FR3010561A1 - METHOD OF PROTECTING DATA INTEGRITY USING IDEMPOTENT NUMBER - Google Patents

Abstract

The invention relates to a method for protecting the integrity of a data in a processing circuit (PRC), the method comprising the steps of: choosing two positive integers (N, R), first between them, a first (N) of the two numbers being greater than a datum to be protected (ID1), encoding the data to be protected by a multiplication operation by an idempotent number (IP) modulo the product (NR) of the two numbers, the idempotent number being chosen idempotent in a ring having a number of distinct elements equal to the product of the two numbers, and equal to a multiple of a second (R) of the two numbers and equal to a multiple of the first of the two numbers increased by one, and activate a signal of error (FS) if a modular reduction modulo the second of the two numbers, of the encoded data (ED1) is not null.

Description

The present invention relates to the protection against fault injection of data manipulated by a data processing circuit. It applies in particular to the protection of a processor, whether integrated in a microcircuit like those implanted in smart cards, or in a computer. The injection of fault in a processing circuit is generally intended to discover sensitive data manipulated by the circuit. Among the known attacks of a circuit, fault injection attacks consist in introducing disturbances in the circuit in particular while executing sensitive operations such as cryptographic algorithms. These attacks can cause the modification of a data or an address in a register, knowing that generally, it is not possible to detect that a datum or an address is invalid. The disturbance of an address register can disrupt the execution of a program and for example trigger the execution of a download routine transmitting on a port data stored by the circuit. These disturbances can be achieved by applying to the circuit one or more brief lighting for example by a laser beam, or one or more voltage peaks on one of its contacts.

In order to fight against these various attacks by nature, many solutions very different from each other have been made. The invention relates more particularly to the fight against attacks that compromise the integrity of data and addresses when manipulated by a processing circuit. For this purpose, it is known to associate with each data a signature for example CRC type (Cyclic Redundancy Check), calculated from the data. Such a signature is particularly suitable for detecting a data transmission error. On the other hand, when the datum undergoes a transformation resulting for example from the execution of computations, the original signature of the datum is no longer coherent with the data at the output of the processing. A new signature must therefore be calculated from the output data if the integrity of the output data is to be protected.

As a result, a signature does not detect a disturbance occurring during a treatment. It is therefore desirable to protect the integrity of data, including during processing of such data.

Embodiments provide a method for protecting the integrity of a data in a processing circuit, the method comprising the steps of: selecting two positive integers, first ones between them, a first of the two numbers being greater than one data to be protected, to encode the data to be protected by a multiplication operation by a number idempotent modulo the product of the two numbers, the idempotent number being chosen idempotent in a ring having a number of distinct elements equal to the product of the two numbers, and equal to a multiple of a second of the two numbers and equal to a multiple of the first of the two numbers increased by one, and to activate an error signal if a modular reduction modulo the second of the two numbers, of the encoded data is not nothing. According to one embodiment, the method comprises the steps of: providing the input encoded data of a processing performed by the processing circuit, the processing comprising one or more operations, each processing operation being exclusively either an addition or a subtraction, ie a multiplication, application of the processing to the encoded data to obtain a new encoded data, the operands of each operation of addition or subtraction of the processing being encoded by the multiplication operation by the idempotent number modulo the product of the two numbers, and activation of the error signal if a modular reduction modulo the second of the two numbers, of one of the encoded data is not zero. According to one embodiment, the method comprises a step of decoding one of the encoded data by performing a modular reduction modulo the first of the two numbers of the encoded data. According to one embodiment, the first of the two numbers is chosen equal to 216 + 1, and the second of the two numbers is chosen equal to 28 - 1 or 28 + 1.

