Abstract: Techniques include replacing many of the functions used in finite-field-based arithmetic with lookup tables (LUTs) and combining such LUTs with redundancy-based protection. Advantageously, using LUTs makes it possible to dramatically decrease the redundancy level (e.g., from d=8 to d=3 or 4) and the power consumption and increase the maximal frequency, while preserving the same protection level, latency and performance. The improvement is applicable not only to AES, but also to other algorithms based on a finite field arithmetic, and in particular SM4, ARIA, and Camellia which use Sboxes very similar to or the same as the AES Sbox.

Abstract: In a general aspect, a method for testing vulnerability of a cryptographic function (CF) to a side-channel attack includes providing a plurality of input values to the function, where the CF, for each input value calculates a sum of the input value and a first value of the CF, and replaces a second value of the CF with the sum. The method further includes measuring a set of samples including a respective side-channel leakage sample for each input value. The method also includes iteratively performing a series of operations including splitting the set of samples into a plurality of subsets based on the input values, calculating a respective value for each subset based on samples of the subset, and comparing the respective values for different subsets to discover respective bit values of the first value and the second value from their least significant bits to most significant bits.

Abstract: In a general aspect, a GHASH semiconductor intellectual property (IP) core can include circuitry for calculating a GHASH function. The IP core can be configured to calculate the GHASH function by calculating the following quantities: X 0 = 0 ; X i + 1 = H k X i + ? j = 0 k ? 1 ? n = 0 m ? 1 C k i + j h i j n , ? where for any i ? and j ; ? and ? n = 0 m ? 1 h i j n = H j , ? where k > 1 and m ? > 1.

Abstract: A method for testing an HMAC implementation for vulnerability to a side-channel attack can include mounting a template attack. The attack can include generating, based on first side-channel leakage information associated with execution of a hash function of the HMAC implementation, a plurality of template tables. Each template table can correspond, respectively, with a subset of bit positions of an internal state of the hash function. The attack can further include generating, based on second side-channel leakage information, a plurality of hypotheses for an internal state of an invocation of the hash function based on a secret key. The method can further include generating, using the hash function, respective hash values generated from each of the plurality of hypotheses and a message. The method can also include comparing each of the respective hash values with a hash value generated using the secret key to determine vulnerability of the HMAC implementation.

Abstract: A method of improving performance of a data processor comprising: in a field of characteristic 2 computing XY by performing a series of: (i) multiplications of two different elements of the field; and (ii) raising an element of the field to a power Z wherein Z is a power of 2; wherein the number of multiplications (i) is at least two less than the number of ones (1s) in the binary representation of Y.

Abstract: A semiconductor intellectual property (IP) core comprising a transformation engine designed and configured to represent each element of a field GF(28) using a polynomial of degree no higher than 7+d, where d>0 is a redundancy parameter. Also disclosed in the specification are several other IP cores and several different methods.

Abstract: A semiconductor intellectual property (IP) core comprising a transformation engine designed and configured to represent each element of a field GF(28) using a polynomial of degree no higher than 7+d, where d>0 is a redundancy parameter. Also disclosed in the specification are several other IP cores and several different methods.

Abstract: A server on the Internet detects that a mobile device communicating with the server may have been stolen, and a telephone call is made to a call center to initiate action in response to the alert.