Abstract: This application provides a key negotiation method, apparatus, and system, and may be applied to the communications field, for example, short-range communication (including a cockpit domain). During key negotiation between a first device and a second device, the first device notifies, by using first information, the second device of all key negotiation algorithms supported by the first device, and the second device selects, from the received key negotiation algorithms supported by the first device, a key negotiation algorithm supported by the second device. In this way, the key negotiation algorithm selected by the second device is supported by both the first device and the second device.

Abstract: According to an embodiment, an arithmetic device outputting an arithmetic result on a finite field with characteristic P includes a hardware processor. The hardware processor performs readout processing of a plurality of input values. The hardware processor performs, for each word, arithmetic operations with respect to the plurality of input values by using a value being based on the characteristic P and a comparison value between each input value of the plurality of input values and the characteristic P. The hardware processor outputs a first output value resulting from computing a value being based on each input value of the plurality of input values, the comparison value, and the characteristic P. The hardware processor outputs a second output value resulting from comparing the first output value and the characteristic P.

Abstract: Provided is an apparatus for a low CNOT count quantum point doubling circuit targeting to minimize resource consumption during quantum cryptanalysis, particularly in elliptic curve cryptography (ECC). The apparatus, according to an embodiment of this present invention, is designed to reduce the overall depth of cryptographic analysis by implementing an efficient point-doubling mechanism.

Abstract: A system for verifying the execution of requested computation tasks, delegated by a computerized delegator device, to one or more computerized devices executing the tasks, comprising one or more computerized devices that contain one or more processors being adapted to define an input data for each delegated computation task; add to the input data, one or more computation fingerprints being executable encrypted input control bits, capable of detecting deviation from each requested computation task; allow the delegator to calculate the computation fingerprints once, by executing the requested computation tasks on predetermined random base values, to obtain an a-priori fingerprint result; couple the base values to each requested computation task; allow the one or more computerized devices to execute each requested computation task along with the base values, for returning an output consisting of a combination of a computed task result section and a calculated fingerprint result section; verify the returned outpu

Abstract: Montgomery multiplier architectures are provided. A circuit can include an initial processing element (PE) circuit configured to generate a first output including (i) a radix of a carry out and (ii) a radix of an intermediate result based on radixes of respective operands, a radix of an inverse of a modulus, and a radix of the modulus, middle PE circuits configured to generate a second output including (i) respective radixes of a Montgomery multiplication result and (ii) further respective radixes of a carry out on two consecutive clock cycles based on the first output, and a final PE circuit configured to generate further radixes of the Montgomery multiplication results on two consecutive, subsequent clock cycles based on the second output.

Abstract: A binary logic circuit for determining y=x mod(2m?1), where x is an n-bit integer, y is an m-bit integer, and n>m, includes reduction logic configured to reduce x to a sum of a first m-bit integer ? and a second m-bit integer ?; and addition logic configured to calculate an addition output represented by the m least significant bits of the following sum right-shifted by m: a first binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; a second binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; and the binary value 1.

Abstract: A device can be used to implement a neural network in hardware. The device can include a processor, a memory, and a neural network accelerator. The neural network accelerator can be configured to implement, in hardware, a neural network by using a residue number system (RNS). At least one function of the neural network can have a corresponding approximation in the RNS system, and the at least one function can be provided by implementing the corresponding approximation in hardware.

Abstract: A Montgomery multiplication apparatus (MMA), for multiplying two multiplicands modulo a predefined number, includes a pre-compute circuit and a Montgomery multiplication circuit. The pre-compute circuit is configured to compute a Montgomery pre-compute value by performing a series of iterations. In a given iteration, the pre-compute circuit is configured to modify one or more intermediate values by performing bit-wise operations on the intermediate values calculated in a preceding iteration. The Montgomery multiplication circuit is configured to multiply the two multiplicands, modulo the predefined number, by performing a plurality of Montgomery reduction operations using the Montgomery pre-compute value computed by the pre-compute circuit.

Abstract: A method of compressing a frame in an image compression and storage system, the method including applying a modulo addition to a residue of an original sample of the frame to generate a biased residue based on a bit depth of the original sample and a maximum allowed error, quantizing the biased residue based on the maximum allowed error to generate a quantized biased residue, and encoding a value corresponding to the quantized biased residue to generate an encoded value that has a non-negative reconstruction error.

