Including Particular Multiplication Or Exponentiation Circuit Patents (Class 713/174)
  • Patent number: 7174016
    Abstract: The present invention concerns an anti-SPA modular exponentiation algorithm in an electronic component using a public key ciphering algorithm. A pair of registers and an indicator are used to provide symmetrical processing of bits in the algorithm, so that the values of individual bits cannot be determined from power consumption.
    Type: Grant
    Filed: January 18, 2001
    Date of Patent: February 6, 2007
    Assignee: Gemplus
    Inventor: Olivier Benoit
  • Patent number: 7167559
    Abstract: In an exponentiation device, a relatively large table is generated outside of a coprocessor so as to enable high-speed exponentiation to be performed using the small window method. The selection of data from the table and transfer of data to the coprocessor are conducted in parallel with a multiple-length arithmetic operation performed in the coprocessor. So as to avoid bottlenecks occurring in the data transfer between a CPU and the coprocessor, two data banks are provided in the coprocessor for storing the data to be used in the arithmetic operation. By providing two banks in the coprocessor, it is possible to use one for transferring data while data stored in the other is being used in the arithmetic operation. When the operation using the stored data has been completed, the banks are switched, and the arithmetic operation is then repeated using the newly transferred data while at the same time conducting data transfer in readiness for the following operation.
    Type: Grant
    Filed: March 25, 2002
    Date of Patent: January 23, 2007
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Takatoshi Ono, Natsume Matsuzaki, Toshihisa Nakano
  • Patent number: 7123717
    Abstract: A countermeasure method in an electronic component which uses an RSA-type public key cryptographic algorithm. A first countermeasure method uses a random calculation for each new execution of the decryption algorithm with CRT. The calculations are made modulo p*r and q*t, r and t being random numbers. A second countermeasure makes the recombination random using the CRT theorem.
    Type: Grant
    Filed: October 13, 2000
    Date of Patent: October 17, 2006
    Assignee: Gemplus
    Inventors: Jean-Sebastien Coron, Pascal Paillier
  • Patent number: 7113593
    Abstract: A method and apparatus for performing cryptographic computations employing recursive algorithms to accelerate multiplication and squaring operations. Products and squares of long integer values are recursively reduced to a combination of products and squares of reduced-length integer values in a host processor. The reduced-length integer values are passed to a co-processor. The values may be randomly ordered to prevent disclosure of secret data.
    Type: Grant
    Filed: March 6, 2001
    Date of Patent: September 26, 2006
    Assignee: Ericsson Inc.
    Inventors: Paul W. Dent, Ben Smeets, William J. Croughwell, III
  • Patent number: 7111166
    Abstract: An extension of the serial/parallel Montgomery modular multiplication method with simultaneous reduction as previously implemented by the applicants, adapted innovatively to perform both in the prime number and in the $GF(2^q)$ polynomial based number field, in such a way as to simplify the flow of operands, by performing a multiple anticipatory function to enhance the previous modular multiplication procedures.
    Type: Grant
    Filed: May 14, 2001
    Date of Patent: September 19, 2006
    Assignee: Fortress U&T Div. M-Systems Flash Disk Pioneers Ltd.
    Inventors: Itai Dror, Carmi David Gressel, Michael Mostovoy, Alexey Molchanov
  • Patent number: 7080262
    Abstract: Described herein is one or more implementations for compressing one or more keys.
    Type: Grant
    Filed: November 5, 2004
    Date of Patent: July 18, 2006
    Assignee: Microsoft Corporation
    Inventor: Josh D. Benaloh
  • Patent number: 7073069
    Abstract: A digital logic circuit comprises a programmable logic device and a programmable security circuit. The programmable security circuit stores a set of authorized configuration security keys. The programmable security circuit compares the authorized configuration security keys with an incoming configuration request, and selectively enables a new configuration for the programmable logic device in response to the configuration request. In another exemplary embodiment, a programmable security circuit also stores a set of authorized operation security keys. The programmable security circuit compares the authorized operation security keys with an incoming operation request from the programmable logic device, and selectively enables an operation within the programmable logic device in response to the operation request.
