Patents by Inventor Donald P. Matthews, Jr.

Donald P. Matthews, Jr. has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11860797
    Abstract: Restricting peripheral device protocols in confidential compute architectures, the method including: receiving a first address translation request from a peripheral device supporting a first protocol, wherein the first protocol supports cache coherency between the peripheral device and a processor cache; determining that a confidential compute architecture is enabled; and providing, in response to the first address translation request, a response including an indication to the peripheral device to not use the first protocol.
    Type: Grant
    Filed: December 30, 2021
    Date of Patent: January 2, 2024
    Assignees: Advanced Micro Devices, Inc., ATI Technologies ULC
    Inventors: Philip Ng, Nippon Raval, David A. Kaplan, Donald P. Matthews, Jr.
  • Patent number: 11816228
    Abstract: Systems, apparatuses, and methods for implementing a metadata tweak for channel encryption differentiation are disclosed. A memory controller retrieves a device-unique identifier (ID) from a memory device coupled to a given memory channel slot. The memory controller uses the device-unique ID to generate a tweak value used for encrypting data stored in the device. In one scenario, the device-unique ID is embedded in the address bits of the tweak process. In this way, the memory device can be migrated to a different memory channel since the data can be decrypted independently of the channel. This is possible since the device-unique ID used for the tweak operation is retrieved from the metadata stored locally on the memory device. In one implementation, the memory device is a persistent dual in-line memory module (DIMM). In some implementations, the link between memory controller and memory device is a compute express link (CXL) compliant link.
    Type: Grant
    Filed: September 25, 2020
    Date of Patent: November 14, 2023
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Donald P. Matthews, Jr., William A. Moyes
  • Publication number: 20230229603
    Abstract: Restricting peripheral device protocols in confidential compute architectures, the method including: receiving a first address translation request from a peripheral device supporting a first protocol, wherein the first protocol supports cache coherency between the peripheral device and a processor cache; determining that a confidential compute architecture is enabled; and providing, in response to the first address translation request, a response including an indication to the peripheral device to not use the first protocol.
    Type: Application
    Filed: December 30, 2021
    Publication date: July 20, 2023
    Inventors: Philip Ng, Nippon Raval, David A. Kaplan, Donald P. Matthews, Jr.
  • Publication number: 20220100870
    Abstract: Systems, apparatuses, and methods for implementing a metadata tweak for channel encryption differentiation are disclosed. A memory controller retrieves a device-unique identifier (ID) from a memory device coupled to a given memory channel slot. The memory controller uses the device-unique ID to generate a tweak value used for encrypting data stored in the device. In one scenario, the device-unique ID is embedded in the address bits of the tweak process. In this way, the memory device can be migrated to a different memory channel since the data can be decrypted independently of the channel. This is possible since the device-unique ID used for the tweak operation is retrieved from the metadata stored locally on the memory device. In one implementation, the memory device is a persistent dual in-line memory module (DIMM). In some implementations, the link between memory controller and memory device is a compute express link (CXL) compliant link.
    Type: Application
    Filed: September 25, 2020
    Publication date: March 31, 2022
    Inventors: Donald P. Matthews, Jr., William A. Moyes
  • Patent number: 9876641
    Abstract: A system and method for using mixing functions to generate and manipulate authentication keys based on the data being decrypted to mitigate the effect of side channel attacks based on differential power analysis (DPA). The mixing function may be based on a XOR tree, substitution-permutation networks, or double-mix Feistel networks. The mixing function uses some secret key material, which diversifies its behavior between different instantiations.
    Type: Grant
    Filed: October 8, 2015
    Date of Patent: January 23, 2018
    Assignee: The Boeing Company
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Patent number: 9729310
    Abstract: A system and method for providing a scrambled counter mode encryption for a device that mitigates the effect of side channel attacks based on differential power analysis (DPA). The scrambled counter mode encryption engine creates noise at the start of the encryption process by obfuscating the counter value with the use of the very fast mixing function, such as a mixing function based on a XOR tree, substitution-permutation networks, or double-mix Feistel networks. The mixing function uses some secret key material, which diversifies its behavior between different instantiations. Because the counter values are scrambled and the mixing functions operate very fast in parallel hardware, the input of the block cipher is pseudorandom and groups of blocks can't be correlated. The output of the block cipher is XORed with a plaintext message to obtain a cipher text message.