According to one embodiment, one of the encoded data is supplied to the input of a coprocessor generating the error signal according to the encoded data provided. According to one embodiment, the coprocessor realizes the decoding of the encoded data input to the coprocessor. According to one embodiment, the encoded data is an access address to a data item or a program instruction in a memory, and is supplied to the input of a memory control unit, the control unit generating the error signal according to the encoded data. According to one embodiment, the control unit decodes the encoded data supplied to the control unit, to obtain a memory access address or data to be written to the memory. According to one embodiment, each encoded data is decoded only if the error signal generated from the encoded data is in the idle state. According to one embodiment, the encoded data is an instruction address in a program memory, a subsequent consecutive instruction address being obtained by adding the idempotent number to the encoded data. Embodiments also relate to a data processing circuit, configured to: encode data to be protected by a multiplication operation by an idempotent number modulo the product of two positive integers, first ones between them, a first of the two numbers being greater than the received data, the idempotent number being chosen idempotent in a ring having a number of distinct elements equal to the product of the two numbers, and equal to a multiple of a second of the two numbers and equal to a multiple of the first of the two When the numbers are increased by one, and an error signal is activated if a modulo reduction modulo the second of the two numbers, the resulting data item is not zero. According to one embodiment, the circuit is configured to: transmit the input encoded data of a processing comprising one or more operations, each operation of the processing being exclusively either an addition, a subtraction or a multiplication, and apply the processing with the encoded data to obtain a new encoded data, the operands of each operation of adding or subtracting the processing being encoded by the multiplication operation by the idempotent number modulo the product of the two numbers. According to one embodiment, the circuit is configured to decode one of the encoded data by performing a modular reduction modulo the first of the two numbers of the encoded data. According to one embodiment, the circuit comprises a coprocessor or a control unit of a memory configured to receive one of the encoded data, and comprising an interface circuit comprising a test circuit configured to activate the error signal. if a modular reduction modulo the second of the two numbers, received encoded data is not zero. According to one embodiment, the interface circuit comprises a decoding circuit configured to apply a modular reduction modulo the first of the two numbers, to a data item to be decoded. According to one embodiment, the circuit comprises a coprocessor carrying out the modular reduction operations modulo the product of the two numbers. Exemplary embodiments of the invention will be described in the following, without limitation in connection with the accompanying figures in which: Figures 1 and 2 schematically show a processor and a coprocessor implementing a method of protecting the Data integrity, according to various embodiments, Figures 3 to 5 schematically show a processor and a memory, implementing the protection method, according to various embodiments. According to one embodiment, the data integrity protection method implements an idempotent number in a finite ring EN.R at NR (or N x R) distinct elements, N and R being prime positive integers between them and the number N being larger than all the data to be protected. In other words, the number-of-bits size of the number N (ie LOG2 (N)) is chosen equal to or larger than the size of the data to be protected. To be idempotent, an IP number satisfies the following equation: IP-IP mod (N-R) = IP (1) in which mod represents the modular reduction operation. In addition, the number IP is chosen to have the following properties: IP = 1 mod N (2) IP = 0 mod R (3) It can be shown that equations (2) and (3) are equivalent to following equation: IP = (R-1 mod N) - R (4) It can also be demonstrated that the number IP obtained by equation (4) is idempotent in the ring ZN.R. Thus, equation (4) can be used to determine the IP number. As an extremely simplified example to facilitate understanding, the numbers N and R may be chosen to be equal to 7 and 4, respectively, which are prime between them. The inverse number R-1 modulo N corresponding to R (= 4) can be determined equal to 2 modulo 7. It follows that IP is equal to 4x2 = 8. The IP number satisfies equation (1) because IP-IP is equal to 64, ie 8 modulo 28 (28 = NR). The method comprises a step of encoding each data item (or address) ID to be protected, consisting of multiplying the data by the idempotent number IP modulo (NR), according to the following relation: ED = ID-IP mod (NR) ( 5) ED being the encoded data. In what follows, the term "data" can also designate an address of a data item or an instruction executable by a processor, in a memory.

