum of partial products of the kind Aj Xi + Nj Xi does not assign that the value of Cj (the word of corresponding rank in the word writing of the result) or possibly also the neighboring word (Cj +,) of

rank immediately higher.

  Thus, the invention can be defined as a cryptographic method including the calculation of a modular multiplication in the Montgomery (*) sense between two numbers (x, a), characterized in that said numbers and a module (m) are expressed. ) in words, said words are stored in corresponding memories and a shift memory is defined where word results are accumulated from cycles of multiplications and additions between words, until the result of said modular multiplication recorded in said memory is obtained. offset, in that, for each word (Xi) of the succession of words of a first aforementioned number, the cycle of operations consisting in: - calculating for the entire cycle (i) considered a word said coefficient of reduction (Qi) - multiplying said word (Xi) of said first number corresponding to said cycle (i) each time by one of the words (Aj) constituting said second number to obtain a succession of first intermediate results, - to mul tiplier said reduction coefficient (Qi) corresponding to said cycle (i) each time by one of the words Mj constituting said module to obtain a succession of second intermediate results, and - to add said first and second intermediate results to the words of the same rows already contained in said shift memory and, at the end of each cycle (i), shifting one word to the least significant bits the content

of said shift memory.

  Said "reduction coefficient" is derived from Montgomery's theory.

  It is clear to those skilled in the art that certain operations mentioned above may be performed independently of one another and that the order in which they are set forth is not an essential characteristic

  for the implementation of the invention.

  According to one aspect of the invention, it is also possible to envisage a simplification of the Montgomery algorithm indicated above: The expression r is repeated. rl1 - n.n '= 1 with the same assumptions on r. Cl ', n and n'. In particular, rl1 is the inverse of r modulo n. We can restrict ourselves

  to the modules n such that the corresponding coefficient n 'is equal to 1.

  The algorithm is simplified as follows: c = O For i = 0 to u-1 c: = c + aXi Qj: = Low (c) c: = (c + n.Qi) / r When n '= 1 according to l Invention, it will be said that the module is "normalized" in the sense of Montgomery. By changing the variable, we can always reduce ourselves to

  case of standardized modules in the sense of Montgomery.

  Indeed, let m = n.n 'and m' = 1, m is odd and therefore relatively prime with r. We can therefore always consider the identity of Bezout identically verified by the new set of coefficients r.r-1- m.m '= 1 So Montgomery's arithmetic applies to the standard m module in the sense

  from Montgomery. In the remainder of the description, the module m will be expressed by

  a series of words Mj. The invention can, however, be implemented without the

  simplification n '= 1, that is to say without using the standard module.

  We see that in the case n '= 1, the calculation of the reduction coefficient Qi is simplified and is obtained by calculating "Low c". It is no longer necessary to calculate c.n '. This simplifies the algorithm described above since Qi, at each cycle, can consist of the sum of said first word contained in said shift memory with the low-order bits of the product of the first word Ao of a second number cited above, by the word Xi of said first number considered in said cycle. At the end of the calculation of a modular exponentiation using Montgomery multiplications, with a standardized module, a result T = ae mod m is obtained by applying the conversion (1) above. Modular exponentiation, modulo n, can then be calculated by a single transformation U = T mod n According to one possible embodiment, the process consists, for each cycle and as it is, of adding an intermediate result. supra, to the word of the same rank and to the next higher rank word contained in said shift memory, to re-register the results of these additions to these same ranks of said memory, then to repeat these operations with the other intermediate result, until the end of said cycle comprising the shift of a aforementioned word. According to another possible embodiment, the method consists, for each cycle, of dividing each intermediate result into two groups respectively gathering the least significant bits and the most significant bits, to temporarily memorize these groups, to be added, to the value of each word of said shift memory the groups gathering the least significant bits of the same rank (J) and the groups gathering the most significant bits of the immediately lower rank (j-1), and to postpone the result of these additions , each time, at the location of the word j considered of said shift memory, up to

  the end of said cycle comprising the shift of a aforementioned word.