    Type: Grant
    Filed: May 5, 2000
    Date of Patent: July 4, 2006
    Assignee: Infineon Technologies AG
    Inventors: Stephen L. Wasson, David K. Varn, John D. Ralston
  • Patent number: 7055033
    Abstract: Various embodiments pertain to an integrated circuit (IC) device, such as smart cards, electronic wallets, PC cards, and the like, and various methods for steganographically authenticating identities and authorizing transactions based on the authenticated identities.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: May 30, 2006
    Assignee: Microsoft Corporation
    Inventor: Scott B. Guthery
  • Patent number: 7027597
    Abstract: A pre-computation and dual-pass modular operation approach to implement encryption protocols efficiently in electronic integrated circuits is disclosed. An encrypted electronic message is received and another electronic message generated based on the encryption protocol. Two passes of Montgomery's method are used for a modular operation that is associated with the encryption protocol along with pre-computation of a constant based on a modulus. The modular operation may be a modular multiplication or a modular exponentiation. Modular arithmetic may be performed using the residue number system (RNS) and two RNS bases with conversions between the two RNS bases. A minimal number of register files are used for the computations along with an array of multiplier circuits and an array of modular reduction circuits. The approach described allows for high throughput for large encryption keys with a relatively small number of logical gates.
    Type: Grant
    Filed: September 18, 2001
    Date of Patent: April 11, 2006
    Assignee: Cisco Technologies, Inc.
    Inventors: Mihailo M. Stojancic, Mahesh S. Maddury, Kenneth J. Tomei
  • Patent number: 7027598
    Abstract: A pre-computation and dual-pass modular operation approach to implement encryption protocols efficiently in electronic integrated circuits is disclosed. An encrypted electronic message is received and another electronic message generated based on the encryption protocol. Two passes of Montgomery's method are used for a modular operation that is associated with the encryption protocol along with pre-computation of a constant based on a modulus. The modular operation may be a modular multiplication or a modular exponentiation. Modular arithmetic may be performed using the residue number system (RNS) and two RNS bases with conversions between the two RNS bases. A minimal number of register files are used for the computations along with an array of multiplier circuits and an array of modular reduction circuits. The approach described allows for high throughput for large encryption keys with a relatively small number of logical gates.
    Type: Grant
    Filed: September 19, 2001
    Date of Patent: April 11, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Mihailo M. Stojancic, Mahesh S. Maddury, Kenneth J. Tomei
  • Patent number: 7000111
    Abstract: A mobile terminal for use in a mobile communications system includes a SIM card storing subscriber related data. For security, the SIM card performs secret cryptographic calculations with secret numbers. Secret information is hidden from outside observation by scheduling the calculations using a precomputed, fixed randomization schedule in such a way that externally observable parameters of the device cannot be associated to particular pieces, bits, symbols or values of the secret information.
    Type: Grant
    Filed: November 7, 2000
    Date of Patent: February 14, 2006
    Assignee: Ericsson Inc.
    Inventors: Paul W. Dent, Michael Kornby
  • Patent number: 6996722
    Abstract: In a data communications system a remote data source outputs data as a series of application data units (ADUs). Each ADU is individually encrypted with a different key. The keys are transmitted (for example using Internet multicasting) via a communications network to one or more customer terminals. At the terminals a sequence of keys is generated for use in decrypting the ADUs. A record is kept of the keys generated, and this record may subsequently be used to generate a receipt for the data received by the customer. The keys may be generated, and the record stored within a secure module such as a smartcard.
    Type: Grant
    Filed: December 15, 1998
    Date of Patent: February 7, 2006
    Assignee: British Telecommunications public limited company
    Inventors: Ian R Fairman, Robert J Briscoe
  • Patent number: 6993136
    Abstract: A method of exchanging a cryptographic key between two users that includes the steps of selecting a value p from $p=(2^{dk}-2^{ck}-1)/r$, $p=(2^{dk}-2^{(d-1)k}+2^{(d-2)k}-$ . . .
    Type: Grant
    Filed: August 9, 2001
    Date of Patent: January 31, 2006
    Assignee: The United States of America as represented by the National Security Agency
    Inventor: Jerome Anthony Solinas
  • Patent number: 6988197
    Abstract: In a communication system, an authentication ciphering offset (ACO) is generated as a function of one or more parameters, wherein at least one of the one or more parameters is derived from earlier-computed values of the ACO. This enables each device to avoid generating an ACO value that is out of synchronization with a counterpart ACO value generated in another communication device.
