Abstract: In a method for modular multiplication using a multiplication look-ahead process for computing a multiplication shift value and a reduction look-ahead process for computing a reduction shift value, a modulus is first transformed into a transformed modulus that is greater than said modulus. The transformation is carried out such that a predetermined fraction of the transformed modulus has a higher-order digit with a first predetermined value that is followed by at least one low-order digit having a second predetermined value. During the iterative working off of the modular multiplication using the multiplication look-ahead process and the reduction look-ahead process, the transformed modulus is utilized so as to obtain at the end of the iteration a transformed result for the modular multiplication. Finally, the transformed result is re-transformed by modular reduction using the original modulus.

Abstract: A processor means includes calculating means, a plurality of electronic fuses for storing secret data and means for reading out the plurality of electronic fuses to determine the secret data. By storing the secret data, like for example a secret key for the identification of the processor means or a chip card, respectively, in which the processor means is arranged, in electronic fuses, a secure and efficient and simultaneously flexible way for introducing sensitive information into an integrated circuit is achieved.

Abstract: A device for generating a pseudorandom sequence of numbers includes a feedforward coupler, which has a plurality of memory units, and a feedback coupler connected between an input and an output of the feedforward coupler. The feedback coupler includes a changeable feedback characteristic and is embodied to change the feedback characteristic depending on a state of a memory unit of the plurality of memory units of the feedforward coupler.

Abstract: A device for calculating a multiplication of a multiplier and a multiplicand includes a first performer that performs an exact three operand addition and a second performer that performs an approximated operand addition and a calculator that calculates current look-ahead parameters using the approximated intermediate results. The first performer is further implemented to perform an exact three operand addition in the current iteration step using the exact intermediate result for the current iteration step and using the look-ahead parameters calculated for the current iteration step.

Abstract: For calculating the result of an exponentiation Bd, B being a base and d being an exponent which can be described by a binary number from a plurality of bits, a first auxiliary quantity X is at first initialized to a value of 1. Then a second auxiliary quantity Y is initialized to the base B. Then, the bits of the exponent are sequentially processed by updating the first auxiliary quantity X by X2 or by a value derived from X2 and by updating the second auxiliary quantity Y by X*Y or by a value derived from X*Y, if a bit of the exponent equals 0. If a bit of the exponent equals 1, the first auxiliary quantity X is updated by X*Y or by a value derived from X*Y and the second auxiliary quantity Y is updated by Y2 or by a value derived from Y2. After sequentially processing all the bits of the exponent, the value of the first auxiliary quantity X is used as the result of the exponentiation. Thus a higher degree of security is obtained by homogenizing the time and current profiles.

Abstract: In a method for modular multiplication of a multiplicand by a multiplier using a modulus, l multiplication shift values are initially determined by means of a multiplication-lookahead method while taking into account l blocks of consecutive digits of the multiplier. Subsequently, l reduction shift values are determined by means of a reduction-lookahead method for the l blocks of digits of the multiplier. The l multiplication shift values and the l reduction shift values are applied to an intermediate result from a previous iteration step, to the modulus or to a value derived from the modulus, and to the multiplicand, so as to obtain the 2l+1 operands. By means of a multi-operands adder, the 2l+1 operands are combined to obtain an updated intermediate result for an iteration step following the previous iteration step, the iteration being continued for such time until all digits of the multiplier have been processed.

Abstract: A register cell includes a first input for a data unit to be written into the register cell. The register cell includes further a second input for a negated data unit to be written into the register cell. A first pair of oppositely coupled inverters as a first storage circuit is adapted to be coupled to the first input. A second pair of oppositely coupled inverters as a second storage circuit is adapted to be coupled to a second input. Using two oppositely coupled pairs of inverters makes it possible to initialize both the first input and the second input of the register either to a high voltage state (precharge) or to a low voltage state (discharge), such that the power consumption of the register cell is homogenized from one working clock to the next.

