Abstract: Embodiments relate to modular reductions. An aspect includes a system to perform modular reductions. The system includes a shift register to store an input string or number. The system also includes a plurality of processing elements arranged in a pipeline configuration to convert the input string to a predefined alphabet or to convert the number to a different base based on a plurality of modular reductions, an output of one of the plurality of processing elements being an input to a subsequent one of the plurality of processing elements in the pipeline as part of a recursive division, and an input of a first one of the plurality of processing elements in the pipeline being an output of the shift register.

Abstract: A memory device receives a plurality of read commands and/or write commands in parallel. The memory device transmits data corresponding to respective read commands on respective portions of a data bus and receives data corresponding to respective write commands on respective portions of the data bus. The memory device includes I/O logic to receive the plurality of read commands in parallel, to transmit the data corresponding to the respective read commands on respective portions of the data bus, and to receive the data corresponding to the respective write commands on respective portions of the data bus.

Abstract: Systems and methods for using carry-less multiplication (CLMUL) to implement erasure code are provided. An embodiment method of using CLMUL to implement erasure code includes initiating, with a processor, a first CLMUL call to calculate a first product of a data bit word and a constant, partitioning, with the processor, the first product into a high portion and a low portion, and initiating, with the processor, a second CLMUL call to calculate a second product of the high portion and a hexadecimal number portion, a bit size of the second product less than a bit size of the first product. The second product, or a third product generated by a third CLMUL call, is used to calculate a parity bit. Because the second product or the third product has a number of bits equivalent to the number of bits used by the processor, the erasure codes are more efficiently implemented.

Abstract: A method and apparatus for optimizing the yield of tested electronics devices is provided. A sample device is characterized to derive a specification for each device in the group. The sample size is chosen to provide reliable data and to minimize the effect of outlier devices on the characterization. After characterization, boundaries are set for the group of tested devices. Boundaries may be set based on voltages optimized for power consumption. The group of devices may be further subdivided into sub-groups based on the results of testing. The sub-groups are each assigned a unique code that reflects the results of the testing. This code is programmed into automated test equipment and is also stored in system software in order to ensure consistent values across the group of tested devices. The automated test equipment and system software are correlated using the same code to ensure higher test yield.

Abstract: A modular arithmetic unit includes a first input generator receiving first data to generate a first operand; a second input generator receiving second data to generate a second operand; an accumulator performing an accumulate/shift operation to add the first and second operands and outputting the carry and sum; a carry propagation adder adding the carry and the sum to output a result; and a data handler receiving either external data or the result and outputting the first data and the second data.

Abstract: Methods and systems for residue number system based ALUs, processors, and other hardware provide the full range of arithmetic operations while taking advantage of the benefits of the residue numbers in certain operations. In one or more embodiments, an RNS ALU or processor comprises a plurality of digit slices configured to perform modular arithmetic functions. Operation of the digit slices may be controlled by a controller. Residue numbers may be converted to and from fixed or mixed radix number systems for internal use and for use in various computing systems.

Abstract: A method for calculating the modular inverse of a value in relation to a module is used for cryptographic calculations on a portable data carrier. The method includes determining a breakdown of the module into at least two factors, calculating a respective auxiliary value for each of the factors, wherein each auxiliary value is the modular inverse of the value in relation to the respective factor as module, and calculating the modular inverse of the value in relation to the module using the calculated auxiliary values. The method offers an increase in efficiency, with greater efficiency obtained the stronger the computing outlay depends on the length of the module in the inversion method. The method is suitable for execution by relatively low-power processors, and security of the calculation against spying attacks is not impaired. If security requirements are high, combining the method with suitable measures against spying presents no problems.