Abstract: A method of communicating a secret (k0, k1) on the Bitcoin blockchain is disclosed. The method comprises sending information identifying secrets selectable by the recipient and receiving a first public key (Ui) of an elliptic curve cryptography system, corresponding to a first secret (Si) selected for access by the recipient and for which a first private key (m) is accessible to the recipient. A second public key (U1-i) is received, corresponding to a second secret not selected for access by the recipient, wherein a corresponding second private key is not available to the recipient. First and second secrets encrypted by means of the respective first and second public keys (X0, X1) are sent to the recipient, wherein the first secret is accessible to the recipient by means of the first private key, the second secret is inaccessible to the recipient, and the sender is unable to distinguish between the first and second secrets.

Abstract: A signal processing circuit has a plurality of first circuits each including a first-time-length-signal output circuit that outputs a first time-length signal representing a time length between first timing at which a first input signal changes and second timing at which a second input signal changes and a second-time-length-signal output circuit that outputs the first time-length signal as a second time-length signal at timing based on a control signal. The signal processing circuit includes a second circuit that outputs the second time-length signal having the longest time length among a plurality of the second time-length signals output respectively from the plurality of first circuits.

Abstract: A systolic array cell is described, the cell including two general-purpose arithmetic logic units (ALUs) and register-file. A plurality of the cells may be configured in a matrix or array, such that the output of the first ALU in a first cell is provided to a second cell to the right of the first cell, and the output of the second ALU in the first cell is provided to a third cell below the first cell. The two ALUs in each cell of the array allow for processing of a different instruction in each cycle.

Abstract: A modular multiplication circuit includes a main operation circuit, a look-up table, and an addition unit. The main operation circuit updates a sum value and a carry value according to 2iA corresponding to a first operation value A and m bits of a second operation value B currently under operation, m is a positive integer, i is from 0 to m?1. The look-up table records values related to a modulus, and selects one of the values as a look-up table output value according to the sum value. The addition unit updates the sum value and the carry value according to the look-up table output value and outputs the updated sum value and the updated carry value to the main operation circuit. The modular multiplication circuit updates the sum value and the carry value in a recursive manner by using m different bits of the second operation value B.

Abstract: Cryptographic-related processing is performed using an n-bit accelerator. The processing includes providing a binary operand to a multiply-and-accumulate unit of the n-bit accelerator. The multiply-and-accumulate unit performs an operation using the binary operand and a predetermined fractional constant F to obtain an operation result, and rounds the operation result by discarding x least-significant bits of the operation result to obtain a fractionally-scaled result, where x is a configurable number of bits to discard from the operation result, and the fractionally-scaled result facilitates performing the cryptographic-related processing.

Abstract: A method of compressing a frame in an image compression and storage system, the method including applying a modulo addition to a residue of an original sample of the frame to generate a biased residue based on a bit depth of the original sample and a maximum allowed error, quantizing the biased residue based on the maximum allowed error to generate a quantized biased residue, and encoding a value corresponding to the quantized biased residue to generate an encoded value that has a non-negative reconstruction error.

Abstract: The present disclosure advantageously provides a modulo operation unit that includes a first input configured to receive operand data, a second input configured to receive modulus data, an initial modulo stage, a sequence of intermediate modulo stages, and a final modulo stage.

Abstract: A mechanism is described for facilitating unified accelerator for classical and post-quantum digital signature schemes in computing environments. A method includes unifying classical cryptography and post-quantum cryptography through a unified hardware accelerator hosted by a trusted platform of the computing device. The method may further include facilitating unification of a first finite state machine associated with the classical cryptography and a second finite state machine associated with the post-quantum cryptography though one or more of a single the hash engine, a set of register file banks, and a modular exponentiation engine.

Abstract: A method of communicating a secret (k0, k1) on the Bitcoin blockchain is disclosed. The method comprises sending information identifying secrets selectable by the recipient and receiving a first public key (Ui) of an elliptic curve cryptography system, corresponding to a first secret (Si) selected for access by the recipient and for which a first private key (m) is accessible to the recipient. A second public key (U1-i) is received, corresponding to a second secret not selected for access by the recipient, wherein a corresponding second private key is not available to the recipient. First and second secrets encrypted by means of the respective first and second public keys (X0, X1) are sent to the recipient, wherein the first secret is accessible to the recipient by means of the first private key, the second secret is inaccessible to the recipient, and the sender is unable to distinguish between the first and second secrets.

Abstract: A binary logic circuit for determining y=x mod(2m?1), where x is an n-bit integer, y is an m-bit integer, and n>m, includes reduction logic configured to reduce x to a sum of a first m-bit integer ? and a second m-bit integer ?; and addition logic configured to calculate an addition output represented by the m least significant bits of the following sum right-shifted by m: a first binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; a second binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; and the binary value 1.