  The invention also relates to an electronic entity comprising cryptographic means including a unit for calculating a modular multiplication, in the Montgomery sense, between two numbers, characterized in that said calculation unit comprises: three memories sized to receive respectively said numbers a, b and a module m, each expressed in words of predetermined size in the corresponding memory, a shift memory sized to receive the result of said modular multiplication and arranged to shift its own content, each time by predetermined size word in the direction of the low-order bits, - a first multiplier for making successive products of two words respectively read in the memories of the two numbers, - a calculator of a reduction coefficient determined at the beginning of a cycle of multiplications of the words. a number by a word of the other, - a second multiplier to make products successive ones of a word of said reduction coefficient by a word read in the memory of said module, and - an adder connected, as input, between the outputs of said first and second multipliers and said shift memory and connected, at the output, to said

  shift memory by directly addressing selected words therefrom.

  The invention will be better understood in the light of the description which will

  follow, given by way of example, and with reference to the accompanying drawings in which: - Figure 1 is a block diagram illustrating a part of an electronic entity more particularly constituting a unit for calculating a modular multiplication in the sense of Montgomery, according to the invention; FIG. 2 is a flowchart explaining the operation of the calculation unit of FIG. 1; FIG. 3 is a block diagram of a variant of the calculation unit of FIG. 1; and FIG. 4 is a flowchart explaining the operation of this variant. The unit of calculation 11 of a modular multiplication, in the Montgomery sense, represented in FIG. 1 can be integrated into any electronic entity comprising cryptographic means, to perform such

  modular multiplications and, consequently, modular exponentiation.

  This calculation unit can for example be integrated in a microcircuit card comprising cryptographic means, such a calculation unit 11 according to the invention being advantageous for this type of electronic entity because of the speed of calculation and the ease with which one can configure the size of the operands, that is to say the capacity occupied by the memories containing these operands. The calculation unit comprises three memories Ma, M ,, Mm sized to receive respectively two numbers a, b and a standardized module m. The numbers x, a and the module m are each expressed in words (Xi, Aj, Mj ...) of predetermined size in the corresponding memory, which means that each of these memories comprises u registers, each dimensioned to receive a word of the number a or b or the module m. The size of a word in a number or module is the same. Depending on the case, it is possible to choose 8-bit, 16-bit or 32-bit words depending on the capacity of the multipliers and adders that will be used in the computing unit. The latter further comprises a shift memory 104 sized to receive the result of the modular multiplication, by accumulating successive calculations. This memory consists of a series of registers, each of the size of a word Co, Cu ... and it is arranged to shift its own content, at each iteration as described below, by word of said predetermined size. in the direction of the words of least significant bits, ie to Co. It should be noted that the memories Mx, Ma, Mn and the "offset memory" 104 may be allocated portions (depending the size of the operands) of the same memory called RAM (random access memory) configured for the circumstance. Preferably, it will even be possible to use pointers, that is to say, registers simply containing the addresses of the words in the memory

  RAM. At each iteration in i or j, the pointer contents change.

  The calculation unit 11 further comprises a first multiplier 100 to produce successive products of two words respectively read in the memories Ma, Mx of the two numbers, a calculator 102 of a reduction coefficient Qi, this coefficient being determined at the beginning of a cycle (i) of multiplying the words Aj of a number (a) by a word Xi of the other and a second multiplier 101 to produce successive products of said reduction coefficient Qi by a word Mj read in the memory Mm of said module. The calculation unit also comprises an adder 103, here a double adder, connected, at the input, between the outputs of said first and second multipliers 100, 101 and said offset memory 104 and connected, at the output, to this same offset memory 104. with possibility of directly addressing selected words thereof, that is, the output of the adder 103 can "point" directly one or more word locations CJ, Cj + 1 of said shift memory and

  enter the result of one or more corresponding additions.

  FIG. 1 shows the word location Co (the register) in which the word of the least significant weight is written and, conversely, the word location Cu in which the word of the weights is inscribed. strong. In addition, two neighboring word locations of rank j and j + 1 have been represented. These two locations

  are those that are read and modified in a cycle j.

  The memories Ma, Mx of the two numbers are connected to the inputs of the first multiplier 100 via buffer registers 106, 107 of the size of a word. Each register can thus accommodate the word of the number which must be multiplied by that of the other number, at a given moment. The output of this same multiplier is connected to the input of a buffer register 108 having the size of two words. The output of this buffer register is connected to one of the inputs of

the adder 103.

