Abstract: A system and method for controlling a production process for producing a product is provided in which overproduction may be inhibited by introducing a separation of duties within a production process. Typically a producer will contract out the various stages of a production process to multiple contractors. In general, separation of duties involves purposefully separating production stages, for silicon chips or other products, so that the end product has been handled or “touched”, by each subcontractor, in order for the end product to be fully functional.

Abstract: A method and system are provided for authenticating and securing an embedded device using a secure boot procedure and a full non-volatile memory encryption process that implements Elliptic Curve Pinstov-Vanstone Signature (ECPV) scheme with message recovery on a personalized BIOS and master boot record. The signature includes code that is recovered in order to unlock a key that is in turn used to decrypt the non-volatile memory. The use of ECPVS provides an implicit verification that the hardware is bound to the BIOS since the encrypted memory is useless unless properly decrypted with the proper key.

Abstract: The applicants have recognized an alternate method of performing modular reduction that admits precomputation. The precomputation is enabled by approximating the inverse of the truncator T, which does not depend on the scalar. The applicants have also recognized that the representation of a scalar in a ?-adic representation may be optimized for each scalar that is needed. The applicants have further recognized that a standard rounding algorithm may be used to perform reduction modulo the truncator. In general terms, there is provided a method of reducing a scalar modulo a truncator, by pre-computing an inverse of the truncator. Each scalar multiplication then utilizes the pre-computed inverse to enable computation of the scalar multiplication without requiring a division by the truncator for each scalar multiplication.

Abstract: The present invention provides an inexpensive, software-based security-retrofit solution to verify the integrity of program code in embedded systems, or accessories, without resorting to expensive hardware changes. All unused memory on an accessory that could be used to store a program code image is filled with random data. A host system also locally stores a copy of the accessory's program image containing the random data. The host system sends the accessory a list of memory addresses or memory ranges on the accessory, which is always different and random in nature. The accessory will then produce a digest using values stored in the memory addresses as inputs to a secure hash function. The host system verifies the integrity of the embedded program code by verifying the resulting digest produced by and returned from the accessory.

Abstract: A method of generating a key by a first correspondent. The key is computable by a second correspondent. The method comprises the steps of: a) making available to the second correspondent a first short term public key, b) obtaining a second short term public key from the second correspondent; c) computing a first exponent derived from the first short term private key, the first short term public key, and the first long term private key; d) computing a second exponent derived from the first short term private key, the first long term public key, the second short term public key and the first long term private key; computing a simultaneous exponentiation of the first exponent with the second short term public key and the second exponent with the second long term public key.

Abstract: The applicants have recognized an alternate method of performing modular reduction that admits precomputation. The precomputation is enabled by approximating the inverse of the truncator T, which does not depend on the scalar. The applicants have also recognized that the representation of a scalar in a ?-adic representation may be optimized for each scalar that is needed. The applicants have further recognized that a standard rounding algorithm may be used to perform reduction modulo the truncator. In general terms, there is provided a method of reducing a scalar modulo a truncator, by pre-computing an inverse of the truncator. Each scalar multiplication then utilizes the pre-computed inverse to enable computation of the scalar multiplication without requiring a division by the truncator for each scalar multiplication.

Abstract: A system and method for remote device registration, to monitor and meter the injection of keying or other confidential information onto a device, is provided. A producer who utilizes one or more separate manufacturers, operates a remote module that communicates over forward and backward channels with a local module at the manufacturer. Encrypted data transmissions are sent by producer to the manufacturer and are decrypted to obtain sensitive data used in the devices. As data transmissions are decrypted, credits from a credit pool are depleted and can be replenished by the producer through credit instructions. As distribution images are decrypted, usage records are created and eventually concatenated, and sent as usage reports back to the producer, to enable the producer to monitor and meter production at the manufacturer.

Abstract: A method of generating a key by a first correspondent. The key is computable by a second correspondent. The method comprises the steps of: a) making available to the second correspondent a first short term public key; b) obtaining a second short term public key from the second correspondent; c) computing a first exponent derived from the first short term private key, the first short term public key, and the first long term private key; d) computing a second exponent derived from the first short term private key, the first long term public key, the second short term public key and the first long term private key; computing a simultaneous exponentiation of the first exponent with the second short term public key and the second exponent with the second long term public key.

Abstract: A partial revocation list and a system and method for using the partial revocation list for tracking the authenticity of replacement cartridges in a manufactured device to inhibit cloning of the cartridges is provided. A revocation pool is maintained by a manufacturer who chooses a partial revocation list from the revocation pool to store in the memory of the cartridge. The device stores its own revocation list, informs the manufacturer of cartridges which have been used and checks when a new device is installed to ensure a cloned replacement is not being used. The partial revocation list distributes enough revocation information to devices to statistically impair the cartridge yield of a cloning operation.