    Type: Grant
    Filed: August 4, 2000
    Date of Patent: January 17, 2006
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Joakim Persson, Bernard Smeets, Tobias Melin
  • Patent number: 6954855
    Abstract: Various embodiments pertain to an integrated circuit (IC) device, such as smart cards, electronic wallets, PC cards, and the like, and various methods for steganographically authenticating identities and authorizing transactions based on the authenticated identities.
    Type: Grant
    Filed: December 23, 2004
    Date of Patent: October 11, 2005
    Assignee: Microsoft Corporation
    Inventor: Scott B. Guthery
  • Patent number: 6931127
    Abstract: An encryption device of the present invention eliminates data contention and minimizes area by using a faster memory that can access data multiple times within a given time.
    Type: Grant
    Filed: May 30, 2001
    Date of Patent: August 16, 2005
    Assignee: Hynix Semiconductor Inc.
    Inventor: Young-Won Lim
  • Patent number: 6925563
    Abstract: A circuit for the implementation of modular multiplication of numbers comprises an alternative formation of the algorithm first proposed by R. C. Montgomery. The modified Montgomery algorithm is implemented in one of a plurality of circuits comprising full adders, half adders, registers and gates.
    Type: Grant
    Filed: September 21, 2000
    Date of Patent: August 2, 2005
    Assignee: Raytheon Company
    Inventor: William T. Jennings
  • Patent number: 6920562
    Abstract: An encryption mechanism tightly-couples hardware data encryption functions with software-based protocol decode processing within a pipelined processor of a programmable processing engine. Tight-coupling is achieved by a micro-architecture of the pipelined processor that allows encryption functions to be accessed as a novel encryption execution unit of the processor. Such coupling substantially reduces the latency associated with conventional hardware/software interfaces.
    Type: Grant
    Filed: December 18, 1998
    Date of Patent: July 19, 2005
    Assignee: Cisco Technology, Inc.
    Inventors: Darren Kerr, John William Marshall
  • Patent number: 6907526
    Abstract: Disclosed herein are an IC card and a microcomputer which have implemented the strengthening of security and the speeding up and enhancement of signal processing for the security. In an IC card, which is supplied with an operating voltage by an electrical connection between each of external terminals and a read/write device, and includes an input-output operation of data with an encoding process or a decoding process, a disturbance-aimed processing operation is included in the encoding process or decoding process to uniformalize timings provided to operate an internal circuit and its operating current. In a microcomputer having a module configuration including an input-output operation of data with an encoding process or a decoding process, a disturbance-aimed processing operation is included in the encoding process or decoding process to uniformalize timings provided to operate an internal circuit and its operating current.
    Type: Grant
    Filed: January 5, 2001
    Date of Patent: June 14, 2005
    Assignees: Renesas Technology Corp., Hitachi ULSI Systems Co., Ltd.
    Inventors: Chiaki Tanimoto, Kunihiko Nakada, Takashi Tsukamoto, Shigeo Hirabayashi, Hiroshi Watase, Masatoshi Takahashi, Yuuichirou Nariyoshi
  • Patent number: 6898284
    Abstract: A method of identifying user, generating digital signature, and verifying digital signature by selecting a modulus p in the form of $p=(2^{dk}-2^{ck}-1)/r$, $p=(2^{dk}-2^{(d-1)k}+2^{(d-2)k}-\cdots-2^{k}+1)/r$, $p=(2^{dk}-2^{ck}-1)/r$, $p=(2^{dk}-2^{ck}+1)/r$, and $p=(2^{4k}-2^{3k}+2^{2k}+1)/r$, selecting an elliptic curve E and an order q; selecting a basepoint G; generating a private key w; generating a public key $W=wG$; distributing p, E, q, G, and W to at least a prover, a verifier, and a signer; generating the prover's private key $w_p$ and public key $W_p=w_pG$; retrieving the prover's public key $W_p$; generating a private integer $k_p$; combining $k_p$ and G to form K using p; sending K to the verifier; sending a challenge integer c to the prover; combining c, $k_p$, and $w_p$ to form a response integer v; sending v to the verifier; combining cG, K, and $W_p$ using p and checking to see if the combination is equal to vG. If not so, stop.
