Abstract: A decimal floating point finite number in a decimal floating point format is composed from the number in a different format. A decimal floating point format includes fields to hold information relating to the sign, exponent and significand of the decimal floating point finite number. Other decimal floating point data, including infinities and NaNs (not a number), are also composed. Decimal floating point data are also decomposed from the decimal floating point format to a different format.

Abstract: A decimal floating point finite number in a decimal floating point format is composed from the number in a different format. A decimal floating point format includes fields to hold information relating to the sign, exponent and significand of the decimal floating point finite number. Other decimal floating point data, including infinities and NaNs (not a number), are also composed. Decimal floating point data are also decomposed from the decimal floating point format to a different format. For composition and decomposition, one or more instructions may be employed, including an insert biased exponent or extract biased exponent instruction.

Abstract: a round-far-reround mode (preferably in a BID encoded Decimal format) of a floating point instruction prepares a result for later rounding to a variable number of digits by detecting that the least significant digit may be a 0, and if so changing it to 1 when the trailing digits are not all 0. A subsequent reround instruction is then able to round the result to any number of digits at least 2 fewer than the number of digits of the result. An optional embodiment saves a tag indicating the fact that the low order digit of the result is 0 or 5 if the trailing bits are non-zero in a tag field rather than modify the result. Another optional embodiment also saves a half-way-and-above indicator when the trailing digits represent a decimal with a most significant digit having a value of 5. An optional subsequent rewound instruction is able to round the result to any number of digits fewer or equal, to the number of digits of the result using the saved tags.

Abstract: A cryptographic engine for modulo N multiplication, which is structured as a plurality of almost identical, serially connected Processing Elements, is controlled so as to accept input in blocks that are smaller than the maximum capability of the engine in terms of bits multiplied at one time. The serially connected hardware is thus partitioned on the fly to process a variety of cryptographic key sizes while still maintaining all of the hardware in an active processing state.

Abstract: In an array of groups of cryptographic processors, the processors in each group operate together but are securely connected through an external shared memory. The processors in each group include cryptographic engines capable of operating in a pipelined fashion. Instructions in the form of request blocks are supplied to the array in a balanced fashion to assure that the processors are occupied processing instructions.

Abstract: In a network computing environment having a plurality of central processing units, a high performance locking facility coupled to said plurality of central processing units comprising: a processing means for processing multiple requests for locking operations simultaneously and a lock table for creating entries including lock names and lock states. A high-speed searching mechanism for searching any particular lock entry in the table is also provided, as well as means for altering and modifying said table accordingly depending upon any lock status that is being processed. Finally a response and status generator is provided for providing an appropriate response and status of any lock state to other requestors requesting a particular lock.

Abstract: A method and apparatus of assigning and releasing locks, in a network computing environment having a plurality of central processing units coupled to a high performance locking facility. The method comprises of the steps of first receiving and processing a lock operation synchronous to any requesting central processor unit requesting a lock and then recording lock names and lock states in entry records of a lock table based on the requests. When a request is being processed, providing high-speed searching to search any particular lock entry in the table and altering and modifying the table accordingly. Finally an appropriate response and the status of the lock state will be generated and sent to other requesters requesting the lock.

Abstract: A method of assigning and releasing locks, in a network computing environment having a plurality of central processing units coupled to a high performance locking facility. The method comprises of the steps of first processing multiple requests for locking operations simultaneously and then recording lock names and lock states in entry records of a lock table based on the requests. When a request is being processed, providing high-speed searching to search any particular lock entry in the table and altering and modifying the table accordingly. Finally an appropriate response and the status of the lock state will be generated and sent to other requestors requesting the lock.

Abstract: The present invention provides for a computer program product and device including instructions executable by a digital processing apparatus for conducting a high-performance locking facility. At first multiple requests for locking operations are processed and received simultaneously and their lock names and lock states are recorded in entry records of a lock table based on the requests. Next high-speed searching of any particular lock entry in this table is performed followed. The table can be altered and modified at this time as well accordingly depending upon lock status that is being processed. Finally an appropriate response is generated and the status of the lock state is provided to those requesting the lock.