The integrity of the ED data thus encoded can be verified at any time on the basis of relations (3) and (5), by calculating a control data T obtained by applying the modulo R modular reduction operation to the encoded data. ED and comparing the control data to 0: T = ED mod R (6) Thus, the encoded data ED is integral if and only if the data T is zero. The encoded data ED can be decoded at any time on the basis of relations (2) and (5). Thus, the data D corresponding to the encoded data ED can be calculated by applying the modulo reduction operation N to the ED data: D = ED mod N (7) It turns out that an encoded data item can be processed comprising several elementary arithmetic operations, without having to be decoded and encoded again. This property can be checked if elementary arithmetic operations are limited to addition, subtraction and multiplication operations, excluding division operations. The resulting data of the treatment must be calculated modulo (N-R). Data resulting from intermediate operations of processing, can also be calculated modulo (N-R). Each operand of the addition and subtraction operations of the processing G must itself be encoded by the relation (5) or result from the product of a relative integer by one or more data encoded by the relation (5). Thus a treatment G having the aforementioned properties can be modeled by the following relation: G (ID) = j ai IDmi-F Euk ai IDk '(8) in which the numbers ai are relative integers, the numbers mi, i, j and k are positive integers and IDk are other data. If the treatment G is applied to the corresponding encoded data modulo (NR), we obtain: G (ED) = [Ei aiEDmi + ai EDI mod (N-R) (9) in which ED and EDk are encoded data obtained by applying the relation (5) to the data ID and IDk. It follows from the relations (1), (5) and (9) that: G (ED) = IP - [Ei i ai IDmi + Eilk ai mod (N-R) (10) It follows from relations (8) and (10) ) that: G (ED) = IP-G (ID) mod (NR) (1 1) Therefore, the data G (ED) resulting from the application of the G modulo (NR) processing to the encoded data ED, EDk is equal to the result of the encoding, by application of the relation (5), of the data G (ID) resulting from the application of the processing G to the corresponding non-encoded data ID, IDk.

According to the relation (5), the encoding of a data item produces an encoded data having a bit size increased by the number of bits of the number R (ie LOG2 (R)). If the size of the number N corresponds to the size of the data to be protected, the size of the encoded data is equal to the sum of the size of the number N and the size of the number R. The set EN.R comprises NR distinct numbers modulo (NR), of which only N numbers are valid, that is, satisfy the condition T = 0 and are capable of being decoded by the relation (7). As a result, the larger the number R is chosen, the lower the probability (= 1 / R) that a fault injection generates a valid datum.

FIG. 1 represents a data processing device comprising a processor PRC associated with a coprocessor CPR ensuring for the processor PRC a particular processing CF1 such as a cryptographic processing. The processor PRC executes a FCT processing receiving as input data ID1, ID2, IDp and outputting a resulting data RD which is transmitted to an input register RG1 of the coprocessor CPR to be processed by the processing CF1 performed by the coprocessor. FCT treatment is of the form of treatment G as modeled by relation (8). In other words, the FCT treatment comprises only elementary arithmetic operations (addition, subtraction, multiplication) excluding the division. According to one embodiment, the data ID1, ID2, IDp are encoded by applying to them the relation (5), so as to obtain encoded data ED1, ED2, EDp. The ED1-EDp encoded data is provided as input to the FCT processing. The resulting data provided by the FCT process is then modulo (N-R) reduced to obtain an ERD encoded result data which is input into the RG1 register of the coprocessor CPR. The modulo (N-R) reduction operation can be applied to intermediate results of the FCT treatment. This arrangement makes it possible in particular to avoid that the size of any data resulting from intermediate processing, exceeds that of PRC processor registers used to perform the FCT treatment. The data ID1, ID2, IDp can be addresses, knowing that the addresses generally only undergo addition, subtraction and multiplication operations.

Moreover, the coprocessor CPR includes an INTF decoding circuit which may comprise the register RG1. The circuit INTF also comprises circuits MR, MN connected to an output of the register RG1, and a switch 11 controlled by the circuit MR. The switch 11 is connected between the output of the register RG1 and the input of the circuit MN. The circuit MN is configured to decode the data in the register RG1 by applying to it a modular reduction operation modulo N according to the relation (7). The output of the circuit MN is connected to an input of the processing CF1 to transmit the decoded data RD corresponding to the coded data ERD in the register RG1. The circuit MR is configured to carry out a modulo reduction of the contents of the register RG1, to compare the result of the reduction modulo R (test of the relation (6) T = 0) with 0, and to provide an error signal FS. depending on the result of this comparison. The signal FS is supplied at the output of the coprocessor CPR and controls the switch 11. If the signal FS is in the inactive state, indicating that the data in the register RG1 satisfies the relation T = 0, the switch 11 is closed, otherwise it remains open. Thus, the data in the register RG1 is decoded and transmitted to the input of the processing CF1 only if it is valid (relation T = 0 verified). The coprocessor CPR is therefore configured to detect that a data item entered in its input register RG1 has undergone a disturbance, either because an input data item of the FCT processing has undergone a disturbance, or while the FCT processing is active. either during the transmission of this data between the PRC processor and the coprocessor CPR. The switch 11 makes it possible to avoid activating the processing CF1 of the coprocessor CPR with invalid data. Indeed, introducing invalid data in a processing circuit may allow to discover secret data implemented by the processing circuit. However, the switch 11 may be omitted in particular to allow the verification by the MR circuit and the decoding by the circuit MN at the same time. The FS error signal can be processed later. The switch 11 may also be omitted if the data in the register RG1 may not be encoded under certain conditions, especially when the processing CF1 is not applied to secret data. Note that the decoding performed by the circuit MN, when applied to a non-encoded data, does not modify the data.

