929results about "Computations using residue arithmetic" patented technology

To provide a secure cryptographic device such as an IC card which can endure TA (Timing Attack), DPA (Differential Power Analysis), SPA (Simple Power Analysis), or the like as an attaching method of presuming secret information held therein, when the secret information held in the card or another information which is used in the secret information or an arithmetic operation using such secret information when such an arithmetic operation is performed is shown by a plurality of expressing methods and the arithmetic operation is performed, thereby making an arithmetic operation processing method different each time the arithmetic operation is performed and making each of an arithmetic operation time, an intensity of a generated electromagnetic wave, and a current consumption different.

An arithmetic apparatus for performing a long product-sum operation includes an integer unit arithmetic circuit, a finite field GF(2^m) based unit arithmetic circuit logically adjacent to the integer unit arithmetic circuit, a selector for selecting the integer unit arithmetic circuit or the finite field GF(2^m) based unit arithmetic circuit, and an adder circuit which has a buffer for storing interim result data, adds the interim result data to the result data obtained by one of the integer unit arithmetic circuit and the finite field GF(2^m) based unit arithmetic circuit which is selected by the selector, propagates a carry in an integer unit arithmetic operation, and propagates no carry in a finite field GF(2^m) based unit arithmetic operation.

Circuitry which performs modular mathematics to solve the equation C=Mk mod n and n is performed in a manner to mask the exponent k's signature from timing or power monitoring attacks. The modular exponentation function is performed in a normalized manner such that binary ones and zeros in the exponent are calculated by being modulo-squared and modulo-multiplied.

A data encryption method performed with ring arithmetic operations using a residue number multiplication process wherein a first conversion to a first basis is done using a mixed radix system and a second conversion to a second basis is done using a mixed radix system. In some embodiments, a modulus C is be chosen of the form 2w-L, wherein C is a w-bit number and L is a low Hamming weight odd integer less than 2(w-1)/2. And in some of those embodiments, the residue mod C is calculated via several steps. P is split into 2 w-bit words H1 and L1. S1 is calculated as equal to L1+(H12x1)+(H12x2)+ . . . +(H12xk)+H1. S1 is split into two w-bit words H2 and L2. S2 is computed as being equal to L2+(H22x1)+(H22x2)+ . . . +(H22xk)+H2. S3 is computed as being equal to S2+(2x1+ . . . +2xk+1). And the residue is determined by comparing S3 to 2w. If S3<2w, then the residue equals S2. If S3>2w, then the residue equals S3-2w.

The present invention makes it difficult for unauthorized parties to estimate processing and a secret key based upon the waveforms of power consumption of an IC card chip by changing a processing order in the IC card chip so that it is not estimated by the attackers. In an information processing apparatus comprising storing means having a program storing part for storing programs and a data storing part for storing data, an operation processing unit, means for inputting data to be operated on in the operation processing unit, and means for outputting operation processing results on the data by the operation processing unit, an arithmetic operation method is provided which comprises the steps of: for two integers K1 and K2, when finding a value F(K, A) of a function F satisfying F(K1+K2, A)=F(K1, A)◯F(K2, A) (◯ denotes an arithmetic operation in a communtative semigroup S. K designates an integer and A designates an element of S), decomposing the K to the sum of m integers K[0]+K[1]+ . . . K[m−1]; using T(0), T(1), . . . T(m−1) resulting from rearranging a string of the m integers 0, 1, . . . m−1 by permutation T (the result corresponds one for one to the integer string 0, 1, . . . m−1); and operating on terms F(K[T(0)], A) to F(K[T(m−1)], A) on the right side of

F(K, A)=F(K[T(0)], A)◯F(K[T(1)], A)◯ . . . F(K[T(m−1)], A) . . .   (expression 1)

in the order of F(K[T(0)], A), F(K[T(1)], A), . . . F(K[T(m−1)], A) to find F(K, A).

A method and an apparatus capable of realizing at a high speed an elliptic curve cryptography in a finite field of characteristic 2, in which the elliptic curve is given by y²+xy=x³+ax²+b (b≠0) and an elliptic curve cryptography method which can protect private key information against leaking from deviation information of processing time to thereby defend a cipher text against a timing attack and a differential power analysis attack are provided. To this end, an arithmetic process for executing scalar multiplication arithmetic d(x, y) a constant number of times per bit of the private key d is adopted. Further, for the scalar multiplication d(x, y), a random number k is generated upon transformation of the affine coordinates (x, y) to the projective coordinates for thereby effectuating the transformation (x, y)→[kx, ky, k] or alternatively (x, y)→[k²x, k³y, k]. Thus, object for the arithmetic is varied by the random number (k).

