Abstract: A data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a fault detection in a digital signature algorithm in a processor, the instructions, including: computing vector z based on a secret nonce vector y, a first secret key vector s1, and a challenge polynomial c, wherein vectors z, y, and s1 include l polynomials having n coefficients, wherein polynomial c has n coefficients, and wherein l and n are integers; computing a difference value between all of the coefficients of the polynomials in the vector z; computing a number of how many of the computed difference values are outside a specified value range; computing a digital signature for an input message; and rejecting the digital signature when the computed number is greater than a threshold value.

Abstract: A method of performing a Dilithium signature operation on a message M using a secret key sk, including: generating a polynomial y using an ExpandMask function; calculating a polynomial z based upon y, c, and s1; performing a bound check on z based upon ?1 and ?; performing a bound check on ct0 based upon ?2; calculating a polynomial {tilde over (r)} based upon A, z, c, t, ?, and w1; performing a bound check on {tilde over (r)} based upon ?2 and ?; calculating a hint polynomial h based on the {tilde over (r)}; and returning a digital signature of the message M where the digital signature includes z and h.

Abstract: A method for checking a computation of a discrete Fourier transform (DFT), including: computing a first layer of the DFT using a plurality of butterfly operations on inputs to the first layer to produce first outputs; computing a second layer of the DFT using a plurality of butterfly operations on the first outputs to produce second outputs; performing an invariant check on the first outputs after the computation of the second layer based upon the inputs to the first layer; and indicating a fault in the computation of the DFT when the invariant check fails.

Abstract: A method of performing a Dilithium signature operation on a message M using a secret key sk, including: calculating a value {tilde over (r)} based upon w0, c, and s2, where w0 and c are calculated as part of the Dilithium signature operation and s2 is part of the secret key sk; performing a bound check on {tilde over (r)} based upon ?2 and ?, where ?2 and ? are parameters of the Dilithium signature operation; calculating a hint h based on the value {tilde over (r)} and deleting the value {tilde over (r)} in a memory; regenerating a value y using an ExpandMask function; calculating z based upon y, c, and s1, where s1 is part of the secret key sk and replacing y with z in the memory; performing a bound check on z based on ?1 and ?, where ?1 is a parameter of the Dilithium signature operation; and returning a digital signature of the message M where the digital signature includes z and h.

Abstract: A method of performing a Dilithium signature operation on a message M using a secret key sk, including: generating a polynomial y using an ExpandMask function; calculating a polynomial z based upon y, c, and s1; performing a bound check on z based upon ?1 and ?; performing a bound check on ct0 based upon ?2; calculating a polynomial {tilde over (r)} based upon A, z, c, t, ?, and w1; performing a bound check on {tilde over (r)} based upon ?2 and ?; calculating a hint polynomial h based on the {tilde over (r)}; and returning a digital signature of the message M where the digital signature includes z and h.

Abstract: A secure processing system configured to produce a hash based digital signature of a message, including: random number generator (RNG); a monotonic counter device configured to produce a monotonically increasing counter value; a hash accelerator configured to produce a hash of the message based upon a random number from the RNG and the counter value; and a run time integrity check (RTIC) device configured to check the integrity of the operation of the hash accelerator based upon the counter value.

Abstract: Various embodiments relate to a fault detection system and method for a digital signature algorithm, including: producing a digital signature of a message using a digital signature algorithm; storing parameters from a last round of the digital signature algorithm; executing the last round of the digital signature algorithm using the stored parameters to produce a check signature; comparing the digital signature to the check signature; and outputting the digital signature when the digital signature is the same as the check signature.

Abstract: A device includes a computer readable memory storing a plurality of one-time signature (OTS) keypairs and a processor that is configured to execute a hash function on a message using a first private key of a first OTS keypair of the plurality of OTS keypairs to determine a message signature, execute the hash function to calculate a leaf node value of a hash tree using the first OTS keypair, determine a plurality of authentication path nodes in the hash tree, retrieve, from the computer readable memory, values of a first subset of the plurality of authentication path nodes, calculate values for each node in a second subset of the plurality of authentication path nodes, and store, in the computer readable memory, the values for each node in the authentication path and the value of the leaf node.

Abstract: A system and method of carrying out a binary arithmetic operation in a cryptographic operation for lattice-based cryptography. The variables used in the binary arithmetic operation may have their bits randomly rotated to counter side channel attacks. An addition and multiplication operation on variables with rotated bits are disclosed.

Abstract: A data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for generating keys in a hash based signature system in a processor, the instructions, including: generating, by a random number generator, a seed; repeatedly hashing the seed with a first hash function to produce n/k chained seeds, wherein n is a total number secret keys generated and k is a number of secret keys generated from each chained seed; and generating k secret keys from each of the n/k chained seeds using a second hash function, wherein at least one of the k secret keys is generated from another of the k secret keys in a sequential chain.

Abstract: A plurality of objects that comprise an input to a cryptographic signing function. For each object in the plurality of objects, an output value yi of a hash function is calculated, where the value i is equal to an index value of the object, a compressed output value xi of a compression function is calculated, the output value yi from the computer readable memory, and the compressed output value xi is stored. For each object in the plurality of objects, an output value y?i of the hash function is calculated, where the value i is equal to the index value of the object, a compressed output value x?i of the compression function executed on the output value y?i is calculated, the output value x?i is determined to be equal to the output value xi, and the output value y?i is transmitted in an output data stream.