When data must undergo more complex processing involving other operations than addition, subtraction and multiplication operations, the data can be decoded for example by the PRC processor, using the relation ( 7), before being subjected to a complex treatment. Each data resulting from the complex processing can then be encoded using the relation (5). The PRC processor may also be configured to test the integrity of a datum by the relation (6) at any time, especially before decoding a datum. The signal FS may be transmitted to the PRC processor and / or an error processing circuit, to take any appropriate measure depending in particular on the object in which the PRC processor is integrated. Thus, if the PRC processor is in an integrated circuit, the signal FS may reveal an attack of the integrated circuit. In this case, the activation of the signal FS may, for example, trigger a reset or permanent blocking of the integrated circuit, and / or a complete erasure of a memory or only of sensitive data, etc. Activation of the FS signal can also simply trigger the replacement of the CF1 processing input data with randomly selected data. According to one embodiment, the numbers N and R are chosen such that the product N-R can be stored in a register of the processor PRC. According to one embodiment, the number N is chosen equal to 216 + 1, and the number R is chosen equal to 28 - 1 or 28 + 1. Under these conditions, the numbers N and R are prime between them, and the modulo (NR), modulo N and modulo R modular reduction operations can be performed by simple and inexpensive calculations in terms of resources and computation time. According to an embodiment illustrated in FIG. 2, the operations of encoding the data, in accordance with the relation (5), are carried out by a processing circuit of the coprocessor CPR (or another coprocessor connected to the processor PRC). Thus, Figure 2 shows the PRC processor and a coprocessor CPR1. The coprocessor CPR1 differs from the coprocessor CPR in that it further comprises a processing circuit CF2. The circuit CF2 comprises an ECC circuit performing the encoding operation, and an input / output register RG2 in which the PRC processor writes data to be encoded and in which the ECC circuit inscribes the corresponding encoded data. Moreover, the processor PRC is configured to perform the data encoding operations according to the relation (5) by the coprocessor CPR1. According to one embodiment, modulo (NR) modular reduction operations performed by the FCT processing circuit and / or the resultant data provided by the FCT process are performed by the coprocessor CPR1 or another coprocessor, in particular in order to unload the latter of operations that can be expensive in computing time. Thus, in the example of FIG. 2, the circuit CF2 of the coprocessor CPR1 comprises an MRC circuit performing the modular modulo reduction operation (NR), and an input / output register RG3 in which the PRC processor writes a data item. to be processed by the MRC circuit, and wherein the MRC circuit inserts the corresponding reduced data. Furthermore, the PRC processor is configured to perform modular modulo (N-R) reduction operations by the coprocessor CPR1. The modular reduction operations performed by the MR and 10 MN circuits can also be directly accessible to the PRC processor in order to be able to perform decoding and data integrity tests at any time, while limiting the use of the resources of the processor. The data protection method described above can also be applied to the access addresses to a memory. Thus, FIG. 3 shows the PRC processor, a memory MEM and an MCU memory control unit connecting an ADB address bus and a data bus DTB of the PRC processor to the memory MEM. According to one embodiment, the MCU unit comprises the INTF decoding circuit previously described. The register RG1 is connected to the address bus ADB of the PRC processor. The circuit MN is connected at the output to an address input of the memory MEM. The address entry of the memory can be connected to an address register ARG of the memory MEM. The addresses transmitted by the processor PRC to the address bus ADB are addresses encoded using relation (5) or addresses calculated using addition, subtraction and / or multiplication, modulo (NR), on data encoded using relation (5). According to one embodiment, the memory MEM is a data memory. If the PRC processor executes a program, all the immediate data access addresses in the MEM memory and all 30 immediate values added or removed to calculate a memory access address MEM in the program can be encoded. using the relation (5). The encoding of the addresses and immediate values appearing in the program executed by the processor can be performed at the time of the generation of the executable code by the processor PRC, for example by a compiler. The encoding of addresses and immediate values can also be done at the time of execution of the program by the processor. The compiler can then insert into the program the instructions necessary to perform this encoding. The compiler can also add in the program executed by the PRC processor modulo (NR) modular reduction operations, as a result of addition, subtraction and multiplication operations for determining a memory access address. SAME. Some data manipulated by a processor and to be stored in a data memory may only undergo addition, subtraction and / or multiplication operations. According to an embodiment illustrated in FIG. 4, these data are encoded using relation (5) and the operations they undergo are carried out modulo (NR), the data resulting from these operations are transmitted on the bus data to the MEM memory. Thus, FIG. 4 shows the processor PRC connected to the memory MEM via a memory control unit MCU1. The unit MCU1 differs from the unit MCU in that the decoding circuit INTF is interposed on the data bus DTB. The data transmitted by the PRC processor on the DTB bus is previously encoded by applying to them the relation (5).