Abstract: An apparatus for calculating a modular multiplication includes an examiner for examining digits of the multiplier with a lookahead algorithm to obtain a multiplication shift value. In addition, a determinator and intermediate-result shift value are provided which determine a positive intermediate-result shift value. A calculator for calculating a multiplicand shift value as the difference between the intermediate-result shift value and the multiplication shift value. The intermediate result from the preceding iteration step as well as the multiplicand are then shifted by the corresponding shifting magnitudes to then perform a three-operands addition with the shifted values, if need be while considering lookahead parameters.

Abstract: Calculating unit having adder blocks, each having single adders, a carry input, a carry output, and a carry pass output, wherein a signal at the carry pass output is indicative of a carry passing through the adder block. Depending on the carry pass output signal, a clock generator for feeding the adder blocks with operands to be processed is decelerated. A determining unit determines in which of the adder blocks a least significant bit of an operand to be subtracted is disposed. A deactivating unit deactivates a carry pass output of adder block(s) provided for lower order digits with respect to the adder block in which the least significant bit is disposed, and a feeding unit feeds a carry into the carry input of this adder block in which the least significant bit is disposed.

Abstract: A calculating unit comprises several adder blocks with single adders, a clock generator and control means. A carry pass means is associated with each adder block, which determines whether a carry passes fully through the respective adder block. If it is determined that the carry does not pass through any of the adder blocks, the calculating unit is clocked with a clock period, which is sufficient that the carry passes almost fully through an adder block, and passes through at least part of the upstream adder block. If it is determined, that the carry passes fully through an adder block, a panic signal is generated. The adder block is decelerated, so that the clock period is high enough that the carry additionally fully passes through another adder block. Only in a case of panic signals of two adjacent adder blocks, is the calculating unit is decreased so much, that the carry passes from the least significant digit of the calculating unit to the most significant digit of the calculating unit.

Abstract: A multiplicand is multiplied by a multiplier using a modulus. The multiplicand, the multiplier and the modulus are polynomials of variable. A multiplication look-ahead method to obtain a multiplication shift value is carried out. An intermediate result polynomial is shifted to the left by the number of digits of the multiplication shift value. A reduction shift value equalling the difference of the degree of the shifted intermediate result polynomial and the degree of the modulus polynomial is obtained in a reduction look-ahead method. The modulus polynomial is then shifted by a number of digits equalling the reduction shift value. In a three-operands addition, the shifted polynomial and the multiplicand are summed and the shifted modulus polynomial is subtracted. The modular multiplication are iteratively executed and processed progressively until all the powers of the multiplier polynomial have been processed.

Abstract: A device for converting a term comprising a product of a first operand and a second operand into a representation having an integer quotient regarding a modulus and a remainder, the integer quotient being defined by T/N, T being the term and N being the modulus, and the remainder being defined by T mod N, N being the modulus, includes means for modularly reducing the term using the modulus on the one hand and for modularly reducing the term using an auxiliary modulus, which is greater than the modulus, on the other hand to obtain the remainder on the one hand and the auxiliary remainder on the other hand. Both the remainder and the auxiliary remainder are fed into means for combining to obtain the integer quotient. The inventive device makes it possible to calculate even the integer quotient, that is the result of the DIV operation, by performing a command for a modular multiplication existing on conventional cryptoprocessors two times.

Abstract: Apparatus for calculating a result of a modular multiplication of a first operand and a second operand with regard to a modulus, each having a length of 2 n bits, the operands and the modulus are split into sub-operands of half the length and are fed to controller controlling MMD unit for performing a MultModDiv operation in accordance with a predetermined step sequence with corresponding input operands and MMD moduli to obtain integer quotient values and residual values with regard to the MMD modulus at an output. The combiner is operable to combine integer quotient values and residual values from predetermined steps of the step sequence to obtain the result.

Abstract: A processor includes a source register having a source register content, a destination register, a calculating unit for performing a calculation using the source register content, wherein the calculation is performed in several calculation cycles, and wherein in each cycle only one portion of the source register content is useable, a data bus connected to the source register, the destination register and the calculating unit, and a processor controller. The processor controller is operable to supply the source register content in portions to the calculating unit on the one hand and to the destination register on the other hand during the calculation via the data bus, so that after an execution of the calculation the source register content is written into the destination register. Therefore it is possible to obtain a register copy of a source register the destination register via a limited data bus without additional machine cycles for long operands to be processed in portions.