Abstract: A method for determining a result of a group operation performed an integral number of times on a selected element of the group, the method comprises the steps of representing the integral number as a binary vector; initializing an intermediate element to the group identity element; selecting successive bits, beginning with a left most bit, of the vector. For each of the selected bits; performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element, selected from the group consisting of: the group element if the selected bit is a one; and an inverse element of the group element if the selected bit is a zero; replacing the intermediate element with the new intermediate element.

Abstract: A method of generating a key stream for a precomputed state information table. The method comprises initialising a counter and an accumulator with non-zero values; combining state information identified by the counter with the accumulator; swapping state information identified by the counter with state information identified by the accumulator; combining the two pieces of state information; outputting the state information identified by the combination as a byte of the key stream; adding a predetermined number odd number to the counter; and repeating the above steps to produce each byte of the key stream.

Abstract: The applicants have recognized an alternate method of performing modular reduction that admits precomputation. The precomputation is enabled by approximating the inverse of the truncator T, which does not depend on the scalar.

Abstract: A method of generating a key by a first correspondent. The key is computable by a second correspondent.

Abstract: A method of authenticating a pair of correspondents C,S to permit the exchange of information therebetween, each of the correspondents having a respective private key, e, d and a public key, Qu, and Qs derived from a generator element of a group and a respective ones of the private keys e,d, the method comprising the steps of: a first of the correspondents C generating a session value x; the first correspondent generating a private value t, a public value derived from the private value t and the generator and a shared secret value derived from the private value t and the public key Qs of the second correspondent; the second correspondent generating a challenge value y and transmitting the challenge value y to the first correspondent; the first correspondent in response thereto computing a value h by applying a function H to the challenge value y, the session value x, the public value an of the first correspondent; the first correspondent signing the value h utilizing the private key e; the first correspondent

Abstract: A potential bias in the generation or a private key is avoided by selecting the key and comparing it against the system parameters. If a predetermined condition is attained it is accepted. If not it is rejected and a new key is generated.

Abstract: A method of computing the product D of two finite field elements B and C modulo an irreducible polynomial f1(x), wherein the finite field elements B and C are represented in terms of an optimal normal basis (ONB) of Type 1 over a field F2n and the irreducible polynomial f1(x) being of degree n, which comprises the steps of representing the element B as a vector of binary digits bi, where bi is a co-efficient of an ith basis element of the ONB representation of element B, in polynomial order, representing the element C as a vector of binary digits ci, where ci is a co-efficient of an ith basis element of the ONB representation of element C, arranged in polynomial order, initializing a register A, selecting a digit ci of vector C, computing a partial product vector A of the ith digit ci of the element C and the vector B, adding the partial product to the register A, shifting the register A, reducing the partial product A by a multiple f2(x) of the irreducible polynomial f1(x) if bits in a position above n are s

Abstract: A method for determining a result of a group operation performed an integral number of times on a selected element of the group, the method comprises the steps of representing the integral number as a binary vector; initializing an intermediate element to the group identity element; selecting successive bits, beginning with a left most bit, of the vector. For each of the selected bits; performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element, selected from the group consisting of: the group element if the selected bit is a one; and an inverse element of the group element if the selected bit is a zero; replacing the intermediate element with the new intermediate element.

Abstract: A system for efficiently controlling the exchange of data between a host bus (190) and an input/output (I/O) register (125) of an elliptic curve (EC) processor (120) having a much wider datapath than that of the host device (100) . A spreading/despreading pattern is determined which spans multiple bit positions of the input/output register (125). In one embodiment, a full combinational circuit (300) is provided to connect a bit position of the host bus (190) to a bit position of the input/output register (125). In another embodiment, a combinational circuit (300) and an intermediate register (410) are provided. In still another embodiment, a spreading-by shifting system (500) is provided which comprises a plurality of subfield modules (520) into which data from the host bus (190) is shifted. The spreading/despreading pattern is achieved through multiplexers (540) connected between the subfield modules (520).

Abstract: A finite field multiplier with intrinsic modular reduction includes an interface unit (1208) that translates an n bit wide data path to a m bit wide data path where n is less than m. Also included is a finite field data unit (1204) with m bit wide registers that is coupled to a finte field control unit (1202). The finite field control unit (1202) includes a microsequencer (1402) and a finite state machine multiplier (1404). The microsequencer (1402) controls the finite state machine multiplier (1404) which performs a finite field multiply operation with intrinsic modular reduction and presents a finite field multiplication product to the finite field data unit (1204).

Abstract: An elliptic curve (EC) processor circuit (120) comprising a finite field arithmetic logic unit (122), operation registers (124) an EC control unit (123) and a register file (127). A storage element (250) is coupled to the finite field arithmetic logic unit (122). The EC control unit (123) controls the various components of the EC processor circuit (120) to decompress a compressed one-bit representation of a Y coordinate of an elliptic curve point (X, Y). The EC control unit (123) controls the use of the operation register (124), the storage element (250) and the finite field arithmetic logic unit (122) to recursively compute the decompressed version of the compressed Y coordinate based upon the X coordinate and the compressed one-bit representation of the Y coordinate. The circuit and method employ minimal additional hardware and processing in an EC processor circuit (120).