Abstract: A system and method for dispatching logical central processing units (CPUs) among physical CPUs in a multiprocessor computer system having multiple logical partitions, wherein the cryptographic facilities may not be interchangeable. According to the present invention, the logical CPUs are dispatched among the physical CPUs according to either an affinity, floating, or disabled scheduling method. The affinity scheduling method is used when the crypto facilities are not interchangeable or when non-interchangeable crypto functions are performed. The floating scheduling method is used when the cryptographic facilities are interchangeable and interchangeable crypto functions are performed. The disabled scheduling method is used when the logical CPU is not authorized to issue cryptographic instructions.

Abstract: A cryptographic facility implements a multiple key part import procedure. The installation manager can verify that a key part has been correctly entered and has not been compromised. The security requirement for the procedure is that no single party can subvert the system security by misusing the procedure. This is accomplished by the use of a control-vector-dependent verification pattern to indicate that each key part has been accepted by using the proper control vector and the use of different key switch positions to specify whether the key part is a master key part or an operational key part and whether the key part is a first part or a subsequent key part. The apparatus provides an automatic reset of the key part register at the completion of each key-entry instruction so that each key part can be imported only once. This prevents the same key part from being imported twice as different key part types. The apparatus also prevents a key part from being combined with itself to create a known key.

Abstract: A working key of a certain key type is to be transmitted from a first system (having a first usage-control value associated with keys of the certain type) and a second system (having a second usage-control value associated with keys of the certain type). A translation control value, associated with the certain key type, is generated, functionally relating the first and second usage-control values. The translation control value is used in a cryptographic function to send or receive the working key between systems, the cryptographic function being designed to produce valid results when the correct translation control value, and usage-control values, are employed, and unpredictable results otherwise. Effectively, the first usage-control value is translated to the second usage-control value.

Abstract: A facility for making dynamic changes to a system master key without stopping the system, and without loss of integrity to ongoing cryptographic operations. A version number is generated and associated with the current master key. A dynamic change is made to the master key, resulting in the then current master key becoming the old master key, and a "new" current master key (with a new version number) being placed into operation. Subsequent cryptographic requests using a supplied key enciphered under the old master key are identified by means of a supplied version number associated with the supplied key. This identification triggers a reencipher operation, reenciphering the supplied key under the now current master key--after which the cryptographic operation proceeds. Unique patterns are generated to verify the contents of the master key registers, and to authorize normal use of the cryptographic facility, and issuers of key-change operations.

Abstract: A cryptographic system and method is provided which accepts a key K encrypted under a key formed by exclusive-ORing a key-encrypting key KK with a first control vector C5 and outputs the same key K encrypted under a key formed by exclusive-ORing KK with a second control vector C6. The set (C5, C6) represents a mapping of the type and usage of the key K defined by the control vector C5 to the type and usage defined by the control vector C6. The set of allowable control vector mappings, that is from C5 to C6, are defined in a control vector translation table, which is specified in advance by authorized installation personnel.

Abstract: The invention is an apparatus and method for validating that key management functions requested for a cryptographic key by the program have been authorized by the originator of the key. The invention includes a cryptographic facility characterized by a secure boundary through which passes an input path for receiving the cryptographic service requests, cryptographic keys and their associated control vectors, and an output path for providing responses thereto. There can be included within the boundary a cryptographic instruction storage coupled to the input path, a control vector checking unit and a cryptographic processing unit coupled to the instruction storage, and a master key storage coupled to the processing means, for providing a secure location for executing key management functions in response to the received service requests. The cryptographic instruction storage receives over the input path a cryptographic service request for performing a key management function on a cryptographic key.

Abstract: Cryptographic PIN processing is achieved in an improved manner by associating control vectors with the PIN generating (verification) keys and PIN encrypting keys which provide authorization for the uses of the keys intended by the originator of the keys. The originator may be the local cryptographic facility (CF) and a utility program under the control of a security administrator, or the originator may be another network node which uses the key management methods described in the above-referenced copending patent applications to distribute said keys.Among the uses specified by the control vector are limitations on the authority to use the associated key with certain PIN processing instructions, such as PIN generation, verification, translation and PIN block creation. Furthermore, the control vector may limit the authority of certain instructions to process clear PIN inputs (such as in PIN verification).

Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention.