Abstract: A cryptographic device (100) arranged to compute a target block cipher (Bt) on an input message (110), the device comprising a first and second block cipher unit (121, 122) arranged to compute the target block cipher (Bt) on the input message, and a first control unit (130) arranged to take the first block cipher result and the second block cipher result as input, and to produces the first block cipher result only if the block cipher results are equal.

Abstract: A cryptographic device is configured to compute a target block cipher (Bt) on an input message and includes a control unit, and first and second block cipher units for computing the target block cipher (Bt) on the input message. The control unit is configured to take the first block cipher result and the second block cipher result as input, and to produce the first block cipher result only when the first and second block cipher results are equal.

Abstract: Some embodiments are directed to a cryptographic device (100) arranged to compute a block cipher on an input message (110). The device computes a plurality of intermediate block cipher results by computing and re-computing a first intermediate block cipher result (151) of the plurality of intermediate block cipher results by applying the plurality of block cipher rounds sequentially to the input message followed by one or more additional block cipher rounds. A plurality of averaging functions are applied to the plurality of intermediate block cipher results, the results of which are added, after which the inverse of the one or more additional block cipher rounds is applied.

Abstract: Some embodiments are directed to an electronic computation device (100) arranged for obfuscated execution of a multiplication. The device comprises a storage (120) arranged for storing multiple variables used in the execution of an arithmetic operation, a variable (x: y; 2) of the multiple variables being represented as multiple multiplicative shares (X=(x0, x1, . . . , xm?1); Y=(y0, y1, . . . , ym?1); 20), said multiplicative shares being represented in the storage as multiple additive shares (xi=(xi,0,xi,1, . . . , xi,n?1); Yi=(yi,0,yi,1, . . . , yi,n?1); 210, 220).

Abstract: A computation device (200) arranged to evaluate a data function (S) mapping a number (n) of input variables to a number of output variables (m). The computation device comprises selection mechanism (220) receiving as input selection variables and an evaluation mechanism (210) arranged to receive the one or more evaluation variables and to evaluate the evaluation functions for the received evaluation variables, an evaluation function receiving as input the evaluation variables.

Abstract: A cryptographic device (100) calculates a block cipher (500) on a block cipher input (105) and produces a block cipher output (106). The block cipher calculation operates on encoded values (210). The cryptographic device includes a round function unit (140; 300) for applying the final round (118) of the multiple rounds of cryptographic processing implementing the block cipher. A first output unit (160) and second output unit (180) decodes encoded output data (132, 152).

Abstract: Some embodiments are directed to an electronic cryptographic device arranged to perform a cryptographic operation on input data obtaining output data. The cryptographic device stores an internal state as sets of shares. Fourier coefficients corresponding to the sets of shares satisfy a predetermined relationship among them. The cryptographic operation is performed by repeatedly updating the internal state.

Abstract: Some embodiments are directed to an electronic cryptographic device arranged to perform a cryptographic operation on input data obtaining output data. The cryptographic device stores an internal state as sets of shares. Fourier coefficients corresponding to the sets of shares satisfy a predetermined relationship among them. The cryptographic operation is performed by repeatedly updating the internal state.

Abstract: A first electronic network node (110) is provided configured for a key exchange (KEX) protocol, the first network node is configured to obtain a shared polynomial (a) shared with a second network node, coefficients of the shared polynomial a being selected modulo a first modulus q, generate a private key polynomial (skI), coefficients of the private key polynomial being bounded in absolute value by a bound (s) generate a public key polynomial (pkI) by computing a polynomial product between the shared polynomial (a) and the private key polynomial (skI) modulo the first modulus (q) and scaling the coefficients of the polynomial product down to a second modulus (p).

Abstract: An electronic point multiplication device (100) is provided for computing a point multiplication (kG) on an elliptic curve between a multiplier (k) and a base point (G) on the elliptic curve (E) for use in a cryptographic protocol. The device being arranged to compute from a first set of multiple joint encodings (Ai) a blinded base multiplier (A, 131), and a second set of multiple joint encodings (Bi) multiple blinded auxiliary multipliers (?i, 136). The device performs obtains the point multiplication (141) (kG) of the multiplier (k) and the base point (G) by computing the point addition of the point multiplication of the blinded base multiplier and the base point on the elliptic curve, and the multiple point multiplications of a blinded auxiliary multiplier and an auxiliary point. The blinded base multiplier and auxiliary multipliers may be represented in a plain format during the performing of the elliptic curve arithmetic.

Abstract: An electronic calculating device (100; 200) arranged to calculate the product of integers, the device comprising a storage (110) configured to store integers (210, 220) in a multi-layer residue number system (RNS) representation, the multi-layer RNS representation having at least an upper layer RNS and a lower layer RNS, the upper layer RNS being a residue number system for a sequence of multiple upper moduli (Mi), the lower layer RNS being a residue number system for a sequence of multiple lower moduli (mi), an integer (x) being represented in the storage by a sequence of multiple upper residues (xi=(x)Mi; 211, 221) modulo the sequence of upper moduli (Mi), upper residues (xj; 210.2, 220.

