Abstract: A system and method to transform a block of data is disclosed. A block of original data is retrieved from a data store, block of original data including a N number of words, each word including one or more bits of data. A multiplier matrix is provided, the multiplier matrix having N×N words, a plurality of sub matrices arranged diagonally within the N×N matrix, with each of the sub matrix arranged as a binomial matrix. All the words in the multiplier matrix not part of the sub matrix are set to zero. Each of the sub matrix is represented as a product of a plurality of lower factorized matrix, a plurality of upper factorized matrix and a shift matrix. The block of original data is multiplied with the multiplier matrix to generate a transformed block of original data with N number of words.

Abstract: Systems, apparatus, methods, and techniques for functional safe execution of encryption operations are provided. A fault tolerant counter and a complementary pair of encryption flows are provided. The fault tolerant counter may be based on a gray code counter and a hamming distance checker. The complementary pair of encryption flows have different implementations. The output from the complementary pair of encryption flows can be compared, and where different, errors generated.

Abstract: A crypto processor, a method of operating a crypto processor, and an electronic device including a crypto processor. A method of operating a crypto processor for performing a polynomial multiplication of lattice-based texts includes transferring coefficients of polynomials for the polynomial multiplication to multipliers, performing multiplications for a portion of the coefficients in parallel using the multipliers, performing an addition for a portion of results of the multiplications using an adder, and determining a result of the polynomial multiplication based on another portion of the results of the multiplications and a result of the addition.

Abstract: Aspects of the present disclosure involves receiving an input message, generating a first random value that is used to blind the input message to prevent a side-channel analysis (SCA) attack, computing a second random value using the first random value and a factor used to compute the Montgomery form of a blinded input message without performing an explicit Montgomery conversion of the input message, and computing a signature using Montgomery multiplication, of the first random value and the second random value, wherein the signature is resistant to the SCA attack.

Abstract: Cryptographic circuitry, in operation, conditionally swaps a first operand and a second operand of a cryptographic operation based on a control value. The conditional swapping includes setting a first mask of a number of bits and a second mask of the number of bits based on the control value, the first mask and the second mask being complementary and having a same Hamming weight. A result of a bitwise XOR operation on the first operand and the second operand is stored as a temporary value. A combination of bitwise logical operations are performed to conditionally swap the first operand and the second operand.

Abstract: A power is computed at high speed with a small number of communication rounds. A secret computation system that includes three or more secret computation apparatuses computes a share [a?] of the ?-th power of data “a” from a share [a] of data “a” while data “a” is concealed. The share [a] of data “a” and an exponent ? are input to an input unit (step S11). A local operation unit computes the pu-th power of a share [at] of the t-th power of data “a” without communication with the other secret computation apparatuses (step S12). A secret computation unit uses secret computation that requires communication with the other secret computation apparatuses to compute a multiplication in which at least one of the multiplicands is [ a ( t * p ^ u ) ] , the computation result of the local operation unit, to obtain the share [a?] (step S13). An output unit outputs the share [a?] (step S14).

Abstract: This disclosure provides systems, methods, and devices for wireless communication that support managing allocation of configured grant (CG) resources for uplink transmissions using a polynomial over Galois field in a wireless communication system. In particular, a user equipment (UE) may be configured (e.g., by a base station) to determine a resource to access, from a resource pool configured for each CG occasion of a CG configuration, based on a polynomial over Galois field configured for the UE. The polynomial over Galois field may include a parameter p, and the UE may be configured with a mapping that maps the absolute time (e.g., a slot index or a symbol index) of a GC occasion to an index between 0 and p?1 that is used as input to the polynomial The result of the polynomial is used to determine the resource to access by the UE at the CG occasion.

Abstract: A method performs cryptographic operations on data in a processing device. An iterative operation between a first operand formed by a given number of words and a second operand using a secret key is performed. The iterative operation includes, for each bit of the secret key, applying one of a first set operations and a second set of operations to the first operand and to the second operand depending on of the bit, and conditionally swapping words of the first and the second operand based on a control bit value obtained by applying a logic XOR function to a random bit.

Abstract: The group of inventions relates to computing techniques and can be used for computing a hash function. The technical effect relates to increased speed of computations and improved capability of selecting a configuration of an apparatus. The apparatus comprises: a preliminary preparation unit having M inputs with a size of k bits, where M>1; M pipelined computation units running in parallel, each comprising: a memory module, a feedback disable module, an adder, a pipeline multiplier having L stages, a feedback unit, and an accumulation unit; and a combining unit.