According to one embodiment, the data to be transmitted to the memory MEM are decoded by the circuit MN of the INTF circuit before being entered in the memory MEM. The data read in the memory MEM can then be encoded by the PRC processor or by an encoding circuit (not shown) that can be integrated in the INTF circuit, before being used in processing. According to another embodiment, the data transmitted to the memory MEM are stored in the latter without being previously decoded. In this case, the data is transmitted by the decoding circuit INTF to the memory MEM without being processed by the circuit MN. The data can be decoded only when transmitted to an input / output circuit connected to the PRC processor for use by an external device, or prior to processing involving operations other than an addition, subtraction or multiplication. According to another embodiment illustrated in FIG. 5, the MCU control unit is connected between the PRC processor and a PMM program memory containing a program executed by the PRC processor. The PRC processor includes an instruction pointer IRG register storing an instruction address to read into the PMM memory and execute. All PMM access addresses and all values added or deleted to update the IRG register, contained in the program executed by the PRC processor, can be encoded using relation (5) at the time the generation of the executable code by the PRC processor, for example by a compiler. The compiler can also add to the addition, subtraction, and multiplication operations to generate a PMM access address of modulo (N-R) modular reduction operations. On the other hand, when the PRC processor has to access a next instruction, in the absence of address jump, the processor is configured to increment the address contained in the IRG register not by one, but by the value of the idempotent number. IP modulo (N - R). In this manner, an attack to disrupt the contents of the processor's IRG instruction pointer register has a low probability of replacing the contents of that register with an address that would be considered valid by the MR circuit.

It should be noted that the operation of verification of an encoded data, performed by the MR circuit, and the decoding operation carried out by the circuit MN, can be executed at any time by the processor PRC, the coprocessor CPR, CPR1 or the MCU control unit. Moreover, in the embodiments of FIGS. 3 to 5, the access addresses to the memory MEM, PMM may be virtual addresses that are translated into real addresses by the MCU. The embodiments of FIGS. 3 to 5 may be applied only to a particular area of the memory MEM, PMM, for example a memory area storing sensitive data or instructions carrying out a cryptographic function.

It will be apparent to those skilled in the art that the present invention is capable of various alternative embodiments and various applications. Thus, the operation of decoding an encoded data item may not be necessary. Indeed, in some treatments, the real value of a data may not be useful. In addition, it is not necessary to apply a treatment to a data item to be protected. Indeed, the protection of data is provided according to the invention, since it is put in a form encoded by the relation (5). It should also be noted that the modulo N-R reduction operations are performed only to prevent the size of the encoded data from being too large, for example to limit the size of the encoded data to the size of the internal registers of the PRC processor. Therefore, if the processed data is sufficiently small or if the registers, buses, and other hardware of the processor are of sufficient size relative to the processed data, it is possible that no modulo N-R modular reduction operation should be applied.

Furthermore, all or part of the previously described embodiments can be combined with each other without departing from the scope of the present invention, as defined by the appended claims.

