Total found: 3484. Displayed: 200.
10-06-2014 publication date

METHOD FOR CALCULATING A PHYSICAL VALUE, NUMERICAL ANALYSIS METHOD, PHYSICAL VALUE CALCULATION PROGRAM, NUMERICAL ANALYSIS PROGRAM, PHYSICAL VALUE CALCULATION DEVICE AND NUMERICAL ANALYSIS DEVICE

Number: RU2519331C2

The invention relates to methods, devices and machine-readable media for calculating a physical value and for numerical analysis. The technical result is a reduction of the workload in forming the computational data model and a reduction of the computational load in the solving process without degrading the accuracy of the analysis. The computer-implemented method for calculating a physical value comprises a physical value calculation step in which a central processing module calculates physical values in an analysis domain divided into a plurality of divided regions, using a discretized governing equation that uses values not requiring the vertex coordinates (Vertex) of the divided regions or vertex connectivity information (Connectivity), and that is derived on the basis of the weighted residual method and a computational data model in which the volumes of the divided regions and the boundary surface characteristic values indicating the characteristics of the boundary surfaces of adjacent ...

More
22-09-2022 publication date

Device for calculating the rank of a modular number

Number: RU2780400C1

The invention relates to computing technology. The technical result is a reduction in operand dimensionality when calculating the rank of a number. The technical result is achieved in that a device for determining the sign of a number represented in a residue number system (RNS), comprising n residue inputs, where n is the number of moduli of the residue number system, n registers for storing the digits of the original number, and n-1 forward-pass computing stages, where the i-th forward-pass computing stage, i=1,…,n-1, contains n-i modular adders and n-i blocks for multiplication by modulo , where j=i+1,…, n and is the multiplicative inverse of modulus modulo , is additionally provided with n forward-pass outputs, n blocks for conversion into the RNS, n blocks for storing precomputed ranks, n original-number outputs, a rank output, and n-1 backward-pass computing stages, each of which contains n modular multipliers, n modular adders, where j=1,…, n, a sum-rank calculator, a product-rank calculator ...

More
19-01-2022 publication date

MODULO-SEVEN ARITHMETIC DEVICE

Number: RU2764707C1

The invention relates to a modulo-seven arithmetic device. The technical result is the ability to perform several kinds of modulo-seven arithmetic operations. The device contains twelve EXCLUSIVE OR elements, wherein the second inputs of the fourth, fifth, sixth and eighth, ninth, tenth EXCLUSIVE OR elements are connected respectively to the outputs of the second, third, fifth and fourth, sixth, eleventh EXCLUSIVE OR elements, and the first input of the seventh, the second input of the k-th and the output of the (6+k)-th EXCLUSIVE OR elements are connected respectively to the output of the first EXCLUSIVE OR element, the (3+k)-th input and the k-th output of the modulo-seven arithmetic device; in addition, two EXCLUSIVE OR elements and eight INHIBIT elements are introduced, the first and second inputs of the eleventh and the first and second inputs of the i-th EXCLUSIVE OR elements being connected respectively to the outputs of the fifth and third elements and to the non-inverting and inverting inputs of the i-th elements ...

More
24-04-2019 publication date

Number: RU2017114868A3
Author:
Assignee:

More
31-05-2021 publication date

DEVICE FOR MULTIPLYING NUMBERS MODULO m

Number: RU2748744C1

The invention relates to a device for multiplying numbers modulo m. The technical result is a simplification of the device design. The device contains a clock input, first- and second-operand inputs, m phase shifters by a fixed phase of 2π/m, m phased switches, a resulting adder, m-1 phase adders, and a device output. 1 fig.

More
04-05-2021 publication date

Device for determining the sign of a number represented in a residue number system

Number: RU2747371C1

The invention relates to the field of computing technology. The technical result is an increase in the speed and accuracy of computations for determining the sign of numbers represented in a residue number system. A device for determining the sign of a number represented in a residue number system is disclosed, comprising residue inputs, where is the number of moduli of the residue number system, registers for storing the digits of the original number, multiplication blocks, where the residue inputs are connected to the inputs of the corresponding registers for storing the digits of the original number; computing stages are introduced, where the -th computing stage, where , contains modular adders and blocks for multiplication by weights modulo , where and is the multiplicative inverse of modulus modulo , and the moduli are ordered in increasing order and is a power of 2; in the first computing stage the first data inputs of the -th modular adders are connected through inverters to the output of the first register for storing the digits of the original number, the second data inputs of the -th adders ...

More
07-06-2018 publication date

MODULO-M ARITHMETIC DEVICE

Number: RU2656992C1

The invention relates to the field of automation and computing technology and can be used in computing structures operating with a discrete-phase representation of numbers in a modular number system. The technical result is the execution of any modular mathematical operation on two operands in the discrete-phase representation of numbers. The device contains a clock input, first- and second-operand inputs, an operation-number input, a multiplexer, memory blocks, a decoder, first and second groups of phase shifters by a fixed phase of 2π/m, first and second groups of phased switches, m groups of controlled phase shifters, adders, a resulting adder, and a device output. 5 figs.

More
21-01-2020 publication date

Device for calculating sums of pairwise products

Number: RU2711731C1

The invention relates to computing technology. The technical result is an improvement in the error-correcting capability of the device for calculating sums of pairwise products. The device contains an RNS-to-positional code converter, a clock counter, an error correction block, a modular adder, two blocks for calculating sums of pairwise products by an arbitrary modulus and one block for calculating sums of pairwise products by a check modulus, each of which contains a register, a memory block, an array multiplier, three groups of buffer registers and an array adder; the error correction block contains four registers, a switch, two memory blocks, an array multiplier, a modular adder and a counter of the number of excursions beyond the working range; an additional block for calculating sums of pairwise products by a check modulus is introduced, consisting of a register, a memory block, an array multiplier, an array adder and three groups of buffer registers; in addition, a fifth data input is introduced into the error correction block ...

More
21-02-2025 publication date

ACCUMULATING ADDER BY AN ARBITRARY MODULUS

Number: RU2835073C1

The invention relates to computing technology. The technical result is a reduction in the amount of hardware used. The accumulating adder by an arbitrary modulus contains an n-bit multiplexer, an (n+1)-bit adder, an n-bit register, first and second data inputs of the device, data outputs of the device, a clock input of the device, a synchronization input of the n-bit register, an input for setting the device to its initial state, a reset input of the n-bit register, n full one-bit adders, an (n+1)-bit multiplexer, a 2-input NAND element, a NOT element, and an n-input OR element. 1 fig.

More
14-07-2005 publication date

DEVICE AND METHOD FOR CONVERTING A TERM

Number: DE0050300638D1
Assignee: INFINEON TECHNOLOGIES AG

More
01-03-2018 publication date

Module and method for the secured computation of mathematical operations

Number: DE102016115609A1
Assignee:

An electronic module for computing a mathematical operation comprises a plurality of computation units for computing the mathematical operation for a set of parameters, each computation unit being configured to compute the mathematical operation with the set of parameters according to a computation method, the computation method differing for at least two of the computation units. A cryptography chip and a method for computing the mathematical operation are also defined.

More
09-11-2016 publication date

Performing constant modulo arithmetic

Number: GB0002538102A
Assignee:

A binary logic circuit for determining y = x mod (2^m - 1), where x is an n-bit integer, y is an m-bit integer, and n > m, the binary logic circuit comprising: reduction logic configured to reduce x to a sum of a first m-bit integer β and a second m-bit integer y; and addition logic configured to calculate an addition output represented by the m least significant bits of the following sum right-shifted by m: a first binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by β; a second binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by y; and the binary value 1.

More
22-11-2000 publication date

Encryption processor with shared memory interconnect

Number: GB0002350218A
Assignee:

An encryption chip is programmable to process a variety of secret key and public key encryption algorithms. The chip includes a pipeline of processing elements, each of which can process a round within a secret key algorithm. Data is transferred between the processing elements through dual port memories. A central processing unit allows for processing of very wide data words from global memory in single cycle operations. An adder circuit is simplified by using plural relatively small adder circuits with sums and carries looped back in plural cycles. Multiplier circuitry can be shared between the processing elements and the central processor by adapting the smaller processing element multipliers for concatenation as a very wide central processor multiplier.

More
15-11-2011 publication date

SECURE SLIDING WINDOW EXPONENTIATION

Number: AT0000530981T
Author: BAUER SVEN, BAUER, SVEN
Assignee:

More
16-09-2021 publication date

Oblivious carry runway registers for performing piecewise additions

Number: AU2020253340A1
Assignee:

Methods and apparatus for piecewise addition into an accumulation register using one or more carry runway registers, where the accumulation register includes a first plurality of qubits with each qubit representing a respective bit of a first binary number and where each carry runway register includes multiple qubits representing a respective binary number. In one aspect, a method includes inserting the one or more carry runway registers into the accumulation register at respective predetermined qubit positions, respectively, of the accumulation register; initializing each qubit of each carry runway register in a plus state; applying one or more subtraction operations to the accumulation register, where each subtraction operation subtracts a state of a respective carry runway register from a corresponding portion of the accumulation register; and adding one or more input binary numbers into the accumulation register using piecewise addition.

More
15-06-2004 publication date

INTEGER DIVISION METHOD WHICH IS SECURE AGAINST COVERT CHANNEL ATTACKS

Number: AU2003295059A1
Assignee:

More
11-11-2003 publication date

"EMOD" A FAST MODULUS CALCULATION FOR COMPUTER SYSTEMS

Number: AU2003241350A1
Assignee:

More
08-10-2020 publication date

SURFACE CODE COMPUTATIONS USING AUTO-CCZ QUANTUM STATES

Number: CA3135494A1
Assignee:

Methods and apparatus for performing surface code computations using Auto-CCZ states. In one aspect, a method for implementing a delayed choice CZ operation on a first and second data qubit using a quantum computer includes: preparing a first and second routing qubit in a magic state; interacting the first data qubit with the first routing qubit and the second data qubit with the second routing qubit using a first and second CNOT operation, where the first and second data qubits act as controls for the CNOT operations; if a received first classical bit represents an off state: applying a first and second Hadamard gate to the first and second routing qubit; measuring the first and second routing qubit using Z basis measurements to obtain a second and third classical bit; and performing classically controlled fixup operations on the first and second data qubit using the second and third classical bits.

More
08-10-2020 publication date

QUANTUM CIRCUIT OPTIMIZATION USING WINDOWED QUANTUM ARITHMETIC

Number: CA3135491A1
Assignee:

Methods, systems and apparatus for performing windowed quantum arithmetic. In one aspect, a method for performing a product addition operation includes: determining multiple entries of a lookup table, comprising, for each index in a first set of indices, multiplying the index value by a scalar for the product addition operation; for each index in a second set of indices, determining multiple address values, comprising extracting source register values corresponding to indices between i) the index in the second set of indices, and ii) the index in the second set of indices plus the predetermined window size; and adjusting values of a target quantum register based on the determined multiple entries of the lookup table and the determined multiple address values.

More
13-08-1985 publication date

DIGITAL MATRIXING SYSTEM

Number: CA1191960A
Assignee: RCA CORP, RCA CORPORATION

A digital multiplying apparatus is presented which digitally multiplies a digital signal by a coefficient. The apparatus comprises means for providing a plurality of fraction signals of the digital signal. The fractions are powers of one-half times the digital signal. Means are provided for multiplying the smallest of these fractions by a factor to obtain a remainder signal representing the value left after expressing the coefficient as a sum of powers of one-half. Finally, means for combining the plurality of fraction signals and the remainder signal are provided.

More
30-11-2000 publication date

DIGITAL SYNTHESIZER WITH COHERENT DIVISION

Number: CA0002374707A1
Assignee:

The invention relates to a direct digital frequency synthesis device. The device comprises: a coherent accumulator (1), modulo M, for generating a first phase law from a frequency control word; a table (2), addressed by a second phase law derived from the first phase law, for generating a digital sinusoidal signal; a digital-to-analog converter (3) for converting the digital sinusoidal signal into an analog sinusoidal signal; a filter (4) for filtering the analog sinusoidal signal; and a divider (5) for dividing the filtered signal, the divider having an order lower than M and having a synchronization input driven by a synchronization pulse to resynchronize the signal after division, the synchronization pulse being derived from the phase law. Application: in particular to digital synthesizers for radar.

More
11-07-2000 publication date

METHOD AND APPARATUS FOR MINIMIZING DIFFERENTIAL POWER ATTACKS ON PROCESSORS

Number: CA0002258338A1
Assignee:

A method of masking a conditional jump operation in a cryptographic processor, wherein program execution jumps to one of two branches dependent on a first or second condition of a distinguishing value V relative to a reference wherein the reference is bounded by an upper limit Vmax and a lower limit Vmin. The method comprising the steps of determining the location of a conditional jump and inserting code thereat for executing instructions to change program execution to a respective one of the two branches by using said distinguishing value and a base address to compute a target address, wherein for each evaluation of said condition a different number of instructions are executed, thereby minimizing the effectiveness of a differential power attack.

More
10-03-2004 publication date

Cryptographic processor

Number: CN0001481526A
Assignee:

... A cryptographic processor for executing the computations of cryptographic applications includes a plurality of coprocessors (104a, 104b, 104c), each coprocessor having a control unit and an arithmetic unit, a central processing unit (102) for controlling the plurality of coprocessors (104a, 104b, 104c), and a bus (101) for connecting each coprocessor (104a, 104b, 104c) to the central processing unit (102). The central processing unit (102), the plurality of coprocessors (104a, 104b, 104c) and the bus (101) are integrated on a single chip (100). The chip further includes a common power supply terminal (122) for feeding the plurality of coprocessors (104a, 104b, 104c). By connecting the different coprocessors in parallel, an increase in throughput is obtained on the one hand, and on the other hand the security of the cryptographic processor is improved against an attacker who relies on evaluating the power profile of the cryptographic processor, because the power profiles of at least two coprocessors are superimposed. Furthermore, by using different coprocessors, the cryptographic processor can also be implemented as a multifunctional cryptographic processor suitable for multiple different cryptographic algorithms. ...

More
08-10-2014 publication date

Simplified method and apparatus for the implementation of two-channel attacks and their efficiency

Number: CN101938355B
Author:
Assignee:

More
29-11-2019 publication date

Safety compound model index outsourcing calculation method based on single server

Number: CN0106453276B
Author:
Assignee:

More
12-05-2010 publication date

Enciphering and deciphering method and apparatus

Number: CN0001598758B
Assignee:

An integer Z101 is divided by an integer I102 to obtain a remainder R109. The integer I102 includes a polynomial of power of a basic operational unit of a computer. In this way, the integer I for the divisor is limited based on the basic operational unit of the computer, thus a shift operation, which is required for a conventional operation method, can be eliminated. The remainder can be calculated by only addition and subtraction. Accordingly, the code size becomes compact and the remainder of the integer can be calculated at a high speed.

More
29-09-2006 publication date

ARITHMETIC PROCESS, ARITHMETIC APPARATUS AND CRYPTOGRAPHIC PROCESSING APPARATUS

Number: FR0002788867B1
Assignee:

More
09-05-2003 publication date

PROCESS OF DEVELOPMENT OF A PARAMETER OF CRYPTOGRAPHY

Number: FR0002832007A1
Author: KNUDSEN ERIK, FEIX BENOIT
Assignee:

Determination of a prime number for use in a cryptography process. A predetermined test is applied cyclically to an integer (N), each time using the remainder (NR) and the integer part of the quotient (q) of the division of a chosen number (S) by the current integer; on each negative test the next integer (N) is selected and a new remainder of the next division is computed without performing that division, directly from the remainder (NR) and the quotient (q), and the process is repeated until the test is positive.

More
30-06-2006 publication date

Cryptography key data storing method for e.g. chip card, involves converting data, from cryptography key and used with operand within Euclidean operation, into data to be used with operand within Montgomery operation

Number: FR0002880149A1
Assignee:

A data processing method, for determining the result of an operation of a first type involving an operand in an electronic entity comprising a non-volatile storage unit, comprises the steps of: - converting a datum, derived from at least part of a key and intended to be used with the operand within the operation of the first type, into key data suitable for use with said operand within an operation of a second type; - storing the key data in the non-volatile storage unit; - reading the key data from the non-volatile storage unit; - performing the operation of the second type with the key data read and said operand. Associated devices are also proposed.

More
15-12-1999 publication date

MODULO ADDRESS GENERATOR AND METHOD THEREOF

Number: KR0000236536B1
Author: LIM, MIN JUNG
Assignee:

PURPOSE: A device and a method for generating a modulo address are provided to perform high speed digital signal processing by considering the area overhead incurred by using a high speed adder without multi-stage addition. CONSTITUTION: The first low speed adder (21) obtains the address to be designated next in accordance with the current address (A) and an address increment (I). The second low speed adder (22) finds the address range (B-M=b) to be assigned by inputting the maximum address (M) and the minimum address (B). An adder and subtracter (23) adds or subtracts the outputs of the two adders (21)(22) according to the sign of the address increment (I). A comparator (24) detects whether the address output value, increased by the address increment (I) from the current address in the first low speed adder (21), lies between the maximum address (M) and the minimum address (B). An output selecting unit (25) selects and outputs the output (a) of the first low speed ...

More
11-02-2004 publication date

MODULO ADDRESSING

Number: KR20040012695A
Assignee:

In one embodiment, a modulo addressing unit for a processor is described that includes a plurality of adders to generate an uncorrected target modulo address and at least one corrected target modulo address in parallel. A comparator selects one of the target modulo addresses as a function of a base address (b) for a circular buffer, a length (L) of the circular buffer, an index address (I) and a modifier value (M). In one embodiment the comparator selects a first corrected target modulo address when I+M=B+L and an uncorrected modulo address when B <= I+M < B+L. © KIPO & WIPO 2007 ...

More
03-11-2010 publication date

COUNTERMEASURE METHOD AND DEVICES FOR ASYMMETRICAL CRYPTOGRAPHY WITH SIGNATURE DIAGRAM

Number: KR1020100117589A
Author:
Assignee:

More
16-03-2004 publication date

Device and method for converting a term

Number: TW0200404224A
Assignee:

A device for converting a term (T) comprising a product of a first operand (A) and a second operand (B) into a representation having an integer quotient (Q) regarding a modulus and a remainder (R), the integer quotient (Q) being defined by T/N, T being the term and N being the modulus, and the remainder (R) being defined by T mod N, N being the modulus, includes means for modularly reducing the term using the modulus on the one hand and for modularly reducing the term using an auxiliary modulus, which is greater than the modulus, on the other hand to obtain the remainder (R) on the one hand and the auxiliary remainder (R1) on the other hand. Both the remainder (R) and the auxiliary remainder (R1) are fed into means (12) for combining to obtain the integer quotient (Q). The inventive device makes it possible to calculate even the integer quotient, that is the result of the DIV operation, by performing a command for a modular multiplication existing on conventional cryptoprocessors two times ...

More
12-04-2012 publication date

SYSTEM FOR SCHEDULING THE EXECUTION OF TASKS CLOCKED BY A VECTOR LOGICAL TIME

Number: WO2012045942A1
Assignee:

The invention relates to a module (10) for comparing two items of data (A,B) of Nm bits, comprising a comparison output (GE) indicative of an order relation between the two items of data, said output being defined by a table comprising rows associated with the consecutive possible values of the first data item (A) and columns associated with the consecutive possible values of the second data item (B), where each row comprises a state at the intersection with the column associated with the same value, followed by a series of 0 states. The series of 0 states is followed by a series of 1 states completing the row in a circular manner, the number of 0 states being the same for each row and less than half the maximum value (15) of the data items.

More
22-02-2007 publication date

CIRCUIT ARRANGEMENT AND METHOD FOR RSA KEY GENERATION

Number: WO000002007020564A3
Assignee:

In order to further develop a circuit arrangement for, as well as a method of, performing at least one operation, in particular at least one cryptographic calculation, wherein the problem of creating at least one key, in particular the R[ivest-]S[hamir-]A[dleman] key, satisfying at least one defined digital signature law, in particular the German Digital Signature Law, is solved, it is proposed that at least one, preferably two, prime numbers (p; q) for key generation, in particular for R[ivest-]S[hamir-]A[dleman] key generation, are searched in compliance with at least one defined digital signature law, in particular with the German Digital Signature Law.

More
19-12-2002 publication date

METHOD AND SYSTEM FOR A FULL-ADDER POST PROCESSOR FOR MODULO ARITHMETIC

Number: WO0002101506A2
Assignee:

A full-adder post processor performs modulo arithmetic. The full-adder post processor is a hardware implementation able to calculate A mod N, (A+B) mod N and (A-B) mod N. The processor includes a full adder able to add the operands A and B, while modulo reduction is accomplished in the processor by successively subtracting the largest possible multiple of the modulus N obtainable by bit shifting prior to subtraction.

More
11-07-2002 publication date

MODULO ADDRESSING

Number: WO2002054227A1
Assignee:

In one embodiment, a modulo addressing unit for a processor is described that includes a plurality of adders to generate an uncorrected target modulo address and at least one corrected target modulo address in parallel. A comparator selects one of the target modulo addresses as a function of a base address (b) for a circular buffer, a length (L) of the circular buffer, an index address (I) and a modifier value (M). In one embodiment the comparator selects a first corrected target modulo address when I+M=B+L and an uncorrected modulo address when B <= I+M < B+L.

More
18-10-2007 publication date

Digital computation method involving euclidean division

Number: US20070244956A1
Assignee:

A computational method for implementation in an electronic digital processing system performs integer division upon very large (multi-word) operands. An approximated reciprocal of the divisor is obtained by extracting the two most significant words of the divisor, adding one to the extracted value and dividing from a power of two out to two significant words. Multiplying this reciprocal value by a remainder (initialized as the dividend) obtains a quotient value, which is then decremented by a random value. The randomized quotient is multiplied by the actual divisor, and decremented from the remainder. The quotient value is accumulated to obtain updated quotient values. This process is repeated over a fixed number of rounds related to the relative sizes in words of the dividend and divisor. Each round corrects approximation and randomization errors from a preceding round.

More
05-11-1996 publication date

Modulo reduction method using a precomputed table

Number: US0005572454A1
Assignee: Korea Telecommunication Authority

A modulo reduction method using a precomputed table to increase reduction speed during the execution of ordinary operational processes using computers comprises a first step which searches out, with an index of an upper log2 t (t≧1) bit number, the value stored in a table and adds it to a lower n (n≧512) bit number; a second step which, if the result obtained from the addition of said lower n bit number to the number searched out from the table at said first step produces an overflow (1 bit), eliminates said overflow and finishes the execution of the operation; and a third step which, if said overflow does not occur at said second step, adds N on a modulo N to the result obtained from said first step and finishes the execution of the operation.

More
21-08-1990 publication date

Processor for executing arithmetic operations on input data and constant data with a small error

Number: US0004951238A
Author:
Assignee:

A process for carrying out modulo reduction of floating-point data uses a predetermined constant. A subtraction operation of more significant bits of the predetermined constant from a mantissa part of the floating-point data is performed and the subtraction result is normalized. Less significant bits of the predetermined constant are shifted and this result is subtracted from the above normalized data and is then normalized. Thus, a remainder resulting from the modulo reduction is obtained.

More
17-10-1995 publication date

Frequency synthesizer

Number: US5459418A
Author:
Assignee:

A saw-tooth waveform signal generating circuit (3) generates a saw-tooth waveform signal d in response to a timing signal b derived from a reference clock a. A voltage comparator (4) slices the saw-tooth waveform signal with a reference voltage to shape the waveform thereof, thereby producing a synthesizer output e having a rectangular waveform. A counter (5) adds or subtracts a predetermined value every time a reference clock arrives. The count of the counter (5) is converted to an analog value by a DAC (6) and then is applied to, for example, the saw-tooth waveform signal generating circuit as a bias. As a result, the voltage for causing the saw-tooth waveform signal to start rising or falling is manipulated to allow the voltage comparator to slice the saw-tooth waveform signal at any desired timing. Hence, a synthesizer output can be produced in any desired phase.

More
25-06-2009 publication date

METHOD AND APPARATUS FOR EFFICIENT PROGRAMMABLE CYCLIC REDUNDANCY CHECK (CRC)

Number: US2009164546A1
Assignee:

A method and apparatus to optimize each of the plurality of reduction stages in a Cyclic Redundancy Check (CRC) circuit to produce a residue for a block of data decreases the area used to perform the reduction while maintaining the same delay through the plurality of stages of the reduction logic. A hybrid mix of the Karatsuba algorithm, classical multiplications and serial division in various stages of the CRC reduction circuit results in about a twenty percent reduction in area on average with no increase in critical path delay.

More
10-02-2004 publication date

Method and apparatus for generating random number generators

Number: US0006691141B2

A method and apparatus are provided for generating a parameter value to be used as a parameter for a random number generator. A random value is generated and the random value is mapped to a prime number. The parameter value is generated by multiplying the prime number by previously selected prime numbers. Each parameter value is then used as one of a plurality of parameters for the random number generator.

More
06-07-2004 publication date

Modulo addressing

Number: US0006760830B2

In one embodiment, a modulo addressing unit for a processor is described that includes a plurality of adders to generate an uncorrected target modulo address and at least one corrected target modulo address in parallel. A comparator selects one of the target modulo addresses as a function of a base address (b) for a circular buffer, a length (L) of the circular buffer, an index address (I) and a modifier value (M). In one embodiment the comparator selects a first corrected target modulo address when I+M=B+L and an uncorrected modulo address when B<=I+M

More

04-01-2012 publication date

RANDOMIZED MODULAR REDUCTION METHOD AND HARDWARE THEREFOR

Number: EP1687930B1
Assignee: Atmel Rousset S.A.S.

16-11-2011 publication date

Data sequence encryption using primes generated from random natural numbers

Number: GB0002480259A

A data sequence is encrypted by first generating two random natural numbers r1, r2 using a random number generator. The random natural numbers r1, r2 are then used to identify two distinct prime numbers p, q with which the data sequence is encrypted, by obtaining a first value equal to (2r1)!/[(r1)!]^2 and a second value equal to (2r2)!/[(r2)!]^2, prime-factorising the first and second values, and identifying in the first and second prime factorisations the prime factors p, q immediately greater than the first and second random natural numbers r1, r2 respectively. The first and second values can be calculated directly or can be obtained by look-up from the Carré de PIAT.
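Added example (not the patent's code) of the mapping from a random natural number r to the prime immediately above it: the central binomial coefficient C(2r, r) = (2r)!/(r!)^2 is divisible by every prime in (r, 2r], and Bertrand's postulate guarantees at least one such prime, so the smallest prime factor of C(2r, r) that exceeds r is the one sought. The trial-division factoriser, the parameter sizes and the pair-selection loop are my assumptions; the look-up table named in the abstract is not reproduced.

```python
"""Prime selection from the factorisation of C(2r, r). Added example with
toy sizes; the factoriser is trial division and is not meant for
cryptographic operand sizes."""
from math import comb
import secrets
from typing import Callable, Tuple


def next_prime_from_binomial(r: int) -> int:
    """Smallest prime p with r < p <= 2r, read off the factorisation of C(2r, r)."""
    if r < 1:
        raise ValueError("r must be a positive natural number")
    value = comb(2 * r, r)
    # Strip every prime factor <= r. After this, value is exactly the product
    # of the primes in (r, 2r], each to the first power.
    for d in range(2, r + 1):
        while value % d == 0:
            value //= d
    # The smallest remaining factor is the prime immediately above r.
    for d in range(r + 1, 2 * r + 1):
        if value % d == 0:
            return d
    raise AssertionError("Bertrand's postulate guarantees a prime in (r, 2r]")


def is_prime(n: int) -> bool:
    """Independent check by trial division (toy sizes only)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def distinct_prime_pair(max_r: int,
                        rng: Callable[[int], int] = secrets.randbelow) -> Tuple[int, int]:
    """Draw r1, r2 in [1, max_r], map each to the prime above it, redraw on collision."""
    r1 = 1 + rng(max_r)
    p = next_prime_from_binomial(r1)
    while True:
        r2 = 1 + rng(max_r)
        q = next_prime_from_binomial(r2)
        if q != p:
            return p, q


if __name__ == "__main__":
    print(next_prime_from_binomial(113), distinct_prime_pair(500))
```

Two caveats a reviewer would raise: factorising C(2r, r) is hopeless at key sizes, so the construction only makes sense with the precomputed table the abstract mentions, and "the prime immediately above r" is not uniformly distributed over primes: a prime that follows a large gap is reached from many more values of r than one that follows a small gap, so the entropy of p is somewhat less than that of r.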

01-10-2003 publication date

A data processing system and method for performing a mathematical operation on multi bit binary integer numbers using floating point arithmetic

Number: GB0002386984A

The data processing system and method performs a mathematical operation on multi bit binary integer numbers using floating point arithmetic. The binary integer numbers are divided into corresponding segments and processed to determine at least one result of a mathematical operation for each segment. Corresponding segments comprise a corresponding group of w bits of the binary integer numbers. Floating point registers store said results of the mathematical operations. Each floating point register has m mantissa bits, where m > w. A sum of said results of the mathematical operations is determined for each segment in a floating point register. A w bit result of the mathematical operation is generated in a floating point register for each segment. Also, a carry result is generated in a floating point register to be carried over to a next segment for use in the determination of the sum of said results of mathematical operations for the next segment. The result and the carry result for each segment ...

23-06-2010 publication date

Apparatus for and methods of identifying a prime number, determining primality and determining prime factors

Number: GB0201007794D0

15-07-2005 publication date

METHOD AND DEVICE FOR MODULO COMPUTATION

Number: AT0000298902T

15-03-2008 publication date

PORTABLE DATA MEDIUM WITH ACCESS PROTECTION BY ALLOTTING PRO RATA HURRYING

Number: AT0000387047T

15-01-2011 publication date

DETERMINING A MODULO COUNT VALUE IN A SYSTEM WITH SLEEP CAPABILITY

Number: AT0000493701T

15-11-2011 publication date

SIDE-CHANNEL-ATTACK-RESISTANT GENERATION OF PRIME NUMBERS

Number: AT0000532128T

15-04-2008 publication date

METHOD FOR INTEGER DIVISION SECURE AGAINST HIDDEN-CHANNEL ATTACKS

Number: AT0000390665T

15-09-2010 publication date

DATA TRANSLATOR

Number: AT0000479142T

15-01-2009 publication date

DIVISION OF BINARY NUMBERS

Number: AT0000418757T
Author: KAHL, HELMUT

15-06-2008 publication date

CONFIGURABLE MULTI-STAGE LINEAR FEEDBACK SHIFT REGISTER

Number: AT0000396448T

15-05-1994 publication date

METHOD FOR THE MODULAR REDUCTION OF NUMBERS

Number: AT0000105097T

04-09-2003 publication date

SYSTEM AND METHOD FOR CALCULATING A RESULT FROM A DIVISION

Number: AU2003244870A1

16-09-2021 publication date

Quantum circuit optimization using windowed quantum arithmetic

Number: AU2020256115A1

Methods, systems and apparatus for performing windowed quantum arithmetic. In one aspect, a method for performing a product addition operation includes: determining multiple entries of a lookup table, comprising, for each index in a first set of indices, multiplying the index value by a scalar for the product addition operation; for each index in a second set of indices, determining multiple address values, comprising extracting source register values corresponding to indices between i) the index in the second set of indices, and ii) the index in the second set of indices plus the predetermined window size; and adjusting values of a target quantum register based on the determined multiple entries of the lookup table and the determined multiple address values.

30-08-2018 publication date

METHOD FOR GENERATING A PRIME NUMBER FOR A CRYPTOGRAPHIC APPLICATION

Number: CA0003053213A1
Assignee: ROBIC

The present invention relates to a method for generating a prime number and using it in a cryptographic application, comprising the steps of: a) determining at least one binary base B of small size b = log2(B) bits and, for each determined base B, at least one small prime p_i such that B mod p_i = 1, with i an integer; b) selecting a prime candidate Y_P; c) decomposing the selected prime candidate Y_P in a base B selected among said determined binary bases: Y_P = Σ y_j·B^j; d) computing a residue y_PB from the candidate Y_P for said selected base such that y_PB = Σ y_j; e) testing whether said computed residue y_PB is divisible by one small prime p_i selected among said determined small primes for said selected base B; f) while said computed residue y_PB is not divisible by said selected small prime, iteratively repeating step e) until the tests performed at step e) prove that said computed residue y_PB is not divisible by any of said determined small primes for said selected base B; g) when said computed ...
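Steps a) to f) as an added example (not the patent's implementation): for a digit size b, every prime p dividing 2^b − 1 satisfies 2^b ≡ 1 (mod p), so the sum of a candidate's base-2^b digits is congruent to the candidate modulo each such p, and a divisibility test on that short residue replaces a long division of the full candidate. The digit sizes, the candidate-generation loop and all helper names are my choices.

```python
"""Small-prime sieving of prime candidates through base-2^b digit sums.
Added example; the set of digit sizes and the candidate generator are
assumptions, not the patent's parameters."""
import secrets
from typing import Callable, Dict, List


def bases_and_small_primes(digit_sizes: List[int]) -> Dict[int, List[int]]:
    """For each b: B = 2**b and the primes p with B mod p == 1 (the primes dividing B - 1)."""
    out = {}
    for b in digit_sizes:
        B = 1 << b
        n, primes, d = B - 1, [], 2
        while d * d <= n:                    # trial division of the small number B - 1
            if n % d == 0:
                primes.append(d)
                while n % d == 0:
                    n //= d
            d += 1
        if n > 1:
            primes.append(n)
        out[B] = primes
    return out


def digit_sum_residue(y: int, b: int) -> int:
    """Sum of the base-2**b digits of y; congruent to y modulo every p dividing 2**b - 1."""
    mask, s = (1 << b) - 1, 0
    while y:
        s += y & mask
        y >>= b
    return s


def passes_small_prime_sieve(y: int, bases: Dict[int, List[int]]) -> bool:
    """False if some small prime tied to one of the bases divides y.
    Only the short residue is ever divided, never y itself."""
    for B, primes in bases.items():
        b = B.bit_length() - 1
        r = digit_sum_residue(y, b)
        for p in primes:
            if r % p == 0 and y != p:
                return False
    return True


def random_prime_candidate(bits: int, bases: Dict[int, List[int]],
                           rng: Callable[[int], int] = secrets.randbits) -> int:
    """Draw odd candidates of exactly `bits` bits until one survives the sieve.
    A survivor still needs a real primality test before use."""
    while True:
        y = rng(bits) | (1 << (bits - 1)) | 1
        if passes_small_prime_sieve(y, bases):
            return y


if __name__ == "__main__":
    bases = bases_and_small_primes([8, 12, 16])
    print(bases, random_prime_candidate(256, bases))
```

With b = 8, 12 and 16 the sieve covers 3, 5, 7, 13, 17 and 257. Each digit sum is only a few bits longer than the digit size, so the per-prime test is a division of a machine-word-sized value; the cost that would otherwise scale with the candidate length is the one pass of masks and shifts per base.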

12-09-2003 publication date

DEVICE AND METHOD FOR PERFORMING MULTIPLE MODULUS CONVERSION USING INVERSE MODULUS MULTIPLICATION

Number: CA0002445055A1

A method and device (300) are provided that allow computation of multiple modulus conversion (MMC) outputs using little or no division operations. Instead of division operations, multiplication and logical shift operations (310) are used to produce pseudo-quotients and pseudo-remainders, which may be corrected in a final step to produce correct MMC outputs. This allows for more efficient implementation, since division is typically less efficient than multiplication and logical shift. The method and device operate on MMC inputs that may be partitioned into sub-quotients of varying numbers of digits in any numbering system (306). The multiplication and logical shift operations are performed on each of the sub-quotients according to a procedure derived from long-division techniques.

18-04-1992 publication date

PROCESSOR CHIP

Number: CA0002039988A1

01-12-1999 publication date

ACCELERATED CRYPTOGRAPHIC OPERATIONS

Number: CA0002239372A1

The present invention relates to a method and apparatus for decompressing elliptic curve points in cryptographic systems, wherein an elliptic curve point on an elliptic curve f(x) is defined over a field F_p where p is either 3 mod 4 or 5 mod 8 and p is sparsely represented, the method comprising extracting a square root √f(x), including calculating exponents comprised of successive runs of 1's in the binary expansion of the exponent and combining these exponents together with an appropriate number of squarings and multiplications to obtain the desired square root, the square root being a solution of said curve.
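Added example (not the patent's code) of the square-root extraction that point decompression needs for the two prime classes named above, using the standard closed forms: a^((p+1)/4) when p ≡ 3 (mod 4), and Atkin's formula when p ≡ 5 (mod 8). The run-of-ones addition-chain optimisation for sparse p that the abstract claims is not reproduced; Python's pow() stands in for it. The curve parameters in the demonstration are constructed toy values.

```python
"""Square roots in F_p for p = 3 (mod 4) and p = 5 (mod 8), and point
decompression on y^2 = x^3 + a*x + b. Added example; toy curve values."""
from typing import Optional, Tuple


def sqrt_mod_p(a: int, p: int) -> Optional[int]:
    """A square root of a modulo the odd prime p, or None if a is a non-residue.
    Only the two prime classes handled by the abstract are supported."""
    a %= p
    if a == 0:
        return 0
    if p % 4 == 3:
        r = pow(a, (p + 1) // 4, p)
    elif p % 8 == 5:
        # Atkin: v = (2a)^((p-5)/8), i = 2a*v^2 (a square root of -1), r = a*v*(i-1)
        v = pow(2 * a, (p - 5) // 8, p)
        i = (2 * a * v * v) % p
        r = (a * v * (i - 1)) % p
    else:
        raise ValueError("p must be 3 mod 4 or 5 mod 8")
    # Both formulas return garbage for non-residues, so always verify.
    return r if (r * r) % p == a else None


def decompress_point(x: int, y_parity: int, a: int, b: int, p: int) -> Tuple[int, int]:
    """Recover (x, y) on y^2 = x^3 + a*x + b over F_p from x and the parity bit of y."""
    rhs = (pow(x, 3, p) + a * x + b) % p
    y = sqrt_mod_p(rhs, p)
    if y is None:
        raise ValueError("no point on the curve has this x-coordinate")
    if y % 2 != y_parity:
        y = p - y                      # the other root has the opposite parity
    return x, y


if __name__ == "__main__":
    # 2^127 - 1 is a sparse prime with p = 3 (mod 4); 13 has p = 5 (mod 8).
    print(sqrt_mod_p(4, 2 ** 127 - 1), decompress_point(7, 1, 0, 7, 13))
```

The verification step at the end of sqrt_mod_p is not optional in a decompression routine: a compressed point whose x has no corresponding y is invalid input, and silently using the unchecked output of the exponentiation would yield a point off the curve, which is exactly the kind of value invalid-curve attacks feed to a scalar multiplication.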

18-06-2004 publication date

Cryptographic method for a chip card, in which a number is masked by a multiple of a random number before an integer division and/or modular reduction and the random number is subtracted from the division result

Number: FR0002848753A1
Author: JOYE MARC

The invention concerns a cryptographic method in which an integer division of the type q = a div b and/or a modular reduction of the type r = a mod b is performed, with q a quotient, a a number of m bits, b a number of n bits, n less than or equal to m and b_{n-1} non-zero, b_{n-1} being the most significant bit of the number b. According to the invention, the number a is masked by a random number ρ before the integer division and/or the modular reduction is performed. The invention also concerns an electronic component for implementing the method. Application to smart cards.

08-03-2019 publication date

MODULAR REDUCTION DEVICE

Number: FR0003070814A1

31-08-2007 publication date

Method for performing integer division on multi-word operands, in software or hardware, for a cryptographic processing system, in which an approximate reciprocal of the divisor is obtained by extracting a number of most significant words of the divisor

Number: FR0002897964A1
Author: DUPAQUIS, DOUGUET
Assignee: INSIDE SECURE

A computation method for implementation in an electronic digital processing system performs integer division on very large operands. An approximate reciprocal of the divisor (B) is obtained by extracting the two most significant words of the divisor (B), adding one to the extracted value and dividing a power of two (two words wide) by it. Multiplying this reciprocal value (S) by a remainder (R) (initialised to the dividend (A)) gives a quotient value (Q), which is then decremented by a random value. The randomised quotient (Q) is multiplied by the divisor (B) and the product is subtracted from the remainder (R). The quotient values (Q) are accumulated to obtain updated quotient values. This process is repeated for a fixed number of rounds determined by the relative word lengths of the divisor (B) and the dividend (A). Each round corrects the approximation and randomisation errors of the previous round.

09-06-1995 publication date

Modulo reduction method using a precalculated table, e.g. in a smart card

Number: FR0002713365A1

The present invention concerns a modulo reduction method comprising the steps of: (1) looking up a value stored in a table using the high-order bits of a number as the index, and adding the value found in the table to the low-order bits of the number; (2) if the addition in step (1) of the low-order bits and the table value produces an overflow (1 bit), discarding the overflow and terminating the operation; and (3) if no overflow occurs in step (2), adding N, for a modulus N, to the result obtained in step (1) and terminating the operation.

12-08-1994 publication date

Device for carrying out a division

Number: FR0002701323A1

This device is designed to divide a dividend number A, formed of "m" words in a base "b", by a divisor D. It comprises a random-access memory (2) and a multiplication unit, included in a computing unit (8), provided with a first input (x_i) for "x" words of a multiplicand and a second input (A_i) for "y" words of a multiplier. Accumulation means are provided to add, at locations of the memory (2), a multiple of a quantity d·b^k·b^J produced by said multiplication unit; test means provide an indication that a separator S in said location is zero and activate the accumulation means until the test means provide that indication; and decrementing means decrement the value J at each indication. The remainder of the division is held in the last locations and the quotient in the first. Application to RSA encryption.

13-03-2015 publication date

METHOD FOR PROTECTING DATA INTEGRITY USING A NUMBER [...]

Number: FR0003010561A1

The invention concerns a method for protecting the integrity of a data item in a processing circuit (PRC), the method comprising the steps of: choosing two coprime positive integers (N, R), the first (N) of the two being greater than the data item to be protected (ID1); encoding the data item to be protected by multiplying it by an idempotent number (IP) modulo the product (N·R) of the two numbers, the idempotent number being chosen to be idempotent in a ring whose number of distinct elements equals the product of the two numbers, equal to a multiple of the second (R) of the two numbers, and equal to a multiple of the first of the two numbers plus one; and activating an error signal (FS) if the modular reduction, modulo the second of the two numbers, of the encoded data item (ED1) is not zero.
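The scheme above as an added example (not the patent's circuit): N and R coprime, IP the element of Z/(N·R) that is 1 mod N and 0 mod R (so IP·IP ≡ IP), data encoded as ID·IP mod N·R, and the error flag raised when the encoded word is non-zero modulo R. The parameter values and the injected single-bit fault are mine; the additive-homomorphism helper shows why such a code can survive arithmetic on the protected value.

```python
"""Idempotent-based integrity code over Z/(N*R). Added example with
constructed parameters; N and R must be coprime."""
from math import gcd
from typing import Optional, Tuple


def idempotent(N: int, R: int) -> int:
    """IP in Z/(N*R) with IP = 1 (mod N) and IP = 0 (mod R); IP*IP = IP (mod N*R)."""
    if gcd(N, R) != 1:
        raise ValueError("N and R must be coprime")
    return (R * pow(R, -1, N)) % (N * R)       # Chinese-remainder construction


def encode(data: int, N: int, R: int) -> int:
    """ED = ID * IP mod N*R; ED is 0 mod R and equals ID mod N."""
    if not 0 <= data < N:
        raise ValueError("data must be smaller than N")
    return (data * idempotent(N, R)) % (N * R)


def check_and_decode(encoded: int, N: int, R: int) -> Tuple[bool, Optional[int]]:
    """Return (error_flag, data). A corrupted word is caught unless the
    corruption happens to be a multiple of R (probability about 1/R)."""
    if encoded % R != 0:
        return True, None                      # error signal FS
    return False, encoded % N


def add_encoded(e1: int, e2: int, N: int, R: int) -> int:
    """Addition on encoded words stays in the code, so the check still applies after it."""
    return (e1 + e2) % (N * R)


if __name__ == "__main__":
    N, R = 1 << 16, 65521                      # constructed: 16-bit data, prime R
    word = encode(0xBEEF, N, R)
    print(check_and_decode(word, N, R), check_and_decode(word ^ (1 << 5), N, R))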

11-09-2015 publication date

GENERATING MESSAGE TO TEST FOR GENERATING CRYPTOGRAPHIC KEYS

Number: FR0003018372A1
Assignee: IDEMIA FRANCE

23-09-2010 publication date

EXPONENTIATION METHOD RESISTANT AGAINST SIDE-CHANNEL AND SAFE-ERROR ATTACKS

Number: WO2010105900A1
Author: JOYE, Marc

An exponentiation method resistant against side-channel attacks and safe-error attacks. Input to the method is g in a multiplicatively written group G and an l-digit exponent d with radix m > 1, and the output is z = g^(d−1). (d − 1) is expressed as a series of (l − 1) non-zero digits d*_0 … d*_{l−2} in the set {m−1, …, 2m−2} and an extra digit d*_{l−1} equal to d_{l−1} − 1, where d_{l−1} is the most significant radix-m digit of d, and g^(d−1) is evaluated through an m-ary exponentiation algorithm on input g and (d − 1) represented by d*_0 … d*_{l−1}. Also provided are an apparatus and a computer program product.
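Added example (not the patent's code) of the recoding in the abstract, with an m-ary exponentiation run on the recoded digits and checked against the plain result. The recoding rule used here, d*_i = d_i + m − 1 for i < l − 1 and d*_{l−1} = d_{l−1} − 1, is my own derivation from the stated digit set: the added (m − 1) terms sum to m^{l−1} − 1, which exactly cancels the 1 taken from the top digit. The modulus and exponents are constructed values.

```python
"""Exponent recoding d - 1 = sum d*_i m^i with all low digits in
{m-1, ..., 2m-2}, then m-ary exponentiation on it. Added example."""
from typing import List


def radix_digits(d: int, m: int) -> List[int]:
    """Least-significant-first radix-m digits of d >= 1."""
    digits = []
    while d:
        d, digit = divmod(d, m)
        digits.append(digit)
    return digits


def recode_minus_one(d: int, m: int) -> List[int]:
    """Digits d*_0 .. d*_{l-1} with sum d*_i m^i = d - 1.
    Every digit except the top one lies in {m-1, ..., 2m-2}, hence is non-zero."""
    if m < 2 or d < 1:
        raise ValueError("need radix m >= 2 and exponent d >= 1")
    digits = radix_digits(d, m)
    return [x + m - 1 for x in digits[:-1]] + [digits[-1] - 1]


def mary_exp_recoded(g: int, d: int, m: int, modulus: int) -> int:
    """Left-to-right m-ary exponentiation over the recoded digits: g^(d-1) mod modulus.
    No low digit is zero, so each round performs a genuine multiplication; there
    is no dummy operation whose omission a safe-error attack could go unnoticed."""
    star = recode_minus_one(d, m)
    table = [1]                                # table[k] = g^k for k = 0 .. 2m-2
    for _ in range(2 * m - 2):
        table.append(table[-1] * g % modulus)
    acc = table[star[-1]]                      # top digit may be 0 (g^0 = 1)
    for digit in reversed(star[:-1]):
        acc = pow(acc, m, modulus)             # log2(m) squarings when m is a power of two
        acc = acc * table[digit] % modulus     # always a real multiplication
    return acc


if __name__ == "__main__":
    print(recode_minus_one(11, 2), mary_exp_recoded(3, 11, 2, 1000003))
```

To obtain g^d itself, multiply the result by g once more; keeping that final multiplication unconditional preserves the property that the operation sequence does not depend on the digits of d.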

20-06-2002 publication date

CRYPTOGRAPHIC PROCESSOR

Number: WO0002048857A3

The invention relates to a cryptographic processor for carrying out operations for cryptographic applications, comprising a plurality of coprocessors (104a, 104b, 104c), each coprocessor having a control unit and an arithmetic unit, a central processing unit (102) for controlling the plurality of coprocessors (104a, 104b, 104c) and a bus (101) for connecting each coprocessor (104a, 104b, 104c) to the central processing unit (102). The central processing unit (102), the plurality of coprocessors (104a, 104b, 104c) and the bus (101) are integrated into a single chip (100). The chip also comprises a common power supply input (122) for supplying the plurality of coprocessors (104a, 104b, 104c). The connection in series of different coprocessors increases the throughput of the cryptographic processor and simultaneously improves its security against attacks based on an evaluation of the power profiles of the cryptographic processor, as the power profiles ...

02-02-2006 publication date

Method for secure integer division or modular reduction against hidden channel attacks

Number: US2006023873A1
Author: JOYE MARC

The invention concerns a cryptographic method which includes an integer division of the type q = a div b and/or a modular reduction of the type r = a mod b, with q a quotient, a a number of m bits, b a number of n bits, n not more than m, and b_{n-1}, the most significant bit of the number b, non-zero. The number a is masked by a random number ρ before the integer division and/or the modular reduction is performed. The invention also concerns an electronic component for implementing the method. The invention is applicable to securing smart cards against hidden channel attacks, and in particular differential attacks.
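Added example (not the patents' code) of the masking idea stated in this abstract and in the FR0002848753A1 entry above: before dividing, the dividend a is replaced by a' = a + ρ·b for a fresh random ρ, so the divider never sees a; the quotient comes back as q + ρ, the remainder is unchanged, and unmasking is a single subtraction. The additive form a + ρ·b and the parameter sizes are my reading of the title wording, not a transcription of the claims.

```python
"""Integer division and modular reduction on an additively masked dividend.
Added example; the masking form is an assumption consistent with the
titles, not the patent's claim text."""
import secrets
from typing import Callable, Tuple


def masked_divmod(a: int, b: int, m_bits: int, rho_bits: int = 64,
                  rng: Callable[[int], int] = secrets.randbits) -> Tuple[int, int]:
    """Return (a div b, a mod b), computed on a' = a + rho*b.

    a' div b = q + rho and a' mod b = r, so the divider's inputs and its
    quotient output are both decorrelated from a; only the final subtraction
    touches the true quotient.
    """
    if b <= 0:
        raise ValueError("divisor must be positive")
    if not 0 <= a < (1 << m_bits):
        raise ValueError("dividend does not fit in m_bits")
    rho = rng(rho_bits)                    # fresh per call; never reuse across operations
    a_masked = a + rho * b                 # what the divider actually processes
    q_masked, r = divmod(a_masked, b)      # stands in for the hardware divider
    return q_masked - rho, r


def masked_mod(a: int, b: int, m_bits: int, rho_bits: int = 64) -> int:
    """Modular reduction alone: the mask cancels with no unmasking step at all."""
    return masked_divmod(a, b, m_bits, rho_bits)[1]


if __name__ == "__main__":
    print(masked_divmod(1000003, 97, 21), masked_mod(2 ** 127 - 1, 2 ** 64 + 13, 128))
```

Two practical points: the masked dividend is up to m + rho_bits + n bits wide, so a fixed-width divider must be sized for it rather than for m bits; and the protection rests entirely on ρ being fresh and unpredictable per operation, since a reused ρ turns a' back into a fixed function of a.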

24-07-2012 publication date

Modular reduction using folding

Number: US0008229109B2

Techniques are described to determine N mod M, where N is a number having a width of n bits and M is a number having a width of m bits. The techniques generally involve determining N' = N_H·(2^f mod M) + N_L, where N = N_H·2^f + N_L, and subsequently determining N' mod M.
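Added example (not the patent's implementation) of one and two folding steps on a 2048-bit value against a 1024-bit modulus, showing how each fold shortens the operand before the final reduction. The fold widths f, the sample operands and the use of Python's % for the last step (standing in for whatever final reduction stage an implementation uses) are my choices.

```python
"""Modular reduction by folding: N = N_H*2^f + N_L is replaced by the
congruent but shorter N_H*(2^f mod M) + N_L. Added example; sample
operands are constructed."""
from typing import List, Tuple


def fold_once(N: int, M: int, f: int) -> int:
    """Return N' = N (mod M) with N' = N_H * (2^f mod M) + N_L, where N = N_H*2^f + N_L."""
    m_prime = pow(2, f, M)                    # precomputed once per modulus in practice
    n_high, n_low = N >> f, N & ((1 << f) - 1)
    return n_high * m_prime + n_low


def fold_reduce(N: int, M: int, folds: List[int]) -> Tuple[int, List[int]]:
    """Apply successive folds, then a final reduction. Also returns the operand
    widths after each stage so the shrinkage is visible."""
    widths = [N.bit_length()]
    for f in folds:
        N = fold_once(N, M, f)
        widths.append(N.bit_length())
    return N % M, widths                      # final stage: plain reduction stands in here


# Constructed sample operands (not from the patent).
SAMPLE_M = (1 << 1023) | 0x1D7C8A2F3B                      # odd 1024-bit modulus
SAMPLE_N = (1 << 2047) | (0xC0FFEE << 1000) | 0x5EED       # 2048-bit input


if __name__ == "__main__":
    result, widths = fold_reduce(SAMPLE_N, SAMPLE_M, [1536, 1280])
    print(widths, result == SAMPLE_N % SAMPLE_M)
```

With f = 1536 the high part is 512 bits and its product with the 1024-bit constant is at most 1536 bits, so one fold takes the operand from 2048 to at most 1537 bits; a second fold at f = 1280 brings it to at most 1282 bits. The multiplications are by a per-modulus constant, which is what makes folding cheaper than a full-width division.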

28-11-2002 publication date

Method and apparatus for arithmetic operation and recording medium of method of operation

Number: US2002178205A1

An integer Z (101) is divided by an integer I (102) to obtain a remainder R (109). The integer I (102) is a polynomial in a power of the computer's basic operational unit (its word size). Because the divisor I is restricted in this way, the shift operations required by a conventional method can be eliminated and the remainder can be calculated using only additions and subtractions. Accordingly, the code size becomes compact and the remainder of the integer can be calculated at high speed.

02-06-2009 publication date

Residue-based error detection for a shift operation

Number: US0007543007B2

Errors in a shift result can be detected with a residue-based mechanism instead of by duplicating the entire shifter. The commutative property of residue computation over a bit string allows the residue of a value to be independent of the actual bit positions when the divisor is a Mersenne number. Without a duplicated shifter, an operand that is the subject of a shift operation is formatted to become a multiple of k bits, where divisor = 2^k − 1, and the divisor is used for the computation of residues. The shift operation is translated to a single-position shift or a zero-position shift. The translated shift is applied to the formatted operand to generate a shift check value. Despite the different values, the residues of the shift result and of the shift check value will be the same as long as the bit groups are consistent between the two. An error is detected by comparing the residue of the shift check value with the residue of the shift result.

16-05-2002 publication date

Methods and apparatus for incomplete modular arithmetic

Number: US2002059353A1

Methods and apparatus for modular arithmetic operations with respect to a modulus p represent operands as a series of s w-bit words, where s·w ≥ k for a k-bit modulus. Operations are executed word by word, and a carry, borrow, or other bit or word is obtained from the operations on the most significant words of the operands. Depending on the value of this bit or word, an operation-specific correction factor is applied. Cryptographic systems include computer-executable instructions for such methods. Bit-level operations are generally avoided and the methods and apparatus are applicable to systems based on, ...

09-08-2022 publication date

Performing constant modulo arithmetic

Number: US0011409500B2
Author: Thomas Rose
Assignee: Imagination Technologies Limited

A binary logic circuit for determining y = x mod (2^m − 1), where x is an n-bit integer, y is an m-bit integer and n > m, includes reduction logic configured to reduce x to a sum of a first m-bit integer β and a second m-bit integer γ, and addition logic configured to calculate an addition output represented by the m least significant bits of the following sum right-shifted by m: a first binary value of length 2m whose m most significant bits and m least significant bits are each the bit string represented by β; a second binary value of length 2m whose m most significant bits and m least significant bits are each the bit string represented by γ; and the binary value 1.
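Added example (neither this patent's circuit nor code from the shift-check entry US0007543007B2 above) of x mod (2^m − 1): the operand is folded into two m-bit values β and γ, the abstract's 2m-bit addition with the constant 1 produces the result, and the all-ones alias of zero is mapped to 0. The same residue function then shows the property the residue-checked shifter relies on, that the residue modulo 2^k − 1 is unchanged when k-bit groups of a value are rotated. Widths and sample values are mine.

```python
"""Residue modulo a Mersenne number 2^m - 1, built the way the abstract
describes, plus the group-rotation invariance used for residue checking
of a shifter. Added example; widths and test values are constructed."""
from typing import Tuple


def reduce_to_two(x: int, m: int) -> Tuple[int, int]:
    """Fold x until it fits in 2m bits, then split into (beta, gamma), each < 2^m."""
    mask = (1 << m) - 1
    while x.bit_length() > 2 * m:
        x = (x & mask) + (x >> m)             # 2^m = 1 (mod 2^m - 1), so high part just adds in
    return x & mask, x >> m


def add_stage(beta: int, gamma: int, m: int) -> int:
    """The abstract's addition: (beta||beta) + (gamma||gamma) + 1, shifted right by m, low m bits."""
    dup = lambda v: (v << m) | v               # m-bit value repeated twice -> 2m-bit value
    total = dup(beta) + dup(gamma) + 1
    return (total >> m) & ((1 << m) - 1)


def mod_mersenne(x: int, m: int) -> int:
    """x mod (2^m - 1) in canonical form 0 .. 2^m - 2."""
    if m < 1 or x < 0:
        raise ValueError("need m >= 1 and x >= 0")
    beta, gamma = reduce_to_two(x, m)
    y = add_stage(beta, gamma, m)
    return 0 if y == (1 << m) - 1 else y       # all-ones only appears as the alias of zero


def rotate_groups(x: int, width: int, k: int, groups: int) -> int:
    """Rotate the width-bit value x left by groups*k bits (width must be a multiple of k)."""
    if width % k:
        raise ValueError("width must be a multiple of the group size")
    s = (groups * k) % width
    mask = (1 << width) - 1
    return ((x << s) | (x >> (width - s))) & mask


def shift_check(x: int, k: int, shifter_output: int) -> bool:
    """Residue check for a group rotation: the output's residue must equal the input's."""
    return mod_mersenne(shifter_output, k) == mod_mersenne(x, k)


if __name__ == "__main__":
    x = 0x0123456789ABCDEF
    y = rotate_groups(x, 64, 8, 3)
    print(mod_mersenne((1 << 40) + 5, 8), shift_check(x, 8, y), shift_check(x, 8, y ^ (1 << 17)))
```

Why the constant 1 and the double-width copies work: with s = β + γ the sum equals s·2^m + s + 1, so shifting right by m gives s plus the carry out of s + 1; when s < 2^m − 1 that returns s unchanged, when s = 2^m − 1 it returns 0, and when s ≥ 2^m it returns s − (2^m − 1), which is the end-around-carry reduction done by one adder. A single flipped bit in the shifter output changes the value by ±2^i ≡ ±2^(i mod k), never a multiple of 2^k − 1, so the check always catches it.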

13-12-2006 publication date

COMPUTER SYSTEM, COMPUTER PROGRAM, AND ADDITION METHOD

Number: EP0001732052A1

A computer system that makes it difficult to analyze the content of a calculation. A power operation unit (262) performs the following operations using the input data a and b: g_a = g^a mod n, g_b = g^b mod n. Next, a multiplication unit (264) computes g_ab = g_a × g_b mod n. Next, a discrete logarithm calculation unit (266) calculates c_i mod (p_i − 1) satisfying g_ab = g^(c_i) mod p_i (i = 1, 2, 3, …, k). Next, a CRT unit (267) calculates c satisfying c_i = c mod (p_i − 1) (i = 1, 2, 3, …, k) using the Chinese remainder theorem (CRT).

19-03-2003 publication date

Arithmetic processor

Number: EP0001293891A2

The present invention provides an arithmetic processor comprising: an arithmetic logic unit having a plurality of arithmetic circuits each for performing a group of associated arithmetic operations the arithmetic logic unit having an operand input data bus for receiving operand data thereon and a result data output bus for returning the results of the arithmetic operations thereon. A register file is coupled to the operand data bus and the result data bus; and a controller is coupled to the ALU and the register file, the controller selecting one of the plurality of arithmetic circuits in response to a mode control signal requesting an arithmetic operation and for controlling data access between the register file and the ALU and whereby the register file is shared by the arithmetic circuits.

08-05-2002 publication date

Frequency synthesizer

Number: EP0000614158B1
Assignee: NEC CORPORATION

30-09-2019 publication date

ELECTRONIC COMPUTING DEVICE FOR PERFORMING OBFUSCATED ARITHMETIC

Number: RU2701716C2

The group of inventions relates to computing and can be used for performing obfuscated arithmetic in a commutative ring. The technical result is increased security. The device comprises a store configured to hold an increment table () defined for incrementing a ring element (1;), the increment table mapping an input ring element () to an output integer list () encoding an output ring element (), such that the output ring element equals the increment ring element ring-added to the input ring element (). Using the increment table, a ring-addition unit adds a first addition-input integer list () encoding a first addition-input ring element and a second addition-input integer list () encoding a second addition-input ring element. The device may comprise a ring-multiplication unit, which also uses ...

27-07-2013 publication date

METHOD OF COMPUTING A PHYSICAL VALUE, NUMERICAL ANALYSIS METHOD, PHYSICAL VALUE COMPUTATION PROGRAM, NUMERICAL ANALYSIS PROGRAM, PHYSICAL VALUE COMPUTATION DEVICE AND NUMERICAL ANALYSIS DEVICE

Number: RU2012102394A

... 1. A method of computing a physical value, for computing physical values in a numerical analysis method for the numerical analysis of a physical phenomenon, comprising a physical-value computation step in which physical values are computed in an analysis domain divided into a plurality of divided regions, wherein in the physical-value computation step the physical values are computed using: a discretized governing equation that uses values not requiring the vertex coordinates (Vertex) of the divided regions or vertex connectivity information (Connectivity), and which is derived on the basis of the weighted residual method; and a computational data model in which the volumes of the divided regions and boundary-surface characteristic values, indicating the characteristics of the boundary surfaces between adjacent divided regions, are provided as values not requiring the vertex coordinates (Vertex) of the divided regions or vertex connectivity information (Connectivity). 2. The method of computing a physical value ...

07-05-2018 publication date

DEVICE FOR ADDING K NUMBERS MODULO M

Number: RU2653312C1

The invention relates to automation and computing and can be used in computing structures that operate with a discrete-phase representation of the numbers of a modular (residue) number system. The technical result is increased device speed, achieved by adding the discrete phases of harmonics. The device comprises k information inputs, a harmonic-signal phase meter, a synchronisation input, k−1 phase-addition units and three device outputs. 3 figures.

17-03-2022 publication date

Method for determining the sign of a number in a residue number system

Number: RU2767450C1

The invention relates to computing. The technical result is extended functionality through independence from the order of the moduli. The method for determining the sign of a number in a residue number system, suitable for implementation by computing means, includes, for a residue number system with moduli , , …, and a triangular matrix with elements , where , , on the basis of the input value of the number ), where is the remainder of dividing the number by the modulus , computing intermediate values by computing stages, the th stage computing the expression for ; odd moduli are taken; on the basis of the input value ) an auxiliary value is computed, where and ; each th stage additionally computes the expression for ; after the values have been computed by the th computing stage, the values and are compared with /2 and /2 respectively, and if > /2, or simultaneously = /2 and /2, the original number is considered negative, otherwise positive. 2 tables.

19-09-2022 publication date

Distributed data storage system

Number: RU2780148C1

The invention relates to modular computing systems and is intended for preparing source files for reliable distributed storage by converting them into a residue number system, and for recovering files received from the distributed environment in the event of an error or of one of the file parts not being received. The technical result is reduced hardware and time overhead for correcting errors in modular numbers obtained from distributed data storage systems. The system comprises n+1 registers storing residues modulo p_i, where n is the number of working moduli p_i of the residue number system, n+1 multiplication-by-k_i units, a product adder and an error-correction unit, the error-correction unit comprising a comparison unit and n+2 multiplexers, n+1 units for finding residues modulo p_i, a distributed store, a unit for finding the residue modulo , and n+1 units for finding residues modulo , where is the working range and is the full range of the residue number system, , in the multiplication units ...

25-05-2023 publication date

COMPUTING DEVICE

Number: RU2796555C1

The computing device relates to computing and can be used in digital computing devices, digital signal processing devices, cryptographic applications, and devices for generating code sequences whose construction is based on finite-field theory. The technical result is faster formation of the remainder of a number modulo a modulus and of the partial quotient. The device comprises two n/2-bit shift registers and a quotient-and-remainder formation unit containing three adders, a four-input multiplexer, a remainder code register and two n/2-bit shift registers. 3 figures, 2 tables.

26-06-2023 publication date

COMPUTING DEVICE

Number: RU2798746C1

The invention relates to digital signal processing. The technical result is faster formation of the remainder of a number modulo a modulus and of the partial quotient. The technical result is achieved in that the device comprises two n/2-bit shift registers and a quotient-and-remainder formation unit, the quotient-and-remainder formation unit comprising three comparators, a multiplexer, an OR gate, an adder, a remainder code register and two n/2-bit shift registers, the multiplexer comprising two inverters, two AND gates, three switches, a block of OR gates and two OR gates, n being the number of bits in the representation of the numbers. 3 figures, 2 tables.

30-09-2021 publication date

COMPUTING DEVICE

Number: RU2756408C1

The invention relates to computing. The technical result of the invention is increased speed of a device for computing a residue modulo a modulus and a partial quotient. Disclosed is a computing device for finding the residue modulo a modulus and the partial quotient, which computes the residue R of a number A modulo P by sequentially performing (n/2 − 1) operations, where n is the number of bits of the input number A, according to the expression: R = (2^2·(2^2·…(2^2·(a_{n−1}·2 + a_{n−2}) + (a_{n−3}·2 + a_{n−4})) + … + (a_3·2 + a_2)) + (a_1·2 + a_0)) mod P, where the a_i are the coefficients of the binary representation of A. 2 figures, 4 tables.

31-07-2019 publication date

ARITHMETIC LOGIC UNIT FOR FORMING THE RESIDUE OF A NUMBER MODULO AN ARBITRARY MODULUS

Number: RU2696223C1

The invention relates to computing. The technical result is reduced power consumption. The device comprises three n-bit registers, where n is the bit width of the input numbers, an inverter, an (n+1)-bit adder, a multiplexer, an electronic switch, n-bit input and output buses, and a control-unit module. 2 figures.

24-07-2003 publication date

Calculation of a modulo value, especially for use in a UMTS communication system, using an integer hypothesis that enables faster implementation of the modulo operation

Number: DE0010200133A1

Method for calculating a modulo operation, a mod p, using a table (1) that contains the values n·p for n = 1, 2, …. An integer hypothesis n_H is calculated for the unknown value n. Then the values n_H·p and the adjoining values are determined. The values a − n_H·p and the adjoining values are also calculated and compared with zero. From the comparison a value for n is determined. The invention also relates to a corresponding device.

25-08-2011 publication date

Scale-invariant Barrett reduction for elliptic curve cryptography

Number: DE102008030586B4
Assignee: INTEL CORP

Method executed in a public-key encryption unit, comprising: computing an N-bit scaled reduction parameter based on a k-bit modulus m, where N is greater than k; and performing a Barrett reduction using the N-bit scaled reduction parameter on an N-bit scaled result generated by means of an N-bit scaled modulus, in order to reduce the N-bit scaled result to a k-bit result with respect to the k-bit modulus m.
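Added example (not Intel's code) of a Barrett reduction whose parameter is computed at a chosen width N that may exceed the modulus size k, as the claim describes. It uses the full product x·μ shifted by 2N rather than the truncated multiplier of textbook Barrett; that costs a wider multiply but keeps the quotient estimate at most one short of the true quotient for any N ≥ k, so a single conditional subtraction finishes the job. The modulus 2^255 − 19 is the Curve25519 field prime; the scaled widths and test values are my choices.

```python
"""Barrett reduction with a reduction parameter computed at a scaled width
N >= bit_length(m). Added example; the full-width quotient estimate is a
simplification of textbook Barrett, not the patent's exact datapath."""
from typing import Tuple


def barrett_parameter(m: int, N: int) -> int:
    """mu = floor(2^(2N) / m) for a modulus m handled at scaled width N bits."""
    if m <= 0 or N < m.bit_length():
        raise ValueError("need m > 0 and N >= bit_length(m)")
    return (1 << (2 * N)) // m


def barrett_reduce(x: int, m: int, mu: int, N: int) -> Tuple[int, int]:
    """Reduce 0 <= x < 2^(2N) modulo m with one multiply, one shift and at most
    one subtraction. Returns (x mod m, number_of_corrections).

    q_est = floor(x*mu / 2^(2N)) satisfies q - 1 <= q_est <= q for the true
    quotient q, because mu > 2^(2N)/m - 1 and x < 2^(2N).
    """
    if not 0 <= x < (1 << (2 * N)):
        raise ValueError("x must be below 2^(2N)")
    q_est = (x * mu) >> (2 * N)
    r = x - q_est * m                          # 0 <= r < 2m
    corrections = 0
    if r >= m:                                 # single conditional subtraction
        r -= m
        corrections = 1
    return r, corrections


P25519 = 2 ** 255 - 19                         # Curve25519 field prime, k = 255 bits


if __name__ == "__main__":
    for N in (256, 320):                       # same modulus, two scaled widths
        mu = barrett_parameter(P25519, N)
        print(N, barrett_reduce((P25519 - 1) ** 2, P25519, mu, N))
```

The conditional subtraction is the one data-dependent step; in a side-channel-hardened datapath it is done as an unconditional subtract-and-select (compute r − m, select by the borrow) rather than a branch, which the single-correction bound makes cheap.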

28-05-2003 publication date

METHOD AND APPARATUS FOR DETERMINING THE MODULO OF NON-POWER OF TWO NUMBERS

Number: GB0002382420A

When calculating a mod-b, the apparatus includes an excess calculator arranged to calculate the next power of two higher than b to give an estimate of the number of wraps and to shift a, in binary, to the right by the estimated number of wraps to derive an excess. A subtractor is arranged to subtract the product of b and the excess from a to derive the result.

15-05-2007 publication date

METHOD AND DEVICE FOR PROCESSING CRYPTOGRAPHIC OPERATIONS WITH ARBITRARY KEY BIT LENGTHS AT COMPARABLE EFFICIENCY

Number: AT0000361603T

29-03-2012 publication date

Key Agreement and Transport Protocol with Implicit Signatures

Number: US20120079274A1
Assignee: Certicom Corp

A key establishment protocol between a pair of correspondents includes the generation by each correspondent of respective signatures. The signatures are derived from information that is private to the correspondent and information that is public. After exchange of signatures, the integrity of exchange messages can be verified by extracting the public information contained in the signature and comparing it with information used to generate the signature. A common session key may then be generated from the public and private information of respective ones of the correspondents.

12-04-2012 publication date

Modulo operation method and apparatus for same

Number: US20120089658A1
Assignee: SAMSUNG ELECTRONICS CO LTD

The present invention provides a modulo operation method. The modulo operation method, in a case where the square of a divisor N is greater than or equal to a dividend C, includes: determining the number of computation stages n satisfying 2^n < N ≦ 2^(n+1); performing an initialization operation by initializing a constant a to the smallest integer greater than or equal to half of N; performing a first operation by subtracting, when C is greater than or equal to N·a (product of N and a), the value of C by the value of N·a; and performing a second operation by assigning the smallest integer greater than or equal to half of a to the value of a, wherein the value of C is output as the result of modulo operation after the first operation and the second operation are repeated n times. In the first operation, when C is less than N·a, the value of C is unchanged. In the modulo operation method and apparatus of the present invention, the amount of computation in a modulo operation or division operation does not increase in linear proportion to the magnitude of the divisor N but increases in proportion to log N. As a result, the total amount of computation decreases and computation speed increases.

Publication date: 31-05-2012

Key Agreement and Transport Protocol

Number: US20120137133A1
Author: Marinus Struik
Assignee: Certicom Corp

A key establishment protocol includes the generation of a value of cryptographic function, typically a hash, of a session key and public information. This value is transferred between correspondents together with the information necessary to generate the session key. Provided the session key has not been compromised, the value of the cryptographic function will be the same at each of the correspondents. The value of the cryptographic function cannot be compromised or modified without access to the session key.

Publication date: 21-06-2012

Modular exponentiation resistant against skipping attacks

Number: US20120159189A1
Author: Marc Joye
Assignee: Individual

An exponentiation method resistant against skipping attacks. A main idea of the present invention is to evaluate, in parallel with the exponentiation such as y = g^d, a value based on the exponent, e.g. f = d·1. These evaluations are performed using the same exponentiation algorithm by "gluing" together the group operations underlying the computation of y and f so that a perturbation to one operation also perturbs the other. This makes it possible to verify that f indeed equals d before returning the result. Also provided are an apparatus and a computer program product.

Publication date: 11-10-2012

Strengthened public key protocol

Number: US20120257758A1
Assignee: Individual

A method of determining the integrity of a message exchanged between a pair of correspondents. The message is secured by embodying the message in a function of a public key derived from a private key selected by one of the correspondents. The method comprises first obtaining the public key. The public key is then subjected to at least one mathematical test to determine whether the public key satisfies predefined mathematical characteristics. Messages utilizing the public key are accepted if the public key satisfies the predefined mathematical characteristics.

Publication date: 18-10-2012

Montgomery multiplication circuit

Number: US20120265794A1
Author: Michael NIEL
Assignee: Inside Secure SA

A circuit for calculating a sum of products, each product having a q-bit binary operand and a k-bit binary operand, where k is a multiple of q, includes a q-input carry-save adder (CSA); a multiplexer (10) per input of the adder, having four k-bit channels respectively receiving the value 0, a first (Y_i) of the k-bit operands, the second k-bit operand (M[63:0], m_i), and the sum of the two k-bit operands, the output of a multiplexer of rank t (where t is between 0 and q−1) being taken into account by the adder with a t-bit left shift; and each multiplexer having first and second path selection inputs, the bits of a first of the q-bit operands being respectively supplied to the first selection inputs, and the bits of the second q-bit operand being respectively supplied to the second selection inputs.

Publication date: 15-11-2012

Finite field cryptographic arithmetic resistant to fault attacks

Number: US20120288086A1
Assignee: NXP BV

Various embodiments relate to a method for integrity protected calculation of a cryptographic function including: performing an operation c = a∘b in a cryptographic function f(x_1, x_2, ..., x_n) defined over a commutative ring R; choosing a′ and b′ corresponding to a and b such that a′ and b′ are elements of a commutative ring R′; computing c′ = a′∘′b′; computing a″ = CRT(a, a′) and b″ = CRT(b, b′), where CRT is the Chinese Remainder Theorem; computing c″ = a″∘″b″; mapping c″ into R′; and determining if the mapping of c″ into R′ equals c′.

Publication date: 03-01-2013

Simultaneous Scalar Multiplication Method

Number: US20130003964A1
Assignee: Certicom Corp

In computing point multiples in elliptic curve schemes (e.g. kP and sQ) separately using, for example, Montgomery's method for the purpose of combining kP+sQ, several operations that could be executed at the same time are repeated in computing kP and sQ individually. A simultaneous scalar multiplication method is provided that reduces the overall number of doubling and addition operations, thereby providing an efficient method for multiple scalar multiplication. The elements in the pairs for P and Q are combined into a single pair, and the bits in k and s are evaluated at each step as bit pairs. When the bits in k and s are equal, only one doubling operation and one addition operation are needed to compute the current pair, and when the bits in k and s are not equal, only one doubling operation and two addition operations are needed.

Publication date: 09-05-2013

Method and apparatus for improving digital signatures

Number: US20130117569A1
Assignee: Nokia Oyj

Systems and methods are provided for enhancing pseudo random number generation to thwart various security attacks on a system that relies on digital signature security measures. For example, a random number may be bound to a message that is to be signed using a digital signature. Alternatively, a random number may be bound to a secret seed value, which may be updated subsequent to each signing. Alternatively still, a random number may be bound to both the message to be signed using a digital signature and a secret seed value.

Publication date: 13-06-2013

Computing the eth root of a number using a variant of the rsa algorithm (for even e's)

Number: US20130148809A1
Assignee: International Business Machines Corp

An E-th root unit is configured to compute an E-th root of a number A with a machine. The E-th root unit locates a value E, which is even, in a first entry of a plurality of entries of a structure. The E-th root unit is configured to read a product of the pair of prime numbers from the first entry. The E-th root unit is configured to read a second of the pair of key values in the first entry. The E-th root unit is configured to encrypt the number A using the product of the pair of prime numbers to generate an encrypted value. The E-th root unit is configured to apply a decryption operation to the encrypted value using the second of the pair of key values to generate an intermediate value. The E-th root unit is configured to compute a square root of the intermediate value.

Publication date: 01-08-2013

METHODS OF CALCULATING NEGATIVE INVERSE OF MODULUS

Number: US20130198253A1
Assignee: SAMSUNG ELECTRONICS CO., LTD.

Provided is a method of calculating a negative inverse of a modulus, wherein the negative inverse, which is an essential element in Montgomery multiplication, is quickly obtained. The method includes setting a modulus, defining P obtained by converting the modulus to a negative number, and defining S obtained by subtracting 1 from P, and calculating a negative inverse of the modulus by using P and S. 1. A method of calculating a negative inverse of a modulus M_0, the method comprising: setting a modulus M_0; defining P obtained by converting the modulus M_0 to a negative number, and defining S obtained by subtracting 1 from P; and calculating a negative inverse V_0 of the modulus M_0 by using P and S, wherein the calculating of the negative inverse comprises: dividing S by 2; assigning a value of a least significant bit (LSB) of S divided by 2 as a value of the LSB that is not determined among the bits forming the negative inverse V_0 of the modulus M_0; and replacing S by a value obtained by adding a value obtained by dividing S by 2 to a value obtained by multiplying P by the value of the LSB of the divided S, wherein the setting, defining, and calculating steps are performed by at least one processor. 2. The method of claim 1, wherein k bits are equally assigned to the modulus M_0 and the negative inverse V_0 of the modulus M_0, wherein k is equal to or below a number of bits assigned to the entire modulus. 3. The method of claim 2, wherein in the calculating of the negative inverse V_0, a least significant bit (LSB) of the negative inverse V_0 through a most significant bit (MSB) of the negative inverse V_0 are sequentially calculated. 4. The method of claim 1, further comprising repeating the dividing, the assigning, and the replacing until the MSB of the negative inverse V_0 of the modulus M_0 is obtained. 6. The method of claim 1, further comprising storing the negative inverse V_0 of ...

Publication date: 19-09-2013

Quantum Arithmetic On Two-Dimensional Quantum Architectures

Number: US20130246495A1
Assignee: Microsoft Corp

2D nearest-neighbor quantum architectures for Shor's factoring algorithm may be accomplished using three arithmetic building blocks: modular addition using Gossett's carry-save addition, modular multiplication using Montgomery's method, and non-modular multiplication using an original method. These arithmetic building blocks may assume that ancillae are cheap, that concurrent control may be available and scalable, and that execution time may be the bottleneck. Thus, the arithmetic building blocks may be optimized in favor of circuit width to provide improved depth over existing nearest-neighbor implementations.

Publication date: 21-11-2013

MODULAR ARITHMETIC UNIT AND SECURE SYSTEM INCLUDING THE SAME

Number: US20130311531A1
Assignee: SAMSUNG ELECTRONICS CO., LTD.

A modular arithmetic unit includes a first input generator receiving first data to generate a first operand; a second input generator receiving second data to generate a second operand; an accumulator performing an accumulate/shift operation to add the first and second operands and outputting the carry and sum; a carry propagation adder adding the carry and the sum to output a result; and a data handler receiving either external data or the result and outputting the first data and the second data. 1. A modular arithmetic unit comprising: a first input generator configured to receive first data to generate a first operand; a second input generator configured to receive second data to generate a second operand; an accumulator configured to perform an accumulate/shift operation on the first and second operands respectively received from the first input generator and the second input generator to output a carry and sum; a carry propagation adder configured to add the carry and the sum received from the accumulator to output a result; and a data handler configured to receive external data or the result from the carry propagation adder and output the first data and the second data. 2. The modular arithmetic unit of claim 1, wherein the first input generator comprises: a first operand multiplexer configured to select one of the first data and a previous first data; a first operand register configured to store the selected first data; and a first operand logic configured to output a multiple of the stored first data, and wherein the second input generator comprises: a second operand multiplexer configured to select one of the second data and a previous second data; a second operand register configured to store the selected second data; and a second operand logic configured to output a multiple of the stored second data. 3. The modular arithmetic unit of claim 2, wherein when performing a Montgomery multiplication operation, the first operand is a product of a multiplicand by a ...

Publication date: 21-11-2013

MODULAR MULTIPLIER AND MODULAR MULTIPLICATION METHOD THEREOF

Number: US20130311533A1
Assignee: SAMSUNG ELECTRONICS CO., LTD.

A modular multiplier and a modular multiplication method are provided. The modular multiplier includes: a first register which stores a previous accumulation value calculated at a previous cycle; a second register which stores a previous quotient calculated at the previous cycle; a quotient generator which generates a quotient using the stored previous accumulation value output from the first register; and an accumulator which receives an operand, a bit value of a multiplier, the stored previous accumulation value, and the stored previous quotient to calculate an accumulation value in a current cycle, wherein the calculated accumulation value is updated to the first register, and the generated quotient is updated to the second register. 1. A modular multiplier comprising: a first register which stores a previous accumulation value calculated at a previous cycle; a second register which stores a previous quotient calculated at the previous cycle; a quotient generator which generates a quotient, which is not used in a current cycle, using the stored previous accumulation value output from the first register; and an accumulator which receives an operand, a bit value of a multiplier, the stored previous accumulation value, and the stored previous quotient to calculate an accumulation value in the current cycle, wherein the calculated accumulation value is updated to the first register, and wherein the generated quotient is updated to the second register. 2. The modular multiplier of claim 1, wherein in the current cycle, an operation of generating the quotient by the quotient generator and an operation of calculating the accumulation value by the accumulator are independently performed. 3. The modular multiplier of claim 2, wherein: the generated quotient satisfies a mathematical formula of q_{i−1} = (m′ × s_{i−1} mod 2^(2k)) div 2^k, where q_{i−1} is the generated quotient, m′ is (−m′ × M) mod 2^(2k) ≡ 1, M is a modulus, k is a ...

Publication date: 13-03-2014

Method for testing the security of an electronic device against an attack, and electronic device implementing countermeasures

Number: US20140075203A1
Assignee: Oberthur Technologies SA

A method of testing security of an electronic device against a combination of a side-channel attack and a fault-injection attack implemented during a method of cryptographic processing that includes: delivering a message signature based on a secret parameter and implementing a recombination of at least two intermediate values according to the Chinese remainder theorem; and verifying the signature on the basis of at least one public exponent. The method of testing includes: transmitting a plurality of messages to be signed by said electronic device; disturbing each message, including modifying the message by inserting an identical error for each message, before executing a step of determining one of the intermediate values; and analyzing physical measurements, obtained during the step of verifying the signature as a function of the message to be signed, the identical error for each message, and an assumption of a value of part of the secret parameter.

Publication date: 07-01-2016

METHOD FOR IMPLEMENTING PRECOMPUTATION OF LARGE NUMBER IN EMBEDDED SYSTEM

Number: US20160004511A1
Author: Lu Zhou, Yu Huazhang
Assignee: FEITIAN TECHNOLOGIES CO., LTD.

Disclosed is a method for implementing precomputation of a large number in an embedded system. A modulo module, a modulo adding module, and a Montgomery modular multiplier are invoked according to a data format of a modulus length and a value of each data bit of a binary number corresponding to the modulus length, to perform an iterative operation, so that a precomputation result of a large number can be obtained when the modulus length is an arbitrary value, thereby improving the data processing speed. 1. A method for realizing pre-computation for a large number in an embedded system, comprising: SA1 comprising: reading data in a first register, and writing the data which is read into a first random access memory; reading data in a second register, and writing the data which is read into a second random access memory; wherein the first register is configured to store a first data, the second register is configured to store a second data, the second data is a power with 2 as its base number and a third data as its exponent, the third data is an integer; SA2 comprising: invoking a module for modulo to perform an operation on the data in the first random access memory and the data in the second random access memory, and writing a result which is obtained from the operation into a third register and a fourth register respectively; wherein the module for modulo is configured to perform a modulo operation with the data in the second random access memory mod the data in the first random access memory; SA3 comprising: reading data in the third register, and writing the data which is read into a third random access memory and a fourth random access memory respectively; reading data in the first register, and writing the data which is read into a fifth random access memory; SA4 comprising: invoking a modulo addition module to perform an operation on the data in the third random access memory, the data in the fourth random access memory and the data in the fifth random access memory, ...

Publication date: 02-01-2020

INTEGRATED CIRCUITS WITH MODULAR MULTIPLICATION CIRCUITRY

Number: US20200004506A1
Assignee: Intel Corporation

An integrated circuit may be provided with a modular multiplication circuit. The modular multiplication circuit may include an input multiplier for computing the product of two input signals, truncated multipliers for computing another product based on a modulus value and the product, and a subtraction circuit for computing a difference between the two products. An error correction circuit may use the difference to look up an estimated quotient value and to subtract out an integer multiple of the modulus value from the difference in a single step, wherein the integer multiple is equal to the estimated quotient value. A final adjustment stage may be used to remove any remaining residual estimation error. 1. An integrated circuit, comprising: a first input port configured to receive a first input signal; a second input port configured to receive a second input signal; a third input port configured to receive a modulus value; an input multiplier configured to multiply the first input signal by the second input signal to generate a corresponding first product; a plurality of reduction multipliers configured to generate a second product using the first product and the modulus value; a subtraction circuit configured to compute a difference between the first and second products; and an error correction circuit configured to remove an estimated integer multiple of the modulus value from the difference in a single step. 2. The integrated circuit of claim 1, wherein the plurality of reduction multipliers comprise a first truncated multiplier that only partially computes a number of most significant bits (MSBs). 3. The integrated circuit of claim 2, wherein the plurality of reduction multipliers further comprise a second truncated multiplier that only partially computes a number of least significant bits (LSBs). 4. The integrated circuit of claim 2, wherein the first truncated multiplier has a first input terminal configured to receive only upper bits of the first product. 5. The ...

Publication date: 07-01-2021

CALCULATING DEVICE

Number: US20210004238A1
Assignee: KABUSHIKI KAISHA TOSHIBA

According to one embodiment, a calculating device includes a first memory, a second memory, a third memory, a first arithmetic module, a second arithmetic module, a first conductive line electrically connecting a first output terminal of the first memory and a first input terminal of the first arithmetic module, a second conductive line electrically connecting a second output terminal of the first memory and a first input terminal of the second arithmetic module, a third conductive line electrically connecting a first output terminal of the second memory and a second input terminal of the second arithmetic module, a fourth conductive line electrically connecting a first output terminal of the third memory and a third input terminal of the second arithmetic module, and a fifth conductive line electrically connecting a first output terminal of the second arithmetic module and a second input terminal of the first arithmetic module. 1-16. (canceled) 17. A calculating device, comprising: a first memory; a second memory; a third memory; a first arithmetic module; and a second arithmetic module, wherein the first memory stores a first variable group {x}, the second memory stores a second variable group {y}, the third memory stores a first parameter group {J}, the first variable group {x} includes N (N being an integer of 2 or more) i-th entries of a first variable x_i (i being an integer not less than 1 and not more than N), the second variable group {y} includes N i-th entries of a second variable y_i (i being an integer not less than 1 and not more than N), the first parameter group {J} includes N×N first parameters J_{l,m} (l being an integer not less than 1 and not more than N, and m being an integer not less than 1 and not more than N), the first arithmetic module updates the i-th entry of the first variable x_i based on the i-th entry of the second variable y_i, the second arithmetic module updates the i-th entry of the second variable y_i based on at least a part of the ...

Publication date: 13-01-2022

LOW-LATENCY DIGITAL SIGNATURE PROCESSING WITH SIDE-CHANNEL SECURITY

Number: US20220012334A1
Assignee: Intel Corporation

A low-latency digital signature with side-channel security is described. An example of an apparatus includes a coefficient multiplier circuit to perform polynomial multiplication, the coefficient multiplier circuit providing Number Theoretic Transform (NTT) and INTT (Inverse NTT) processing; and one or more accessory operation circuits coupled with the coefficient multiplier circuit, each of the one or more accessory operation circuits to perform a computation based at least in part on a result of an operation of the NTT/INTT coefficient multiplier circuit, wherein the one or more accessory operation circuits are to receive results of operations of the NTT/INTT coefficient multiplier circuit prior to the results being stored in a memory. 1. An apparatus comprising: a coefficient multiplier circuit to perform polynomial multiplication, the coefficient multiplier circuit providing Number Theoretic Transform (NTT) and INTT (Inverse NTT) processing; and one or more accessory operation circuits coupled with the coefficient multiplier circuit, each of the one or more accessory operation circuits to perform a computation based at least in part on a result of an operation of the NTT/INTT coefficient multiplier circuit; wherein the one or more accessory operation circuits are to receive results of operations of the NTT/INTT coefficient multiplier circuit prior to the results being stored in a memory. 2. The apparatus of claim 1, wherein the one or more accessory operation circuits are to perform the accessory operations in a same cycle as the operations of the NTT/INTT coefficient multiplier circuit. 3. The apparatus of claim 2, wherein the performance of the one or more accessory operations overlaps at least in part with one or more other operations of the apparatus. 4. The apparatus of claim 1, wherein the polynomial multiplication includes multiplying a private polynomial with a public polynomial. 5. The apparatus of claim 1, wherein the computation by the one or more accessory ...

Publication date: 03-01-2019

MIXED-COORDINATE POINT MULTIPLICATION

Number: US20190004770A1
Assignee: Intel Corporation

In one embodiment, an apparatus comprises a multiplier circuit to: identify a point multiply operation to be performed by the multiplier circuit, wherein the point multiply operation comprises point multiplication of a first plurality of operands; identify a point add operation associated with the point multiply operation, wherein the point add operation comprises point addition of a second plurality of operands, wherein the second plurality of operands comprises a first point and a second point, and wherein the first point and the second point are associated with a first coordinate system; convert the second point from the first coordinate system to a second coordinate system; perform the point add operation based on the first point associated with the first coordinate system and the second point associated with the second coordinate system; and perform the point multiply operation based on a result of the point add operation. 1. An apparatus, comprising: a multiplier circuit to: identify a point multiply operation to be performed by the multiplier circuit, wherein the point multiply operation comprises point multiplication of a first plurality of operands; identify a point add operation associated with the point multiply operation, wherein the point add operation comprises point addition of a second plurality of operands, wherein the second plurality of operands comprises a first point and a second point, and wherein the first point and the second point are associated with a first coordinate system; convert the second point from the first coordinate system to a second coordinate system; perform the point add operation based on the first point associated with the first coordinate system and the second point associated with the second coordinate system; and perform the point multiply operation based on a result of the point add operation. 2. The apparatus of claim 1, wherein the first coordinate system comprises an Affine coordinate system, ...

Publication date: 12-01-2017

METHOD, DEVICE AND NON-TRANSITORY COMPUTER-READABLE MEDIUM FOR CRYPTOGRAPHIC COMPUTATION

Number: US20170010866A1
Author: Kaluzhny Uri
Assignee:

A method, a device and a non-transitory computer-readable medium for cryptographic computation are provided. The method for computation includes: receiving, in a Montgomery multiplier circuit having a predefined block size, a pair of operands A and B and a modulus M for computation of a Montgomery product of A and B mod M; specifying a number n of blocks of the predefined block size to be used in the computation; computing a blinded modulus M′ as a multiple of the modulus M by a random factor R, M′ = R*M, while selecting R so that the length of M′ is less than n times the block size by at least two bits; and operating the Montgomery multiplier circuit to compute and output the Montgomery product of A and B mod M′. 1. A method for cryptographic computation, comprising: receiving, in a Montgomery multiplier circuit having a predefined block size, a pair of operands A and B and a modulus M for computation of a Montgomery product of A and B mod M; specifying a number n of blocks of the predefined block size to be used in the computation, wherein n is an integer greater than 1; computing a blinded modulus M′ as a multiple of the modulus M by a random factor R, while selecting R so that the length of M′ is less than n times the block size by at least two bits; and operating the Montgomery multiplier circuit to compute and output the Montgomery product of A and B mod M′. 2. The method according to claim 1, wherein operating the Montgomery multiplier circuit comprises performing n iterations of a computational loop so as to generate a result equivalent to the Montgomery product of A and B mod M upon conclusion of the n iterations without performing a conditional modular reduction of the result. 3. The method according to claim 2, further comprising: feeding the result as an operand to the Montgomery multiplier circuit for a further operation without performing the conditional modular reduction. 4. The method according to claim 1, further comprising: selecting at least one other ...

Publication date: 12-01-2017

MONTGOMERY MODULAR MULTIPLICATION DEVICE AND EMBEDDED SECURITY CHIP WITH SAM

Number: US20170010867A1
Assignee:

A Montgomery modular multiplication device and an embedded security chip. The Montgomery modular multiplication device includes a first Montgomery modular multiplication module, a power calculation module and a second Montgomery modular multiplication module. The first Montgomery modular multiplication module obtains a first operation result A according to two first preset parameters. The power calculation module obtains a second operation result B according to the first operation result A output by the first Montgomery modular multiplication module, the first preset parameters, the second preset parameter and a power calculation function. The first Montgomery modular multiplication module further obtains a Montgomery modular multiplication conversion coefficient according to the first operation result A and the second operation result B. The second Montgomery modular multiplication module obtains a final modular multiplication result according to a first input parameter NA, a second input parameter NB and the Montgomery modular multiplication conversion coefficient. 1. A Montgomery modular multiplication device, wherein said Montgomery modular multiplication device comprises: a first storage module which is used for storing two first preset parameters and a second preset parameter, wherein the first preset parameter is a constant 1, the second preset parameter is W-4 (W=φ(N), wherein φ is an Euler function and N is a modulus in Montgomery modular multiplication), and the second preset parameter is only related to the modulus N; a first Montgomery modular multiplication module which is used for obtaining a first operation result A according to two first preset parameters; a power calculation module which is used for obtaining a second operation result B according to the first operation result A output by the first Montgomery modular multiplication module, the first preset parameters, the second preset parameter and a power calculation function, wherein ...

Publication date: 11-01-2018

RANDOM NUMBER GENERATION APPARATUS, RANDOM NUMBER GENERATION METHOD AND PROGRAM

Number: US20180011691A1
Author: Ikarashi Dai

A random number acquiring unit obtains a first sequence that comprises values of digits of a random number represented by a binary number as elements. A logical product arithmetic unit obtains a third sequence that is results of elementwise logical product operation between the first sequence and a second sequence that comprises values of digits of one or more Mersenne numbers represented by one or more binary numbers and a zero value as elements. 1: A random number generation apparatus comprising:a random number acquiring unit obtaining a first sequence that comprises values of digits of a random number represented by a binary number as elements; anda logical product arithmetic unit obtaining a third sequence that is results of elementwise logical product operation between the first sequence and a second sequence that comprises values of digits of one or more Mersenne numbers represented by one or more binary numbers and a zero value as elements.2: The random number generation apparatus according to claim 1 , wherein the first sequence comprises a first subsequence; a second subsequence comprised in the second sequence indicates any of the Mersenne numbers; the third sequence comprises a third subsequence that is results of elementwise logical product operation between the first subsequence and the second subsequence; and the processes of the random number acquiring unit and the logical product arithmetic unit are executed again when the second subsequence matches the third subsequence.3: The random number generation apparatus according to claim 1 , wherein the first sequence comprises a first subsequence; a second subsequence comprised in the second sequence indicates any of the Mersenne numbers; the third sequence comprises a third subsequence that is results of elementwise logical product operation between the first subsequence and the second subsequence; and the processes of the random number acquiring unit and the logical product arithmetic unit are executed 
...
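The retry rule of claim 2 is rejection sampling: AND-ing a random word with M_k = 2^k − 1 leaves 2^k equally likely values, exactly one of which (M_k itself) is not a residue modulo M_k, so discarding that single value and redrawing gives an unbiased residue, whereas reducing the word modulo M_k would make residue 0 twice as likely. The following Python is an added illustration, not the patent's own code; `secrets.randbits` is the assumed production bit source, and the scripted source is constructed test data so the rejection path can be exercised deterministically.

```python
import secrets
from typing import Callable, Dict, Iterable

def mersenne(k: int) -> int:
    """M_k = 2**k - 1: k one-digits, e.g. mersenne(3) == 0b111."""
    return (1 << k) - 1

def uniform_mod_mersenne(k: int, randbits: Callable[[int], int] = secrets.randbits,
                         word_bits: int = 64) -> int:
    """Uniform residue in [0, M_k - 1] with M_k = 2**k - 1.

    The random word (first sequence) is AND-ed with M_k padded by zero digits
    (second sequence); the result (third sequence) is one of 2**k equally
    likely values.  Exactly one of them, M_k itself, is not a residue modulo
    M_k, so when the third sequence equals the mask the whole draw is
    repeated (claim 2).  Every surviving value has probability 1/(2**k - 1)."""
    if not 1 <= k <= word_bits:
        raise ValueError("k must be between 1 and the source word width")
    mask = mersenne(k)
    while True:
        third = randbits(word_bits) & mask
        if third != mask:
            return third

def biased_mod_mersenne(k: int, randbits: Callable[[int], int] = secrets.randbits,
                        word_bits: int = 64) -> int:
    """The shortcut to avoid: reducing the word modulo M_k.  The words 0 and
    M_k (and 2*M_k, ...) all land on residue 0, so 0 is over-represented."""
    return randbits(word_bits) % mersenne(k)

class ScriptedBits:
    """Deterministic stand-in for secrets.randbits (constructed test data):
    hands out the given words in order and counts the draws."""
    def __init__(self, words: Iterable[int]) -> None:
        self._words = iter(words)
        self.draws = 0

    def __call__(self, n: int) -> int:
        self.draws += 1
        return next(self._words) & ((1 << n) - 1)

def histogram(sampler: Callable[..., int], k: int, source: Callable[[int], int],
              samples: int) -> Dict[int, int]:
    """Residue frequencies over `samples` calls of sampler(k, randbits=source)."""
    counts: Dict[int, int] = {}
    for _ in range(samples):
        v = sampler(k, randbits=source)
        counts[v] = counts.get(v, 0) + 1
    return counts

if __name__ == "__main__":
    # a uniform element of GF(2**61 - 1), the Mersenne prime field often used for hashing
    print(uniform_mod_mersenne(61))
```

With a 64-bit source and k = 61 the expected number of redraws is 2^{-61} per sample, so the rejection loop costs nothing in practice but removes the bias entirely.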

Publication date: 09-01-2020

ELLIPTIC CURVE ISOGENY BASED KEY AGREEMENT PROTOCOL

Number: US20200014534A1
Assignee: Koninklijke Phlips N.V.

An electronic key pre-distribution device for configuring multiple network nodes with local key information is provided. The key pre-distribution device applies at least a first hash function and a second hash function to a digital identifier of a network node. The first and second hash functions map the digital identifier to a first public point (H_1(ID)) and a second public point (H_2(ID)) on a first elliptic curve and a second elliptic curve. A first and a second secret isogeny are applied to the first and second public elliptic curve points to obtain a first private elliptic curve point and a second private elliptic curve point, which form part of the private key material for the network node.

1. An electronic key pre-distribution device for configuring multiple network nodes with local key information, the key pre-distribution device comprising: a storage comprising information representing a first secret isogeny (φ_1; s_1) for a first elliptic curve (E_1) and a second secret isogeny (φ_2; s_2) for a second elliptic curve (E_2), an isogeny being arranged to receive a point on an elliptic curve and to produce a point on an elliptic curve as output; and a processor circuit configured to: obtain a digital identifier (ID) for a network node; apply at least a first hash function and a second hash function to the digital identifier, the first and second hash functions mapping the digital identifier to a first public point (H_1(ID)) and a second public point (H_2(ID)) on the first elliptic curve and the second elliptic curve, the first elliptic curve being different from the second elliptic curve, the first and second public points being part of public key material for the network node; apply the first and second secret isogeny to the first and second public elliptic curve points, thus obtaining a first private elliptic curve point and a second private elliptic curve point being part of private key material for the network node; and
...

Publication date: 03-02-2022

APPLICATIONS OF AND TECHNIQUES FOR QUICKLY COMPUTING A MODULO OPERATION BY A MERSENNE OR A FERMAT NUMBER

Number: US20220035599A1

Various embodiments include a modulo operation generator associated with a cache memory in a computer-based system. The modulo operation generator generates a first sum by performing an addition and/or a subtraction function on an input address. A first portion of the first sum is applied to a lookup table that generates a correction value. The correction value is then added to a second portion of the first sum to generate a second sum. The second sum is adjusted, as needed, to be less than the divisor. The adjusted second sum forms a residue value that identifies the cache memory slice in which the input data value corresponding to the input address is stored. By generating the residue value in this manner, the cache memory efficiently distributes input data values among the slices even when the number of slices is not a power of two.

1. A computer-implemented method for performing a modulo operation, the method comprising: performing a first set of summations on an input value associated with the modulo operation to generate a first sum; accessing a correction value associated with a first portion of the first sum; performing a second set of summations on the correction value and a second portion of the first sum to generate a second sum; and generating a result of the modulo operation based on the second sum.
2. The computer-implemented method of claim 1, wherein a divisor of the modulo operation is a Mersenne number, and wherein performing the first set of summations on the input value comprises: dividing the input value into a set of coefficients; and adding a first coefficient included in the set of coefficients to a second coefficient included in the set of coefficients.
3. The computer-implemented method of claim 1, wherein a divisor of the modulo operation is a Mersenne number, and wherein accessing the correction value comprises retrieving the correction value from a lookup table, wherein the correction value represents a ...

Publication date: 28-01-2016

SIMPLIFIED INVERSIONLESS BERLEKAMP-MASSEY ALGORITHM FOR BINARY BCH CODE AND CIRCUIT IMPLEMENTING THEREFOR

Number: US20160026435A1
Author: HUNG Jui Hui, YEN Chih Nan
Assignee: Storart Technology Co.,Ltd.

A simplified inversionless Berlekamp-Massey algorithm for binary BCH codes and a circuit implementing the method are disclosed. The circuit includes a first register group, a second register group, a control element, an input element and a processing element. By breaking the completeness of the mathematical structure of the existing simplified inversionless Berlekamp-Massey algorithm, the number of registers used can be reduced by two compared with the conventional algorithm. Hardware complexity and operation time are reduced.

1. A circuit for implementing a simplified inversionless Berlekamp-Massey algorithm for binary BCH codes, comprising: a first register group, having 2t registers connected in series, each register receiving a calculation value of the iterative operation from the upstream end during each clock and outputting the calculation value of the iterative operation to the downstream end in the next clock; a second register group, having 2t−1 registers connected in series, each register receiving a copied value from the upstream end during each clock and outputting the copied value in the next clock or in a clock after that clock; a control element, electrically connected to the penultimate register from the most downstream end in the first register group, for receiving outputted calculation values of the iterative operation from that register and outputting the first calculation value in each iterative operation, a discrepancy value and a control signal; an input element, electrically connected to the antepenultimate register from the most downstream end in the first register group, for receiving outputted calculation values of the iterative operation from that register, electrically connected to the register at the most downstream end in the second register group, for receiving outputted copied values from that register, and selectively outputting a Galois field value of 0 or 1, or the outputted calculation value of the iterative operation, to the first register group, and a Galois field value of 0 or 1, or
...

Publication date: 26-01-2017

COMPUTATIONAL METHOD, COMPUTATIONAL DEVICE AND COMPUTER SOFTWARE PRODUCT FOR MONTGOMERY DOMAIN

Number: US20170026178A1
Author: Kaluzhny Uri

In Elliptic Curve Cryptography (ECC) one performs a great number of modular multiplications. These are usually done with the Montgomery multiplication algorithm, which needs the operands to be preprocessed (converted to the Montgomery domain), and that conversion is normally done by the equivalent of a long division. We provide a method to perform this conversion by a single Montgomery multiplication on the raw data. The method is formulated for elliptic curve points represented in Jacobian coordinates but can be extended to other representations.

1. A method for computation, comprising: receiving, in a Montgomery multiplier circuit, a pair of input coordinates (x, y) specifying a point on an elliptic curve in a canonical form; converting the pair of input coordinates to a quotient-based representation comprising three alternative coordinates (X′, Y′, Z′) in a Montgomery form by performing first Montgomery multiplications of the input coordinates by selected conversion factors; and carrying out one or more elliptic curve operations by applying second Montgomery multiplications to the alternative coordinates in the Montgomery form.
2. The method according to claim 1, wherein the alternative coordinates comprise Jacobian coordinates.
3. The method according to claim 1, wherein performing the first Montgomery multiplications comprises applying a Montgomery multiplication by 1 in computing at least one of the alternative coordinates.
4. The method according to claim 3, wherein performing the first Montgomery multiplications comprises: selecting conversion factors ω, α and β, wherein α and β are powers of ω; and calculating the alternative coordinates as Montgomery products of α and β with the input coordinates, such that X′ = α ⊙ x, Y′ = (β ⊙ y) ⊙ 1, and Z′ = ω.
5. The method according to claim 1, wherein carrying out the one or more elliptic curve operations comprises calculating a result expressed in the quotient-based representation in the Montgomery form, and applying at least one ...
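Why claim 4 works: with ⊙ the Montgomery product a·b·R⁻¹, the triple (α ⊙ x, (β ⊙ y) ⊙ 1, ω) read as Montgomery forms encodes the Jacobian point (α x R⁻², β y R⁻³, ω R⁻¹), which is (x, y, 1) scaled by λ = ω R⁻¹ whenever α = ω² and β = ω³; the point is unchanged and the constant R² mod N, whose computation is the long division, is never needed. The Python below is an added worked example, not the patent's code, using secp256k1's field prime and base point as sample input with radix R = 2²⁵⁶; the Jacobian doubling formulas are the standard ones for a = 0 curves, included to show the "second Montgomery multiplications" operating on the converted coordinates.

```python
from typing import Tuple

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F   # secp256k1 field prime
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798  # base point
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
BITS = 256
R = 1 << BITS
N_PRIME = (-pow(P, -1, R)) % R      # -P^{-1} mod R, used by REDC
R2 = (R * R) % P                    # classic entry constant; this '%' is the long division

def mont_mul(a: int, b: int) -> int:
    """Montgomery product a ⊙ b = a * b * R^{-1} mod P (REDC), for 0 <= a, b < P."""
    t = a * b
    m = (t & (R - 1)) * N_PRIME & (R - 1)
    u = (t + m * P) >> BITS
    return u - P if u >= P else u

def to_mont_classic(x: int) -> int:
    """Usual entry into the domain: x ⊙ R² = x R mod P, which needs R² mod P."""
    return mont_mul(x, R2)

def from_mont(xm: int) -> int:
    """Leave the domain: xm ⊙ 1 = xm R^{-1} mod P."""
    return mont_mul(xm, 1)

def affine_to_mont_jacobian(x: int, y: int, omega: int = 1) -> Tuple[int, int, int]:
    """Entry as in claim 4: Z' = ω, X' = α ⊙ x, Y' = (β ⊙ y) ⊙ 1 with α = ω², β = ω³.
    For ω = 1 (claim 3) every factor is a Montgomery multiplication by 1 and
    no constant has to be precomputed by division."""
    alpha = omega * omega % P       # for small ω these products never reach P
    beta = alpha * omega % P
    return mont_mul(alpha, x), mont_mul(mont_mul(beta, y), 1), omega

def mont_jacobian_to_affine(X: int, Y: int, Z: int) -> Tuple[int, int]:
    """Leave the domain and dehomogenise: (X/Z², Y/Z³)."""
    Xr, Yr, Zr = from_mont(X), from_mont(Y), from_mont(Z)
    zi = pow(Zr, -1, P)
    return Xr * zi * zi % P, Yr * zi * zi * zi % P

def mont_jacobian_double(X: int, Y: int, Z: int) -> Tuple[int, int, int]:
    """Jacobian doubling on y² = x³ + 7 (a = 0) done only with Montgomery products
    on domain values (dbl-2009-l).  Additions and small constant scalings commute
    with the R factor, so the formulas carry over unchanged."""
    A = mont_mul(X, X)
    B = mont_mul(Y, Y)
    C = mont_mul(B, B)
    s = (X + B) % P
    D = 2 * (mont_mul(s, s) - A - C) % P
    E = 3 * A % P
    F = mont_mul(E, E)
    X3 = (F - 2 * D) % P
    Y3 = (mont_mul(E, (D - X3) % P) - 8 * C) % P
    Z3 = 2 * mont_mul(Y, Z) % P
    return X3, Y3, Z3

def affine_double(x: int, y: int) -> Tuple[int, int]:
    """Reference doubling in affine coordinates, used only for cross-checking."""
    lam = 3 * x * x * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return x3, (lam * (x - x3) - y) % P

def is_on_curve(x: int, y: int) -> bool:
    return (y * y - x * x * x - 7) % P == 0

if __name__ == "__main__":
    Xm, Ym, Zm = affine_to_mont_jacobian(GX, GY)          # two Montgomery products, no division
    print(mont_jacobian_to_affine(*mont_jacobian_double(Xm, Ym, Zm)) == affine_double(GX, GY))
```

The only place R² mod P appears is `to_mont_classic`, kept for comparison; the patent's path never touches it, which matters on constrained multipliers where a division routine is either unavailable or a separate, side-channel-relevant code path.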

Publication date: 24-01-2019

Efficient modulo calculation

Number: US20190026079A1
Author: Simon Fenney
Assignee: Imagination Technologies Ltd

Hardware logic is described which is arranged to efficiently perform modulo calculation with respect to a constant value b. The hardware logic comprises a series of addition units (each comprising a plurality of binary adders). A first stage addition unit in the series groups bits from an input number into a number of strings, multiplies each string by a corresponding coefficient using adders and left-shifting and adds the resulting strings together to generate an intermediate value which, in most examples, has a smaller range of possible values than the input number. The series of addition units also includes a second stage addition unit and/or a final stage addition unit. A second stage addition unit uses similar methods to generate an updated intermediate value in a pre-defined terminating range. A final stage addition unit generates a final result from the final intermediate result output by an immediately previous addition unit in the series.
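This record and the Mersenne/Fermat modulo record above (US20220035599A1) describe the same mechanism: split the input into k-bit strings, weight the i-th string by 2^(ki) mod b, add the weighted strings to get a smaller value congruent to the input, repeat until the value fits a terminating range, and finish with a small fixed correction. The Python below is an added example (not either patent's code) that implements the general scheme and the Mersenne cache-slice special case with the correction lookup table; the 64-bit address width and the 7-slice cache are assumptions made for the demonstration.

```python
from typing import List, Optional, Tuple

def fold_once(t: int, b: int, k: int) -> int:
    """One addition stage: split t into k-bit strings s_i (t = sum s_i 2**(k i))
    and add s_i * (2**(k i) mod b).  The result is congruent to t modulo b."""
    mask = (1 << k) - 1
    acc, i = 0, 0
    while t:
        acc += (t & mask) * pow(2, k * i, b)   # the coefficients are constants for fixed b, k
        t >>= k
        i += 1
    return acc

def mod_by_folding(x: int, b: int, k: int = 0) -> Tuple[int, List[int]]:
    """x mod b for x >= 0, b >= 2; returns (residue, intermediate values).

    Requires b <= 2**k (default k = b.bit_length()).  Then every coefficient
    2**(k i) mod b with i >= 1 is smaller than 2**(k i), so a stage strictly
    shrinks any value that still spans two or more strings, and the loop ends
    with a single string t < 2**k.  With k = b.bit_length() we have 2**k < 2b,
    so the final stage needs at most one conditional subtraction."""
    if x < 0 or b < 2:
        raise ValueError("x must be >= 0 and b >= 2")
    k = k or b.bit_length()
    if b > (1 << k):
        raise ValueError("b must not exceed 2**k")
    trace = [x]
    t = x
    while t >= (1 << k):
        t = fold_once(t, b, k)
        trace.append(t)
    while t >= b:
        t -= b
    trace.append(t)
    return t, trace

ADDRESS_BITS = 64  # assumed address width for the cache-slice example

def correction_table(k: int, address_bits: int = ADDRESS_BITS) -> List[int]:
    """Lookup table for the Mersenne case M = 2**k - 1: the bits above position k
    of the first sum hold a value h that stands for h * 2**k ≡ h (mod M).  The
    first sum of n = ceil(address_bits / k) strings is at most n * M, so h < n."""
    m = (1 << k) - 1
    n = -(-address_bits // k)
    return [h % m for h in range(n + 1)]

def mersenne_slice(address: int, k: int, table: Optional[List[int]] = None) -> int:
    """Cache slice index = address mod (2**k - 1) for a cache with 2**k - 1 slices
    (7 slices for k = 3): stage 1 adds the k-bit strings (every coefficient is
    1 because 2**k ≡ 1 mod M), stage 2 adds the table correction for the bits
    that overflowed position k, stage 3 subtracts M once if the sum reached M."""
    m = (1 << k) - 1
    if not 0 <= address < (1 << ADDRESS_BITS):
        raise ValueError("address out of range")
    table = table if table is not None else correction_table(k)
    first_sum, t = 0, address
    while t:
        first_sum += t & m
        t >>= k
    low, high = first_sum & m, first_sum >> k
    second_sum = low + table[high]          # < 2M, so one subtraction suffices
    return second_sum - m if second_sum >= m else second_sum

if __name__ == "__main__":
    print(mod_by_folding(63, 5), mersenne_slice(0xDEADBEEFCAFEBABE, 3))
```

In hardware the inner loops of `fold_once` and of stage 1 become a fixed tree of adders; what the software version makes visible is the termination argument (each stage strictly shrinks a multi-string value) and the bound that keeps the final correction to a single conditional subtraction.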

Publication date: 23-01-2020

PROTECTING PARALLEL MULTIPLICATION OPERATIONS FROM EXTERNAL MONITORING ATTACKS

Number: US20200026883A1

Systems and methods for protecting cryptographic data processing operations that compute universal polynomial hash functions from external monitoring attacks. An example method may comprise: receiving an input data block and an iteration result value; performing a first field multiplication operation to produce a new iteration result value, by iteratively processing, starting from a first bit position, the bits of a combination of the input data block and the iteration result value, wherein the first bit position is one of the least-significant bit and the most-significant bit; performing a second field multiplication operation to produce a new mask correction value, by iteratively processing operand bits starting from a second bit position, wherein the second bit position is one of the least-significant bit and the most-significant bit and is different from the first bit position; applying the new mask correction value to the new iteration result value; and producing, based on the new iteration result value, a value of a cryptographic hash function to be used by an authenticated encryption or authenticated decryption operation.

1. A method, comprising: receiving, by a processing device, an input data block and an iteration result value; performing a first field multiplication operation to produce a new iteration result value, by iteratively processing, starting from a first bit position, bits of a combination of the input data block and the iteration result value, wherein the first bit position is represented by one of: a least-significant bit and a most-significant bit; performing a second field multiplication operation to produce a new mask correction value, by iteratively processing operand bits starting from a second bit position, wherein the second bit position is represented by one of: a least-significant bit and a most-significant bit, and wherein the second bit ...

Publication date: 28-01-2021

COMPUTER-IMPLEMENTED SYSTEM AND METHOD FOR TRUSTLESS ZERO-KNOWLEDGE CONTINGENT PAYMENT

Number: US20210027294A1
Author: TREVETHAN Thomas

The invention relates to efficient zero-knowledge verification of composite statements that involve both arithmetic circuit satisfiability and dependent statements about the validity of public keys (key-statement proofs) simultaneously. The method enables a prover to prove such a statement in zero knowledge. More specifically, the invention relates to a computer-implemented method for enabling zero-knowledge proof or verification of a statement (S) in which a prover proves to a verifier that the statement is true while keeping a witness (W) to the statement secret. The invention also relates to the reciprocal method employed by a verifier who verifies the proof. The method includes the prover sending to the verifier a statement (S) having an arithmetic circuit with m gates and n wires configured to implement a function circuit and to determine whether, for a given function circuit output (h) and an elliptic curve point (P), the function circuit input (s) to a wire of the function circuit is equal to the corresponding elliptic curve point multiplier (s). The prover also sends individual wire commitments and/or a batched commitment for the wires of the circuit, an input for a wire in the arithmetic circuit, and a function circuit output (h). The prover receives from the verifier a challenge value (x) and responds with an opening, or additionally sends a proving key (PrK) to the verifier. The statement and the data enable the verifier to determine that the circuit is satisfied, calculate the elliptic curve point (P) and validate the statement, thus determining that the prover holds the witness (W) to the statement.

1. A computer-implemented method for enabling a trustless zero-knowledge contingent payment or exchange of reward data from a buyer or verifier in exchange for access data from a seller or prover, the method including: receiving from a buyer a buyer public key (pk_B) derived from multiplying a buyer secret key (sk_B) with an elliptic curve ...

Publication date: 04-02-2016

GENERATING A HASH USING S-BOX NONLINEARIZING OF A REMAINDER INPUT

Number: US20160034257A1
Author: Stark Gavin J.

A processor includes a hash register and a hash generating circuit. The hash generating circuit includes a novel programmable nonlinearizing function circuit as well as a modulo-2 multiplier, a first modulo-2 summer, a modulo-2 divider, and a second modulo-2 summer. The nonlinearizing function circuit receives a hash value from the hash register and performs a programmable nonlinearizing function, thereby generating a modified version of the hash value. In one example, the nonlinearizing function circuit includes a plurality of separately enableable S-box circuits. The multiplier multiplies the input data by a programmable multiplier value, thereby generating a product value. The first summer sums a first portion of the product value with the modified hash value. The divider divides the resulting sum by a fixed divisor value, thereby generating a remainder value. The second summer sums the remainder value and the second portion of the input data, thereby generating a hash result.

1. A method comprising:
(a) storing an amount of incoming data in a processor, wherein the amount of incoming data comprises a first portion and a second portion;
(b) maintaining a hash register value in a hash register;
(c) supplying the first portion of the amount of incoming data onto a set of input leads of a modulo-2 multiplier;
(d) using the modulo-2 multiplier to modulo-2 multiply the first portion by a multiplier value, thereby generating a product value, wherein the product value comprises a first portion and a second portion;
(e) using a programmable nonlinearizing function circuit to perform a nonlinearizing function on the hash register value, thereby generating a modified version of the hash register value;
(f) using a first modulo-2 summer to modulo-2 sum the first portion of the product value and the modified version of the hash register value, thereby generating a first sum value;
(g) using a modulo-2 divider to modulo-2 divide the first sum value by a divisor value and ...

Publication date: 31-01-2019

Homogenous Atomic Pattern for Double, Add, and Subtract Operations for Digital Authentication Using Elliptic Curve Cryptography

Number: US20190034170A1
Author: PEETERS ERIC THIERRY

A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the power consumption and electromagnetic emanation profile of the circuitry performing the operations is identical regardless of which operation runs. A subtraction operation using such an atomic pattern is also disclosed.

1. A method of operating digital logic circuitry to execute a finite field scalar multiplication of a multiplicand representative of a point in the finite field by a binary-valued scalar, comprising the steps of: initializing one or more memory locations storing components of a sum, the sum representative of a point in the finite field; and operating the digital logic circuitry to execute a plurality of operations comprising, for each of a plurality of bit positions in the scalar: doubling an operand representative of one of the sum and the multiplicand; responsive to the bit position having a "1" value, adding first and second operands, the first and second operands representative of the sum and the multiplicand; and then advancing to a next bit position in the scalar; a first addition; then a first multiplication followed by a second multiplication; then a second addition; then a third multiplication followed by a fourth multiplication; then a third addition; then a fifth multiplication; then a fourth addition; then a sixth multiplication followed by a seventh multiplication followed by an eighth multiplication; then a fifth addition; then a ninth multiplication; then a sixth addition followed by a seventh addition; then a tenth multiplication; and then an eighth addition; wherein the doubling step is executed using an atomic pattern consisting of a first addition; then a first multiplication followed by a ...

Publication date: 31-01-2019

PROTECTION OF AN ITERATIVE CALCULATION AGAINST HORIZONTAL ATTACKS

Number: US20190034629A1

An iterative calculation is performed on a first number and a second number while protecting the iterative calculation against side-channel attacks. For each bit of the second number, successively, an iterative calculation routine for the bit of the second number is determined. The determination is made independent of the state of the bit. The determined iterative calculation routine for the bit is executed. A result of the iterative calculation is generated based on the result of executing the determined iterative calculation routine for the last bit of the second number.

1. A method, comprising: executing, using an electronic circuit, an iterative calculation on a first number and a second number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number; and executing the determined iterative calculation routine; and generating a result of the iterative calculation based on a result of the determined iterative calculation routine of a last bit of the second number.
2. The method of claim 1, wherein the iterative calculation routine is selected from a set of iterative calculation routines.
3. The method of claim 2, wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number.
4. The method of claim ..., wherein the set of iterative calculation routines comprises: a square-and-multiply always routine; and a Montgomery multiplication routine.
5. The method of claim ..., wherein the determining of the iterative calculation routine of a bit of the second number is performed randomly.
6. The method of claim ..., wherein steps of the iterative calculation routine vary according to the state of the bit of the second number.
7. The method of claim 1, comprising: initializing variables stored in a memory prior to executing the ...
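The horizontal attack this record defends against reads the sequence of field operations off a single trace; the defence in claims 4 and 5 is to make each per-bit routine perform the same operations whatever the bit is, and to pick which routine runs per bit at random rather than from the exponent. The same principle underlies the atomic add/double patterns of the record above. The Python below is an added example, not the patent's code: a square-and-multiply-always step and a Montgomery ladder step on a shared (r0, r1 = r0·base) state, a random or scripted per-bit schedule, and an operation tracer that stands in for the power trace. Python cannot select in constant time, so the point demonstrated is the operation sequence, not the selection itself.

```python
import secrets
from typing import Callable, Dict, List, Optional, Tuple

State = Tuple[int, int]   # (r0, r1) with the invariant r1 == r0 * base mod n

class Tracer:
    """Executes field operations and records their kind ('S' square, 'M' multiply),
    which is what a horizontal (single-trace) attack tries to read off the trace."""
    def __init__(self, n: int) -> None:
        self.n = n
        self.ops: List[str] = []

    def sq(self, a: int) -> int:
        self.ops.append("S")
        return a * a % self.n

    def mul(self, a: int, b: int) -> int:
        self.ops.append("M")
        return a * b % self.n

def step_square_and_multiply_always(state: State, bit: int, base: int, t: Tracer) -> State:
    """Always S, M, M: the product with the base is computed and then kept or
    discarded, and r1 is rebuilt so the invariant holds for the next routine."""
    r0, _ = state
    s = t.sq(r0)
    m = t.mul(s, base)
    r0 = (s,m)[bit]
    return r0, t.mul(r0, base)

def step_montgomery_ladder(state: State, bit: int, base: int, t: Tracer) -> State:
    """Always M then S; only the operand roles swap with the bit."""
    r0, r1 = state
    prod = t.mul(r0, r1)
    if bit:
        return prod, t.sq(r1)
    return t.sq(r0), prod

ROUTINES: Dict[str, Callable[[State, int, int, Tracer], State]] = {
    "sma": step_square_and_multiply_always,
    "ladder": step_montgomery_ladder,
}

def msb_bits(e: int) -> List[int]:
    return [(e >> i) & 1 for i in range(e.bit_length() - 1, -1, -1)]

def regular_modexp(base: int, exp: int, n: int,
                   schedule: Optional[List[str]] = None) -> Tuple[int, List[str], List[str]]:
    """base**exp mod n.  For every exponent bit a routine is chosen (randomly
    unless a schedule is given), independent of the bit, and then executed.
    Returns (result, operation trace, routines used)."""
    t = Tracer(n)
    base %= n
    state: State = (1, base)
    used: List[str] = []
    for i, bit in enumerate(msb_bits(exp)):
        name = schedule[i] if schedule is not None else secrets.choice(sorted(ROUTINES))
        used.append(name)
        state = ROUTINES[name](state, bit, base, t)
    return state[0], t.ops, used

def naive_modexp(base: int, exp: int, n: int) -> Tuple[int, List[str]]:
    """Plain square-and-multiply for contrast: the trace spells out the exponent."""
    t = Tracer(n)
    r, base = 1, base % n
    for bit in msb_bits(exp):
        r = t.sq(r)
        if bit:
            r = t.mul(r, base)
    return r, t.ops

if __name__ == "__main__":
    print("".join(naive_modexp(7, 0b101101, 1009)[1]))       # leaks the bits
    print("".join(regular_modexp(7, 0b101101, 1009)[1]))     # depends only on the schedule
```

Two exponents of the same length run under the same schedule produce identical traces, while the naive loop produces a different trace per exponent; the random schedule additionally defeats averaging over several runs of the same key.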

Publication date: 04-02-2021

METHOD, APPARATUS, DEVICE AND COMPUTER-READABLE STORAGE MEDIUM FOR STORAGE MANAGEMENT

Number: US20210034517A1

Example embodiments of the present disclosure provide a method, an apparatus, a device and a computer-readable storage medium for storage management. The method for storage management includes: obtaining an available channel mode of a plurality of channels in a memory of a data processing system, the available channel mode indicating the availability of each of the plurality of channels, each channel being associated with a set of addresses in the memory; obtaining a channel data-granularity of the plurality of channels, the channel data-granularity indicating the size of the data block that can be carried on each channel; obtaining a target address of data to be transmitted in the memory; and determining a translated address corresponding to the target address based on the available channel mode and the channel data-granularity.

1. A method for storage management, comprising: obtaining an available channel mode of a plurality of channels in a memory of a data processing system, the available channel mode indicating availabilities of the plurality of channels, and each of the plurality of channels being associated with a set of addresses in the memory; obtaining a channel data-granularity of the plurality of channels, the channel data-granularity indicating a size of a data block that can be carried on each channel; obtaining a target address of data to be transmitted in the memory; and determining a translated address corresponding to the target address based on the available channel mode and the channel data-granularity.
2. The method according to claim 1, wherein obtaining the available channel mode comprises: obtaining information related to unavailable channels in the plurality of channels; and determining the available channel mode based on the information related to the unavailable channels.
3. The method according to claim 1, wherein determining the translated address comprises: dividing the target address into a high-order portion and a low-order ...

Publication date: 11-02-2016

Elliptic curve encryption method comprising an error detection

Number: US20160043863A1
Author: Vincent Dupaquis
Assignee: Inside Secure SA

A method in an elliptic curve cryptographic system, the method being executed by an electronic device and including a multiplication operation of multiplying a point of an elliptic curve by a scalar number, the point having affine coordinates belonging to a Galois field, the multiplication operation including steps of detecting the appearance of a point at infinity during intermediate calculations of the multiplication operation, and of activating an error signal if the point at infinity is detected and if the number of bits of the scalar number processed by the multiplication operation is lower than the rank of the most significant bit of an order of a base point of the cryptographic system.

Publication date: 24-02-2022

COMPUTING ACCELERATION FRAMEWORK

Number: US20220057997A1
Assignee: SOFTIRON LIMITED

A processing acceleration system including at least one gate array that performs finite field arithmetic and at least one controller that sends information to the gate array(s) upon a determination that sending the information, performing the finite field arithmetic on the gate array(s), and sending the results of the finite field arithmetic to at least one destination is more efficient than having general-purpose processor(s) perform the finite field arithmetic and send the results to the destination. The gate array(s) may include field programmable gate array(s), and the destination(s) may include the general-purpose processor(s) or storage devices. The finite field arithmetic may include Galois field arithmetic such as modular arithmetic, for example as used for erasure coding across storage devices.

1. A processing acceleration system comprising: at least one gate array that performs finite field arithmetic; and at least one controller that sends information to the at least one gate array upon a determination that sending the information, performing the finite field arithmetic by the at least one gate array, and sending results of the finite field arithmetic to at least one destination is more efficient than at least one general-purpose computing processor performing the finite field arithmetic and sending the results to the at least one destination.
2. The processing acceleration system as in claim 1, wherein the at least one gate array comprises at least one field programmable gate array.
3. The processing acceleration system as in claim 1, wherein the at least one gate array also assists with compression or decompression of data.
4. The processing acceleration system as in claim 1, wherein the at least one gate array also assists with deduplication of data.
5. The processing acceleration system as in claim 1, wherein the at least one destination comprises the at least one general-purpose computing processor ...

Publication date: 24-02-2022

SIGN-BASED PARTIAL REDUCTION OF MODULAR OPERATIONS IN ARITHMETIC LOGIC UNITS

Number: US20220060315A1

Aspects of the present disclosure involve a method, and a system to execute the method, to perform a cryptographic operation involving a modulo N computation. The method comprises loading a first integer number and a second integer number, wherein both are within an interval of 2N integer numbers, and performing an arithmetic operation involving the first and second integer numbers, wherein the arithmetic operation produces a third integer number and comprises a shifting operation that ensures the third integer number is inside the interval of 2N integer numbers.

1. A method to perform a cryptographic operation involving a modulo N computation, the method comprising: loading, by a processing device, a first integer number and a second integer number, wherein the first integer number and the second integer number are within an interval of 2N integer numbers; and performing, by the processing device, an arithmetic operation involving the first integer number and the second integer number, wherein the arithmetic operation is to produce a third integer number, and wherein the arithmetic operation comprises a shifting operation to ensure that the third integer number is inside the interval of 2N integer numbers, the shifting operation selected based on a relation of the first integer number and the second integer number to a reference number.
2. The method of claim 1, wherein the interval of 2N integer numbers extends from −N to N−1.
3. The method of claim 1, wherein the interval of 2N integer numbers extends from −N+1 to N.
4. The method of claim 1, wherein the arithmetic operation is an addition operation, and wherein the shifting operation comprises: determining that the first integer number and the second integer number belong to a same subinterval of the interval of 2N integer numbers.
5. The method of claim 4, wherein determining that the first integer ...

Publication date: 01-05-2014

Providing searching over encrypted keywords in a database

Number: US20140122900A1
Assignee: Infosys Ltd

The present invention relates to a computer-implemented method, system and computer-readable medium for providing searching over encrypted keywords in a database. The method comprises the steps of: generating at least one keyword; generating a plurality of different encrypted keywords corresponding to said keyword; storing said encrypted keywords in said database; generating a plurality of different trapdoors for said keyword; verifying said plurality of different trapdoors against said plurality of different encrypted keywords corresponding to said keyword; and determining that said keyword is found if said trapdoors match one of said encrypted keywords corresponding to said keyword, and otherwise determining that said keyword is not found.

Publication date: 07-02-2019

System, Apparatus And Method For Performing A Plurality Of Cryptographic Operations

Number: US20190044718A1

In one embodiment, an apparatus includes a hardware accelerator to execute cryptography operations including a Rivest Shamir Adleman (RSA) operation and an elliptic curve cryptography (ECC) operation. The hardware accelerator may include a multiplier circuit comprising a parallel combinatorial multiplier, and an ECC circuit coupled to the multiplier circuit to execute the ECC operation. The ECC circuit may compute a prime field multiplication using the multiplier circuit and reduce the result of the prime field multiplication in a plurality of addition and subtraction operations for a first type of prime modulus. The hardware accelerator may execute the RSA operation using the same multiplier circuit. Other embodiments are described and claimed.

1. An apparatus comprising: a hardware accelerator to execute cryptography operations including a Rivest Shamir Adleman (RSA) operation and an elliptic curve cryptography (ECC) operation, the hardware accelerator comprising: a multiplier circuit comprising a parallel combinatorial multiplier; and an ECC circuit coupled to the multiplier circuit to execute the ECC operation, the ECC circuit to compute a prime field multiplication using the multiplier circuit and to reduce a result of the prime field multiplication in a plurality of addition and subtraction operations for a first type of prime modulus, wherein the hardware accelerator is to execute the RSA operation using the multiplier circuit.
2. The apparatus of claim 1, wherein the ECC circuit is to reduce a result of the prime field multiplication in a plurality of multiplication operations for a second type of prime modulus.
3. The apparatus of claim 1, wherein the multiplier circuit comprises a 27-bit × 411-bit parallel combinatorial multiplier to multiply a first 384-bit value and a second 384-bit value in 16 clock cycles.
4. The apparatus of claim 1, wherein the hardware accelerator is to isolate first and second portions of first and second values and send the isolated ...

Publication date: 06-02-2020

SYSTEM AND METHOD FOR OPTIMIZED ELLIPTIC CURVE CRYPTOGRAPHY OPERATIONS

Number: US20200044846A1

A method and protocol for determining linear combinations of a first and a second point for an elliptic curve cryptography scheme, including: determining a first scalar multiplication of the first point with a first scalar, the first scalar multiplication including performing iteratively, in relation to the value of the first scalar, either doubling of the first point in Jacobian projective coordinates or mixed addition with the first point in affine coordinates; determining a combination point by adding the second point to the result of the first scalar multiplication; obtaining an affine coordinate representation of the combination point; and determining a second scalar multiplication of the combination point with a second scalar, the second scalar multiplication including performing iteratively, in relation to the value of the second scalar, either doubling of the combination point in Jacobian projective coordinates or mixed addition with the combination point in affine coordinates.

1. A protocol for determining linear combinations of a first point and a second point for an elliptic curve cryptography scheme, the elliptic curve cryptographic scheme for permitting secure communications between two or more cryptographic correspondent devices, each of the cryptographic correspondent devices comprising a processor and a memory, the memory configured to store a plurality of instructions which when executed by the processor cause the processor to implement the cryptographic scheme, the first point and the second point in affine coordinates, the protocol comprising: obtaining a Jacobian projective coordinate representation of the first point; determining a first scalar multiplication of the first point with a first scalar, the first scalar multiplication including performing iteratively in relation to the value of the first scalar either one of: doubling of a current value of the first point in Jacobian projective coordinates; or mixed addition of a current value of the first point with the initial value of the first point in affine coordinates; the first scalar ...

Publication date: 14-02-2019

SYSTOLIC PARALLEL GALOIS HASH COMPUTING DEVICE

Number: US20190052455A1
Assignee: SECTURION SYSTEMS, INC.

A computing device (e.g., an FPGA or integrated circuit) processes an incoming packet comprising data to compute a Galois hash. The computing device includes a plurality of circuits, each circuit providing a respective result used to determine the Galois hash, and each circuit including: a first multiplier configured to receive a portion of the data; a first exclusive-OR gate configured to receive an output of the first multiplier as a first input, and to provide the respective result; and a second multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second multiplier as a second input. In one embodiment, the computing device further comprises a second exclusive-OR gate configured to output the Galois hash, wherein each respective result is provided as an input to the second exclusive-OR gate.

1. A system to compute a Galois hash for a first incoming packet comprising data, the system comprising: a plurality of sub-modules, each sub-module implemented in a computing device, and each sub-module comprising: a first Galois multiplier configured to receive a portion of the data; a first multiplexer configured to select one of a plurality of pre-computed keys for use by the first Galois multiplier; a first exclusive-OR gate configured to receive an output of the first Galois multiplier as a first input; and a second Galois multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second Galois multiplier as a second input; and a second exclusive-OR gate, implemented in the computing device, the second exclusive-OR gate configured to provide the Galois hash as an output, wherein a result is provided by the first exclusive-OR gate of each respective sub-module, and each respective result is provided as an input to the second exclusive-OR gate. 2. The system ...
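GHASH in its serial (Horner) form next to the multi-lane form of the abstract, as an added Python example that is not Secturion's code: each lane multiplies its data block by a pre-computed key H^(w-j) (the multiplexer's selection), XORs that with the lane's previous result multiplied by H^w (the feedback multiplier), and a final XOR over the lane results gives the hash. The lane-to-block assignment and the zero-block padding are assumptions made so the parallel result equals the serial one exactly; the known-answer values are GCM test case 2 (AES-128, all-zero key, zero IV, one zero plaintext block).

```python
# Added example, not Secturion's code: GHASH computed serially (Horner form) and in the
# multi-lane form of the abstract.  Each lane multiplies its data block by a pre-computed
# key H^(w-j) (the multiplexer's selection), XORs that with the lane's previous result
# multiplied by H^w (the feedback multiplier), and a final XOR over the lane results gives
# the hash.  The lane-to-block assignment and the zero-block padding are assumptions made
# so the parallel result equals the serial one exactly.
R_POLY = 0xE1 << 120   # GCM's reduction constant for x^128 + x^7 + x^2 + x + 1


def gf128_mul(x, y):
    """Multiplication in GF(2^128) with GCM's bit ordering (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R_POLY if v & 1 else v >> 1
    return z


def ghash_serial(h, blocks):
    """Y_i = (Y_{i-1} xor X_i) * H, one dependent multiplication per block."""
    y = 0
    for x in blocks:
        y = gf128_mul(y ^ x, h)
    return y


def ghash_parallel(h, blocks, lanes):
    """w = lanes sub-modules working on interleaved blocks; the result equals ghash_serial."""
    w = lanes
    data = [0] * ((-len(blocks)) % w) + list(blocks)   # leading zero blocks do not change the hash
    powers = [h]                                        # powers[k] = H^(k+1), the pre-computed keys
    for _ in range(w - 1):
        powers.append(gf128_mul(powers[-1], h))
    h_w = powers[w - 1]                                 # H^w, the feedback multiplier of every lane
    acc = [0] * w
    for base in range(0, len(data), w):
        for j in range(w):
            # first multiplier: data block times the selected pre-computed key H^(w-j);
            # second multiplier: previous lane result times H^w; the first XOR gate combines them
            acc[j] = gf128_mul(data[base + j], powers[w - 1 - j]) ^ gf128_mul(acc[j], h_w)
    out = 0
    for lane_result in acc:        # the second XOR gate
        out ^= lane_result
    return out


# Known-answer check: GCM test case 2 (AES-128, zero key, zero IV, one zero plaintext block).
# H = E_K(0^128), C = the single ciphertext block, and the final block is [len(A)]64 || [len(C)]64.
GCM_TC2_H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
GCM_TC2_C = 0x0388DACE60B6A392F328C2B971B2FE78
GCM_TC2_LEN_BLOCK = 128
GCM_TC2_GHASH = 0xF38CBB1AD69223DCC3457AE5B6B0F885


def known_answer_ok():
    blocks = [GCM_TC2_C, GCM_TC2_LEN_BLOCK]
    return ghash_serial(GCM_TC2_H, blocks) == GCM_TC2_GHASH
```

With w lanes the dependent chain per lane is w times shorter, which is what lets a pipelined multiplier keep up with line rate; the price is w pre-computed powers of H per key, which must be recomputed (and the old ones cleared) whenever the key changes.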

Publication date: 22-02-2018

METHOD AND DEVICE FOR DATA ENCRYPTION

Number: US20180054301A1

Aspects of the disclosure provide a method for encrypting data. The method includes generating a sequence of states of a pseudo-random number generator (PRNG), generating a key stream including a sequence of key sections based on the sequence of states, and encrypting or decrypting data with the key stream. An initial state of the PRNG is generated based on a seed and a key, and each of the other states in the sequence of states of the PRNG is generated based on a previous state of the PRNG and the key. The method eliminates the vulnerability to known-plaintext attack, and improves the security of communications between computer systems. Also, the method showed a performance improvement when compared to the Advanced Encryption Standard (AES) in cipher block chaining (CBC) mode. Moreover, the size of the encrypted data is almost the same as that of the original data.

1. A method for encrypting and decrypting data, comprising: generating a sequence of states of a pseudo-random number generator (PRNG), wherein an initial state of the PRNG is generated based on a seed and a key, and each of the other states in the sequence of states of the PRNG is generated based on a previous state of the PRNG and the key; generating, via processing circuitry, a key stream including a sequence of key sections, wherein each key section is generated by the PRNG based on one of the states in the sequence of states of the PRNG; and encrypting or decrypting the data with the key stream to generate encrypted data or decrypted data respectively. 2. The method of claim 1, wherein generating the sequence of states of the PRNG includes: performing a modulo-m addition or multiplication of the seed and the key to generate the initial state of the PRNG; and performing a modulo-m addition or multiplication of a previous state of the PRNG and the key to generate one of the other states in the sequence of states of the PRNG. 3. The method of claim 1, wherein when the data is data to be encrypted, the ...

Publication date: 13-02-2020

METHOD FOR CREATING AND DISTRIBUTING CRYPTOGRAPHIC KEYS

Number: US20200052891A1
Assignee:

A method creates and distributes cryptographic keys for securing communication at two terminals. Signals for creating correlated values in the two terminals are distributed via a first communication channel burdened with error, and the correlated values are present as keys. A checksum is formed on the basis of the first key present in the first terminal and the checksum is transferred to the second terminal via a second communication channel. A second checksum is formed on the basis of the second key present, and information derived from the two checksums is transferred via the second communication channel to a server. Based on the information derived from the checksums, the server determines a correction value, which, when applied to one or both keys, brings the keys into correspondence. The correction value is transferred to one or both terminals via the second communication channel and is applied to one or both keys.

1-8. (canceled) 10. The method according to claim 9, wherein the signals generating the correlated values in the first and second terminals are distributed by: a random signal being created by the first terminal and being transmitted to the second terminal; or a random signal being created by the second terminal and being transmitted to the first terminal; or an entangled quantum state being generated by an external signal source and transmitted to both of the first and second terminals by means of quantum communication. 11. The method according to claim 9, wherein, to form the correlated values, parts of a transmitted signal are selected and remaining parts of the transmitted signal are discarded. 12. The method according to claim 9, wherein: a key is specified as a binary vector of a given length; a publicly known test matrix containing binary numbers as entries is defined, a number of rows of which corresponds to a given length of the keys and a number of columns of which corresponds to a length of the first and second checksums; ...
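The checksum-and-correction round of the abstract, run over a pair of correlated keys, as an added Python example that is not the patent's code. The page only says the test matrix is public, binary, with one row per key bit and one column per checksum bit; the Hamming-type matrix used here (row i is the bit pattern i + 1, so every single-bit difference has a distinct checksum difference) and the block size are assumptions, and the server is modelled as a function that sees only the checksums.

```python
# Added example, not the patent's code: the checksum/correction round of the abstract with a
# Hamming-type public test matrix (an assumption; the page only fixes the matrix's shape).
# Keys are Python ints; bit i of a key block selects row i of the matrix.

def hamming_check_matrix(r):
    """Rows of the test matrix for a (2^r - 1)-bit key block: row i is the r-bit pattern i + 1.
    Rows are distinct and non-zero, so each single-bit difference gives a unique checksum difference."""
    return list(range(1, 2 ** r))


def checksum(key_block, matrix):
    """Checksum = key block (as a row vector) times the matrix over GF(2)."""
    s = 0
    for i, row in enumerate(matrix):
        if (key_block >> i) & 1:
            s ^= row
    return s


def correction_value(c1, c2, matrix):
    """Server side: from the two checksums alone, return the bit mask that makes the second block
    equal to the first, valid when the blocks differ in at most one bit."""
    syndrome = c1 ^ c2               # equals (block1 xor block2) times the matrix
    if syndrome == 0:
        return 0
    return 1 << matrix.index(syndrome)


def reconcile(key1, key2, n_bits, r):
    """Terminal 1 sends its checksum, terminal 2 forms its own, the server returns a correction per
    block.  Returns the corrected second key and the number of checksum bits that crossed the
    second channel in clear."""
    matrix = hamming_check_matrix(r)
    block_len = 2 ** r - 1
    assert n_bits % block_len == 0, "assumed: the key is a whole number of blocks"
    mask = (1 << block_len) - 1
    corrected, sent_bits = 0, 0
    for pos in range(0, n_bits, block_len):
        b1 = (key1 >> pos) & mask
        b2 = (key2 >> pos) & mask
        c1 = checksum(b1, matrix)                  # terminal 1 -> terminal 2 over the second channel
        c2 = checksum(b2, matrix)                  # formed by terminal 2 from its own key
        corr = correction_value(c1, c2, matrix)    # server, from the checksum pair
        corrected |= (b2 ^ corr) << pos            # correction applied to the second key only
        sent_bits += r
    return corrected, sent_bits
```

Two things a practitioner checks before trusting such a round: the checksums cross the second channel in clear, so an eavesdropper learns up to r bits of linear information per block and privacy amplification must discard at least that much afterwards; and a block with more differing bits than the matrix can correct (two, for the matrix above) is silently "corrected" to a third value, so the terminals still need a final comparison of a hash of the reconciled keys.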

Publication date: 10-03-2022

Protection of cryptographic operations by intermediate randomization

Number: US20220075879A1
Assignee: Cryptography Research Inc

Aspects of the present disclosure involve a method and a system to support execution of the method to perform a cryptographic operation involving a first vector and a second vector, by projectively scaling the first vector, performing a first operation involving the scaled first vector and the second vector to obtain a third vector, generating a random number, storing the third vector in a first location, responsive to the random number having a first value, or in a second location, responsive to the random number having a second value, and performing a second operation involving a first input and a second input, wherein, based on the random number having the first value or the second value, the first input is the third vector stored in the first location or the second location and the second input is a fourth vector stored in the second location or the first location.

Publication date: 05-03-2015

PRIVATE TWO-PARTY COMPUTATION USING PARTIALLY HOMOMORPHIC ENCRYPTION

Number: US20150063563A1
Author: Vaya Shailesh
Assignee: XEROX CORPORATION

A product of prime numbers and a quadratic non-residue of one of the prime numbers are received as a public key from a first party. The product of prime numbers comprises a first group and the prime numbers respectively comprise a first sub-group and a second sub-group of the first group. Data of the first party is automatically encrypted bit-wise using a computerized device by encrypting first bit values of the data of the first party as quadratic residue and encrypting second bit values of the data of the first party as quadratic non-residue to produce a first intermediate number. The first intermediate number is automatically multiplied by the quadratic non-residue of the public key using the computerized device to complete encryption of the data of the first party. A square root of a value is received from a second party. The second party does not have the quadratic residue and the quadratic non-residue. A single bit of the data of the first party is automatically decrypted for the second party by factoring the product of prime numbers to evaluate whether the single bit has a square root in the first sub-group or the second sub-group based on the square root of the value from the second party.

1. A method comprising: receiving a product of prime numbers and a quadratic non-residue of one of said prime numbers as a public key from a first party, said product of prime numbers comprising a first group and said prime numbers respectively comprising a first sub-group and a second sub-group of said first group; automatically encrypting data of said first party, bit-wise, using a computerized device, by encrypting first bit values of said data of said first party as quadratic residue and encrypting second bit values of said data of said first party as quadratic non-residue to produce a first intermediate number; automatically multiplying said first intermediate number by said quadratic non-residue of said public key using said computerized device to complete encryption of ...
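The quadratic-residuosity bit encryption the abstract builds on (bit 0 as a random quadratic residue, bit 1 as a non-residue obtained by multiplying with the public non-residue), together with the XOR homomorphism that makes it usable for two-party computation, as an added Python example that is not Xerox's code. It is the textbook Goldwasser-Micali scheme rather than the abstract's exact message layout; the primes and the random source are assumptions for the example.

```python
# Added example, not Xerox's code: Goldwasser-Micali bit encryption (the quadratic-residuosity
# scheme behind the abstract) and its XOR homomorphism.  The primes below are assumptions.
import math
import secrets


def legendre(a, p):
    """(a | p) for an odd prime p: 1 for a non-zero square, -1 for a non-square, 0 if p divides a."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def keygen(p, q):
    """Public key (N, z): z is a non-residue modulo both p and q, so its Jacobi symbol (z | N) is +1.
    A z with Jacobi symbol -1 would let anyone read the bit off the Jacobi symbol of the ciphertext."""
    z = 2
    while not (legendre(z, p) == -1 and legendre(z, q) == -1):
        z += 1
    return (p * q, z), (p, q)


def encrypt_bit(pub, bit, rng=secrets):
    """c = r^2 * z^bit mod N for a random unit r; bit 0 is a residue, bit 1 a non-residue."""
    n, z = pub
    while True:
        r = rng.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    c = r * r % n
    return c * z % n if bit else c


def decrypt_bit(priv, c):
    """Only the holder of the factors can test residuosity modulo one prime: 0 for residue, 1 otherwise."""
    p, _ = priv
    return 0 if legendre(c, p) == 1 else 1


def xor_ciphertexts(pub, c1, c2):
    """The product of two ciphertexts encrypts the XOR of the bits: residue*residue and
    non-residue*non-residue are residues, a mixed product is a non-residue."""
    return c1 * c2 % pub[0]
```

Each bit becomes a full-size residue modulo N, so the scheme is only practical for short inputs or for the bit-wise protocols the abstract targets; the XOR homomorphism is what lets the second party combine encrypted bits without learning them.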

Publication date: 10-03-2022

EFFICIENT SQUARING WITH LOOP EQUALIZATION IN ARITHMETIC LOGIC UNITS

Number: US20220076594A1
Assignee:

Aspects of the present disclosure describe a method and a system to support execution of the method to perform a cryptographic operation involving identifying an N-word number, X = X_{N-1} ... X_1 X_0, to be squared, performing a first loop comprising M first loop iterations, wherein M is a largest integer not exceeding (N+1)/2, each of the M first loop iterations comprising a second loop that comprises a plurality of second loop iterations, wherein an iteration m of the second loop that is within an iteration j of the first loop comprises computing a product X_a*X_b of a word X_a and a word X_b, wherein a+b = 2j+m, j ≥ 0 and m ≥ 0, and wherein all second loops have an equal number of second loop iterations.

1. A method to perform a cryptographic operation involving squaring an N-word number, X = X_{N-1} ... X_1 X_0, the method comprising: performing, by a processing device, a first loop comprising M first loop iterations, wherein M is a largest integer number not exceeding (N+1)/2, each of the M first loop iterations comprising a second loop that comprises a plurality of second loop iterations, wherein an iteration m of the second loop that is within an iteration j of the first loop comprises computing a product X_a*X_b of a word X_a and a word X_b, wherein a+b = 2j+m, j ≥ 0 and m ≥ 0, and wherein all second loops have an equal number of second loop iterations. 2. The method of claim 1, wherein the iteration m of the second loop that is within the iteration j of the first loop further comprises: multiplying the product X_a*X_b by f, wherein f = 1 if a is equal to b and f = 2 if a is not equal to b; adding a carry value stored during the iteration m−1 of the second loop; adding an accumulator value A_{a+b} stored during the iteration j−1 of the first loop; storing a high word of a resulting number as a new carry; and storing a low word of the resulting number as the accumulator A_{a+b}. 3. The method of claim 2, further comprising: determining that the iteration ...
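A word-level squaring that meets the constraints of claims 1 and 2 (M = floor((N+1)/2) first-loop iterations, every second loop of the same length, the product of iteration m inside iteration j landing in column a+b = 2j+m, the f = 1 or 2 factor, the carry and the per-column accumulator), as an added Python example that is not the patent's code. The specific assignment of word pairs to iterations, row j of the upper triangle followed by the leftover pairs of the lower-right block, is one schedule that satisfies those constraints, not necessarily the one the patent uses; the word size is a parameter and the carry is kept as a Python integer where hardware would keep a wider carry register.

```python
# Added example, not the patent's code: squaring an N-word number with M = floor((N+1)/2) outer
# iterations whose inner loops all have the same length, the product of inner iteration m inside
# outer iteration j always going to column a + b = 2j + m.  The pair schedule is one assignment
# that satisfies the claim's constraints (an assumption, not the patent's own schedule).

def schedule(n):
    """One list of (a, b) word pairs per first-loop iteration j; pair m satisfies a + b == 2j + m."""
    m_outer = (n + 1) // 2                        # M = floor((N + 1) / 2)
    l_inner = (n * (n + 1) // 2) // m_outer       # all N(N+1)/2 pairs spread over M equal loops
    sched = []
    for j in range(m_outer):
        pairs = []
        for m in range(l_inner):
            if m <= n - 1 - j:
                a, b = j, j + m                   # row j of the upper triangle: X_j * X_b, b >= j
            else:
                t = m - (n - j)                   # leftover pairs from the lower-right block
                a, b = m_outer + t, n - m_outer + j
            assert a <= b < n and a + b == 2 * j + m
            pairs.append((a, b))
        sched.append(pairs)
    return sched


def equalized_square(x_words, word_bits):
    """Little-endian words in, 2N little-endian words of the square out."""
    n = len(x_words)
    base = 1 << word_bits
    acc = [0] * (2 * n + 1)                       # accumulator A_s per column s = a + b
    for j, pairs in enumerate(schedule(n)):
        carry = 0                                  # the carry of inner iteration m feeds m + 1
        for m, (a, b) in enumerate(pairs):
            s = 2 * j + m
            f = 1 if a == b else 2                 # off-diagonal products occur twice in X^2
            v = f * x_words[a] * x_words[b] + carry + acc[s]
            acc[s], carry = v % base, v // base    # low word stays in A_s, high part is the new carry
        s = 2 * j + len(pairs)                     # flush what the last column left over
        while carry:
            v = acc[s] + carry
            acc[s], carry = v % base, v // base
            s += 1
    return acc[:2 * n]


def square_int(x, word_bits=8):
    """Convenience wrapper: split x into words, square with the equalized loops, rejoin."""
    n = max(1, (x.bit_length() + word_bits - 1) // word_bits)
    mask = (1 << word_bits) - 1
    words = [(x >> (word_bits * i)) & mask for i in range(n)]
    out = equalized_square(words, word_bits)
    return sum(w << (word_bits * i) for i, w in enumerate(out))
```

Equal inner-loop lengths matter for a pipelined ALU because every first-loop iteration then has the same shape and the same number of multiplier issues, so the loop control and its timing do not depend on j; the schedule above keeps that property for even and odd N alike.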

Publication date: 21-02-2019

TESTING RESISTANCE OF A CIRCUIT TO A SIDE CHANNEL ANALYSIS

Number: US20190057228A1
Assignee:

In a general aspect, a test method can include: acquiring a plurality of value sets, each comprising values of a physical quantity or of logic signals, linked to the activity of a circuit to be tested when executing distinct cryptographic operations applied to a same secret data, for each value set, counting occurrence numbers of the values of the set, for each operation and each of the possible values of a part of the secret data, computing a partial result of operation, computing sums of occurrence numbers, each sum being obtained by adding the occurrence numbers corresponding to the operations which when applied to a same possible value of the part of the secret data, provide a partial operation result having a same value, and analyzing the sums of occurrence numbers to determine the part of the secret data. 1. A test method comprising:acquiring a plurality of value sets, each value set comprising values of a physical quantity, or of logic signals linked to activity of a circuit to be tested when the circuit executes an operation of an operation set of distinct cryptographic operations applied to a same data to be discovered;for each value set, counting, by a processing unit, occurrence numbers of values transformed by a first surjective function applied to values of the value set, to form an occurrence number set for the value set;for each operation of the operation set, and each possible value of a part of the data to be discovered, computing, by the processing unit, results of at least two distinct partial operations;computing, by the processing unit, for each partial operation result, cumulative occurrence number sets, each cumulative occurrence number set being obtained by adding together the occurrence number sets corresponding to the operations of the operation set, which, when applied to a same value or equivalent value of the possible values of the part of the data to be discovered, provide a partial operation result having a same transformed value ...

Publication date: 01-03-2018

PROTECTION OF A MODULAR EXPONENTIATION CALCULATION

Number: US20180060040A1
Assignee:

A method of protecting a modular exponentiation calculation on a first number and an exponent, modulo a first modulo, executed by an electronic circuit using a first register or memory location and a second register or memory location, successively including, for each bit of the exponent: generating a random number; performing a modular multiplication of the content of the first register or memory location by that of the second register or memory location, and placing the result in one of the first and second registers or memory locations selected according to the state of the bit of the exponent; performing a modular squaring of the content of one of the first and second registers or memory locations selected according to the state of the exponent, and placing the result in this selected register or memory location, the multiplication and squaring operations being performed modulo the product of the first modulo by said random number.

1. A method, comprising: performing, using an electronic circuit, a modular exponentiation calculation on a first number and an exponent, modulo a first modulo by, for each bit of the exponent: generating a random number; performing a modular multiplication of content of a first memory location by content of a second memory location, and placing a result in one of the first and second memory locations selected according to a state of the bit of the exponent; and performing a modular squaring of the content of one of the first and second memory locations selected according to the state of the exponent, and placing the result in this selected register or memory location, the multiplication and squaring operations being performed modulo a product of the first modulo and said random number. 2. The method of claim 1, wherein a result of the modular exponentiation calculation is contained in said first memory location. 3. The method of claim 1, comprising: initializing the first memory location to value 1; and initializing the second memory location to a ...
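The register sequence of the claim is a Montgomery ladder (multiply into the register chosen by the exponent bit, then square the other one) in which every step is reduced modulo n times a fresh random r. Because n divides n * r, both registers stay congruent to the unprotected values modulo n while the stored intermediates differ from run to run. The following added Python example, not STMicroelectronics' or the patent's code, shows exactly that; the random source parameter and the trace list are additions so that the behaviour can be checked deterministically.

```python
# Added example, not the patent's code: a Montgomery ladder whose two registers are reduced, for
# every exponent bit, modulo n * r with a fresh random r.  Because n divides n * r, every register
# stays congruent to the unprotected value modulo n, while the stored intermediates change from
# run to run.  `rand` and `trace` are additions for demonstration and testing.
import secrets


def protected_modexp(x, e, n, rand=None, trace=None):
    """x^e mod n; `rand` returns a fresh random integer per bit (made odd so the modulus never collapses)."""
    rand = rand or (lambda: secrets.randbits(32))
    r0, r1 = 1, x % n                      # first register := 1, second register := x
    for bit in bin(e)[2:]:
        mod = n * (rand() | 1)             # the per-bit modulus n * r
        if bit == "0":                     # product into the second register, square the first
            r1 = r0 * r1 % mod
            r0 = r0 * r0 % mod
        else:                              # product into the first register, square the second
            r0 = r0 * r1 % mod
            r1 = r1 * r1 % mod
        if trace is not None:
            trace.append((r0, r1))
    return r0 % n                          # the result sits in the first register; reduce once modulo n


def plain_ladder(x, e, n):
    """The same ladder without the randomised modulus, for comparison of the register contents."""
    r0, r1 = 1, x % n
    for bit in bin(e)[2:]:
        if bit == "0":
            r1, r0 = r0 * r1 % n, r0 * r0 % n
        else:
            r0, r1 = r0 * r1 % n, r1 * r1 % n
    return r0
```

The invariant to keep in mind when reviewing such code is that r0 ≡ x^p and r1 ≡ x^(p+1) (mod n) hold after processing the prefix p of the exponent, whatever multiple of n the reduction used; the randomisation changes what an observer of the registers sees, not the arithmetic the result depends on.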

Publication date: 01-03-2018

PROTECTION OF A MODULAR CALCULATION

Number: US20180060566A1
Assignee:

A method of protecting a modular calculation on a first number and a second number, executed by an electronic circuit, including the steps of: combining the second number with a third number to obtain a fourth number; executing the modular calculation on the first and fourth numbers, the result being contained in a first register or memory location; initializing a second register or memory location to the value of the first register or to one; and successively, for each bit at state 1 of the third number: if the corresponding bit of the fourth number is at state 1, multiplying the content of the second register or memory location by the inverse of the first number and placing the result in the first register or memory location; if the corresponding bit of the fourth number is at state 0, multiplying the content of the second register or memory location by the first number and placing the result in the first register or memory location.

1. A method, comprising: performing, using an electronic circuit, a modular calculation on a first number and a second number, the performing the modular calculation including: combining the second number with a third number to obtain a fourth number; executing the modular calculation on the first and fourth numbers, the result being contained in a first memory location; initializing a second memory location; and successively, for each bit of the third number at a first state: if a corresponding bit of the fourth number is at a first state, a content of the second memory location is multiplied by an inverse of the first number and the result is placed in the first memory location; and if the corresponding bit of the fourth number is at a second state, the content of the second memory location is multiplied by the first number and the result is placed in the first memory location. 2. The method of claim 1, wherein the first memory location is a first register of the electronic circuit and the second memory location is a second register of the ...

Publication date: 10-03-2022

ARITHMETIC DEVICE AND METHOD

Number: US20220078012A1
Author: INOUE Kazuki
Assignee: Kioxia Corporation

According to an embodiment, the arithmetic device includes a controller. The controller is configured to: convert a bit string of m bits (where m is an integer of 4 or more) representing a multiplication value k when a certain condition is satisfied; set a value based on a coordinate value P of a specific point for a first variable and a second variable based on a second bit value from a least significant bit of the bit string; perform loop processing (m−3) times for multiplication processing of performing multiplication on the first variable and addition processing of adding two different points which are not infinite points by adding the first variable and the second variable; and output a coordinate value kP obtained by a scalar multiplication of the coordinate value P with the multiplication value k based on processing for a most significant bit of the bit string.

1. An arithmetic device comprising a controller, the controller being configured to: convert a bit string of m bits (where m is an integer of 4 or more) representing a multiplication value k when a certain condition is satisfied; set a value based on a coordinate value P of a specific point for a first variable and a second variable based on a second bit value from a least significant bit of the bit string; perform loop processing (m−3) times for multiplication processing of performing multiplication on the first variable and addition processing of adding two different points which are not infinite points by adding the first variable and the second variable; and output a coordinate value kP obtained by a scalar multiplication of the coordinate value P with the multiplication value k based on processing for a most significant bit of the bit string. 2. The arithmetic device according to claim 1, wherein the controller is configured to perform the multiplication processing of performing multiplication on the first variable, and the addition processing of adding the first variable and the second ...

Publication date: 20-02-2020

METHOD FOR GENERATING A PRIME NUMBER FOR A CRYPTOGRAPHIC APPLICATION

Number: US20200057611A1
Assignee:

The present invention relates to a method for generating a prime number and using it in a cryptographic application, comprising the steps of: a) determining at least one binary base B with a small size b = log2(B) bits and for each determined base B at least one small prime p_i such that B mod p_i = 1, with i an integer, b) selecting a prime candidate Y, c) decomposing the selected prime candidate Y in a base B selected among said determined binary bases: Y = Σ_k y_k B^k, d) computing a residue y from the candidate Y for said selected base such that y = Σ_k y_k, e) testing if said computed residue y is divisible by one small prime p_i selected among said determined small primes for said selected base B, f) while said computed residue y is not divisible by said selected small prime, iteratively repeating above step e) until tests performed at step e) prove that said computed residue y is not divisible by any of said determined small primes for said selected base B, g) when said computed residue y is not divisible by any of said determined small primes for said selected base B, iteratively repeating steps c) to f) for each base B among said determined binary bases, h) when, for all determined bases B, said residue y computed for a determined base is not divisible by any of said determined small primes for said determined base B, executing a known rigorous probable primality test on said candidate Y, and when the known rigorous probable primality test is a success, storing said prime candidate Y and using said stored prime candidate Y in said cryptographic application.

1. A method for generating a prime number and using it in a cryptographic application, comprising the steps of: a) determining, via a processing system (2) comprising at least one hardware processor (4), a test primality circuit (3) and a memory circuit (5), at least one binary base B with a small size b = log2(B) bits and for each determined base B, at least one small prime p_i such that B mod p_i = 1, with i an ...
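Steps a) to h) carried through in Python, as an added example that is not the patent's code. The trick is that with B = 2^b and B mod p = 1, the base-B digits y_k of a candidate Y = Σ y_k B^k satisfy Y mod p = (Σ y_k) mod p, so one digit sum per base, computed with shifts and adds, replaces one long division per small prime. The bases and prime sets below are assumptions chosen from the factorisations of 2^b − 1 given in the comments, and Miller-Rabin stands in for the "known rigorous probable primality test".

```python
# Added example, not the patent's code: sieving prime candidates through base decompositions.
# With B = 2^b and a small prime p such that B mod p = 1, the base-B digits y_k of a candidate
# Y = sum(y_k * B^k) satisfy Y mod p = (sum of y_k) mod p, so one digit sum per base serves every
# prime attached to that base.  The bases and prime sets are assumptions taken from the
# factorisations of 2^b - 1 in the comments.
import random

BASES = {                # b -> primes p with 2^b = 1 (mod p)
    12: (3, 5, 7, 13),   # 2^12 - 1 = 4095 = 3^2 * 5 * 7 * 13
    10: (11, 31),        # 2^10 - 1 = 1023 = 3 * 11 * 31
    11: (23, 89),        # 2^11 - 1 = 2047 = 23 * 89
    8: (17,),            # 2^8 - 1 = 255 = 3 * 5 * 17
    9: (73,),            # 2^9 - 1 = 511 = 7 * 73
    14: (43, 127),       # 2^14 - 1 = 16383 = 3 * 43 * 127
}


def residue(candidate, b):
    """Sum of the base-2^b digits of the candidate: its residue modulo every p with 2^b = 1 mod p."""
    mask = (1 << b) - 1
    total = 0
    while candidate:
        total += candidate & mask
        candidate >>= b
    return total


def passes_sieve(candidate):
    """Steps c) to g): False as soon as one small prime of one base divides the candidate."""
    for b, primes in BASES.items():
        r = residue(candidate, b)
        if any(r % p == 0 for p in primes):
            return False
    return True


def miller_rabin(n, rounds=32, rng=None):
    """Step h): the probable-prime test run only on candidates that survived the sieve."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = rng or random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits, rng=None):
    """Odd candidates of exactly `bits` bits are drawn until one passes the sieve and Miller-Rabin."""
    assert bits >= 16, "assumed: candidates are far larger than the sieve's small primes"
    rng = rng or random.SystemRandom()
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if passes_sieve(cand) and miller_rabin(cand, rng=rng):
            return cand
```

The size assumption matters: a candidate equal to one of the small primes has a residue divisible by itself and would be rejected, which is harmless for key-sized candidates but would make the sieve wrong for tiny inputs.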

Publication date: 02-03-2017

VERIFICATION OF THE SENSITIVITY OF AN ELECTRONIC CIRCUIT EXECUTING A MODULAR EXPONENTIATION CALCULATION

Number: US20170060535A1
Author: Teglia Yannick
Assignee:

A method of verifying the sensitivity of an electronic circuit executing a modular exponentiation calculation in a first register and a second register, successively including, for each bit of the exponent: a first step of multiplying the content of one of the registers, selected from among the first register and the second register according to the state of the bit of the exponent, by the content of the other one of the first and second registers, placing the result in said one of the registers; a second step of squaring the content of said other one of the registers by placing the result in this other register, wherein the content of that of the first and second registers which contains the multiplier of the operation of the first step is disturbed, for each bit of the exponent, during the execution of the first step.

1. A method, comprising: verifying a sensitivity of an electronic circuit executing a modular exponentiation calculation using a first register and a second register, wherein: the executing the modular exponentiation calculation includes, successively for each bit of an exponent of the calculation: multiplying content of one of the registers, selected from among the first register and the second register according to a state of a current bit of the exponent, by content of the other one of the first and second registers, and placing a result of the multiplication in said one of the first and second registers; and squaring content of said other one of the first and second registers and placing a result of the squaring in the other of the first and second registers; and the verifying includes: disturbing, for each bit of the exponent of the calculation, content of at least one of the first and second registers during the multiplying; and determining the sensitivity of the electronic circuit based on disturbed results of the modular exponentiation calculation. 2. The method of claim 1, wherein the multiplying is implemented using a Montgomery ladder. 3. The ...

Publication date: 02-03-2017

Protection of a modular exponentiation calculation

Number: US20170061119A1
Author: Yannick Teglia
Assignee: STMICROELECTRONICS ROUSSET SAS

A method of protecting a modular exponentiation calculation executed by an electronic circuit using a first register and a second register, successively comprising, for each bit of the exponent: a first step of multiplying the content of one of the registers, selected from among the first register and the second register according to the state of the bit of the exponent, by the content of the other one of the first and second registers, placing the result in said one of the registers; a second step of squaring the content of said other one of the registers by placing the result in this other register, wherein the content of said other one of the registers is stored in a third register before the first step and is restored in said other one of the registers before the second step.

Publication date: 05-03-2015

FINITE FIELD INVERTER

Number: US20150067011A1
Author: TANG Shaohua, Yi Haibo
Assignee: SOUTH CHINA UNIVERSITY OF TECHNOLOGY

A finite field inverter is disclosed, wherein the finite field inverter includes an input port, an output port and a search tree inverse circuit configured to perform an inverse operation of the operand α(x) in the finite field GF(2^n) based on a search tree structure. The search tree inverse circuit is provided with a left search tree and a right search tree. The left search tree and the right search tree each includes tree nodes for processing inverse operations over the finite field GF(2^n) and connecting wires connected between the tree nodes. The tree nodes include a root node, internal nodes and leaf nodes. Each path from the root node to a leaf node represents an element in the finite field GF(2^n). The connecting wires between the tree nodes connect the path representing the operand α(x) with the path representing the inversion result b(x). The present invention uses a search tree inverse circuit to achieve an inverse operation of an element in a finite field, and compared with the existing finite field inverter, the present invention is more efficient in processing inverse operations over the finite field GF(2^n).

1. A finite field inverter, comprising: an input port, configured to input an operand α(x); a search tree inverse circuit, configured to perform an inverse operation of the operand α(x) in the finite field GF(2^n) based on a search tree structure; an output port, configured to output an inversion result b(x) of the operand α(x); wherein the search tree inverse circuit is provided with a left search tree and a right search tree; the left search tree and the right search tree each comprises tree nodes for processing inverse operations over the finite field GF(2^n) and connecting wires connected between the tree nodes, the tree nodes comprise a root node, internal nodes and leaf nodes, each path from the root node to a leaf node represents an element in the finite field GF(2^n); and the connecting wires between the tree nodes ...

Publication date: 01-03-2018

SECURE ELLIPTIC CURVE CRYPTOGRAPHY INSTRUCTIONS

Number: US20180062843A1
Author: Gopal Vinodh
Assignee:

A processor of an aspect includes a decode unit to decode an elliptic curve cryptography (ECC) point-multiplication with obfuscated input information instruction. The ECC point-multiplication with obfuscated input information instruction is to indicate a plurality of source operands that are to store input information for an ECC point-multiplication operation. At least some of the input information that is to be stored in the plurality of source operands is to be obfuscated. An execution unit is coupled with the decode unit. The execution unit, in response to the ECC point-multiplication with obfuscated input information instruction, is to store an ECC point-multiplication result in a destination storage location that is to be indicated by the ECC point-multiplication with obfuscated input information instruction. Other processors, methods, systems, and instructions are disclosed.

1. A processor comprising: a decode unit to decode an elliptic curve cryptography (ECC) point-multiplication with obfuscated input information instruction, the ECC point-multiplication with obfuscated input information instruction to indicate a plurality of source operands that are to store input information for an ECC point-multiplication operation, wherein at least a portion of the input information that is to be stored in the plurality of source operands is to be obfuscated; and an execution unit coupled with the decode unit, the execution unit, in response to the ECC point-multiplication with obfuscated input information instruction, to store an ECC point-multiplication result in a destination storage location that is to be indicated by the ECC point-multiplication with obfuscated input information instruction. 2. The processor of claim 1, wherein the plurality of source operands are to store at least one of an obfuscated scalar multiplier, an obfuscated base point, or an obfuscated modulus. 3. The processor of claim 1, wherein the plurality of source operands are to ...

Publication date: 29-05-2014

Three dimensional integrated circuit connection structure and method

Number: US20140145757A1
Author: Shyh-An Chi

An integrated circuit die stack comprises a first die and a second die connected to each other. Each of the first and second dies comprise a functional circuitry, a plurality of first contacts on a first surface of the respective die, a plurality of second contacts on a second surface of the respective die, and a programmable array coupled to the functional circuitry and the plurality of first and second contacts. The programmable array includes a plurality of programmable connection elements in the first and second dies. The programmable connection elements are programmed to bypass one of the first and second dies.

Publication date: 27-02-2020

Float Division by Constant Integer

Number: US20200065066A1
Author: Elliott Sam, KALLEN Jonas
Assignee:

A binary logic circuit for determining the ratio x/d where x is a variable integer input, the binary logic circuit comprising: a logarithmic tree of modulo units each configured to calculate x[a:b] mod d for respective block positions a and b in x where b > a, with the numbering of block positions increasing from the most significant bit of x up to the least significant bit of x, the modulo units being arranged such that a subset of M−1 modulo units of the logarithmic tree provide x[0:m] mod d for all m ∈ {1, …, M}, and, on the basis that any given modulo unit introduces a delay of 1: all of the modulo units are arranged in the logarithmic tree within a delay envelope of ⌈log2 M⌉; and more than M − 2^v of the subset of modulo units are arranged at the maximal delay of ⌈log2 M⌉, where 2^v is the power of 2 immediately smaller than M. 2. The binary logic circuit as claimed in claim 1, wherein divisor d = 2^n ± 1 for integer n ≥ 2. 3. The binary logic circuit as claimed in claim 1, wherein the number of blocks of the input is M = 2^v + 1 for integer v ≥ 3 and at least two modulo units are arranged at the maximal delay of ⌈log2 M⌉. 4. The binary logic circuit as claimed in claim 1, wherein each modulo unit receives a pair of input values, each input value being, depending on the position of the modulo unit in the logarithmic tree, a block of the input x or an output value from another modulo unit, and each modulo unit being configured to combine its pair of input values and perform its mod d operation on the resulting binary value. 5. The binary logic circuit as claimed in claim 1, wherein the modulo units of the logarithmic tree are arranged in a plurality of stages, where no modulo unit of a given stage receives an input value from a modulo unit of a higher stage, the modulo units of a first, lowest stage are each arranged to receive a pair of adjacent blocks from the input x as input values, and the modulo units of each higher ...

Publication date: 17-03-2022

Multiplication Methods, Non-Transitory Computer-Readable Media, and Multiplication Devices

Number: US20220085970A1

Efficient polynomial multiplication for Accelerated Fully Homomorphic Encryption (FHE). An efficient method for large integer and polynomial multiplication in a ring using negacyclic convolution and discrete Galois transform with arbitrary primes is described. The method is adapted to work with arbitrary primes that support Gaussian arithmetic. Dealing with non-Gaussian primes gives rise to another problem of how to find primitive roots of unity and of (i). An efficient solution to find those roots of interest is provided. 1. A homomorphic encryption method using at least one processor, the homomorphic encryption method comprising: receiving an input data; and homomorphically encrypting the input data to obtain a homomorphically encrypted data, including multiplying a first polynomial and a second polynomial associated with the input data, wherein said multiplying comprises: providing a prime number p; determining a first discrete Galois transform based on the first polynomial and the prime number; determining a second discrete Galois transform based on the second polynomial and the prime number; determining a point-wise product of the first discrete Galois transform and the second discrete Galois transform; determining an inverse discrete Galois transform based on the point-wise product; and determining a polynomial product of the first polynomial and the second polynomial based on the inverse discrete Galois transform. 2. The homomorphic encryption method of claim 1, ...

Publication date: 17-03-2022

SYSTEM AND METHOD TO GENERATE PRIME NUMBERS IN CRYPTOGRAPHIC APPLICATIONS

Number: US20220085998A1

Aspects of the present disclosure involve a method, a system and a computer readable memory to generate and use prime numbers in cryptographic operations by determining one or more polynomial functions that have no roots modulo each of a predefined set of prime numbers, selecting one or more input numbers, generating a candidate number by applying one or more instances of the one or more polynomial functions to the one or more input numbers, determining that the candidate number is a prime number, and using the determined prime number to decrypt an input into the cryptographic operation. 1. A method to perform a cryptographic operation, the method comprising: determining, by a processing device, one or more polynomial functions that have no roots modulo each of a predefined set of prime numbers; selecting, by the processing device, one or more input numbers; generating, by the processing device, a candidate number by applying one or more instances of the one or more polynomial functions to the one or more input numbers; determining, by the processing device, that the candidate number is a prime number; and using, by the processing device, the determined prime number to decrypt an input into the cryptographic operation. 2. The method of claim 1, wherein the one or more polynomial functions are quadratic functions whose discriminant is a quadratic nonresidue modulo each of the predefined set of prime numbers. 3. The method of claim 1, wherein a number of the one or more input numbers is at least four. 4. The method of claim 1, wherein generating the candidate number comprises determining a product of the one or more instances of the one or more polynomial functions. 5. The method of claim 4, wherein the product of the one or more instances of the one or more polynomial functions is determined modulo a modulus number, wherein the modulus number is divisible by each of the predefined set of prime numbers. 6. The method of claim 5, wherein the product of the one or ...

Publication date: 12-03-2015

S12 TX FIR ARCHITECTURE

Number: US20150074160A1

A FIR transmit architecture uses multiple driver divisions to allow signals with different delays to be summed into the output signal by the driver itself. The architecture includes a first multiplexer, a plurality of delay cells, a plurality of sign blocks, a switch block, a second multiplexer, and a plurality of drivers. 1-23. (canceled) 24. A transmitter finite impulse response (TX FIR) architecture, comprising: a multiplexer; a plurality of delay cells coupled to the multiplexer; a plurality of sign operators coupled to the plurality of delay cells; a plurality of serializer multiplexers, each coupled to a respective sign operator; and a plurality of driver groups, each coupled to a respective serializer multiplexer. 25. The TX FIR architecture of claim 24, wherein each driver group comprises at least one driver. 26. The TX FIR architecture of claim 24, wherein the multiplexer comprises a 20:4 multiplexer configured to output a four-bit data signal. 27. The TX FIR architecture of claim 24, wherein the multiplexer comprises a 16:4 multiplexer configured to output a four-bit data signal. 28. The TX FIR architecture of claim 24, wherein the plurality of delay cells are configured to output delayed versions of an input data signal from the multiplexer. 29. The TX FIR architecture of claim 24, wherein the multiplexer is configured to output a 4-bit data signal; and wherein the plurality of delay cells comprises 6 delay cells configured to output up to six-tap delayed versions of the 4-bit data signal from the multiplexer. 30. The TX FIR architecture of claim 24, wherein the multiplexer is configured to output a 4-bit data signal; and wherein the plurality of serializer multiplexers each comprises a 4:1 multiplexer configured to serialize the 4-bit data signal into a serial stream. 31. The TX FIR architecture of claim 24, further comprising a summing unit coupled to the plurality of driver groups. 32. The TX FIR architecture of claim 24, wherein each driver group comprises at ...

Publication date: 10-03-2016

Method and apparatus for scalar multiplication secure against differential power attacks

Number: US20160072622A1
Assignee: Umm al-Qura University

A method of scalar multiplication to obtain the scalar product between a key and a point on an elliptic curve, wherein the secret is m bits long. In selected embodiments, the first step is to partition the secret into two partitions each with m/2 bits. Point-doubling operations are performed on the point and stored into three buffers. Point additions are performed at randomized time intervals thereby preventing the method from being susceptible to differential power analysis attacks.

Publication date: 29-05-2014

METHOD OF PERFORMING MULTIPLICATION OPERATION IN BINARY EXTENSION FINITE FIELD

Number: US20140149479A1

In a method of performing a multiplication operation in a binary extension finite field, a polynomial defined by 6. The method of claim 5, wherein the preset integer r is 8. This application claims the benefit of Korean Patent Application Nos. 10-2012-0137290 filed on Nov. 29, 2012 and 10-2013-0086945 filed on Jul. 23, 2013, which are hereby incorporated by reference in their entireties into this application. 1. Technical Field. The present invention relates generally to a method of performing a multiplication operation in a binary extension finite field and, more particularly, to a method that produces a polynomial by expanding polynomial basis multiplication for the multiplication of two polynomials in a binary extension finite field GF(2) and performs a multiplication operation in a binary extension finite field using a mapping table in which bit values having pieces of information about respective terms of the produced polynomial are mapped to respective rows. 2. Description of the Related Art. An Elliptic Curve Cryptosystem (ECC) was proposed by Neal Koblitz and Victor Miller in 1985 and since then, a lot of research into ECC has been conducted as a public key cryptosystem. This cryptosystem is based on the difficulty of the discrete logarithm of points on an elliptic curve, and is advantageous in that it is processed faster and has a smaller key than the Rivest-Shamir-Adleman (RSA) algorithm/Digital Signature Algorithm (DSA), which are widely utilized as conventional public key cryptosystems, when a comparison is performed at the same security level. For example, it is well known that the security of ECC having a key size of about 160 bits is identical to that of RSA having a key size of 1024 bits. Therefore, ECC has attracted attention as a public key cryptosystem suitable for smart cards or the like having limited computing ability and memory. Operations in such ECC include operations of points on an elliptic curve, which include the addition of two different points, ...

Publication date: 11-03-2021

IMAGE DATA DECOMPRESSION

Number: US20210074026A1

A method and decompression unit for performing decompression to determine image element values from compressed data representing a block of image element values each comprising one or more data values relating to a respective one or more channels. An indication of an origin value for each of the channels is read from the compressed data. For each of the channels, an indication of a first number of bits for representing difference values between the data values and the origin value for the channel is read from the compressed data. For each of the one or more channels, a second number of bits is obtained, wherein representations of the difference values for each of the channels are included in the compressed data using the second number of bits for that channel. The obtained second numbers of bits for the respective channels are used to read the representations of the difference values for the image element values being decompressed from the compressed data. Based on the representations of the difference values read from the compressed data, for each of the channels and for each of the image element values being decompressed, a difference value is determined in accordance with the first number of bits for the channel. For each of the one or more channels, the data value relating to the channel for each of the image element values being decompressed is determined using: (i) the origin value for the channel, and (ii) the determined difference value for the channel for the image element value. 1. 
A computer-implemented method of performing decompression to determine one or more image element values from compressed data, wherein the compressed data represents a block of image data comprising a plurality of image element values, each image element value comprising one or more data values relating to a respective one or more channels, the method comprising: reading, from the compressed data, an indication of an origin value for each of the one or more channels; reading, ...

Publication date: 11-03-2021

IMAGE DATA COMPRESSION

Number: US20210074027A1

A method and compression unit for compressing a block of image data to satisfy a target level of compression, wherein the block of image data comprises a plurality of image element values, each image element value comprising one or more data values relating to a respective channel. For each of the channels: (i) an origin value for the channel for the block is determined, (ii) difference values are determined representing differences between the data values and the determined origin value for the channel for the block, and (iii) a first number of bits for losslessly representing a maximum difference value of the difference values for the channel for the block is determined. The determined first number of bits for each of the channels is used to determine a respective second number of bits for each of the channels, the second number of bits being determined such that representing each of the difference values for the channels with the respective second number of bits satisfies the target level of compression for compressing the block of image data. Compressed data is formed, having for each of the one or more channels an indication of the determined origin value for the channel, an indication of the determined first number of bits for the channel, and representations of the determined difference values for the channel, wherein each of the representations of the determined difference values for the channel uses the determined second number of bits for the channel, such that the target level of compression is satisfied. 1. 
A computer-implemented method of compressing a block of image data to satisfy a target level of compression, wherein the block of image data comprises a plurality of image element values, each image element value comprising one or more data values relating to a respective one or more channels, the method comprising: determining an origin value for the channel for the block; determining difference values representing differences between the data ...

Publication date: 19-03-2015

Integrated circuit die stack

Number: US20150077160A1
Author: Shyh-An Chi

An integrated circuit die stack comprises a first die coupled with a second die. The first die has a first memory volume. The second die has a second memory volume different from the first memory volume. Each of the first and second dies comprises a functional circuitry and a programmable array coupled with the functional circuitry. The programmable arrays in the first and second dies are programmed to bypass one of the first die or the second die having the smaller of the first memory volume or the second memory volume at a first time period.

Publication date: 11-03-2021

SYSTEM AND METHOD FOR SECURELY SHARING CRYPTOGRAPHIC MATERIAL

Number: US20210075597A1

Systems and methods described herein relate to techniques in which multiple parties each generate and exchange quantities that are based on a shared secret (e.g., powers of the shared secret) without exposing the shared secret. According to a protocol, two or more parties may exchange sets of elliptic curve points generated over polynomials that can be used, by each of the two or more parties, to determine a power of a shared secret. The protocol may be utilised as part of determining parameters for a smart contract that is broadcast to a blockchain network (e.g., Bitcoin). Based on the protocol, an additional party (e.g., a third party different from the two or more parties) may perform a computational task such as execution of the smart contract. 1. A computer-implemented method comprising: determining, at a participant of a plurality of participants, a function usable to map finite field elements; generating, based on a number of participants, polynomials evaluated in a set of points; distributing the polynomials to corresponding participants of the plurality of participants; determining a sum of polynomials of each participant of the plurality of participants, wherein the sum corresponds to a power of a secret; and collectively generating, among the plurality of participants and based on the secret, a blockchain transaction. 2. A method according to claim 1, wherein the set of points are a set of elliptic curve points. 3. A method according to claim 1, wherein determining the sum of polynomials is based on a Lagrange interpolation. 4. A method according to claim 1, further comprising determining, based at least in part on the power of the secret, a common reference string that is determinable by the plurality of participants. 5. A method according to claim 1, further comprising receiving corresponding values of polynomials from each participant of the plurality of participants. 6. A method according to claim 1, wherein off-chain communications are ...

Publication date: 17-03-2016

METHOD TO SECURELY EXECUTE A MODULAR EXPONENTIATION

Number: US20160077806A1
Assignee: GEMALTO SA

The present invention relates to a method to execute a modular exponentiation R=X^e mod N, said method implementing several variable registers and an indicator register m and performing looped calculations. In the invention each loop includes at least two operations from values stored in variable registers, said operations depending on the value stored in m and on the value of the bit(s) of the exponent currently processed, m indicating if the calculation is completed for the current exponent bit at the end of the operations in the current loop. 2. Method according to claim 1, wherein said termination step returns an error message when e_i is null and the value in m indicates the calculation is not completed for the current exponent bit, returns the result of a last square operation of the current intermediate result if e_i is null and the value in m indicates the calculation is completed for the current exponent bit, returns the result of a last square of the current intermediate result and a last multiplication of the current intermediate result by X if e_i=1 and the value in m indicates the calculation is completed for the current exponent bit, returns the result of a last operation of multiplication of the current intermediate result by X if e_i=1 and the value in m indicates the calculation is not completed for the current exponent bit. 3. Method according to claim 1, wherein two variable registers R and R are used, step a) including the initialization of R and R to 1 and X and step c) comprising performing the following operations: R_0 ← R_0 · R_m mod N; R_0 ← R_0 · R_(e_i & [custom character] m) mod N. 4. Method according to claim 1, wherein an additional register is used for ...

Publication date: 07-03-2019

Modular reduction device

Number: US20190073196A1
Author: Thomas HISCOCK

A modular reduction device particularly for cryptography on elliptical curves. The device includes a Barrett modular reduction circuit and a cache memory in which the results of some precalculations are carried out. When the result is not present in the cache memory, a binary division circuit makes the precalculation and stores the result in the cache memory.

Publication date: 24-03-2022

HOMOMORPHIC ENCRYPTION FOR MACHINE LEARNING AND NEURAL NETWORKS USING HIGH-THROUGHPUT CRT EVALUATION

Number: US20220094517A1
Assignee: Intel Corporation

Embodiments are directed to homomorphic encryption for machine learning and neural networks using high-throughput Chinese remainder theorem (CRT) evaluation. An embodiment of an apparatus includes a hardware accelerator to receive a ciphertext generated by homomorphic encryption (HE) for evaluation, decompose coefficients of the ciphertext into a set of decomposed coefficients, multiply the decomposed coefficients using a set of smaller modulus determined based on a larger modulus, and convert results of the multiplying back to an original form corresponding to the larger modulus. 1. An apparatus comprising: a hardware accelerator to receive a ciphertext generated by homomorphic encryption (HE) for evaluation; decompose coefficients of the ciphertext into a set of decomposed coefficients; multiply the decomposed coefficients using a set of smaller modulus determined based on a larger modulus; and convert results of the multiplying back to an original form corresponding to the larger modulus. 2. The apparatus of claim 1, wherein the decomposed coefficients are multiplied independently from one another using the smaller modulus. 3. The apparatus of claim 2, wherein the smaller modulus comprise at least one of generalized Mersenne primes or pseudo Mersenne primes. 4. The apparatus of claim 1, wherein the hardware accelerator to decompose the coefficients comprises the hardware accelerator to perform a Chinese remainder theorem (CRT) decomposition of the coefficients. 5. The apparatus of claim 4, wherein the hardware accelerator further comprises a set of multiplier circuits, reduction circuits, addition circuits, and modular reduction circuits to perform the CRT decomposition of the coefficients. 6. The apparatus of claim 1, wherein the hardware accelerator to convert the results comprises the hardware accelerator to perform a reverse Chinese remainder theorem (CRT) transform on the results of the multiplying. 7. The apparatus of ...

Publication date: 18-03-2021

Performing constant modulo arithmetic

Number: US20210081178A1
Author: Thomas Rose
Assignee: Imagination Technologies Ltd

A binary logic circuit for determining y=x mod(2m−1), where x is an n-bit integer, y is an m-bit integer, and n>m, includes reduction logic configured to reduce x to a sum of a first m-bit integer β and a second m-bit integer γ; and addition logic configured to calculate an addition output represented by the m least significant bits of the following sum right-shifted by m: a first binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by β; a second binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by γ; and the binary value 1.

Publication date: 05-03-2020

EXPONENT SPLITTING FOR CRYPTOGRAPHIC OPERATIONS

Number: US20200076569A1
Author: Tunstall Michael

A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value. 1-20. (canceled) 21. A method comprising: receiving a first share value and a second share value, wherein a combination of the first share value and the second share value corresponds to a value associated with a cryptographic operation; updating a first value of a first register by performing a first operation with the first and second share values; updating a second value of a second register by performing a second operation with the second share value; selecting, by a processing device, one of the first value of the first register or the second value of the second register based on a particular bit of the second share value; and performing the cryptographic operation with the selected one of the first value of the first register or the second value of the second register. 22. The method of claim 21, wherein the particular bit corresponds to a least significant bit of the second share value. 23. The method of claim 21, wherein the particular bit corresponds to a most significant bit of the second share value. 24. The method of claim 21, wherein the cryptographic operation corresponds to a generation of a signature. 25. The method of claim 21, wherein the value associated with the cryptographic operation corresponds to an exponent value used in the cryptographic operation. 26. The method of claim 21, wherein the first operation and the second operation are each associated with power consumption to reduce susceptibility to a Differential Power Analysis (...

Publication date: 12-06-2014

EXPONENT FLOW CHECKING

Number: US20140164463A1

A technique for checking an exponent calculation for an execution unit that supports floating point operations includes generating, using a residue prediction circuit, a predicted exponent residue for a result exponent of a floating point operation. The technique also includes generating, using an exponent calculation circuit, the result exponent for the floating point operation and generating, using the residue prediction circuit, a result exponent residue for the result exponent. Finally, the technique includes comparing the predicted exponent residue to the result exponent residue to determine whether the result exponent generated by the exponent calculation circuit is correct and, if not, signaling an error. 1. A method of checking an exponent calculation for an execution unit that supports floating point operations, comprising: generating, using an exponent calculation circuit, a result exponent for a floating point operation; generating, using a residue prediction circuit, a predicted exponent residue for the result exponent; generating, using the residue prediction circuit, a result exponent residue for the result exponent; and comparing, using the residue prediction circuit, the predicted exponent residue to the result exponent residue to determine whether the result exponent generated by the exponent calculation circuit is correct and, if not, signaling an error. 2. The method of claim 1, wherein the generating, using a residue prediction circuit, a predicted exponent residue for the result exponent further comprises: multiplying a first operand exponent residue for a first operand exponent by a second operand exponent residue for a second operand exponent to generate a first intermediate exponent residue; and adding a third operand exponent residue for a third operand exponent to the first intermediate exponent residue to generate a second intermediate exponent residue. 3. The method of claim 2, wherein the generating, using a residue ...

Publication date: 24-03-2016

Homogeneous Atomic Pattern for Double, Add, and Subtract Operations for Digital Authentication Using Elliptic Curve Cryptography

Number: US20160087802A1
Author: PEETERS ERIC THIERRY

A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the noise consumption and electromagnetic emanation profile of circuitry performing the operations is identical regardless of operation. A subtraction operation using such an atomic pattern is also disclosed. 1. A method of operating digital logic circuitry to execute a finite field scalar multiplication of a multiplicand representative of a point in the finite field by a binary-valued scalar, comprising the steps of: initializing one or more memory locations storing components of a sum, the sum representative of a point in the finite field; and operating the digital logic circuitry to execute a plurality of operations comprising, for each of a plurality of bit positions in the scalar: doubling an operand representative of one of the sum and the multiplicand; responsive to the bit position having a "1" value, adding first and second operands, the first and second operands representative of the sum and the multiplicand; and then advancing to a next bit position in the scalar; wherein the doubling step is executed using an atomic pattern consisting of: a first addition; then a first multiplication followed by a second multiplication; then a second addition; then a third multiplication followed by a fourth multiplication; then a third addition; then a fifth multiplication; then a fourth addition; then a sixth multiplication followed by a seventh multiplication followed by an eighth multiplication; then a fifth addition; then a ninth multiplication; then a sixth addition followed by a seventh addition; then a tenth multiplication; and then an eighth addition; a first addition; then a first multiplication followed ...

Publication date: 31-03-2022

Float Division by Constant Integer

Number: US20220100471A1
Author: Elliott Sam, KALLEN Jonas

A binary logic circuit for determining the ratio x/d where x is a variable integer input, the binary logic circuit comprising: a logarithmic tree of modulo units each configured to calculate x[a:b] mod d for respective block positions a and b in x where b>a with the numbering of block positions increasing from the most significant bit of x up to the least significant bit of x, the modulo units being arranged such that a subset of M−1 modulo units of the logarithmic tree provide x[0:m] mod d for all m∈{1, M}, and, on the basis that any given modulo unit introduces a delay of 1: all of the modulo units are arranged in the logarithmic tree within a delay envelope of ┌log M┐; and more than M−2 of the subset of modulo units are arranged at the maximal delay of ┌log M┐, where 2 is the power of 2 immediately smaller than M. 2. A binary logic circuit as claimed in claim 1, wherein divisor d=2^n±1 for integer n≥2. 3. A binary logic circuit as claimed in claim 1, wherein the number of blocks of the input is M=2^v+1 for integer v≥3 and at least two modulo units are arranged at the maximal delay of ┌log M┐. 4. A binary logic circuit as claimed in claim 1, wherein each modulo unit receives a pair of input values, each input value being, depending on the position of the modulo unit in the logarithmic tree, a block of the input x or an output value from another modulo unit, and each modulo unit being configured to combine its pair of input values and perform its mod d calculation on the resulting combined pair of input values. 5. A binary logic circuit as claimed in claim 1, wherein the modulo units of the logarithmic tree are arranged in a plurality of stages, where no modulo unit of a given stage receives an input value from a modulo unit of a higher stage, the modulo units of a first, lowest stage are each arranged to receive a pair of adjacent blocks from the input x as input values, and the modulo units of each ...

Publication date: 31-03-2022

DATA LOADING AND STORAGE SYSTEM AND METHOD

Number: US20220100521A1

A data loading and storage system includes a storage module, a buffering module, a control module, a plurality of data loading modules, a plurality of data storage modules and a multi-core processor array module. The data is continuously stored in a DDR, and the data computed by the multi-core processor may be arranged continuously or be arranged according to a certain rule. After DMA reads the data into the DATA_BUF module by a BURST mode, in order to support fast loading of the data into the multi-core processor array, the data loading modules (i.e., load modules) are designed. In order to quickly store the computed result of the multi-core processor array into the DATA_BUF module according to a certain rule, the data storage modules (i.e., store modules) are designed. 1. A data loading and storage system, comprising: a storage module, configured to store configuration instructions and data; a buffering module, comprising an instruction buffering module and a data buffering module, wherein the instruction buffering module is configured to buffer the configuration instructions in the storage module, and the data buffering module is configured to buffer the data in the storage module; a control module, configured to send a trigger signal; a plurality of data loading modules, configured to read the configuration instructions in the instruction buffering module in response to receiving the trigger signal, generate a data address according to the configuration instructions, and read the data in the data buffering module according to the data address; a multi-core processor array module, configured to receive the data read by the plurality of data loading modules, and compute the received data to obtain computed data; and a plurality of data storage modules, configured to receive and store the computed data from the multi-core processor array module; wherein the data buffering module is further configured to receive and buffer the computed data from the multi-core processor ...

Publication date: 31-03-2022

DATA ACCESS OPTIMIZATION IN DISTRIBUTED DATABASE

Number: US20220100799A1
Assignee:

A distributed database receives an instruction to read or write data. The instruction includes a key. The database includes a key space defined by attoshards. An attoshard is a segment of key space having a size, in keys, proportional to a total number of nodes in the database. The attoshard includes keys for cluster segments at predefined positions in the attoshard. Each cluster segment corresponds to one cluster. A node of the database hashes the key to generate a token. The node performs a modulo operation on the token using the total number of nodes in the database to compute a remainder value. The node determines a cluster segment of an attoshard based on a position in the attoshard defined by the remainder value. The node determines a cluster for the instruction based on the cluster segment and executes the instruction at the determined cluster. 1. A computer-implemented method for querying a database distributed across a set of clusters , each cluster including a set of nodes , the computer-implemented method comprising , by a node:receiving an instruction to write or read data, the instruction comprising a key specifying a location for the data within the database, the database including a keyspace defined by attoshards, each attoshard being a segment of the keyspace having a size, in keys, proportional to a total number of nodes in the database, each attoshard comprising keys for a plurality of cluster segments at predefined positions within the attoshard, each cluster segment corresponding to one cluster of the plurality of clusters;hashing the key to generate a token;performing a modulo operation on the token using the total number of nodes in the database to compute a remainder value;determining a cluster segment of an attoshard based on a position in the attoshard defined by the remainder value;determining a cluster of the set of clusters for the instruction corresponding to the determined cluster segment; andexecuting the instruction to write or read 
...

Publication date: 31-03-2022

PERSONNEL INSPECTION WITH THREAT DETECTION AND DISCRIMINATION

Number: US20220101717A1
Assignee:

A method includes receiving, from a plurality of magnetic field receivers including magnetic sensors, data characterizing samples obtained by the plurality of magnetic field receivers, the samples of a combination of a first magnetic field and a second magnetic field resulting from interaction of the first magnetic field and an object; determining, using the received data, a polarizability index of the object, the polarizability index characterizing a magnetic polarizability property of the object; classifying, using the determined polarizability index, the object as threat or non-threat; and providing the classification. Related apparatus, systems, techniques, and articles are also described. 1. A method comprising: receiving, from a plurality of magnetic field receivers including magnetic sensors, data characterizing samples obtained by the plurality of magnetic field receivers, the samples of a combination of a first magnetic field and a second magnetic field resulting from interaction of the first magnetic field and an object; determining, using the received data, a polarizability index of the object, the polarizability index characterizing a magnetic polarizability property of the object; classifying, using the determined polarizability index, the object as threat or non-threat; and providing the classification. 2. The method of claim 1, wherein the polarizability index of the object characterizes at least a shape, a permeability, and a conductivity of the object. 3. The method of claim 1, wherein the polarizability index of the object includes a complex tensor including at least six elements characterizing directional polarizability components of the object at one or more frequencies employed by the transmitting system. 4. The method of claim 1, wherein determining the polarizability index includes solving a set of trial solutions via a precomputed pseudo-inverse, determining a residual for each of the trial solutions, and ...

Publication date: 02-04-2015

Method for Complete Atomic Blocks for Elliptic Curves in Jacobian Coordinates over Prime Fields Countermeasure for Simple-Side Channel Attacks and C-Safe-Fault Attacks for Right-to-Left Algorithms

Number: US20150092940A1
Assignee: Universidad de Santiago de Chile

The present invention describes a method which improves the safety aspects of the previously published atomic blocks for the right-to-left case. This method builds new sets of atomic blocks designed to protect against both simple side-channel attacks and C-safe fault attacks for scalar multiplication for elliptic curves over prime fields. In particular, they comprise eliminating the use of dummy operations in the atomic blocks used in the scalar multiplication ([d]P), which are based on elliptic curves defined on fields of prime characteristic. 1. Atomic blocks to protect cryptosystems against simple side-channel attacks (SSCA) and C-Safe fault attacks, CHARACTERIZED in that they comprise eliminating the use of dummy operations in the atomic blocks used in the scalar multiplication ([d]P), which are based on elliptic curves defined on fields of prime characteristic. 2. The atomic blocks according to claim 1, CHARACTERIZED in that special algebraic substitutions are used for writing formulae of: General Addition, Modified Jacobian doubling and Mixed Jacobian and Chudnovsky Jacobian Addition, having an efficient structure of atomic block (S, N, A, A, M, A) when the scalar multiplication ([d]P) is implemented with right-to-left algorithms. 3. The atomic blocks according to claim 1, CHARACTERIZED in that they comprise balancing the number of squarings (S) and multiplications (M) by using the method presented in [Longa08] and [Bernstein07], as well as other algebraic substitutions to eliminate the use of "dummy" operations which may be subject to C-fault attacks. 4. The atomic blocks according to claim 3, CHARACTERIZED in that they comprise creating ordered pairs (S, M), wherein S is a squaring followed by a multiplication M per each atomic block. 5. The atomic blocks according to claim 1, CHARACTERIZED in that they comprise enumerating the minimum quantity of additions and negations ...

Publication date: 25-03-2021

LOGIC SIMULATION OF CIRCUIT DESIGNS USING ON-THE-FLY BIT REDUCTION FOR CONSTRAINT SOLVING

Number: US20210089695A1
Author: Moon In-Ho
Assignee:

A system performs logic simulation of a circuit design specified using a hardware description language such as Verilog. The system performs constraint solving based on an expression specified in the specification of the circuit design. The system identifies required bits for each variable in the expression. The number of required bits is less than the number of bits specified in the variable declaration. The system performs bit-level constraint solving by performing a bit operation on the set of required bits and a simplified processing of the remaining bits of the variable. Since the original circuit design is preserved with the original bit-widths for simulation, those required bits are used on the fly internally during constraint solving. Furthermore, dynamic bit reductions on arithmetic operations are performed on the fly. The system improves computational efficiency by restricting bit operations to fewer bits of variables and operators of the expression. 1. A method for execution of expressions in logic simulation of a circuit design , the method comprising:receiving a specification of the circuit design, the specification using a hardware declaration language;receiving a request to perform logic simulation of the circuit design;identifying an expression in the specification of the circuit design, the expression specifying an operation based on one or more variables, wherein the specification of the circuit design includes a declaration of the variable;identifying a set of required bits for a variable used in the expression, wherein the number of required bits is less than the number of bits specified in the declaration of the variable;performing, by a processor, bit-level constraint solving using the expression by limiting the operation to the set of required bits;determining a result of logic simulation based on the processing of the logical expression; andsending the results of the logic simulation for display.2. 
The method of claim 1 , further comprising: ...

Publication date: 19-06-2014

Masking with shared random bits

Number: US20140169553A1
Assignee: Microsoft Corp

A non-linear transformation including a plurality of non-linear logical operations is masked to a second or higher order. The masking includes receiving a set of random bits, and machine-masking two or more of the plurality of non-linear logical operations with a same random bit from the set of random bits.

Publication date: 25-03-2021

IMPLICIT RSA CERTIFICATES

Number: US20210091948A1
Assignee: ARRIS Enterprises LLC

A secure digital communications method is provided in which a Certificate Authority generates an improved RSA key pair having a modulus, a public key exponent, a public key, and a private key. The public key exponent can contain descriptive attributes and a digital signature. The digital signature can be responsive to the descriptive attributes and the modulus. A secure session can be established between a first system and a second system, within a secure digital communication protocol. The second system can verify the digital signature to authenticate the public key. 1. A method for secure digital communications comprising the steps of: generating by a certificate authority an asymmetric key pair comprising a first public key and a private key; and providing in the first public key descriptive attributes and a digital signature, wherein the digital signature is responsive to at least part of the first public key, wherein the asymmetric key pair is a Rivest, Shamir, and Adleman (RSA) key pair, wherein the asymmetric key pair further comprises a modulus n and a public key exponent e, wherein the public key exponent e includes the descriptive attributes and the digital signature, wherein a first portion of the public key exponent e is allocated to descriptive attributes, wherein a second portion of the public key exponent e is allocated to the digital signature, and wherein the digital signature is responsive to the modulus and the descriptive attributes. 2. The method of further comprising the steps of: passing the modulus and the public key exponent from a first system to a second system; establishing a secure session between the first system and the second system, within a secure digital communication protocol, responsive to the modulus and the public key exponent; and verifying, by the second system, the digital signature, responsive to the modulus and the public key exponent, thereby authenticating the first public key. 3. 
The method of further comprising the steps of:passing ...

Publication date: 30-03-2017

METHOD FOR CALCULATING ELLIPTIC CURVE SCALAR MULTIPLICATION

Number: US20170091148A1
Author: TAKAHASHI Masashi
Assignee:

An elliptic curve scalar multiplication apparatus stores a prime number p and information of a first point, the prime number p defining a field of definition F_p, which defines a first curve, which is a Weierstrass form elliptic curve, and expressed as p = p_0 + p_1·c + ... + p_{n−1}·c^{n−1} (where c equals 2^f and f is an integer equal to or larger than 1 that is the unit of breaking data into pieces in multiple-precision integer arithmetic executed by the elliptic curve scalar multiplication apparatus), calculates a Montgomery constant k, work, and h, executes doubling of a second point, which is calculated from the first point, by Montgomery multiplication that uses k, work, and h, adds a third point and fourth point, which are calculated from the first point, by Montgomery multiplication that uses k, work, and h; and calculates a scalar multiple of the first point, based on a result of the doubling and the addition. 1. An elliptic curve scalar multiplication method by which an elliptic curve scalar multiplication apparatus is configured to execute scalar multiplication of a first point on a first curve, which is a Weierstrass form elliptic curve, the elliptic curve scalar multiplication apparatus being configured to store a prime number p and information of the first point, the prime number p defining a field of definition F_p, which defines the first curve, and being expressed as p = p_0 + p_1·c + ... + p_{n−1}·c^{n−1} (where c equals 2^f and f is an integer equal to or larger than 1 that is the unit of breaking data into pieces in multiple-precision integer arithmetic executed by the elliptic curve scalar multiplication apparatus): (a1) determining whether or not p_0 = 2^f − 1 is true, and proceeding to the processing (a2) when it is determined that p_0 = 2^f − 1 is true, and to the processing (a3) when it is determined that p_0 = 2^f − 1 is not true; ...

Publication date: 21-03-2019

COUNTERMEASURE TO SAFE-ERROR FAULT INJECTION ATTACKS ON CRYPTOGRAPHIC EXPONENTIATION ALGORITHMS

Number: US20190089523A1
Author: ADJEDJ Machaël A.
Assignee: GEMALTO S/A

There is disclosed a countermeasure using the properties of the Montgomery multiplication for securing cryptographic systems such as RSA and DSA against, in particular, safe-error injection attacks. In the proposed algorithm, the binary exponentiation b = a^d mod n is iteratively calculated using the Montgomery multiplication; when the current bit d_i of the exponent d is equal to zero, the Montgomery multiplication of the actual result of the exponentiation calculation by R is realized. Thanks to this countermeasure, if there is any perturbation of the fault injection type introduced during the computation, it will have a visible effect on the final result, which renders such an attack inefficient to deduce the current bit d_i of the private key d. 1. A cryptographic method comprising: receiving a first message a; generating a second message b by computing a modular exponentiation b = a^d mod n, where d is an integer expressed in binary representation as d = (d_{k−1} d_{k−2} ... d_1 d_0)_2 such that d = Σ_{i=0}^{k−1} d_i × 2^i, with variable d_i ∈ {0, 1}, where n is a positive integer modulus, and where R is the Montgomery constant defined as the smallest power of g greater than n, where g is a machine-word base, wherein computing the modular exponentiation b = a^d mod n comprises: initializing a first variable to R mod n; and computing an iterative process a number k of times, with d_i successively taking values d_{k−1}, d_{k−2}, ... d_1, and d_0, respectively, each iteration of said iterative process comprising: if d_i is equal to 0, then inserting a countermeasure replacing the first variable by the Montgomery multiplication of said first variable with R, mod n. 2. The cryptographic method of claim 1, wherein computing the modular exponentiation b = a^d mod n uses the Montgomery transformation and comprises: initializing the first variable and a second variable to R mod n ...
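The following is an added worked example, not code from the patent above: a Montgomery-domain left-to-right exponentiation with the claimed countermeasure (when d_i = 0 the accumulator is replaced by MontMul(accumulator, R), which equals the accumulator mod n but whose result is actually used), placed beside the classic square-and-multiply-always variant that computes and discards a dummy multiplication. A small model of the safe-error attacker faults the multiplication of one iteration and checks whether the output changed. The fault model (flip the least significant bit of one multiplication's output), the machine-word base of 2^64, the modulus N (product of the Mersenne primes 2^61 − 1 and 2^31 − 1), the base A and the exponent D are this example's constructed assumptions; it needs Python 3.8+ for pow(n, -1, R).

```python
# Added example (not from the patent): Montgomery exponentiation with the
# "MontMul(acc, R) when d_i == 0" countermeasure vs. a discarded dummy multiply,
# plus a safe-error attacker who faults one iteration and watches the output.

WORD_BITS = 64                      # machine-word base g = 2^64 (assumption)


def mont_params(n, word_bits=WORD_BITS):
    """R = smallest power of g = 2^word_bits greater than n; n' = -n^-1 mod R."""
    if n % 2 == 0:
        raise ValueError("Montgomery arithmetic needs an odd modulus")
    g = 1 << word_bits
    r = g
    while r <= n:
        r *= g
    n_prime = (-pow(n, -1, r)) % r  # Python 3.8+ modular inverse
    return r, n_prime


def mont_mul(a, b, n, r, n_prime):
    """MontMul(a, b) = a*b*R^-1 mod n (REDC written with big integers)."""
    t = a * b
    m = ((t % r) * n_prime) % r
    u = (t + m * n) // r            # exact: t + m*n == 0 (mod R) by choice of n'
    return u - n if u >= n else u   # inputs < n (or == R) keep u below 2n


def _exponentiate(a, d, n, zero_bit_step, fault_at=None):
    """Left-to-right b = a^d mod n over bits d_{k-1} ... d_0, in Montgomery form.

    zero_bit_step decides what happens when d_i == 0.  fault_at == i models a
    fault on the multiplication performed in iteration i (LSB of its output flipped).
    """
    r, n_prime = mont_params(n)
    acc = r % n                     # first variable initialised to R mod n (Montgomery 1)
    a_m = (a * r) % n               # montgomerised base
    for i in range(d.bit_length() - 1, -1, -1):
        acc = mont_mul(acc, acc, n, r, n_prime)          # square
        if (d >> i) & 1:
            acc = mont_mul(acc, a_m, n, r, n_prime)      # multiply
            if fault_at == i:
                acc ^= 1
        else:
            acc = zero_bit_step(acc, a_m, n, r, n_prime, fault_at == i)
    return mont_mul(acc, 1, n, r, n_prime)               # leave Montgomery form


def dummy_multiply(acc, a_m, n, r, n_prime, faulted):
    """Square-and-multiply-always: the multiply is computed and thrown away."""
    dummy = mont_mul(acc, a_m, n, r, n_prime)
    if faulted:
        dummy ^= 1                  # corrupted, but never used: a "safe error"
    return acc


def montgomery_countermeasure(acc, a_m, n, r, n_prime, faulted):
    """Claimed countermeasure: MontMul(acc, R) = acc*R*R^-1 = acc mod n, result kept."""
    acc = mont_mul(acc, r, n, r, n_prime)
    if faulted:
        acc ^= 1                    # the same fault now propagates to the output
    return acc


def exp_dummy(a, d, n, fault_at=None):
    return _exponentiate(a, d, n, dummy_multiply, fault_at)


def exp_hardened(a, d, n, fault_at=None):
    return _exponentiate(a, d, n, montgomery_countermeasure, fault_at)


def safe_error_attack(exp_fn, a, d, n):
    """Attacker: fault iteration i; an unchanged output is read as d_i = 0.

    Returns the exponent the attacker reconstructs (bit length k assumed known).
    """
    reference = exp_fn(a, d, n)
    bits = ""
    for i in range(d.bit_length() - 1, -1, -1):
        bits += "0" if exp_fn(a, d, n, fault_at=i) == reference else "1"
    return int(bits, 2)


# Constructed test values: N = (2^61 - 1) * (2^31 - 1), both Mersenne primes.
N = (2**61 - 1) * (2**31 - 1)
A = 0x1234567887654321
D = 0xA5C3

if __name__ == "__main__":
    assert exp_dummy(A, D, N) == exp_hardened(A, D, N) == pow(A, D, N)
    print("dummy-multiply version, attacker recovers:", hex(safe_error_attack(exp_dummy, A, D, N)))
    print("countermeasure version, attacker sees:    ", hex(safe_error_attack(exp_hardened, A, D, N)))
```

Against the dummy-multiply version the attacker reads back D bit for bit, because a fault in a discarded multiplication never reaches the output; against the countermeasure every faulted iteration changes the result, so all bits look like ones and nothing is learned. The countermeasure costs one Montgomery multiplication per zero bit, the same as the dummy it replaces.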

Publication date: 05-04-2018

PARALLEL COMPUTATION TECHNIQUES FOR ACCELERATED CRYPTOGRAPHIC CAPABILITIES

Number: US20180097625A1
Assignee: Intel Corporation

Computing devices and techniques for performing modular exponentiation for a data encryption process are described. In one embodiment, for example, an apparatus may include at least one memory and logic for an encryption unit to perform encryption according to RSA encryption using a parallel reduction multiplier (PRM) MM process, at least a portion of the logic comprised in hardware coupled to the at least one memory and the at least one wireless transmitter, the logic to precompute a reduction coefficient, determine an operand product and a reduction product in parallel, the reduction product based on the reduction coefficient, and generate a MM result for the PRM MM process based on the operand product and the reduction product. Other embodiments are described and claimed. 1. An apparatus, comprising: at least one memory; and logic for an encryption unit coupled to the at least one memory, the logic to precompute a reduction coefficient, determine an operand product and a reduction product in parallel, the reduction product based on the reduction coefficient, and generate a Montgomery multiplication (MM) result for a parallel reduction multiplier (PRM) MM process based on the operand product and the reduction product. 2. The apparatus of claim 1, the encryption unit to perform Rivest, Shamir, Adleman (RSA) encryption using the PRM MM process. 3. The apparatus of claim 1, comprising a PRM MM data path, at least a portion of the PRM MM data path comprised in hardware, coupled to the logic. 4. The apparatus of claim 3, the PRM MM data path comprising a 32 bit word-based data path. 5. The apparatus of claim 3, the PRM MM data path comprising a first multiplier and a second multiplier for determining the operand product and the reduction product in parallel. 6. The apparatus of the first multiplier and the second multiplier comprising 32×32 word multipliers. 7. The apparatus of claim 3, the PRM MM data path comprising a ...

Publication date: 05-04-2018

TECHNIQUES FOR SECURE AUTHENTICATION

Number: US20180097630A1
Assignee: Intel Corporation

Various embodiments are generally directed to techniques for secure message authentication and digital signatures, such as with a cipher-based hash function, for instance. Some embodiments are particularly directed to a secure authentication system that implements various aspects of the cipher-based hash function in dedicated hardware or circuitry. In various embodiments, the secure authentication system may implement one or more elements of the Whirlpool hash function in dedicated hardware. For instance, the compute-intensive substitute byte and mix rows blocks of the block cipher in the Whirlpool hash function may be implemented in dedicated hardware or circuitry using a combination of Galois Field arithmetic and fused scale/reduce circuits. In some embodiments, the microarchitecture of the secure authentication system may be implemented with delayed add key to limit the memory requirement to three sequential registers. 1. An apparatus, comprising: a memory; and logic comprised in circuitry coupled to the memory, the logic to receive a message block as an input matrix of bytes; apply a non-linear transformation to each byte of the input matrix based on a plurality of multiplication operations in a Galois Field; and generate an output matrix of bytes based on the non-linear transformation. 2. The apparatus of claim 1, the logic comprising a plurality of multiplication operators to implement the plurality of multiplication operations in the Galois Field, the plurality of multiplication operators implemented in dedicated hardware or circuitry. 3. The apparatus of claim 2, the logic to split each byte into two four-bit vectors and provide at least one bit from each of the four-bit vectors as inputs to a first multiplication operator of the plurality of multiplication operators. 4. The apparatus of claim 3, the logic comprising input of a second multiplication operator of the plurality of multiplication operators coupled to the output of the first ...

Publication date: 12-05-2022

PROCESSING DEVICE, ACCELERATOR, AND METHOD FOR FEDERATED LEARNING

Number: US20220147873A1
Assignee:

A processing device for federated learning, including: a modular exponentiation module including at least one modular exponentiation engine; a pre-processing module for providing operations corresponding to a plurality of operator modes; a Montgomerization module for providing Montgomerization operations; a confusion calculation module for providing modular multiplication operations in Montgomery space; a Montgomery reduction module for providing Montgomery reduction operations; and a controller for determining, according to an input operator mode, whether to enable at least two modules out of the pre-processing module, the Montgomerization module, the confusion calculation module, and the Montgomery reduction module, so as to cooperatively perform the input operator mode together with the modular exponentiation module. 1. A processing device for federated learning comprising: a modular exponentiation module comprising at least one modular exponentiation engine; a pre-processing module configured for providing operations corresponding to a plurality of operator modes; a Montgomerization module configured for providing Montgomerization operations; a confusion calculation module configured for providing modular multiplication operations in Montgomery space; a Montgomery reduction module configured for providing Montgomery reduction operations; and a controller for: determining, according to an input operator mode, whether to enable at least two modules out of the pre-processing module, the Montgomerization module, the confusion calculation module, and the Montgomery reduction module, so as to cooperatively perform the input operator mode together with the at least one modular exponentiation engine of the modular exponentiation module, wherein the input operator mode is one of the plurality of operator modes, wherein performing modular exponentiation operations by the modular exponentiation module comprises: shifting bit-by-bit from a highest non-zero bit to a lowest 
...

Publication date: 16-04-2015

SYSTEM AND METHOD FOR IMPROVED FRACTIONAL BINARY TO FRACTIONAL RESIDUE CONVERTER AND MULTIPLER

Number: US20150106414A1
Author: Olsen Eric B.
Assignee:

Methods and systems for residue number system based ALUs, processors, and other hardware provide the full range of arithmetic operations while taking advantage of the benefits of the residue numbers in certain operations. 1. A residue number normalization unit comprising: a plurality of digit processing units that perform one or more modular arithmetic operations on one or more operands to generate an output within a predefined modulus value, wherein the modular arithmetic operations do not result in a carry value; a common data bus that transmits data to and from each of the plurality of digit processing units; a digit power multiplier that receives a mixed radix digit and an associated digit power value, and transmits a resulting weighted digit power product, the multiplier coupled to the digit power accumulator; a digit power accumulator that receives and accumulates weighted digit power products, the accumulator coupled to a result selector; a controller that transmits one or more commands to instruct one or more of the plurality of digit processing units to: convert one or more residue numbers having at least a fractional representation to a plurality of digits in mixed radix format; receive one or more mixed radix digits, each digit associated with a mixed radix power, and multiply the digit value by the associated mixed radix power, thereby forming a weighted digit power product; and sum a selected portion of the plurality of weighted digit power products; wherein said result selector, responsive to one or more controller commands, transmits a result from among one or more candidate normalization values. 2. A residue converter configured to convert a fractional binary value to a fractional residue value comprising: an input register that receives a plurality of binary input digits, the plurality of binary input digits configured as a parallel binary input receiving a binary fractional value; a modulus shift register that stores a plurality of modulus values ...

Publication date: 12-04-2018

Unknown

Number: US20180101362A1
Assignee:

The invention relates to a cryptographic processing method comprising multiplication of a point P of an elliptic curve on a Galois field by a scalar k, the multiplication comprising steps of: storing, in a first register, a zero point of the Galois field, executing a loop comprising at least one iteration comprising steps of: selecting a window of w bits in the non-signed binary representation of the scalar k, w being a predetermined integer independent of the scalar k and strictly greater than 1, calculating multiple points of P, each associated with a bit of the window and of the form ±2^i P, adding or not adding the stored multiple points to the first register, depending on the value of the bit of the window with which the multiple points are associated, wherein the loop ends once each bit of the non-signed binary representation of the scalar k has been selected, returning a value stored in the first register. If all the bits of the window selected during an iteration of the loop are zero, the iteration comprises at least one dummy execution of the addition function, and/or if all the bits of the window during an iteration of the loop are non-zero, the multiple points to be added in the first register during the step are determined from a non-adjacent form associated with the window. 1. A cryptographic processing method executed by at least one processor, the method comprising multiplication of a point P of an elliptic curve on a Galois field by a scalar k, the multiplication comprising steps of: storing (100) a zero point of the Galois field in a first register, selecting (102) a window of w bits in a non-signed binary representation of the scalar k, wherein w is a predetermined integer independent of the scalar k and is strictly greater than 1, calculating (104), by means of a doubling function, and storing, in at most w second registers, multiple points of P, wherein each multiple point is associated with a bit of ...
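The following is an added worked example, not code from the patent above: the right-to-left windowed scalar multiplication described in the abstract, with a dummy point addition when a window is all zeros and a non-adjacent-form rewrite when a window is all ones, checked against plain double-and-add. The curve (secp256k1 in affine coordinates), the default window width w = 3, and the specific NAF rewrite (an all-ones window 2^w − 1 is applied as +2^{(j+1)w}P followed by −2^{jw}P, two additions instead of w) are this example's assumptions about what "determined from a non-adjacent form associated with the window" means, not the patent's own text. Note the tension with the atomic-blocks entry earlier on this page: the dummy addition that equalises the trace for an all-zero window is exactly the kind of discarded operation a C-safe-error fault attacker targets, which is why that entry removes dummy operations instead.

```python
# Added example, not code from the patent: right-to-left windowed scalar
# multiplication with a dummy addition for all-zero windows and a NAF rewrite
# for all-ones windows.  Curve, coordinates and the NAF rewrite are assumptions.

P_MOD = 2**256 - 2**32 - 977            # secp256k1 field prime
CURVE_A, CURVE_B = 0, 7                  # y^2 = x^3 + 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
ZERO = None                              # point at infinity: the abstract's "zero point"


def on_curve(pt):
    if pt is ZERO:
        return True
    x, y = pt
    return (y * y - (x * x * x + CURVE_A * x + CURVE_B)) % P_MOD == 0


def ec_neg(pt):
    return ZERO if pt is ZERO else (pt[0], (-pt[1]) % P_MOD)


def ec_double(pt):
    if pt is ZERO or pt[1] == 0:
        return ZERO
    x, y = pt
    lam = (3 * x * x + CURVE_A) * pow(2 * y, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - 2 * x) % P_MOD
    return (x3, (lam * (x - x3) - y) % P_MOD)


def ec_add(p, q):
    if p is ZERO:
        return q
    if q is ZERO:
        return p
    if p[0] == q[0]:                     # same x: either P == Q or P == -Q
        return ZERO if (p[1] + q[1]) % P_MOD == 0 else ec_double(p)
    lam = (q[1] - p[1]) * pow((q[0] - p[0]) % P_MOD, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - p[0] - q[0]) % P_MOD
    return (x3, (lam * (p[0] - x3) - p[1]) % P_MOD)


def reference_mul(k, pt):
    """Plain right-to-left double-and-add, used as the correctness oracle."""
    acc = ZERO
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_double(pt)
        k >>= 1
    return acc


def windowed_mul(k, pt, w=3):
    """Returns (k*pt, number of ec_add calls incl. dummies).  w must be > 1."""
    if w <= 1:
        raise ValueError("window width w must be strictly greater than 1")
    acc = ZERO                           # first register
    cur = pt                             # 2^(j*w) * P at the start of window j
    adds = 0
    while k > 0:                         # until every bit of k has been selected
        window = k & ((1 << w) - 1)
        k >>= w
        multiples = []                   # 2^(j*w + i) * P, one per bit of the window
        for _ in range(w):
            multiples.append(cur)
            cur = ec_double(cur)         # after the loop: cur == 2^((j+1)*w) * P
        if window == 0:
            ec_add(acc, multiples[0])    # dummy addition, result discarded
            adds += 1
        elif window == (1 << w) - 1:
            # NAF of the all-ones window: 2^w - 1 == (1, 0, ..., 0, -1)
            acc = ec_add(acc, cur)
            acc = ec_add(acc, ec_neg(multiples[0]))
            adds += 2
        else:
            for i in range(w):
                if (window >> i) & 1:
                    acc = ec_add(acc, multiples[i])
                    adds += 1
    return acc, adds


if __name__ == "__main__":
    for k in (7, 8, 63, 0xDEADBEEFCAFE, ORDER - 1):
        r, n_add = windowed_mul(k, G)
        assert r == reference_mul(k, G)
        print(f"k={k:#x}: {n_add} point additions (incl. dummies), on_curve={on_curve(r)}")
```

The scalar 7 with w = 3 is a single all-ones window and costs two additions (8P − P) instead of three; the scalar 8 is a zero window followed by a single set bit, and the dummy addition keeps both windows visibly "busy" on a simple side-channel trace.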

Publication date: 26-03-2020

A CALCULATION DEVICE FOR ENCODED ADDITION

Number: US20200097256A1
Author: MARIN LEANDRO
Assignee:

An electronic calculating device is provided arranged for encoded addition in an Abelian group N. The calculating device comprises a storage configured to store encoded elements of the Abelian group N, an addition unit arranged to add multiple encoded addends, wherein the addition unit is configured to form an encoded element comprising at least the encoded parts of the multiple encoded addends, and a reduction unit arranged to reduce an encoded element, by replacing in a sequence of the encoded elements, two encoded elements with a further encoded element. 1. An electronic calculating device arranged for white-box encoded addition in an Abelian group N, comprising a storage configured to store encoded elements of the Abelian group N, the storage comprising elements encoded in the following forms: in a first form, of one or more types, a type of the first form ((X, b)) being defined by a set X, an element b of a group A, and a map [ ]: X→M, wherein an element x of the set X represents the element π([x]b) of the Abelian group N, wherein π is a homomorphic surjective projection π: M→N from an Abelian group M to the group N, the group A and a group G together decompose a subgroup H of the automorphism group Aut(M), wherein H=GA, the groups A and G having the property that ga=ag for any a in A and g in G, the group H having an action on the set X, the map [ ] is an at least partial map [ ]: X→M, such that [xh]=[x]h, for any x in X and h in H, where the map is defined, and wherein the composition π[ ]: X→N is surjective; in a second form, of at ...

Publication date: 26-03-2020

ELECTRONIC CALCULATING DEVICE ARRANGED TO CALCULATE THE PRODUCT OF INTEGERS

Number: US20200097257A1
Assignee:

An electronic calculating device arranged to calculate the product of integers, the device comprising a storage configured to store integers in a multi-layer residue number system (RNS) representation, the multi-layer RNS representation having at least an upper layer RNS and a lower layer RNS, the upper layer RNS being a residue number system for a sequence of multiple upper moduli (M_i), the lower layer RNS being a residue number system for a sequence of multiple lower moduli (m_j), an integer (x) being represented in the storage by a sequence of multiple upper residues (x = (x_i)) modulo the sequence of upper moduli (M_i), upper residues (x_i) for at least one particular upper modulus (M_i) being further represented in the storage by a sequence of multiple lower residues ((x_i)_j) of the upper residue (x_i) modulo the sequence of lower moduli (m_j), wherein at least one of the multiple lower moduli (m_j) does not divide a modulus of the multiple upper moduli (M_i). 1. An electronic calculating device arranged to calculate the product of integers, the device comprising a storage configured to store ...

Publication date: 03-07-2014

RESIDUE BASED ERROR DETECTION FOR INTEGER AND FLOATING POINT EXECUTION UNITS

Number: US20140188965A1
Author: IACOBOVICI Sorin
Assignee:

An error detection unit including one or more register files that store at least one operand and at least one operand residue, an operand multiplexor operable to receive the operand, a residue multiplexor operable to receive the operand residue, a source operand residue generator operable to generate at least one generated residue from the operand, a first comparator that compares the operand residue to the generated residue, the result of the first comparator being sent to a reorder buffer, an execution unit that supplies the operand to a residue calculator and a result residue generator, wherein the residue calculator is operable to determine an expected residue and the result residue generator is operable to generate a result residue, and a second comparator that compares the expected residue with the result residue, the result of the second comparator being sent to the reorder buffer. 1. An error detection unit, comprising: one or more register files that store at least one operand and at least one operand residue; an operand multiplexor operable to receive the operand; a residue multiplexor operable to receive the operand residue; a source operand residue generator operable to generate at least one generated residue from the operand; a first comparator that compares the operand residue to the generated residue, the result of the first comparator being sent to a reorder buffer; an execution unit that supplies the operand to a residue calculator and a result residue generator, wherein the residue calculator is operable to determine an expected residue and the result residue generator is operable to generate a result residue; and a second comparator that compares the expected residue with the result residue, the result of the second comparator being sent to the reorder buffer. 2. The error detection unit according to claim 1, wherein the result residue is stored in at least one of the register files and retrieved on read by a dependent instruction and sent to the residue ...
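The following is an added worked example, not code from the patent above: a software model of the residue-checked datapath the abstract describes. Each operand is stored together with its residue (modulo 3 here); a first comparator re-derives the residue from the operand itself to catch corruption in the register file or on the bus, and a second comparator checks the residue predicted from the two operand residues against the residue of the value the execution unit actually produced, to catch a fault in the arithmetic. The check modulus, the two fault knobs (an XOR mask on the execution unit's output, a wrong stored residue) and the sample operands are this example's constructed assumptions.

```python
# Added example (not from the patent): model of a residue-checked execution unit.
# Residues modulo 3 ride along with operands; two comparators flag storage
# corruption and execution faults respectively.  Fault knobs are constructed.

CHECK_MODULUS = 3     # a 2^k - 1 modulus: the residue of a binary word is a cheap k-bit fold


def residue(value, m=CHECK_MODULUS):
    """Residue generator (used on the source-operand side and on the result side)."""
    return value % m


def predicted_residue(op, a_res, b_res, m=CHECK_MODULUS):
    """Residue calculator: expected residue of the result from the operand residues alone."""
    if op == "add":
        return (a_res + b_res) % m
    if op == "sub":
        return (a_res - b_res) % m
    if op == "mul":
        return (a_res * b_res) % m
    raise ValueError(f"unsupported op {op!r}")


def execute(op, a, b):
    """The execution unit itself, unchecked."""
    return {"add": a + b, "sub": a - b, "mul": a * b}[op]


def checked_execute(op, a, a_res, b, b_res, fault_mask=0, m=CHECK_MODULUS):
    """Run one instruction through the error-detection unit.

    a_res / b_res are the residues stored alongside the operands in the
    register file; fault_mask XORs bits into the execution unit's output.
    The two booleans are what the abstract routes to the reorder buffer
    (True = consistent, False = error detected).
    """
    # first comparator: stored operand residue vs residue regenerated from the operand
    source_ok = residue(a, m) == a_res and residue(b, m) == b_res
    # execution unit, optionally faulted on its output
    result = execute(op, a, b) ^ fault_mask
    # second comparator: expected residue vs residue generated from the actual result
    result_res = residue(result, m)
    result_ok = result_res == predicted_residue(op, a_res, b_res, m)
    return {"result": result, "residue": result_res,
            "source_ok": source_ok, "result_ok": result_ok}


def all_single_bit_faults_detected(op, a, b, width=64, m=CHECK_MODULUS):
    """With m = 3 every single-bit flip is caught: 2^k mod 3 is 1 or 2, never 0."""
    return all(
        not checked_execute(op, a, residue(a, m), b, residue(b, m), 1 << k, m)["result_ok"]
        for k in range(width)
    )


if __name__ == "__main__":
    print(checked_execute("mul", 0xABCD, residue(0xABCD), 0x1234, residue(0x1234)))
    print("all single-bit faults on mul detected:",
          all_single_bit_faults_detected("mul", 0xABCD, 0x1234))
    # limitation: a fault that moves the result by a multiple of 3 is invisible to the check
    print(checked_execute("add", 12, 0, 8, 2, fault_mask=0b11))
```

The last call shows the limit of a single small check modulus: 12 + 8 = 20 has its two low bits clear, so XORing 0b11 adds exactly 3 and the residue comparator stays silent. Hardware designs pick the modulus (or several moduli) against the fault model they need to cover; the patent's abstract leaves the modulus open.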

More
29-04-2021 publication date

System, Apparatus And Method For Performing A Plurality Of Cryptographic Operations

Number: US20210126786A1
Assignee:

In one embodiment, an apparatus includes a hardware accelerator to execute cryptography operations including a Rivest Shamir Adleman (RSA) operation and an elliptic curve cryptography (ECC) operation. The hardware accelerator may include a multiplier circuit comprising a parallel combinatorial multiplier, and an ECC circuit coupled to the multiplier circuit to execute the ECC operation. The ECC circuit may compute a prime field multiplication using the multiplier circuit and reduce a result of the prime field multiplication in a plurality of addition and subtraction operations for a first type of prime modulus. The hardware accelerator may execute the RSA operation using the multiplier circuit. Other embodiments are described and claimed.
1. At least one computer readable storage medium having stored thereon instructions, which if performed by a machine cause the machine to perform a method comprising: receiving, in a controller of a hardware cryptographic circuit, a request to perform an elliptic curve cryptography (ECC) operation; in response to the request, causing, by the controller, a hardware multiplication circuit of the hardware cryptographic circuit to perform an integer multiplication on a first operand and a second operand to obtain a first result, wherein the first and second operands comprise first and second 384-bit values, respectively, and the multiplication circuit comprises a 27-bit×411-bit parallel combinatorial multiplier; determining whether a modulus reduction operation for the ECC operation is to be performed according to a National Institute of Standards and Technology (NIST) prime value; and in response to determining that the modulus reduction operation is to be performed according to the NIST prime value, performing the modulus reduction operation comprising a plurality of addition and subtraction operations, and without performing any multiplication or division operations.
2. The at least one computer readable storage medium of claim 1, ...
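The modulus reduction the claim describes, written out for the 384-bit case as an added Python example (not the patent's circuit): after the integer product, the result is reduced with word moves, one shift, and a fixed set of additions and subtractions only, following the FIPS 186 / Solinas reduction for the NIST prime P-384. Operands are assumed to be already reduced below p.

```python
import random

# NIST P-384 prime: 2^384 - 2^128 - 2^96 + 2^32 - 1
P384 = 2**384 - 2**128 - 2**96 + 2**32 - 1
W = 32                       # word size used by the FIPS 186 reduction tables
WMASK = (1 << W) - 1


def words(c):
    """Split a product c < 2^768 into 24 little-endian 32-bit words c[0..23]."""
    return [(c >> (W * i)) & WMASK for i in range(24)]


def join(ws):
    """Assemble a 12-word value listed most-significant word first, as in the tables."""
    v = 0
    for w in ws:
        v = (v << W) | w
    return v


def reduce_p384(c):
    """Reduce c = a*b (a, b < p) modulo P-384 with word moves, one shift and a fixed
    set of additions and subtractions: no multiplication and no division."""
    assert 0 <= c < P384 * P384
    x = words(c)
    s1 = join([x[11], x[10], x[9], x[8], x[7], x[6], x[5], x[4], x[3], x[2], x[1], x[0]])
    s2 = join([0, 0, 0, 0, 0, x[23], x[22], x[21], 0, 0, 0, 0])
    s3 = join([x[23], x[22], x[21], x[20], x[19], x[18], x[17], x[16], x[15], x[14], x[13], x[12]])
    s4 = join([x[20], x[19], x[18], x[17], x[16], x[15], x[14], x[13], x[12], x[23], x[22], x[21]])
    s5 = join([x[19], x[18], x[17], x[16], x[15], x[14], x[13], x[12], x[20], 0, x[23], 0])
    s6 = join([0, 0, 0, 0, x[23], x[22], x[21], x[20], 0, 0, 0, 0])
    s7 = join([0, 0, 0, 0, 0, 0, x[23], x[22], x[21], 0, 0, x[20]])
    s8 = join([x[22], x[21], x[20], x[19], x[18], x[17], x[16], x[15], x[14], x[13], x[12], x[23]])
    s9 = join([0, 0, 0, 0, 0, 0, 0, x[23], x[22], x[21], x[20], 0])
    s10 = join([0, 0, 0, 0, 0, 0, 0, x[23], x[23], 0, 0, 0])
    # 2*s2 is a one-bit left shift; every other step is an addition or a subtraction.
    r = s1 + (s2 << 1) + s3 + s4 + s5 + s6 + s7 - s8 - s9 - s10
    # r is congruent to c mod p and lies within a few multiples of p of [0, p);
    # a bounded number of conditional add/subtract steps finishes the reduction.
    while r < 0:
        r += P384
    while r >= P384:
        r -= P384
    return r


def mul_mod_p384(a, b):
    """Field multiplication: integer product, then the add/sub reduction."""
    assert 0 <= a < P384 and 0 <= b < P384
    return reduce_p384(a * b)


def selftest(rounds=200, seed=384):
    """Cross-check against the built-in modulo on constructed random inputs."""
    rng = random.Random(seed)
    for _ in range(rounds):
        a, b = rng.randrange(P384), rng.randrange(P384)
        if mul_mod_p384(a, b) != (a * b) % P384:
            return False
    return True
```

The trailing conditional add/subtract loops are data-dependent here; a hardware implementation performs a fixed number of conditional subtractions so that the reduction runs in constant time.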

More
09-06-2022 publication date

CRYPTO PROCESSOR, METHOD OF OPERATING CRYPTO PROCESSOR, AND ELECTRONIC DEVICE INCLUDING CRYPTO PROCESSOR

Number: US20220182220A1
Assignee: Samsung Electronics Co., Ltd

A crypto processor, a method of operating a crypto processor, and an electronic device including a crypto processor. A method of operating a crypto processor for performing a polynomial multiplication of lattice-based texts includes transferring coefficients of polynomials for the polynomial multiplication to multipliers, performing multiplications for a portion of the coefficients in parallel using the multipliers, performing an addition for a portion of results of the multiplications using an adder, and determining a result of the polynomial multiplication based on another portion of the results of the multiplications and a result of the addition.
1. A method of operating a crypto processor for performing a polynomial multiplication of lattice-based texts, the method comprising: transmitting coefficients of polynomials for the polynomial multiplication to multipliers; performing multiplications for a portion of the coefficients in parallel using the multipliers; performing an addition for a portion of results of the multiplications using an adder; and determining a result of the polynomial multiplication based on another portion of the results of the multiplications and a result of the addition.
2. The method of claim 1, wherein the portion of the results of the multiplications is obtained by a portion of the multipliers and transmitted to the adder through internal data paths respectively connecting the portion of the multipliers to the adder.
3. The method of claim 1, wherein the performing of the multiplications comprises performing, in parallel: a multiplication between a first polynomial coefficient of a first text and a third polynomial coefficient of a second text, among the coefficients; a multiplication between a second polynomial coefficient of the first text and the third polynomial coefficient; a multiplication between the first polynomial coefficient and a fourth polynomial coefficient of the second text; and a multiplication between the second ...
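The four-multiplier, one-adder unit of claim 3, as an added Python example (not Samsung's hardware): the unit multiplies coefficient pairs (a0 + a1 x)(b0 + b1 x), the adder sums only the two cross products, and the outer two products pass through unchanged; tiling that unit over coefficient pairs gives the full polynomial product in Z_q[x]/(x^n + 1). The modulus q = 3329 is an assumption.

```python
import random

Q = 3329   # coefficient modulus (assumption; the patent does not fix one)


def block2x2(a0, a1, b0, b1, q=Q):
    """(a0 + a1 x)(b0 + b1 x): four products formed in parallel on four multipliers,
    one addition of the two cross products, two products passed straight through."""
    p00, p10, p01, p11 = a0 * b0, a1 * b0, a0 * b1, a1 * b1   # the parallel multiplications
    cross = p10 + p01                                          # the single adder stage
    return p00 % q, cross % q, p11 % q


def poly_mul_negacyclic(a, b, q=Q):
    """Product in Z_q[x]/(x^n + 1) by tiling the 2x2 unit over coefficient pairs."""
    n = len(a)
    assert n == len(b) and n % 2 == 0
    acc = [0] * (2 * n)
    for i in range(0, n, 2):
        for j in range(0, n, 2):
            c0, c1, c2 = block2x2(a[i], a[i + 1], b[j], b[j + 1], q)
            acc[i + j] += c0              # degree i+j
            acc[i + j + 1] += c1          # degree i+j+1 (the summed cross products)
            acc[i + j + 2] += c2          # degree i+j+2
    return [(acc[k] - acc[k + n]) % q for k in range(n)]   # x^n = -1 folds the upper half


def poly_mul_schoolbook(a, b, q=Q):
    """Reference coefficient-by-coefficient product for the self-test."""
    n = len(a)
    acc = [0] * (2 * n)
    for i in range(n):
        for j in range(n):
            acc[i + j] += a[i] * b[j]
    return [(acc[k] - acc[k + n]) % q for k in range(n)]


def selftest(n=256, seed=5):
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(n)]
    b = [rng.randrange(Q) for _ in range(n)]
    return poly_mul_negacyclic(a, b) == poly_mul_schoolbook(a, b)
```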

More
09-04-2020 publication date

ASYMMETRICALLY MASKED MULTIPLICATION

Number: US20200110907A1
Author: Jaffe Joshua M.
Assignee: Cryptography Research, Inc.

Methods and systems for masking certain cryptographic operations in a manner designed to defeat side-channel attacks are disclosed herein. Squaring operations can be masked to make squaring operations indistinguishable or less distinguishable from multiplication operations. In general, squaring operations are converted into multiplication operations by masking them asymmetrically. Additional methods and systems are disclosed for defeating DPA, cross-correlation, and high-order DPA attacks against modular exponentiation.
1-32. (canceled)
33. A system comprising: at least one processor; and a non-transitory computer-readable medium having instructions stored thereon that, when executed on the processor, asymmetrically masks a cryptographic operation to improve resistance to third party attacks by being configured to perform the steps of: receiving at least one input value; defining a left-hand-side (LHS) parameter using at least one of the input values; defining a right-hand-side (RHS) parameter using at least one of the input values; calculating a plurality of intermediate values, including a first intermediate value based on the LHS parameter and a second intermediate value based on the RHS parameter, wherein at least one of the first intermediate value and the second intermediate value is calculated based on a mask value; and applying a fix value to at least one of the plurality of intermediate values to generate an output value comprising a multiplication product of at least one unmasked value of the input value used to define the LHS parameter or the RHS parameter.
34. The system of claim 33, wherein the input value used to define the LHS parameter is different from the input value used to define the RHS parameter, and wherein the output value comprises a multiplication product of the input value used to define the LHS parameter and the input value used to define the RHS parameter.
35. The system of claim 33, the instructions further being ...
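The asymmetric squaring mask described in this entry, in Python as an added example (not the patent's code): the squaring x^2 is computed as (x + m)(x - m) + m^2, with LHS and RHS parameters that differ whenever the modulus is odd and the mask is non-zero, so the multiplier never sees the same value on both inputs. A traced multiplier counts how many equal-operand multiplications a plain square-and-multiply exposes against the masked version. Using one mask per exponentiation and an odd modulus are assumptions; only the squaring case is shown.

```python
import secrets


class TracedMultiplier:
    """Modular multiplier that records, per call, whether both operands were identical:
    the operand-reuse pattern a cross-correlation or DPA attacker uses to tell
    squarings from multiplications."""

    def __init__(self, n):
        self.n = n
        self.trace = []

    def mul(self, a, b):
        self.trace.append(a == b)
        return a * b % self.n


def naive_modexp(base, exp, n, m):
    """Left-to-right square-and-multiply: every exponent bit starts with r*r."""
    r = 1
    for bit in bin(exp)[2:]:
        r = m.mul(r, r)
        if bit == "1":
            r = m.mul(r, base)
    return r


def masked_square(x, n, m, mask, fix):
    """x^2 mod n as (x + mask)(x - mask) + mask^2.  For odd n and 0 < mask < n the
    two operands are never equal, so the multiplier sees an ordinary multiplication."""
    lhs = (x + mask) % n          # LHS parameter
    rhs = (x - mask) % n          # RHS parameter
    return (m.mul(lhs, rhs) + fix) % n


def masked_modexp(base, exp, n, m, mask=None):
    """Square-and-multiply in which every squaring is replaced by a masked multiplication."""
    assert n % 2 == 1
    if mask is None:
        mask = secrets.randbelow(n - 1) + 1     # fresh mask in 1..n-1 per exponentiation (assumption)
    fix = mask * mask % n                       # fix value: data-independent, computed once
    r = 1
    for bit in bin(exp)[2:]:
        r = masked_square(r, n, m, mask, fix)
        if bit == "1":
            r = m.mul(r, base)
    return r


def compare(base, exp, n, mask):
    """(naive result, naive equal-operand count, masked result, masked equal-operand count)."""
    m1, m2 = TracedMultiplier(n), TracedMultiplier(n)
    r1 = naive_modexp(base, exp, n, m1)
    r2 = masked_modexp(base, exp, n, m2, mask)
    return r1, sum(m1.trace), r2, sum(m2.trace)
```

The multiplication by the base is left unmasked here, and the mask is not refreshed between iterations; those are the parts the entry's further claims address and this example does not cover.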

More
05-05-2016 publication date

Method and System of Improved Galois Multiplication

Number: US20160124717A1
Author: Downey Walter J.
Assignee:

Embodiments of the invention include an apparatus for performing Galois multiplication using an enhanced Galois table. Galois multiplication may include converting a first and second multiplicand to exponential forms using a Galois table, adding the exponential forms of the first and second multiplicands, and converting the added exponential forms of the first and second multiplicands back to a decimal-equivalent binary form using the Galois table, giving the decimal-equivalent binary result of the Galois multiplication.
1. A method of performing Galois multiplication comprising: converting a first and second multiplicand to exponential forms using a Galois table; adding the exponential forms of the first and second multiplicands; converting the added exponential forms of the first and second multiplicands to a decimal equivalent binary form using the Galois table to obtain the decimal equivalent binary result of the Galois multiplication.
2. The method of claim 1, further comprising: converting the decimal equivalent binary form into binary.
3. The method of claim 1, further comprising: converting the first and second multiplicands to a decimal value from binary.
4. The method of claim 1, wherein the Galois table is Table 3.
5. The method of claim 1, wherein the Galois table comprises: a first part with columns for an index, exponential, binary conversion, and exponential conversion; a second part with columns for an index, exponential, and binary conversion; and a third part with columns for an index, exponential, and binary conversion, wherein each binary conversion has a value of 0.
6. The method of claim 1, wherein the method is a part of a Reed-Solomon decoding routine.
7. The method of claim 1, wherein the Galois table comprises: a first part with all the Galois field elements except zero listed in order of exponents, with a first column of binary numbers for each field element wherein there is a consistent mapping of polynomial coefficients of the field element polynomial's powers to bit ...
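The table-driven Galois multiplication of this entry, as an added example (the tables below stand in for the patent's Table 3 and are not copied from it): a log/antilog pair for GF(2^8) under the field polynomial 0x11d used by many Reed-Solomon codes (an assumption). Converting each multiplicand to exponential form, adding the exponents and converting back costs one lookup each; the zero element has no exponential form and is special-cased, and a bitwise multiplier serves as the reference.

```python
PRIM_POLY = 0x11D    # x^8 + x^4 + x^3 + x^2 + 1 (assumption: a common Reed-Solomon field polynomial)


def build_tables():
    """Exponential (antilog) and logarithm tables for GF(2^8) generated by alpha = x.
    The exponential table is doubled so a summed exponent (up to 508) indexes it directly,
    which removes the mod 255 from the multiply path."""
    exp = [0] * 512
    log = [0] * 256
    x = 1
    for i in range(255):
        exp[i] = x
        log[x] = i
        x <<= 1                   # multiply by alpha
        if x & 0x100:
            x ^= PRIM_POLY        # reduce modulo the field polynomial
    for i in range(255, 512):
        exp[i] = exp[i - 255]
    return exp, log


EXP, LOG = build_tables()


def gf_mul_table(a, b):
    """Galois multiplication via the table: exponential forms, add, back to binary form."""
    if a == 0 or b == 0:
        return 0                  # zero has no exponent; it must be handled explicitly
    return EXP[LOG[a] + LOG[b]]


def gf_div_table(a, b):
    """Division, the other operation a Reed-Solomon decoder takes from the same table."""
    if b == 0:
        raise ZeroDivisionError("division by the zero field element")
    if a == 0:
        return 0
    return EXP[LOG[a] - LOG[b] + 255]


def gf_mul_bitwise(a, b):
    """Reference: shift-and-add with polynomial reduction, no table."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= PRIM_POLY
    return r


def selftest():
    """Exhaustive check of the table multiplier against the bitwise reference."""
    return all(gf_mul_table(a, b) == gf_mul_bitwise(a, b)
               for a in range(256) for b in range(256))
```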

More
25-08-2022 publication date

Efficient Montgomery Multiplier

Number: US20220269487A1
Assignee:

An Integrated Montgomery Calculation Engine (IMCE), for multiplying two multiplicands modulo a predefined number, includes a Carry Save Adder (CSA) circuit and control circuitry. The CSA circuit has multiple inputs, and has outputs including a sum output and a carry output. The control circuitry is coupled to the inputs and the outputs of the CSA circuit and is configured to operate the CSA circuit in at least (i) a first setting that calculates a Montgomery precompute value and (ii) a second setting that calculates a Montgomery multiplication of the two multiplicands.
1. An Integrated Montgomery Calculation Engine (IMCE) for multiplying two multiplicands modulo a predefined number, the IMCE comprising: a Carry Save Adder (CSA) circuit, having multiple inputs, and having outputs comprising a sum output and a carry output; and control circuitry, which is coupled to the inputs and the outputs of the CSA circuit and which is configured to operate the CSA circuit in at least (i) a first setting that calculates a Montgomery precompute value and (ii) a second setting that calculates a Montgomery multiplication of the two multiplicands.
2. The IMCE according to claim 1, wherein the control circuitry is configured to logically shift the sum output and the carry output of the CSA circuit, and to couple the shifted sum output and the shifted carry output to respective inputs of the CSA circuit.
3. The IMCE according to claim 2, wherein the control circuitry is configured to logically shift-left the sum output and the carry output of the CSA circuit in the first setting, and to logically shift-right the sum output and the carry output of the CSA circuit in the second setting.
4. The IMCE according to claim 1, wherein, in the first setting, the control circuitry is configured to set two of the inputs of the CSA circuit to a constant value that depends on the predefined number.
5. The IMCE according to claim 1, wherein, in the first ...

More
25-08-2022 publication date

Fast Precomputation for Montgomery Multiplier

Number: US20220269488A1
Assignee:

A Montgomery multiplication apparatus (MMA), for multiplying two multiplicands modulo a predefined number, includes a pre-compute circuit and a Montgomery multiplication circuit. The pre-compute circuit is configured to compute a Montgomery pre-compute value by performing a series of iterations. In a given iteration, the pre-compute circuit is configured to modify one or more intermediate values by performing bit-wise operations on the intermediate values calculated in a preceding iteration. The Montgomery multiplication circuit is configured to multiply the two multiplicands, modulo the predefined number, by performing a plurality of Montgomery reduction operations using the Montgomery pre-compute value computed by the pre-compute circuit.
1. A Montgomery multiplication apparatus (MMA) for multiplying two multiplicands modulo a predefined number, the MMA comprising: a pre-compute circuit, which is configured to compute a Montgomery pre-compute value by performing a series of iterations, wherein in a given iteration the pre-compute circuit is configured to modify one or more intermediate values by performing bit-wise operations on the intermediate values calculated in a preceding iteration; and a Montgomery multiplication circuit, which is configured to multiply the two multiplicands, modulo the predefined number, by performing a plurality of Montgomery reduction operations using the Montgomery pre-compute value computed by the pre-compute circuit.
2. The MMA according to claim 1, wherein the Montgomery pre-compute value comprises at least two to the power of twice the number of bits of the Montgomery multiplicands.
3. The MMA according to claim 1, wherein the pre-compute circuit is configured, in the given iteration, to modify a bit-wise-sum and a bit-wise-carry by performing bit-wise-sum and bit-wise-carry operations on (i) the bit-wise sum calculated in the preceding iteration, (ii) twice the bit-wise carry calculated in the preceding ...
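A bit-serial Montgomery multiplier in carry-save form, covering the two settings of the IMCE entry and the pre-compute value (two to the power of twice the operand width, i.e. R^2 mod n) of the MMA entry: an added Python example, not either patent's circuit. The pre-compute loop derives R^2 mod n for R = 2^k, with k the bit length of n (an assumption), by shifting left and conditionally subtracting n; the multiplication loop keeps the running total as a CSA (sum, carry) pair, feeds the multiplicand, n, or 0 through the CSA, and shifts right, resolving the redundant form only once at the end.

```python
import random


def csa(x, y, z):
    """Carry-save adder: one full adder per bit position, no carry propagation.
    Returns (sum, carry) with sum + carry == x + y + z."""
    return x ^ y ^ z, ((x & y) | (x & z) | (y & z)) << 1


def montgomery_precompute(n, k):
    """First setting: R^2 mod n for R = 2^k.  Start at 1, shift left 2k times and
    subtract n whenever the value reaches n (requires n odd and n < 2^k)."""
    assert n % 2 == 1 and 1 < n < (1 << k)
    v = 1
    for _ in range(2 * k):
        v <<= 1
        if v >= n:
            v -= n
    return v


def montgomery_mul(a, b, n, k):
    """Second setting: a * b * R^-1 mod n, one bit of a per iteration, with the running
    total held as a CSA pair (s, c) that is shifted right each round."""
    assert 0 <= a < n and 0 <= b < n and n % 2 == 1
    s = c = 0
    for i in range(k):
        if (a >> i) & 1:
            s, c = csa(s, c, b)
        # Parity of the total is (s ^ c) & 1.  Add n (odd) when the total is odd so the
        # halving is exact, otherwise add 0; either way both CSA outputs come out even.
        s, c = csa(s, c, n if (s ^ c) & 1 else 0)
        s >>= 1
        c >>= 1
    t = s + c                     # resolve the redundant form once; t < 2n here
    if t >= n:
        t -= n
    return t


def mod_mul(a, b, n):
    """a*b mod n via Montgom-ery form: in with R^2, multiply, out with 1."""
    k = n.bit_length()
    r2 = montgomery_precompute(n, k)
    am = montgomery_mul(a, r2, n, k)        # a*R mod n
    bm = montgomery_mul(b, r2, n, k)        # b*R mod n
    pm = montgomery_mul(am, bm, n, k)       # a*b*R mod n
    return montgomery_mul(pm, 1, n, k)      # a*b mod n


def selftest(rounds=100, seed=2):
    """Constructed random odd moduli up to 256 bits, checked against built-in arithmetic."""
    rng = random.Random(seed)
    for _ in range(rounds):
        n = rng.randrange(3, 1 << 256) | 1
        a, b = rng.randrange(n), rng.randrange(n)
        if mod_mul(a, b, n) != a * b % n:
            return False
        if montgomery_precompute(n, n.bit_length()) != pow(2, 2 * n.bit_length(), n):
            return False
    return True
```

The pre-compute value is computed on plain integers here for readability; the MMA entry keeps it in carry-save form as well, which is what its claim 3 describes.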

More
16-04-2020 publication date

Efficient modulo calculation

Number: US20200117426A1
Author: Simon Fenney
Assignee: Imagination Technologies Ltd

Hardware logic is arranged to efficiently perform modulo calculation with respect to a constant value b. The hardware logic comprises a series of addition units (each comprising a plurality of binary adders). A first stage addition unit in the series groups bits from an input number into a number of strings, multiplies each string by a corresponding coefficient using adders and left-shifting and adds the resulting strings together to generate an intermediate value which, in most examples, has a smaller range of possible values than the input number. The series of addition units also includes a second stage addition unit and/or a final stage addition unit. A second stage addition unit uses similar methods to generate an updated intermediate value in a pre-defined terminating range. A final stage addition unit generates a final result from the final intermediate result output by an immediately previous addition unit in the series.
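The multi-stage modulo-by-constant structure of this entry, as an added Python example (not the patent's hardware): each addition stage splits the value into w-bit strings, scales each string by the constant 2^(w*j) mod b (a shift-and-add in hardware) and sums them; stages repeat while the intermediate value keeps shrinking, and the final stage finishes with conditional subtractions. The default string width w = 8 is an assumption; choosing w so that 2^w == 1 (mod b) makes every coefficient 1, the simplest case.

```python
import random


def string_coefficients(b, w, count):
    """Constants 2^(w*j) mod b for j = 0..count-1, derived by doubling with a
    conditional subtract so that no division is needed even at design time."""
    coeffs, c = [], 1
    for _ in range(count):
        coeffs.append(c)
        for _ in range(w):
            c <<= 1
            if c >= b:
                c -= b
    return coeffs


def addition_stage(y, b, w, coeffs):
    """One addition unit: split y into w-bit strings, scale each by its constant
    coefficient and add the scaled strings together."""
    smask = (1 << w) - 1
    acc, j = 0, 0
    while y:
        acc += (y & smask) * coeffs[j]    # constant coefficient < b: shift-and-add in hardware
        y >>= w
        j += 1
    return acc


def final_stage(y, b):
    """Final unit: conditional subtraction of b << i from the top bit position down."""
    for i in range(y.bit_length(), -1, -1):
        if y >= (b << i):
            y -= b << i
    return y


def mod_constant(x, b, w=8):
    """x mod b using only constant scaling, additions, comparisons and subtractions."""
    assert b >= 2 and x >= 0 and w >= 1
    coeffs = string_coefficients(b, w, x.bit_length() // w + 1)
    y = x
    while True:
        y2 = addition_stage(y, b, w, coeffs)   # congruent to y mod b, normally far smaller
        if y2 >= y:                             # range no longer shrinking: hand over
            break
        y = y2
    return final_stage(y, b)


def selftest(rounds=500, seed=11):
    """Constructed random inputs checked against the built-in modulo."""
    rng = random.Random(seed)
    for _ in range(rounds):
        b = rng.randrange(2, 1 << 20)
        x = rng.randrange(1 << rng.randrange(1, 400))
        if mod_constant(x, b) != x % b:
            return False
    return True
```

With b = 7 and w = 3 every coefficient is 1 and each stage is a plain digit sum in base 8, which is the case the entry's first-stage description reduces to; for other moduli the per-string coefficients carry the weight of each string position.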

More
04-05-2017 publication date

Modular Exponentiation Using Randomized Addition Chains

Number: US20170126407A1
Author: Joppe Willem Bos
Assignee: NXP BV

Various embodiments relate to a device for generating code which implements modular exponentiation, the device including: a memory used to store a lookup table; and a processor in communication with the memory, the processor configured to: receive information for a generated randomized addition chain; output code for implementing the modular exponentiation which loads elements from the lookup table including intermediate results which utilize the information for a generated randomized addition chain; and output code for implementing the modular exponentiation which uses the loaded elements to compute the next element.
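Randomized addition chains and the straight-line code generated from them, as an added example (not NXP's code): the chain is built by walking back from the exponent with random choices between halving and subtracting 1 or 2, then reversed, and the generated program only multiplies earlier entries of a table of intermediate results, so the exponent never appears as a bit string in the code. The step set {halve, -1, -2} and the C-like output format are assumptions.

```python
import random


def random_addition_chain(e, rng):
    """Return (chain, ops): an addition chain 1 = c0 < c1 < ... < ck = e and the step
    list that produces it.  Every addend (1 or 2) is itself an early chain element."""
    assert e >= 1
    steps = []
    x = e
    while x > 1:                      # walk backwards from e, choosing at random
        options = []
        if x % 2 == 0:
            options.append(("dbl", 0))
        options.append(("add", 1))    # x - 1 >= 1 holds here
        if x - 2 >= 2:
            options.append(("add", 2))  # 2 is always the chain's second element
        op, d = rng.choice(options)
        x = x // 2 if op == "dbl" else x - d
        steps.append((op, d))
    ops = steps[::-1]
    chain = [1]
    for op, d in ops:
        chain.append(chain[-1] * 2 if op == "dbl" else chain[-1] + d)
    return chain, ops


def chain_for(e, seed):
    return random_addition_chain(e, random.Random(seed))


def generate_code(ops):
    """Straight-line program over a table t[]: t[0] is the base, t[1] = base^2, and
    every later entry is a product of two earlier entries."""
    code = []
    for i, (op, d) in enumerate(ops, start=1):
        if op == "dbl":
            code.append(("mul", i, i - 1, i - 1))
        else:
            code.append(("mul", i, i - 1, d - 1))   # d = 1 -> t[0], d = 2 -> t[1]
    return code


def emit_c(code):
    """Render the program as C-like statements (format is an assumption)."""
    return ["t[%d] = mulmod(t[%d], t[%d], n);" % (dst, x, y) for _, dst, x, y in code]


def run_code(code, g, n):
    """Execute the generated program: load table entries, multiply, append the result."""
    t = [g % n]
    for _, dst, x, y in code:
        assert dst == len(t)
        t.append(t[x] * t[y] % n)
    return t[-1]


def is_addition_chain(chain, e):
    """Check that each element is the sum of two earlier ones and the chain ends at e."""
    if chain[0] != 1 or chain[-1] != e:
        return False
    for i in range(1, len(chain)):
        if not any(chain[i] == chain[j] + chain[k]
                   for j in range(i) for k in range(j, i)):
            return False
    return True
```

Different seeds give different chains for the same exponent, which is the point of the randomization: each generated program is a distinct, valid way of reaching the same power.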

More
27-05-2021 publication date

BIT DECOMPOSITION SECURE COMPUTATION APPARATUS, BIT COMBINING SECURE COMPUTATION APPARATUS, METHOD AND PROGRAM

Number: US20210157955A1
Assignee:

The present invention provides a bit decomposition secure computation system comprising: a share value storage apparatus to store share values obtained by applying (2, 3) type RSS using modulo of power of 2 arithmetic; a decomposed share value storage apparatus to store a sequence of share values obtained by applying (2, 3) type RSS using modulo 2 arithmetic; and a bit decomposition secure computation apparatus that, with respect to sharing of a value w, r1, r2, and r3 satisfying w = r1 + r2 + r3 mod 2^n, where ^ is a power operator and n is a preset positive integer, being used as share information by the (2, 3) type RSS stored in the share value storage apparatus, includes: an addition sharing unit that sums two values out of r1, r2 and r3 by modulo 2^n, generates and distributes a share value of the (2, 3) type RSS with respect to the sum; and a full adder secure computation unit that executes addition processing of the value generated by the addition sharing unit and a value not used by the addition sharing unit, for each digit, by using secure computation of a full adder, and stores the result in the decomposed share value storage apparatus.
1. A bit decomposition secure computing system comprising: a share value storage apparatus to store share values obtained by applying (2, 3) type RSS (Replication type Secret Sharing) using modulo of power of 2 arithmetic; a decomposed share value storage apparatus to store a sequence of share values obtained by applying (2, 3) type RSS using modulo 2 arithmetic; and a bit decomposition secure computation apparatus including: a processor; and a memory storing a program executable by the processor, wherein the processor is configured to perform, with respect to sharing of a value w, r1, r2, and r3 satisfying w = r1 + r2 + r3 mod 2^n, where mod is a modulo operator, ^ is a power operator and n is a preset positive integer, being used as share ...

More