Abstract: A descrambler receives data from a memory device. The descrambler calculates a sub-syndrome weight for multiple bits in each of the plurality of descrambled sequences using a set parity check matrix to generate multiple sub-syndrome weights, one for each of the plurality of descrambled sequences. The descrambler selects a sub-syndrome weight among the multiple sub-syndrome weights. The descrambler determines, as a correct scrambler sequence for descrambling the data, a scrambler sequence corresponding to the selected sub-syndrome weight, among the plurality of scrambler sequences.

Abstract: A method for providing Cheon-resistance security for a static elliptic curve Diffie-Hellman cryptosystem (ECDH), the method including providing a system for message communication between a pair of correspondents, a message being exchanged in accordance with ECDH instructions executable on computer processors of the respective correspondents, the ECDH instructions using a curve selected from a plurality of curves, the selecting including choosing a range of curves; selecting, from the range of curves, curves matching a threshold efficiency; excluding, within the selected curves, curves which may include intentional vulnerabilities; and electing, from non-excluded selected curves, a curve with Cheon resistance, the electing comprising a curve from an additive group of order q, wherein q is prime, such that q?1=cr and q+1=ds, where r and s are primes and c and d are integer Cheon cofactors of the group, such that cd?48.

Abstract: An operating method of a memory controller is provided. The operating method includes receiving a first read data and a second conversion information, the second conversion information including data obtained by converting a second read data based on a linear operation, and the first read data and the second read data including data read from same memory cells; converting the first read data based on the linear operation to generate a first conversion information; performing a logical operation on the first conversion information and the second conversion information to generate an operation information; performing an inverse operation of the linear operation on the operation information to generate a reliability information; and correcting an error of the first read data based on the first read data and the reliability information.

Abstract: An adaptive file storage method and apparatus is disclosed. The method includes determining a cold and hot attribute of a file, and performing coding storage processing or transcoding storage processing on the file according to the cold and hot attribute of the file. Therefore, a requirement of the cold and hot attribute of the file for storage overheads and restoration costs can be fully considered. In addition, the used coding technology has high reliability and a high coding speed. Therefore, comprehensive performance in multiple dimensions of storage overheads, restoration costs, reliability, and an coding speed can be improved.

Abstract: A computer processing system for reducing a processing footprint in cryptosystems utilizing quadratic extension field arithmetic such as pairing-based cryptography, elliptic curve cryptography, code-based cryptography and post-quantum elliptic curve cryptography that includes at least one computer processor having a register file with three processor registers operably configured to implement quadratic extension field arithmetic equations in a finite field of Fp2 and a multiplexer operably configured to selectively shift from each of the three processor registers in sequential order to generate modular additional results and modular multiplication results from the three processor registers.

Abstract: A system and method to encrypt a block of data is disclosed. A block of original data is retrieved from a data store, block of original data including a N number of words, each word including one or more bits of data. A multiplier matrix is provided, the multiplier matrix having N×N words, a plurality of sub matrices arranged diagonally within the N×N matrix, with each of the sub matrix arranged as a binomial matrix. All the words in the multiplier matrix not part of the sub matrix are set to zero. The block of original data is multiplied with the multiplier matrix to generate a block of modified original data with N number of words.

Abstract: A programmable digital data encoder employs error correcting coding that uses Galois field multiplication logic wherein each bit of the product is produced by first applying pre-calculated mask values or mask values calculated via a processor executing code, and then applying an XOR circuit together with the mask bits from the pre-calculated or generated mask. In one example, a set of Galois field multipliers is used wherein each multiplier in the set includes a plurality of 2-bit input AND gate circuits and an m-bit input XOR gate circuit to produce a bit of the product. In one example, there are “m” mask values in a mask table wherein m is the symbol width. A different mask value is applied for each bit of the product. The mask values are each m-bits wide, and are stored, for example, in memory as a small look-up table with m m-bit entries or in m m-bit wide registers.

Abstract: A data storage and retrieval system employs online supervised hashing for indexing a data set and retrieving data items therefrom. A hash-based mapping is used to generate hash codes for indexing content items. Data items may be retrieved based on either/both a query label (using corresponding codewords) and the content item itself (using the hash codes). The hash-based mapping is updated using an objective function of distance between the hash codes and respective codewords for labels of labelled content items, preserving semantic similarities of content items. The codewords may be error-correcting codes. Techniques for efficiently updating the index include (1) cycle-based updating and ternary codewords, and (2) reservoir sample-based method of determining when to trigger an update.