  The calculator of the coefficient Qi comprises an adder 102 which receives at one of its inputs the low-weight word Co contained in the corresponding register of the shift memory and, at its other input, the contents of another buffer register 109 which contains a word called Low P1 calculated at the beginning of a cycle considered (described below) and consists of the least significant bits of the product of a word Xi of a first number x, invariable in a cycle, by the first word A0 of a second number a of which all the words are used during this same cycle. The low-order bits retained in Low P1 form a word of said predetermined size of x or a. The output of the adder 102 is connected to the input of a buffer register 110 whose output is connected to an input of the second multiplier 101. Another buffer register 111 is connected between the memory Mm and the other input of the second multiplier01. This buffer 111 can

  therefore successively receive each word Mj of the memory Mm.

  The output of the second multiplier 101 is connected to the input of a buffer register 113 the size of two words and the output of this register is connected to one of the inputs of the adder. Finally, the adder comprises a third input connected to the shift memory 104. Two consecutive words of this memory can be applied to this third input. The words that are likely to be addressed to this entry of the adder 103 are the same

  which are "pointed" by the output 105 of this same adder.

  In operation, the adder 103 is programmed to successively perform the addition of the contents of the buffer register 108 with the two words Cj, Cj + 1 considered of the shift memory, the transfer of the result to the same locations of said memory, then the addition of the contents of the register

  buffer 113 with the two words Cj, Cj + 1 modified from the shift memory.

  The adder is conventionally arranged with a retaining memory Rt in which the retention of a given addition is inscribed. As will be seen below, depending on the case, this deduction may be added to the current addition of the two words. At the end of a cycle on j, the reservoir is written in the Cu

the offset memory 104.

  The operation of the computation unit of FIG. 1 will now be described to realize a Montgomery modular multiplication between the two numbers x and a, the normalized module being expressed by m. Remember that the words of the number x are denoted Xi, the words of the number a are denoted Aj and the words of the normalized module m are denoted Mj. The words inscribed in the shift memory are denoted Cj. The flowchart of FIG. 2 describes a complete cycle on j in which all the words Aj and all the words Mj are used to modify all the words of the shift memory 104, Xi being constant. Modular multiplication in the Montgomery sense is realized only when

  performed all the cycles on i exploiting all the words Xi.

  At the beginning of such a cycle on i, the retaining memory Rt of the adder 103 is reset and a counter j = 0 is initialized (steps 115 and 116). Remember that the numbers x and a and the module m comprise u words. Every

  beginning of cycle on j, the test is carried out to check if j = u (step 117).

  If not, for a cycle on Xi, the multiplierl00 performs the

product P1 = AjXi (step 118).

  In parallel, the test 119 is carried out to check if j = 0 (beginning of cycle).

  If this test is positive, a coefficient Qi, valid for the entire cycle i, is calculated (step 120) using the reduction coefficient calculator mainly consisting of the adder 102. As previously mentioned, this coefficient Qi is constituted of the sum of the first word Co (low weight) of the shift memory 104 at the beginning of the cycle and the part of the least significant bits of the first product P1 which has just been calculated, that is to say half bits of

AoXi product.

  As soon as the value of Qi for the cycle is calculated, we can also calculate

the product P2 = M1Qi (step 121).

  It is important to note at this point that the successive computations of the products P1 and P2 by the respective multipliers 100 and 101, which take longer than the additions to be made by the adder 103, can be

  performed "in parallel", that is to say substantially at the same time.

  As soon as a product P1 is known, step 123 is carried out where the adder 103 realizes the sum (add) between the output of the multiplier100 entered in the register 108 and the two words Cj + 1, Cj pointed at this stage by the output 105 of the adder 103. The content of the memory Rt (retained from the previous operation) is also added. As soon as the sum of this triple addition is made, it is written in the locations Cj + 1, Cj of the shift memory 104. The retention of this addition Radd, which can not be written in Cj + 1, is written in the memory R Then, step 124 is again carried out, as soon as the corresponding product P2 is known, between the value of this product and the double word Cj + 1, Cj entered in the shift memory 104. 'previous step. On the other hand, we do not add restraint. The new retainer Radd is added to the previous one and rewritten in the memory Rt. The additions made by the adder 103 can be made in

  time hidden during the execution of the following multiplications.