Abstract: A Montgomery inverse calculation device includes a plurality of registers each storing a value of a variable, a modulus register storing a modulus, a multiplier performing multiplication on the modulus. A comparator compares the value of the variable stored in each of the registers with an output value of the multiplier and generates a plurality of control signals. A plurality of shifters shifts bits of a value of a variable stored in a corresponding register among the registers in response to at least one first control signal, and a quotient generation block calculates a quotient of mod 2m with respect to values output from some of the shifters in response to a second control signal. A calculation block calculates an updated value of an output value of each of the shifters using the quotient in response to at least one third control signal.

Abstract: A method and apparatus for performing modular exponentiation using iterative modular multiplications steps and taking as input a first modulus N, a secret exponent d and a base x. During at least one modular multiplication step aiming at computing a result c from two values a, b and the first modulus N so that c=a·b mod N, a processor takes as input the two values a, b and the first modulus N from which are obtained two operands a?, b? and a second modulus N? using operations with at most linear complexity—at least one of the two operands a?, b? is different from the two values a, b, and the two operands a?, b? are different when a is equal to b—so that the modular multiplication c=a·b mod N from a side-channel viewpoint behaves like a modular squaring except for when a? equals b? . An intermediate result c?=a?·b? mod N? is computed, and the result c is derived from the intermediate result c? using an operation with at most linear complexity; and the result c is used in the modular exponentiation.

Abstract: A residue generating circuit for an execution unit that supports vector operations includes an operand register and a residue generator coupled to the operand register. The residue generator includes a first residue generation tree coupled to a first section of the operand register and a second residue generation tree coupled to a second section of the operand register. The first residue generation tree is configured to generate a first residue for first data included in the first section of the operand register. The second residue generation tree is configured to generate a second residue for second data included in a second section of the operand register. The first section of the operand register includes a different number of register bits than the second section of the operand register.

Abstract: The subject invention pertains to a method and apparatus for performing computations using residue arithmetic. The subject method and apparatus can utilize logic gates for performing calculations such as multiplication by a constant, computing a number theoretic logarithm of a residue for a given base ?i and modulus pi, and computing the product of two residues, modulo pi. The use of logic gates can offer advantages when compared with the use of ROMs for table look-up functions in integrated RNS digital signal processor implementations.

Abstract: In one exemplary embodiment of the invention, a method for computing a resultant and a free term of a scaled inverse of a first polynomial v(x) modulo a second polynomial fn(x), including: receiving the first polynomial v(x) modulo the second polynomial fn(x), where the second polynomial is of a form fn(x)=xn±1, where n=2k and k is an integer greater than 0; computing lowest two coefficients of a third polynomial g(z) that is a function of the first polynomial and the second polynomial, where g(z)?i=0n?1(v(?i)?z), where ?0, ?1, . . . , ?n?1 are roots of the second polynomial fn(x) over a field; outputting the lowest coefficient of g(z) as the resultant; and outputting the second lowest coefficient of g(z) divided by n as the free term of the scaled inverse of the first polynomial v(x) modulo the second polynomial fn(x).

Abstract: A remainder by division of a sequence of bytes interpreted as a first number by a second number is calculated. A first remainder by division associated with a first subset of the sequence of bytes is calculated with a first processor. A second remainder by division associated with a second subset of the sequence of bytes is calculated with a second processor. The calculating of the second remainder by division may occur at least partially during the calculating of the first remainder by division. A third remainder by division is calculated based on the calculating of the first remainder by division and the calculating of the second remainder by division.

Abstract: A remainder by division of a sequence of bytes interpreted as a first number by a second number is calculated. A first remainder by division associated with a first subset of the sequence of bytes is calculated with a first processor. A second remainder by division associated with a second subset of the sequence of bytes is calculated with a second processor. The calculating of the second remainder by division may occur at least partially during the calculating of the first remainder by division. A third remainder by division is calculated based on the calculating of the first remainder by division and the calculating of the second remainder by division.