    Type: Grant
    Filed: October 8, 2015
    Date of Patent: August 8, 2017
    Assignee: The Boeing Company
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Publication number: 20170104581
    Abstract: A system and method for providing a scrambled counter mode encryption for a device that mitigates the effect of side channel attacks based on differential power analysis (DPA). The scrambled counter mode encryption engine creates noise at the start of the encryption process by obfuscating the counter value with the use of the very fast mixing function, such as a mixing function based on a XOR tree, substitution-permutation networks, or double-mix Feistel networks. The mixing function uses some secret key material, which diversifies its behavior between different instantiations. Because the counter values are scrambled and the mixing functions operate very fast in parallel hardware, the input of the block cipher is pseudorandom and groups of blocks can't be correlated. The output of the block cipher is XORed with a plaintext message to obtain a cipher text message.
    Type: Application
    Filed: October 8, 2015
    Publication date: April 13, 2017
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Publication number: 20170104594
    Abstract: A system and method for using mixing functions to generate and manipulate authentication keys based on the data being decrypted to mitigate the effect of side channel attacks based on differential power analysis (DPA). The mixing function may be based on a XOR tree, substitution-permutation networks, or double-mix Feistel networks. The mixing function uses some secret key material, which diversifies its behavior between different instantiations.
    Type: Application
    Filed: October 8, 2015
    Publication date: April 13, 2017
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Patent number: 9396136
    Abstract: Apparatus and method for providing data security through cascaded encryption. In accordance with various embodiments, input data are encrypted in relation to a first auxiliary data value to provide first level ciphertext. The first level ciphertext are encrypted using a second auxiliary data value associated with a selected physical location in a memory to produce second level ciphertext, which are thereafter stored to the selected physical location. In some embodiments, migration of the stored data to a new target location comprises partial decryption and re-encryption of the data using a third auxiliary data value associated with a new target physical location to produce third level ciphertext, and the storage of the third level ciphertext to the new target physical location.
    Type: Grant
    Filed: October 13, 2014
    Date of Patent: July 19, 2016
    Assignee: Seagate Technology LLC
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Publication number: 20150052370
    Abstract: Apparatus and method for providing data security through cascaded encryption. In accordance with various embodiments, input data are encrypted in relation to a first auxiliary data value to provide first level ciphertext. The first level ciphertext are encrypted using a second auxiliary data value associated with a selected physical location in a memory to produce second level ciphertext, which are thereafter stored to the selected physical location. In some embodiments, migration of the stored data to a new target location comprises partial decryption and re-encryption of the data using a third auxiliary data value associated with a new target physical location to produce third level ciphertext, and the storage of the third level ciphertext to the new target physical location.
    Type: Application
    Filed: October 13, 2014
    Publication date: February 19, 2015
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Patent number: 8862902
    Abstract: Apparatus and method for providing data security through cascaded encryption. In accordance with various embodiments, input data are encrypted in relation to a first auxiliary data value to provide first level ciphertext. The first level ciphertext are encrypted using a second auxiliary data value associated with a selected physical location in a memory to produce second level ciphertext, which are thereafter stored to the selected physical location. In some embodiments, migration of the stored data to a new target location comprises partial decryption and re-encryption of the data using a third auxiliary data value associated with a new target physical location to produce third level ciphertext, and the storage of the third level ciphertext to the new target physical location.
    Type: Grant
    Filed: April 29, 2011
    Date of Patent: October 14, 2014
    Assignee: Seagate Technology LLC
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Publication number: 20120278635
    Abstract: Apparatus and method for providing data security through cascaded encryption. In accordance with various embodiments, input data are encrypted in relation to a first auxiliary data value to provide first level ciphertext. The first level ciphertext are encrypted using a second auxiliary data value associated with a selected physical location in a memory to produce second level ciphertext, which are thereafter stored to the selected physical location. In some embodiments, migration of the stored data to a new target location comprises partial decryption and re-encryption of the data using a third auxiliary data value associated with a new target physical location to produce third level ciphertext, and the storage of the third level ciphertext to the new target physical location.
    Type: Application
    Filed: April 29, 2011
    Publication date: November 1, 2012
    Applicant: Seagate Technology LLC
    Inventors: Laszlo Hars, Donald P. Matthews, Jr.
  • Patent number: 8190920
    Abstract: A method of establishing security in an electronic device. The method includes generating a statistically unique root key value and storing the root key value in a one-time programmable memory of the device. The method also includes isolating firmware in the device from access to the root key value. The root key value is used as a root of trust that ensures that each electronic device has its own key. In general, the root key is used to encrypt other keys in the device. In different aspects, a root key test value, which is utilized to test the root key, and other security features such as a re-purpose number and a cipher block chaining re-purpose value are included to protect the electronic device from unauthorized access. An electronic device that includes these security features is also provided.