The present invention takes advantage of a quadratic-only ambiguity for x-coordinates in elliptic curve algebra as a means for encrypting plaintext directly onto elliptic curves. The encrypting of plaintext directly onto elliptic curves is referred to herein as "direct embedding". When performing direct embedding, actual plaintext is embedded as a "+" or "-" x-coordinate. The sender specifies using an extra bit whether + or - is used so that the receiver can decrypt appropriately. In operation their are two public initial x-coordinates such that two points P1+ and P1- lie respectively on two curves E+ and E-. A parcel of text xtext is selected that is no more than q bits in length. The curve (E+ or E-) that contains xtext is determined. A random number r is chosen and used to generate a coordinate xq using the public key of a receiving party. An elliptic add operation is used with the coordinate xq and the parcel of text to generated a message coordinate xm. A clue xc is generated using the random number and the point P from the appropriate curve E±. The sign that holds for xtext is determined and called g. The message coordinate xm, the clue xc, and the sign g are sent as a triple to the receiving party. The receiving party uses the clue xc and its private key to generate coordinate xq. Using the sign g and coordinate xq, the text can be recovered.

A cryptographic system (CS) is provided. The CS (500) is comprised of a data stream receiving device (DSRD), a chaotic sequence generator (CSG) and an encryptor. The DSRD (602) is configured to receive an input data stream. The CSG (300) includes a computing means (302₀, . . . , 302_N-1) and a mapping means (304). The computing means is configured to use RNS arithmetic operations to respectively determine solutions for polynomial equations. The solutions are iteratively computed and expressed as RNS residue values. The mapping means is configured to determine a series of digits in the weighted number system based on the RNS residue values. The encryptor is coupled to the DSRD and CSG. The encryptor is configured to generate a modified data stream by incorporating or combining the series of digits with the input data stream.

A method is provided for generating a chaotic sequence. The method includes selecting a plurality of polynomial equations. The method also includes using residue number system (RNS) arithmetic operations to respectively determine solutions for the polynomial equations. The solutions are iteratively computed and expressed as RNS residue values. The method further includes determining a series of digits in a weighted number system (e.g., a binary number system) based on the RNS residue values. According to an aspect of the invention, the method includes using a Chinese Remainder Theorem process to determine a series of digits in the weighted number system based on the RNS residue values. According to another aspect of the invention, the determining step comprises identifying a number in the weighted number system that is defined by the RNS residue values.

A method and apparatus are disclosed for performing modular multiplication. Modular multiplication in accordance with the present invention includes precalculating a 2's complement of a given modulus and multiples of the 2's complement and calculating a total magnitude of end-around carries during the modular multiplication. The calculated multiples are selected depending on the total magnitude of the end-around carries, and the selected multiples are added. The disclosure includes array structures in accordance with the present invention. The invention includes an algorithm designed for Rivest-Shamir-Adelman (RSA) cryptography and based on the familiar iterative Homer's rule, but uses precalculated complements of the modulus. The problem of deciding which multiples of the modulus to subtract in intermediate iteration stages has been simplified using simple look-up of precalculated complement numbers, thus allowing a finer-grain pipeline. Regularity and local connections make the algorithm suitable for high-performance array implementation in FPGA's (field programmable gate arrays) or deep submicron VLSI's.

A side channel attack utilizes information gained from the physical implementation of a cryptosystem. Software and hardware-based systems and methods for preventing side channel attacks are presented. Cryptographic hardware may introduce dummy operations to compensate for conditional math operations in certain functions such as modular exponentiation. Cryptographic hardware may also introduce random stalls of the data path to introduce alterations in the power profile for the operation. A cryptographic function may be mapped to a micro code sequence having a plurality of instructions. Firmware in the cryptosystem may alter the micro code sequence by altering the order of instructions, add dummy operations in the micro code sequence, break the micro code sequence into multiple sub micro code sequences and/or change the register location for source and destination operands used in the sequence. These alterations are designed to randomly change the timing and power profile of the requested function.

A method, system, and apparatus for performing computations.

In a method, arguments X and K are loaded into session memory, and X mod P and X mod Q are computed to give, respectively, X_P and X_Q. X_P and X_Q are exponentiated to compute, respectively, C_P and C_Q. C_P and C_Q are merged to compute C, which is then retrieved from the session memory.

A system includes a computing device and at least one computational apparatus, wherein the computing device is configured to use the computational apparatus to perform accelerated computations.

An apparatus includes a chaining controller and a plurality of computational devices. A first chaining subset of the plurality of computational devices includes at least two of the plurality of computational devices, and the chaining controller is configured to instruct the first chaining subset to operate as a first computational chain.

A cryptographic system (CS) is provided. The CS (800) comprises a data stream receiving means (DSRM), a generator (702), a mixed radix converter (MRC) and an encryptor (908). The DSRM (902) is configured to receive a data stream (DS). The generator is configured to selectively generate a random number sequence (RNS) utilizing a punctured ring structure. The MRC (704) is coupled to the generator and configured to perform a mixed radix conversion to convert the RNS from a first number base to a second number base. The encryptor is coupled to the DSRM and MRC. The encryptor is configured to generate an altered data stream by combining the RNS in the second number base with the DS. The punctured ring structure and the MRC are configured in combination to produce an RNS in the second number base which contains a priori defined statistical artifacts after the mixed radix conversion.