Abstract: According to one embodiment, a first shift amount calculation unit counts the number of continuous zeros from a less significant bit toward a more significant bit of an intermediate result of a computation of Montgomery multiplication result z and calculates a first shift amount. A second shift amount calculation unit counts the number of continuous zeros from a less significant bit toward a more significant bit of redundant-binary-represented integer x and calculates a second shift amount. An addition/subtraction unit calculates the intermediate result by adding/subtracting, with respect to the intermediate result which has been bit-shifted by the first shift amount, the integer p, and the integer y which has been bit-shifted by the second shift amount. An output unit outputs, as the Montgomery multiplication result z, the intermediate result when the sum of the first shift amounts is equal to the number of bits of the integer p.

Abstract: The present invention provides a modulo operation method. The modulo operation method, in a case where the square of a divisor N is greater than or equal to a dividend C, includes: determining the number of computation stages n satisfying 2n<N?2n+1; performing an initialization operation by initializing a constant a to the smallest integer greater than or equal to half of N; performing a first operation by subtracting, when C is greater than or equal to N·a (product of N and a), the value of C by the value of N·a; and performing a second operation by assigning the smallest integer greater than or equal to half of a to the value of a, wherein the value of C is output as the result of modulo operation after the first operation and the second operation are repeated n times. In the first operation, when C is less than N·a, the value of C is unchanged.

Abstract: A modulo reduction is performed on a value a represented as an ordered sequence of computer readable words. The lowest order words are eliminated by substituting an equivalent value represented by higher order words for each of the lower order words. The lowest order words are eliminated until the sequence has a word length corresponding to the modulus. Carries and borrows resulting from the substitution are propagated from lower order words to higher order words. Further reduction is performed to maintain the word length of the sequence to that of the modulus. The further reduction may be determined by examination of a carryover bit or may be performed a predetermined number of times without examination.

Abstract: A binary logic circuit is provided for determining a rounded value of px q , where p and q are coprime constant integers with p<q and q?2i, i is any integer, and x is an integer variable between 0 and integer M where M?2q, the binary logic circuit implementing in hardware the optimal solution of the multiply-add operation ax + b 2 k where a, b and k are fixed integers.

Abstract: Methods, computer systems, and computer program products for calculating a remainder by division of a sequence of bytes interpreted as a first number by a second number is provided. A pseudo-remainder by division associated with a first subsequence of the sequence of bytes is calculated. A property of this pseudo-remainder is that the first subsequence of the sequence of bytes, interpreted as a third number, and the pseudo-remainder by division have the same remainder by division when divided by the second number. A second subsequence of the sequence of bytes interpreted as the first number is appended to the pseudo-remainder, interpreted as a sequence of bytes, so as to create a sequence of bytes interpreted as a fourth number. The first number and the fourth number have the same remainder by division when divided by the second number.

Abstract: Embodiments of techniques and systems for side-channel-protected modular exponentiation are described. In embodiments, during a modular exponentiation calculation, Montgomery Multiplication (“MM”) results are produced. These MM results are scattered through a table for storage, such that storage of the values may not lead to discovery of a secret exponent value by a spy process through a side-channel attack. The scattering may be performed in order to reduce a number of per-result memory operations performed during each MM result storage or retrieval. In embodiments, a window size of 4 may be used in the modular exponentiation, along with partitioning of the MM result into 32-bit partition values which are scattered with offsets of 64-bytes. In embodiments, while use of a window size of 4 may result in additional MM calculations during modular exponentiation than other window sizes, the reduction in memory operations may provide a positive performance offset.

Abstract: A circuit for calculating a sum of products, each product having a q-bit binary operand and a k-bit binary operand, where k is a multiple of q, includes a q-input carry-save adder (CSA); a multiplexer (10) by input of the adder, having four k-bit channels respectively receiving the value 0, a first (Yi) of the k-bit operands, the second k-bit operand (M[63:0], mi), and the sum of the two k-bit operands, the output of a multiplexer of rank t (where t is between 0 and q?1) being taken into account by the adder with a t-bit left shift; and each multiplexer having first and second path selection inputs, the bits of a first of the q-bit operands being respectively supplied to the first selection inputs, and the bits of the second q-bit operand being respectively supplied to the second selection inputs.