  Moreover, as soon as the values of P1 and P2 are known, the counter j is incremented by one unit (step 122) and it returns to the test 117. As long as the response to this test j = u is negative, we carry out recalculations of P1 and P2, resulting in the inclusion of new values in the following locations of

  the shift memory 104, pointed by the output of the adder 103.

  When the test 117 becomes positive, that is to say when reaching the end of a cycle on Xi, the content of the shift memory 104 is shifted by one word to the least significant bits, to step 125 and the last value entered in the memory Rt is reported in the least significant bits of the slot Cu (high-order word of the offset memory 104) in step 126. The cycle i is finished.

  and we start a new cycle with the next word Xi.

  When all cycles have been completed, the shift memory contains

  Montgomery's modular product of numbers x and a.

  The variant of FIG. 3 differs from the calculation unit described with reference to FIG. 1 by the structure of the adder and the manner in which it

  point the shift memory, word by word and no longer by group of two words.

  All the means for calculating the products P1 and P2 which register successively in the registers 108 and 113 are identical to those of FIG. 1 and will therefore not be described again. The memory 104 is also identical with the difference that it is "pointed" word by word, ie the adder reads only one word of the shift memory each time and modifies only that

  same word at the end of a calculation phase.

  However, according to the variant, the contents of the buffer registers 108 and 113 are treated differently in that the product P1 is divided into two words, a word L1 containing the least significant bits and a word H1 containing the most significant bits. Similarly, the product P2 is divided into two words, a word L2

  containing the least significant bits and a word H2 containing the most significant bits.

  The word of the memory 104 pointed at a given moment by the adder 103 is noted Cj. These different words are addressed to a set 112 of five input registers of the adder forming "queue". However, as will be seen below with reference to FIG. 4, the words L1, L2 (least significant) of a cycle j are added together with the word Cj of the register memory but with the words H1 and H2.

  of the cycle j-1. This is explained by the flowchart in Figure 4.

  At the beginning of a constant Xi processing cycle, a counter j = 0 is initialized (step 130), the holding Rt is set to zero and the values H1 and H2 are set to zero.

  contained in registers 108 and 113.

  We then go to a test 131 to check if j = u. If not, the value of the product P1 (step 132) constituting the product of Aj by Xi is started, which makes it possible to write in the register 108 the corresponding values of L1 and H1. At the same time, the test 133 is performed on j to check if j = 0. If it is the case, proceed to step 134 where the value of Qi for cycle i is calculated as in FIG. previous example. This calculation can be performed as soon as the value of L1 of the product AoXi is known in step 132.

  Therefore and for all the values of j following, it is possible to calculate (step 135) the sequence of products P2, that is to say, to obtain the values L2 and H2 which are registered in the register 113. As before, the products L1, H1 and L2, H2 can be calculated "in parallel" independently of

  operation of the adder 103.

  For the latter, at each negative test 133, the current values of L1 and L2 are updated (step 136) for the adder 103, that is to say that the words L1 and L2 contained in the registers 108 and 113 are transferred to

  corresponding registers of the set 112, the words H1 and H2 being retained.

  These are updated but not the registers of the set 112 containing

  H1 and H2 calculated in the previous cycle.

  An addition is then made to step 137 which consists in adding the values entered in the set 112 supplying the adder 103, ie Cj, the values L1 and L2 of the cycle j, the values H1 and H2 of the preceding cycle and the value entered in the memory Rt. The result is re-entered at the location Cj of the shift memory and the retention Radd of this addition is written in the

Rt memory.

  Then, step 138 o the current values of H1 and H2 are updated, that is to say that the words H1 and H2 contained in the registers 108 and 1 13 are transferred to the corresponding registers of the 112. We increment the counter j by one in step 139 and return to

  test 131 o the same operations are renewed for the cycle j + 1.

  When the test 131 becomes positive, proceed to step 140 where the value of Cu is calculated analogously to a calculation of Cj (step 137) but without taking into account L1 and L2, that is to say in adding Cu, H1, H2 and Rt, the retention of this addition Radd is entered in Rt. In step 141, the contents of the shift memory 104 are shifted by one word to the least significant bits. In step 142, the last value entered in the memory Rt is transferred to the location CQ (high-order bits) of the shift memory 104. The cycle i is completed and

  start a new cycle with the next word Xi.

  Other variants can be envisaged.

