Patents by Inventor Yaacov Belenky

Yaacov Belenky has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240089086
    Abstract: Techniques include replacing many of the functions used in finite-field-based arithmetic with lookup tables (LUTs) and combining such LUTs with redundancy-based protection. Advantageously, using LUTs makes it possible to dramatically decrease the redundancy level (e.g., from d=8 to d=3 or 4) and the power consumption and increase the maximal frequency, while preserving the same protection level, latency and performance. The improvement is applicable not only to AES, but also to other algorithms based on a finite field arithmetic, and in particular SM4, ARIA, and Camellia which use Sboxes very similar to or the same as the AES Sbox.
    Type: Application
    Filed: September 5, 2023
    Publication date: March 14, 2024
    Inventors: Ury Kreimer, Yaacov Belenky, Alexander Kesler
  • Publication number: 20230269065
    Abstract: In a general aspect, a method for testing vulnerability of a cryptographic function (CF) to a side-channel attack includes providing a plurality of input values to the function, where the CF, for each input value calculates a sum of the input value and a first value of the CF, and replaces a second value of the CF with the sum. The method further includes measuring a set of samples including a respective side-channel leakage sample for each input value. The method also includes iteratively performing a series of operations including splitting the set of samples into a plurality of subsets based on the input values, calculating a respective value for each subset based on samples of the subset, and comparing the respective values for different subsets to discover respective bit values of the first value and the second value from their least significant bits to most significant bits.
    Type: Application
    Filed: February 23, 2023
    Publication date: August 24, 2023
    Inventors: Yaacov Belenky, Ury Kreimer, Alexander Kesler
  • Publication number: 20230077946
    Abstract: In a general aspect, a GHASH semiconductor intellectual property (IP) core can include circuitry for calculating a GHASH function. The IP core can be configured to calculate the GHASH function by calculating the following quantities: $X_0 = 0$; $X_{i+1} = H^k X_i + \sum_{j=0}^{k-1} \sum_{n=0}^{m-1} C_{ki+j} h_{ijn}$, where, for any $i$ and $j$, $\sum_{n=0}^{m-1} h_{ijn} = H^j$, and where $k > 1$ and $m > 1$.
    Type: Application
    Filed: February 9, 2021
    Publication date: March 16, 2023
    Inventors: Ury Kreimer, Alexander KESLER, Yaacov BELENKY, Vadim BUGAENKO
  • Publication number: 20220414227
    Abstract: A method for testing an HMAC implementation for vulnerability to a side-channel attack can include mounting a template attack. The attack can include generating, based on first side-channel leakage information associated with execution of a hash function of the HMAC implementation, a plurality of template tables. Each template table can correspond, respectively, with a subset of bit positions of an internal state of the hash function. The attack can further include generating, based on second side-channel leakage information, a plurality of hypotheses for an internal state of an invocation of the hash function based on a secret key. The method can further include generating, using the hash function, respective hash values generated from each of the plurality of hypotheses and a message. The method can also include comparing each of the respective hash values with a hash value generated using the secret key to determine vulnerability of the HMAC implementation.
    Type: Application
    Filed: August 11, 2021
    Publication date: December 29, 2022
    Inventors: Yaacov Belenky, Ury Kreimer, Alexander Kesler
  • Publication number: 20220360426
    Abstract: A method of improving performance of a data processor comprising: in a field of characteristic 2 computing X^Y by performing a series of: (i) multiplications of two different elements of the field; and (ii) raising an element of the field to a power Z wherein Z is a power of 2; wherein the number of multiplications (i) is at least two less than the number of ones (1s) in the binary representation of Y.
    Type: Application
    Filed: July 11, 2022
    Publication date: November 10, 2022
    Inventors: Ury KREIMER, Alexander KESLER, Vadim BUGAENKO, Yaacov BELENKY
  • Patent number: 11418317
    Abstract: A semiconductor intellectual property (IP) core comprising a transformation engine designed and configured to represent each element of a field GF(2^8) using a polynomial of degree no higher than 7+d, where d>0 is a redundancy parameter. Also disclosed in the specification are several other IP cores and several different methods.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: August 16, 2022
    Assignee: FORTIFYIQ, INC.
