Abstract: A system and method are described that provide an alternative way in which to produce a Montgomery reduction from below by storing a new precomputed value used to substantially replace the ? and n values used in Montgomery reduction with a single value. By modifying the Montgomery reduction mechanism in this way, the number of multiplications and registers required to effect the Montgomery reduction can be reduced. To avoid having to store both ? and n, a modified reduction value or a logical shift or signed version of such a value can be used in place of ? and n for the bulk of the low-order reduction.

Abstract: An authentication device is used to authenticate a component to a product using a secret key. The life cycle of the authentication device is controlled by selective deletion of the secret key. An attestation message is sent by the authentication device upon deletion of the secret key. Authentication devices from faulty components or over supply of the authentication devices ma}? be rendered inoperable and audited.

Abstract: A potential bias in the generation of a private key is avoided by selecting the key and comparing it against the system parameters. If a predetermined condition is attained it is accepted. If not it is rejected and a new key is generated.

Abstract: A method and apparatus are disclosed for using a single credential request (e.g., registered public key or ECQV certificate) to obtain a plurality of credentials in a secure digital communication system having a plurality of trusted certificate authority CA entities and one or more subscriber entities A. In this way, entity A can be provisioned onto multiple PKI networks by leveraging a single registered public key or implicit certificate as a credential request to one or more CA entities to obtain additional credentials, where each additional credential can be used to derive additional public key-private key pairs for the entity A.

Abstract: Methods and systems for squaring a binary finite field element are described. In some aspects, a data processing apparatus includes registers and processor logic. A first register stores a sequence of binary values that define a binary finite field element input. The processor logic accesses input components from the first register according to intervals in the sequence. Each input component includes a binary value from each interval in the sequence. In some cases, the intervals are periodic and the binary finite field element corresponds to a sum of phase-shifted input components. The processor logic generates output components based on the input components. The processor logic generates a square of the binary finite field element in the second register based on the output components. The number of input components can be selected, for example, to balance costs of additional processing time against benefits associated with reduced processing hardware.

Abstract: Methods, systems, and computer programs for managing authentication data for an authentication device are disclosed. An authentication device may be included, for example, in a mobile device battery so that the battery can be authenticated by a mobile device. In some implementations, encrypted certificate data are stored on an authentication device. The encrypted certificate data are accessed, and unencrypted certificate data are generated by decrypting the encrypted certificate data. The unencrypted certificate data are stored on the authentication device. The unencrypted certificate data enable the authentication device to provide a valid reply message, for example, in response to receiving an interrogation message from an interrogation device. In some implementations, the reply message includes the unencrypted certificate data and a response value generated by the authentication device based on a secret value.

Abstract: An efficient implementation of SHA-512, and similarly SHA-384, on an ARM processor. The implementation maximizes reuse of the register values between iterations so as to minimize the need to load these values from memory. This is achieved by categorizing the iterations into even and odd ones such that the sequence of computation in the even iteration is reversed in the odd iteration and the register values at the end of one iteration are consumed at the beginning of the following one.

Abstract: Methods, systems, and computer programs for interrogating an authentication device are disclosed. For example, a mobile device can include an interrogator module that interrogates an authentication module in a mobile device accessory, for example, upon installation of the mobile device accessory. In some implementations, challenge-response pairs and a challenge-response distribution are stored in a memory of an interrogator module. The challenge-response distribution defines selection probabilities for the challenge values. In some instances, the interrogator module receives an authentication request from an authentication module, and in response to the authentication request, the interrogator module selects an initial challenge value according to the challenge-response distribution. The interrogator module sends the authentication module an interrogation message that includes the initial challenge value.

Abstract: A cryptographic module and a computing device implemented method for securing data using a cryptographic module is provided. The cryptographic module may include an input component for receiving a password, an output component for outputting data to the computing device, a random number generator for generating a random number and a module processor operative to generate at least one cryptographic key using the generated random number, and to record an association between the received password linking the received password with the at least one cryptographic key in a data store accessible to the cryptographic module.

Abstract: A signature scheme is provided in which a message is divided in to a first portion which is hidden and is recovered during verification, and a second portion which is visible and is required as input to the verification algorithm. A first signature component is generated by encrypting the first portion alone. An intermediate component is formed by combining the first component and the visible portion and cryptographically hashing them. A second signature component is then formed using the intermediate component and the signature comprises the first and second components with the visible portion. A verification of the signature combines a first component derived only from the hidden portion of the message with the visible portion and produces a hash of the combination. The computed hash is used together with publicly available information to generate a bit string corresponding to the hidden portion.