Abstract: An apparatus and method for performing multiply-accumulate operations.

Abstract: Embodiments are directed to homomorphic encryption for machine learning and neural networks using high-throughput Chinese remainder theorem (CRT) evaluation. An embodiment of an apparatus includes a hardware accelerator to receive a ciphertext generated by homomorphic encryption (HE) for evaluation, decompose coefficients of the ciphertext into a set of decomposed coefficients, multiply the decomposed coefficients using a set of smaller modulus determined based on a larger modulus, and convert results of the multiplying back to an original form corresponding to the larger modulus.

Abstract: Modulus operation is performed by a system in an efficient manner taking into account the system's processor and memory architecture. Other features are also provided.

Abstract: A method of operating neural networks such as convolutional neural networks including, e.g., an input layer, an output layer and at least one intermediate layer between the input layer and the output layer, with the network layers including operating circuits performing arithmetic operations on input data to provide output data. The method includes: selecting a set of operating circuits in the network layers, performing arithmetic operations in operating circuits in the selected set of operating circuits by performing Residue Number System or RNS operations on RNS-converted input data by obtaining RNS output data in the Residue Number System, backward converting from the Residue Number System the RNS output data resulting from the RNS operations.

Abstract: A method includes generating an extended result from a first operation circuitry having a result register bit width greater than a bus width associated with a residue check path of a second operation circuitry associated with a floating point unit. An extended result residue less a first portion residue of the extended result received from the residue check path is stored as a first partial result residue. The first partial result residue is compared with a first result residue of the second operation circuitry. The extended result residue less both the first partial result residue and a second portion residue of the extended result received from the residue check path as a second partial result residue is compared with a second result residue of the second operation circuitry.

Abstract: A short pointer mode application is loaded in an address space configured for use by a plurality of types of applications including the short pointer mode application and a long pointer mode application. The address space has a first portion addressable by short pointers of a defined size and a second portion addressable by long pointers of another defined size. The other defined size is different from the defined size. Based on executing the short pointer mode application, one or more short pointers of the short pointer mode application are converted to one or more long pointers; and the one or more long pointers are used to access memory within the first portion of the address space addressable by short pointers.

Abstract: In a method for determining the modular inverse of a number, successive iterations are applied to two pairs each including a first variable and a second variable, such that at the end of each iteration and for each pair, the product of the second variable and of the number is equal to the first variable modulo a given module. Each iteration includes at least one division by two of the first variable of a first pair or of a second pair, or a combination of the first variable of the first pair and of the first variable of the second pair by addition or subtraction. At least some of the iterations including a combination by addition or subtraction include a step of storing the result of the combination in the first variable of a pair determined randomly from among the first pair and the second pair. An associated cryptographic processing device is also described.

Abstract: Data is supplied in a circular manner and overlapping memory accesses is suppressed in a processor. The processor includes a circular buffer and an instruction executing part. The circular buffer has a function of holding a plurality of pieces of data and reading the plurality of pieces of data in circulation. The instruction executing part executes an instruction that designates the circular buffer as an operand. That is, this processor has an instruction that designates the circular buffer as an operand, as an instruction set. With this configuration, the data is supplied in a circular manner from the circular buffer in the execution of the instruction by the processor.

Abstract: A number of RSA computing tasks that have different word lengths which are less than a maximum word length of an operand register are processed at the same time by combining a number of different word lengths to be equal to or less than the maximum word length of the operand register.

Abstract: A method and apparatus are disclosed to perform the circular addressing to emulate a virtually unlimited memory space despite the fixed capacity of a physical memory by readdressing the portion of the data that exceeds the pre-defined length of the circular addressing region to another pre-defined address in the circular addressing region. Data segments in a data sample can be loaded and computed with recalculated circular addresses for different applications.

Abstract: A binary logic circuit for determining y=x mod(2m?1), where x is an n-bit integer, y is an m-bit integer, and n>m, includes reduction logic configured to reduce x to a sum of a first m-bit integer ? and a second m-bit integer ?; and addition logic configured to calculate an addition output represented by the m least significant bits of the following sum right-shifted by m: a first binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; a second binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; and the binary value 1.

Abstract: A hardware implementations of Montgomery modular multiplication are described. The number of components as well as the number of cycles may be reduced by using a lookup table and multiplexer for selecting terms to be added during calculations. Also a loop unrolling technique may be used improve performance. A chain of pipeline adder modules and a chain of delay and shift modules may be used to pipeline calculations of multiple sets of operands.