    Inventors: Ury Kreimer, Alexander Kesler, Vadim Bugaenko, Yaacov Belenky
  • Publication number: 20220045839
    Abstract: A semiconductor intellectual property (IP) core comprising a transformation engine designed and configured to represent each element of a field GF(2^8) using a polynomial of degree no higher than 7+d, where d>0 is a redundancy parameter. Also disclosed in the specification are several other IP cores and several different methods.
    Type: Application
    Filed: January 16, 2020
    Publication date: February 10, 2022
    Inventors: Ury KREIMER, Alexander KESLER, Vadim BUGAENKO, Yaacov BELENKY
  • Patent number: 11194933
    Abstract: The present disclosure is directed to systems and methods to protect against SCA and fault injection attacks through the use of a temporary or ephemeral key to cryptographically alter input data portions. Universal resistant block (URB) circuitry receives a seed data value and at least one secret key data value and generates an ephemeral key output data value. Cryptographic circuitry uses the ephemeral key data value to transform an input data portion to produce a transformed output data portion. The use of an SCA or fault injection attack on the transformed output data portion will reveal only the ephemeral key data value and not the at least one secret key data value. Further, where a unique ephemeral key data value is used to transform each input data portion, an attacker cannot discover the ephemeral key in a piecemeal manner and must instead discover the complete ephemeral key data value—significantly increasing the difficulty of performing a successful SCA or fault injection attack.
    Type: Grant
    Filed: June 4, 2019
    Date of Patent: December 7, 2021
    Assignee: Intel Corporation
    Inventors: Yaacov Belenky, Gyora Benedek, Reuven Elbaum, David Novick, Elad Peer, Chaim Shen-Orr, Yonatan Shlomovich
  • Patent number: 10642971
    Abstract: In one embodiment a device is described, the device including a memory operative to store a program, a storage operative to store a reference check value for at least one operation in the program, a processor operative to execute the program, including, determining a run-time check value upon execution of the at least one operation in the program, comparing the stored reference check value with the run-time check value, storing the run-time check value as a pre-branch run-time check value prior to entering a conditional branch of the program when the compared stored reference check value and the run-time check value are equal values, resetting the run-time check value of the executing program to the pre-branch run-time check value upon exiting the conditional branch of the program, wherein the reference check value, the run-time check value, and the pre-branch run-time check value are determined as a result of a single function. Related apparatus, methods and systems are also described.
    Type: Grant
    Filed: September 4, 2017
    Date of Patent: May 5, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: David Darmon, Lev Yudalevich, Leonid Frenkel, Yair Arzi, Yigal Dahan, Eyal Wasserman, Yaacov Belenky
  • Publication number: 20190286853
    Abstract: The present disclosure is directed to systems and methods to protect against SCA and fault injection attacks through the use of a temporary or ephemeral key to cryptographically alter input data portions. Universal resistant block (URB) circuitry receives a seed data value and at least one secret key data value and generates an ephemeral key output data value. Cryptographic circuitry uses the ephemeral key data value to transform an input data portion to produce a transformed output data portion. The use of an SCA or fault injection attack on the transformed output data portion will reveal only the ephemeral key data value and not the at least one secret key data value. Further, where a unique ephemeral key data value is used to transform each input data portion, an attacker cannot discover the ephemeral key in a piecemeal manner and must instead discover the complete ephemeral key data value—significantly increasing the difficulty of performing a successful SCA or fault injection attack.