Abstract: A Vector Galois Field Multiply Sum and Accumulate instruction. Each element of a second operand of the instruction is multiplied in a Galois field with the corresponding element of the third operand to provide one or more products. The one or more products are exclusively ORed with each other and exclusively ORed with a corresponding element of a fourth operand of the instruction. The results are placed in a selected operand.

Abstract: Modifications to Advanced Encryption Standard (AES) hardware acceleration circuitry are described to allow hardware acceleration of the key operations of any non-AES block cipher, such as SMT and Camellia. In some embodiments the GF(28) inverse computation circuit in the AES S-box is used to compute X?1 (where X is the input plaintext or ciphertext byte), and hardware support is added to compute parallel GF(28) matrix multiplications. The embodiments described herein have minimal hardware overhead while achieving greater speed than software implementations.

Abstract: Implementations described herein utilize redundancy information for packet data portions. For instance, a first packet includes multiple data portions. A second packet is generated that includes redundancy information for one or more of the multiple data portions of the first packet. In at least some implementations, the redundancy information can be used to determine whether an error condition occurs related to the first packet, such as data errors and/or a dropped data portion.

Abstract: Systems, methods, and computer-readable media are disclosed for performing message padding of input messages in a manner that preserves the integrity of the input data regardless of whether the input message is in a bit-oriented format or a bit-reversed format. Each byte of a partial input message block of an input message may be converted from a bit-reversed format to a bit-oriented format prior to performing message padding in order to ensure that input data bits are not lost during the message padding. Subsequent to the message padding that generates one or more padded message blocks, the padded message block(s) may be converted from a bit-oriented format to a bit-reversed format to enable further processing of the input message to be performed to obtain a message digest.

Abstract: Aspects of the invention include receiving a specified number of frames of bits at a receiver. At least one of the received frames includes cyclic redundancy code (CRC) bits. The specified number of frames is based at least in part on a CRC rate. It is determined, by performing a CRC check on the received frames, whether a change in transmission errors has occurred in the received frames. An increase in the CRC rate is initiated at the receiver based at least in part on determining that a change in transmission errors has occurred in the received frames. The increase in the CRC rate is synchronized between the receiver and the transmitter; and performed in parallel with functional operations performed by the receiver.

Abstract: A data block may be identified. A first decoding operation may be performed on the data block. An unsuccessful correction of an error of the data block associated with the first decoding operation may be determined. A set of bits of the data block that caused the unsuccessful correction of the error of the data block may be identified. In response to identifying the set of bits of the data block that is associated with the unsuccessful correction of the error, a second decoding operation on the set of bits of the data block may be performed. The second decoding operation may be different than the first decoding operation.

Abstract: N-state switching tables are transformed by a Lab-transform into a Lab-transformed n-state switching table. Memory devices, processors and combinational circuits with inputs and an output are characterized by the Lab-transformed n-state switching table and perform switching operations between physical states in accordance with a Lab-transformed n-state switching table. The devices characterized by Lab-transformed n-state switching tables are applied in cryptographic devices. The cryptographic devices perform standard cryptographic operations that are modified in accordance with a Lab-transform.

Abstract: In one embodiment, a processor comprises a multiplier circuit to operate in an integer multiplication mode responsive to a first value of a configuration parameter; and operate in a carry-less multiplication mode responsive to a second value of the configuration parameter.

Abstract: CRC generation circuitry includes a lookup-table storing N-bit CRC values for M one-hot data frames. N AND gates for each bit of a M-bit data frame receive that bit of the M-bit data frame and a different bit of a N-bit CRC value from the lookup-table corresponding to a position of the bit in the M-bit data frame. N exclusive-OR gates each receive output from one of the N AND gates for each bit of the M-bit data frame. The N exclusive-OR gates generate a final N-bit CRC value for the M-bit data frame. The CRC value is therefore generated with a purely combinational circuit, without clock cycle latency. Area consumption is small due to the small lookup-table, which itself permits use of any generator polynomial, and is independent of the width of the received data frame. This device can also generate a combined CRC for multiple frames.