    Type: Grant
    Filed: August 9, 2001
    Date of Patent: May 24, 2005
    Assignee: The United States of America as represented by the National Security Agency
    Inventor: Jerome Anthony Solinas
  • Patent number: 6857075
    Abstract: The present invention is a key conversion system for deterministically and reversibly converting a first key value of a first communications system into a second key value of a second communication system. For example, the key conversion system generates a first intermediate value from at least a portion of the first key value using a first random function. At least a portion of the first intermediate value is provided to a second random function to produce a second value. An exclusive-or is performed on at least a portion of the first key value and at least a portion of the second value to generate a second intermediate value. At least a portion of the second intermediate value is provided to a third random function to produce a third value.
    Type: Grant
    Filed: December 11, 2000
    Date of Patent: February 15, 2005
    Assignee: Lucent Technologies Inc.
    Inventor: Sarvar Patel
  • Patent number: 6779112
    Abstract: This invention concerns an integrated circuit (IC) device, such as smart cards, electronic wallets, PC cards, and the like, and various methods for steganographically authenticating identities and authorizing transactions based on the authenticated identities. The IC device has a memory and a processor. The IC device maintains an identity authentication table in the memory to hold an arbitrary number of identities. The identity authentication table correlates identities with authentication structures. In preferred embodiments, the authentication structures each comprise a collection of commands, such as data processing commands, that are normally associated with data handling capabilities of the IC device. The commands are arranged into unique groupings that serve to identify the identity with which they are associated. Authentication can then take place outside of detectable cryptographic protocols.
    Type: Grant
    Filed: November 5, 1999
    Date of Patent: August 17, 2004
    Assignee: Microsoft Corporation
    Inventor: Scott B. Guthery
  • Patent number: 6687376
    Abstract: A circuit is designed with a first register circuit (364) arranged to store a state matrix. A memory circuit (710) is arranged to store a plurality of addressable matrices. A control circuit (700) is coupled to receive a delay value and a clock signal. The control circuit is arranged to address a selected matrix from the plurality of addressable matrices in response to the delay value and the clock signal. A backward register circuit (420) is coupled (712) to receive the selected matrix. The backward register circuit is arranged to produce a plurality of shifted matrices from the selected matrix in response to the clock signal. A logic circuit (330-354) is coupled to receive the state matrix, the selected matrix and the plurality of shifted matrices. The logic circuit produces a logical combination of the state matrix and each of the selected matrix and the plurality of shifted matrices.
    Type: Grant
    Filed: December 29, 1998
    Date of Patent: February 3, 2004
    Assignee: Texas Instruments Incorporated
    Inventor: Hirohisa Yamaguchi
  • Patent number: 6678733
    Abstract: A walled garden contains links to one or more servers providing network-based services. A walled garden proxy server (WGPS) controls access to the walled garden. When a user of a client wishes to access a service in the walled garden, the client sends a request to the WGPS including a plot number identifying the service and a ticket granting the client access to the service. The WGPS denies access to clients lacking a ticket or presenting invalid tickets. In response, the client contacts a gateway server (GS) having a database of users and associated access rights. The user presents authentication information to the GS. If the user positively authenticates, the GS generates a ticket containing a Box ID from the client, an expiration date, and set of bits representing the access rights of the user. The GS encrypts the ticket and gives it to the client.
    Type: Grant
    Filed: October 26, 1999
    Date of Patent: January 13, 2004
    Assignee: At Home Corporation
    Inventors: Ralph W. Brown, Robert Keller, Milo S. Medin
  • Publication number: 20030021410
    Abstract: In an IC card incorporating residual multiplier hardware for implementing a high-speed algorithm for a residual multiplication arithmetic, a method and a device capable of executing a public key encryption processing such as an elliptic curve encryption processing at a high speed. Residual arithmetic succeeding to generation of a random number and residual arithmetic in a signature generating processing can be executed by using a residual multiplier. Further, in order to use effectively the residual multiplier for arithmetic operation on an elliptic curve, the point on the elliptic curve is transformed from a two-dimensional affine coordinate system to a three-dimensional coordinate system. Additionally, multiplicative inverse arithmetic for realizing reverse transformation from the three-dimensional coordinate system to the two-dimensional affine coordinate system as well as for determining a signature s can be executed only with the residual multiplication arithmetic.
    Type: Application
    Filed: September 24, 2002
    Publication date: January 30, 2003
    Applicant: Hitachi, Ltd.