    Type: Application
    Filed: June 4, 2019
    Publication date: September 19, 2019
    Inventors: Yaacov Belenky, Gyora Benedek, Reuven Elbaum, David Novick, Elad Peer, Chaim Shen-Orr, Yonatan Shlomovich
  • Publication number: 20190073472
    Abstract: In one embodiment a device is described, the device including a memory operative to store a program, a storage operative to store a reference check value for at least one operation in the program, a processor operative to execute the program, including, determining a run-time check value upon execution of the at least one operation in the program, comparing the stored reference check value with the run-time check value, storing the run-time check value as a pre-branch run-time check value prior to entering a conditional branch of the program when the compared stored reference check value and the run-time check value are equal values, resetting the run-time check value of the executing program to the pre-branch run-time check value upon exiting the conditional branch of the program, wherein the reference check value, the run-time check value, and the pre-branch run-time check value are determined as a result of a single function. Related apparatus, methods and systems are also described.
    Type: Application
    Filed: September 4, 2017
    Publication date: March 7, 2019
    Inventors: David Darmon, Lev Yudalevich, Leonid Frenkel, Yair Arzi, Yigal Dahan, Eyal Wasserman, Yaacov Belenky
  • Publication number: 20190028266
    Abstract: In one embodiment, a system and method is described for dynamic encryption of CPU registers. A data item, encrypted according to a first key is stored in one register in a CPU register file. A second data item is encrypted according to a second key, and is written to another of the registers. A flag, associated with each of the registers, is stored, indicating whether the data item is encrypted according to the first or second key. One of the data items is decrypted by retrieving its associated flag, thereby determining according to which key the data item is encrypted. Thereupon, the data item is decrypted according to the determined key. The keys are updated by a controller once each of the flags are set. The controller changes the second key to be the first key, stores a new second key, and clears each of the flags. Related apparatus, systems and methods are also described.
    Type: Application
    Filed: July 23, 2017
    Publication date: January 24, 2019
    Inventors: David DARMON, Avi Klein, Yaacov Belenky
  • Patent number: 9871651
    Abstract: An electronic device includes a plurality of logic units, which have respective inputs and outputs and are arranged in a ring topology, such that an input of each of the logic units is coupled to an output of another of the logic units. Each of the logic units includes respective processing logic, which is identical to and operates in synchrony with the processing logic of the other logic units to process respective data values using at least one secret value stored in the device. The logic units are coupled, at an initial cycle of the device, to receive respective input values that are mutually uncorrelated. At subsequent cycles of the device, each of the logic units receives and operates on intermediate values that are output by another of the logic units.
    Type: Grant
    Filed: January 28, 2015
    Date of Patent: January 16, 2018
    Assignee: Cisco Technology, Inc.
    Inventor: Yaacov Belenky
  • Patent number: 9747471
    Abstract: A state sensitive device is described, the device including a state register which stores a record of the effective-state of the device, a mask field having a value which varies according to a value of the state register, and a processor which changes the value of the mask field to a new value of the mask field when there is a change in the value of the state register, wherein, the processor performs a state dependent calculation requiring the value of the mask field as an operand in the state dependent calculation which will yield an incorrect result if the value of the mask field does not properly correspond to the value of the state register. Related methods, systems and apparatus are also described.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: August 29, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Yaacov Belenky, Chaim Shen-Orr
  • Patent number: 9407434
    Abstract: A method, system and apparatus for deriving a secondary secret from a root secret are described, the method, system and apparatus including reserving a memory buffer included in an integrated circuit, the memory buffer being large enough to contain all of the bits which will include the secondary secret, receiving a plurality of bits from a root secret, the root secret being stored in a secure memory of the integrated circuit, inputting the plurality of bits from the root secret and at least one control bit into a permutation network, and thereby producing a multiplicity of output bits, the at least one control bit including one of one bit of a value g, and one bit an output of a function which receives g as an input, receiving the multiplicity of output bits from the permutation network, inputting the multiplicity of output bits from the permutation network into a plurality of logic gates, thereby combining the multiplicity of output bits, wherein a fixed number of bits is output from the logic gates, inputt
    Type: Grant
    Filed: July 10, 2013
    Date of Patent: August 2, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Michael Kara-Ivanov, Aviad Kipnis, Tzachy Reinman, Efraim Mangell, Erez Waisbard, Yaacov Belenky
  • Publication number: 20150365228
    Abstract: An electronic device includes a plurality of logic units, which have respective inputs and outputs and are arranged in a ring topology, such that an input of each of the logic units is coupled to an output of another of the logic units. Each of the logic units includes respective processing logic, which is identical to and operates in synchrony with the processing logic of the other logic units to process respective data values using at least one secret value stored in the device. The logic units are coupled, at an initial cycle of the device, to receive respective input values that are mutually uncorrelated. At subsequent cycles of the device, each of the logic units receives and operates on intermediate values that are output by another of the logic units.