    Type: Grant
    Filed: September 17, 2007
    Date of Patent: May 29, 2012
    Assignee: Seagate Technology LLC
    Inventor: Donald P. Matthews, Jr.
  • Publication number: 20090077389
    Abstract: A method of establishing security in an electronic device. The method includes generating a statistically unique root key value and storing the root key value in a one-time programmable memory of the device. The method also includes isolating firmware in the device from access to the root key value. The root key value is used as a root of trust that ensures that each electronic device has its own key. In general, the root key is used to encrypt other keys in the device. In different aspects, a root key test value, which is utilized to test the root key, and other security features such as a re-purpose number and a cipher block chaining re-purpose value are included to protect the electronic device from unauthorized access. An electronic device that includes these security features is also provided.
    Type: Application
    Filed: September 17, 2007
    Publication date: March 19, 2009
    Applicant: Seagate Technology LLC
    Inventor: Donald P. Matthews, Jr.
  • Patent number: 7403615
    Abstract: Methods and apparatus are provided for improving ARC4 processing in a cryptography engine. A multiple ported memory can be used to allow pipelined read and write access to values in memory. Coherency checking can be applied to provide that read-after-write and write-after-write consistency is maintained. Initialization of the memory can be improved with a reset feature occurring in a single cycle. Key shuffle and key stream generation can also be performed using a single core.
    Type: Grant
    Filed: December 20, 2001
    Date of Patent: July 22, 2008
    Assignee: Broadcom Corporation
    Inventor: Donald P. Matthews, Jr.
  • Patent number: 6549622
    Abstract: The system and method of the present invention facilitates encrypting and decrypting files using a fast hardware implementation of the RC4 method to enable secure access to information resources in a computer network. The network system includes a sender computer coupled via a computer network to a receiver computer. The RC4 algorithm as implemented in hardware and its associated multiport memory (included within both the sender computer and the receiver computer) enables a fast hardware implementation of the respective encryption circuit and decryption circuit. Multi-port memory allows for at either computer site a fast hardware implementation of the RC4 encryption/decryption method where reads and writes are synchronously performed.
    Type: Grant
    Filed: November 23, 1998
    Date of Patent: April 15, 2003
    Assignee: Compaq Computer Corporation
    Inventor: Donald P. Matthews, Jr.
  • Patent number: 6457125
    Abstract: Method and apparatus is provided for securely configuring a programmable hardware device from a remote source. The programmable hardware device includes a plurality of programmable logic modules. A host receives configuration information from the remote source, where the configuration information defines a function of the programmable logic modules. The host encrypts the configuration information according to a cryptographic algorithm. The encrypted information is transferred to a special download engine at the programmable hardware device, which decrypts the information according to the same cryptographic algorithm. The programmable logic modules are thus configured by the decrypted configuration information, which has been securely downloaded from the remote source.
    Type: Grant
    Filed: December 14, 1998
    Date of Patent: September 24, 2002
    Assignee: Compaq Computer Corporation
    Inventors: Donald P. Matthews, Jr., Ralph R. Bestock
  • Patent number: 6321247
    Abstract: A system and method are provided for performing modulo multiplication of two numbers N bits long with a modulus of 2^N+1, where the resulting modulus is determined without a need to perform successive reductions. Without a need to perform successive reductions, a hardware implementation does not require a divider circuit.
    Type: Grant
    Filed: December 28, 1998
    Date of Patent: November 20, 2001
    Assignee: Compaq Computer Corporation
    Inventors: Donald P. Matthews, Jr., Susan K. Langford
  • Patent number: 6259435
    Abstract: A keyboard input device includes a processor repeatedly executing a scan routine to detect key press events while masking the events from an external monitoring means. The keyboard input device has a number of finger-activatable keys, each connected at the intersection of row signal lines and column signal lines, which are in turn connected to the processor. The processor systematically activates the rows and randomly activates the columns. A key press event causes the key's associated row and column to create a closed switch. The processor monitors the columns for a signal forced on pairs of rows. Obfuscating signals forced onto the columns inhibit detection of the key press event signals by an external source.
    Type: Grant
    Filed: August 25, 1998
    Date of Patent: July 10, 2001
    Assignee: Compaq Computer Corp.
    Inventor: Donald P. Matthews, Jr.