Claims (16)

REVENDICATIONS1. A method of protecting the integrity of a data in a processing circuit (PRC), the method comprising the steps of: selecting two positive integers (N, R), first between them, a first (N) of the two with numbers being greater than a datum to be protected (ID), encoding the datum to be protected by a multiplication operation by an idempotent number (IP) modulo the product (NR) of the two numbers, the idempotent number being chosen idempotent in a ring having a number of distinct elements equal to the product of the two numbers, and equal to a multiple of a second (R) of the two numbers and equal to a multiple of the first of the two numbers increased by one, and activate an error signal (FS ) if a modular reduction modulo the second of the two numbers, the encoded data (ED) is not zero. 2. Method according to claim 1, comprising the steps of: providing the encoded data (ED) at the input of a processing (FCT) produced by the processing circuit, the processing comprising one or more operations, each processing operation being exclusively either an addition, a subtraction or a multiplication, application of the processing to the encoded data to obtain a new encoded data (ERD), the operands of each operation of addition or subtraction of the processing being encoded by the operation of multiplication by the idempotent number (IP) modulo the product (NR) of the two numbers (N, R), and activation of the error signal (FS) if a modular reduction modulo the second (R) of the two numbers, of one of the encoded data is not zero. 3. Method according to claim 1 or 2, comprising a step of decoding one of the encoded data (ED, ERD) by performing a modular reduction modulo the first (N) of the two numbers (N, R), of the data encoded. 4. Method according to one of claims 1 to 3, wherein the first (N) of the two numbers (N, R) is chosen equal to 216 + 1, and the second (R) of the two numbers is chosen equal to 28 - 1 or 28 + 1. 5. Method according to one of claims 1 to 4, wherein one of the encoded data (ED, ERD) is supplied to the input of a coprocessor (CPR, CPR1) generating the error signal (FS) according to the encoded data provided. 6. The method of claim 5, wherein the coprocessor (CPR, CPR1) performs the decoding of the encoded data (ED, ERD) provided at the input of the coprocessor. 7. Method according to one of claims 1 to 6, wherein the encoded data is a data access address or a program instruction in a memory (MEM, PMM), and is supplied to the input d a control unit (MCU, MCU1) of the memory, the control unit generating the error signal (FS) according to the encoded data. 8. The method of claim 7, wherein the control unit (MCU, MCU1) performs the decoding of the encoded data (ED, ERD) supplied to the control unit, to obtain a memory access address. (MEM, PMM) or data to be written to the memory. 9. Method according to one of claims 1 to 8, wherein each encoded data (ED, ERD) is decoded only if the error signal (FS) generated from the encoded data is in the inactive state. The method according to one of claims 1 to 9, wherein the encoded data (ED, ERD) is an instruction address in a program memory (PMM), a subsequent consecutive instruction address being obtained by adding the idempotent number (IP) to the encoded data. 11. A data processing circuit, configured to: encode a data (ID) to be protected by a multiplication operation by an idempotent number (IP) modulo the product (NR) of two positive integers (N, R), first between they, a first of the two numbers (N) being greater than the received data, the idempotent number being chosen idempotent in a ring having a number of distinct elements equal to the product of the two numbers, and equal to a multiple of a second ( R) of the two numbers and equal to a multiple of the first of the two numbers increased by one, and activate an error signal (FS) if a modular reduction modulo the second of the two numbers, of the resultant encoded data is not nothing. The circuit of claim 11, configured to transmit the encoded data (ED) input of a process (FCT) comprising one or more operations, each operation of the process being exclusively an addition, a subtraction or a multiplication, and apply the processing to the encoded data to obtain a new encoded data (ERD), the operands of each operation of adding or subtracting the processing being encoded by the multiplication operation 20 by the idempotent number modulo the product ( N - R) of the two numbers (N, R). 13. Circuit according to claim 11 or 12, configured to decode one of the encoded data (ED, ERD) by performing a modular reduction modulo the first (N) of the two numbers (N, R) of the encoded data. 25 14. Circuit according to one of claims 11 to 13, comprising a coprocessor (CPR, CPR1) or a control unit (MCU, MCU1) of a memory (MEM, PMM) configured to receive one of the encoded data ( ED, ERD), and comprising an interface circuit (INTF) having a test circuit (MR) configured to activate the error signal (FS) if a modular reduction modulo the second (R) of the two numbers (N). , R), the received encoded data is not zero. The circuit of claim 14, wherein the interface circuit (INTF) comprises a decoding circuit (MN) configured to apply a modular retrofit modulo the first (N) of the two numbers (N, R) to a given data. to decode. 16. Circuit according to one of claims 11 to 15, comprising a coprocessor (CPR1) performing the modular reduction operations modulo the product of the two numbers (N, R).