A cryptographic system (1000) is provided. The cryptographic system includes a data stream receiving means (DSRM), a number generator (NG), a mixed radix accumulator (MRA) and an encryptor. The DSRM (1002) receives a data stream (DS). The NG (702) generates a first number sequence (FNS) contained within a Galois Field GF[M]. The MRA (750) is configured to perform a first modification to a first number (FN) in FNS. The first modification involves summing the FN with a result of a modulo P operation performed on a second number in FNS that proceeds FN. The MRA is also configured to perform a second modification to FN utilizing a modulo P operation. The MRA is further configured to repeat the first and second modification for numbers in FNS to generate a second number sequence (SNS). The encryptor (1004) is configured to generate a modified data stream by combining SNS and DS.

A method and apparatus are shown for performing efficient arithmetic on binary vectors in a finite field. Typically, there is an efficient algorithm within an execution context, such as hardware or software, for performing a selected arithmetic operation on an operand. When the operand is in a first representative format and the efficient algorithm operates in an alternative representation format, then the operand is permutated from the first representative format to the alternative representation format. The efficient algorithm is then performed on the operand in the alternative representation format in order to obtain a result in the alternative representation format. The result is then permutated from the alternative representation format to the first representation format. Thus, efficient arithmetic is obtained by using the most efficient algorithm available in either the first representation format or the alternative representation format and permuting operands and results to the representation format corresponding to the most efficient algorithm available.

A reduction operation is utilized in an arithmetic operation on two binary polynomials X(t) and Y(t) over GF(2), where an irreducible polynomial Mm(t)=t<m>+am-1t<m-1>+am-2t<m-2>+ . . . +a1t+a0, where the coefficients as are equal to either 1 or 0, and m is a field degree. The reduction operation includes partially reducing a result of the arithmetic operation on the two binary polynomials to produce a congruent polynomial of degree less than a chosen integer n, with m<=n. The partial reduction includes using a polynomial M'=(Mm(t)-t<m>)*t<n-m>, or a polynomial M''=Mm(t)*t<n-m >as part of reducing the result to the degree less than n and greater than or equal to m. The integer n can be the data path width of an arithmetic unit performing the arithmetic operation, a multiple of a digit size of a multiplier performing the arithmetic operation, a word size of a storage location, such as a register, or a maximum operand size of a functional unit in which the arithmetic operation is performed.

A method and apparatus for multiplication in a Galois field. The method of multiplication in a Galois field (GF) for preventing an information leakage attack by performing a transformation of masked data and masks in GF(2ⁿ) includes: receiving a plurality of first and second masked input data, a plurality of first and second input masks and an output mask; calculating a plurality of intermediate values by performing a multiplication of the plurality of masked input data and the plurality of input masks in GF(2ⁿ); and calculating a final masked output value by performing an XOR operation of the intermediate values and the output masks.

The present invention improves speed and reduces complexity in a digital signature scheme that uses elliptic algebra. The signature scheme generates two points that are compared. If the points do not match, the signature is not authentic. The present invention reduces computations by comparing only the x coordinates of the two generated points. The invention provides a scheme for deducing the possible values of the x-coordinate of a sum of two points using only the x coordinates of the original two points in question. The present invention provides a scheme that limits the possible solutions that satisfy the equation to two (the authentic signature and one other). Because of the large number of possible inauthentic solutions, the chance of a false authentic signature is statistically insignificant.

An elliptic curve cryptosystem apparatus performing an elliptic curve cryptosystem process has a coordinate transforming unit for transforming coordinates (X:Y:Z) on a point P on an elliptic curve over a finite field GF(pˆm) to coordinates (r1×(X−s1):r2×(Y−s2):r3×(Z−s3)) (where, p is a prime number, m is an integer not less than 1, r1, r2 and r3 are integers not less than 1 and not larger than (p−1), s1, s2 and s3 are integer not less than 0 and not larger than (p−1), and a code “ˆ” represents power), and a scalar multiplication operating unit for performing scalar multiplication on the point on the elliptic curve transformed by the coordinate transforming unit, wherein at least one of the parameters s1, s2 and s3 has a value other than 0. The apparatus can perform the scalar multiplication in the elliptic curve cryptosystem, with resistance to side channel attacks.

In scalar multiplication method in which a point on an elliptic curve is randomized, but yet scalar multiplication can be calculated by the computational cost as much as that without randomization, an operation is carried out upon a point randomized and a point not randomized in a scalar multiplication method to calculate a scalar-multiplied point from a scalar value and a point on an elliptic curve. The result of the operation is randomized while the computational cost becomes as much as that without randomization.

A cryptographic method is described. The method comprises storing binary data representing at least a portion of a field element of an odd-characteristic finite field GF(p^k) in a register, p being an odd prime number, the field element comprising k coefficients in accordance with a polynomial-basis representation, the binary data comprising plural groups of data bits, wherein each group of data bits represents an associated one of the k coefficients and processing the binary data in accordance with a cryptographic algorithm such that the plural groups of data bits are processed in parallel. An apparatus comprising a memory and a processing unit coupled to the memory to carry out the method is also described.