Abstract: To reduce the processing amount of a field multiplication. A matrix application apparatus computes a vector b by multiplying a vector a and a matrix A, provided that a denotes a k-th order vector having elements a0, . . . , ak?1 (a0, . . . , ak?1?GF(xq)), b denotes an m-th order vector having elements b0, . . . , bm?1 (b0, . . . , bm?1?GF(xq)), and A denotes a m-by-k Vandennonde matrix. A polynomial multiplication part computes a value bi. An order reduction part designates gi?hif? as the value bi by using a polynomial hi obtained by dividing a part of the value bi having an order equal to or higher than q by Xq and a polynomial gi formed by a part of the value bi having an order lower than q.

Abstract: Apparatus and a corresponding method are disclosed relating to circuitry to perform an arithmetic operation on one or more input operands, where the circuitry is responsive to an equivalence of a result value of the arithmetic operation with at least one of the one or more input operands, when the one or more input operands are not an identity element for the arithmetic operation, to generate a signal indicative of the equivalence. Idempotency (between at least one input operand and the result value) is thus identified.

Abstract: Methods and apparatus related to enhanced Cyclical Redundancy Check (CRC) circuit based on Galois-Field arithmetic are described. In one embodiment, a plurality of exclusive OR logic include first exclusive OR logic and second exclusive OR logic. First Galois Field multiplier logic multiplies a first output from the first exclusive OR logic and a first portion of a plurality of portions of the input data. Second Galois Field multiplier logic multiplies a second output from the second exclusive OR logic and a second portion of the plurality of portions of the input data. Other embodiments are also disclosed and claimed.

Abstract: Hardware logic arranged to perform modulo calculation with respect to a constant value b is described. The modulo calculation is based on a finite polynomial ring with polynomial coefficients in GF(2). This ring is generated using a generator polynomial which has a repeat period (or cycle length) which is a multiple of b. The hardware logic comprises an encoding block which maps an input number into a plurality of encoded values within the ring and a decoding block which maps an output number back from the ring into binary. A multiplication block which comprises a tree of multipliers (e.g. a binary tree) takes the encoded values and multiplies groups (e.g. pairs) of them together within the ring to generate intermediate values. Groups (e.g. pairs) of these intermediate values are then iteratively multiplied together within the ring until there is only one intermediate value generated which is the output number.

Abstract: The inventive concepts relate to an operation method of an error correction decoder correcting an error of data read from a nonvolatile memory. The operation method may include receiving the data from the nonvolatile memory, performing a first error correction with respect to the received data in a simplified mode, and performing, when the first error correction fails in the simplified mode, a second error correction with respect to the received data in a full mode. When the first error correction of the simplified mode is performed, a part of operations of the second error correction of the full mode may be omitted.

Abstract: A decoder includes a syndrome generator for receiving a codeword and generating at least two syndromes based on the codeword, an error location polynomial generator for generating an error-location polynomial based on the syndromes, an error location determiner for determining at least one error location based on the error-location polynomial, and an error corrector for correcting the codeword based on the one error location. The error location polynomial generator includes a logic for receiving the syndromes and generating a combination of the syndromes as a combination of coefficients of the error-location polynomial, and a key equation solver for generating the error-location polynomial based on the combination of the coefficients and finding at least one root of the error-location polynomial. The error location determiner determines the error location based on a combination of the root and one of the syndromes.

Abstract: Instructions and logic provide general purpose GF(28) SIMD cryptographic arithmetic functionality. Embodiments include a processor to decode an instruction for a SIMD affine transformation specifying a source data operand, a transformation matrix operand, and a translation vector. The transformation matrix is applied to each element of the source data operand, and the translation vector is applied to each of the transformed elements. A result of the instruction is stored in a SIMD destination register. Some embodiments also decode an instruction for a SIMD binary finite field multiplicative inverse to compute an inverse in a binary finite field modulo an irreducible polynomial for each element of the source data operand. Some embodiments also decode an instruction for a SIMD binary finite field multiplication specifying first and second source data operands to multiply each corresponding pair of elements of the first and second source data operand modulo an irreducible polynomial.

Abstract: The techniques and/or systems described herein are directed to improvements in homomorphic operations within a homomorphic encryption scheme. The homomorphic operations may be performed on encrypted data received from a client device without decrypting the data at a remote computing device, thereby maintaining the confidentiality of the data. In addition to the operations of addition, subtraction, and multiplication, the homomorphic operations may include an approximate division, a sign testing, a comparison testing, and an equality testing. By combining these operations, a user may perform optimized operations with improved processor and memory requirements.

