Cryptanalysis Patents (Class 380/1)
  • Patent number: 8176109
    Abstract: A calculating unit for reducing an input number with respect to a modulus, wherein the input number has input number portions of different significances, wherein the input number portions represent the input number with respect to a division number, wherein the modulus has modulus portions of different significances, and wherein the modulus portions represent the modulus with respect to the division number, includes a unit for estimating a result of an integer division of the input number by the modulus using a stored most significant portion of the number, a stored most significant portion of the modulus and the number, and for storing the estimated result in a memory of the calculating unit, and a unit for calculating a reduction result based on a subtraction of a product of the modulus and a value derived from the estimated result from the number.
    Type: Grant
    Filed: October 30, 2006
    Date of Patent: May 8, 2012
    Assignee: Infineon Technologies AG
    Inventor: Wieland Fischer
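The estimate-then-subtract reduction the abstract describes, as an added example (not the patent's or Infineon's code): operands are held in 16-bit portions (the abstract's "division number" is taken to be 2^16, an assumed value), each quotient portion is estimated from the most significant portions of the running remainder and the stored most significant portion of the modulus, the product of that estimate and the modulus is subtracted, and the modulus is added back when the estimate overshoots. The normalisation shift and the "at most two corrections" bound are the classic Knuth Algorithm D argument, assumed here; the abstract does not state how its estimate is bounded.

```python
import random


def reduce_mod(n, m, portion_bits=16):
    """Return (n mod m, max_corrections_in_any_step).

    n and m are split into `portion_bits`-wide portions.  Each loop iteration
    estimates one quotient portion from the top portions of the running
    remainder and the stored top portion of the modulus, subtracts
    q_hat * m (shifted into place) and adds m back if the estimate overshot.
    """
    if m <= 0 or n < 0:
        raise ValueError("need m > 0 and n >= 0")
    base = 1 << portion_bits
    # Normalise so the most significant portion of m is >= base/2.  Shifting
    # both operands by s bits scales (n mod m) by 2**s (undone at the end) and
    # guarantees the estimate is never too small and at most 2 too large.
    s = (-m.bit_length()) % portion_bits
    m_norm, r = m << s, n << s
    k = (m_norm.bit_length() + portion_bits - 1) // portion_bits  # portions in m
    top_m = m_norm >> (portion_bits * (k - 1))                     # stored MSP of modulus
    n_len = (r.bit_length() + portion_bits - 1) // portion_bits
    max_corrections = 0
    for j in range(max(n_len - k, 0), -1, -1):
        # Top (at most two) portions of the part of r that (m_norm << j) overlaps.
        top_r = r >> (portion_bits * (j + k - 1))
        q_hat = min(top_r // top_m, base - 1)      # estimated quotient portion
        shifted_m = m_norm << (portion_bits * j)
        r -= q_hat * shifted_m                     # reduction result for this step
        corrections = 0
        while r < 0:                               # estimate too large: add m back
            r += shifted_m
            corrections += 1
        max_corrections = max(max_corrections, corrections)
    return r >> s, max_corrections


def self_check(trials=300, seed=7):
    """Compare against Python's built-in modulo on random operands of mixed
    sizes and confirm no step needed more than two corrections."""
    rng = random.Random(seed)
    for _ in range(trials):
        m = rng.getrandbits(rng.randrange(1, 300)) | 1
        n = rng.getrandbits(rng.randrange(1, 600))
        r, corrections = reduce_mod(n, m)
        if r != n % m or corrections > 2:
            return False
    return True
```

The estimate only looks at the top portions, so the cost per step is one small division plus one multi-portion multiply-subtract; the correction loop is what makes the scheme exact despite the truncated estimate.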
  • Patent number: 8165618
    Abstract: Methods and systems for slow associated control channel signaling are disclosed. An example method for securing communications in a mobile network disclosed herein comprises transmitting a first variant of a message of a first type on a first slow associated control channel (SACCH) before ciphering is started on the first SACCH, and after ciphering is started on the first SACCH, transmitting a second variant of the message of the first type on the first SACCH, and subsequently transmitting the second variant of the message of the first type on the first SACCH, wherein the subsequently transmitted second variant of the message of the first type is the next transmitted message of the first type on the first SACCH.
    Type: Grant
    Filed: September 26, 2011
    Date of Patent: April 24, 2012
    Assignee: Research In Motion Limited
    Inventors: David Hole, Eswar Kalyan Vutukuri
  • Patent number: 8160245
    Abstract: For an Elliptic Curve Scalar Multiplication (ECSM) operation to be performed on a scalar and a base point, a given previous set of parameters that was used to split the scalar for a previous ECSM operation and a selected random integer are used to determine a new set of parameters for splitting the scalar. By basing the new set of parameters on the previous set of parameters, repeated use of the scalar to determine key-splitting parameters is avoided and susceptibility to a Differential Power Analysis Side Channel attack is minimized.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: April 17, 2012
    Assignee: Research In Motion Limited
    Inventor: Nevine Maurice Nassif Ebeid
  • Patent number: 8150029
    Abstract: A method for detecting a disturbance of a calculation, by an electronic circuit, of a result of an integral number of applications of an internal composition law on elements of an abelian group, by successive iterations of different steps according to the even or odd character of a current coefficient of a polynomial representation of said integral number, the degree of which determines the number of iterations, each iteration including: in case of an odd current coefficient, updating at least one first variable intended to contain the result at the end of the calculation; and in case of an even current coefficient, updating a second variable and comparing this second variable with an expected value.
    Type: Grant
    Filed: December 28, 2006
    Date of Patent: April 3, 2012
    Assignee: Proton World International N.V.
    Inventors: Thierry Huque, Jean-Louis Modave
  • Patent number: 8144867
    Abstract: Example embodiments are directed to a duration computing method in a security module inserted into an apparatus including an internal clock. The apparatus may receive a digital data stream encrypted via control words contained in a control message ECM. The method may include receiving data coming from the internal clock of the apparatus including a current temporal information, storing the data representing the current temporal information in the security module, receiving the control message ECM to decrypt at least one control word, reading previous data representing a previous temporal information at a moment of processing the previous control message ECM, and processing the control message ECM when the current temporal information is temporally ahead of the previous temporal information.
    Type: Grant
    Filed: May 12, 2004
    Date of Patent: March 27, 2012
    Assignee: Nagravision S.A.
    Inventors: Jimmy Cochard, Olivier Brique
  • Patent number: 8136154
    Abstract: Hidden Markov Models (“HMMs”) are used to analyze keystroke dynamics measurements collected as a user types a predetermined string on a keyboard. A user enrolls by typing the predetermined string several times; the enrollment samples are used to train a HMM to identify the user. A candidate who claims to be the user provides a typing sample, and the HMM produces a probability to estimate the likelihood that the candidate is the user he claims to be. A computationally-efficient method for preparing HMMs to analyze certain types of processes is also described.
    Type: Grant
    Filed: May 6, 2008
    Date of Patent: March 13, 2012
    Assignees: The Penn State Foundation, Louisiana Tech University Research Foundation
    Inventors: Vir V. Phoha, Shashi Phoha, Asok Ray, Shrijit Sudhakar Joshi, Sampath Kumar Vuyyuru
  • Patent number: 8130945
    Abstract: A public key cryptography (PKI or other similar system) is used to send partial or multiple encryption or decryption algorithms (cipher or decipher) to the data sender or receiver to encrypt or decrypt the data to be sent or received, and the algorithm destroys itself after each or multiple uses. Since the encryption algorithm is protected, it can be devised very small in size compared to the data to be sent, and the user can afford to use a large key size in its transmission to increase protection without significant impact on the overall speed. Without knowing the encryption algorithm, which may also change from time to time, it will be impossible to use brute force to break the code, provided that the algorithm scheme is designed properly. This is because there are unlimited numbers of new or old algorithms with countless variations, and it takes years of super-fast computing time to break even a few algorithms.
    Type: Grant
    Filed: October 13, 2005
    Date of Patent: March 6, 2012
    Inventor: Fong Luk
  • Patent number: 8130947
    Abstract: A method and a system for privacy-preserving SNA. A plurality of vertices of a first subgraph of a graph is encrypted with a first key of a commutatively encryption scheme. A plurality of vertices of a second subgraph encrypted with a second key of the commutatively encryption scheme are received and encrypted commutatively with the first key. A plurality of commutatively encrypted vertices of the first subgraph and a plurality of commutatively encrypted vertices of the second subgraph are used for computing centrality metrics preserving the privacy of the graph and its structure.
    Type: Grant
    Filed: July 16, 2008
    Date of Patent: March 6, 2012
    Assignee: SAP AG
    Inventors: Florian Kerschbaum, Andreas Schaad
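The commutative-encryption step behind the abstract above, as an added example (not SAP's or the patent's code): each party encrypts its own vertex identifiers under its own key, exchanges the ciphertexts, re-encrypts the other side's ciphertexts under its own key, and matches doubly encrypted values, which agree regardless of the order the two keys were applied. The cipher is the Pohlig-Hellman exponentiation cipher x^k mod p (an assumed instantiation), the group is Z_p^* for the Mersenne prime p = 2^61 - 1 (a toy choice), and the centrality computation the abstract builds on top of the matched vertices is not reproduced.

```python
import hashlib
import math
import random

# Toy group, an assumption for illustration: p = 2^61 - 1 is prime, so
# x -> x^k mod p permutes Z_p^* whenever gcd(k, p-1) = 1.  A real deployment
# uses a prime-order subgroup of a ~2048-bit safe prime or an elliptic curve so
# that ciphertexts leak no subgroup information about the plaintext.
P = 2**61 - 1


def keygen(seed):
    """Random exponent key coprime to p-1 (so that decryption exists)."""
    rng = random.Random(seed)
    while True:
        key = rng.randrange(2, P - 1)
        if math.gcd(key, P - 1) == 1:
            return key


def to_group(label):
    """Deterministically map a vertex label into Z_p^* via SHA-256."""
    digest = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big")
    return digest % (P - 1) + 1


def encrypt(x, key):
    """E_key(x) = x^key mod p.  E_a(E_b(x)) == E_b(E_a(x)) since exponents commute."""
    return pow(x, key, P)


def decrypt(c, key):
    return pow(c, pow(key, -1, P - 1), P)


def shared_vertices(alice_labels, bob_labels, key_a, key_b):
    """Two-party matching of vertex identifiers.  Messages marked -> are what
    actually crosses the wire; neither party ever sees the other's labels or
    single-key ciphertexts of its own labels under the other's key alone."""
    alice_labels = list(alice_labels)
    alice_enc = [encrypt(to_group(v), key_a) for v in alice_labels]   # Alice -> Bob
    bob_enc = [encrypt(to_group(v), key_b) for v in bob_labels]       # Bob -> Alice
    # Bob re-encrypts Alice's list under key_b and returns it in the same order.
    alice_double = [encrypt(c, key_b) for c in alice_enc]             # Bob -> Alice
    # Alice re-encrypts Bob's list under key_a locally and compares.
    bob_double = {encrypt(c, key_a) for c in bob_enc}
    return sorted(v for v, c in zip(alice_labels, alice_double) if c in bob_double)
```

Because `alice_double` comes back in list order, Alice can map each doubly encrypted value to her own label without Bob learning which positions matched; what Bob learns is limited to the number of Alice's vertices.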
  • Patent number: 8074081
    Abstract: A data storage device includes a plurality of data storage units, a physical random number generator with a noise source based on a physical noise process, for generating a random number, and a replacer for selecting a data storage unit wherein data is to be stored, depending on the random number. Selecting, on the basis of genuine random numbers, data storage units and/or lines to be replaced in the cache.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: December 6, 2011
    Assignee: Infineon Technologies AG
    Inventor: Berndt Gammel
  • Patent number: 8065735
    Abstract: A cryptographic operation includes calculating a multiplication of an element of an additively denoted group by a scalar. After two registers R0 and R1 are initialized, iterations are carried out over the components Ki of the scalar K. If Ki of the scalar equals 0, then the value in register R1 is replaced by 2(R0+R1). If Ki equals 1, the value in register R0 is replaced by 2(R0+R1). At the end of the algorithm, the value of the register R0 is returned as the calculated result. This method has the advantage of carrying out a multiplication by a scalar using only doubling and adding operations of the type 2(A+B).
    Type: Grant
    Filed: March 8, 2007
    Date of Patent: November 22, 2011
    Assignee: Gemalto SA
    Inventor: Marc Joye
  • Publication number: 20110280393
    Abstract: A cryptanalysis method comprising: (A) Performing a ciphertext-only direct cryptanalysis of A5/1 and (B) Using results of Step (A) to facilitate the decryption and/or encryption of further communications that are consistent with encryption using the session key and/or decryption using the session key, wherein the cryptanalysis considers part of the bits of the session key to have a known fixed value, and wherein the cryptanalysis finds the session key. An efficient known plaintext attack on A5/2 comprises trying all the possible values for R4, and for each such value solving the linearized system of equations that describe the output; The solution of the equations gives the internal state of R1, R2, and R3; Together with R4, this gives the full internal state which gives a suggestion for the key.
    Type: Application
    Filed: July 18, 2011
    Publication date: November 17, 2011
    Inventors: Elad Barkan, Eli Biham
  • Patent number: 8027466
    Abstract: Execution of the Elliptic Curve Digital Signature Algorithm (ECDSA) requires determination of a signature, which determination involves arithmetic operations. Some of the arithmetic operations employ a long term cryptographic key. It is the execution of these arithmetic operations that can make the execution of the ECDSA vulnerable to a power analysis attack. In particular, an attacker using a power analysis attack may determine the long term cryptographic key. By modifying the sequence of operations involved in the determination of the signature and the inputs to those operations, power analysis attacks may no longer be applied to determine the long term cryptographic key.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: September 27, 2011
    Assignee: Research In Motion Limited
    Inventor: Nevine Maurice Nassif Ebeid
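Added example (not Gemalto's, Research In Motion's, or the patents' code) serving three entries above: the regular scalar-multiplication ladder of 8065735 and the key-splitting countermeasure of 8160245 and 8027466. The ladder body is the right-to-left double-add form R_b <- 2R_b + R_{1-b}, whose invariant R0 + R1 = 2^i * P makes its correctness checkable; the abstract's 2(R0+R1) wording is not reproduced because the abstract does not give the register initialisation that form requires. The curve is secp256k1 (public constants, an assumed choice); ECDSA itself is not implemented, only the scalar multiplication it relies on.

```python
import random

# secp256k1 domain parameters (public constants, an assumed curve choice).
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None   # point at infinity


def add(p1, p2):
    """Affine addition on y^2 = x^3 + A x + B over F_P; doubling when p1 == p2.
    The branches on INF and on equality are still data-dependent; a hardened
    implementation would use complete formulas to remove even those."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def double_and_add(k, pt):
    """Reference left-to-right scalar multiplication.  The conditional point
    addition is exactly the key-dependent operation a power trace reveals."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def regular_ladder(k, pt, nbits=256):
    """Right-to-left ladder whose loop body is the same pair of operations
    (one doubling, one addition) for every bit; only the destination register
    depends on k_i.  R_b <- 2*R_b + R_{1-b} with b = 1 - k_i keeps
    R0 + R1 = 2^i * pt and R0 = (k mod 2^i) * pt, so R0 ends as k * pt."""
    r = [INF, pt]
    for i in range(nbits):
        b = 1 - ((k >> i) & 1)
        r[b] = add(add(r[b], r[b]), r[1 - b])
    return r[0]


class SplitScalar:
    """Long-term scalar k held only as shares k1 + k2 = k (mod N).  Each use
    re-randomises the shares from the PREVIOUS shares and a fresh r, so k is
    read once, at construction, and never processed by the ladder itself."""

    def __init__(self, k, seed):
        self.rng = random.Random(seed)        # seeded only so the example is reproducible
        self.k1 = self.rng.randrange(1, N)
        self.k2 = (k - self.k1) % N

    def multiply(self, pt):
        r = self.rng.randrange(1, N)
        self.k1 = (self.k1 + r) % N
        self.k2 = (self.k2 - r) % N
        return add(regular_ladder(self.k1, pt), regular_ladder(self.k2, pt))
```

Both halves of the split go through the regular ladder, so an attacker averaging traces across many signatures sees a different scalar each time, while the recombined result is unchanged because N * G is the point at infinity.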
  • Publication number: 20110228926
    Abstract: A method described herein includes acts of executing a cryptographic function over input data utilizing a processor on a computing device and generating a data packet that indicates how the cryptographic function interacts with hardware of the computing device, wherein the hardware of the computing device comprises the processor. The method also includes acts of analyzing the data packet, and generating an indication of security of the cryptographic function with respect to at least one side channel attack based at least in part upon the analyzing of the data packet.
    Type: Application
    Filed: March 17, 2010
    Publication date: September 22, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Daniel Bakalars Shumow, Peter L. Montgomery
  • Patent number: 8023643
    Abstract: A first Exclusive OR circuit operates an Exclusive OR between input data and a predetermined random number. An operation circuit performs one operation of encryption and decryption of output data from the first Exclusive OR circuit. A data register circuit, which has a plurality of data hold units, holds data from the operation circuit in one data hold unit of the plurality of data hold units in response to a selection signal, and supplies the data from the one data hold unit to the operation circuit. A second Exclusive OR circuit performs an Exclusive OR between output data from the data register circuit and the random number. The operation circuit recursively performs the one operation of the data from the data register circuit and outputs next data to the data register circuit.
    Type: Grant
    Filed: August 29, 2006
    Date of Patent: September 20, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Koichi Fujisaki, Hideo Shimizu, Atsushi Shimbo
  • Patent number: 8009826
    Abstract: In a cellular interception system, an information processing method for converting information of several cellular-network wireless messages from a first encrypted format under a session key, where each message is encrypted by a cellular ciphering algorithm chosen out of a collection of one or more cellular ciphering algorithms under the session key, to a second unencrypted format comprising: (A) divide the messages in the first format into two sets; the first set containing messages encrypted under the same encryption algorithm, and a second set containing the remaining messages. (B) subject the messages in the first set to a ciphertext-only cryptanalysis of a cellular encryption algorithm to recover the session key. (C) for each message in the second set, subject the message together with the recovered session key to the corresponding cellular ciphering algorithm to receive the message's information in the second format.
    Type: Grant
    Filed: April 30, 2004
    Date of Patent: August 30, 2011
    Inventors: Elad Barkan, Eli Biham
  • Patent number: 7970165
    Abstract: System and method for digitally watermarking data. A preferred embodiment comprises a quantizer to limit a data value provided by a signal input to a set of values, a rounder unit coupled to the quantizer, a control unit coupled to the rounder unit and to a watermark input, and a multiplexer having a first input coupled to the rounder unit and a control input coupled to the control unit. The rounder unit rounds a quantized data value to a nearest integer, the control unit provides a control signal based on the rounded, quantized data value and a parity of a watermark provided by the watermark input, and the multiplexer selects between an output of the rounder unit, an incremented output of the counter unit, and a decremented output of the counter unit, based on the control signal provided by the control unit.
    Type: Grant
    Filed: March 13, 2007
    Date of Patent: June 28, 2011
    Assignees: Taiwan Semiconductor Manufacturing Company, Ltd., Global Unichip Corp.
    Inventors: Chia Ping Chen, Yi-Lang Liu
  • Publication number: 20110150211
    Abstract: Modern cellular wireless communications providers strive to keep their network and subscribers secure through various means. The identity of the subscriber may be obfuscated through the use of a temporary identifier for most network transactions including signaling events, voice calls, SMS messages and data sessions. A subscriber's unique identity may only be transmitted over the air in an encrypted form. Similarly, the content of voice calls, SMS messages and data sessions may also be encrypted when transmitted over the air and even when transferred over internal network interfaces. However, the use of encryption presents significant challenges for law enforcement communities when court ordered lawful intercept is required to monitor and locate subscribers utilizing the wireless networks for illegal and/or terrorist purposes. A technique to aid in the determination of a subscriber's unique wireless identity and the decryption of encrypted signals would be very useful for lawful intercept.
    Type: Application
    Filed: December 22, 2009
    Publication date: June 23, 2011
    Applicant: TruePosition, Inc.
    Inventor: Robert J. Anderson
  • Publication number: 20110135087
    Abstract: Provided are a method and a system for recovering a password in a multi-node parallel-processing environment including a master node and a plurality of work nodes. The master node receives information on encrypted file selection from a user. The master node generates password candidate generation information and transmits it to the plurality of work nodes together with a password decryption command. The password candidate generation information allows the plurality of work nodes to have different password candidate ranges, using password decryption information comprising a maximum password length, a minimum password length, and a string set constituting the password. Each work node decrypts the password using the password candidate generation information and transmits the password decryption result to the master node.
    Type: Application
    Filed: May 13, 2010
    Publication date: June 9, 2011
    Inventors: Keon Woo Kim, Sang Su Lee
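The range partitioning the abstract above describes, as an added example (not ETRI's or the patent's code): the master turns the string set and the length bounds into a single index space, hands each work node a contiguous, non-overlapping slice of it, and each node regenerates its own candidates from the indices. The charset, the length bounds, the use of SHA-256 as the one-way function and the target password are all constructed for the example.

```python
import hashlib

# Assumed password-space description: the "string set", minimum and maximum
# length that the master distributes to the work nodes.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
MIN_LEN, MAX_LEN = 1, 3


def digest_of(password):
    """One-way function protecting the password (SHA-256, an assumption; a
    real document format uses its own key-derivation function)."""
    return hashlib.sha256(password.encode()).digest()


def candidate_count(charset=CHARSET, min_len=MIN_LEN, max_len=MAX_LEN):
    """Size of the whole candidate space over all allowed lengths."""
    return sum(len(charset) ** length for length in range(min_len, max_len + 1))


def index_to_candidate(idx, charset=CHARSET, min_len=MIN_LEN, max_len=MAX_LEN):
    """Bijection from [0, candidate_count) onto candidate strings: all strings
    of the shortest length first, then the next length, each block enumerated
    as mixed-radix numbers.  Nodes exchange index ranges, never candidate lists."""
    base = len(charset)
    for length in range(min_len, max_len + 1):
        block = base ** length
        if idx < block:
            chars = []
            for _ in range(length):
                idx, digit = divmod(idx, base)
                chars.append(charset[digit])
            return "".join(reversed(chars))
        idx -= block
    raise IndexError("index outside the candidate space")


def split_ranges(total, workers):
    """Contiguous, non-overlapping [start, end) ranges that exactly cover [0, total)."""
    step, rem = divmod(total, workers)
    ranges, start = [], 0
    for w in range(workers):
        end = start + step + (1 if w < rem else 0)
        ranges.append((start, end))
        start = end
    return ranges


def work_node(target_digest, start, end):
    """A work node tests only its own range and reports the hit (or None)."""
    for idx in range(start, end):
        candidate = index_to_candidate(idx)
        if digest_of(candidate) == target_digest:
            return candidate
    return None


def master(target_digest, workers=4):
    """Master node: derive the ranges from the password-space description,
    hand one to each node, collect results.  Nodes run one after another
    here; in the multi-node setting they run in parallel."""
    ranges = split_ranges(candidate_count(), workers)
    for start, end in ranges:
        hit = work_node(target_digest, start, end)
        if hit is not None:
            return hit, ranges
    return None, ranges
```

Because the mapping is a bijection, the union of the ranges covers every candidate exactly once, which is the property to check before trusting a "not found" result from the cluster.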
  • Patent number: 7929688
    Abstract: A parameter generation apparatus for generating parameters causing no decryption error for an NTRU cryptosystem so that an encrypted communication can be carried out between an encryption apparatus and a decryption apparatus in a secure and reliable manner. The parameter generation apparatus includes: a provisional parameter generation unit operable to generate a set of provisional parameters that do not cause any decryption errors, based on error condition information that is provided in advance, the error condition information indicating a condition for causing no decryption error; and an output parameter generation unit operable to generate an output parameter that does not cause any decryption errors, using the set of provisional parameters, based on a lattice constant that is calculated from the set of provisional parameters.
    Type: Grant
    Filed: April 14, 2004
    Date of Patent: April 19, 2011
    Assignee: Panasonic Corporation
    Inventors: Masato Yamamichi, Masami Yamamichi, legal representative, Satomi Yamamichi, legal representative, Keiko Yamamichi, legal representative, Yuichi Futa, Motoji Ohmori, Makoto Tatebayashi
  • Publication number: 20110069832
    Abstract: A wireless network probe method intercepts a data packet sent from a certain station, which has established communication with an access point (AP) connected to a wireless network before a service set identifier (SSID) of the wireless network has been closed. The method further amends data in the data packet to generate two attacked data packets, transmits the two attacked data packets using a media access control (MAC) address of the certain station, to interrupt the communication between the AP and the certain station. Furthermore, the method intercepts a re-association data packet sent to the AP from the certain station, retrieves the SSID from the re-association data packet, and stores the SSID into a second station, so as to connect the second station to the wireless network.
    Type: Application
    Filed: January 13, 2010
    Publication date: March 24, 2011
    Applicant: HON HAI PRECISION INDUSTRY CO., LTD.
    Inventor: CHENG-WEN TANG
  • Patent number: 7907722
    Abstract: An electronic circuit for cryptographic processing, comprising a first combinatorial logical circuit, arranged to perform a first set of logical operations on input data and to produce output data, the output data having a functional relation to the input data, further comprising at least a second combinatorial logical circuit, arranged to perform a second set of logical operations on the same input data and to produce output data, the output data having an identical functional relation to the input data, wherein the first set of logical operations is different from the second set of logical operations, and wherein the electronic circuit is arranged to dynamically select one combinatorial logical circuit, of a set comprising at least the first combinatorial logical circuit and the second combinatorial logical circuit, for performing logical operations on the input data and producing output data.
    Type: Grant
    Filed: January 21, 2005
    Date of Patent: March 15, 2011
    Assignee: NXP B.V.
    Inventor: Daniel Timmermans
  • Publication number: 20110044449
    Abstract: Provided are an apparatus and a method for deciphering a password. The password deciphering apparatus includes a host control unit and at least two graphic processing units. The host control unit generates candidate passwords for detection of a password of a ciphered document file, and allocates the generated candidate passwords to at least two graphic processing units in a non-overlapping manner. The graphic processing units output password detection information when detecting the password of the document file by searching the allocated candidate passwords. Herein, upon receiving the password detection information from one of the graphic processing units, the host control unit uses the password detection information to detect the password.
    Type: Application
    Filed: November 10, 2009
    Publication date: February 24, 2011
    Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Keonwoo KIM, Do Won Hong
  • Patent number: 7853010
    Abstract: A method for testing the resistance of an algorithm using at least one secret quantity against attacks measuring physical effects of the execution of the algorithm by an integrated circuit, consisting of implementing statistical key search functions based on hypotheses about at least some bits thereof, by exploiting the input and output values of steps of the algorithm.
    Type: Grant
    Filed: May 21, 2003
    Date of Patent: December 14, 2010
    Assignee: STMicroelectronics S.A.
    Inventor: Yannick Teglia
  • Publication number: 20100284530
    Abstract: The invention relates to a method for decoding a probabilistic anti-collusion code intended to identify at least one sequence of code present in a multimedia content having been used to create an illegal copy of this multimedia content, this method comprising a step of estimating the collusion strategy used to constitute the illegal copy associated with a step of identifying the sequences having been used in creating the illegal copy.
    Type: Application
    Filed: May 6, 2010
    Publication date: November 11, 2010
    Inventors: Luis Perez-Freire, Teddy Furon
  • Patent number: 7826610
    Abstract: The invention concerns a method to secure an electronic assembly implementing any algorithm against attacks by error introduction. The method according to the invention consists in performing an additional calculation using a verification function on at least one intermediate result in order to obtain a calculation signature, and in performing at least once more all or part of the calculation in order to recalculate said signature and compare the two in order to detect a possible error.
    Type: Grant
    Filed: July 7, 2003
    Date of Patent: November 2, 2010
    Assignee: Gemalto SA
    Inventors: Mehdi-Laurent Akkar, Louis Goubin
  • Patent number: 7809130
    Abstract: A system, method and computer program product for recovering a password including, for each possible password to be tested, generating a periodicity unit based on a number of symbols in the password and a size of a chunk used by a one-way function to encrypt the password. The periodicity unit is substantially shorter than an input string, that includes replicated actual password used to encrypt the password. Based on the periodicity unit, using the one-way function, generating a control value for the periodicity unit. The control value is tested for a match with a control value generated from the actual password. An indication of a match is provided to a user.
    Type: Grant
    Filed: June 11, 2006
    Date of Patent: October 5, 2010
    Assignee: Elcomsoft Co. Ltd.
    Inventors: Oleg A. Kalyadin, Alexander G. Ivanov, Andrey V. Belenko
  • Publication number: 20100246808
    Abstract: Provided is a side channel attack tolerance evaluation device capable of evaluating the propriety of the estimation of an encryption algorithm, processing timing, and determination of a processing sequence of the encryption algorithm using side channel information. The side channel attack tolerance evaluation device, which performs evaluation of tolerance to a side channel attack by using side channel information leaking from an encryption device, is provided with a storage unit (character data storage device), a measurement unit (side channel information measurement device), and a processing unit (side channel attack tolerance evaluation unit). The storage unit stores side channel information that has been previously acquired by executing a predetermined encryption algorithm in an encryption device or information obtained by applying predetermined processing to the side channel information. The measurement unit measures the side channel information generated from an encryption device to be evaluated.
    Type: Application
    Filed: December 4, 2008
    Publication date: September 30, 2010
    Applicant: NEC Corporation
    Inventors: Toru Hisakado, Noritaka Yamashita
  • Patent number: 7787620
    Abstract: Methods and apparatuses are disclosed for improving DES and other cryptographic protocols against external monitoring attacks by reducing the amount (and signal-to-noise ratio) of useful information leaked during processing. An improved DES implementation of the invention instead uses two 56-bit keys (K1 and K2) and two 64-bit plaintext messages (M1 and M2), each associated with a permutation (i.e., K1P, K2P and M1P, M2P) such that K1P{K1} XOR K2P{K2} equals the “standard” DES key K, and M1P{M1} XOR M2P{M2} equals the “standard” message. During operation of the device, the tables are preferably periodically updated, by introducing fresh entropy into the tables faster than information leaks out, so that attackers will not be able to obtain the table contents by analysis of measurements. The technique is implementable in cryptographic smartcards, tamper resistant chips, and secure processing systems of all kinds.
    Type: Grant
    Filed: October 18, 2005
    Date of Patent: August 31, 2010
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Publication number: 20100195819
    Abstract: An interval centroid-based watermark encoder encodes a watermark into a packet flow. Intervals are defined for the packet flow. Some of the intervals are selected as group A intervals while other intervals are selected as group B intervals. Group A and group B intervals are paired and assigned to watermark bits. A first or second value may be encoded by increasing the relative packet time between packets in either the group A (for the first bit value) or group B (for the second bit value) interval(s) of the interval pair(s) assigned to the watermark bits that are to represent the first or second bit value and the beginning of the same group interval(s). The relative packet times may be measured by a decoder and used to calculate a centroid difference for each interval pair. The centroid differences may be used to reconstruct the watermark.
    Type: Application
    Filed: April 12, 2010
    Publication date: August 5, 2010
    Inventors: Xinyuan Wang, Shiping Chen
  • Patent number: 7757284
    Abstract: An install control module allows installation of a software application onto a computer in presence of malicious code that is attempting to prevent installation. A metamorphic installation program is generated randomly to be substantially unique using metamorphic stealthing techniques. The program can be installed and is executed on the computer. Identifying information in the metamorphic installation program is substantially disguised from the malicious code so the program is substantially unrecognizable. The software application is installed onto the computer, and the metamorphic program protects the installation to allow the software application to be installed without substantial interference from the malicious code. In another embodiment, installation occurs by booting a preinstall environment on the computer without running a primary operating system. The software application is installed offline without the primary operating system running and before malicious code present on the computer is executed.
    Type: Grant
    Filed: December 22, 2005
    Date of Patent: July 13, 2010
    Assignee: Symantec Corporation
    Inventor: Pieter Viljoen
  • Patent number: 7725404
    Abstract: Methods and systems for performing electronic commerce using mutating identifiers. One method can include encrypting buyer transaction data with a first mutating identifier, transmitting the buyer transaction data to an authenticator device, decrypting the buyer transaction data, generating a payment request, encrypting the payment request with a third mutating identifier, and transmitting the payment request to a payment authenticator device.
    Type: Grant
    Filed: November 23, 2005
    Date of Patent: May 25, 2010
    Assignee: Imagineer Software, Inc.
    Inventors: William Sellars, Richard Malina, William Cochran
  • Patent number: 7702109
    Abstract: A content recording/reproducing system, which records and reproduces a sub-content relating to a main content, includes a distribution device, first and second recording media, a recording device and a reproducing device. The first recording medium that is non-rewritable prestores key data based on which a public key is derivable, and the main content. The distribution device outputs verification information that includes the sub-content and is generated by applying a digital signature to relative information relating to the sub-content based on a secret key corresponding to the public key. The recording device acquires and records the verification information on the second recording medium that is rewritable.
    Type: Grant
    Filed: March 11, 2004
    Date of Patent: April 20, 2010
    Assignee: Panasonic Corporation
    Inventors: Yuichi Futa, Masato Yamamichi, Masami Yamamichi, legal representative, Satomi Yamamichi, legal representative, Keiko Yamamichi, legal representative, Motoji Ohmori, Masaya Yamamoto, Makoto Tatebayashi
  • Patent number: 7685426
    Abstract: A method of managing content, and in particular, managing content on the Internet retrieves a web page that includes an image and detects whether the image included within the web page is embedded with a digital watermark. It generates an indicia associated with an image included in the web page that is embedded with a digital watermark. The indicia indicate to the user which images include watermarks. The watermarks may be used to convey links to related web pages or specific information about the images, such as usage rights and licensing information. Variations of this method create image bookmarks to web pages including images using thumbnails of those images. A content management system comprises a first program for retrieving web pages including images. It also includes a second program for extracting an image from a web page, creating a thumbnail of the image, and forming an image bookmark linking the thumbnail to the web page that the image has been extracted from.
    Type: Grant
    Filed: February 2, 2005
    Date of Patent: March 23, 2010
    Assignee: Digimarc Corporation
    Inventors: Daniel O. Ramos, Brian T. MacIntosh, Geoffrey B. Rhoads
  • Patent number: 7634083
    Abstract: Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: December 15, 2009
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Patent number: 7620821
    Abstract: A processor including general-purpose and cryptographic functionality, in which cryptographic operations are visible to user-specified software. According to one embodiment, a processor may include instruction execution logic configured to execute instructions specified by a user of the processor, where the instructions are compliant with a general-purpose instruction set architecture. The processor may further include a cryptographic functional unit configured to implement a plurality of cryptographic operations, and further configured to process the cryptographic operations independently of the instruction execution logic. A subset of the instructions may be executable to cause individual ones of the cryptographic operations to be processed by the cryptographic functional unit.
    Type: Grant
    Filed: February 24, 2005
    Date of Patent: November 17, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Gregory F. Grohoski, Christopher H. Olson, Leonard D. Rarick
  • Patent number: 7620976
    Abstract: A mechanism is provided for protecting a plurality of electronic files. A portable access control lock is adapted for automatically maintaining an audit trail and allowing for configuring of access control rules for constraining user access based on a mandatory presence of specified users before granting access for each electronic file including any copies of the each electronic file of the plurality of electronic files. The constraining user access based on the mandatory presence of specified users comprises specifying persons P1 and P2 both of whose presence are required in order to update or view any of the each electronic file including the copies of the each electronic file. Persons P1 and P2 are prompted by a same access agent on a same access computer for authentication credentials to access the each electronic file and the each electronic file is accessed only when persons P1 and P2 are properly authenticated.
    Type: Grant
    Filed: October 21, 2005
    Date of Patent: November 17, 2009
    Assignee: International Business Machines Corporation
    Inventors: Chee Meng Low, Peng Tsin Ong
  • Patent number: 7617523
    Abstract: Authentication mechanisms for accessing one or more applications by a user by using collaborative agents for automating authentication to the one or more applications. The use of collaborative agents obviates a need for the user to remember fortified authentication credentials for each application.
    Type: Grant
    Filed: October 21, 2005
    Date of Patent: November 10, 2009
    Assignee: International Business Machines Corporation
    Inventors: Tapas K. Das, Nitin Sharma, Jingxue Shen
  • Patent number: 7602907
    Abstract: Systems and methods configured for recoding an odd integer and elliptic curve point multiplication are disclosed, having general utility and also specific application to elliptic curve point multiplication and cryptosystems. In one implementation, the recoding is performed by converting an odd integer k into a binary representation. The binary representation could be, for example, coefficients for powers of two representing the odd integer. The binary representation is then configured as comb bit-columns, wherein every bit-column is a signed odd integer. Another implementation applies this recoding method and discloses a variation of comb methods that computes elliptic curve point multiplication more efficiently and with less saved points than known comb methods. The disclosed point multiplication methods are then modified to be Simple Power Analysis (SPA)-resistant.
    Type: Grant
    Filed: July 1, 2005
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Bin Zhu, Min Feng, Shipeng Li
  • Patent number: 7602903
    Abstract: Methods and apparatuses are provided that can inform certain processes and/or even the user about the relative strength/weakness of cryptography services being used. In certain methods, for example, at least one cryptography service parameter threshold is established. The method further includes, selectively detecting a request for at least one cryptography service, and selectively performing at least one correctness detection action based on the requested cryptography service and the cryptography service parameter threshold. The cryptography service parameter threshold identifies acceptable/unacceptable cryptography algorithms, acceptable/unacceptable cryptography key size parameters, acceptable/unacceptable cryptography seed size parameters, and other like parameters that the requested cryptography service information can be compared with.
    Type: Grant
    Filed: January 16, 2004
    Date of Patent: October 13, 2009
    Assignee: Microsoft Corporation
    Inventors: Monica Ene-Pietrosanu, Sermet Iskin, Rajesh Ramadoss
  • Patent number: 7599488
    Abstract: Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.
    Type: Grant
    Filed: October 29, 2007
    Date of Patent: October 6, 2009
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Patent number: 7600255
    Abstract: Accumulated proof-of-work approaches for protecting network resources against denial-of-service attacks are disclosed. A client computer or other requester is required to perform work, such as repeatedly hashing a message until a specified number of bits is zero, as a condition for accessing a resource. Proof of the work performed by a legitimate requester is accumulated across multiple requests, so that established users of a resource are not penalized when proof-of-work is used to prevent a denial of service attack. Requesters who cannot show accumulated work greater than a specified threshold are required to perform additional work. In certain embodiments, work may be accumulated only within a specified time window, and the threshold may vary according to resource capacity or loading. Proof-of-work values may be communicated between the user and the resource in cookies.
    Type: Grant
    Filed: April 14, 2004
    Date of Patent: October 6, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Mark Baugher
  • Patent number: 7587044
    Abstract: Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.
    Type: Grant
    Filed: December 3, 2001
    Date of Patent: September 8, 2009
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Patent number: 7587590
    Abstract: This invention relates to an encryption communication apparatus using encryption processing. It is an object of this invention to obtain the encryption communication apparatus with excellent tamper-resistance while ensuring sufficient securities. A communicating unit 1 sends and receives communication data including a length field and a data field. A length comparing unit 6 compares a value of the length field and a minimum length value stored in the apparatus in advance. When it is judged that the value of the length field is less than the minimum length value, a controlling unit 7 controls an encryption processing unit 5 not to perform encryption processing or decryption processing of the data in the data field.
    Type: Grant
    Filed: October 24, 2002
    Date of Patent: September 8, 2009
    Assignee: Mitsubishi Electric Corporation
    Inventors: Keiki Yamada, Tsuneo Sato
  • Patent number: 7571492
    Abstract: To provide increased security against differential power analysis attacks, a data processing device is provided with a current converter that draws current from an external supply and cyclically apportions drawn current between a charge storage device and a processor such that the drawn current varies independently of the instantaneous power demand of the processor. The data processing device includes: a processor; a charge storage device coupled to the processor; and a current source for supplying the processor with operating current, and adapted to vary its output current independently of the instantaneous power demand of the processor.
    Type: Grant
    Filed: August 29, 2003
    Date of Patent: August 4, 2009
    Assignee: NXP B.V.
    Inventor: Gerardus T. M. Hubert
  • Patent number: 7564969
    Abstract: A method, computer readable medium and system for determining whether a data stream is in cyphertext format statistically analyzes the data stream to compute a resultant value indicative of a level of uniformity for a frequency distribution of the data stream's byte values. When applied to one or more files, an average byte value may be computed for the data stream and a chi-square statistical analysis of the data bytes performed, with the resultant value computed based on the chi-square value. The resultant is then compared to a pre-determined threshold value to determine whether the file has been encrypted. The computer-readable medium has executable instructions for reading the data stream portions of files to compute a resultant value for each file and control an output device to display appropriate output. The encryption detection system comprises a storage device, an output device and a processor programmed in accordance with the foregoing.
    Type: Grant
    Filed: April 1, 2003
    Date of Patent: July 21, 2009
    Assignee: Sytex, Inc.
    Inventor: Eric B. Cole
  • Patent number: 7499541
    Abstract: An object of the invention is to allow cipher strength evaluation when available resources such as the complexity and the number of plaintext available for decryption have conditions, and to allow comparison of cipher strength under given conditions. The invention combines the exhaustive search with an algebraic method, sets conditions for resources such as the complexity and the number of plaintext available for decryption beforehand, and utilizes the linear dependency of a decryption equation for use in decryption to optimize a decryption method as the maximum number of available plaintext is secured. Thus, it reduces the complexity and allows efficient search of solutions for the decryption equation.
    Type: Grant
    Filed: May 11, 2004
    Date of Patent: March 3, 2009
    Assignee: National Institute of Information and Communications Technology
    Inventors: Hidema Tanaka, Toshinobu Kaneko, Yasuo Hatano
  • Patent number: 7482946
    Abstract: One embodiment of the present invention provides a system that camouflages business-activity information in telemetry signals from a computer system. During operation, the system monitors telemetry signals from the computer system to obtain a time series containing a telemetry metric which provides business-activity information. Next, for each telemetry-metric value contained in the time series, the system compares the telemetry-metric value with a predetermined threshold level. If the telemetry-metric value is below the predetermined threshold level, the system then generates artificial activity associated with the telemetry metric in the computer system, so that the artificial activity causes the telemetry-metric value to exceed the predetermined threshold level.
    Type: Grant
    Filed: June 20, 2006
    Date of Patent: January 27, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Kenny C. Gross, Jon D. Greaves, Keith A. Whisnant
  • Patent number: 7482947
    Abstract: One embodiment of the present invention provides a system that camouflages business-activity information in telemetry signals from a computer system. During operation, the system monitors telemetry signals from the computer system to obtain a time series containing a telemetry metric which provides business-activity information. Next, the system computes a serial correlation between data values in the time series. The system then determines if the computed serial correlation between the data values in the time series is above a predetermined threshold level. If so, the system performs frequency domain analysis on the time series. The system then generates artificial activity on the computer system which causes the frequency spectra of the time series to reduce the serial correlation between the data values in the time series.
    Type: Grant
    Filed: June 20, 2006
    Date of Patent: January 27, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Kenny C. Gross, Keith A. Whisnant, Ramakrishna C. Dhanekula
  • Patent number: 7460665
    Abstract: An object is to evaluate the strength in consideration of the relationship held between keys, to allow the detection of a weak key condition to lower the difficulty in decrypting ciphertext, and to detect a weak key based on the weak key condition. Based on the relationship between keys in a key schedule and based on estimated keys, a certain estimated extended key can be calculated by utilizing the relationship between the estimated extended key in the key schedule and an estimated extended key having been calculated, and cost information required for calculation is outputted to allow the verification of a weak key condition. A weak key can be detected based on the weak key condition, and the difficulty in decrypting ciphertext can be increased without modifying an encryption apparatus.
    Type: Grant
    Filed: January 21, 2004
    Date of Patent: December 2, 2008
    Assignee: National Institute of Information and Communications Technology
    Inventors: Hidema Tanaka, Toshinobu Kaneko, Nobuyuki Sugio
  • Patent number: 7454625
    Abstract: In a method for protecting a calculation in a cryptographic algorithm, the calculation obtaining input data so as to create output data, input data for the calculation are initially provided. Subsequently, the calculation is performed so as to obtain the output data of the calculation. After the calculation has been performed, a verification is carried out as to whether the input data was changed during the calculation, to be precise using a verification algorithm which differs from the calculation itself. If the verification proves that the input data was changed during the calculation, forwarding of the output data is suppressed. By doing so, outputting of incorrect results of the calculation of the cryptographic algorithm is prevented with a high degree of certainty, since the input data is particularly susceptible to hardware attacks. In addition, the input data may be examined with a view to their integrity with little expenditure compared to calculating the cryptographic algorithm itself.
    Type: Grant
    Filed: April 19, 2004
    Date of Patent: November 18, 2008
    Assignee: Infineon Technologies AG
    Inventors: Wieland Fischer, Jean-Pierre Seifert