  In particular, we could use only one multiplier that would be programmed to perform a first series of computations in the loop j to compute for example all the Aj Xi then a second series of computations in a

  other loop j, this time to calculate all Q1.mj.

  Moreover, it should be noted that the words of the numbers a, x, m and c can be

  of different sizes; the implementation of the invention remains possible.

Claims (10)

  A method of cryptography including the calculation of a Montgomery modular multiplication (*) between two numbers (x, a), characterized in that said numbers and a module (m) are expressed in words, said data being stored words in corresponding memories and defining a shift memory where words of the multiplication and addition cycles between words are accumulated in words until the result of said modular multiplication is recorded in said shift memory, in that for each word (Xi) of the succession of words of a aforementioned first number, the cycle of operations consisting in: - calculating for the whole cycle (i) considered a word said coefficient of reduction (Qi) - to be multiplied said word (Xi) of said first number corresponding to said cycle (i) each time by one of the words (Aj) constituting said second number to obtain a succession of first intermediate results, - to multiply said coefficient of reduction (Q i) corresponding to said cycle (i) each time by one of the words (Mj) constituting said module to obtain a succession of second intermediate results, and - to add said first and second intermediate results, to the words of the same ranks already contained in said shift memory and, at the end of each cycle (i), to shift from one word to the least significant bits the content of said shift memory.   2. Method according to claim 1, characterized in that such a reduction coefficient (Q>) consists of the sum of said first word contained in said shift memory with the least significant bits of the product of the first word (Ao). of a second number mentioned above by the word (Xi) of said first   number considered in said cycle.   3. Method according to claim 1 or 2, characterized in that the two multiplications of words (Xi Aj, QiMj) substantially at the same time.   4. Method according to one of the preceding claims, characterized in   what it consists, for each cycle, to add an intermediate result above to the word of the same rank and to the next higher rank word contained in said shift memory, to re-register the results of these additions to these same ranks of said memory, then to repeat these operations with the other intermediate result, until the end of said cycle comprising the shift of a aforementioned word. 5. Method according to claim 4, characterized in that it consists, during a same cycle, to carry word by word the retention of the aforementioned additions and, at the end of a cycle, to postpone the last deduction in the bits of   least significant of the most significant word (CJ) of said shift memory.   6. Method according to one of claims 1 to 3, characterized in that   consists for each cycle to share each intermediate result in two groups respectively gathering the least significant bits and the most significant bits, to temporarily store these groups, to add, as and when, to the value of each word of said memory shifting the groups collecting the least significant bits of the same rank () and the groups gathering the most significant bits of the immediately lower rank (j-1), and reporting the result of these additions, each time, to the location of the word () considered from that memory to   offset, until the end of said cycle comprising the shift of a aforementioned word.   An electronic entity comprising cryptographic means including a unit for calculating a modular multiplication, in the Montgomery sense, between two numbers, characterized in that said computing unit comprises: three memories sized to receive said numbers respectively (a , b) and a module (m), each expressed in words of predetermined size in the corresponding memory, - a shift memory (104) sized to receive the result of said modular multiplication and arranged to shift its own content, each time by predetermined size word in the direction of the least significant bits, - a first multiplier (100) for making successive products of two words respectively read in the memories of the two numbers, - a calculator (102) with a determined reduction coefficient. at the beginning of a cycle of multiplications of the words of a number by a word of the other, - a second multiplier (101) to make products successive s of a word of said reduction coefficient by a word read in the memory of said module, and an adder (103) connected, as input, between the outputs of said first and second multipliers and said offset memory and connected, at the output, to said shift memory by directly addressing words selected from it.   8. Electronic entity according to claim 7, characterized in that said adder (103) is a double adder arranged to perform a first addition between an intermediate result produced by said first multiplier and two adjacent words (Cj, Cj + 1) of ranks. corresponding ones of said shift memory and to report the result to the two corresponding word locations thereof, then to make a second similar addition from the intermediate result produced by said second multiplier and to report the result to the same two word locations correspondents of said shift memory.   9. Electronic entity according to claim 7, characterized in that it comprises buffer registers (108, 113) interposed between said multipliers and said adder.   10. Electronic entity according to claim 9, characterized in that said buffer registers are arranged to separately receive the low weight portions and the high weight portions of the two multipliers, the adder being arranged to record the result at a word location. corresponding of said shift memory.