Abstract: A calculating unit comprises several adder blocks with single adders, a clock generator and control means. A carry pass means is associated with each adder block, which determines whether a carry passes fully through the respective adder block. If it is determined that the carry does not pass through any of the adder blocks, the calculating unit is clocked with a clock period, which is sufficient that the carry passes almost fully through an adder block, and passes through at least part of the upstream adder block. If it is determined, that the carry passes fully through an adder block, a panic signal is generated. The adder block is decelerated, so that the clock period is high enough that the carry additionally fully passes through another adder block. Only in a case of panic signals of two adjacent adder blocks, is the calculating unit is decreased so much, that the carry passes from the least significant digit of the calculating unit to the most significant digit of the calculating unit.

Abstract: Calculating unit having adder blocks, each having single adders, a carry input, a carry output, and a carry pass output, wherein a signal at the carry pass output is indicative of a carry passing through the adder block. Depending on the carry pass output signal, a clock generator for feeding the adder blocks with operands to be processed is decelerated. A determining unit determines in which of the adder blocks a least significant bit of an operand to be subtracted is disposed. A deactivating unit deactivates a carry pass output of adder block(s) provided for lower order digits with respect to the adder block in which the least significant bit is disposed, and a feeding unit feeds a carry into the carry input of this adder block in which the least significant bit is disposed.

Abstract: A register cell includes a first input for a data unit to be written into the register cell. The register cell includes further a second input for a negated data unit to be written into the register cell. A first pair of oppositely coupled inverters as a first storage circuit is adapted to be coupled to the first input. A second pair of oppositely coupled inverters as a second storage circuit is adapted to be coupled to a second input. Using two oppositely coupled pairs of inverters makes it possible to initialize both the first input and the second input of the register either to a high voltage state (precharge) or to a low voltage state (discharge), such that the power consumption of the register cell is homogenized from one working clock to the next.

Abstract: A device for generating an operation code having a plurality of operation code words includes a means for providing an operation group with operations from a set of operations, wherein the operations from the operation group are performable alternatively to one another depending on a decision within a program. The device further includes a means for associating operation code words with the operations of the operation group, wherein the associated code words are different from one another and implemented such that a characteristic of a circuit depending on a processing of the operation code words is located within a predetermined range for the operation code words of the operation group. Decisions within the program which depend on secret data may therefore not be tapped any more by detecting the characteristic, like for example a current reception of a circuit, by side-channel attacks, so that a cryptoprocessor works more efficient and safe without an additional circuit complexity.

Abstract: For a secure encryption of original data the original data are first of all encrypted using an encryption key or an encryption algorithm. The thus obtained data are then again decrypted using a decryption algorithm and a decryption key in order to obtain decrypted data. These data are again used together with the original data in order to calculate an auxiliary key. The decrypted data are then encrypted using the calculated auxiliary key in order to obtain output data. In case of a DFA attack no output of the device is suppressed, but the output result is encrypted using the auxiliary key which deviates from the original encryption key in case of the DFA attack so that an attacker cannot use the output data anymore and the DFA attack is useless.

Abstract: In a method for protecting a calculation in a cryptographic algorithm, the calculation obtaining input data so as to create output data, input data for the calculation are initially provided. Subsequently, the calculation is performed so as to obtain the output data of the calculation. After the calculation has been performed, a verification is carried out as to whether the input data was changed during the calculation, to be precise using a verification algorithm which differs from the calculation itself. If the verification proves that the input data was changed during the calculation, forwarding of the output data is suppressed. By doing so, outputting of incorrect results of the calculation of the cryptographic algorithm is prevented with a high degree of certainty, since the input data is particularly susceptible to hardware attacks. In addition, the input data may be examined with a view to their integrity with little expenditure compare to calculating the cryptographic algorithm itself.