Patent search results: 1473 found, 100 shown.
Publication date: 29-03-2012

Key Agreement and Transport Protocol with Implicit Signatures

Number: US20120079274A1
Assignee: Certicom Corp

A key establishment protocol between a pair of correspondents includes the generation by each correspondent of respective signatures. The signatures are derived from information that is private to the correspondent and information that is public. After exchange of signatures, the integrity of exchange messages can be verified by extracting the public information contained in the signature and comparing it with information used to generate the signature. A common session key may then be generated from the public and private information of respective ones of the correspondents.

Publication date: 31-05-2012

Key Agreement and Transport Protocol

Number: US20120137133A1
Author: Marinus Struik
Assignee: Certicom Corp

A key establishment protocol includes the generation of a value of cryptographic function, typically a hash, of a session key and public information. This value is transferred between correspondents together with the information necessary to generate the session key. Provided the session key has not been compromised, the value of the cryptographic function will be the same at each of the correspondents. The value of the cryptographic function cannot be compromised or modified without access to the session key.

Publication date: 21-06-2012

Modular exponentiation resistant against skipping attacks

Number: US20120159189A1
Author: Marc Joye
Assignee: Individual

An exponentiation method resistant against skipping attacks. The main idea is to evaluate, in parallel with the exponentiation y = g^d, a value derived from the exponent, e.g. f = d·1 (the exponent "multiplied" in the additive group). Both evaluations are performed by the same exponentiation algorithm, "gluing" together the group operations underlying the computation of y and f so that a perturbation of one operation also perturbs the other. This makes it possible to verify that f indeed equals d before returning the result. An apparatus and a computer program product are also provided.
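The glued exponentiation described above, as an added example that is not the patent's code: the multiplicative step on y and the additive step on f share one loop body, so an iteration that is skipped by a fault removes a doubling (and possibly an add) from f and the check f == d fails. The fault model, a set of loop iterations that are silently skipped, is a constructed assumption for the demonstration.

```python
"""Skipping-attack countermeasure in the style of the Joye abstract above.

Added example, not the patent's own code. y = g^d (mod n) and the exponent
recomputation f = d * 1 are advanced in the same loop iteration; the caller
releases y only when f == d. `skipped_iterations` models a fault that makes
the device skip whole loop iterations (constructed fault model).
"""


def guarded_modexp(g, d, n, skipped_iterations=frozenset()):
    """Left-to-right square-and-multiply with a glued additive recomputation of d.

    Returns (y, f). Squaring y is paired with doubling f, multiplying y by g is
    paired with adding 1 to f, so both live or die with the same iteration.
    """
    y, f = 1, 0
    bits = d.bit_length()
    for step, i in enumerate(range(bits - 1, -1, -1)):
        if step in skipped_iterations:
            continue                      # simulated skipped iteration (fault)
        y = (y * y) % n                   # "square" in the multiplicative group
        f = 2 * f                         # the same step in the additive group
        if (d >> i) & 1:
            y = (y * g) % n               # "multiply by g"
            f = f + 1                     # the same step: add 1
    return y, f


def checked_modexp(g, d, n, skipped_iterations=frozenset()):
    """Return g^d mod n, or None when the exponent check detects a skipped step."""
    y, f = guarded_modexp(g, d, n, skipped_iterations)
    return y if f == d else None


if __name__ == "__main__":
    g, d, n = 7, 0b1011_0110_1101, 1_000_003     # constructed toy parameters
    print(checked_modexp(g, d, n) == pow(g, d, n))   # True: no fault, result released
    print(checked_modexp(g, d, n, {4}))               # None: 5th iteration skipped
```

Any skipped iteration changes the number of doublings applied to f, so f ends up with fewer bits than d; the check does not depend on which bit value was skipped. It does not cover faults inside a single group operation, which is what the CRT-style data checks further down this listing address.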

Publication date: 11-10-2012

Strengthened public key protocol

Number: US20120257758A1
Assignee: Individual

A method of determining the integrity of a message exchanged between a pair of correspondents. The message is secured by embodying the message in a function of a public key derived from a private key selected by one of the correspondents. The method comprises first obtaining the public key. The public key is then subjected to at least one mathematical test to determine whether the public key satisfies predefined mathematical characteristics. Messages utilizing the public key are accepted if the public key satisfies the predefined mathematical characteristics.
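An added example, not Certicom's or the inventors' code, covering this entry together with the "Key Agreement and Transport Protocol" entry above: a Diffie-Hellman exchange in a prime-order subgroup where each side first subjects the received public key to the mathematical test (1 < y < p-1 and y^q = 1 mod p) and then exchanges a keyed hash of the session key and the public values as confirmation. The group p = 23, q = 11, g = 2 is a constructed toy group, and HMAC-SHA256 as the confirmation function is an assumption; the last function shows the small-subgroup leak the test prevents.

```python
"""Public-key subgroup test plus key confirmation for a DH-style key agreement.

Added example, not the patent holders' code. Parameters are a constructed toy
group: p = 2q + 1 with q prime and g = 2 of order q (2^11 = 2048 = 89*23 + 1).
"""
import hashlib
import hmac
import secrets

P, Q, G = 23, 11, 2


def validate_public_key(y, p=P, q=Q):
    """Mathematical tests on a received public key before any use.

    1 < y < p-1 rejects the trivial elements 1 and p-1; y^q == 1 (mod p)
    confirms y lies in the intended prime-order subgroup.
    """
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def keygen(p=P, q=Q, g=G):
    x = secrets.randbelow(q - 1) + 1          # private exponent in [1, q-1]
    return x, pow(g, x, p)


def shared_secret(x, peer_y, p=P, q=Q):
    """Messages using a public key are accepted only if it passes the tests."""
    if not validate_public_key(peer_y, p, q):
        raise ValueError("peer public key failed the subgroup test")
    return pow(peer_y, x, p)


def session_key(z, ya, yb):
    """Session key from the DH value and both parties' public information."""
    return hashlib.sha256(f"{z}|{ya}|{yb}".encode()).digest()


def confirmation(key, ya, yb, role):
    """Hash of the session key with the public information, sent to the peer."""
    return hmac.new(key, f"{role}|{ya}|{yb}".encode(), hashlib.sha256).digest()


def run_exchange(xa, ya, xb, yb):
    """Both sides' computations; True when both confirmation values verify."""
    ka = session_key(shared_secret(xa, yb), ya, yb)   # A's view
    kb = session_key(shared_secret(xb, ya), ya, yb)   # B's view
    tag_a = confirmation(ka, ya, yb, "A")              # A -> B
    tag_b = confirmation(kb, ya, yb, "B")              # B -> A
    ok_at_b = hmac.compare_digest(tag_a, confirmation(kb, ya, yb, "A"))
    ok_at_a = hmac.compare_digest(tag_b, confirmation(ka, ya, yb, "B"))
    return ok_at_a and ok_at_b


def small_subgroup_leak(x, p=P):
    """Without the test: an attacker sends y = p-1 (order 2); the victim's DH
    value is 1 or p-1 and reveals the parity of the private exponent x."""
    z = pow(p - 1, x, p)
    return (z == 1) == (x % 2 == 0)
```

The confirmation value cannot be forged without the session key, which is the property the Struik abstract relies on; the subgroup test is what stops an attacker from steering the session key into a set small enough to search.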

Publication date: 15-11-2012

Finite field cryptographic arithmetic resistant to fault attacks

Number: US20120288086A1
Assignee: NXP BV

Various embodiments relate to a method for integrity-protected calculation of a cryptographic function, including: performing an operation c = a∘b in a cryptographic function f(x1, x2, ..., xn) defined over a commutative ring R; choosing a′ and b′ corresponding to a and b such that a′ and b′ are elements of a commutative ring R′; computing c′ = a′∘′b′; computing a″ = CRT(a, a′) and b″ = CRT(b, b′), where CRT is the Chinese Remainder Theorem; computing c″ = a″∘″b″; mapping c″ into R′; and determining whether the mapping of c″ into R′ equals c′.
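The check above carried through for R = Z_p, R′ = Z_r and the combined ring Z_{p·r}, as an added example that is not NXP's code. The operation is multiplication, a′ = a mod r is taken as the simplest "corresponding" element (the patent allows other choices), and the fault is a constructed additive disturbance of c″; the last function measures how often the comparison catches it.

```python
"""CRT-redundant multiplication with an integrity check in a small ring Z_r.

Added example, not NXP's code. p is the working modulus, r a small modulus
coprime to p; the product is computed once in Z_{p*r} and once in Z_r and the
two are compared after mapping the combined result into Z_r.
"""
from math import gcd


def crt(x, m, y, n):
    """z in [0, m*n) with z == x (mod m) and z == y (mod n); gcd(m, n) must be 1."""
    assert gcd(m, n) == 1
    t = ((y - x) * pow(m, -1, n)) % n     # z = x + m*t
    return x + m * t


def protected_mul(a, b, p, r, delta=0):
    """c = a*b mod p with a redundant copy in Z_r. Returns (c, ok).

    delta is a simulated transient fault added to c'' (0 means no fault);
    ok is False when the mapping of c'' into Z_r differs from c'.
    """
    a_prime, b_prime = a % r, b % r                 # elements of R' corresponding to a, b
    c_prime = (a_prime * b_prime) % r               # c' = a' o' b'
    a2 = crt(a, p, a_prime, r)                      # a'' = CRT(a, a')
    b2 = crt(b, p, b_prime, r)                      # b'' = CRT(b, b')
    c2 = (a2 * b2 + delta) % (p * r)                # c'' = a'' o'' b'' (+ fault)
    ok = (c2 % r) == c_prime                        # map c'' into R' and compare
    return c2 % p, ok


def detection_rate(a, b, p, r, max_delta):
    """Fraction of additive faults 1..max_delta on c'' that the check catches.

    A fault slips through exactly when delta is a multiple of r, so the
    miss probability for a random fault is about 1/r.
    """
    caught = sum(not protected_mul(a, b, p, r, d)[1] for d in range(1, max_delta + 1))
    return caught / max_delta
```

Choosing r larger lowers the miss probability at the cost of a wider multiplication; the check itself is one small modular reduction and comparison, and the useful result c″ mod p must only be released when ok is True.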

Publication date: 03-01-2013

Simultaneous Scalar Multiplication Method

Number: US20130003964A1
Assignee: Certicom Corp

In computing point multiples in elliptic curve schemes (e.g. kP and sQ) separately using, for example, Montgomery's method for the purpose of combining kP+sQ, several operations that could be executed at the same time are repeated in computing kP and sQ individually. A simultaneous scalar multiplication method is provided that reduces the overall number of doubling and addition operations, thereby providing an efficient method for multiple scalar multiplication. The element pairs maintained by Montgomery's method for P and for Q are combined into a single pair, and the bits of k and s are evaluated at each step as bit pairs. When the bits of k and s are equal, only one doubling operation and one addition operation are needed to compute the current pair; when the bits of k and s differ, one doubling operation and two addition operations are needed.

Publication date: 09-05-2013

Method and apparatus for improving digital signatures

Number: US20130117569A1
Assignee: Nokia Oyj

Systems and methods are provided for enhancing pseudo-random number generation to thwart various security attacks on a system that relies on digital-signature security measures. For example, a random number may be bound to a message that is to be signed using a digital signature. Alternatively, a random number may be bound to a secret seed value, which may be updated after each signing. Alternatively still, a random number may be bound to both the message to be signed using a digital signature and a secret seed value.
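The three binding options above, as an added example that is not Nokia's code, together with the failure they guard against: with a stuck RNG, a nonce taken straight from the RNG repeats across two different messages, and for any Schnorr-shaped signature equation s = k + e·x that repetition hands the private key x to whoever sees both signatures. HMAC-SHA256 as the binding function, the seed-update rule, the prime Q and the stuck RNG are all assumptions of the example; only the linear signature equation is modelled, not a real group or signing API.

```python
"""Hedged nonce generation versus a stuck RNG.

Added example, not Nokia's code. The 'signature' is only the equation
s = k + e*x (mod Q) that makes nonce reuse fatal; Q and the binding
function (HMAC-SHA256) are assumptions.
"""
import hashlib
import hmac
import secrets

Q = (1 << 61) - 1              # prime modulus of the toy signature equation


def _bind(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class HedgedNonces:
    """The nonce sources from the abstract; the RNG is injectable for testing."""

    def __init__(self, seed, rng=secrets.token_bytes):
        self.seed, self.rng = seed, rng

    def raw_random(self, message):           # baseline: trust the RNG alone
        return self.rng(32)

    def bound_to_message(self, message):     # random value bound to the message
        return _bind(message, self.rng(32))

    def bound_to_seed(self, message):        # random value bound to a secret seed
        k = _bind(self.seed, self.rng(32))
        self.seed = hashlib.sha256(self.seed + k).digest()   # seed updated after signing
        return k

    def bound_to_both(self, message):        # bound to message and seed
        k = _bind(self.seed, message, self.rng(32))
        self.seed = hashlib.sha256(self.seed + k).digest()
        return k


def toy_sign(x, message, nonce_bytes):
    """(e, s) with s = k + e*x mod Q and e = H(message) mod Q."""
    k = int.from_bytes(nonce_bytes, "big") % Q
    e = int.from_bytes(hashlib.sha256(message).digest(), "big") % Q
    return e, (k + e * x) % Q


def recover_key(sig1, sig2):
    """If both signatures used the same k: x = (s1 - s2) / (e1 - e2) mod Q."""
    (e1, s1), (e2, s2) = sig1, sig2
    return ((s1 - s2) * pow((e1 - e2) % Q, -1, Q)) % Q


def attack_succeeds(nonce_method, x):
    """Sign two different messages with a stuck RNG; True if x is recovered."""
    def stuck_rng(n):                        # constructed broken RNG
        return b"\x42" * n
    gen = HedgedNonces(seed=b"constructed-seed", rng=stuck_rng)
    method = getattr(gen, nonce_method)
    m1, m2 = b"pay 1 EUR", b"pay 1000000 EUR"
    sig1 = toy_sign(x, m1, method(m1))
    sig2 = toy_sign(x, m2, method(m2))
    return recover_key(sig1, sig2) == x
```

Binding to the message alone still repeats the nonce when the same message is signed twice, which is harmless for this equation but leaks nothing new either; binding to the updated seed makes every nonce distinct even then, which is why the abstract's third option combines both.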

Publication date: 13-03-2014

Method for testing the security of an electronic device against an attack, and electronic device implementing countermeasures

Number: US20140075203A1
Assignee: Oberthur Technologies SA

A method of testing security of an electronic device against a combination of a side-channel attack and a fault-injection attack implemented during a method of cryptographic processing that includes: delivering a message signature based on a secret parameter and implementing a recombination of at least two intermediate values according to the Chinese remainder theorem; and verifying the signature on the basis of at least one public exponent. The method of testing includes: transmitting a plurality of messages to be signed by said electronic device; disturbing each message, including modifying the message by inserting an identical error for each message, before executing a step of determining one of the intermediate values; and analyzing physical measurements, obtained during the step of verifying the signature as a function of the message to be signed, the identical error for each message, and an assumption of a value of part of the secret parameter.
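The cryptographic processing the test method above targets is RSA-CRT signing followed by verification with the public exponent. The added example below, not Oberthur's code, shows why that verification step exists: a single signature whose mod-q half was disturbed factors the modulus (the Bellcore attack), and checking s^e = m before release withholds it. The toy primes are assumptions; the physical measurements on the verification step that the abstract analyses are not modelled.

```python
"""RSA-CRT signing, a faulted half, the resulting factorisation, and the
verify-before-release countermeasure.

Added example, not Oberthur's code. Key sizes are toy (20-bit primes,
constructed); real keys use 1024-bit and larger primes.
"""
from math import gcd

P, Q_ = 999983, 1000003                 # constructed toy primes
N, E = P * Q_, 65537
D = pow(E, -1, (P - 1) * (Q_ - 1))
DP, DQ = D % (P - 1), D % (Q_ - 1)      # CRT exponents
QINV = pow(Q_, -1, P)                   # q^-1 mod p for Garner recombination


def sign_crt(m, fault_q=0):
    """RSA-CRT signature; fault_q is XORed into the mod-q intermediate value
    to model an identical injected error on every message (0 = no fault)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q_) ^ fault_q
    h = (QINV * (sp - sq)) % P
    return sq + Q_ * h                  # Garner: s == sp (mod p), s == sq (mod q)


def verify(m, s):
    """Check with the public exponent, as in the abstract's final step."""
    return pow(s, E, N) == m


def sign_protected(m, fault_q=0):
    """Release the signature only if it verifies; None otherwise."""
    s = sign_crt(m, fault_q)
    return s if verify(m, s) else None


def bellcore_factor(m, faulty_s):
    """A signature correct mod p but wrong mod q gives gcd(s'^e - m, N) = p."""
    return gcd(pow(faulty_s, E, N) - m, N)
```

The countermeasure costs one public-exponent exponentiation per signature, which is why the abstract's test feeds the same error into many messages and looks at leakage from exactly that verification step: an attacker who cannot read the faulty signature may still learn which intermediate value was disturbed.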

Publication date: 02-01-2020

INTEGRATED CIRCUITS WITH MODULAR MULTIPLICATION CIRCUITRY

Number: US20200004506A1
Assignee: Intel Corporation

An integrated circuit may be provided with a modular multiplication circuit. The modular multiplication circuit may include an input multiplier for computing the product of two input signals, truncated multipliers for computing another product based on a modulus value and the product, and a subtraction circuit for computing a difference between the two products. An error correction circuit may use the difference to look up an estimated quotient value and to subtract out an integer multiple of the modulus value from the difference in a single step, wherein the integer multiple is equal to the estimated quotient value. A final adjustment stage may be used to remove any remaining residual estimation error.

Claims:
1. An integrated circuit, comprising: a first input port configured to receive a first input signal; a second input port configured to receive a second input signal; a third input port configured to receive a modulus value; an input multiplier configured to multiply the first input signal by the second input signal to generate a corresponding first product; a plurality of reduction multipliers configured to generate a second product using the first product and the modulus value; a subtraction circuit configured to compute a difference between the first and second products; and an error correction circuit configured to remove an estimated integer multiple of the modulus value from the difference in a single step.
2. The integrated circuit of claim 1, wherein the plurality of reduction multipliers comprise a first truncated multiplier that only partially computes a number of most significant bits (MSBs).
3. The integrated circuit of claim 2, wherein the plurality of reduction multipliers further comprise a second truncated multiplier that only partially computes a number of least significant bits (LSBs).
4. The integrated circuit of claim 2, wherein the first truncated multiplier has a first input terminal configured to receive only upper bits of the first product.
5. The ...
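The software counterpart of this pipeline is Barrett reduction: an estimated quotient from the upper bits of the product and a precomputed reciprocal, one subtraction of that multiple of the modulus, then a bounded final adjustment. The block below is an added example, not Intel's circuit or code; the lookup-based error correction of the claims is replaced by the textbook reciprocal multiply, and truncation of the multipliers is modelled with shifts.

```python
"""Barrett modular reduction: estimated quotient, single-step subtraction,
final adjustment of at most two subtractions.

Added example, not Intel's code. Works for 0 <= x < m^2 with k = bit length
of m and mu = floor(2^(2k) / m) precomputed once per modulus.
"""


def barrett_setup(m):
    k = m.bit_length()
    mu = (1 << (2 * k)) // m            # precomputed reciprocal estimate
    return k, mu


def barrett_reduce(x, m, k, mu):
    """Return (x mod m, adjustments).

    adjustments counts the final conditional subtractions; Barrett's bound
    guarantees the estimated quotient is at most 2 below the true one.
    """
    assert 0 <= x < m * m
    q1 = x >> (k - 1)                   # only the upper bits of the product are used
    q_est = (q1 * mu) >> (k + 1)        # estimated quotient, never above the true quotient
    r = x - q_est * m                   # remove the estimated multiple in a single step
    adjustments = 0
    while r >= m:                       # residual estimation error: 0, 1 or 2 subtractions
        r -= m
        adjustments += 1
    return r, adjustments


def modmul(a, b, m, k, mu):
    """Modular multiplication built on the reduction above."""
    return barrett_reduce(a * b, m, k, mu)[0]


def worst_case_adjustments(m, samples):
    """Largest number of final adjustments observed over the given inputs."""
    k, mu = barrett_setup(m)
    return max(barrett_reduce(x, m, k, mu)[1] for x in samples)
```

The fixed bound on the adjustment stage is what makes the circuit's latency data-independent once the loop is unrolled to two conditional subtractions; a variable-length correction would itself be a timing side channel.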

Publication date: 13-01-2022

LOW-LATENCY DIGITAL SIGNATURE PROCESSING WITH SIDE-CHANNEL SECURITY

Number: US20220012334A1
Assignee: Intel Corporation

A low-latency digital signature with side-channel security is described. An example of an apparatus includes a coefficient multiplier circuit to perform polynomial multiplication, the coefficient multiplier circuit providing Number Theoretic Transform (NTT) and INTT (Inverse NTT) processing; and one or more accessory operation circuits coupled with the coefficient multiplier circuit, each of the one or more accessory operation circuits to perform a computation based at least in part on a result of an operation of the NTT/INTT coefficient multiplier circuit, wherein the one or more accessory operation circuits are to receive results of operations of the NTT/INTT coefficient multiplier circuit prior to the results being stored in a memory.

Claims:
1. An apparatus comprising: a coefficient multiplier circuit to perform polynomial multiplication, the coefficient multiplier circuit providing Number Theoretic Transform (NTT) and INTT (Inverse NTT) processing; and one or more accessory operation circuits coupled with the coefficient multiplier circuit, each of the one or more accessory operation circuits to perform a computation based at least in part on a result of an operation of the NTT/INTT coefficient multiplier circuit; wherein the one or more accessory operation circuits are to receive results of operations of the NTT/INTT coefficient multiplier circuit prior to the results being stored in a memory.
2. The apparatus of claim 1, the one or more accessory operation circuits are to perform the accessory operations in a same cycle as the operations of the NTT/INTT coefficient multiplier circuit.
3. The apparatus of claim 2, wherein the performance of the one or more accessory operations overlaps at least in part with one or more other operations of the apparatus.
4. The apparatus of claim 1, wherein the polynomial multiplication includes multiplying a private polynomial with a public polynomial.
5. The apparatus of claim 1, wherein the computation by the one or more accessory ...
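What the coefficient multiplier computes, as an added example that is not Intel's code: multiplication in Z_q[x]/(x^n + 1) via a forward NTT of both operands, a pointwise product and an inverse NTT. The parameters n = 256 and q = 8380417 (the Dilithium modulus, with 2n dividing q - 1) are assumptions, the 2n-th root of unity is searched for at run time rather than hard-coded, and a schoolbook negacyclic convolution serves as the reference.

```python
"""Negacyclic polynomial multiplication through an NTT / INTT pair.

Added example, not Intel's code. n = 256, q = 8380417 are assumptions;
psi is a primitive 2n-th root of unity mod q (psi^n == -1), found at run time.
"""
import random

N_COEFFS, Q = 256, 8380417


def find_root_of_unity(n, q):
    """Primitive 2n-th root of unity psi mod q: psi^n == -1 (mod q)."""
    for g in range(2, q):
        psi = pow(g, (q - 1) // (2 * n), q)
        if pow(psi, n, q) == q - 1:
            return psi
    raise ValueError("q - 1 must be divisible by 2n")


PSI = find_root_of_unity(N_COEFFS, Q)


def ntt(a, omega, q):
    """Recursive Cooley-Tukey NTT with omega a primitive len(a)-th root of unity."""
    n = len(a)
    if n == 1:
        return a[:]
    omega2 = omega * omega % q
    even, odd = ntt(a[0::2], omega2, q), ntt(a[1::2], omega2, q)
    out, w = [0] * n, 1
    for k in range(n // 2):
        t = w * odd[k] % q
        out[k] = (even[k] + t) % q
        out[k + n // 2] = (even[k] - t) % q
        w = w * omega % q
    return out


def intt(a, omega, q):
    """Inverse transform: NTT with omega^-1, scaled by n^-1."""
    n_inv = pow(len(a), -1, q)
    return [x * n_inv % q for x in ntt(a, pow(omega, -1, q), q)]


def poly_mul_ntt(a, b, q=Q, psi=PSI):
    """a*b mod (x^n + 1): twist by psi^i, NTT, pointwise product, INTT, untwist."""
    n = len(a)
    omega = psi * psi % q
    twist = [pow(psi, i, q) for i in range(n)]
    ta = ntt([x * t % q for x, t in zip(a, twist)], omega, q)
    tb = ntt([x * t % q for x, t in zip(b, twist)], omega, q)
    tc = intt([x * y % q for x, y in zip(ta, tb)], omega, q)
    psi_inv = pow(psi, -1, q)
    return [c * pow(psi_inv, i, q) % q for i, c in enumerate(tc)]


def poly_mul_schoolbook(a, b, q=Q):
    """Reference O(n^2) negacyclic convolution, reducing x^n to -1."""
    n = len(a)
    c = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < n:
                c[i + j] = (c[i + j] + x * y) % q
            else:
                c[i + j - n] = (c[i + j - n] - x * y) % q
    return c


def sample_poly(seed, n=N_COEFFS, q=Q):
    """Deterministic pseudo-random polynomial for tests (constructed input)."""
    rng = random.Random(seed)
    return [rng.randrange(q) for _ in range(n)]
```

The "accessory operations" of the claims are the per-coefficient steps around this core (twisting, pointwise products, adding a second polynomial) that the hardware performs on the butterfly outputs before they are written back; in this software version they appear as the list comprehensions between the transforms.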

Publication date: 03-01-2019

MIXED-COORDINATE POINT MULTIPLICATION

Number: US20190004770A1
Assignee: Intel Corporation

In one embodiment, an apparatus comprises a multiplier circuit to: identify a point multiply operation to be performed by the multiplier circuit, wherein the point multiply operation comprises point multiplication of a first plurality of operands; identify a point add operation associated with the point multiply operation, wherein the point add operation comprises point addition of a second plurality of operands, wherein the second plurality of operands comprises a first point and a second point, and wherein the first point and the second point are associated with a first coordinate system; convert the second point from the first coordinate system to a second coordinate system; perform the point add operation based on the first point associated with the first coordinate system and the second point associated with the second coordinate system; and perform the point multiply operation based on a result of the point add operation.

Claims:
1. An apparatus, comprising: a multiplier circuit to: identify a point multiply operation to be performed by the multiplier circuit, wherein the point multiply operation comprises point multiplication of a first plurality of operands; identify a point add operation associated with the point multiply operation, wherein the point add operation comprises point addition of a second plurality of operands, wherein the second plurality of operands comprises a first point and a second point, and wherein the first point and the second point are associated with a first coordinate system; convert the second point from the first coordinate system to a second coordinate system; perform the point add operation based on the first point associated with the first coordinate system and the second point associated with the second coordinate system; and perform the point multiply operation based on a result of the point add operation.
2. The apparatus of claim 1, wherein the first coordinate system comprises an Affine coordinate system, ...

Publication date: 09-01-2020

ELLIPTIC CURVE ISOGENY BASED KEY AGREEMENT PROTOCOL

Number: US20200014534A1
Assignee: Koninklijke Philips N.V.

An electronic key pre-distribution device for configuring multiple network nodes with local key information is provided. The key pre-distribution device applies at least a first hash function and a second hash function to a digital identifier of a network node. The first and second hash functions map the digital identifier to a first public point (H1(ID)) and a second public point (H2(ID)) on a first elliptic curve and a second elliptic curve. A first and a second secret isogeny are applied to the first and second public elliptic curve points to obtain a first private elliptic curve point and a second private elliptic curve point, which form part of the private key material for the network node.

Claims:
1. An electronic key pre-distribution device for configuring multiple network nodes with local key information, the key pre-distribution device comprising: a storage comprising information representing a first secret isogeny (φ; s1) for a first elliptic curve (E1) and a second secret isogeny (φ′; s2) for a second elliptic curve (E2), an isogeny being arranged to receive a point on an elliptic curve and to produce a point on an elliptic curve as output; and a processor circuit configured to: obtain a digital identifier (ID) for a network node; apply at least a first hash function and a second hash function to the digital identifier, the first and second hash functions mapping the digital identifier to a first public point (H1(ID)) and a second public point (H2(ID)) on a first elliptic curve and second elliptic curve, the first elliptic curve being different from the second elliptic curve, the first and second public point being part of public key material for the network node; apply the first and second secret isogeny to the first and second public elliptic curve point, thus obtaining a first private elliptic curve point and second private elliptic curve point being part of private key material for the network node; and ...

Publication date: 28-01-2016

SIMPLIFIED INVERSIONLESS BERLEKAMP-MASSEY ALGORITHM FOR BINARY BCH CODE AND CIRCUIT IMPLEMENTING THEREFOR

Number: US20160026435A1
Author: HUNG Jui Hui, YEN Chih Nan
Assignee: Storart Technology Co.,Ltd.

A simplified inversionless Berlekamp-Massey algorithm for binary BCH codes and a circuit implementing the method are disclosed. The circuit includes a first register group, a second register group, a control element, an input element and a processing element. By breaking the completeness of the mathematical structure of the existing simplified inversionless Berlekamp-Massey algorithm, the number of registers used can be reduced by two compared with the conventional algorithm. Hardware complexity and operation time can be reduced.

Claims:
1. A circuit for implementing a simplified inversionless Berlekamp-Massey algorithm for binary BCH codes, comprising: a first register group, having 2t registers connected in series, each register receiving a calculation value of the iterative operation from the upstream end during each clock and outputting the calculation value of the iterative operation to the downstream end in the next clock; a second register group, having 2t−1 registers connected in series, each register receiving a copied value from the upstream end during each clock and outputting the copied value in the next clock or in a clock after the clock; a control element, electrically connected to the penultimate register from the most downstream end in the first register group, for receiving outputted calculation values of the iterative operation from the register and outputting the first calculation value in each iterative operation, a discrepancy value and a control signal; an input element, electrically connected to the antepenultimate register from the most downstream end in the first register group, for receiving outputted calculation values of the iterative operation from the register, electrically connected to the register in the most downstream end in the second register group, for receiving outputted copied values from the register, and selectively outputting Galois field value of 0 or 1, or the outputted calculation value of the iterative operation to the first register group, and Galois field value of 0 or 1, or ...

Publication date: 26-01-2017

COMPUTATIONAL METHOD, COMPUTATIONAL DEVICE AND COMPUTER SOFTWARE PRODUCT FOR MONTGOMERY DOMAIN

Number: US20170026178A1
Author: Kaluzhny Uri

In Elliptic Curve Cryptography (ECC), one performs a great number of modular multiplications. These are usually done by the Montgomery multiplication algorithm, which needs the operands to be preprocessed (namely, converted to the Montgomery domain), which is normally done by an equivalent of a long division. We provide a method to perform this conversion by a single Montgomery multiplication on the raw data. The method is formulated for elliptic curve points represented in Jacobian coordinates but can be extended to other representations.

Claims:
1. A method for computation, comprising: receiving, in a Montgomery multiplier circuit, a pair of input coordinates (x, y) specifying a point on an elliptic curve in a canonical form; converting the pair of the input coordinates to a quotient-based representation comprising three alternative coordinates (X′, Y′, Z′) in a Montgomery form by performing first Montgomery multiplications of the input coordinates by selected conversion factors; and carrying out one or more elliptic curve operations by applying second Montgomery multiplications to the alternative coordinates in the Montgomery form.
2. The method according to claim 1, wherein the alternative coordinates comprise Jacobian coordinates.
3. The method according to claim 1, wherein performing the first Montgomery multiplications comprises applying a Montgomery multiplication by 1 in computing at least one of the alternative coordinates.
4. The method according to claim 3, wherein performing the first Montgomery multiplications comprises: selecting conversion factors ω, α and β, wherein α and β are powers of ω; and calculating the alternative coordinates as Montgomery products of α and β with the input coordinates, such that X′ = α⊙x, Y′ = (β⊙y)⊙1, and Z′ = ω.
5. The method according to claim 1, wherein carrying out the one or more elliptic curve operations comprises calculating a result expressed in the quotient-based representation in the Montgomery form, and applying at least one ...
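The conversion of claim 4 worked through, as an added example that is not the inventor's code. Writing ⊙ for Montgomery multiplication (a⊙b = a·b·R⁻¹ mod N), the triple (α⊙x, (β⊙y)⊙1, ω) is the Montgomery form of the Jacobian point (x·λ², y·λ³, λ) with λ = ω·R⁻¹, provided α = ω² and β = ω³; that reading of "powers of ω" is my assumption, as are R = 2^k and the sample modulus and coordinates. With ω = 1 the factors are trivial and no precomputed constant such as R² mod N is needed, which is the point of the method; the reference path back to affine uses an ordinary inversion only to check the round trip.

```python
"""Entering the Montgomery domain with Montgomery multiplications only.

Added example, not the inventor's code. Assumes R = 2^k > N for odd N,
alpha = omega^2 and beta = omega^3 (one reading of claim 4's 'powers of omega').
"""


def montgomery_params(n):
    """k, R = 2^k and n' with n * n' == -1 (mod R)."""
    k = n.bit_length()
    r = 1 << k
    n_prime = (-pow(n, -1, r)) % r
    return k, r, n_prime


def mont_mul(a, b, n, k, r, n_prime):
    """REDC(a*b) = a*b*R^-1 mod n, using shifts, a mask and one multiply by n."""
    t = a * b
    m = (t * n_prime) & (r - 1)
    u = (t + m * n) >> k
    return u - n if u >= n else u


def to_mont_jacobian(x, y, n, omega=1):
    """Claim-4 style conversion of affine (x, y) with 0 <= x, y < n and 1 <= omega < n."""
    k, r, n_prime = montgomery_params(n)

    def mm(a, b):
        return mont_mul(a, b, n, k, r, n_prime)

    alpha = omega * omega % n          # trivial (no reduction needed) when omega == 1
    beta = alpha * omega % n
    X = mm(alpha, x)                   # X' = alpha (.) x
    Y = mm(mm(beta, y), 1)             # Y' = (beta (.) y) (.) 1
    Z = omega                          # Z' = omega
    return X, Y, Z


def from_mont_jacobian(X, Y, Z, n):
    """Reference only: leave the Montgomery domain by multiplying by 1, then
    recover affine x = X/Z^2, y = Y/Z^3 with an ordinary modular inversion."""
    k, r, n_prime = montgomery_params(n)

    def mm(a, b):
        return mont_mul(a, b, n, k, r, n_prime)

    Xj, Yj, Zj = mm(X, 1), mm(Y, 1), mm(Z, 1)
    z_inv = pow(Zj, -1, n)
    return Xj * z_inv * z_inv % n, Yj * pow(z_inv, 3, n) % n
```

Checking the algebra: leaving the domain gives X = ω²·x·R⁻², Z = ω·R⁻¹, so X/Z² = x, and Y = ω³·y·R⁻³ = y·Z³. The Montgomery multiplier never sees a long division; the one inversion above is only in the verification path.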

Publication date: 23-01-2020

PROTECTING PARALLEL MULTIPLICATION OPERATIONS FROM EXTERNAL MONITORING ATTACKS

Number: US20200026883A1

Systems and methods for protecting cryptographic data processing operations involving universal polynomial hash function computation from external monitoring attacks. An example method may comprise: receiving an input data block and an iteration result value; performing a first field multiplication operation to produce a new iteration result value, by iteratively processing, starting from a first bit position, bits of a combination of the input data block and the iteration result value, wherein the first bit position is represented by one of: a least-significant bit and a most-significant bit; performing a second field multiplication operation to produce a new mask correction value, by iteratively processing operand bits starting from a second bit position, wherein the second bit position is represented by one of: a least-significant bit and a most-significant bit, and wherein the second bit position is different from the first bit position; applying the new mask correction value to the new iteration result value; and producing, based on the new iteration result value, a value of a cryptographic hash function to be utilized by at least one of: an authenticated encryption operation or an authenticated decryption operation.

Claims:
1. A method, comprising: receiving, by a processing device, an input data block and an iteration result value; performing a first field multiplication operation to produce a new iteration result value, by iteratively processing, starting from a first bit position, bits of a combination of the input data block and the iteration result value, wherein the first bit position is represented by one of: a least-significant bit and a most-significant bit; performing a second field multiplication operation to produce a new mask correction value, by iteratively processing operand bits starting from a second bit position, wherein the second bit position is represented by one of: a least-significant bit and a most-significant bit, and wherein the second bit ...
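The masked iteration above in working form, as an added example that is not the patent holder's code. The universal hash is the GHASH-shaped Y_i = (Y_{i-1} ⊕ X_i)·H over GF(2^128); the masked accumulator is multiplied by H least-significant-bit first, the mask correction M·H is computed most-significant-bit first, and the two results are combined with a fresh mask so the accumulator is never held unmasked. Polynomials are plain integers (bit i is the coefficient of x^i) reduced by x^128 + x^7 + x^2 + x + 1; GCM's reflected bit order is deliberately not reproduced, and the sample key, blocks and masks are constructed.

```python
"""Masked GF(2^128) universal hash with opposite-direction multiplications.

Added example, not the patent holder's code. Distributivity gives
(Y ^ X ^ M) * H = (Y ^ X) * H ^ M * H, so XORing in M * H (computed the
other way round) removes the mask from the product.
"""
import secrets

R_POLY = (1 << 128) | 0x87           # x^128 + x^7 + x^2 + x + 1


def _xtime(v):
    """Multiply by x and reduce."""
    v <<= 1
    if v >> 128:
        v ^= R_POLY
    return v


def gf_mul_lsb_first(a, b):
    """Right-to-left: scan b from bit 0, accumulate shifted copies of a."""
    z, v = 0, a
    for i in range(128):
        if (b >> i) & 1:
            z ^= v
        v = _xtime(v)
    return z


def gf_mul_msb_first(a, b):
    """Left-to-right (Horner): scan b from bit 127, shift the accumulator each step."""
    z = 0
    for i in range(127, -1, -1):
        z = _xtime(z)
        if (b >> i) & 1:
            z ^= a
    return z


def ghash_plain(h, blocks):
    """Unprotected reference: Y_i = (Y_{i-1} ^ X_i) * H."""
    y = 0
    for x in blocks:
        y = gf_mul_lsb_first(y ^ x, h)
    return y


def default_mask():
    return secrets.randbits(128)


def fixed_masks(values):
    """Deterministic mask source for tests; production code uses default_mask."""
    it = iter(values)
    return lambda: next(it)


def ghash_masked(h, blocks, mask_source=default_mask):
    """Same hash, but the accumulator is masked throughout.

    Invariant: y_masked == y ^ m. The masked product is computed LSB-first,
    the correction m * h MSB-first, and the result is re-masked with a fresh m.
    """
    m = mask_source()
    y_masked = m                                        # y = 0 under mask m
    for x in blocks:
        y_masked = gf_mul_lsb_first(y_masked ^ x, h)    # (y ^ x ^ m) * h
        correction = gf_mul_msb_first(m, h)             # m * h, opposite bit order
        m_new = mask_source()
        y_masked ^= correction ^ m_new                  # (y ^ x) * h ^ m_new
        m = m_new
    return y_masked ^ m
```

Both multipliers touch H with the same bits but at different cycles, so a horizontal attack that aligns per-bit leakage of one multiplication does not line up with the other; the mask must be refreshed every block, since reusing M would let the attacker average it out.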

Publication date: 31-01-2019

Homogenous Atomic Pattern for Double, Add, and Subtract Operations for Digital Authentication Using Elliptic Curve Cryptography

Number: US20190034170A1
Author: PEETERS ERIC THIERRY

A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the power consumption and electromagnetic emanation profile of the circuitry performing the operations is identical regardless of the operation. A subtraction operation using such an atomic pattern is also disclosed.

Claims:
1. A method of operating digital logic circuitry to execute a finite field scalar multiplication of a multiplicand representative of a point in the finite field by a binary-valued scalar, comprising the steps of: initializing one or more memory locations storing components of a sum, the sum representative of a point in the finite field; and operating the digital logic circuitry to execute a plurality of operations comprising, for each of a plurality of bit positions in the scalar: doubling an operand representative of one of the sum and the multiplicand; responsive to the bit position having a "1" value, adding first and second operands, the first and second operands representative of the sum and the multiplicand; and then advancing to a next bit position in the scalar; the operations being executed using an atomic pattern consisting of: a first addition; then a first multiplication followed by a second multiplication; then a second addition; then a third multiplication followed by a fourth multiplication; then a third addition; then a fifth multiplication; then a fourth addition; then a sixth multiplication followed by a seventh multiplication followed by an eighth multiplication; then a fifth addition; then a ninth multiplication; then a sixth addition followed by a seventh addition; then a tenth multiplication; and then an eighth addition; wherein the doubling step is executed using an atomic pattern consisting of a first addition; then a first multiplication followed by a ...

Publication date: 31-01-2019

PROTECTION OF AN ITERATIVE CALCULATION AGAINST HORIZONTAL ATTACKS

Number: US20190034629A1

An iterative calculation is performed on a first number and a second number while protecting the iterative calculation against side-channel attacks. For each bit of the second number, successively, an iterative calculation routine for the bit is determined, the determination being made independently of the state of the bit. The determined iterative calculation routine for the bit is executed. A result of the iterative calculation is generated based on the result of the execution of the determined iterative calculation routine for the last bit of the second number.

Claims:
1. A method, comprising: executing, using an electronic circuit, an iterative calculation on a first number and a second number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number; and executing the determined iterative calculation routine; and generating a result of the iterative calculation based on a result of the determined iterative calculation routine of a last bit of the second number.
2. The method of claim …, wherein the iterative calculation routine is selected from a set of iterative calculation routines.
3. The method of claim 2, wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number.
4. The method of claim …, wherein the set of iterative calculation routines comprises: a square-and-multiply always routine; and a Montgomery multiplication routine.
5. The method of claim …, wherein the determining the iterative calculation routine of a bit of the second number is performed randomly.
6. The method of claim …, wherein steps of the iterative calculation routine vary according to the state of the bit of the second number.
7. The method of claim 1, comprising: initializing variables stored in a memory prior to executing the ...

Publication date: 11-02-2016

Elliptic curve encryption method comprising an error detection

Number: US20160043863A1
Author: Vincent Dupaquis
Assignee: Inside Secure SA

A method in an elliptic curve cryptographic system, the method being executed by an electronic device and including a multiplication operation of multiplying a point of an elliptic curve by a scalar number, the point having affine coordinates belonging to a Galois field, the multiplication operation including steps of detecting the appearance of a point at infinity during intermediate calculations of the multiplication operation, and of activating an error signal if the point at infinity is detected and if the number of bits of the scalar number processed by the multiplication operation is lower than the rank of the most significant bit of an order of a base point of the cryptographic system.

Publication date: 24-02-2022

COMPUTING ACCELERATION FRAMEWORK

Number: US20220057997A1
Assignee: SOFTIRON LIMITED

A processing acceleration system including at least one gate array that performs finite field arithmetic and at least one controller that sends information to the gate array(s) upon a determination that sending the information, performing the finite field arithmetic by the gate array(s), and sending results of the finite field arithmetic to at least one destination is more efficient than general-purpose computing processor(s) performing the finite field arithmetic and sending the results to the at least one destination. The gate array(s) may include field programmable gate array(s), and the destination(s) may include the general-purpose computing processor(s) or storage devices. The finite field arithmetic may include Galois field arithmetic such as modular arithmetic, for example as may be used with respect to erasure coding for storage device(s).

Claims:
1. A processing acceleration system comprising: at least one gate array that performs finite field arithmetic; and at least one controller that sends information to the at least one gate array upon a determination that sending the information, performing the finite field arithmetic by the at least one gate array, and sending results of the finite field arithmetic to at least one destination is more efficient than at least one general-purpose computing processor performing the finite field arithmetic and sending the results to the at least one destination.
2. The processing acceleration system as in claim 1, wherein the at least one gate array comprises at least one field programmable gate array.
3. The processing acceleration system as in claim 1, wherein the at least one gate array also assists with compression or decompression of data.
4. The processing acceleration system as in claim 1, wherein the at least one gate array also assists with de-duplication of data.
5. The processing acceleration system as in claim 1, wherein the at least one destination comprises the at least one general-purpose computing processor ...

Publication date: 07-02-2019

System, Apparatus And Method For Performing A Plurality Of Cryptographic Operations

Number: US20190044718A1

In one embodiment, an apparatus includes a hardware accelerator to execute cryptography operations including a Rivest Shamir Adleman (RSA) operation and an elliptic curve cryptography (ECC) operation. The hardware accelerator may include: a multiplier circuit comprising a parallel combinatorial multiplier; and an ECC circuit coupled to the multiplier circuit to execute the ECC operation. The ECC circuit may compute a prime field multiplication using the multiplier circuit and reduce a result of the prime field multiplication in a plurality of addition and subtraction operations for a first type of prime modulus. The hardware accelerator may execute the RSA operation using the multiplier circuit. Other embodiments are described and claimed.

Claims:
1. An apparatus comprising: a hardware accelerator to execute cryptography operations including a Rivest Shamir Adleman (RSA) operation and an elliptic curve cryptography (ECC) operation, the hardware accelerator comprising: a multiplier circuit comprising a parallel combinatorial multiplier; and an ECC circuit coupled to the multiplier circuit to execute the ECC operation, the ECC circuit to compute a prime field multiplication using the multiplier circuit and to reduce a result of the prime field multiplication in a plurality of addition and subtraction operations for a first type of prime modulus, wherein the hardware accelerator is to execute the RSA operation using the multiplier circuit.
2. The apparatus of claim 1, wherein the ECC circuit is to reduce a result of the prime field multiplication in a plurality of multiplication operations for a second type of prime modulus.
3. The apparatus of claim 1, wherein the multiplier circuit comprises a 27-bit×411-bit parallel combinatorial multiplier to multiply a first 384-bit value and a second 384-bit value in 16 clock cycles.
4. The apparatus of claim 1, wherein the hardware accelerator is to isolate first and second portions of first and second values and send the isolated ...

Publication date: 06-02-2020

SYSTEM AND METHOD FOR OPTIMIZED ELLIPTIC CURVE CRYPTOGRAPHY OPERATIONS

Number: US20200044846A1

A method and protocol for determining linear combinations of a first and second point for an elliptic curve cryptography scheme, including determining a first scalar multiplication of the first point with a first scalar, the first scalar multiplication including performing iteratively in relation to the value of the first scalar either one of: doubling of the first point in Jacobian projective coordinates; or mixed addition with the first point in affine coordinates; determining a combination point by adding the second point to the resultant of the first scalar multiplication; obtaining an affine coordinate representation of the combination point; determining a second scalar multiplication of the combination point with a second scalar, the second scalar multiplication including performing iteratively in relation to the value of the second scalar either one of: doubling of the combination point in Jacobian projective coordinates; or mixed addition with the combination point in affine coordinates.
1. A protocol for determining linear combinations of a first point and a second point for an elliptic curve cryptography scheme, the elliptic curve cryptographic scheme for permitting secure communications between two or more cryptographic correspondent devices, each of the cryptographic correspondent devices comprising a processor and a memory, the memory configured to store a plurality of instructions which when executed by the processor cause the processor to implement the cryptographic scheme, the first point and the second point in affine coordinates, the protocol comprising: obtaining a Jacobian projective coordinate representation of the first point; doubling of a current value of the first point in Jacobian projective coordinates; or mixed addition of a current value of the first point with the initial value of the first point in affine coordinates; determining a first scalar multiplication of the first point with a first scalar, the first scalar ...

Publication date: 14-02-2019

SYSTOLIC PARALLEL GALOIS HASH COMPUTING DEVICE

Number: US20190052455A1
Assignee: SECTURION SYSTEMS, INC.

A computing device (e.g., an FPGA or integrated circuit) processes an incoming packet comprising data to compute a Galois hash. The computing device includes a plurality of circuits, each circuit providing a respective result used to determine the Galois hash, and each circuit including: a first multiplier configured to receive a portion of the data; a first exclusive-OR gate configured to receive an output of the first multiplier as a first input, and to provide the respective result; and a second multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second multiplier as a second input. In one embodiment, the computing device further comprises a second exclusive-OR gate configured to output the Galois hash, wherein each respective result is provided as an input to the second exclusive-OR gate.
1. A system to compute a Galois hash for a first incoming packet comprising data, the system comprising: a plurality of sub-modules, each sub-module implemented in a computing device, and each sub-module comprising: a first Galois multiplier configured to receive a portion of the data; a first multiplexer configured to select one of a plurality of pre-computed keys for use by the first Galois multiplier; a first exclusive-OR gate configured to receive an output of the first Galois multiplier as a first input; and a second Galois multiplier configured to receive an output of the first exclusive-OR gate, wherein the first exclusive-OR gate is further configured to receive an output of the second Galois multiplier as a second input; and a second exclusive-OR gate, implemented in the computing device, the second exclusive-OR gate configured to provide the Galois hash as an output, wherein a result is provided by the first exclusive-OR gate of each respective sub-module, and each respective result is provided as an input to the second exclusive-OR gate.
2. The system ...

Publication date: 13-02-2020

METHOD FOR CREATING AND DISTRIBUTING CRYPTOGRAPHIC KEYS

Number: US20200052891A1
Assignee:

A method creates and distributes cryptographic keys for securing communication at two terminals. Signals for creating correlated values in the two terminals are distributed via a first communication channel burdened with error, and the correlated values are present as keys. A checksum is formed on the basis of the first key present in the first terminal and the checksum is transferred to the second terminal via a second communication channel. A second checksum is formed on the basis of the second key present, and information derived from the two checksums is transferred via the second communication channel to a server. Based on the information derived from the checksums, the server determines a correction value, which, when applied to one or both keys, brings the keys into correspondence. The correction value is transferred to one or both terminals via the second communication channel and is applied to one or both keys.
1-8. (canceled)
10. The method according to claim 9, wherein the signals generating the correlated values in the first and second terminals are distributed by: a random signal being created by the first terminal and being transmitted to the second terminal; or a random signal being created by the second terminal and being transmitted to the first terminal; or an entangled quantum state being generated by an external signal source and transmitted to both of the first and second terminals by means of quantum communication.
11. The method according to claim 9, wherein to form the correlated values, parts of a transmitted signal are selected and remaining parts of the transmitted signal are discarded.
12. The method according to claim 9, wherein: a key is specified as a binary vector of a given length; a publicly known test matrix containing binary numbers as entries is defined, a number of rows of which corresponds to a given length of the keys and a number of columns of which corresponds to a length of the first and second checksums; ...

Publication date: 21-02-2019

TESTING RESISTANCE OF A CIRCUIT TO A SIDE CHANNEL ANALYSIS

Number: US20190057228A1
Assignee:

In a general aspect, a test method can include: acquiring a plurality of value sets, each comprising values of a physical quantity or of logic signals, linked to the activity of a circuit to be tested when executing distinct cryptographic operations applied to a same secret data; for each value set, counting occurrence numbers of the values of the set; for each operation and each of the possible values of a part of the secret data, computing a partial result of operation; computing sums of occurrence numbers, each sum being obtained by adding the occurrence numbers corresponding to the operations which, when applied to a same possible value of the part of the secret data, provide a partial operation result having a same value; and analyzing the sums of occurrence numbers to determine the part of the secret data.
1. A test method comprising: acquiring a plurality of value sets, each value set comprising values of a physical quantity, or of logic signals, linked to activity of a circuit to be tested when the circuit executes an operation of an operation set of distinct cryptographic operations applied to a same data to be discovered; for each value set, counting, by a processing unit, occurrence numbers of values transformed by a first surjective function applied to values of the value set, to form an occurrence number set for the value set; for each operation of the operation set, and each possible value of a part of the data to be discovered, computing, by the processing unit, results of at least two distinct partial operations; computing, by the processing unit, for each partial operation result, cumulative occurrence number sets, each cumulative occurrence number set being obtained by adding together the occurrence number sets corresponding to the operations of the operation set, which, when applied to a same value or equivalent value of the possible values of the part of the data to be discovered, provide a partial operation result having a same transformed value ...

Publication date: 01-03-2018

PROTECTION OF A MODULAR EXPONENTIATION CALCULATION

Number: US20180060040A1
Assignee:

A method of protecting a modular exponentiation calculation on a first number and an exponent, modulo a first modulo, executed by an electronic circuit using a first register or memory location and a second register or memory location, successively including, for each bit of the exponent: generating a random number; performing a modular multiplication of the content of the first register or memory location by that of the second register or memory location, and placing the result in one of the first and second registers or memory locations selected according to the state of the bit of the exponent; performing a modular squaring of the content of one of the first and second registers or memory locations selected according to the state of the exponent, and placing the result in this selected register or memory location, the multiplication and squaring operations being performed modulo the product of the first modulo by said random number.
1. A method, comprising: performing, using an electronic circuit, a modular exponentiation calculation on a first number and an exponent, modulo a first modulo by, for each bit of the exponent: generating a random number; performing a modular multiplication of content of a first memory location by content of a second memory location, and placing a result in one of the first and second memory locations selected according to a state of the bit of the exponent; and performing a modular squaring of the content of one of the first and second memory locations selected according to the state of the exponent, and placing the result in this selected register or memory location, the multiplication and squaring operations being performed modulo a product of the first modulo and said random number.
2. The method of wherein a result of the modular exponentiation calculation is contained in said first memory location.
3. The method of claim 1, comprising: initializing the first memory location to value 1; and initializing the second memory location to a ...

Publication date: 10-03-2022

ARITHMETIC DEVICE AND METHOD

Number: US20220078012A1
Author: INOUE Kazuki
Assignee: Kioxia Corporation

According to an embodiment, the arithmetic device includes a controller. The controller is configured to: convert a bit string of m bits (where m is an integer of 4 or more) representing a multiplication value k when a certain condition is satisfied; set a value based on a coordinate value P of a specific point for a first variable and a second variable based on a second bit value from a least significant bit of the bit string; perform loop processing (m−3) times for multiplication processing of performing multiplication on the first variable and addition processing of adding two different points which are not infinite points by adding the first variable and the second variable; and output a coordinate value kP obtained by a scalar multiplication of the coordinate value P with the multiplication value k based on processing for a most significant bit of the bit string.
1. An arithmetic device comprising a controller, the controller being configured to: convert a bit string of m bits (where m is an integer of 4 or more) representing a multiplication value k when a certain condition is satisfied; set a value based on a coordinate value P of a specific point for a first variable and a second variable based on a second bit value from a least significant bit of the bit string; perform loop processing (m−3) times for multiplication processing of performing multiplication on the first variable and addition processing of adding two different points which are not infinite points by adding the first variable and the second variable; and output a coordinate value kP obtained by a scalar multiplication of the coordinate value P with the multiplication value k based on processing for a most significant bit of the bit string.
2. The arithmetic device according to claim 1, wherein the controller is configured to perform the multiplication processing of performing multiplication on the first variable, and the addition processing of adding the first variable and the second ...

Publication date: 02-03-2017

VERIFICATION OF THE SENSITIVITY OF AN ELECTRONIC CIRCUIT EXECUTING A MODULAR EXPONENTIATION CALCULATION

Number: US20170060535A1
Author: Teglia Yannick
Assignee:

A method of verifying the sensitivity of an electronic circuit executing a modular exponentiation calculation in a first register and a second register, successively including, for each bit of the exponent: a first step of multiplying the content of one of the registers, selected from among the first register and the second register according to the state of the bit of the exponent, by the content of the other one of the first and second registers, placing the result in said one of the registers; a second step of squaring the content of said other one of the registers by placing the result in this other register, wherein the content of that of the first and second registers which contains the multiplier of the operation of the first step is disturbed, for each bit of the exponent, during the execution of the first step.
1. A method, comprising: verifying a sensitivity of an electronic circuit executing a modular exponentiation calculation using a first register and a second register, wherein: the executing the modular exponentiation calculation includes, successively for each bit of an exponent of the calculation: multiplying content of one of the registers, selected from among the first register and the second register according to a state of a current bit of the exponent, by content of the other one of the first and second registers, and placing a result of the multiplication in said one of the first and second registers; and squaring content of said other one of the first and second registers and placing a result of the squaring in the other of the first and second registers; and the verifying includes: disturbing, for each bit of the exponent of the calculation, content of at least one of the first and second registers during the multiplying; and determining the sensitivity of the electronic circuit based on disturbed results of the modular exponentiation calculation.
2. The method of wherein the multiplying is implemented using a Montgomery ladder.
3. The ...

Publication date: 02-03-2017

Protection of a modular exponentiation calculation

Number: US20170061119A1
Author: Yannick Teglia
Assignee: STMICROELECTRONICS ROUSSET SAS

A method of protecting a modular exponentiation calculation executed by an electronic circuit using a first register and a second register, successively comprising, for each bit of the exponent: a first step of multiplying the content of one of the registers, selected from among the first register and the second register according to the state of the bit of the exponent, by the content of the other one of the first and second registers, placing the result in said one of the registers; a second step of squaring the content of said other one of the registers by placing the result in this other register, wherein the content of said other one of the registers is stored in a third register before the first step and is restored in said other one of the registers before the second step.

Publication date: 01-03-2018

SECURE ELLIPTIC CURVE CRYPTOGRAPHY INSTRUCTIONS

Number: US20180062843A1
Author: Gopal Vinodh
Assignee:

A processor of an aspect includes a decode unit to decode an elliptic curve cryptography (ECC) point-multiplication with obfuscated input information instruction. The ECC point-multiplication with obfuscated input information instruction is to indicate a plurality of source operands that are to store input information for an ECC point-multiplication operation. At least some of the input information that is to be stored in the plurality of source operands is to be obfuscated. An execution unit is coupled with the decode unit. The execution unit, in response to the ECC point-multiplication with obfuscated input information instruction, is to store an ECC point-multiplication result in a destination storage location that is to be indicated by the ECC point-multiplication with obfuscated input information instruction. Other processors, methods, systems, and instructions are disclosed.
1. A processor comprising: a decode unit to decode an elliptic curve cryptography (ECC) point-multiplication with obfuscated input information instruction, the ECC point-multiplication with obfuscated input information instruction to indicate a plurality of source operands that are to store input information for an ECC point-multiplication operation, wherein at least a portion of the input information that is to be stored in the plurality of source operands is to be obfuscated; and an execution unit coupled with the decode unit, the execution unit, in response to the ECC point-multiplication with obfuscated input information instruction, to store an ECC point-multiplication result in a destination storage location that is to be indicated by the ECC point-multiplication with obfuscated input information instruction.
2. The processor of claim 1, wherein the plurality of source operands are to store at least one of an obfuscated scalar multiplier, an obfuscated base point, or an obfuscated modulus.
3. The processor of claim 1, wherein the plurality of source operands are to ...

Publication date: 17-03-2022

Multiplication Methods, Non-Transitory Computer-Readable Media, and Multiplication Devices

Number: US20220085970A1
Assignee:

Efficient polynomial multiplication for Accelerated Fully Homomorphic Encryption (FHE). An efficient method for large integer and polynomial multiplication in a ring using negacyclic convolution and discrete Galois transform with arbitrary primes is described. The method is adapted to work with arbitrary primes that support Gaussian arithmetic. Dealing with non-Gaussian primes gives rise to another problem of how to find primitive roots of unity and of (i). An efficient solution to find those roots of interest is provided.
1. A homomorphic encryption method using at least one processor, the homomorphic encryption method comprising: receiving an input data; and homomorphically encrypting the input data to obtain a homomorphically encrypted data, including multiplying a first polynomial and a second polynomial associated with the input data, wherein said multiplying comprises: providing a prime number p; determining a first discrete Galois transform based on the first polynomial and the prime number; determining a second discrete Galois transform based on the second polynomial and the prime number; determining a point-wise product of the first discrete Galois transform and the second discrete Galois transform; determining an inverse discrete Galois transform based on the point-wise product; and determining a polynomial product of the first polynomial and the second polynomial based on the inverse discrete Galois transform.
2. The homomorphic encryption method of claim 1, ...

Publication date: 12-03-2015

S12 TX FIR ARCHITECTURE

Number: US20150074160A1
Assignee:

A FIR transmit architecture uses multiple driver divisions to allow signals with different delays to be summed into the output signal by the driver itself. The architecture includes a first multiplexer, a plurality of delay cells, a plurality of sign blocks, a switch block, a second multiplexer, and a plurality of drivers.
1-23. (canceled)
24. A transmitter finite impulse response (TX FIR) architecture, comprising: a multiplexer; a plurality of delay cells coupled to the multiplexer; a plurality of sign operators coupled to the plurality of delay cells; a plurality of serializer multiplexers, each coupled to a respective sign operator; and a plurality of driver groups, each coupled to a respective serializer multiplexer.
25. The TX FIR architecture of claim 24, wherein each driver group comprises at least one driver.
26. The TX FIR architecture of claim 24, wherein the multiplexer comprises a 20:4 multiplexer configured to output a four-bit data signal.
27. The TX FIR architecture of claim 24, wherein the multiplexer comprises a 16:4 multiplexer configured to output a four-bit data signal.
28. The TX FIR architecture of claim 24, wherein the plurality of delay cells are configured to output delayed versions of an input data signal from the multiplexer.
29. The TX FIR architecture of claim 24, wherein the multiplexer is configured to output a 4-bit data signal; and wherein the plurality of delay cells comprises 6 delay cells configured to output up to six-tap delayed versions of the 4-bit data signal from the multiplexer.
30. The TX FIR architecture of claim 24, wherein the multiplexer is configured to output a 4-bit data signal; and wherein the plurality of serializer multiplexers each comprises a 4:1 multiplexer configured to serialize the 4-bit data signal into a serial stream.
31. The TX FIR architecture of claim 24, further comprising a summing unit coupled to the plurality of driver groups.
32. The TX FIR architecture of claim 24, wherein each driver group comprises at ...

Publication date: 10-03-2016

Method and apparatus for scalar multiplication secure against differential power attacks

Number: US20160072622A1
Assignee: Umm al-Qura University

A method of scalar multiplication to obtain the scalar product between a key and a point on an elliptic curve, wherein the secret is m bits long. In selected embodiments, the first step is to partition the secret into two partitions each with m/2 bits. Point-doubling operations are performed on the point and stored into three buffers. Point additions are performed at randomized time intervals thereby preventing the method from being susceptible to differential power analysis attacks.

Publication date: 29-05-2014

METHOD OF PERFORMING MULTIPLICATION OPERATION IN BINARY EXTENSION FINITE FIELD

Number: US20140149479A1

In a method of performing a multiplication operation in a binary extension finite field, a polynomial defined by
6. The method of claim 5, wherein the preset integer r is 8.
This application claims the benefit of Korean Patent Application Nos. 10-2012-0137290 filed on Nov. 29, 2012 and 10-2013-0086945 filed on Jul. 23, 2013, which are hereby incorporated by reference in their entireties into this application.
1. Technical Field
The present invention relates generally to a method of performing a multiplication operation in a binary extension finite field and, more particularly, to a method that produces a polynomial by expanding polynomial basis multiplication for the multiplication of two polynomials in a binary extension finite field GF(2) and performs a multiplication operation in a binary extension finite field using a mapping table in which bit values having pieces of information about respective terms of the produced polynomial are mapped to respective rows.
2. Description of the Related Art
An Elliptic Curve Cryptosystem (ECC) was proposed by Neal Koblitz and Victor Miller in 1985 and since then, a lot of research into ECC has been conducted as a public key cryptosystem. This cryptosystem is based on the difficulty of the discrete logarithm of points on an elliptic curve, and is advantageous in that it is processed faster and has a smaller key than the Rivest-Shamir-Adleman (RSA) algorithm/Digital Signature Algorithm (DSA), which are widely utilized as a conventional public key cryptosystem, when a comparison is performed at the same security level. For example, it is well known that the security of ECC having a key size of about 160 bits is identical to that of RSA having a key size of 1024 bits. Therefore, ECC has attracted attention as a public key cryptosystem suitable for smart cards or the like having limited computing ability and memory. Operations in such ECC include operations of points on an elliptic curve, which include the addition of two different points, ...

Publication date: 11-03-2021

SYSTEM AND METHOD FOR SECURELY SHARING CRYPTOGRAPHIC MATERIAL

Number: US20210075597A1
Assignee:

Systems and methods described herein relate to techniques in which multiple parties each generate and exchange quantities that are based on a shared secret (e.g., powers of the shared secret) without exposing the shared secret. According to a protocol, two or more parties may exchange sets of elliptic curve points generated over polynomials that can be used, by each of the two or more parties, to determine a power of a shared secret. The protocol may be utilised as part of determining parameters for a smart contract that is broadcast to a blockchain network (e.g., Bitcoin). Based on the protocol, an additional party (e.g., a third party different from the two or more parties) may perform a computational task such as execution of the smart contract.
1. A computer-implemented method comprising: determining, at a participant of a plurality of participants, a function usable to map finite field elements; generating, based on a number of participants, polynomials evaluated in a set of points; distributing the polynomials to corresponding participants of the plurality of participants; determining a sum of polynomials of each participant of the plurality of participants, wherein the sum corresponds to a power of a secret; and collectively generating, among the plurality of participants and based on the secret, a blockchain transaction.
2. A method according to claim 1, wherein the set of points are a set of elliptic curve points.
3. A method according to claim 1, wherein determining the sum of polynomials is based on a Lagrange interpolation.
4. A method according to claim 1, further comprising determining, based at least in part on the power of the secret, a common reference string that is determinable by the plurality of participants.
5. A method according to claim 1, further comprising receiving corresponding values of polynomials from each participant of the plurality of participants.
6. A method according to claim 1, wherein off-chain communications are ...

Publication date: 17-03-2016

METHOD TO SECURELY EXECUTE A MODULAR EXPONENTIATION

Number: US20160077806A1
Assignee: GEMALTO SA

The present invention relates to a method to execute a modular exponentiation R=Xmod N, said method implementing several variable registers and an indicator register m and performing looped calculations. In the invention each loop includes at least two operations from values stored in variable registers, said operations depending on the value stored in m and on the value of the bit(s) of the exponent currently processed, m indicating if the calculation is completed for the current exponent bit at the end of the operations in the current loop.
2. Method according to claim 1, wherein said termination step returns an error message when e is null and the value in m indicates the calculation is not completed for the current exponent bit, returns the result of a last square operation of the current intermediate result if e is null and the value in m indicates the calculation is completed for the current exponent bit, returns the result of a last square of the current intermediate result and a last multiplication of the current intermediate result by X if e=1 and the value in m indicates the calculation is completed for the current exponent bit, returns the result of a last operation of multiplication of the current intermediate result by X if e=1 and the value in m indicates the calculation is not completed for the current exponent bit.
3. Method according to claim 1, wherein two variable registers R and R are used, step a) including the initialization of R and R to 1 and X and step c) comprising performing the following operations:
$R_0 \leftarrow R_0 \cdot R_m \bmod N$;
$R_0 \leftarrow R_0 \cdot R_{e_i \,\&\, [\text{custom character}]\, m} \bmod N$.
4. Method according to claim 1, wherein an additional register is used for ...

Publication date: 05-03-2020

EXPONENT SPLITTING FOR CRYPTOGRAPHIC OPERATIONS

Number: US20200076569A1
Author: Tunstall Michael
Assignee:

A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value.
1-20. (canceled)
21. A method comprising: receiving a first share value and a second share value, wherein a combination of the first share value and the second share value corresponds to a value associated with a cryptographic operation; updating a first value of a first register by performing a first operation with the first and second share values; updating a second value of a second register by performing a second operation with the second share value; selecting, by a processing device, one of the first value of the first register or the second value of the second register based on a particular bit of the second share value; and performing the cryptographic operation with the selected one of the first value of the first register or the second value of the second register.
22. The method of claim 21, wherein the particular bit corresponds to a least significant bit of the second share value.
23. The method of claim 21, wherein the particular bit corresponds to a most significant bit of the second share value.
24. The method of claim 21, wherein the cryptographic operation corresponds to a generation of a signature.
25. The method of claim 21, wherein the value associated with the cryptographic operation corresponds to an exponent value used in the cryptographic operation.
26. The method of claim 21, wherein the first operation and the second operation are each associated with power consumption to reduce susceptibility to a Differential Power Analysis ( ...

Publication date: 24-03-2016

Homogeneous Atomic Pattern for Double, Add, and Subtract Operations for Digital Authentication Using Elliptic Curve Cryptography

Number: US20160087802A1
Author: PEETERS ERIC THIERRY
Assignee:

A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the noise consumption and electromagnetic emanation profile of circuitry performing the operations is identical regardless of operation. A subtraction operation using such an atomic pattern is also disclosed.
1. A method of operating digital logic circuitry to execute a finite field scalar multiplication of a multiplicand representative of a point in the finite field by a binary-valued scalar, comprising the steps of: initializing one or more memory locations storing components of a sum, the sum representative of a point in the finite field; and operating the digital logic circuitry to execute a plurality of operations comprising, for each of a plurality of bit positions in the scalar: doubling an operand representative of one of the sum and the multiplicand; responsive to the bit position having a “1” value, adding first and second operands, the first and second operands representative of the sum and the multiplicand; and then advancing to a next bit position in the scalar; wherein the doubling step is executed using an atomic pattern consisting of: a first addition; then a first multiplication followed by a second multiplication; then a second addition; then a third multiplication followed by a fourth multiplication; then a third addition; then a fifth multiplication; then a fourth addition; then a sixth multiplication followed by a seventh multiplication followed by an eighth multiplication; then a fifth addition; then a ninth multiplication; then a sixth addition followed by a seventh addition; then a tenth multiplication; and then an eighth addition; a first addition; then a first multiplication followed ...

Publication date: 02-04-2015

Method for Complete Atomic Blocks for Elliptic Curves in Jacobian Coordinates over Prime Fields Countermeasure for Simple-Side Channel Attacks and C-Safe-Fault Attacks for Right-to-Left Algorithms

Number: US20150092940A1
Assignee: Universidad de Santiago de Chile

The present invention describes a method which improves the safety aspects of the previously published atomic blocks for the right-to-left case. This method builds new sets of atomic blocks designed to protect against both simple side-channel attacks and C-safe fault attacks for scalar multiplication for elliptic curves over prime fields. In particular, they comprise eliminating the use of dummy operations in the atomic blocks used in the scalar multiplication ([d]P), which are based on elliptic curves defined on fields of prime characteristic.

1. Atomic blocks to protect cryptosystems against simple side-channel attacks (SSCA) and C-Safe fault attacks, CHARACTERIZED in that they comprise eliminating the use of dummy operations in the atomic blocks used in the scalar multiplication ([d]P), which are based on elliptic curves defined on fields of prime characteristic.
2. The atomic blocks according to claim 1, CHARACTERIZED in that special algebraic substitutions are used for writing formulae of: General Addition, Modified Jacobian doubling, and Mixed Jacobian and Chudnovsky Jacobian Addition, having an efficient structure of atomic block (S, N, A, A, M, A) when the scalar multiplication ([d]P) is implemented with right-to-left algorithms.
3. The atomic blocks according to claim 1, CHARACTERIZED in that they comprise balancing the number of squarings (S) and multiplications (M) by using the method presented in [Longa08] and [Bernstein07], as well as other algebraic substitutions to eliminate the use of “dummy” operations which may be subject to C-fault attacks.
4. The atomic blocks according to claim 3, CHARACTERIZED in that they comprise creating ordered pairs (S, M), wherein S is a squaring followed by a multiplication M per each atomic block.
5. The atomic blocks according to claim 1, CHARACTERIZED in that they comprise enumerating the minimum quantity of additions and negations ...

Publication date: 19-06-2014

Masking with shared random bits

Number: US20140169553A1
Assignee: Microsoft Corp

A non-linear transformation including a plurality of non-linear logical operations is masked to a second or higher order. The masking includes receiving a set of random bits, and machine-masking two or more of the plurality of non-linear logical operations with a same random bit from the set of random bits.

Publication date: 05-04-2018

TECHNIQUES FOR SECURE AUTHENTICATION

Number: US20180097630A1
Assignee: Intel Corporation

Various embodiments are generally directed to techniques for secure message authentication and digital signatures, such as with a cipher-based hash function, for instance. Some embodiments are particularly directed to a secure authentication system that implements various aspects of the cipher-based hash function in dedicated hardware or circuitry. In various embodiments, the secure authentication system may implement one or more elements of the Whirlpool hash function in dedicated hardware. For instance, the compute-intensive substitute byte and mix rows blocks of the block cipher in the Whirlpool hash function may be implemented in dedicated hardware or circuitry using a combination of Galois Field arithmetic and fused scale/reduce circuits. In some embodiments, the microarchitecture of the secure authentication system may be implemented with delayed add key to limit the memory requirement to three sequential registers.

1. An apparatus, comprising:
a memory; and
logic comprised in circuitry coupled to the memory, the logic to receive a message block as an input matrix of bytes; apply a non-linear transformation to each byte of the input matrix based on a plurality of multiplication operations in a Galois Field; and generate an output matrix of bytes based on the non-linear transformation.
2. The apparatus of claim 1, the logic comprising a plurality of multiplication operators to implement the plurality of multiplication operations in the Galois Field, the plurality of multiplication operators implemented in dedicated hardware or circuitry.
3. The apparatus of claim 2, the logic to split each byte into two four-bit vectors and provide at least one bit from each of the four-bit vectors as inputs to a first multiplication operator of the plurality of multiplication operators.
4. The apparatus of claim 3, the logic comprising input of a second multiplication operator of the plurality of multiplication operators coupled to the output of the first ...

Publication date: 12-04-2018

Unknown

Number: US20180101362A1
Assignee:

The invention relates to a cryptographic processing method comprising multiplication of a point P of an elliptic curve on a Galois field by a scalar k, the multiplication comprising steps of: storing, in a first register, a zero point of the Galois field, executing a loop comprising at least one iteration comprising steps of: selecting a window of w bits in the non-signed binary representation of the scalar k, w being a predetermined integer independent of the scalar k and strictly greater than 1, calculating multiple points of P being each associated with a bit of the window and of the form ±2P, adding or not in the first register of multiple points stored, depending on the value of the bit of the window with which the multiple points are associated, wherein the loop ends once each bit of the non-signed binary representation of the scalar k has been selected, returning a value stored in the first register. If all the bits of the window selected during an iteration of the loop are zero, the iteration comprises at least one dummy execution of the addition function, and/or if all the bits of the window during an iteration of the loop are non-zero, the multiple points to be added in the first register during the step are determined from a non-adjacent form associated with the window.

12. A cryptographic processing method executed by at least one processor, the method comprising multiplication of a point P of an elliptic curve on a Galois field by a scalar k, multiplication comprising steps of:
storing (100) a zero point of the Galois field in a first register,
selecting (102) a window of w bits in a non-signed binary representation of the scalar k, wherein w is a predetermined integer independent of the scalar k and is strictly greater than 1,
calculating (104), by means of a doubling function, and storing, in at most w second registers, multiple points of P, wherein each multiple point is associated with a bit of ...

Publication date: 26-03-2020

ELECTRONIC CALCULATING DEVICE ARRANGED TO CALCULATE THE PRODUCT OF INTEGERS

Number: US20200097257A1
Assignee:

An electronic calculating device arranged to calculate the product of integers, the device comprising a storage configured to store integers in a multi-layer residue number system (RNS) representation, the multi-layer RNS representation having at least an upper layer RNS and a lower layer RNS, the upper layer RNS being a residue number system for a sequence of multiple upper moduli (M), the lower layer RNS being a residue number system for a sequence of multiple lower moduli (m), an integer (x) being represented in the storage by a sequence of multiple upper residues (x=(x)) modulo the sequence of upper moduli (M), upper residues (x) for at least one particular upper modulus (M) being further represented in the storage by a sequence of multiple lower residues ((x)) of the upper residue (x) modulo the sequence of lower moduli (m), wherein at least one of the multiple lower moduli (m) does not divide a modulus of the multiple upper moduli (M).

1. An electronic calculating device arranged to calculate the product of integers, the device comprising a storage configured to store ...

Publication date: 29-04-2021

System, Apparatus And Method For Performing A Plurality Of Cryptographic Operations

Number: US20210126786A1
Assignee:

In one embodiment, an apparatus includes a hardware accelerator to execute cryptography operations including a Rivest Shamir Adleman (RSA) operation and an elliptic curve cryptography (ECC) operation. The hardware accelerator may include a multiplier circuit comprising a parallel combinatorial multiplier, and an ECC circuit coupled to the multiplier circuit to execute the ECC operation. The ECC circuit may compute a prime field multiplication using the multiplier circuit and reduce a result of the prime field multiplication in a plurality of addition and subtraction operations for a first type of prime modulus. The hardware accelerator may execute the RSA operation using the multiplier circuit. Other embodiments are described and claimed.

1. At least one computer readable storage medium having stored thereon instructions, which if performed by a machine cause the machine to perform a method comprising:
receiving, in a controller of a hardware cryptographic circuit, a request to perform an elliptic curve cryptography (ECC) operation;
in response to the request, causing, by the controller, a hardware multiplication circuit of the hardware cryptographic circuit to perform an integer multiplication on a first operand and a second operand to obtain a first result, wherein the first and second operands comprise first and second 384-bit values, respectively, and the multiplication circuit comprises a 27-bit×411-bit parallel combinatorial multiplier;
determining whether a modulus reduction operation for the ECC operation is to be performed according to a National Institute of Standards and Technology (NIST) prime value; and
in response to determining that the modulus reduction operation is to be performed according to the NIST prime value, performing the modulus reduction operation comprising a plurality of addition and subtraction operations, and without performing any multiplication or division operations.
2. The at least one computer readable storage medium of claim 1, ...

Publication date: 09-06-2022

CRYPTO PROCESSOR, METHOD OF OPERATING CRYPTO PROCESSOR, AND ELECTRONIC DEVICE INCLUDING CRYPTO PROCESSOR

Number: US20220182220A1
Assignee: Samsung Electronics Co., Ltd

A crypto processor, a method of operating a crypto processor, and an electronic device including a crypto processor. A method of operating a crypto processor for performing a polynomial multiplication of lattice-based texts includes transferring coefficients of polynomials for the polynomial multiplication to multipliers, performing multiplications for a portion of the coefficients in parallel using the multipliers, performing an addition for a portion of results of the multiplications using an adder, and determining a result of the polynomial multiplication based on another portion of the results of the multiplications and a result of the addition.

1. A method of operating a crypto processor for performing a polynomial multiplication of lattice-based texts, the method comprising:
transmitting coefficients of polynomials for the polynomial multiplication to multipliers;
performing multiplications for a portion of the coefficients in parallel using the multipliers;
performing an addition for a portion of results of the multiplications using an adder; and
determining a result of the polynomial multiplication based on another portion of the results of the multiplications and a result of the addition.
2. The method of claim 1, wherein the portion of the results of the multiplications is obtained by a portion of the multipliers and transmitted to the adder through internal data paths respectively connecting the portion of the multipliers to the adder.
3. The method of claim 1, wherein the performing of the multiplications comprises performing, in parallel:
a multiplication between a first polynomial coefficient of a first text and a third polynomial coefficient of a second text, among the coefficients;
a multiplication between a second polynomial coefficient of the first text and the third polynomial coefficient;
a multiplication between the first polynomial coefficient and a fourth polynomial coefficient of the second text; and
a multiplication between the second ...

Publication date: 09-04-2020

ASYMMETRICALLY MASKED MULTIPLICATION

Number: US20200110907A1
Author: Jaffe Joshua M.
Assignee: Cryptography Research, Inc.

Methods and systems for masking certain cryptographic operations in a manner designed to defeat side-channel attacks are disclosed herein. Squaring operations can be masked to make squaring operations indistinguishable or less distinguishable from multiplication operations. In general, squaring operations are converted into multiplication operations by masking them asymmetrically. Additional methods and systems are disclosed for defeating DPA, cross-correlation, and high-order DPA attacks against modular exponentiation.

1-32. (canceled)
33. A system comprising:
at least one processor; and
a non-transitory computer-readable medium having instructions stored thereon that, when executed on the processor, asymmetrically masks a cryptographic operation to improve resistance to third party attacks by being configured to perform the steps of:
receiving at least one input value;
defining a left-hand-side (LHS) parameter using at least one of the input values;
defining a right-hand-side (RHS) parameter using at least one of the input values;
calculating a plurality of intermediate values, including a first intermediate value based on the LHS parameter and a second intermediate value based on the RHS parameter, wherein at least one of the first intermediate value and the second intermediate value is calculated based on a mask value; and
applying a fix value to at least one of the plurality of intermediate values to generate an output value comprising a multiplication product of at least one unmasked value of the input value used to define the LHS parameter or the RHS parameter.
34. The system of claim 33, wherein the input value used to define the LHS parameter is different from the input value used to define the RHS parameter, and wherein the output value comprises a multiplication product of the input value used to define the LHS parameter and the input value used to define the RHS parameter.
35. The system of claim 33, the instructions further being ...

Publication date: 05-05-2016

Method and System of Improved Galois Multiplication

Number: US20160124717A1
Author: Downey Walter J.
Assignee:

Embodiments of the invention include an apparatus for performing Galois multiplication using an enhanced Galois table. Galois multiplication may include converting a first and second multiplicand to exponential forms using a Galois table, adding the exponential forms of the first and second multiplicands, and converting the added exponential forms of the first and second multiplicands to a decimal equivalent binary form using the Galois table to decimal equivalent binary result of the Galois multiplication.

1. A method of performing Galois multiplication comprising:
converting a first and second multiplicand to exponential forms using a Galois table;
adding the exponential forms of the first and second multiplicands;
converting the added exponential forms of the first and second multiplicands to a decimal equivalent binary form using the Galois table to decimal equivalent binary result of the Galois multiplication.
2. The method of claim 1, further comprising: converting the decimal equivalent binary form into binary.
3. The method of claim 1, further comprising: converting the first and second multiplicands to a decimal value from binary.
4. The method of claim 1, wherein the Galois table is Table 3.
5. The method of claim 1, wherein the Galois table comprises: a first part with columns for an index, exponential, binary conversion, and exponential conversion; a second part with columns for an index, exponential, and binary conversion; and a third part with columns for an index, exponential, and binary conversion, wherein each binary conversion has a value of 0.
6. The method of claim 1, wherein the method is a part of a Reed-Solomon decoding routine.
7. The method of claim 1, wherein the Galois table comprises: a first part with all the Galois field elements except zero listed in order of exponents, with a first column of binary numbers for each field element wherein there is a consistent mapping of polynomial coefficients of the field element polynomial's powers to bit ...

Publication date: 04-05-2017

Modular Exponentiation Using Randomized Addition Chains

Number: US20170126407A1
Author: Joppe Willem Bos
Assignee: NXP BV

Various embodiments relate to a device for generating code which implements modular exponentiation, the device including: a memory used to store a lookup table; and a processor in communication with the memory, the processor configured to: receive information for a generated randomized addition chain; output code for implementing the modular exponentiation which loads elements from the lookup table including intermediate results which utilize the information for a generated randomized addition chain; and output code for implementing the modular exponentiation which uses the loaded elements to compute the next element.

Publication date: 25-08-2022

SYSTEM AND METHOD FOR MULTI-PARTY GENERATION OF BLOCKCHAIN-BASED SMART CONTRACT

Number: US20220271919A1
Assignee:

Systems and methods described herein relate to techniques that allow for multiple parties to jointly generate or jointly agree upon the parameters for generation of a smart contract, such as a verification key. Execution of the smart contract may be performed by a third party, for example, a worker node on a blockchain network. Techniques described herein may be utilised as part of a protocol in which parties of a smart contract share powers of a secret in a manner that allows each party to determine an identical common reference string, agree on parameters for a smart contract, agree and/or make proportionate contributions to the smart contract, and combinations thereof. The smart contract may be published to a blockchain network (e.g., Bitcoin Cash). The protocol may be a zero-knowledge protocol.

1-15. (canceled)
16. A computer-implemented method of executing a smart contract generated by a first computing entity and a second computing entity, the computer-implemented method implemented by a third computing entity different from both the first computing entity and the second computing entity, the computer-implemented method comprising:
receiving, at the third computing entity, the smart contract comprising a first transaction input provided by the first computing entity and a second transaction input provided by the second computing entity;
executing the smart contract by performing a computational task comprising the computation of a function on an input to the smart contract to produce an output of the smart contract;
producing a proof of correct execution of the smart contract; and
generating a blockchain transaction using the output of the smart contract.
17. The computer-implemented method according to claim 16, wherein the third computing entity is a node of a blockchain network.
18. The computer-implemented method according to claim 16, wherein the input comprises information that attests to an identity of the third computing entity.
19. The computer-implemented ...

Publication date: 01-09-2022

HIGH-PERFORMANCE SYSTEMS TO VALIDATE ISOGENY-BASED CRYPTOGRAPHY KEYS

Number: US20220276840A1
Assignee: PQSecure Technologies, LLC

A computer processing system for validating isogeny-based cryptography keys having an electronic computing device with an isogeny-based cryptosystem operably configured to validate public keying material including an elliptic curve by simultaneously computing an elliptic curve supersingularity check along with an elliptic curve public point check.

1. A computer processing system for validating isogeny-based cryptography keys comprising: an electronic computing device with an isogeny-based cryptosystem operably configured to validate public keying material including an elliptic curve by simultaneously computing an elliptic curve supersingularity check along with an elliptic curve public point check.
2. The computer processing system according to claim 1, wherein: the elliptic curve public point check is a torsion basis check.
3. The computer processing system according to claim 2, wherein the torsion basis check further comprises: at least one scalar point multiplication to validate that a plurality of torsion points are of a correct cardinality and generate a basis.
4. The computer processing system according to claim 3, wherein the torsion basis check further comprises: a first plurality of scalar point multiplications configured to verify a numerical result uniqueness and not equal to the point at infinity and a second plurality of scalar point multiplications configured to verify equivalence to the point at infinity.
5. The computer processing system according to claim 1, wherein: the electronic computing device is a high-performance electronic computing device with a plurality of functional units, at least one memory unit, and at least one controller to operably implement multiple independent computations.
6. The computer processing system according to claim 1, wherein: the elliptic curve supersingularity check is configured to find a first plurality of elliptic curve points to verify supersingularity.
7. The computer processing system according to claim 6, wherein ...

Publication date: 26-05-2016

CUBIC ROOT OF A GALOIS FIELD ELEMENT

Number: US20160147504A1
Author: Anholt Micha, Teitel Moti
Assignee:

A method includes receiving a first element of a Galois Field of order q^m, where q is a prime number and m is a positive integer. The first element is raised to a predetermined power so as to form a second element z, wherein the predetermined power is a function of q^m and an integer p, where p is a prime number which divides q^m−1. The second element z is raised to a p-th power to form a third element. If the third element equals the first element, the second element multiplied by a p-th root of unity raised to a respective power selected from a set of integers between 0 and p−1 is output as at least one root of the first element.

1. A method, comprising:
receiving, by at least one processor of a circuit, a first element of a Galois Field of order q^m, where q is a prime number and m is a positive integer;
raising, by the at least one processor, the first element to a predetermined power so as to form a second element z, wherein the predetermined power is a function of q^m and an integer p, where p is a prime number which divides q^m−1;
raising, by the at least one processor, z to a p-th power to form a third element; and
when the third element equals the first element, outputting, by the at least one processor, as at least one root of the first element the second element multiplied by a p-th root of unity raised to a respective power selected from a set of integers between 0 and p−1.
2. The method according to claim 1, wherein m is an even integer, q=2, and p=3, so that the at least one root of the first element comprises cube roots thereof.
3. The method according to claim 2, and comprising determining that an order of a group associated with the Galois Field is not divisible by 9.
5. The method according to claim 2, wherein m=10, and wherein the predetermined power is 114.
6. The method according to claim 2, and comprising determining that an order of a group associated with the Galois ...

Publication date: 08-09-2022

METHOD FOR MULTIPLYING POLYNOMIALS FOR A CRYPTOGRAPHIC OPERATION

Number: US20220286286A1
Assignee:

Various embodiments relate to a method for multiplying a first and a second polynomial in the ring [X]/(X−1) to perform a cryptographic operation in a data processing system, the method for use in a processor of the data processing system, including: receiving the first polynomial and the second polynomial by the processor; mapping the first polynomial into a third polynomial in a first ring and a fourth polynomial in a second ring using a map; mapping the second polynomial into a fifth polynomial in the first ring and a sixth polynomial in the second ring using the map; multiplying the third polynomial in the first ring with the fifth polynomial in the first ring to produce a first multiplication result; multiplying the fourth polynomial in the second ring with the sixth polynomial in the second ring to produce a second multiplication result using Renes multiplication; and combining the first multiplication result and the second multiplication result using the map.

1. A method for multiplying a first and a second polynomial in the ring [X]/(X−1) to perform a cryptographic operation in a data processing system, the method for use in a processor of the data processing system, comprising:
receiving the first polynomial and the second polynomial by the processor;
mapping the first polynomial into a third polynomial in a first ring and a fourth polynomial in a second ring using a map;
mapping the second polynomial into a fifth polynomial in the first ring and a sixth polynomial in the second ring using the map;
multiplying the third polynomial in the first ring with the fifth polynomial in the first ring to produce a first multiplication result;
multiplying the fourth polynomial in the second ring with the sixth polynomial in the second ring to produce a second multiplication result using Renes multiplication; and
combining the first multiplication result and the second multiplication result using the map,
wherein the method allows a verification, encryption, or decryption ...

Publication date: 26-05-2016

Method for efficient postcomputation-based generic-point parallel scalar multiplication

Number: US20160149703A1
Assignee: Umm Al Qura University

A method for efficient postcomputation-based generic-point scalar multiplication includes the following steps: providing a plurality of eight elliptic curve cryptoprocessors and using the cryptoprocessors to perform scalar multiplication of a group of points on an elliptic curve in which kP denotes the scalar multiplication and wherein k is an integer and P is a point on the elliptic curve; and, computing scalar multiplication on the plurality of elliptic curve cryptoprocessors by a series of point doubling and point additions that depend on the bit sequence that regenerates the scalar multiplier k; and wherein the multiplier k is partitioned into u partitions that are processed by the plurality of elliptic curve processors as k = (k^(u−1) ∥ k^(u−2) ∥ … ∥ k^(0)).

Publication date: 26-05-2016

METHOD AND APPARATUS FOR PARALLEL SCALAR MULTIPLICATION

Number: US20160149704A1
Author: AL-SOMANI Turki F.
Assignee: UMM AL-QURA UNIVERSITY

An efficient method of parallel-scalar multiplication to obtain the scalar product between a key and a point on an elliptic curve, using parallel processors. In selected embodiments, the key is partitioned into a number of partitions equal to the number of parallel processors. Precomputed points of the point on the elliptic curve are obtained using point-doubling operations, wherein the number of precomputed points also equals the number of parallel processors. Using a binary scalar-product method, intermediate scalar products are obtained when each of the parallel processors computes in parallel the scalar product between a key partition and a corresponding precomputed point. These intermediate scalar products are then aggregated using point-addition operations to obtain the total scalar product of the key and the point.

1. A method of parallel-scalar multiplication, comprising:
obtaining a key;
partitioning the key into a plurality of key partitions;
obtaining a plurality of precomputed points including precomputed points of a point;
calculating, in parallel using a plurality of parallel processors, a plurality of intermediate scalar products, wherein each of the intermediate scalar products is a scalar product between a key partition of the plurality of key partitions and a corresponding precomputed point of the point, and each of the plurality of intermediate scalar products is calculated using a scalar-product method; and
calculating a total scalar product by summing the plurality of intermediate scalar products.
2. The method according to claim 1, wherein the scalar-product method used to calculate the plurality of intermediate scalar products is a binary scalar-product method.
3. The method according to claim 1, wherein the number of key partitions equals the number of processors in the plurality of parallel processors; and the number of precomputed points of the point included in the plurality of precomputed points is equal to the number of processors in the ...

Publication date: 17-06-2021

Obfuscating cryptographic parameters used in elliptical curve cryptography, and related systems and devices

Number: US20210184831A1
Author: Huiming Chen
Assignee: Microchip Technology Inc

An obfuscation process is described for obfuscating a cryptographic parameter of cryptographic operations such as calculations used in elliptical curve cryptography and elliptical curve point multiplication. Such obfuscation processes may be used for obfuscating device characteristics that might otherwise disclose information about the cryptographic parameter, the cryptographic operations, or cryptographic operations more generally, such as information sometimes gleaned from side channel attacks and lattice attacks.

Publication date: 13-06-2019

GALOIS FIELD PIPELINED MULTIPLIER WITH POLYNOMIAL AND BETA INPUT PASSING SCHEME

Number: US20190179617A1
Assignee:

The disclosure provides a very flexible mechanism for a storage controller to create RAID stripes and to re-create corrupted stripes when necessary using the erasure coding scheme. Typically, this is known as a RAID 6 implementation/feature. The erasure code calculations are generated using the Galois Multiplication hardware and the system controller can pass any polynomial into the hardware on a per stripe calculation basis. The polynomial value is passed to the hardware via an input descriptor field. The descriptor controls the entire computation process.

1. A method for performing a computation on a multiplier, comprising:
receiving a descriptor, wherein the descriptor includes a polynomial select value and a beta value;
producing a calculation based on the polynomial select value and the beta value; and
outputting a result from the calculation to an external memory.
2. The method of claim 1, wherein the descriptor contains all of the information that is required by the multiplier to fully execute the requested operation.
3. The method of claim 2, the information includes a length for the data.
4. The method of claim 2, the information includes a source data.
5. The method of claim 2, the information includes a P buffer.
6. The method of claim 2, the information includes a Q buffer.
7. The method of claim 1, wherein a degree of the polynomial select value is eight.
8. The method of claim 1, wherein the beta value defines an 8 bit constant value that is to be multiplied by each incoming byte of an input data stream.
9. The method of claim 1, further comprising a repeat of the receiving, producing, and outputting steps.
10. The method of claim 1, wherein the calculation is produced by a Galois Field operation.
11. The method of claim 1, wherein a RAID 6 scenario is resolved by the computation on the multiplier.
12. A method for performing a computation on a multiplier, comprising: receiving a descriptor, wherein the descriptor includes all of ...

Подробнее
Publication date: 13-06-2019

AES/CRC ENGINE BASED ON RESOURCE SHARED GALOIS FIELD COMPUTATION

Number: US20190179618A1

For example, the present techniques may provide an energy-efficient multipurpose encryption engine capable of processing both AES and CRC algorithms using a shared Galois Field Computation Unit (GFCU). In an embodiment, an apparatus may comprise computation circuitry adapted to perform Galois Field computations and control circuitry adapted to control the computation circuitry so as to selectively compute either an Advanced Encryption Standard cipher or a Cyclic Redundancy Check.

1. Apparatus comprising: computation circuitry adapted to perform Galois Field computations; control circuitry adapted to control the computation circuitry so as to selectively compute either an Advanced Encryption Standard cipher or a Cyclic Redundancy Check.
2. The apparatus of wherein the control circuitry comprises: memory interface circuitry adapted to request a plurality of externally stored predetermined constant values; selection circuitry adapted to select a predetermined constant value for input to the computation circuitry; memory circuitry adapted to store a plurality of input and output data; and control circuitry sequencing circuitry adapted to output control signals to the selection circuitry, the memory circuitry, and the computation circuitry in a plurality of sequences, each sequence adapted to perform a computation.
3. The apparatus of wherein the computation circuitry comprises: exclusive-OR circuitry adapted to perform a bitwise exclusive-OR on selected data; shifter circuitry adapted to perform a circular left shift on selected data; memory circuitry adapted to store a plurality of data; selection circuitry adapted to select data input to or output from the exclusive-OR circuitry, the shifter circuitry, and the memory circuitry; and computation circuitry sequencing circuitry adapted to receive the control signals from the control circuitry and to control the selection circuitry, the memory circuitry, the exclusive-OR circuitry, and the shifter circuitry ...

Publication date: 18-09-2014

METHOD AND SYSTEM OF IMPROVED REED-SOLOMON DECODING

Number: US20140280423A1
Author: Downey Walter J.
Assignee:

Embodiments of an improved Galois multiplication routine are described. In some embodiments, the Galois multiplication routine looks up and retrieves a first value corresponding to an address in the Galois table, exclusive ORs the retrieved value with a data value from a data set to generate an intermediate address for the Galois table, wherein the data value is at a location associated with an index, and looks up and retrieves a second value in the Galois table by the intermediate address.

1. An apparatus comprising: a processor; and a memory to store a Galois table and a multiplication routine which, when executed by the processor, causes the processor to perform actions comprising: looking up and retrieving a first value corresponding to an address in the Galois table; exclusive ORing the retrieved value with a data value from a data set to generate an intermediate address for the Galois table, wherein the data value is at a location associated with an index; and looking up and retrieving a second value in the Galois table by the intermediate address.
2. The apparatus of claim 1, wherein the routine further comprises: masking the second value to leave only a relevant portion.
3. The apparatus of claim 1, further comprising, prior to looking up and retrieving a second value in the Galois table by the intermediate address: increasing the index by one; and determining that the increased index is outside of the data set.
4. The apparatus of claim 1, wherein the Galois table has sub-tables of size 2^m, wherein m is a dimension of a Galois field.
5. The apparatus of claim 4, wherein a data path of the processor is greater than m.
6. The apparatus of claim 1, wherein the Galois table is Table I.
7. The apparatus of claim 1, wherein each Galois sub-table includes a set of 2^m data values that are the result of Galois multiplies of some Galois element by all possible Galois elements in binary form order, wherein the binary form represents a consistent ordered mapping ...

Publication date: 22-07-2021

APPARATUS AND METHOD FOR MAINTAINING A COUNTER VALUE

Number: US20210224042A1
Assignee:

An apparatus and method are provided for maintaining a counter value. The apparatus has first counter control circuitry for maintaining a first counter value representing a first portion of a hybrid counter value, and second counter control circuitry for maintaining a second counter value representing a second portion of the hybrid counter value, wherein the second portion is a higher order portion of the hybrid counter value than the first portion. The first counter control circuitry is arranged to maintain the first counter value as a binary value that indicates a magnitude of the first counter value, the first counter control circuitry comprising adder circuitry that is responsive to an adjustment value to update the first counter value by performing an addition operation to add the adjustment value to a current binary value of the first counter value, and to generate a carry out signal which is set when a carry out is generated by the addition operation. The second counter control circuitry is arranged to maintain the second counter value as a bit sequence having N discrete states, and is responsive to the carry out signal being set to transition the second counter value from the current discrete state to a new discrete state. This allows an arbitrary value, smaller than or equal to the maximum value of the first counter, to be used as the adjustment value, whilst avoiding the need for the generation and handling of carry bits to be managed across the entire bit range of the hybrid counter value.

1. An apparatus comprising: first counter control circuitry to maintain a first counter value representing a first portion of a hybrid counter value; second counter control circuitry to maintain a second counter value representing a second portion of the hybrid counter value, wherein the second portion is a higher order portion of the hybrid counter value than the first portion; wherein: the first counter control circuitry is arranged to maintain the first counter ...

Publication date: 21-07-2016

NAVIGATION AID METHOD BASED ON METEOROLOGICAL CONDITIONS

Number: US20160210867A1
Assignee:

A navigation aid method for an aircraft flying a reference trajectory between a point of departure and a point of arrival subject to a field of wind vectors comprises: decomposing the reference trajectory into a plurality of discrete waypoints Pi, loading meteorological data comprising the field of wind vectors, and iterating the following steps N times to generate an improved trajectory: for each waypoint Pi, named the current point, determining a reference plane, determining an orthonormal reference frame, determining a wind curl ((∇W)), determining a sign of the projection of the wind curl on axis zi ((∇W)), determining a direction of displacement from the current point Pi to a new current waypoint Pi′, determining a line of displacement, determining a displacement distance, determining the new current waypoint, determining a new trajectory, and assigning the new waypoints Pi′ determined in the preceding iteration to the waypoints Pi for the next iteration.

1. An aircraft navigation aid method for determining an improved trajectory, executed by a flight management system, said aircraft flying a reference trajectory between a point of departure and a point of arrival subject to a field of wind vectors, the method comprising the steps of: decomposing the reference trajectory into a plurality of discrete waypoints Pi indexed i, i varying from 1 to n−1, the point of departure corresponding to an index 0 and the point of arrival to an index n; loading meteorological data comprising the field of wind vectors in an area of predetermined dimensions including the reference trajectory; iterating the following steps N times, so as to generate an improved trajectory: determining a reference plane comprising the current point Pi, the point Pi−1 preceding the current point and the point Pi+1 following the current point; determining an orthonormal reference frame associated with the current point such that the axis xi corresponds to the axis joining the preceding point Pi−1 and the ...

Publication date: 20-07-2017

Cryptography on an elliptical curve

Number: US20170207918A1
Assignee: Safran Identity and Security SAS

A cryptographic calculation includes obtaining a point P(X,Y) from a parameter t on an elliptical curve Y^2 = f(X), and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying f(X1(t))·f(X2(t))·f(X3(t)) = U(t)^2 in Fq, with q = 3 mod 4. Firstly, a value of the parameter t is obtained. Next, the point P is determined by: (i) calculating X1 = X1(t), X2 = X2(t), X3 = X3(t) and U = U(t); (ii) if the term f(X1)·f(X2) is a square, then testing whether the term f(X3) is a square in Fq and, if so, calculating the square root of f(X3) in order to obtain the point P(X3); (iii) otherwise, testing whether the term f(X1) is a square and, if so, calculating the square root of f(X1) in order to obtain the point P(X1); (iv) otherwise, calculating the square root of f(X2) in order to obtain the point P(X2). This point P is useful in a cryptographic application.

Publication date: 29-07-2021

Outsourcing Exponentiation in a Private Group

Number: US20210234688A1
Assignee: Google LLC

A method for outsourcing exponentiation in a private group includes executing a query instruction to retrieve a query element stored on an untrusted server by selecting a prime factorization of two or more prime numbers of a modulus associated with the query element stored on the server, obtaining a group element configured to generate a respective one of the prime numbers, generating a series of base values using the prime factorization and the group element, and transmitting the series of base values from the client device to the server. The server is configured to determine an exponentiation of the group element with an exponent stored on the server using the series of base values. The method also includes receiving a result from the server based on the exponentiation of the group element with the exponent.

1. A computer-implemented method which, when executed by data processing hardware of a server, causes the data processing hardware to perform operations comprising: obtaining a positional base indicative of a numeral position system; determining a server-held exponent based on the positional base, the server-held exponent representative of a plurality of data blocks stored on memory hardware in communication with the data processing hardware; determining a positional count of the server-held exponent, the positional count indicative of a number of digits of the server-held exponent using the numeral position system indicated by the positional base; transmitting the positional count to a client device; receiving, from the client device, a series of base values, the series of base values based on the positional count and a group element representative of one of the plurality of data blocks; determining, using the series of base values and the server-held exponent, a result associated with the one of the plurality of data blocks without revealing an identity of the one of the plurality of data blocks to the server; and transmitting the result to the client device.
2. The method ...

Publication date: 26-07-2018

Asymmetrically masked multiplication

Number: US20180211065A1
Author: Joshua M. Jaffe
Assignee: Cryptography Research Inc

Methods and systems for masking certain cryptographic operations in a manner designed to defeat side-channel attacks are disclosed herein. Squaring operations can be masked to make them indistinguishable, or less distinguishable, from multiplication operations. In general, squaring operations are converted into multiplication operations by masking them asymmetrically. Additional methods and systems are disclosed for defeating DPA, cross-correlation, and high-order DPA attacks against modular exponentiation.

Publication date: 04-07-2019

UNIFIED INTEGER AND CARRY-LESS MODULAR MULTIPLIER AND A REDUCTION CIRCUIT

Number: US20190205093A1
Assignee: Intel Corporation

In one embodiment, a processor comprises a multiplier circuit to operate in an integer multiplication mode responsive to a first value of a configuration parameter, and to operate in a carry-less multiplication mode responsive to a second value of the configuration parameter.

1. A processor comprising: a multiplier circuit to operate in an integer multiplication mode responsive to a first value of a configuration parameter; and operate in a carry-less multiplication mode responsive to a second value of the configuration parameter.
2. The processor of claim 1, the multiplier circuit to comprise a plurality of adders to sum a plurality of partial products, wherein carry outputs of the adders are propagated responsive to the first value of the configuration parameter and suppressed responsive to the second value of the configuration parameter.
3. The processor of claim 1, the multiplier circuit to perform an integer multiplication of a first authenticated encryption algorithm responsive to the first value of the configuration parameter and to perform a carry-less multiplication of a second authenticated encryption algorithm responsive to the second value of the configuration parameter.
4. The processor of claim 3, wherein the first authenticated encryption algorithm is Poly1305 and the second authenticated encryption algorithm is Advanced Encryption Standard (AES)-Galois/Counter Mode (GCM).
5. The processor of claim 1, the multiplier circuit to operate in a packed carry-less multiplication mode responsive to a third value of the configuration parameter.
6. The processor of claim 1, further comprising: a first reduction circuit to reduce a first output of the multiplier circuit responsive to the first value of the configuration parameter; and a second reduction circuit to reduce a second output of the multiplier circuit responsive to the second value of the configuration parameter.
7. The processor of claim 6, wherein the first reduction circuit is to reduce ...

Publication date: 19-08-2021

PROTECTING PARALLEL MULTIPLICATION OPERATIONS FROM EXTERNAL MONITORING ATTACKS

Number: US20210256165A1
Assignee:

Systems and methods for protecting cryptographic data processing operations involving universal polynomial hash function computation from external monitoring attacks. An example method may comprise: receiving an input data block and an iteration result value; performing a first field multiplication operation to produce a new iteration result value, by iteratively processing, starting from a first bit position, bits of a combination of the input data block and the iteration result value, wherein the first bit position is represented by one of: a least-significant bit and a most-significant bit; performing a second field multiplication operation to produce a new mask correction value, by iteratively processing operand bits starting from a second bit position, wherein the second bit position is represented by one of: a least-significant bit and a most-significant bit, and wherein the second bit position is different from the first bit position; applying the new mask correction value to the new iteration result value; and producing, based on the new iteration result value, a value of a cryptographic hash function to be utilized by at least one of: an authenticated encryption operation or an authenticated decryption operation.

1-18. (canceled)
19. A system, comprising: a first multiplier circuit to multiply a hash key by a combination of an input data block and a masked result value to produce a new masked result value, by iteratively processing operand bits starting from a first bit position; a second multiplier circuit to multiply the hash key by a mask correction value to produce a new mask correction value, by iteratively processing operand bits starting from a second bit position, wherein the second bit position is different from the first bit position.
20. (canceled)
21. The system of claim 19, wherein the first bit position is represented by one of: a least-significant bit and a most-significant bit.
22. The system of claim 19, wherein the second bit position is ...

Publication date: 09-07-2020

HOMOGENOUS ATOMIC PATTERN FOR DOUBLE, ADD, AND SUBTRACT OPERATIONS FOR DIGITAL AUTHENTICATION USING ELLIPTIC CURVE CRYPTOGRAPHY

Number: US20200218513A1
Author: PEETERS ERIC THIERRY
Assignee:

A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the noise consumption and electromagnetic emanation profile of circuitry performing the operations is identical regardless of operation. A subtraction operation using such an atomic pattern is also disclosed.

1. A method comprising: operating digital logic circuitry to execute a sequence of operations comprising, for bit positions in a scalar: doubling an operand representative of the sum or a multiplicand; in response to the bit position having a first logical value, adding first and second operands, the first and second operands representative of the sum and the multiplicand; and advancing to a next bit position in the scalar; wherein the doubling step is executed using an atomic pattern consisting of: a first addition; a first multiplication after the first addition; a second multiplication after the first multiplication; a second addition after the second multiplication; a third multiplication after the second addition; a fourth multiplication after the third multiplication; a third addition after the fourth multiplication; a fifth multiplication after the third addition; a fourth addition after the fifth multiplication; a sixth multiplication after the fourth addition; a seventh multiplication after the sixth multiplication; an eighth multiplication after the seventh multiplication; a fifth addition after the eighth multiplication; a ninth multiplication after the fifth addition; a sixth addition after the ninth multiplication; a seventh addition after the sixth addition; a tenth multiplication after the seventh addition; and an eighth addition after the tenth multiplication.
3. The method of ...

Publication date: 24-08-2017

Homogenous Atomic Pattern for Double, Add, and Subtract Operations for Digital Authentication Using Elliptic Curve Cryptography

Number: US20170242662A1
Author: PEETERS ERIC THIERRY
Assignee:

A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the noise consumption and electromagnetic emanation profile of circuitry performing the operations is identical regardless of operation. A subtraction operation using such an atomic pattern is also disclosed.

1. A method comprising: initializing one or more memory locations storing components of a sum, the sum representative of a point in the finite field; and operating the digital logic circuitry to execute a plurality of operations comprising, for each of a plurality of bit positions in the scalar: doubling an operand representative of one of the sum and the multiplicand; responsive to the bit position having a "1" value, adding first and second operands, the first and second operands representative of the sum and the multiplicand; and then advancing to a next bit position in the scalar; wherein the doubling step is executed using an atomic pattern consisting of: a first addition; then a first multiplication followed by a second multiplication; then a second addition; then a third multiplication followed by a fourth multiplication; then a third addition; then a fifth multiplication; then a fourth addition; then a sixth multiplication followed by a seventh multiplication followed by an eighth multiplication; then a fifth addition; then a ninth multiplication; then a sixth addition followed by a seventh addition; then a tenth multiplication; and then an eighth addition; a first addition; then a first multiplication followed by a second multiplication; then a second addition; then a third multiplication followed by a fourth multiplication; then a third addition; then a fifth multiplication; then a fourth addition; ...

Publication date: 13-11-2014

Method for Complete Atomic Blocks for Elliptic Curves in Jacobian Coordinates over Prime Fields Countermeasure for Simple-Side Channel Attacks and C-Safe-Fault Attacks for Left-to-Right Algorithms

Number: US20140334621A1
Assignee: Universidad de Santiago de Chile

The present invention describes a method which improves the safety aspects of the previously published atomic blocks. This method builds new sets of atomic blocks designed to protect against both simple side-channel attacks and C-safe fault attacks for scalar multiplication for elliptic curves over prime fields. These atomic blocks are structured with the sequence of field operations (S, N, A, A, M, A): Squaring, Negation, Addition, Addition, Multiplication, Addition. These atomic blocks are applied to various operations in Jacobian coordinates: doubling, tripling, and quintupling, as well as mixed Jacobian-affine addition for use in left-to-right scalar multiplication.

1. Atomic blocks to protect cryptosystems against simple side-channel attacks (SSCA) and C-Safe fault attacks, CHARACTERIZED in that they comprise eliminating the use of dummy operations in the atomic blocks used in the scalar multiplication ([d]P), which are based on elliptic curves defined on fields of prime characteristic, wherein the curves are of the type y^2 = x^3 − 3x + b with b ∈ GF(p) and the discriminant is Δ = −108 + 27b^2 ≠ 0 (mod p).
2. The atomic blocks according to claim 1, CHARACTERIZED in that special algebraic substitutions are used for writing formulae of: doubling ([2]P), mixed addition (P+Q), tripling ([3]P) and quintupling ([5]P), having an efficient structure of atomic block (S, N, A, A, M, A) when the scalar multiplication ([d]P) is implemented with left-to-right algorithms.
3. The atomic blocks according to claim 1, CHARACTERIZED in that they comprise balancing the number of squarings (S) and multiplications (M) by using the method presented in [Longa08] and [Bernstein07], besides algebraic substitutions to eliminate the use of "dummy" operations which may be subject to C-fault attacks.
4. The atomic blocks according to claim 3, CHARACTERIZED in that they comprise creating ordered pairs (S, M), ...

Publication date: 24-08-2017

GENERATING CRYPTOGRAPHIC CHECKSUMS

Number: US20170244564A1
Assignee: Telefonaktiebolaget LM Ericsson (publ)

A method of generating a cryptographic checksum for a message M(x) is provided. The method comprises pseudo-randomly selecting at least two irreducible polynomials p_i(x). Each irreducible polynomial p_i(x) is selected, based on a first cryptographic key, from the set of irreducible polynomials of degree n_i over a Galois Field. The method further comprises calculating a generator polynomial p(x) of degree n = formula (I) as a product of the N irreducible polynomials, formula (II), and calculating the cryptographic checksum as a first function g of a division of a second function of M(x), ƒ(M(x)), modulo p(x), i.e., g(ƒ(M(x)) mod p(x)). By replacing a standard checksum, such as a Cyclic Redundancy Check (CRC), with a cryptographic checksum, an efficient message authentication is provided. The proposed cryptographic checksum may be used for providing integrity assurance on the message, i.e., for detecting random and intentional message changes, with a known level of security. Further, a corresponding computer program, a corresponding computer program product, and a checksum generator for generating a cryptographic checksum are provided.

1. A method related to a message M(x), the method comprising: generating a cryptographic checksum for the message, wherein generating a cryptographic checksum for the message comprises: pseudo-randomly selecting, based on a first cryptographic key, at least two irreducible polynomials {p_i(x), i = 1 . . . N}, wherein each irreducible polynomial p_i(x) is selected from the set of irreducible polynomials of degree n_i over a Galois Field; calculating a generator polynomial p(x) of degree n = Σ_{i=1}^{N} n_i as a product of the N irreducible polynomials p_i(x), p(x) = Π_{i=1}^{N} p_i(x); and calculating the cryptographic checksum as a first function g of a division of a second function of M(x), ƒ(M(x)), modulo p(x), g(ƒ(M(x)) mod p(x)).
2. The method according to claim 1, wherein two irreducible polynomials ...

Publication date: 09-09-2021

NUMBER-THEORETIC TRANSFORM PROCESSING APPARATUS, NUMBER-THEORETIC TRANSFORM PROCESSING METHOD, AND COMPUTER PROGRAM PRODUCT

Number: US20210279040A1
Author: YONEMURA Tomoko
Assignee: KABUSHIKI KAISHA TOSHIBA

According to an embodiment, a number-theoretic transform processing apparatus for a noise in lattice-based cryptography includes a processor configured to perform a number-theoretic transform of the noise using a precomputation table including a combination of products of one or more elements that belong to a subspace of a finite field Zq and indicate coefficients of the noise, with one or more number-theoretic transform constants.

1. A number-theoretic transform processing apparatus for a noise in lattice-based cryptography, comprising a processor configured to perform a number-theoretic transform of the noise using a precomputation table including a combination of products of one or more elements that belong to a subspace of a finite field Zq and indicate coefficients of the noise, with one or more number-theoretic transform constants.
2. The apparatus according to claim 1, wherein the precomputation table includes a combination of products of all elements belonging to the subspace, with the one or more number-theoretic transform constants.
3. The apparatus according to claim 1, wherein the precomputation table includes a combination of products of one or more elements, except zero, among the elements belonging to the subspace, with the one or more number-theoretic transform constants.
4. The apparatus according to claim 1, wherein the precomputation table includes only one of a pair of products having values that are converted to each other by changing between plus and minus signs.
5. The apparatus according to claim 1, wherein the precomputation table includes a combination of products of one or more elements that occur as coefficients of the noise at higher frequencies than a threshold frequency of occurrence among elements belonging to the subspace, with the one or more number-theoretic transform constants.
6. The apparatus according to claim 1, wherein the processor computes a product of a number-theoretic transform constant with a coefficient of the noise by performing ...

Publication date: 01-08-2019

Minimizing information leakage during modular exponentiation and elliptic curve point multiplication

Number: US20190238310A1
Author: Stuart Audley
Assignee: Athena Group Inc

Minimizing information leakage during modular exponentiation using random masks is disclosed. Minimizing information leakage during elliptic curve point multiplication with windowing, by using point randomization, is disclosed. Elliptic curve point multiplication with windowing, which calculates and stores multiple points based on the point being multiplied and then processes multiple bits of the multiplier at a time, is also disclosed.

Publication date: 17-09-2015

VECTORIZED GALOIS FIELD MULTIPLICATION

Number: US20150261503A1

Embodiments relate to vectorized Galois field multiplication. An aspect includes a subdivision of first and second input operands into vector elements of equal sizes, with multiple modes defined such that a base mode has a size corresponding to a smallest vector element size, which is a factor of a size of the first and second input operands, and a higher mode has a size that is a multiple of the base mode size. The vector elements of the first input operand are modified with a bit mask based on a size of the vector elements. The modified vector elements of the first input operand and the vector elements of the second input operand are input into a single hardware tree configured for subdivision into staggered subtrees, the size of each of which is based on the base mode size.

1. A computer system for executing vectorized Galois field multiplication, the system comprising: a memory; and a processor, communicatively coupled to said memory, the computer system configured to perform a method comprising: subdividing first and second input operands into vector elements of equal sizes with multiple modes defined such that a base mode has a size corresponding to a smallest vector element size, which is a factor of a size of the first and second input operands, and a higher mode has a size that is a multiple of the base mode size; modifying the vector elements of the first input operand with a bit mask based on a size of the vector elements; and inputting, by the processor, the modified vector elements of the first input operand and the vector elements of the second input operand into a single hardware tree configured for subdivision into staggered subtrees, the size of each of which is based on the base mode size.
2. The computer system according to claim 1, wherein the modified vector elements of the first input operand and the vector elements of the second input operand are non-multiplexed.
3. The computer system according to claim 1, wherein the bit mask is expandable from a ...

Publication date: 17-09-2015

Vectorized galois field multiplication

Number: US20150261504A1
Assignee: International Business Machines Corp

Embodiments relate to vectorized Galois field multiplication. An aspect includes an input of first and second input operands of equal sizes into a single hardware tree, a calculation of a predicted parity as a parity of the first input operand ANDed with a parity of the second input operand, a comparison of the predicted parity with a parity generated on a final result of a Galois field multiplication of the first and second operands, and a raising of an error based on a mismatch between the predicted parity and the generated parity.

07-09-2017 дата публикации

EXPONENT SPLITTING FOR CRYPTOGRAPHIC OPERATIONS

Номер: US20170257210A1
Автор: Tunstall Michael
Принадлежит:

A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value. 1. A method comprising:receiving a first share value and a second share value, wherein a combination of the first share value and the second share value corresponds to an exponent value;updating a value of a first register using a first equation that is based on the first and second share values;updating a value of a second register using a second equation that is based on the second share value; andselecting, by a processing device, one of the value of the first register or the value of the second register based on a bit value of the second share value.2. The method of claim 1 , wherein the combination of the first share value and the second share value that corresponds to the exponent value is a logical or arithmetic operation between the first share value and the second share value.3. The method of claim 1 , further comprising:performing a cryptographic operation based on the selected value of the first or second register.4. The method of claim 3 , wherein the selected value of the first or second register corresponds to a group exponentiation based on the exponent value that corresponds to the first share value and the second share value claim 3 , and wherein the cryptographic operation is further based on the group exponentiation.5. The method of claim 1 , wherein the bit value of the second share value is the least significant bit or the most significant bit of the second share value.6. The method of claim 1 , wherein the value of the first ...

Publication date: 07-09-2017

SYSTEM AND METHOD FOR ONE-TIME CHINESE-REMAINDER-THEOREM EXPONENTIATION FOR CRYPTOGRAPHIC ALGORYTHMS

Number: US20170257211A1
Author: VIGILANT David
Assignee: GEMALTO SA

A system, method and computer-readable storage medium with instructions for protecting an electronic device against fault attack. The technology includes operating the electronic device to determine two half-size exponents, dp and dq, from the exponent d; to split the base m into two sub-bases mp and mq determined from the base m; and to iteratively compute a decryption result S by repeatedly multiplying an accumulator A by m, mp, mq or 1 depending on the values of the i-th bit of dp and dq for each iteration i. Other systems and methods are disclosed.

1. A method for operating a cryptography apparatus to perform a decryption operation having an exponentiation operation X, the method protecting the apparatus from revealing information in regard to the exponentiation operation X when the operation is exposed to a fault attack while being executed on the cryptography apparatus, the method comprising producing a result equivalent to the exponentiation by:
   receiving, on the cryptography apparatus, a message m on which to perform a cryptographic operation equivalent to the exponentiation operation S = m^d mod n;
   determining two half-size exponents from the exponent d;
   splitting the base m into two sub-bases mp and mq determined from the base m;
   iteratively computing S by repeatedly multiplying an accumulator A by m, mp, mq or 1 depending on the values of the i-th bit of dp and dq for each iteration i;
   returning as the value S the final value of the accumulator A; and
   completing the cryptographic operation using the value S obtained from the operation.
2. The method of wherein the two half-sized exponents are dp and dq such that dp = d mod (p−1) and dq = d mod (q−1), where p and q are prime numbers such that n = pq.
3. The method of wherein:
   mp = 1 + q*iq*(m−1) mod n; and
   mq = 1 + (1 − q*iq)*(m−1) mod n, wherein
   iq = q^(−1) mod p.
4. The method of wherein dp and dq have bits indexed from 0 ...
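Added worked example, not part of the patent and not Gemalto's code: the Python below contrasts a textbook two-half RSA-CRT, which a single fault turns into a factoring oracle (the Boneh, DeMillo and Lipton attack, here called the Bellcore attack), with a one-pass accumulator that multiplies by m, mp, mq or 1 per bit pair and reaches m^d mod n without ever holding a separate mod-p or mod-q half-result. The sub-base formulas are those of claim 3 above; the toy primes, the message and the `fault_sq` flag that flips one bit of the mod-q half are constructed for illustration.

```python
import math

# Constructed toy RSA parameters; real keys are 2048 bits or more.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
M = 42424242                       # constructed message, M < N


def naive_crt(m, d, p, q, fault_sq=False):
    """Textbook RSA-CRT: two half exponentiations, then Garner recombination.
    fault_sq simulates a transient fault hitting the mod-q half-result."""
    dp, dq = d % (p - 1), d % (q - 1)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_sq:
        sq ^= 1                    # one flipped bit in S_q is enough
    iq = pow(q, -1, p)
    h = (iq * (sp - sq)) % p
    return sq + h * q


def bellcore_factor(m, faulty_sig, n, e):
    """A faulty CRT signature factors n: it is still correct mod p but wrong mod q,
    so S'^e - m is divisible by p and not by q."""
    return math.gcd(pow(faulty_sig, e, n) - m, n)


def one_time_crt_exp(m, d, p, q):
    """One-pass CRT exponentiation: the accumulator is always a full mod-n value,
    never a standalone S_p or S_q."""
    n = p * q
    dp, dq = d % (p - 1), d % (q - 1)
    iq = pow(q, -1, p)
    t = (q * iq) % n                       # t = 1 mod p, t = 0 mod q
    mp = (1 + t * (m - 1)) % n             # mp = m mod p, mp = 1 mod q (claim 3)
    mq = (1 + (1 - t) * (m - 1)) % n       # mq = 1 mod p, mq = m mod q (claim 3)
    # index = bit(dp) + 2*bit(dq): neither -> 1, dp only -> mp, dq only -> mq, both -> m
    multiplier = (1, mp, mq, m % n)
    acc = 1
    for i in range(max(dp.bit_length(), dq.bit_length()) - 1, -1, -1):
        acc = acc * acc % n
        sel = ((dp >> i) & 1) | (((dq >> i) & 1) << 1)
        acc = acc * multiplier[sel] % n    # exactly one multiply per bit, whatever the bits
    return acc


if __name__ == "__main__":
    good = naive_crt(M, D, P, Q)
    bad = naive_crt(M, D, P, Q, fault_sq=True)
    print("naive CRT correct:", good == pow(M, D, N))
    print("factor recovered from faulty signature:", bellcore_factor(M, bad, N, E))
    print("one-time CRT correct:", one_time_crt_exp(M, D, P, Q) == pow(M, D, N))
```

The gcd works on the naive version because the faulty value still satisfies S'^e ≡ m (mod p). In the one-pass loop a fault on the accumulator disturbs both residues at once, which is the property the abstract relies on; whether that closes every fault model for a given implementation is a separate analysis the page does not make.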

Publication date: 06-09-2018

ENCRYPTION PROCESSING APPARATUS AND ENCRYPTION PROCESSING METHOD

Number: US20180254902A1
Author: Yamada Shinya

An apparatus computing scalar multiplication of a point on an elliptic curve by a scalar value includes an estimation unit configured to estimate a pre-computation amount based on the scalar value, a pre-computation unit configured to perform pre-computation based on the point on the elliptic curve by using the estimated pre-computation amount, a generating unit configured to generate an internal representation of the scalar value by using the estimated pre-computation amount, and a computation unit configured to output a result of the scalar multiplication of the point based on the result of the pre-computation and the internal representation.

1. An apparatus for computing scalar multiplication of a point on an elliptic curve by a scalar value, the apparatus comprising:
   an estimation unit configured to estimate a pre-computation amount based on the scalar value;
   a pre-computation unit configured to perform pre-computation based on the point on the elliptic curve by using the estimated pre-computation amount;
   a generating unit configured to generate an internal representation of the scalar value by using the estimated pre-computation amount; and
   a computation unit configured to output a result of the scalar multiplication of the point on the elliptic curve based on the result of the pre-computation and the generated internal representation.
2. The apparatus according to claim 1, wherein the estimation unit estimates the pre-computation amount based on a number of non-zero digits of the internal representation for each of different pre-computation amounts.
3. The apparatus according to claim 1, wherein the estimation unit estimates the pre-computation amount based on a sum of the number of non-zero digits and the pre-computation amount of the pre-computation unit.
4. The apparatus according to claim 1, wherein the estimation unit estimates, as the pre-computation amount, a pre-computation amount producing a minimum sum of the number of non-zero digits ...
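Added example, not the patent's or Canon's code: the estimation step of claims 2 to 4 realised with width-w NAF as the "internal representation" (an assumption; the abstract does not name the recoding). For each candidate window width the estimator counts the non-zero digits of the recoded scalar, adds the number of odd multiples that width would force it to precompute, and picks the width with the smallest sum; the scalar multiplication then builds exactly that table. The curve is secp256k1 (public parameters), the arithmetic is plain affine with no side-channel hardening, and the scalar in the usage is constructed.

```python
# Constructed example on secp256k1: y^2 = x^3 + 7 over F_p. Affine arithmetic, illustration only.
P_FIELD = 2**256 - 2**32 - 977
A_COEF = 0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_FIELD == 0:
            return None
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def ec_neg(p):
    return None if p is None else (p[0], (-p[1]) % P_FIELD)


def wnaf(k, w):
    """Width-w non-adjacent form of k, least significant digit first (the internal representation).
    Digits are 0 or odd with |d| < 2^(w-1), and no two adjacent digits are non-zero."""
    digits = []
    while k > 0:
        if k & 1:
            d = k % (1 << w)
            if d >= 1 << (w - 1):
                d -= 1 << w
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits


def precomp_amount(w):
    """Odd multiples 3P, 5P, ..., (2^(w-1)-1)P that width w forces the table to hold."""
    return (1 << (w - 2)) - 1


def estimate_cost(k, w):
    """Claim-3 style model: non-zero digits (main-loop additions) plus pre-computation amount."""
    nonzero = sum(1 for d in wnaf(k, w) if d)
    return nonzero + precomp_amount(w)


def choose_window(k, widths=range(2, 9)):
    """Claim-4 style choice: the width whose estimated sum is minimal for this scalar."""
    return min(widths, key=lambda w: estimate_cost(k, w))


def scalar_mult(k, point, w=None):
    """Windowed-NAF scalar multiplication using the estimated pre-computation amount."""
    if w is None:
        w = choose_window(k)
    table = {1: point}
    twice = ec_add(point, point)
    for j in range(3, 1 << (w - 1), 2):
        table[j] = ec_add(table[j - 2], twice)       # precomp_amount(w) additions in total
    acc = None
    for d in reversed(wnaf(k, w)):
        acc = ec_add(acc, acc)
        if d > 0:
            acc = ec_add(acc, table[d])
        elif d < 0:
            acc = ec_add(acc, ec_neg(table[-d]))
    return acc


def double_and_add(k, point):
    """Plain left-to-right reference, used only to check scalar_mult."""
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, point)
    return acc
```

For a 256-bit scalar the sum is typically minimised around w = 5 or 6; the point of estimating per scalar rather than fixing w is visible on scalars with few non-zero digits, where a small table wins outright.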

Publication date: 13-09-2018

Method for electronic signing of a document with a predetermined secret key

Number: US20180262343A1
Assignee: Idemia Identity and Security France SAS

The present invention relates to a method for electronic signing of a document with a predetermined secret key (x), the method being characterized in that it comprises the implementation of the steps of: (a) drawing a pair formed by a first internal state (s1_i) and a white-box implementation (WB_i) of a modular arithmetic operation, from among a set of predetermined pairs ({(s1_i, WB_i)}, i ∈ [0, n−1]), each for one nonce (k_i), said first internal state (s1_i) being a function of the nonce (k_i) and said modular arithmetic operation being a function of the first internal state (s1_i), of the nonce (k_i) and of the secret key (x); (b) determining a second internal state (s2_i) by applying said drawn white-box implementation (WB_i) to a condensate (hash) of the document obtained via a given hash function; (c) generating an electronic signature of the document from the first internal state (s1_i) of the drawn pair and from the second determined internal state (s2_i), and deleting the drawn pair from said set of pairs ({(s1_i, WB_i)}, i ∈ [0, n−1]).
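Added worked example, not the patent's or Idemia's code: the three steps above instantiated with DSA-style modular arithmetic, which is an assumption, since the abstract names no signature algorithm. Each precomputed pair holds the first internal state s1_i = (g^k_i mod p) mod q and a callable standing in for WB_i that computes s2_i = k_i^(-1)·(H(doc) + x·s1_i) mod q; drawing a pair removes it from the set. The toy group (p = 10007, q = 5003, g = 4), the key and the documents are constructed. The last function shows why the deletion in step (c) is not optional: one pair used on two documents gives away the secret key.

```python
import hashlib
import secrets

# Constructed toy DSA-style group: p = 2q + 1 with q prime, g of order q. Toy size only.
P, Q, G = 10007, 5003, 4


def h_int(document: bytes) -> int:
    """Condensate of the document, reduced into the exponent group."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % Q


def keygen(x=None):
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def precompute_pairs(x, count, nonces=None):
    """Build the set {(s1_i, WB_i)}. Each WB_i closes over k_i^-1 and x, so signing later
    needs neither the nonce nor the key in the clear. A closure stands in for the
    white-box implementation; `nonces` lets a test fix k_i, otherwise they are random."""
    pool = []
    draw = iter(nonces) if nonces is not None else None
    while len(pool) < count:
        k = next(draw) if draw is not None else secrets.randbelow(Q - 1) + 1
        s1 = pow(G, k, P) % Q              # first internal state: a function of k_i only
        if s1 == 0:
            continue
        k_inv = pow(k, -1, Q)

        def wb(h, _k_inv=k_inv, _s1=s1):   # function of s1_i, k_i and x
            return (_k_inv * (h + x * _s1)) % Q

        pool.append((s1, wb))
    return pool


def sign_with_pair(pair, document):
    s1, wb = pair
    return (s1, wb(h_int(document)))


def sign(pool, document):
    """Draw a pair, use it once, delete it (step c). A degenerate pair is discarded, not reused."""
    while pool:
        pair = pool.pop()                  # removal is the security-critical part
        s1, s2 = sign_with_pair(pair, document)
        if s2 != 0:
            return (s1, s2)
    raise RuntimeError("pair set exhausted; precompute a new set")


def verify(y, document, signature):
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    h = h_int(document)
    v = (pow(G, h * w % Q, P) * pow(y, r * w % Q, P)) % P % Q
    return v == r


def recover_key_from_reuse(doc_a, sig_a, doc_b, sig_b):
    """Same pair on two documents: s_a - s_b = k^-1 (h_a - h_b) mod q reveals k,
    then x = (s_a k - h_a) / r mod q. Deleting the pair is what prevents this."""
    r, s_a = sig_a
    _, s_b = sig_b
    h_a, h_b = h_int(doc_a), h_int(doc_b)
    k = (h_a - h_b) * pow((s_a - s_b) % Q, -1, Q) % Q
    return (s_a * k - h_a) * pow(r, -1, Q) % Q
```

The white-box property of the real WB_i (that x and k_i cannot be read out of the implementation) is not something a Python closure provides; what the example does show is the data flow the abstract describes and the reason the set must shrink by one on every signature.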

Publication date: 01-10-2015

SERIAL MULTIPLY ACCUMULATOR FOR GALOIS FIELD

Number: US20150277857A1
Authors: HUNG Jui Hui, YEN Chih Nan
Assignee: Storart Technology Co.,Ltd.

A serial multiply accumulator (MAC) for operation of two multiplications and one addition over a Galois field is disclosed. The MAC includes a first element feeding circuit, a second element feeding circuit, a number of first calculating circuits and a second calculating circuit. By re-arranging the circuit design, many elements used in the conventional MAC, such as XOR gates and registers, can be saved. The present invention has the advantage of lower area cost.

1. A serial multiply accumulator for operation of two multiplications and one addition over a Galois field, comprising:
   a first element feeding circuit for sequentially outputting first elements in the Galois field per clock cycle;
   a second element feeding circuit for sequentially outputting second elements in the Galois field per clock cycle;
   a plurality of first calculating circuits, linked successively from upstream to downstream, each receiving the first element, the second element, one third element, and one fourth element per clock cycle, receiving an operating data from an upstream-linked first calculating circuit, optionally receiving a feedback data, producing two products by multiplying the first element by the third element and multiplying the second element by the fourth element, and outputting another operating data downstream, the outputted operating data being available from adding one product to the other, adding the products to the received operating data, adding the products to the feedback data, or adding the products and the received operating data to the feedback data, wherein the first calculating circuit arranged most upstream doesn't receive the operating data from another first calculating circuit; and
   a second calculating circuit, linked to the first calculating circuit arranged the most downstream, for receiving the first element, the second element, one third element, and one fourth element per clock cycle, receiving the outputted operating data from the linked first calculating circuit, ...

Publication date: 22-09-2016

MULTIPLIER PIPELINING OPTIMIZATION WITH A BIT FOLDING CORRECTION

Number: US20160274866A1
Assignee: Intel Corporation

One embodiment provides a system. The system includes a register to store an operand; a multiplier; and optimizer logic to initiate a square/multiply stage to operate on the operand, initiate a reduction stage prior to completion of the square/multiply stage, and determine whether a carry propagation has occurred.

1. A system comprising:
   a register to store an operand;
   a multiplier; and
   optimizer logic to initiate a square/multiply stage to operate on the operand, initiate a reduction stage prior to completion of the square/multiply stage, and determine whether a carry propagation has occurred.
2. The system of claim 1, wherein the optimizer logic is further to perform a bit folding correction of a result of the reduction stage if the carry propagation has occurred.
3. The system of claim 1, wherein the optimizer logic is further to reorder provision of a plurality of elements of the operand to the multiplier, the reordering to reduce a likelihood that the carry propagation will occur.
4. The system of claim 1, wherein the multiplier is to perform a plurality of pipelined multiplications of a plurality of elements of the operand.
5. The system of claim 1, further comprising modular exponentiation (ME) logic and a parameter store, the ME logic to precompute a constant parameter m′ and to store the constant parameter in the parameter store.
6. The system of claim 1, wherein the operand is related to modular exponentiation.
7. The system of claim 1, wherein the reduction stage is related to a modified Barrett reduction.
8. A method comprising:
   initiating, by optimizer logic, a square/multiply stage to operate on an operand;
   initiating, by the optimizer logic, a reduction stage prior to completion of the square/multiply stage; and
   determining, by the optimizer logic, whether a carry propagation has occurred.
9. The method of claim 8, further comprising: performing, by the optimizer logic, a bit folding correction of a result of the reduction stage if the carry ...
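Added example, not Intel's design: the reduction stage that claims 5 and 7 refer to is a Barrett reduction driven by a constant precomputed once per modulus. The Python below is the unmodified textbook form (HAC algorithm 14.42 in base 2): μ = ⌊2^(2k)/m⌋ is the precomputed parameter, the estimated quotient is off by at most two, and the loop at the end is the correction step whose cost the hardware tries to hide. Square-and-multiply is built on it so that every intermediate value feeding the reducer is a product below m². The pipelining overlap and carry-propagation detection of the patent are hardware behaviour and are not modelled; the modulus and exponent in the test are constructed.

```python
class BarrettModulus:
    """Modular reduction with a per-modulus precomputed constant (Barrett).
    Valid for 0 <= x < m^2, i.e. exactly what one square or multiply produces."""

    def __init__(self, m):
        if m < 3 or m % 2 == 0:
            raise ValueError("odd modulus >= 3 expected")
        self.m = m
        self.k = m.bit_length()
        self.mu = (1 << (2 * self.k)) // m   # the constant parameter, computed once
        self.last_corrections = 0            # fix-up subtractions in the last reduce()

    def reduce(self, x):
        if not 0 <= x < self.m * self.m:
            raise ValueError("Barrett precondition violated: need 0 <= x < m^2")
        q1 = x >> (self.k - 1)
        q3 = (q1 * self.mu) >> (self.k + 1)  # quotient estimate, true quotient minus 0, 1 or 2
        r = x - q3 * self.m                  # therefore 0 <= r < 3m
        self.last_corrections = 0
        while r >= self.m:                   # at most two corrections
            r -= self.m
            self.last_corrections += 1
        return r

    def mulmod(self, a, b):
        return self.reduce(a * b)

    def powmod(self, base, exp):
        """Left-to-right square-and-multiply using only reduce() for the modular steps."""
        acc = 1
        base %= self.m
        for bit in bin(exp)[2:]:
            acc = self.mulmod(acc, acc)
            if bit == "1":
                acc = self.mulmod(acc, base)
        return acc


def max_corrections(bm, samples):
    """Largest number of fix-up subtractions seen over a batch of inputs (never above 2)."""
    worst = 0
    for x in samples:
        bm.reduce(x)
        worst = max(worst, bm.last_corrections)
    return worst
```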

Publication date: 13-08-2020

Cryptosystem and method using isogeny-based computations to reduce a memory footprint

Number: US20200259648A1
Author: Brian Craig KOZIEL
Assignee: PQSecure Technologies LLC

A computer processing system and method for reducing memory footprint that includes initiating, through at least one computer processor, a cryptography session utilizing an -degree isogeny arithmetic computation having chained computations therein. The cryptography session includes implementing a first iteration cycle, of a plurality of iteration cycles, and implementing a remaining amount of the plurality of iteration cycles, each of the plurality of iteration cycles computing isogenies using a compressed Z value to complete the -degree isogeny arithmetic computation. The first iteration cycle includes individually computing a plurality of sequentially occurring pivot points within the chained computations, implementing a Co-Z algorithm within the plurality of sequentially occurring pivot points to compute and store the compressed Z value on one of the plurality of temporary registers, and computing a first isogeny of the

Publication date: 08-10-2015

Elliptic curve point multiplication procedure resistant to side-channel information leakage

Number: US20150288520A1
Assignee: Qualcomm Inc

One feature pertains to elliptic curve (EC) point multiplication for use in generating digital signatures. In one aspect, a scalar multiplier (k) of a base point (P) of order (n) is selected on an elliptic curve for use with EC point multiplication. An integer value (r) is then randomly generated from within a range of values constrained so that, regardless of the particular value of (r) obtained within the range, EC point multiplication procedures performed using the scalar multiplier (k) summed with the product of the integer multiplier (r) and the order (n) consume device resources independent of the value of the scalar multiplier (k), thereby reducing or eliminating side-channel leakage. This may be achieved by determining the range of values for r so that the bit position of the most significant bit of k + (r*n) will be even and fixed for a particular elliptic curve.
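Added worked example, not Qualcomm's code: one concrete way to constrain the range of r so that k + r·n always has its most significant bit in the same position. With B = bitlen(n) + extra and r drawn from [⌈2^B/n⌉, ⌊2^(B+1)/n⌋ − 1], every blinded scalar lies in [2^B, 2^(B+1)), so a bit-serial point-multiplication loop runs B + 1 iterations whatever k is, and because P has order n, (k + r·n)·P = k·P. The group law plays no part in the argument, so the check uses a constructed subgroup of prime order n = 5003 in Z*_10007 with exponentiation standing in for point multiplication; the value of extra and the range formula are this example's, not the patent's.

```python
import secrets

# Constructed toy group: g = 4 generates a subgroup of prime order n = 5003 in Z_p^*, p = 10007.
# Any group of known order n works identically, an elliptic-curve group included.
P_MOD, N_ORDER, G_GEN = 10007, 5003, 4


def blinding_range(n, extra_bits=64):
    """Range [r_min, r_max] such that k + r*n has its MSB at bit B for every 0 <= k < n."""
    B = n.bit_length() + extra_bits
    r_min = -(-(1 << B) // n)             # ceil(2^B / n): guarantees r*n >= 2^B
    r_max = ((1 << (B + 1)) // n) - 1     # (r+1)*n <= 2^(B+1): guarantees r*n + k < 2^(B+1)
    if r_max < r_min:
        raise ValueError("extra_bits too small for this order")
    return B, r_min, r_max


def blind_scalar(k, n, extra_bits=64, r=None):
    """Return k' = k + r*n of fixed bit length; r is random unless supplied (for tests)."""
    if not 0 <= k < n:
        raise ValueError("scalar out of range")
    B, r_min, r_max = blinding_range(n, extra_bits)
    if r is None:
        r = r_min + secrets.randbelow(r_max - r_min + 1)
    if not r_min <= r <= r_max:
        raise ValueError("r outside the constrained range")
    k_blind = k + r * n
    assert k_blind.bit_length() == B + 1   # MSB position fixed by construction
    return k_blind


def scalar_mul_toy(k, base=G_GEN):
    """Stand-in for k*P: left-to-right exponentiation, one loop trip per bit of k."""
    acc = 1
    for bit in bin(k)[2:]:
        acc = acc * acc % P_MOD
        if bit == "1":
            acc = acc * base % P_MOD
    return acc


def loop_iterations(k):
    """What a bit-serial multiplication loop exposes to a side channel: its trip count."""
    return k.bit_length()
```

Without blinding, k = 1 and k = n − 1 drive loops of 1 and 13 iterations on this group; with it, both run 78. The cost is a longer scalar, here 64 extra doublings, which is the trade the abstract describes.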

Publication date: 28-09-2017

System and method for providing defence to a cryptographic device against side-channel attacks targeting the extended euclidean algorithm during decryption operations

Number: US20170279600A1
Assignee: GEMALTO SA

A system, method and computer-readable storage medium for decrypting a code c using a modified Extended Euclidean Algorithm (EEA) having an iteration loop independent of the Hamming weight of inputs to the EEA and performing a fixed number of operations regardless of the inputs to the EEA, thereby protecting a cryptographic device performing the decryption from side-channel attacks.
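Added example, not Gemalto's algorithm (the page does not disclose the patent's modification): a binary extended Euclidean inversion whose loop runs exactly 2·bitlen(p) iterations for every input, which is the property the abstract describes, beside the textbook version whose trip count depends on the operands. Each iteration halves u or v (after a subtraction when both are odd), so u·v at least halves per step and v reaches 0 within 2·bitlen(p) steps; the remaining iterations are dummy halvings of a zero v. The invariants x1·a ≡ u and x2·a ≡ v (mod p) are what make the answer come out of x1. Python cannot promise constant time, so the four branches mark where a hardened implementation would use masked selects.

```python
def _half_mod(x, p):
    """x / 2 mod p for odd p: shift if even, add p first if odd; result stays below p."""
    return x >> 1 if (x & 1) == 0 else (x + p) >> 1


def inverse_fixed_iterations(a, p):
    """a^-1 mod p (p odd, gcd(a, p) = 1, 0 < a < p) in exactly 2 * bitlen(p) loop trips.
    Invariants: x1 * a == u (mod p) and x2 * a == v (mod p)."""
    if p % 2 == 0 or not 0 < a < p:
        raise ValueError("need odd p and 0 < a < p")
    u, v, x1, x2 = a, p, 1, 0
    for _ in range(2 * p.bit_length()):              # trip count depends on p only
        if (u & 1) == 0:                             # u even: halve u
            u, x1 = u >> 1, _half_mod(x1, p)
        elif (v & 1) == 0:                           # v even (also the dummy case once v == 0)
            v, x2 = v >> 1, _half_mod(x2, p)
        elif u > v:                                  # both odd: the difference is even
            u, x1 = (u - v) >> 1, _half_mod((x1 - x2) % p, p)
        else:
            v, x2 = (v - u) >> 1, _half_mod((x2 - x1) % p, p)
    assert u == 1 and v == 0                         # gcd(a, p) = 1 ends here, always
    return x1 % p


def inverse_variable_iterations(a, p):
    """Textbook binary EEA that stops as soon as it can. Returns (inverse, iterations);
    the trip count is input-dependent, which is the side channel at issue."""
    u, v, x1, x2 = a, p, 1, 0
    steps = 0
    while u != 1 and v != 1:
        while (u & 1) == 0:
            u, x1, steps = u >> 1, _half_mod(x1, p), steps + 1
        while (v & 1) == 0:
            v, x2, steps = v >> 1, _half_mod(x2, p), steps + 1
        if u >= v:
            u, x1 = u - v, (x1 - x2) % p
        else:
            v, x2 = v - u, (x2 - x1) % p
        steps += 1
    return (x1 % p if u == 1 else x2 % p), steps
```

Fixing the trip count is necessary but not sufficient: each branch above still does different work, so a real implementation also has to make the four cases indistinguishable, for instance by computing all candidate values and selecting with masks.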

Publication date: 20-08-2020

PERFORM CRYPTOGRAPHIC COMPUTATION SCALAR MULTIPLY INSTRUCTION

Number: US20200264843A1

A single architected instruction to perform scalar multiplication for cryptographic operations is obtained. The instruction is executed, and the executing includes determining a scalar multiply function, of a plurality of scalar multiply functions supported by the instruction, to be performed. Input for the scalar multiply function is obtained, and the input includes at least one source component and a scalar value. The scalar multiply function is performed using the input to provide an output to be used in a cryptographic operation.

1. A computer program product for facilitating processing within a computing environment, the computer program product comprising:
   a computer readable storage medium readable by a processing circuit and storing instructions for performing a method comprising:
      obtaining an instruction, the instruction being a single architected instruction; and
      executing the instruction, the executing comprising:
         determining a scalar multiply function of a plurality of scalar multiply functions supported by the instruction to be performed;
         obtaining input for the scalar multiply function to be performed, the input comprising at least one source component and a scalar value; and
         performing the scalar multiply function using the input to provide an output to be used in a cryptographic operation.
2. The computer program product of claim 1, wherein the performing the scalar multiply function comprises performing scalar multiplication of a point on an elliptic curve, the point specified by the at least one source component.
3. The computer program product of claim 2, wherein the point on the elliptic curve is specified by a first source component of the at least one source component and a second source component of the at least one source component, and wherein the first source component and the second source component are input to the instruction via a parameter block located using a register associated with the instruction.
4. The ...

Publication date: 20-08-2020

A COMPUTATION DEVICE AND METHOD

Number: US20200266970A1

Some embodiments are directed to an electronic computation device arranged for obfuscated execution of a multiplication. The device comprises a storage arranged for storing multiple variables used in the execution of an arithmetic operation, a variable (x; y; z) of the multiple variables being represented as multiple multiplicative shares (X = (x_0, x_1, ..., x_{m−1}); Y = (y_0, y_1, ..., y_{m−1})), said multiplicative shares being represented in the storage as multiple additive shares (X_i = (x_{i,0}, x_{i,1}, ..., x_{i,n−1}); Y_i = (y_{i,0}, y_{i,1}, ..., y_{i,n−1})).

1. A computation device arranged for obfuscated execution of a multiplication, comprising:
   a memory circuit, wherein the memory circuit is arranged to store a plurality of variables,
      wherein each variable (x; y) of the plurality of variables is represented as one or more multiplicative shares (X = (x_0, x_1, ..., x_{m−1}); Y = (y_0, y_1, ..., y_{m−1})),
      wherein the multiplicative shares are represented as a plurality of additive shares (X_i = (x_{i,0}, x_{i,1}, ..., x_{i,n−1}); Y_i = (y_{i,0}, y_{i,1}, ..., y_{i,n−1}));
   a processor circuit, wherein the processor circuit is configured to multiply a first variable of the plurality of variables with a second variable of the plurality of variables to obtain a multiplication result (z = xy), the multiplying comprising:
      for each multiplicative share of the first variable, computing a convolution (Z_i = X_i * Y_i) of the additive shares representing the multiplicative share of the first variable (X_i) and the additive shares representing the corresponding multiplicative share of the second variable (Y_i),
      storing the result of the convolutions as a plurality of additive shares (Z_i) in the memory circuit as a representation in additive shares of at least one multiplicative share of the multiplication result (z).
2. The computation device as in claim 1, further comprising a communication interface, wherein the ...
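Added example, not the patent's code: the share layout above in Python over a prime field, which is an assumption since the abstract fixes no ring. A variable is stored as m multiplicative shares, each of which exists only as n additive shares, so neither x nor any x_i is ever materialised in memory. Multiplying two such variables is done share by share as the convolution of the additive-share vectors, which is the sum-of-products identity (Σ_j x_{i,j})(Σ_k y_{i,k}) = Σ_t Σ_{j+k=t} x_{i,j}·y_{i,k}; each convolution yields 2n − 1 additive shares of the product share z_i. The field and the sample values are constructed.

```python
import secrets

FIELD = 2**61 - 1          # constructed prime field for the illustration


def additive_shares(value, n):
    """Split value into n additive shares summing to value mod FIELD."""
    shares = [secrets.randbelow(FIELD) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % FIELD)
    return shares


def multiplicative_shares(value, m):
    """Split a nonzero value into m multiplicative shares whose product is value."""
    if value % FIELD == 0:
        raise ValueError("0 has no multiplicative sharing")
    shares = [secrets.randbelow(FIELD - 1) + 1 for _ in range(m - 1)]
    prod = 1
    for s in shares:
        prod = prod * s % FIELD
    shares.append(value * pow(prod, -1, FIELD) % FIELD)
    return shares


def represent(value, m, n):
    """Obfuscated storage: X = (X_0, ..., X_{m-1}), each X_i a vector of n additive shares."""
    return [additive_shares(x_i, n) for x_i in multiplicative_shares(value, m)]


def convolve(xs, ys):
    """Additive shares of (sum xs) * (sum ys): Z[t] = sum over j + k == t of xs[j] * ys[k]."""
    out = [0] * (len(xs) + len(ys) - 1)
    for j, xj in enumerate(xs):
        for k, yk in enumerate(ys):
            out[j + k] = (out[j + k] + xj * yk) % FIELD
    return out


def multiply_represented(X, Y):
    """Share-wise product Z_i = X_i * Y_i (convolution); x, y, x_i, y_i are never formed."""
    if len(X) != len(Y):
        raise ValueError("both variables must use the same number of multiplicative shares")
    return [convolve(X_i, Y_i) for X_i, Y_i in zip(X, Y)]


def reconstruct(X):
    """Only for checking: product over i of (sum over j of x_{i,j})."""
    value = 1
    for X_i in X:
        value = value * (sum(X_i) % FIELD) % FIELD
    return value
```

The share count grows with every multiplication (n to 2n − 1), so a real device re-randomises or compresses the additive vectors between operations; that step is not shown here because the page does not describe it.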

Publication date: 20-08-2020

SYSTEMS AND METHODS FOR OPERATING SECURE ELLIPTIC CURVE CRYPTOSYSTEMS

Number: US20200266986A1
Assignee: MAXIM INTEGRATED PRODUCTS, INC.

Various embodiments of the invention implement countermeasures designed to withstand attacks by potential intruders who seek partial or full retrieval of elliptic curve secrets by using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks, and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, caused by the detectability of scalar values from information leaked during regular operation flow that would otherwise compromise system security. In certain embodiments, system immunity is maintained by performing elliptic scalar operations that use secret-independent operation flow in a secure Elliptic Curve Cryptosystem.

1. A secure Elliptic Curve Cryptosystem (ECC) for performing elliptic scalar operations, the ECC comprising:
   a secure microcontroller that is embedded in a computing system, the secure microcontroller comprising a cryptography circuit configured to implement a countermeasure and prevent secret scalar leakage; and
      receiving an elliptic point, P/2, and the secret scalar, k;
      initializing a value Q to the elliptic point that does not include an initial value at an infinity point;
      processing the secret key bits of the secret scalar in sequential steps, wherein processing comprises doubling the value Q, wherein each step comprises performing elliptic operations comprising at least one of elliptical point subtraction or addition;
      performing an elliptical point subtraction by subtracting the elliptic point, P/2, from the value Q to compute a product kP; and
      determining a difference between the value Q and the elliptic point outside of a balanced loop configuration to protect a least ...

Publication date: 16-12-2021

AGGREGATE GHASH-BASED MESSAGE AUTHENTICATION CODE (MAC) OVER MULTIPLE CACHELINES WITH INCREMENTAL UPDATES

Number: US20210390024A1
Assignee: Intel Corporation

Embodiments are directed to an aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks; generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit; generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line; encode the first data blocks and the metadata block; encrypt the aggregate GHASH as an aggregate message authentication code (AMAC); provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line; and provide the AMAC for storage on a device separate from the memory module.

1. A system comprising:
   a controller comprising circuitry, the controller to:
      generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks;
      generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit;
      generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line;
      encode the first data blocks and the metadata block;
      encrypt the aggregate GHASH as an aggregate message authentication code (AMAC);
      provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line; and
      provide the AMAC for storage on the memory module or on a device separate from the memory module.
2. The system of claim 1, wherein generating the aggregate GHASH comprises multiplication of the plurality of first data blocks in a Galois Field with secret ...
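Added example (not Intel's implementation): what "aggregate GHASH over a cacheline set with incremental updates" means arithmetically. GHASH is a polynomial in the secret H over GF(2^128), so the aggregate over N blocks is Σ_j b_j·H^(N−j); since it is linear in the blocks, rewriting one block changes the aggregate by (old ⊕ new)·H^(N−j), and the controller can update the stored value without re-reading the other lines. The multiplication follows the bit order of NIST SP 800-38D; turning the aggregate into the AMAC is shown as an XOR with a one-block pad, an assumption, because the page does not say which cipher encrypts it. The cachelines, H and the pad are constructed.

```python
BLOCK = 16                       # 128-bit GHASH block
R_POLY = 0xE1 << 120             # reduction constant of GF(2^128) in GCM's bit order
ONE = 1 << 127                   # the field element 1 in that bit order (bit 0 is the MSB)


def gf128_mul(x, y):
    """Multiplication in GF(2^128) as in NIST SP 800-38D, Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R_POLY if v & 1 else v >> 1
    return z


def blocks_of(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 16-byte blocks")
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def ghash(h, blocks):
    """Horner form of sum_j b_j * H^(N-j) over the block sequence."""
    acc = 0
    for b in blocks:
        acc = gf128_mul(acc ^ b, h)
    return acc


def aggregate_ghash(h, cachelines):
    """One GHASH over the concatenation of every cacheline in the set."""
    return ghash(h, [b for line in cachelines for b in blocks_of(line)])


def update_block_delta(h, total_blocks, position, old_block, new_block):
    """Change to the aggregate when block `position` (0-based over the set) goes old -> new."""
    delta = old_block ^ new_block
    h_pow = ONE
    for _ in range(total_blocks - position):       # that block's exponent of H
        h_pow = gf128_mul(h_pow, h)
    return gf128_mul(delta, h_pow)


def make_amac(h, amac_pad, cachelines):
    """AMAC = aggregate GHASH encrypted under a one-block pad (assumed construction)."""
    return aggregate_ghash(h, cachelines) ^ amac_pad


def incremental_update(h, amac_pad, old_amac, total_blocks, position, old_block, new_block):
    """Undo the pad, apply the delta for the one changed block, re-apply the pad."""
    aggregate = old_amac ^ amac_pad
    aggregate ^= update_block_delta(h, total_blocks, position, old_block, new_block)
    return aggregate ^ amac_pad
```

The linearity that makes the incremental update cheap is also why the aggregate must be encrypted (or keyed some other way) before it leaves the controller: an attacker who can see it in the clear and knows H can adjust it for any edit exactly as `incremental_update` does.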

Publication date: 16-12-2021

Exponent splitting for cryptographic operations

Number: US20210391975A1
Author: Michael Tunstall
Assignee: Cryptography Research Inc

A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value.
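Added worked example, not Cryptography Research's code and not the patent's equations (the page gives only their shape): an exponentiation under an XOR-split exponent d = d1 ⊕ d2 arranged the way this abstract and the fuller claim text of the same family at the top of this page describe it. Per bit, one register is updated from the running value and the first share (acc²·m^(d1 bit)), the other with the opposite choice (acc²·m^(1 − d1 bit)), and the bit of the second share selects which register survives; the effective bit d1_i ⊕ d2_i is applied without ever being computed, and a multiply happens on both paths every iteration. Python does not give constant time; the masked select shows the intended shape. The modulus, base and exponent are constructed.

```python
import secrets

# Constructed parameters: toy modulus, base and secret exponent; real RSA uses 2048+ bits.
N_MOD = (2**89 - 1) * (2**61 - 1)      # product of two Mersenne primes
BASE = 0x5EED5EED5EED
EXP_BITS = 150


def split_exponent(d, nbits):
    """XOR-split d into two shares; either share alone is independent of d."""
    d2 = secrets.randbits(nbits)
    d1 = d ^ d2
    return d1, d2


def ct_select(bit, if_zero, if_one):
    """Branch-free select for non-negative ints: the mask is all-ones when bit == 1."""
    mask = -bit                          # 0 -> 0, 1 -> -1 (all ones in two's complement)
    return (if_one & mask) | (if_zero & ~mask)


def exp_from_shares(m, d1, d2, n, nbits):
    """m^(d1 XOR d2) mod n without ever forming d1 XOR d2 or any of its bits.
    Per bit: r0 = acc^2 * m^(d1_i), r1 = acc^2 * m^(1 - d1_i); d2_i picks the register."""
    m = m % n
    acc = 1
    for i in range(nbits - 1, -1, -1):
        b1 = (d1 >> i) & 1
        b2 = (d2 >> i) & 1
        sq = acc * acc % n
        r0 = sq * ct_select(b1, 1, m) % n        # effective bit is b1 when d2_i == 0
        r1 = sq * ct_select(b1, m, 1) % n        # effective bit is 1 - b1 when d2_i == 1
        acc = ct_select(b2, r0, r1)              # both registers computed, one kept
    return acc


def exp_with_split(m, d, n, nbits=EXP_BITS):
    """Caller-side view: split the exponent, then exponentiate from the shares."""
    d1, d2 = split_exponent(d, nbits)
    return exp_from_shares(m, d1, d2, n, nbits)
```

Because d2 is fresh for every call, the sequence of register choices differs from run to run even for the same d, which is what denies a simple-power-analysis trace a stable pattern to read; the multiply-by-one on the r0 or r1 path is a real multiplication, not a skipped step.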

Publication date: 27-08-2020

TECHNOLOGIES FOR PERFORMING COLUMN ARCHITECTURE-AWARE SCRAMBLING

Number: US20200272340A1

Technologies for scrambling functions in a column-addressable memory architecture include a device having a memory and circuitry. The memory includes a matrix storing individually addressable bit data, and the matrix is formed by rows and columns. The circuitry is to receive a request to perform a write operation of one or more bit values to one of the columns. The circuitry is further to determine a scrambler state at each location of the column, the location corresponding to a respective row and column index. The scrambler state is indicative of a function used to determine a value at the respective column location. Each of the bit values is scrambled as a function of the scrambler state for the respective column location and written thereto.

1. A device comprising:
   a memory comprising a matrix storing individually addressable bit data, the matrix formed by a plurality of rows and a plurality of columns; and
   circuitry connected to the memory, wherein the circuitry is to:
      receive a request to perform a write operation of one or more bit values to one of the plurality of columns;
      determine a scrambler state at each location in the one of the plurality of columns, the location corresponding to a respective row and column index of the one of the plurality of columns and the scrambler state being indicative of a pattern used to determine a value at the respective column location; and
      scramble each of the bit values as a function of the scrambler state for the respective column location.
2. The device of claim 1, wherein the circuitry is further to write the scrambled values to each respective column location.
3. The device of claim 2, wherein the circuitry is further to:
   receive a request to perform a read operation on the one of the plurality of columns, the request specifying one or more locations in the one of the plurality of columns;
   determine the scrambler state at each specified location;
   descramble, as a function of the scrambler state, a bit value at each ...

Publication date: 27-08-2020

FINITE-FIELD DIVISION OPERATOR, ELLIPTIC CURVE CRYPTOSYSTEM HAVING FINITE-FIELD DIVISION OPERATOR AND METHOD FOR OPERATING ELLIPTIC CURVE CRYPTOSYSTEM

Number: US20200274710A1

Disclosed herein are a finite-field division operator, an elliptic curve cryptosystem having the finite-field division operator, and a method for operating the elliptic curve cryptosystem. The method for operating an elliptic curve cryptosystem may include setting, by a key setting unit, a length of a key of a cryptographic algorithm; generating, by the key setting unit, first setup information that indicates a number of words corresponding to the key length; and generating, by the key setting unit, second setup information that indicates a number of repetitions of an operation by a finite-field division operator corresponding to the key length.

1. A method for operating an elliptic curve cryptosystem, comprising:
   setting, by a key setting unit, a length of a key of a cryptographic algorithm;
   generating, by the key setting unit, first setup information that indicates a number of words corresponding to the key length; and
   generating, by the key setting unit, second setup information that indicates a number of repetitions of an operation by a finite-field division operator corresponding to the key length.
2. The method of claim 1, wherein:
   the first setup information is transmitted to a first operation device including a coordinate system transformation unit, an elliptic curve point addition unit, and an elliptic curve scalar multiplication unit, and
   the second setup information is transmitted to the finite-field division operator.
3. The method of claim 2, wherein the first operation device is implemented using software.
4. The method of claim 2, wherein the finite-field division operator is implemented using hardware.
5. The method of claim 4, wherein the finite-field division operator comprises:
   multiple registers, each configured to store an initial value and an intermediate calculation value;
   multiple adders/subtractors, each configured to perform finite-field addition or subtraction on output values of the multiple registers;
   multiple multiplexers, each configured to ...

Publication date: 20-10-2016

RSA algorithm acceleration processors, methods, systems, and instructions

Number: US20160308676A1
Assignee: Intel Corp

A processor includes a decode unit to decode an instruction. The instruction indicates a first 64-bit source operand having a first 64-bit value, indicates a second 64-bit source operand having a second 64-bit value, indicates a third 64-bit source operand having a third 64-bit value, and indicates a fourth 64-bit source operand having a fourth 64-bit value. An execution unit is coupled with the decode unit. The execution unit is operable, in response to the instruction, to store a result. The result includes the first 64-bit value multiplied by the second 64-bit value added to the third 64-bit value added to the fourth 64-bit value. The execution unit may store a 64-bit least significant half of the result in a first 64-bit destination operand indicated by the instruction, and store a 64-bit most significant half of the result in a second 64-bit destination operand indicated by the instruction.

Publication date: 10-09-2020

SECURE COMPUTATION APPARATUS, SYSTEM, METHOD AND PROGRAM

Number: US20200287711A1
Assignee: NEC Corporation

A bit-decomposition secure computation apparatus uses r1, r2, and r3 satisfying w = r1 + r2 + r3 mod 2^n as share information of (2, 3) threshold type RSS (Replicated Secret Sharing) stored in a share value storage apparatus, and includes an addition sharing part that sums two values out of the share information by modulo 2^n arithmetic and distributes the sum using (2, 3) type RSS; and a full adder secure computation part that adds the value generated by the addition sharing part (by distributing the sum of the two values) to the share information of the one remaining value other than the two values used by the addition sharing part, for each digit, by using secure computation of a full adder.

1. A secure computation apparatus comprising:
   a share value storage apparatus that stores share values obtained by using (2, 3) threshold type RSS (Replicated Secret Sharing) with modulo 2 to the power of n;
   a decomposed share value storage apparatus that stores a sequence of share values obtained by using (2, 3) threshold type RSS with modulo 2; and
   a bit-decomposition secure computation apparatus including a processor and a memory storing program instructions executable by the processor, wherein
   the processor included in the bit-decomposition secure computation apparatus is configured to, with respect to a value w, use r1, r2, and r3 satisfying w = r1 + r2 + r3 mod 2^n (where mod is a modulo operation, n is an integer of 2 or more, and ^ is a power operator) as share information of (2, 3) threshold type RSS stored in the share value storage apparatus, and execute:
      an addition sharing process that sums two values out of the share information by modulo 2^n arithmetic and distributes the sum using (2, 3) threshold type RSS; and
      a full adder secure computation process that adds a share value of the sum of the two values generated by the addition sharing process to share information of one remaining value ...

Publication date: 27-10-2016

CIRCUITRY AND METHODS FOR IMPLEMENTING GALOIS-FIELD REDUCTION

Number: US20160313978A1
Author: Chu Pohrong Rita

Galois-field reduction circuitry for reducing a Galois-field expansion value, using an irreducible polynomial, includes a plurality of memories, each for storing a respective value derived from the irreducible polynomial and a respective combination of expansion bit values, wherein expansion bits of the expansion value address the plurality of memories to output one or more of the respective values. The Galois-field reduction circuitry also includes exclusive-OR circuitry for combining output of the plurality of memories with in-field bits of said expansion value. There are also a method of operating such Galois-field reduction circuitry to reduce a Galois-field expansion value, a programmable integrated circuit device incorporating the circuitry, a method of performing a Galois-field multiplication operation on such a programmable integrated circuit device, and a method of configuring a programmable integrated circuit device to perform such a Galois-field multiplication operation.

1. Galois-field reduction circuitry for reducing a Galois-field expansion value using an irreducible polynomial, the Galois-field reduction circuitry comprising:
   a plurality of memories, each for storing a respective value derived from said irreducible polynomial and a respective combination of expansion bit values, wherein expansion bits of said expansion value address said plurality of memories to output one or more of said respective values; and
   exclusive-OR circuitry for combining output of said plurality of memories with in-field bits of said expansion value.
2. The Galois-field reduction circuitry of wherein:
   different ranges of said expansion bits address different ones of said plurality of memories to output a plurality of said respective values; and
   said exclusive-OR circuitry comprises:
      first exclusive-OR circuitry for combining said plurality of said respective values with each other, and
      second exclusive-OR circuitry for combining output of said first exclusive-OR circuitry with ...
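Added example serving both the serial Galois-field MAC entry (Storart, above) and the two Galois-field reduction entries (Altera, this one and the continuation below); it is an editor's illustration, not either company's circuit. GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 is assumed. `gf_mul_serial` is the shift-and-add multiply a serial MAC performs one coefficient per clock, and `mac` is the two-products-plus-accumulate of the Storart claim. `gf_mul_tabled` does what the Altera abstract describes: form the full carry-less product, then reduce the expansion bits above x^7 with small lookup memories, each addressed by one range of expansion bits and holding the XOR of the corresponding (x^(8+j) mod f) values, the outputs being XORed together and with the in-field bits (claim 2 of this entry).

```python
M_BITS = 8
POLY = 0x11B                  # x^8 + x^4 + x^3 + x + 1 (AES field); an assumption, not from the patents


def gf_mul_serial(a, b):
    """Bit-serial multiply: shift-and-add with reduction at every step, one bit of b per 'clock'."""
    acc = 0
    for _ in range(M_BITS):
        if b & 1:
            acc ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M_BITS):
            a ^= POLY
    return acc


def mac(a, c, b, d, acc=0):
    """Serial MAC step: acc + a*c + b*d, the two-multiplications-one-addition form."""
    return acc ^ gf_mul_serial(a, c) ^ gf_mul_serial(b, d)


def clmul(a, b):
    """Carry-less product: 2m-1 bits, of which the top m-1 are the expansion bits."""
    out = 0
    for i in range(M_BITS):
        if (b >> i) & 1:
            out ^= a << i
    return out


def build_reduction_memories(ranges):
    """One memory per range [lo, hi) of expansion-bit positions. The entry for an address
    pattern is the XOR of (x^(m+j) mod f) over the set bits j of that pattern, so a single
    lookup reduces the whole range at once."""
    x_pow_mod = []                          # x^(m+j) mod f for j = 0 .. m-2
    v = POLY ^ (1 << M_BITS)                # x^m mod f
    for _ in range(M_BITS - 1):
        x_pow_mod.append(v)
        v <<= 1
        if v & (1 << M_BITS):
            v ^= POLY
    memories = []
    for lo, hi in ranges:
        width = hi - lo
        table = []
        for addr in range(1 << width):
            entry = 0
            for j in range(width):
                if (addr >> j) & 1:
                    entry ^= x_pow_mod[lo + j]
            table.append(entry)
        memories.append((lo, width, table))
    return memories


def gf_mul_tabled(a, b, memories):
    """Carry-less product, then reduction by memory lookups XORed with the in-field bits."""
    product = clmul(a, b)
    in_field = product & ((1 << M_BITS) - 1)
    expansion = product >> M_BITS
    result = in_field
    for lo, width, table in memories:
        addr = (expansion >> lo) & ((1 << width) - 1)
        result ^= table[addr]
    return result


DEFAULT_MEMORIES = build_reduction_memories([(0, 4), (4, 7)])   # two memories: bits 0-3 and 4-6
```

Splitting the seven expansion bits across two memories keeps each table at 16 or 8 entries instead of one 128-entry table, which is the area trade the Altera entries are about; the serial form needs no table at all but spends eight clocks per product, which is the trade the Storart entry is about.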

Publication date: 02-11-2017

CIRCUITRY AND METHODS FOR IMPLEMENTING GALOIS-FIELD REDUCTION

Number: US20170315781A1
Author: Chu Pohrong Rita
Assignee: Altera Corporation

Galois-field reduction circuitry for reducing a Galois-field expansion value using an irreducible polynomial includes a plurality of memories, each storing a respective value derived from the irreducible polynomial and a respective combination of expansion bit values, wherein the expansion bits of the expansion value address the memories to output one or more of the respective values. The circuitry also includes exclusive-OR circuitry for combining the output of the memories with the in-field bits of the expansion value. Also described are a method of operating such circuitry to reduce a Galois-field expansion value, a programmable integrated circuit device incorporating the circuitry, a method of performing a Galois-field multiplication operation on such a device, and a method of configuring a programmable integrated circuit device to perform such a multiplication.

1. A method of performing a Galois-field multiplication operation on two m-bit numbers using an irreducible polynomial, on a programmable integrated circuit device having a plurality of specialized processing blocks, each of said specialized processing blocks comprising a multiplier stage including an adder having carry circuitry and AND-gate circuitry for selectably deactivating said carry circuitry, an input stage upstream of said multiplier stage, said input stage comprising a plurality of memories addressable by inputs of said specialized processing block, and exclusive-OR circuitry for combining output of said plurality of memories with other inputs of said specialized processing block, and a cascade connection from an output of said multiplier stage to another of said specialized processing blocks; said method comprising:
for each potential expansion bit position in a Galois-field expansion value, deriving a respective value from said potential expansion bit position and said ...
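The reduction structure that both of the Galois-field entries above describe, shown in software as an added example (not the patent's circuit and not Altera's code): one table per range of expansion bits, each entry holding the XOR of the per-bit residues x^(m+j) mod f(x), and a final XOR with the in-field bits. The polynomials, the table width and the AES-field sanity check are this example's own choices, and the reference reducer is there only so the tables can be checked against something independent.

```python
# Added example (not the patent's circuit): GF(2^m) multiplication with
# table-driven reduction.  Each table is addressed by a range of expansion bits
# and stores the XOR of the per-bit residues x^(m+j) mod f(x); the table outputs
# are XORed together and with the in-field bits.  `poly`, `m` and `width` are
# this example's own parameters.

def clmul(a: int, b: int) -> int:
    """Carry-less product of two bit-polynomials (an adder with carries disabled)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def reduce_slow(x: int, poly: int, m: int) -> int:
    """Reference reduction: clear the expansion bits one at a time with f(x)."""
    for i in range(x.bit_length() - 1, m - 1, -1):
        if (x >> i) & 1:
            x ^= poly << (i - m)
    return x


def build_tables(poly: int, m: int, width: int):
    """One table per group of `width` expansion bits.

    Expansion bit position m+j (j = 0 .. m-2) has residue x^(m+j) mod f(x), an
    m-bit value.  Entry `addr` of a table is the XOR of the residues of every
    set bit in `addr`, so one lookup resolves `width` expansion bits at once.
    Returns a list of (first_bit, width, table).
    """
    residues = [reduce_slow(1 << (m + j), poly, m) for j in range(m - 1)]
    tables = []
    for start in range(0, m - 1, width):
        bits = residues[start:start + width]
        table = [0] * (1 << len(bits))
        for addr in range(1, len(table)):
            low = addr & -addr                          # lowest set bit of addr
            table[addr] = table[addr ^ low] ^ bits[low.bit_length() - 1]
        tables.append((start, len(bits), table))
    return tables


def reduce_tables(x: int, tables, m: int) -> int:
    """Table-driven reduction of a (2m-1)-bit expansion value to m bits."""
    in_field = x & ((1 << m) - 1)
    expansion = x >> m
    acc = 0
    for start, width, table in tables:
        acc ^= table[(expansion >> start) & ((1 << width) - 1)]
    return in_field ^ acc


def gf_mul(a: int, b: int, poly: int, m: int, tables) -> int:
    """a * b in GF(2^m) defined by `poly` (which must have bit m set)."""
    return reduce_tables(clmul(a, b), tables, m)


# Sanity check on the AES field, f(x) = x^8 + x^4 + x^3 + x + 1 (0x11B).
AES_POLY, AES_M = 0x11B, 8
AES_TABLES = build_tables(AES_POLY, AES_M, 4)

if __name__ == "__main__":
    # 0x53 and 0xCA are multiplicative inverses in the AES field
    print(hex(gf_mul(0x53, 0xCA, AES_POLY, AES_M, AES_TABLES)))
```

Comparing `gf_mul` against `reduce_slow` over many operands is the check worth running whenever reduction tables are generated, because a wrong residue for a single expansion bit corrupts half of all products. In software, table indices derived from secret data are a cache-timing channel; the patent's memories have fixed access latency, which is part of why this layout suits an FPGA block better than a lookup-table implementation in C.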

More
01-10-2020 publication date

HARDWARE ACCELERATOR METHOD, SYSTEM AND DEVICE

Number: US20200310761A1
Assignee:

A system includes an addressable memory array, one or more processing cores, and an accelerator framework coupled to the addressable memory. The accelerator framework includes a Multiply ACcumulate (MAC) hardware accelerator cluster. The MAC hardware accelerator cluster has a binary-to-residual converter, which, in operation, converts binary inputs to a residual number system. Converting a binary input to the residual number system includes a reduction modulo 2^m and a reduction modulo 2^m − 1, where m is a positive integer. A plurality of MAC hardware accelerators perform modulo 2^m multiply-and-accumulate operations and modulo 2^m − 1 multiply-and-accumulate operations using the converted binary input. A residual-to-binary converter generates a binary output based on the output of the MAC hardware accelerators.

1. A system, comprising:
an addressable memory array;
one or more processing cores; and
an accelerator framework coupled to the addressable memory and including a Multiply ACcumulate (MAC) hardware accelerator cluster, the MAC hardware accelerator cluster having:
a binary-to-residual converter, which, in operation, converts binary inputs to a residual number system, wherein converting a binary input to the residual number system includes a reduction modulo 2^m and a reduction modulo 2^m − 1, where m is a positive integer;
a plurality of MAC hardware accelerators, which, in operation, perform modulo 2^m multiply-and-accumulate operations and modulo 2^m − 1 multiply-and-accumulate operations; and
a residual-to-binary converter.

2. The system of claim 1, wherein the accelerator framework comprises a plurality of MAC hardware accelerator clusters.

3. The system of claim 1, wherein the reduction modulo 2^m − 1 is performed based on a property of periodicity.

4. The system of claim 1, wherein the residual-to-binary converter, in operation, performs reduction operations on outputs of the MAC hardware accelerators.

5. The system of ...
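The three stages of the abstract, as an added example in plain Python that is not the patent's hardware: binary-to-residual conversion using the periodicity of 2^m modulo 2^m − 1 (the property claim 3 refers to), two independent accumulation channels, and CRT recombination back to binary. The value of m, the sample operand pairs and the function names are this example's own.

```python
# Added example (not the patent's hardware): a multiply-accumulate pipeline in a
# residue number system with the moduli 2^m and 2^m - 1, following the structure
# in the abstract: binary-to-residual converter, one MAC channel per modulus,
# residual-to-binary converter.  `m` and the sample inputs are this example's own.

def mod_2m(x: int, m: int) -> int:
    """Reduction modulo 2^m is a bit mask."""
    return x & ((1 << m) - 1)


def mod_2m_minus_1(x: int, m: int) -> int:
    """Reduction modulo 2^m - 1 by periodicity: 2^m ≡ 1 (mod 2^m - 1), so the
    m-bit chunks of x can simply be added together (end-around carry)."""
    mask = (1 << m) - 1
    while x > mask:
        x = (x & mask) + (x >> m)
    return 0 if x == mask else x          # 2^m - 1 itself is congruent to 0


def to_rns(x: int, m: int):
    """Binary-to-residual converter."""
    return mod_2m(x, m), mod_2m_minus_1(x, m)


def dynamic_range(m: int) -> int:
    """Values are only recoverable below M = 2^m * (2^m - 1)."""
    return (1 << m) * ((1 << m) - 1)


def rns_mac(pairs, m: int):
    """sum(a_i * b_i) accumulated independently in the two residue channels."""
    acc0 = acc1 = 0
    for a, b in pairs:
        a0, a1 = to_rns(a, m)
        b0, b1 = to_rns(b, m)
        acc0 = mod_2m(acc0 + a0 * b0, m)
        acc1 = mod_2m_minus_1(acc1 + a1 * b1, m)
    return acc0, acc1


def from_rns(r0: int, r1: int, m: int) -> int:
    """Residual-to-binary converter (CRT for the coprime pair 2^m, 2^m - 1).

    x = r0 + 2^m * t with t = (r1 - r0) * (2^m)^-1 mod (2^m - 1); because
    2^m ≡ 1 the inverse is 1, so t = (r1 - r0) mod (2^m - 1).
    """
    t = mod_2m_minus_1(r1 - r0 + (1 << m) - 1, m)   # offset keeps the argument non-negative
    return r0 + (t << m)


def rns_dot(pairs, m: int) -> int:
    """Full pipeline: convert, accumulate, convert back.  The caller must
    guarantee that the true result is below dynamic_range(m); anything larger
    wraps silently, exactly like a fixed-width integer overflow."""
    return from_rns(*rns_mac(pairs, m), m)
```

An RNS accumulator has no carry-out to signal overflow, so the bound on the number of accumulated products has to be derived from the operand widths before the output is trusted; with m = 8 the range is only 65280, and two products of 255 × 255 already wrap.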

More
26-11-2015 publication date

Cryptography Method Comprising an Operation of Multiplication by a Scalar or an Exponentiation

Number: US20150339102A1
Assignee: INSIDE SECURE

A cryptographic data processing method, implemented in an electronic device including a processor, comprises providing a point of an elliptic curve over a Galois field and a whole number, and calculating the scalar product of the point by the number, the coordinates of the point and the number being larger than the words the processor can process directly. The scalar multiplication comprises: storing scalar multiples of the point by 2 raised to powers belonging to a series of whole numbers; setting a resulting point; for each non-zero bit of the number, adding the resulting point and one of the stored multiple points; and providing the resulting point at the output of the processor as the result of the scalar product.

1. A cryptographic data processing method, implemented in an electronic device comprising a processor, the method comprising steps of providing a point of an elliptic curve in a Galois field, and a first whole number, and of calculating a scalar multiplication of the point by the first number, the coordinates of the point and the first number having a size greater than the size of words that may be processed directly by the processor,
wherein the scalar multiplication calculation of the point by the first number comprises steps of:
storing a series of multiple points each resulting from the scalar product of the point by 2 raised to a power belonging to a series of whole numbers,
setting a resulting point belonging to the elliptic curve,
executing several iterations to take into account each of the bits of the first number only once, each iteration comprising a calculation of a combination of several bits of the first number, and if the combination is non-zero, an addition between the resulting point and one of the stored multiple points corresponding to ranks of the bits of the combination of bits of the first number, and
providing at the ...
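The precomputed-multiples method, as an added example on a toy curve (not INSIDE SECURE's implementation, and without the multi-word arithmetic the patent is about): with w = 1 the table holds exactly the 2^i·P multiples of the abstract and one addition is done per non-zero bit; with w > 1 it holds c·2^(wj)·P for every w-bit combination c, which is the "combination of several bits" generalisation in claim 1. The curve y² = x³ + 2x + 3 over GF(97), the base point (3, 6) and the scalars are this example's own choices.

```python
# Added example (not INSIDE SECURE's code): fixed-base scalar multiplication
# from precomputed multiples, on a toy curve so the algebra is easy to follow.
# The curve y^2 = x^3 + 2x + 3 over GF(97) and base point (3, 6) are this
# example's own choices.

P_MOD, A_COEF = 97, 2
BASE = (3, 6)           # None represents the point at infinity


def ec_add(P, Q):
    """Affine point addition (handles doubling and the point at infinity)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                  # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def double_and_add(k, P):
    """Reference left-to-right scalar multiplication."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R


def precompute(P, nbits, w):
    """table[j][c] = c * 2^(w*j) * P for c in 0 .. 2^w - 1 (table[j][0] is infinity)."""
    table = []
    base = P                                         # 2^(w*j) * P for the current j
    for _ in range((nbits + w - 1) // w):
        row = [None]
        for _ in range((1 << w) - 1):
            row.append(ec_add(row[-1], base))
        table.append(row)
        for _ in range(w):
            base = ec_add(base, base)
    return table


def fixed_base_mul(k, table, w, constant_ops=False):
    """Scalar multiplication by additions only; returns (point, additions performed).

    Skipping the addition for a zero window (the claim's 'if the combination is
    non-zero') makes the number of additions depend on the scalar, which a timing
    or power trace can read.  constant_ops=True performs a dummy addition instead.
    """
    R, adds = None, 0
    for j, row in enumerate(table):
        c = (k >> (w * j)) & ((1 << w) - 1)
        if c:
            R = ec_add(R, row[c])
            adds += 1
        elif constant_ops:
            ec_add(R, row[1])                        # result discarded; keeps the trace uniform
            adds += 1
    return R, adds
```

The operation count returned alongside the point is the thing to look at: with the literal "add only when non-zero" loop, the count equals the Hamming weight of the scalar (or the number of non-zero windows), which is what a simple power analysis of a real device recovers. The dummy addition is the textbook mitigation and is still vulnerable to fault attacks on the discarded result, so production code uses a regular (e.g. Montgomery-ladder) scalar multiplication rather than this flag.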

More
08-11-2018 publication date

ELLIPTIC CURVE ISOGENY-BASED CRYPTOGRAPHIC SCHEME

Number: US20180323973A1
Author: SOUKHAREV Vladimir
Assignee:

Elliptic curve cryptographic schemes performed between a pair of cryptographic correspondent computing devices. In one aspect, a first entity generates a first basis point in a first selected basis, being either a first basis (A) or a second basis (B), and performs a first key generation in the selected basis. A second entity receives the public key and determines the product of a predetermined scalar, in a second selected basis being either the first basis (A) or the second basis (B), and one of the first auxiliary points. If the product is an identity point, it performs second key generation in the second selected basis; otherwise it performs second key generation in either the first basis (A) or the second basis (B). A common key is generated using the private keys and public keys. In another aspect, a scheme is performed symmetrically between two entities to generate a common key.

1. An elliptic curve cryptographic scheme performed between a first entity on a first computing device and a second entity on a second computing device communicating over a data communication system, the cryptographic scheme comprising:
performing, by the first entity:
selecting a first selected basis being either a first basis or a second basis;
performing first key generation with respect to the first selected basis to generate a first private key and a first public key; and
communicating the first public key to the second entity;
performing, by the second entity:
determining if a linear combination, in a second selected basis being either the first basis or the second basis, is an identity point;
performing second key generation with respect to the first basis if the scalar multiplication product is the identity point, otherwise performing second key generation with respect to the second basis, the second key generation generating a second private key and a second public key; and
communicating a second public key to the second entity;
generating a common key by
combining ...

More
17-10-2019 publication date

HARDWARE ACCELERATION OF BIKE FOR POST-QUANTUM PUBLIC KEY CRYPTOGRAPHY

Number: US20190319787A1
Assignee: Intel Corporation

In one example an apparatus comprises an unsatisfied parity check (UPC) memory, a UPC compute block communicatively coupled to the UPC memory, a first error memory communicatively coupled to the UPC compute block, a polynomial multiplication syndrome memory, a polynomial multiplication compute block communicatively coupled to the polynomial multiplication syndrome memory, a second error memory communicatively coupled to the polynomial multiplication compute block, a codeword memory communicatively coupled to the UPC compute block and the polynomial multiplication compute block, a multiplexer communicatively coupled to the first error memory and to the polynomial multiplication compute block, and a controller communicatively coupled to the UPC memory, the polynomial multiplication syndrome memory, the codeword memory, and the multiplexer. Other examples may be described.

1. An apparatus, comprising:
an unsatisfied parity check (UPC) memory;
an unsatisfied parity check (UPC) compute block communicatively coupled to the UPC memory;
a first error memory communicatively coupled to the UPC compute block;
a polynomial multiplication syndrome memory;
a polynomial multiplication compute block communicatively coupled to the polynomial multiplication syndrome memory;
a second error memory communicatively coupled to the polynomial multiplication compute block;
a codeword memory communicatively coupled to the UPC compute block and the polynomial multiplication compute block;
a multiplexer communicatively coupled to the first error memory and to the polynomial multiplication compute block; and
a controller communicatively coupled to the UPC memory, the polynomial multiplication syndrome memory, the codeword memory, and the multiplexer.

2. The apparatus of claim 1, the controller to:
initiate a process to load the codeword memory with a set of 256 codewords, each codeword comprising a first private key portion and a second private key portion.

3.
The apparatus of claim 2 ...

More
17-10-2019 publication date

DIGITAL SIGNATURE VERIFICATION ENGINE FOR RECONFIGURABLE CIRCUIT DEVICES

Number: US20190319805A1
Assignee: Intel Corporation

Embodiments are directed to a digital signature verification engine for reconfigurable circuit devices. An embodiment of an apparatus includes one or more processors and a reconfigurable circuit device, the reconfigurable circuit device including digital signal processing (DSP) blocks and logic elements (LEs), wherein the one or more processors are to configure the reconfigurable circuit device to operate as a signature verification engine for a bit stream, the signature verification engine including a hybrid multiplication unit that combines a set of LEs and a set of the DSPs to multiply operands for signature verification.

1. An apparatus comprising:
one or more processors; and
a reconfigurable circuit device, the reconfigurable circuit device including
a plurality of digital signal processing (DSP) blocks, and
a plurality of logic elements (LEs);
wherein the one or more processors are to configure the reconfigurable circuit device to operate as a signature verification engine for a bit stream, the signature verification engine including
a hybrid multiplication unit, the hybrid multiplication unit combining a set of the plurality of LEs and a set of the plurality of DSPs to multiply operands for signature verification.

2. The apparatus of claim 1, wherein the reconfigurable circuit device is one of an FPGA (Field Programmable Gate Array) or CPLD (Complex Programmable Logic Device).

3. The apparatus of claim 1, wherein the signature verification engine is an ECDSA (Elliptic Curve Digital Signature Algorithm) engine.

4. The apparatus of claim 3, wherein the hybrid multiplication unit is to iterate a calculation a plurality of times to generate a product of a multiplication operation.

5. The apparatus of claim 4, wherein the hybrid multiplication unit is to perform multiplication for Galois field computations.

6.
The apparatus of claim 3 , wherein the reconfigurable circuit device further includes a block random access memory (BRAM ...

More
01-12-2016 publication date

Cryptographic Accelerator

Number: US20160350077A1
Assignee: Texas Instruments Inc

A cryptographic accelerator performs various modular arithmetic operations producing unreduced results bounded by twice the modulus (i.e. 2M). This lets the processing elements of the accelerator's ALU begin processing their respective data word portions of a modular arithmetic operation before the entirety of the operands has been loaded. Similarly, the processing elements may begin to store their respective data word portions of a modular arithmetic result before the entirety of the result has been calculated.
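What "unreduced results bounded by 2M" buys, as an added example that is not the TI accelerator's design: a word-serial Montgomery multiplication that never performs the final conditional subtraction, so every intermediate of a chain stays below 2M and a single reduction is done at the end. The word size, the modulus and the operands are this example's own; the bound itself follows from choosing R = 2^(W·n) > 4M.

```python
# Added example (not the TI accelerator's design): word-serial Montgomery
# multiplication whose outputs are left in [0, 2M) rather than fully reduced.
# With R = 2^(W*n) > 4M the product of two values below 2M is again below 2M,
# so a chain of multiplications needs no conditional subtraction until the end.
# Word size, modulus and sample operands are this example's own.

W = 32  # word size in bits


def mont_params(M: int):
    """Smallest word count n with R = 2^(W*n) > 4M, and R^2 mod M for conversions."""
    if M % 2 == 0:
        raise ValueError("Montgomery reduction needs an odd modulus")
    n_words = (M.bit_length() + 2 + W - 1) // W
    R = 1 << (W * n_words)
    return n_words, (R * R) % M


def montgomery_mul(a: int, b: int, M: int, n_words: int) -> int:
    """a * b * R^-1 mod M, word-serial (one word of b per iteration).

    Precondition: a, b < 2M and 2^(W*n_words) > 4M.  The result t satisfies
    t ≡ a*b*R^-1 (mod M) and t < 2M; no final subtraction is performed, so the
    control flow does not depend on the operands.
    """
    word_mask = (1 << W) - 1
    m_inv = (-pow(M, -1, 1 << W)) & word_mask          # -M^-1 mod 2^W
    t = 0
    for i in range(n_words):
        t += a * ((b >> (W * i)) & word_mask)            # accumulate the next partial product
        u = (t * m_inv) & word_mask                      # choose u so that t + u*M ≡ 0 mod 2^W
        t = (t + u * M) >> W                             # exact division by the word base
    return t


def final_reduce(t: int, M: int) -> int:
    """The single conditional subtraction, applied once at the end of a chain."""
    return t - M if t >= M else t


def mod_product(values, M: int) -> int:
    """prod(values) mod M computed entirely with unreduced (< 2M) intermediates."""
    n, r2 = mont_params(M)
    acc = montgomery_mul(1, r2, M, n)                    # Montgomery form of 1, i.e. R mod M (< 2M)
    for v in values:
        v_m = montgomery_mul(v % M, r2, M, n)            # to Montgomery form: v*R mod M, < 2M
        acc = montgomery_mul(acc, v_m, M, n)             # stays < 2M
    return final_reduce(montgomery_mul(acc, 1, M, n), M) # leave Montgomery form, reduce once
```

The extra word of headroom is not optional: with R only slightly above M the accumulator can exceed 2M and the chain silently produces a wrong residue. Leaving the per-operation subtraction out also removes the data-dependent branch that the classic timing attacks on Montgomery exponentiation keyed on, which is a second reason hardware designs prefer the 2M bound.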

More
22-11-2018 publication date

QUANTUM RESOURCE ESTIMATES FOR COMPUTING ELLIPTIC CURVE DISCRETE LOGARITHMS

Number: US20180336015A1
Assignee: Microsoft Technology Licensing, LLC

In this application, example methods for performing quantum Montgomery arithmetic are disclosed. Additionally, circuit implementations are disclosed for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. The application also shows that elliptic curve discrete logarithms on an elliptic curve defined over an n-bit prime field can be computed on a quantum computer with at most 9n + 2⌈log(n)⌉ + 10 qubits using a quantum circuit of at most 512 n^3 log(n) + 3572 n^3 Toffoli gates.

1. A computer-implemented method, comprising:
inputting a prime number;
generating reversible circuits for performing a modular arithmetic operation on the prime number, the modular arithmetic operation being one of addition, subtraction, multiplication, or division; and
storing the reversible circuits as quantum-computer executable instructions.

2. The method of claim 1, further comprising configuring a quantum computer to implement the reversible circuits using the quantum-computer executable instructions.

3. The method of claim 1, wherein the data on which the modular arithmetic operation acts is encoded using Montgomery encoding for the underlying prime number.

4. The method of claim 1, wherein the modular arithmetic operation performed is addition, and wherein the addition operation is implemented using a quantum circuit for integer addition, followed by a reversible circuit that tests for overflows and reduces an output modulo the prime number if necessary.

5. The method of claim 1, wherein the modular arithmetic operation performed is subtraction, and wherein the subtraction operation is implemented using a quantum circuit for integer addition, followed by a reversible circuit that tests for overflows and reduces an output modulo the prime number if necessary.

6. The method of claim 1, wherein the modular arithmetic operation performed is multiplication, and ...

More
24-10-2019 publication date

ENCRYPTING AND DECRYPTING UNIT FOR RSA CRYPTOGRAPHIC SYSTEM, RESISTANT TO FAULTS INJECTION

Number: US20190327074A1

A digital encrypting and decrypting unit (PMEU) that operates according to a Rivest-Shamir-Adleman (RSA) cryptosystem based on the Residue Numeral System (RNS) and the Chinese Remainder Theorem (CRT). The unit includes two modular exponentiation calculating units (MES-, MES-) that process two residual signals (X mod p, X mod q) to calculate the result of a modular exponentiation by the binary method. The calculating units have inputs (I-k[i], I-SM, I-MM) and outputs (O-k[i], O-SM, O-MM) for signals representing partial results of the modular exponentiation. A modular exponentiation controlling unit (MECU) is connected to the inputs and outputs of the calculating units to control the flow of the signals representing the partial results of the modular exponentiation.

1. a first modular exponentiation calculating unit configured to process a first residual signal to calculate a result of a modular exponentiation by a binary method;
a second modular exponentiation calculating unit configured to process a second residual signal to calculate a result of a modular exponentiation by a binary method;
wherein the first modular exponentiation calculating unit and the second modular exponentiation calculating unit have inputs and outputs for signals representing partial results of the modular exponentiation;
when the clock signal has a first level, directing the signals representing the partial results of the modular exponentiation from the outputs of the first modular exponentiation calculating unit to the inputs of the second modular exponentiation calculating unit and directing the signals representing the partial results of the modular exponentiation from the outputs of the second modular exponentiation calculating unit to the inputs of the first modular exponentiation calculating unit; and
when the clock signal has a second level, directing the signals representing the partial results of the modular exponentiation from the outputs of the first modular exponentiation calculating unit to the
...
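Why a fault in one CRT half matters, as an added example that is not the patented unit's design and does not reproduce its scheme of swapping partial results between the two calculating units: RSA-CRT signing with the binary method, a constructed single-bit fault in the q-half partial result, the gcd that recovers p from the faulty signature, and the verify-before-release check that stops such a signature from leaving the device. The Mersenne primes, the exponent and the message are this example's own toy parameters, not realistic key sizes.

```python
# Added example (not the patented unit): RSA-CRT signing with binary
# exponentiation, a simulated fault in one CRT half, the resulting
# Bellcore-style factorisation of N, and a self-check before release.
# p = 2^61 - 1 and q = 2^31 - 1 are Mersenne primes chosen for a compact
# example; message and fault are constructed here.
import math

P = (1 << 61) - 1
Q = (1 << 31) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def modexp_binary(base: int, exp: int, mod: int) -> int:
    """Left-to-right square-and-multiply (the 'binary method')."""
    r = 1
    for bit in bin(exp)[2:]:
        r = r * r % mod
        if bit == "1":
            r = r * base % mod
    return r


def rsa_crt_sign(m: int, p: int, q: int, d: int, fault_in_q: bool = False) -> int:
    """S = m^d mod pq via the two residues m^d mod p and m^d mod q."""
    sp = modexp_binary(m % p, d % (p - 1), p)
    sq = modexp_binary(m % q, d % (q - 1), q)
    if fault_in_q:
        sq ^= 1                       # constructed transient fault on the q-half partial result
    h = (pow(q, -1, p) * (sp - sq)) % p
    return sq + h * q                 # Garner recombination


def bellcore_factor(n: int, e: int, m: int, s_faulty: int) -> int:
    """A signature correct mod p but wrong mod q gives gcd(s'^e - m, n) = p."""
    return math.gcd(pow(s_faulty, e, n) - m, n)


def sign_checked(m: int, fault_in_q: bool = False) -> int:
    """Verify before release: with a small public exponent this costs far
    less than the signature itself and catches any fault in either half."""
    s = rsa_crt_sign(m, P, Q, D, fault_in_q)
    if pow(s, E, N) != m % N:
        raise ValueError("signature self-check failed: possible fault injection")
    return s
```

One faulty half is enough: the attacker needs a single bad signature and the public key, and the factorisation falls out of a gcd. Fault-resistant designs therefore either cross-check or recompute the partial results (the direction the patent takes) or verify the final signature with the public exponent before releasing it, and a robust device does both. `modexp_binary` keeps the data-dependent multiply of the plain binary method to match the page's description; it is not constant-time and would not be used as written in a side-channel-hardened implementation.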

More