Abstract: An arithmetic logic unit is disclosed that includes a first logical circuit that generates a first partial sum result from three operands in a first stage of a single clock cycle of a processor; a second circuit that generates a second partial result in the same first stage of the clock cycle of the processor; and an adder that receives the first partial result from the first logical circuit and the second partial result from the second circuit and generates a secondary result during a second stage of the single clock cycle of the processor. The arithmetic logic unit may optionally further include a backend circuit that performs additional arithmetic and logic functions in the same single clock cycle of the processor.

Abstract: Compressed domain processors configured to perform operations on data compressed in a format that preserves order. The Compressed domain processors may include operations such as addition, subtraction, multiplication, division, sorting, and searching. In some cases, compression engines for compressing the data into the desired formats are provided.

Abstract: A binary logic circuit for determining y=x mod(2m?1), where x is an n-bit integer, y is an m-bit integer, and n>m, includes reduction logic configured to reduce x to a sum of a first m-bit integer ? and a second m-bit integer ?; and addition logic configured to calculate an addition output represented by the m least significant bits of the following sum right-shifted by m: a first binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; a second binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; and the binary value 1.

Abstract: Arithmetic circuits and methods that perform efficient matrix multiplication for hardware acceleration of neural networks, machine learning, web search and other applications are disclosed herein. Various arrays of multiplier-accumulators may be coupled to form a matrix multiplier which processes data using high precision, fixed point residue number arithmetic.

Abstract: The invention relates to the field of computer engineering and cryptography and, in particular, to methods for implementing linear transformations that operate with a specified speed and require minimum amount of memory, for further usage in devices for cryptographic protection of data. The technical result enables the selection of interrelated parameters (performance and required amount of memory) for a particular computing system when implementing a high-dimensional linear transformation. The use of the present method allows for a reduction of the amount of consumed memory at a given word size of processors employed. To this end, based on a specified linear transformation, a modified linear shift register of Galois-type or Fibonacci-type is generated according to the rules provided in the disclosed method, and the usage thereof enables to obtain the indicated technical result.

Abstract: A method for protecting against faults in a computation of a point multiplication Q=[k]P on an elliptic curve E defined over a prime field p, including: defining an integer r and a group ?={?()|?/r} represented with elements having a group law that coincides with a group law used in the representation for E(p) and isomorphic to an additive group (/r)+ through isomorphism ?; forming a combined group E(p)×?E(p)×(/r)+ which is isomorphic to a cross product of the groups E(p) and (/r)+; selecting an element in /r and defining an element P?=?() in group ?; forming a combined element {circumflex over (P)}=CRT(P,P?) in the group E(p)×?; calculating {circumflex over (Q)}=[k]{circumflex over (P)} in the combined group E(p)×?; calculating k in /r; and checking whether {circumflex over (Q)}?Q?(mod r) where Q?=?(k).

Abstract: In one embodiment, an apparatus comprises a multiplier circuit to: identify a plurality of partial products associated with a multiply operation; partition the plurality of partial products into a first set of partial products, a second set of partial products, and a third set of partial products; determine whether the multiply operation is associated with a square operation; upon a determination that the multiply operation is associated with the square operation, compute a result based on the first set of partial products and the third set of partial products; and upon a determination that the multiply operation is not associated with the square operation, compute the result based on the first set of partial products, the second set of partial products, and the third set of partial products.

Abstract: Hardware logic is described which is arranged to efficiently perform modulo calculation with respect to a constant value b. The hardware logic comprises a series of addition units (each comprising a plurality of binary adders). A first stage addition unit in the series groups bits from an input number into a number of strings, multiplies each string by a corresponding coefficient using adders and left-shifting and adds the resulting strings together to generate an intermediate value which, in most examples, has a smaller range of possible values than the input number. The series of addition units also includes a second stage addition unit and/or a final stage addition unit. A second stage addition unit uses similar methods to generate an updated intermediate value in a pre-defined terminating range. A final stage addition unit generates a final result from the final intermediate result output by an immediately previous addition unit in the series.

Abstract: A modular reduction calculation on a first number and a second number is protected from side-channel attacks, such as timing attacks. A first intermediate modular reduction result is calculated. A value corresponding to four times the first number is added to the first intermediate modular reduction result, generating a second intermediate modular reduction result. A value corresponding to the first number multiplied by a most significant word of the second intermediate modular reduction result plus 1, is subtracted from the second intermediate modular reduction result, generating a third intermediate modular reduction result. A cryptographic operation is performed using a result of the modular reduction calculation.