Abstract: A system for performing public key encryption is provided. The system supports mathematical operations for a plurality of public key encryption algorithms such as Rivert, Shamir, Aldeman (RSA) and Diffie-Hellman key exchange (DH) and Elliptic Curve Cryptosystem (ECC). The system supports both prime fields and different composite binary fields.

Abstract: An error detection unit including one or more register files that store at least one operand and at least one operand residue, an operand multiplexor operable to receive the operand, a residue multiplexor operable to receive the operand residue, a source operand residue generator operable to generate at least one generated residue from the operand, a first comparator that compares the operand residue to the generated residue, the result of the first comparator being sent to a reorder buffer, an execution unit that supplies the operand to a residue calculator and a result residue generator, wherein the residue calculator operable to determine an expected residue and the result residue generator operable to generate a result residue, and a second comparator that compares the expected residue with the result residue, the result of the second comparator being sent to the reorder buffer.

Abstract: A radix-2k Montgomery multiplier including an input coefficient generation unit to receive a multiplier, a multiplicand, a modulus, a sum and a previous sum, to generate and to output a partial product and a multiple modulus by using at least one of the multiplier, the multiplicand, the modulus and the sum, and to divide and to output the received previous sum into units of k bits, an accumulator circuit to receive the partial product, the multiple modulus and k bits of the previous sum from the input coefficient generation unit, and to generate and to output a carry and a sum by summing the partial product, the multiple modulus and the previous sum, and a carry propagation adder (CPA) circuit to generate and to output an ultimate sum by using the carry and the sum.

Abstract: A technique for checking an exponent calculation for an execution unit that supports floating point operations includes generating, using a residue prediction circuit, a predicted exponent residue for a result exponent of a floating point operation. The technique also includes generating, using an exponent calculation circuit, the result exponent for the floating point operation and generating, using the residue prediction circuit, a result exponent residue for the result exponent. Finally, the technique includes comparing the predicted exponent residue to the result exponent residue to determine whether the result exponent generated by the exponent calculation circuit is correct and, if not, signaling an error.

Abstract: A residue generating circuit for an execution unit that supports vector operations includes an operand register and a residue generator coupled to the operand register. The residue generator includes a first residue generation tree coupled to a first section of the operand register and a second residue generation tree coupled to a second section of the operand register. The first residue generation tree is configured to generate a first residue for first data included in the first section of the operand register. The second residue generation tree is configured to generate a second residue for second data included in a second section of the operand register. The first section of the operand register includes a different number of register bits than the second section of the operand register.

Abstract: A new hardware architecture is disclosed that performs the modular exponentiation operation, i.e., the computation of c=me mod n where c, m, e, n are large integers. The modular exponentiation operation is the most common operation in public-key cryptography. The new method, named the Spectral Modular Exponentiation method, uses the Discrete Fourier Transform over a finite ring, and relies on new techniques to perform the modular multiplication and reduction operations. The method yields an efficient and highly parallel architecture for hardware implementations of public-key cryptosystems which use the modular exponentiation operation as the basic step, such as the RSA and Diffie-Hellman algorithms. The method is extended to perform the multiplication operation in extension fields which is necessary to perform exponentiation or various other operations over these extension fields.

Abstract: A modular calculator and a method of performing a modular calculation are provided. The modular calculator includes a first register to receive and to store a first integer, a second register to receive and to store a second integer, a calculator connected to an output terminal of the first register and an output terminal of the second register, and a controller to determine an arithmetic operation of the calculator by referring to a sign of the first integer and a sign of the second integer and to control the calculator to perform the determined arithmetic operation on one of an addition and a subtraction of the first integer and the second integer and a modulus value.