Abstract: Some embodiments are directed to a cryptographic device (100) arranged to compute a block cipher on an input message (110). The device computes a plurality of intermediate block cipher results by computing and re-computing a first intermediate block cipher result (151) of the plurality of intermediate block cipher results by applying the plurality of block cipher rounds sequentially to the input message followed by one or more additional block cipher rounds. A plurality of averaging functions are applied to the plurality of intermediate block cipher results, the results of which are added, after which the inverse of the one or more additional block cipher rounds is applied.

Abstract: A cryptographic device (200) is provided to compute a key dependent cryptographic function for an input message. The cryptographic device has a data store arranged to store multiple variables (w) on which the cryptographic device acts to compute the cryptographic function, a variable (w) being distributed over multiple shares (wj) and represented in the data store as multiple encoded shares (xj), an encoded share being an encoding (xj=Encj (wj, sj)) of a share (wj) together with a state (sj), the multiple states (sj) corresponding to the same variable (w) having a relationship with the input message (M) so that there exists an injective mapping (?) from the input message (M) to the multiple states (?(M)=(s0, . . . , sn?1)).

Abstract: An electronic key pre-distribution device (110) for configuring multiple network nodes (210, 211) with local key information is provided. The key pre-distribution device comprises applies at least a first hash function (147) and a second hash function (148) to a digital identifier of a network node. The first and second hash functions map the digital identifier to a first public point (141; H1ID)) and a second public point (142; H2(ID)) on a first elliptic curve (131) and second elliptic curve (132). A first and second secret isogeny (135) is applied to the first and second public elliptic curve point (141, 142), to obtain a first private elliptic curve point (151) and second private elliptic curve point (152) being part of private key material (155) for the network node (210).

Abstract: A network node (110) is provided configured for a cryptographic protocol based on a shared matrix. The network node is arranged to construct the shared matrix (A) in accordance with the selection data and a shared sequence of values. Multiple entries of the shared matrix are assigned to multiple values of the sequence of data as assigned by the selection data. The shared matrix is applied in the cryptographic protocol.

Abstract: A first electronic network node (110) is provided configured for goo a key exchange (KEX) protocol, the first network node is configured to—obtain a shared matrix (A) shared with a second network node, entries in the shared matrix A being selected modulo a first modulus q, generate a private key matrix (SI), entries in the private key matrix being bounded in absolute value by a bound (s) generate a public key matrix (PI) by computing a matrix product between the shared matrix (A) and the private key matrix (SI) modulo the first modulus (q) and scaling the entries in the matrix product down to a second modulus (p).

Abstract: A first device and a second device are disclosed for reaching agreement on a secret value. Herein, the second device comprises a receiver configured to receive information indicative of a reconciliation data h from the first device, a processor configured to compute a common secret s based on an integer value b, an equation, and system parameters. The processor is configured to compute b based on a key exchange protocol. The first device has a number a in approximate agreement with the number b. The first device comprises a processor configured to determine a common secret s based on an integer value a an equation, and system parameters, and determine a reconciliation data h. The first device further comprises a transmitter configured to transmit information indicative of the reconciliation data h to the second device.

Abstract: A cryptographic system is provided comprising multiple configuration servers (200, 201, 202) arranged to configure multiple network devices (300, 350, 360) for key sharing. Each configuration server comprising a computation unit (220) arranged to compute local key material for the network device from root key material specific to the configuration server and the network device identity number of the network device that is being configured. At least two configuration servers of the multiple configuration servers provide computed local key material to said network device. The network devices are configured to determine a shared key with any one of multiple network devices. A network device comprises a shared key unit (330) arranged to derive a shared key from another network device's identity number and at least two of the multiple local key materials of the network device.

Abstract: An electronic calculating device (100) arranged to convert an input number (y) represented ((y1, y2, . . . , yk)) m a residue number system (RNS) to an output number represented in a radix representation ((e0, e1, . . . es?1)), the calculating device comprising an input interface (110) arranged to receive the input number (y) represented in the residue number system, and a processor circuit (120) configured to iteratively update an intermediate number (?) represented in the residue number system, wherein iterations produce the digits (e0, e1, . . . es?1) in the radix representation with respect to the bases (b0, b1, . . . , bs?1), at least one iteration comprises computing the intermediate number modulo a base (bt) of the radix representation to obtain a digit (et=(?)bt) of the radix representation, updating the intermediate number (??(??et+F)/bt) by subtracting the digit from the intermediate number, adding an obfuscating number (F; Ft), and dividing by the base (bt).

Abstract: A key generation device (100) configured to generate a public key (126) for use in a public key encryption device and a corresponding private key (114) for use in a private key decryption device, the key generation device comprising a private key generator (110) configured for obtaining in electronic form a private random value (112, s), and generating the private key (114), the private key comprising the private random value (112), and a public key generator (120) configured for obtaining in electronic form a public set of bivariate polynomials (122, fi (,)), computing a public univariate polynomial (124) by summing over univariate polynomials obtained by substituting the private random value (112, s) into the polynomials of the public set (122, fi (s,)), and generating the public key (126), the public key comprising the public univariate polynomial (124) and the public set (122).