Abstract: A method for setting up a subscriber identity module for agreeing one or several exchange keys, between a subscriber identity module and a provisioning server includes generating one or several exchange keys from keys of the provisioning server and of the subscriber identity module on a production server and are transmitted into the subscriber identity module and stored, so that the subscriber identity module is put particularly into a state as though it had generated the exchange keys itself. In a method for agreeing one or several exchange keys, between a subscriber identity module and a provisioning server, the subscriber identity module sends its public key to the provisioning server, which subsequently generates the exchange keys.

Abstract: A method for the transition is provided from a Boolean masking of a value to be kept secret to an additive masking of the value to be kept secret. The value to be kept secret is present in the Boolean masking as a representation masked with a first Boolean mask and a second Boolean mask. A first additive mask and a second additive mask are determined for the value to be kept secret. A first masking transition is executed in which the first Boolean mask is converted into the first additive mask. A second masking transition is executed in which the obfuscation value is converted into an additive correction value, and a third masking transition is executed in which the second Boolean mask is converted into the second additive mask.

Abstract: A processor device has an executable implementation of a cryptographic algorithm implemented thereon, which algorithm is adapted to produce an output text from an input text employing a secret key K. The implementation of the algorithm comprises a key-dependent computing step S which comprises a key combination of input values x derived directly or indirectly from the input text with key values SubK derived directly or indirectly from the key; the key-dependent computing step S is represented by a table which is masked with input masking and/or output masking to form a masked table TabSSubK; and a new masked table TabSKneu is generated in the processor device.

Abstract: A processor device has an executable implementation of the cryptographic algorithm DES implemented with an XOR linkage operation at the round exit and an implemented computation step S arranged to map expanded right input values r? as computation step entry values x=r? onto exit values s=S[x]. The computation step S is implemented as a key-dependent computation step further comprises a key linkage operation for linking input values of the round with key values of the round derived directly or indirectly from the key. The computation step S is implemented as a combined key-dependent computation step T which further comprises: a permutation operation P associated with the round, arranged to be applied to exit values s of the computation step S and to supply the exit values s of the computation step in permutated form to the XOR linkage operation at the round exit.

Abstract: The invention provides a processor device having an executable, white-box-masked implementation of a cryptographic algorithm implemented thereon. The white-box masking comprises an affine mapping A, which is so designed that every bit in the output values w of the affine mapping A depends on at least one bit of the obfuscation values y, thereby attaining that the output values w of the affine mapping A are statistically balanced.

Abstract: A processor device has an executable implementation of a cryptographic algorithm implemented thereon that is white-box-masked by a function f. The implementation comprises an implemented computation step S by which input values x are mapped to output values s=S[x], and which is masked to a white-box-masked computation step T? by means of an invertible function f. As a mapping f there is provided a combination (f=(c1, c2, . . . )*A) of an affine mapping A having an entry width BA and a number of one or several invertible mappings c1, c2, . . . having an entry width Bc1, Bc2, . . . respectively, wherein BA=Bc1+Bc2+ . . . . Output values w are generated altogether by the mapping f. The affine mapping A is constructed by a construction method coordinated with the invertible mappings c1, c2, and etc.

Abstract: A processor device has an executable implementation of a cryptographic algorithm implemented being white-box-masked by a function f. The implementation comprises an implemented computation step S by which input values x are mapped to output values s=S[x], and which is masked to a white-box-masked computation step T? by means of an invertible function f. As a mapping f there is provided a combination (f=(c1, c2, . . . )*A) of an affine mapping A having an entry width BA and a number of one or several invertible mappings c1, c2, . . . having an entry width Bc1, Bc2, . . . respectively, wherein BA=Bc1+Bc2+ . . . . Output values w are generated altogether by the mapping f. Multiplicities of sets Mxi, i=1, 2, . . . =Mx11, Mx12, . . . Mx21, Mx22, . . . are formed from the output values a of the affine mapping A.

Abstract: The invention provides a method, in a processor, for executing a cryptographic computation. Upon the execution of the computation there is applied a base masking through which intermediate values are incorporated into the computation as masked intermediate values. Upon the execution of the computation a secondary masking is additionally applied, wherein for each intermediate value masked by means of the base masking the one's complement of the masked intermediate value is formed, the masked intermediate value and the one's complement of the masked intermediate value are made available, and randomly the computation is executed either with the masked intermediate value or with the one's complement of the masked intermediate value.

Abstract: In a method for checking whether a value represents a prime number, for a cryptographic application, a Fermat test is carried out, which includes a modular exponentiation of a base with an exponent (e) and a module (m). The exponent (e) and the module (m) respectively depend on the value to be checked, and the modular exponentiation is executed employing Montgomery operations. A device and a computer program product have corresponding features. The method can be particularly efficiently implemented on suitable platforms.

Abstract: The invention provides a method, in a processor, for executing a cryptographic computation. Upon the execution of the computation there is applied a base masking through which intermediate values are incorporated into the computation as masked intermediate values. Upon the execution of the computation a secondary masking is additionally applied, wherein for each intermediate value masked by means of the base masking the one's complement of the masked intermediate value is formed, the masked intermediate value and the one's complement of the masked intermediate value are made available, and randomly the computation is executed either with the masked intermediate value or with the one's complement of the masked intermediate value.

Abstract: A method in a portable data carrier for executing a cryptographic operation on security-relevant data comprises a step of determining a remainder (r) of a dividend (a) modulo a divisor (b). In so doing, the remainder (r) is determined iteratively by means of a division device of the data carrier. In each iteration there is carried out a Montgomery multiplication with the divisor (b) as the modulus and an additive linkage of an output value of the Montgomery multiplication with a coefficient (ai) derived from the dividend (a) and associated with the respective iteration. The Montgomery multiplication is carried out here by means of a multiplication device of the data carrier, preferably a corresponding coprocessor. The Montgomery multiplication of a subsequent iteration receives a result of a preceding iteration as an input value.

Abstract: In a method for checking whether a value represents a prime number, for a cryptographic application, a Fermat test is carried out, which includes a modular exponentiation of a base with an exponent (e) and a module (m). The exponent (e) and the module (m) respectively depend on the value to be checked, and the modular exponentiation is executed employing Montgomery operations. A device and a computer program product have corresponding features. The method can be particularly efficiently implemented on suitable platforms.

Abstract: A device and/or computer program uses a method including determining the division remainder of a first value (b) modulo a second value (p?) and executing a first Montgomery multiplication with the first value (b) as one of the factors and the second value (p?) as a module. A correction factor is determined, and a second Montgomery multiplication is executed with the result of the first Montgomery multiplication as one of the factors and the correction factor as the other factor and the second value (p?) as a module. A method for ascertaining prime number candidates includes determining a base value (b) for a sieve, and several sieve iterations are executed, in which respectively one marking value (p?) is ascertained and multiples of the marking value (p?) in the sieve are marked as composite numbers.

Abstract: A method in a portable data carrier for executing a cryptographic operation on security-relevant data comprises a step of determining a remainder (r) of a dividend (a) modulo a divisor (b). In so doing, the remainder (r) is determined iteratively by means of a division device of the data carrier. In each iteration there is carried out a Montgomery multiplication with the divisor (b) as the modulus and an additive linkage of an output value of the Montgomery multiplication with a coefficient (ai) derived from the dividend (a) and associated with the respective iteration. The Montgomery multiplication is carried out here by means of a multiplication device of the data carrier, preferably a corresponding coprocessor. The Montgomery multiplication of a subsequent iteration receives a result of a preceding iteration as an input value.

Abstract: In a method for the transition from a first masked representation of a value to be kept secret to a second masked representation of the value, according to a first aspect of the invention at least one previously calculated table with a plurality of entries is used, and the calculation is carried out depending on at least one veiling parameter, in order to prevent the value to be kept secret from being spied out. According to a second aspect of the invention, at least one comparison table is used, which, for each table index, provides the result of a comparison between a value dependent on the table index and a value dependent on at least one masking value. A computer program product and a device have corresponding features. The invention provides a technique for protecting the transition between masked representations of a value from being spied out, wherein the masked representations are based on different masking rules.

Abstract: In a method for the transition from a first masked representation of a value to be kept secret to a second masked representation of the value, according to a first aspect of the invention at least one previously calculated table with a plurality of entries is used, and the calculation is carried out depending on at least one veiling parameter, in order to prevent the value to be kept secret from being spied out. According to a second aspect of the invention, at least one comparison table is used, which, for each table index, provides the result of a comparison between a value dependent on the table index and a value dependent on at least one masking value. A computer program product and a device have corresponding features. The invention provides a technique for protecting the transition between masked representations of a value from being spied out, wherein the masked representations are based on different masking rules.