Abstract: A data processing method, whereby an element is subjected to a first operation with a given operand. The method includes a step of updating by a second operation a first variable (B; a0; S?p, S?q) or a second variable (A; a1; Sp, Sq), depending on whether a corresponding bit of the operand=0 or 1; and a step of testing a relationship between a first value (B; a0; S?) derived from the first variable and a second value (A; a1; S) derived from the second variable. A related device is also disclosed.

Abstract: Systems and/or methods that facilitate secure electronic communication of data are presented. A cryptographic component facilitates securing data associated with messages in accordance with a cryptographic protocol. The cryptographic component includes a randomized exponentiation component that facilitates decryption of data and generation of digital signatures by exponentiating exponents associated with messages. An exponent is divided into more than one subexponent at an exponent bit that corresponds to a random number. Exponentiation of the first subexponent can be performed based on a left-to-right-type of exponentiation algorithm, and exponentiation of the second subexponent can be performed based on a right-to-left square-and-multiply-type of exponentiation algorithm. The final value is based on the exponentiations of the subexponents and can be decrypted data or a digital signature, which can be provided as an output.

Abstract: Techniques are disclosed for utilizing a block Montgomery machine designed only to operate at a fixed block length to perform operations using non-block length (flexible)moduli. In one embodiment, a new modulus n? is obtained having a block length equal to the fixed block length of the Montgomery machine or a multiple thereof. At least one modular additive operation is performed with the new modulus n?, and at least one modular multiplicative operation is performed with the non-block length modulus n. In this way, the result of the at least one additive operation is sufficiently reduced when a carry stems from the additive operation.

Abstract: Methods and systems for residue number system based ALUs, processors, and other hardware provide the full range of arithmetic operations while taking advantage of the benefits of the residue numbers in certain operations. In one or more embodiments, an RNS ALU or processor comprises a plurality of digit slices configured to perform modular arithmetic functions. Operation of the digit slices may be controlled by a controller. Residue numbers may be converted to and from fixed or mixed radix number systems for internal use and for use in various computing systems.

Abstract: A modular multiplier and a modular multiplication method are provided. The modular multiplier includes: a first register which stores a previous accumulation value calculated at a previous cycle; a second register which stores a previous quotient calculated at the previous cycle; a quotient generator which generates a quotient using the stored previous accumulation value output from the first register; and an accumulator which receives an operand, a bit value of a multiplier, the stored previous accumulation value, and the stored previous quotient to calculate an accumulation value in a current cycle, wherein the calculated accumulation value is updated to the first register, and the generated quotient is updated to the second register.

Abstract: Techniques are disclosed relating to a processor including instruction support for performing a Montgomery multiplication. The processor may issue, for execution, programmer-selectable instruction from a defined instruction set architecture (ISA). The processor may include an instruction execution unit configured to receive instructions including a first instance of a Montgomery-multiply instruction defined within the ISA. The Montgomery-multiply instruction is executable by the processor to operate on at least operands A, B, and N residing in respective portions of a general-purpose register file of the processor, where at least one of operands A, B, N spans at least two registers of general-purpose register file. The instruction execution unit is configured to calculate P mod N in response to receiving the first instance of the Montgomery-multiply instruction, where P is the product of at least operand A, operand B, and R^?1.

Abstract: In a computing device that calculates a square of an element in a finite field, a vector representation of the element in the finite field is accepted. The vector representation includes a plurality of elements. The computing device performs a multiplication operation on a base field using the accepted elements, and obtains a multiplication value. The multiplication operation is determined by a condition under which the element in the finite field is placed in an algebraic torus. The computing device performs an addition and subtraction operation using the obtained multiplication value and the accepted elements, and obtains a calculation result of the square of the element. The addition and subtraction operation is determined by the condition. The computing device then outputs the calculation result.