Abstract: A device of the Substitution-Box (S-Box) type, which is suitable for operating in a symmetric-key encryption apparatus, in particular an AES (Advanced Encryption Standard) encryption apparatus, and includes at least one module configured for carrying out a non-linear operation in a finite field (GF(28)) of an encryption method implemented by the above encryption apparatus, the module including at least one reprogrammable look-up table to, for example, implement countermeasures against side-channel attacks. When no countermeasures are employed, the tables may be set to fixed values, instead of being reprogrammable. The above module includes a plurality of composite look-up tables that implement the non-linear operation in a composite field of finite subfields (GF(24)2; GF((22)2)2) deriving from the finite field (GF(28)), each of the above composite look-up tables being smaller than a look-up table that is able to implement autonomously the non-linear operation in a finite field (GF(28)).

Abstract: A modular multiplier and a modular multiplication method are provided. The modular multiplier includes: a first register which stores a previous accumulation value calculated at a previous cycle; a second register which stores a previous quotient calculated at the previous cycle; a quotient generator which generates a quotient using the stored previous accumulation value output from the first register; and an accumulator which receives an operand, a bit value of a multiplier, the stored previous accumulation value, and the stored previous quotient to calculate an accumulation value in a current cycle, wherein the calculated accumulation value is updated to the first register, and the generated quotient is updated to the second register.

Abstract: A Montgomery multiplier includes a partial product computing unit for multiplying a multiplicand and a multiplier; a modulus reduction computing unit for performing a multiplication of a modulus and a quotient that reflects a quotient sign; an accumulation unit for accumulating in a intermediate value an output value of the partial product computing unit and an output value of the modulus reduction computing unit from a previous cycle; a quotient computing unit for receiving an accumulation value of the accumulation unit during a current cycle and calculating a quotient sign to be used during a next cycle; and a quotient sign determination unit for determining a quotient sign to be used during a next cycle from the multiplicand, the multiplier and the quotient.

Abstract: A Vector Galois Field Multiply Sum and Accumulate instruction. Each element of a second operand of the instruction is multiplied in a Galois field with the corresponding element of the third operand to provide one or more products. The one or more products are exclusively ORed with each other and exclusively ORed with a corresponding element of a fourth operand of the instruction. The results are placed in a selected operand.

Abstract: A method includes receiving a first element of a Galois Field of order qm, where q is a prime number and m is a positive integer. The first element is raised to a predetermined power so as to form a second element z, wherein the predetermined power is a function of qm and an integer p, where p is a prime number which divides qm?1. The second element z is raised to a pth power to form a third element. If the third element equals the first element, the second element multiplied by a pth root of unity raised to a respective power selected from a set of integers between 0 and p?1 is output as at least one root of the first element.

Abstract: Galois-field reduction circuitry for reducing a Galois-field expansion value using an irreducible polynomial includes a plurality of memories, each for storing a respective value derived from the irreducible polynomial and a respective expansion bit position. Gates select ones of said the plurality of memories corresponding to ones of the respective expansion bit positions that contain ‘1’, and an exclusive-OR gate combines outputs of the gates that select. A specialized processing block includes a multiplier stage, and an input stage upstream of the multiplier stage, with such Galois-field reduction circuitry in the input stage with its output selectably connectable to the multiplier stage and selectably connectable to an output of the specialized processing block. A programmable integrated circuit device includes a plurality of such specialized processing blocks, and additional multiplier and additional exclusive OR gates for concatenating a plurality of specialized processing blocks.

Abstract: A method and system for storage and retrieval of blockchains with Galois Fields. One or more blocks for a blockchain are securely stored and retrieved with a modified Galois Fields on a cloud or peer-to-peer (P2P) communications network. The modified Galois Field provides at least additional layers for security and privacy for blockchains. The blocks and blockchains are securely stored and retrieved for cryptocurrency transactions including, but not limited to, BITCOIN transactions and other cryptocurrency transactions.

Abstract: A processor includes an input-circuit and a Simon block cipher. The Simon block cipher includes a data transformation circuit, a constant generator, and a key expansion circuit. The data transformation circuit includes logic to shift content of data storage registers. The key expansion circuit includes logic to determine a round key based upon an input symmetric key and data input, a previous round key, and a value from the constant generator. The constant generator includes logic to output a successive one of a list of constants each clock cycle, and to store the outputted constants in storage units. The number of storage units is less than the size of the list of constants.