Abstract: A data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a fault detection in a digital signature algorithm in a processor, the instructions, including: computing vector z based on a secret nonce vector y, a first secret key vector s1, and a challenge polynomial c, wherein vectors z, y, and s1 include l polynomials having n coefficients, wherein polynomial c has n coefficients, and wherein l and n are integers; computing a difference value between all of the coefficients of the polynomials in the vector z; computing a number of how many of the computed difference values are outside a specified value range; computing a digital signature for an input message; and rejecting the digital signature when the computed number is greater than a threshold value.

Abstract: In accordance with a first aspect of the present disclosure, a method of protecting a cryptographic device against side-channel attacks is conceived, the cryptographic device comprising a cryptographic unit and a processing unit, and the method comprising: performing, by the cryptographic unit, a cryptographic operation on input data, wherein said cryptographic operation generates at least one intermediate result; generating, by the processing unit, a set of possible values of the intermediate result; leaking, by the cryptographic device, said set of possible values of the intermediate result. In accordance with a second aspect of the present disclosure, a computer program is provided for carrying out said method. In accordance with a third aspect of the present disclosure, a corresponding cryptographic device is provided.

Abstract: A device may include a computer-readable memory and an integrated circuit including a processor configured to implement a cryptographic operation, wherein the cryptographic operation enables computation of a cryptographic result using a bit masking value y. The processor may be configured to access the computer-readable memory to determine a set of bit indexes, wherein each bit index in the set of bit indexes is associated with a bit value in the bit masking value y, for each bit index in the set of bit indexes, calculate an adaptive share value in which the bit value associated with the bit index is masked, and execute a cryptographic operation using the adaptive share value.

Abstract: Various implementations relate to a data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a cryptographic operation including a masked decomposition of a polynomial a having ns arithmetic shares into a high part a1 and a low part a0 for lattice-based cryptography in a processor, the instructions, including: performing a rounded Euclidian division of the polynomial a by a base ? to compute t(?)A; extracting Boolean shares a1(?)B from n low bits of t by performing an arithmetic share to Boolean share (A2B) conversion on t(?)A and performing an AND with ??1, where ?=???1 is a power of 2; unmasking a1 by combining Boolean shares of a1(?)B; calculating arithmetic shares a0(?)A of the low part a0; and performing a cryptographic function using a1 and a0(?)A.

Abstract: Various embodiments relate to a fault detection system and method for polynomial operations, including: selecting a plurality of evaluation points; evaluating a first polynomial at the plurality of evaluation points to produce first results; applying a first function to the first polynomial to produce a second polynomial; evaluating the second polynomial at the plurality of evaluation points second results; evaluating a second scalar function on the first results to produce third results; comparing the second results to the third results; and performing a polynomial operation using the second polynomial when the second results match the third results.

Abstract: Various embodiments relate to a fault detection system and method for a digital signature algorithm, including: producing a digital signature of a message using a digital signature algorithm; storing parameters from a last round of the digital signature algorithm; executing the last round of the digital signature algorithm using the stored parameters to produce a check signature; comparing the digital signature to the check signature; and outputting the digital signature when the digital signature is the same as the check signature.

Abstract: Various embodiments relate to a data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a cryptographic operation including matrix multiplication for lattice-based cryptography in a processor, the instructions, including: applying a first function to the rows of a matrix of polynomials to generate first outputs, wherein the first function excludes the identity function; adding an additional row to the matrix of polynomials to produce a modified matrix, wherein each element in the additional row is generated by a second function applied to a column of outputs associated with each element in the additional row; multiplying the modified matrix with a vector of polynomials to produce an output vector of polynomials; applying a verification function to the output vector that produces an indication of whether a fault occurred in the multiplication of the modified matrix with the vector of polynomials; and carrying out a cryptographic operation using

Abstract: Various embodiments relate to a data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a cryptographic operation using masked compressing of coefficients of a polynomial having ns arithmetic shares for lattice-based cryptography in a processor, the instructions, including: shifting a first arithmetic share of the ns arithmetic shares by an input mask ?1; scaling the shifted first arithmetic share by a value based on a first compression factor ? and a masking scaling factor ?1; shifting the scaled first arithmetic share by a value based on the masking scaling factor ?1; scaling a second to ns shares of the ns arithmetic shares by a value based on the first compression factor ? and the masking scaling factor ?1; converting the ns scaled arithmetic shares to ns Boolean shares; right shifting the ns Boolean shares based upon the masking scaling factor ?1 and a second compression factor ?2; XORing an output mask ?2 with the shifted first Boolean s

Abstract: plurality of objects that comprise an input to a cryptographic signing function. For each object in the plurality of objects, an output value yi of a hash function is calculated, where the value i is equal to an index value of the object, a compressed output value xi of a compression function is calculated, the output value yi from the computer readable memory, and the compressed output value xi is stored. For each object in the plurality of objects, an output value y?i of the hash function is calculated, where the value i is equal to the index value of the object, a compressed output value x?i of the compression function executed on the output value y?i is calculated, the output value x?i is determined to be equal to the output value xi, and the output value y?i is transmitted in an output data stream.