Abstract: 2D nearest-neighbor quantum architectures for Shor's factoring algorithm may be accomplished using the form of three arithmetic building blocks: modular addition using Gossett's carry-save addition, modular multiplication using Montgomery's method, and non-modular multiplication using an original method. These arithmetic building blocks may assume that ancillae are cheap, that concurrent control may be available and scalable, and that execution time may be the bottleneck. Thus, the arithmetic building blocks may be optimized in favor of circuit width to provide improved depth existing nearest-neighbor implementations.

Abstract: In one exemplary embodiment of the invention, a method for computing a resultant and a free term of a scaled inverse of a first polynomial v(x) modulo a second polynomial fn(x), including: receiving the first polynomial v(x) modulo the second polynomial fn(x), where the second polynomial is of a form fn(x)=xn±1, where n=2k and k is an integer greater than 0; computing lowest two coefficients of a third polynomial g(z) that is a function of the first polynomial and the second polynomial, where g ? ( z ) ? = def ? ? i = 0 n - 1 ? ? ( v ? ( ? i ) - z ) , where ?0, ?1, . . . , ?n?1 are roots of the second polynomial fn(x) over a field; outputting the lowest coefficient of g(z) as the resultant; and outputting the second lowest coefficient of g(z) divided by n as the free term of the scaled inverse of the first polynomial v(x) modulo the second polynomial fn(x).

Abstract: A system to perform Montgomery multiplication includes a first multiplier array configured to multiply w bits of an operand X by W bits of an operand Y, where w and W are integers and w is less than W. A second multiplier array is configured to multiply w bits of an operand Q by W bits of a modulo M. An adder array is configured to add outputs of the first and second multiplier arrays to generate a sum. A partial sum array is configured to store a left portion of the sum. A memory is configured to store a right portion of the sum. Q computation logic includes a lookup table and a half-multiplier that compute W bits of the operand Q sequentially in 2 · W w cycles or W w cycles. The W bits of the operand Q are stored in the fourth buffer for use by subsequent W×W operations.

Abstract: A math engine is provided capable of supporting large complex mathematical computations, such as modulo math computations involved in cryptography, while remaining easily reconfigurable, upgradeable and scalable. As new algorithms and specifications are desired to be solved, the math engine can be easily updated to accommodate the new requirements. These systems employ layers of cells, wherein individual cells are responsible for calculations. Thus, the complexity of the mathematical computation is broken down into cells which are easily added, removed, changed or substituted. The cells may be interchangeable and programmable, and provide flexibility and reconfigurability to the system at low or near-zero cost. When additional algorithms are desired, additional appropriate cells are simply added or changed.

Abstract: Hardware and processes are provided for efficient interpretation of multi-value signals. The multi-value signals have a first voltage range with is used to indicate multiple numerical or logical values, and a second voltage range that is used to provide control functions. In one example, the multi-value circuitry is arranged as a set of rows and columns, which may be cascaded together. The control function can be implemented to cause portions of rows, columns, or cascaded connections to be powered off, thereby saving power and enabling more efficient operation.

Abstract: A method for protecting the generation, by an electronic circuit, of at least one prime number by testing the primality of successive candidate numbers, including for each candidate number tests of primality with respect to prime numbers of at least one set of consecutive prime numbers, wherein the order of application of the tests is modified at least from one prime number generation to another.

Abstract: A residue generating circuit for an execution unit that supports vector operations includes an operand register and a residue generator coupled to the operand register. The residue generator includes a first residue generation tree coupled to a first section of the operand register and a second residue generation tree coupled to a second section of the operand register. The first residue generation tree is configured to generate a first residue for first data included in the first section of the operand register. The second residue generation tree is configured to generate a second residue for second data included in a second section of the operand register. The first section of the operand register includes a different number of register bits than the second section of the operand register.

Abstract: A modular multiplication processing apparatus is provided that can process modular multiplication of data exceeding a bit length which a coprocessor can readily process, by using the coprocessor based upon Montgomery multiplication In the modular multiplication processing apparatus, data to be subjected to modular multiplication is decomposed, and the decomposed data elements are transformed into a form suitable for Montgomery multiplication, respectively. Further, after respective data elements are transformed to have sizes that can be inputted into a coprocessor, Montgomery multiplication is repeatedly performed in the coprocessor. A remainder of Montgomery multiplication of an original bit length is restored from the obtained remainder.