Abstract: A pipelined multiply-scan circuit that may be used for high-performance computing. The pipelined multiply-scan circuit may comprise dedicated hardware configured to execute one or more sub-calculations associated with a pipelined multiply-scan process utilizing one or more serially-connected left-shift modules, and one or more serially-connected adder.

Abstract: A method for calculating a plurality (M) of redundancy blocks for multiple (N) data blocks of a plurality (D) of words each, the method comprises: receiving the number (M) of redundancy blocks by a calculator that comprises multiple (R) calculation units; configuring the calculator according to M and R; concurrently calculating, if M equals R, by the multiple (R) calculation units of the calculator, R sets of parity vectors, each set includes a plurality (D) of parity vectors; and calculating the plurality (M) of the redundancy blocks based on the R sets of parity vectors.

Abstract: A modular multiplier and a modular multiplication method are provided. The modular multiplier includes: a first register which stores a previous accumulation value calculated at a previous cycle; a second register which stores a previous quotient calculated at the previous cycle; a quotient generator which generates a quotient using the stored previous accumulation value output from the first register; and an accumulator which receives an operand, a bit value of a multiplier, the stored previous accumulation value, and the stored previous quotient to calculate an accumulation value in a current cycle, wherein the calculated accumulation value is updated to the first register, and the generated quotient is updated to the second register.

Abstract: According to one embodiment, a chien search device includes n operation units configured to perform exclusive-OR operations, for each of the coefficients. Further, the chien search device includes first register configured to hold operation results of a highest order operation unit, for each of the coefficients. Furthermore, the chien search device includes exclusive-OR operation unit configured to perform exclusive-OR operations of the results of the first exclusive-OR operations of the highest order operation unit, for each of the coefficients. Moreover, the chien search device includes second register configured to hold operation results of the exclusive-OR operation unit, for each of the coefficients. The respective operation units reduce the number of stages of exclusive-OR operations by using the second register values.

Abstract: A method and system for electronic content storage and retrieval using Galois Fields and geometric shapes on cloud computing networks. Plaintext electronic content is divided into plural portions and stored in plural cloud storage objects based on a created Xth dimensional geometric shape and a path through selected components of the geometric shape. Storage locations for the plural cloud storage objects are selected using a Galois field and the geometric shape. The plural cloud storage objects are distributed across the cloud network. When the electronic content is requested, the plural portions are retrieved and transparently combined back into the original electronic content.

Abstract: In one embodiment, a shift register is provided. The LFSR includes a plurality of processing stages coupled in series, each configured to implement N taps of the LFSR. N single-tap circuits are coupled together in series and arranged to implement the last N taps of the LFSR. Each coefficient(s) of a feedback polynomial of the LFSR is implemented by one of the taps of the plurality of processing stages or the N single-tap circuits. A feedback generation circuit is configured to provide, for each of the plurality of processing stages, a respective feedback signal as a function of polynomial coefficients implemented by the processing stage and output from one or more of the N single tap circuits.

Abstract: In a method of performing a multiplication operation in a binary extension finite field, a polynomial defined by ? n = 0 W - 1 ? C n · z n is produced by expanding polynomial basis multiplication for multiplication of two polynomials a(z) and b(z) in a binary extension finite field. A mapping table is generated in which bit values having pieces of information about respective terms of the produced polynomial are mapped to respective rows. A code for calculating the polynomial, produced by expanding the polynomial basis multiplication for the multiplication of the two polynomials, with reference to the mapping table is generated.

Abstract: According to an embodiment, a computing device includes a receiving unit, a calculating unit, a solving unit, a selecting unit, and a determining unit. The receiving unit is configured to receive pieces of input data indicative of elements of a subgroup of a multiplicative group in a finite field and pieces of first additional data for identifying conjugates of the respective pieces of input data. The elements are represented by traces. The calculating unit is configured to calculate a coefficient of an equation based on the pieces of input data. The solving unit is configured to obtain solutions of the equation. The selecting unit is configured to select one of the solutions as a result of computation, based on the first additional data. The determining unit is configured to determine second additional data for identifying a conjugate of the selected result of computation based on the first additional data.