Abstract: A method for hindering a cold boot attack on a user equipment (UE) is provided. The method includes, in response to detection of the cold boot attack, executing prioritized security procedures. A user equipment (UE) is also provided that includes a processor configured to execute prioritized security procedures responsive to detection of a cold boot attack.

Abstract: A system and method are provided which employs a key agreement scheme, wherein the agreed-upon-shared key is used in a protocol message in the authentication rather than being employed as a session key.

Abstract: Techniques are disclosed for utilizing a block Montgomery machine designed only to operate at a fixed block length to perform operations using non-block length (flexible)moduli. In one embodiment, a new modulus n? is obtained having a block length equal to the fixed block length of the Montgomery machine or a multiple thereof. At least one modular additive operation is performed with the new modulus n?, and at least one modular multiplicative operation is performed with the non-block length modulus n. In this way, the result of the at least one additive operation is sufficiently reduced when a carry stems from the additive operation.

Abstract: A potential bias in the generation of a private key is avoided by selecting the key and comparing it against the system parameters. If a predetermined condition is attained it is accepted. If not it is rejected and a new key is generated.

Abstract: A system and method are described that provide an alternative way in which to produce a Montgomery reduction from below by storing a new precomputed value used to substantially replace the ? and n values used in Montgomery reduction with a single value. By modifying the Montgomery reduction mechanism in this way, the number of multiplications and registers required to effect the Montgomery reduction can be reduced. To avoid having to store both ? and n, a modified reduction value or a logical shift or signed version of such a value can be used in place of ? and n for the bulk of the low-order reduction.

Abstract: There are disclosed systems and methods for computing an exponentiatied message. In one embodiment blinding is maintained during the application of a Chinese Remainder Theorem (CRT) algorithm and then removed subsequent to the completion of the CRT algorithm. In another embodiment, fault injection attacks, such as the gcd attack, can be inhibited by applying and retaining blinding during the application of the CRT algorithm to yield a blinded exponentiation value, and then subsequently removing the blinding in a manner that causes an error injected into the CRT computation to cascade into the exponent of the value used to unblind the blinded exponentiated value.

Abstract: A modulo reduction is performed on a value a represented as an ordered sequence of computer readable words. The lowest order words are eliminated by substituting an equivalent value represented by higher order words for each of the lower order words. The lowest order words are eliminated until the sequence has a word length corresponding to the modulus. Carries and borrows resulting from the substitution are propagated from lower order words to higher order words. Further reduction is performed to maintain the word length of the sequence to that of the modulus. The further reduction may be determined by examination of a carryover bit or may be performed a predetermined number of times without examination.

Abstract: A finite field multiplier with intrinsic modular reduction includes an interface unit (1208) that translates an n bit wide data path to a m bit wide data path where n is less than m. Also included is a finite field data unit (1204) with m bit wide registers that is coupled to a finte field control unit (1202). The finite field control unit (1202) includes a microsequencer (1402) and a finite state machine multiplier (1404). The microsequencer (1402) controls the finite state machine multiplier (1404) which performs a finite field multiply operation with intrinsic modular reduction and presents a finite field multiplication product to the finite field data unit (1204).

Abstract: An elliptic curve (EC) processor circuit (120) comprising a finite field arithmetic logic unit (122), operation registers (124) an EC control unit (123) and a register file (127). A storage element (250) is coupled to the finite field arithmetic logic unit (122). The EC control unit (123) controls the various components of the EC processor circuit (120) to decompress a compressed one-bit representation of a Y coordinate of an elliptic curve point (X, Y). The EC control unit (123) controls the use of the operation register (124), the storage element (250) and the finite field arithmetic logic unit (122) to recursively compute the decompressed version of the compressed Y coordinate based upon the X coordinate and the compressed one-bit representation of the Y coordinate. The circuit and method employ minimal additional hardware and processing in an EC processor circuit (120).

Abstract: A finite field inverse circuit has a finite field data unit (1112) and an inverse control unit (1110). The inverse control unit includes (1110) a k.sub.l and k.sub.u decrementer pair (1108, 1122), a k.sub.l -k.sub.u difference unit (1106), an inverse control finite state machine (1102), and a one-bit memory (1104) coupled to the inverse control finite state machine (1102). The finite field data unit (1112) includes four m bit wide registers that are shift registers designated as B (1120), A (1118), M (1114), and C (1116), where B- is a first register, A- is a second register, M- is a irreducible polynomial register, and C- is a field element register. An the irreducible polynomial is loaded left justified in the M-register, a field element to be inverted is loaded left justified in the C-register, and a single "1" is loaded in an LSB bit of the B-register. The field element is then inverted in 2n+2 system clock cycles where n is a field size associated with the field element.