Abstract: Provided is a method of calculating a negative inverse of a modulus, wherein the negative inverse, which is an essential element in Montgomery multiplication, is quickly obtained. The method includes setting a modulus, defining P obtained by converting the modulus to a negative number, and defining S obtained by subtracting 1 from P, and calculating a negative inverse of the modulus by using P and S.

Abstract: A dividing unit sets an actual packet length transferred from a packet receiving section to a variable U, and then sets 2? to a variable V. If a positive number determining section determines that a subtraction result of subtracting a remainder N0 from a quotient M0, both found by dividing U by V, is a positive number, the dividing unit overwrites the subtraction result to U. The dividing unit repeats such operations of dividing the subtraction result by V, until the positive number determining section determines that the subtraction result of subtracting the remainder from the quotient, both found by dividing U by V, is a non-positive number. When the subtraction result becomes a non-positive number and the quotient and the remainder match, a packet length determining section determines that received data has a normal size, and notifies it to a discard determining section.

Abstract: Safeguarding communication channels is required in particular in wireless networks. The use of encryption mechanisms in the form of software is limited by the required calculation and energy capacities of mobile terminals. Costs are of significance when using hardware solutions for cryptographic operations. The present invention provides an approach which simultaneously tackles all those points. It concerns a hardware accelerator for polynomial multiplication in extended Galois fields (GF), wherein the per se known Karatsuba method is iteratively applied in accordance with the invention. When using the invention the area requirement can be reduced for example from 6.2 mm2 to 2.1 mm2. The solution according to the invention also reduces the energy consumption in comparison with solutions in accordance with the state of the art by 30%.

Abstract: The RNS-based cryptographic system and method uses a symmetric residue number system (RNS) for encryption and decryption of messages, i.e., the sender and receiver agree upon a set of relatively prime numbers, referred to as the basis, whose product is an integer, and both the RNS and the integer are kept secret. To break the cipher, an attacker must factor the secret integer, which is unknown to the attacker, given only the upper bound of the unknown integer, a problem referred to as blind factorization of the unknown integer, which is a computationally hard problem. The method may be combined with a discrete logarithm problem, and the ciphertext may be padded with random values to hide the upper bound of the unknown integer. When the ciphertext requires multiple blocks, subsets of the basis and/or the random number padding may be used to prevent collision attacks.

Abstract: Provided are a modular multiplier apparatus in which a value of a long path carry (LPC) is predicted to reduce a critical path of an arithmetic operation of Montgomery modular multiplication, and a method of reducing the critical path of the arithmetic operation.

Abstract: In a computing device that calculates a square of an element in a finite field, a vector representation of the element in the finite field is accepted. The vector representation includes a plurality of elements. The computing device performs a multiplication operation on a base field using the accepted elements, and obtains a multiplication value. The multiplication operation is determined by a condition under which the element in the finite field is placed in an algebraic torus. The computing device performs an addition and subtraction operation using the obtained multiplication value and the accepted elements, and obtains a calculation result of the square of the element. The addition and subtraction operation is determined by the condition. The computing device then outputs the calculation result.

Abstract: During a method, a modulus circuit determines a modulus base p of a first number and a modulus base p of a second number. Also, the modulus circuit performs the operation using the modulus base p of the first number and the modulus base p of the second number, and calculates a modulus base p of the result of the operation involving the first number and the second number. Next, the modulus circuit compares the result of the operation carried out on the modulus base p of the first number and the modulus base p of the second number with the modulus base p of the operation performed on the first number and the second number to identify potential errors associated with the operation. Moreover, the modulus circuit repeats the method to identify additional potential errors associated with the operation, where the determining and calculating operations are repeated using moduli base q.