Abstract: An electronic calculating device for performing arithmetic in a commutative ring includes a storage configured to store an increment table defined for an increment ring element, the increment table mapping an input ring element to an output integer-list encoding an output ring element, such that the output ring element equals the increment ring element ring-added to the input ring element. Using the increment table, a ring addition unit adds a first addition-input integer-list encoding a first addition-input ring element and a second addition-input integer list encoding a second addition-input ring element. The device may include a ring multiplication unit also using the increment table.

Abstract: A device for multiplying two bit sequences has a controller that selects and activates exactly one multiplier unit from a plurality of parallel multiplier units, according to a random signal. A partial multiplier unit shared by all the multiplier units receives and multiplies operands formed by the respectively activated multiplier unit. Each multiplier unit implements a different multiplication method with a respective selector unit that selects segments of the bit sequences to be multiplied, in accordance with a selection plan adapted to the respective multiplication method, to form operands from one or more segments and outputs the operands. The respective accumulation unit receives step by step partial products from the partial multiplier unit, accumulates the partial products in accordance with an accumulation plan adapted to the implemented multiplication method and matching the selection plan, and outputs the calculated product of after accumulation has been completed.

Abstract: A fault tolerant multi-threaded processor uses the temporal and/or spatial separation of instructions running in two or more different threads. An instruction is fetched, decoded and executed by each of two or more threads to generate a result for each of the two or more threads. These results are then compared using comparison hardware logic and if there is a mismatch between the results obtained, then an error or event is raised. The comparison is performed on an instruction by instruction basis so that errors are identified (and hence can be resolved) quickly.

Abstract: The subject of the invention is a countermeasure method for an electronic component implementing a public-key cryptography algorithm on an elliptic curve E defined over a field and comprising an iterative scalar multiplication operation making it possible to obtain a point [k]P on the basis of a point P of the curve E and of an integer k that must remain secret, the electrical consumption of the electronic component being dependent on the value taken by at least one so-called critical point used during said operation to iteratively determine the point [k]P.

Abstract: A binary logic circuit for determining y=x mod(2m?1), where x is an n-bit integer, y is an m-bit integer, and n>m, includes reduction logic configured to reduce x to a sum of a first m-bit integer ? and a second m-bit integer ?; and addition logic configured to calculate an addition output represented by the m least significant bits of the following sum right-shifted by m: a first binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; a second binary value of length 2m, the m most significant bits and the m least significant bits each being the string of bit values represented by ?; and the binary value 1.

Abstract: Methods are disclosed to determine if wiring resources are available in the neighborhood of a physically routed net in all three dimensions. Such a method can select a wire trait based on an amount of usage of each wire segment in the net and the total percentage usage of the net. The method can also re-route a net using new wiring resources after determining that wiring resources are available. The new resources can provide improved RC (delay) characteristics and reduced signal coupling. The method can be applied to a VLSI design with multiple fails.

Abstract: An aspect includes fetching a computer instruction, the fetching by an instruction fetch unit. It is determined that the instruction is a decimal divide instruction that specifies a decimal divisor and a decimal dividend. The decimal divisor is converted into a floating-point divisor and the decimal dividend is converted into a floating-point dividend. A floating-point division of the floating-point dividend by the floating-point divisor is performed by an instruction execution unit. It is determined that the floating-point division resulted in a quotient overflow. A reduced size floating-point dividend is generated based on the quotient overflow, the floating-point divisor, and the floating-point dividend. The floating point division of the reduced size floating-point dividend by the floating-point divisor is performed by the instruction execution unit, and a specified number of rightmost bits of the result is output as the quotient.

Abstract: One embodiment provides a system. The system includes a register to store an operand; a multiplier; and optimizer logic to initiate a first reduction stage to operate on the operand, initiate a second reduction stage prior to completion of the first reduction stage, and determine whether a carry propagation has occurred.

Abstract: A Montgomery modular multiplication device and an embedded security chip. The Montgomery modular multiplication device includes a first Montgomery modular multiplication module, a power calculation module and a second Montgomery modular multiplication module. The first Montgomery modular multiplication module obtains a first operation result A according to two first preset parameters. The power calculation module obtains a second operation result B according to the first operation result A output by the first Montgomery modular multiplication module, the first preset parameters, the second preset parameter and a power calculation function. The first Montgomery modular multiplication module further obtains a Montgomery modular multiplication conversion coefficient according to the first operation result A and the second operation result B.

Abstract: In some applications, such as randomization and cryptography, remainder computation for a number is required. The remainder computation is also used in modulo arithmetic. The remainder computation can be simplified when the divisor belongs to a certain class of numbers. A method and apparatus are disclosed that enable low complexity implementation of remainder computation of any number when the divisor belongs to a type of numbers that can be represented as 2k+1.