Abstract: A method performs cryptographic operations on data in a processing device. An iterative operation between a first operand formed by a given number of words and a second operand using a secret key is performed. The iterative operation includes, for each bit of the secret key, applying one of a first set operations and a second set of operations to the first operand and to the second operand depending on of the bit, and conditionally swapping words of the first and the second operand based on a control bit value obtained by applying a logic XOR function to a random bit.

Abstract: A method performs cryptographic operations on data in a processing device. An iterative operation between a first operand formed by a given number of words and a second operand using a secret key is performed. The iterative operation includes, for each bit of the secret key, applying one of a first set operations and a second set of operations to the first operand and to the second operand depending on of the bit, and conditionally swapping words of the first and the second operand based on a control bit value obtained by applying a logic XOR function to a random bit.

Abstract: Cryptographic circuitry masks sensitive data values. The masking includes extracting unique combinations of random mask values from one or more sets of random mask values. Each sensitive data value is masked using a respective unique combination. The unique combinations have a combination class greater than or equal to a determined integer corresponding to a protection-level against side-channel attacks, and a number of unique combinations greater than or equal to a number of the sensitive data values. A number of random mask values in the one or more sets of random mask values is based on the number of unique combinations and the class of the plurality of unique combinations.

Abstract: An encryption method includes accessing a look-up table (LUT) to implement countermeasures against side-channel attacks, such as embedding masks. The LUT is initialized by writing initialization values in the LUT by applying an address-mask to input data that identify a location of said LUT and a data-mask to data to be stored at a location of the LUT. The method includes carrying out an initialization of the LUT that includes providing at least one second address-mask and one second data-mask; and computing corresponding initialization values as a function of a logic combination of the aforesaid first address-mask and second address-mask and of a logic combination of the aforesaid first data-mask and second data-mask. In the resulting table the address data are masked only by the second address-mask and the data are masked only by the second data-mask. The structure of the LUT may allow convenient implementation by initializing all the values of the LUT in parallel in one cycle.

Abstract: A device of the Substitution-Box (S-Box) type, which is suitable for operating in a symmetric-key encryption apparatus, in particular an AES (Advanced Encryption Standard) encryption apparatus, and includes at least one module configured for carrying out a non-linear operation in a finite field (GF(28)) of an encryption method implemented by the above encryption apparatus, the module including at least one reprogrammable look-up table to, for example, implement countermeasures against side-channel attacks. When no countermeasures are employed, the tables may be set to fixed values, instead of being reprogrammable. The above module includes a plurality of composite look-up tables that implement the non-linear operation in a composite field of finite subfields (GF(24)2; GF((22)2)2) deriving from the finite field (GF(28)), each of the above composite look-up tables being smaller than a look-up table that is able to implement autonomously the non-linear operation in a finite field (GF(28)).

Abstract: Cryptographic circuitry masks sensitive data values. The masking includes extracting unique combinations of random mask values from one or more sets of random mask values. Each sensitive data value is masked using a respective unique combination. The unique combinations have a combination class greater than or equal to a determined integer corresponding to a protection-level against side-channel attacks, and a number of unique combinations greater than or equal to a number of the sensitive data values. A number of random mask values in the one or more sets of random mask values is based on the number of unique combinations and the class of the plurality of unique combinations.

Abstract: An encryption method includes accessing a look-up table (LUT) to implement countermeasures against side-channel attacks, such as embedding masks. The LUT is initialized by writing initialization values in the LUT by applying an address-mask to input data that identify a location of said LUT and a data-mask to data to be stored at a location of the LUT. The method includes carrying out an initialization of the LUT that includes providing at least one second address-mask and one second data-mask; and computing corresponding initialization values as a function of a logic combination of the aforesaid first address-mask and second address-mask and of a logic combination of the aforesaid first data-mask and second data-mask. In the resulting table the address data are masked only by the second address-mask and the data are masked only by the second data-mask. The structure of the LUT may allow convenient implementation by initializing all the values of the LUT in parallel in one cycle.

Abstract: A device of the Substitution-Box (S-Box) type, which is suitable for operating in a symmetric-key encryption apparatus, in particular an AES (Advanced Encryption Standard) encryption apparatus, and includes at least one module configured for carrying out a non-linear operation in a finite field (GF(28)) of an encryption method implemented by the above encryption apparatus, the module comprising at least one reprogrammable look-up table to, for example, implement countermeasures against side-channel attacks. When no countermeasures are employed, the tables may be set to fixed values, instead of being reprogrammable.