    Type: Application
    Filed: January 28, 2015
    Publication date: December 17, 2015
    Inventor: Yaacov BELENKY
  • Publication number: 20150358160
    Abstract: A method, system and apparatus for deriving a secondary secret from a root secret are described, the method, system and apparatus including reserving a memory buffer included in an integrated circuit, the memory buffer being large enough to contain all of the bits which will include the secondary secret, receiving a plurality of bits from a root secret, the root secret being stored in a secure memory of the integrated circuit, inputting the plurality of bits from the root secret and at least one control bit into a permutation network, and thereby producing a multiplicity of output bits, the at least one control bit including one of one bit of a value g, and one bit an output of a function which receives g as an input, receiving the multiplicity of output bits from the permutation network, inputting the multiplicity of output bits from the permutation network into a plurality of logic gates, thereby combining the multiplicity of output bits, wherein a fixed number of bits is output from the logic gates, inputt
    Type: Application
    Filed: July 10, 2013
    Publication date: December 10, 2015
    Inventors: Michael KARA-IVANOV, Aviad KIPNIS, Tzachy REINMAN, Efraim MANGELL, Erez WAISBARD, Yaacov BELENKY
  • Patent number: 9054877
    Abstract: A method for computation is described, the method including configuring a processor to expand input seed values into respective output data values using an approximated expansion process such that the output data values are not guaranteed to satisfy a required output data criterion, selecting a seed value so that an output data value generated by the processor by application of the approximated expansion process to the selected seed value will yield an output data value that satisfies the required output data criterion, and storing the selected seed value in a non-volatile memory to be accessed by the processor. Related apparatus and systems are also described.
    Type: Grant
    Filed: September 21, 2010
    Date of Patent: June 9, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: Yaacov Belenky
  • Patent number: 9031227
    Abstract: A method is described for defining a reserved pattern of symbols, receiving in a crypto-module an input stream including sequential input symbols, applying a cipher to the input stream in the crypto-module so as to generate an intermediate stream including sequential output symbols corresponding respectively to the input symbols, and converting the intermediate stream to an output stream from the crypto-module by comparing successive groups of the input symbols and the corresponding output symbols to the reserved pattern and, upon finding a match to the reserved pattern in a given group, substituting the input symbols in the group into the intermediate stream in place of the corresponding output symbols. Related hardware and systems are also described.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: May 12, 2015
    Assignee: Cisco Technology Inc.
    Inventors: Yaacov Belenky, Chaim D. Shen-Orr
  • Patent number: 9009492
    Abstract: A method for data security includes receiving, in a processor having a one-time programmable (OTP) memory, which includes multiple bits and has a current state defined by the bits of the OTP that have been programmed, new information to be written to a data memory. Based on the new information and the current state, at least one further bit of the OTP memory is selected to be programmed, thereby defining a new state of the OTP memory. A new digital signature is computed over the new information and the new state. The new information and the new digital signature are saved in the data memory. After saving the new information and the new digital signature in the data memory, the at least one further bit of the OTP memory is programmed, whereby the new state becomes the current state. Related apparatus and methods are also disclosed.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: April 14, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Yaacov Belenky, Reuben Sumner