    Inventors: Seiji Miyazaki, Kazuo Takaragi
  • Publication number: 20020169960
    Abstract: A storage device includes a tamper-resistant module and a flash memory. In correspondence with a command, a CPU inside the tamper-resistant module judges the security of data received from the outside, then recording the data as follows: High-security and small-capacity data is recorded into a memory inside the tamper-resistant module. High-security and large-capacity data is encrypted, then being recorded into the flash memory. Low-security data is recorded as it is into the flash memory. This recording method permits large-capacity data to be stored while ensuring a security (i.e., a security level) corresponding thereto.
    Type: Application
    Filed: February 5, 2002
    Publication date: November 14, 2002
    Inventors: Shinya Iguchi, Takashi Tsunehiro, Motoyasu Tsunoda, Haruji Ishihara, Nagamasa Mizushima, Takashi Totsuka
  • Patent number: 6466668
    Abstract: In an IC card incorporating residual multiplier hardware for implementing a high-speed algorithm for a residual multiplication arithmetic, a method and a device capable of executing public key encryption processing such as an elliptic curve encryption processing at a high speed. Residual arithmetic succeeding to generation of a random number and residual arithmetic in a signature generating processing can be executed by using a residual multiplier. Further, in order to use effectively the residual multiplier for arithmetic operation on an elliptic curve, the point on the elliptic curve is transformed from a two-dimensional affine coordinate system to a three-dimensional coordinate system. Additionally, multiplicative inverse arithmetic for realizing reverse transformation from the three-dimensional coordinate system to the two-dimensional affine coordinate system as well as for determining a signature s can be executed only with the residual multiplication arithmetic.
    Type: Grant
    Filed: January 26, 1999
    Date of Patent: October 15, 2002
    Assignee: Hitachi, Ltd.
    Inventors: Seiji Miyazaki, Kazuo Takaragi
  • Patent number: 6408075
    Abstract: An IC card having a storage memory including a program storage unit for storing a program and a data storage unit for storing data and a central processing unit for executing a predetermined process in accordance with the program to process the data, the program including one or more data process units each having a process instruction for giving an execution instruction to the central processing unit, wherein a data process order is randomly exchanged and a dummy process is added to thereby reduce the dependency of consumption current of an IC chip upon the data process.
    Type: Grant
    Filed: March 14, 2000
    Date of Patent: June 18, 2002
    Assignee: Hitachi, Ltd.
    Inventors: Masaru Ohki, Yasuko Fukuzawa, Susumu Okuhara, Masahiro Kaminaga
  • Publication number: 20020073316
    Abstract: Ownership of a secure process is enabled with a cryptographic system. Methods initializing and operating the cryptographic system transfer control from the loading program to the loaded program and, in essence from the cryptographic system vendor to its end-user. As a result, ownership of the secure process can be relinquished to the end-user so that it alone can subsequently use the cryptographic system to control the secure process of loading and running its user-programs. The cryptographic system and methods allow for secure operations and protect against tampering with application software. The application program is retrieved from an encrypted file in external memory and authenticated by the cryptographic system before being executed.
    Type: Application
    Filed: September 7, 2001
    Publication date: June 13, 2002
    Inventors: Thomas Collins, John Gregory, Ralph Bestock
  • Patent number: 6404890
    Abstract: Techniques are provided for generation of an RSA modulus having a predetermined portion. The predetermined portion may be the leading digits of the modulus, or split between the leading and trailing digits of the modulus. The resulting RSA modulus has the same security level as conventional RSA moduli, but requires less storage space. Significant performance improvements may be obtained for encryption, decryption, digital signature generation and digital signature verification when using RSA moduli in a specifically chosen format, as the division portion of a modulo operation is accomplished using only multiplication operations, and without using division operations.
    Type: Grant
    Filed: April 8, 1998
    Date of Patent: June 11, 2002
    Assignee: Citibank, NA
    Inventor: Arjen K. Lenstra
  • Patent number: 6381699
    Abstract: The present invention provides a method and apparatus for securing cryptographic devices against attacks involving external monitoring and analysis. A “self-healing” property is introduced, enabling security to be continually re-established following partial compromises. In addition to producing useful cryptographic results, a typical leak-resistant cryptographic operation modifies or updates secret key material in a manner designed to render useless any information about the secrets that may have previously leaked from the system. Exemplary leak-proof and leak-resistant implementations of the invention are shown for symmetric authentication, certified Diffie-Hellman (when either one or both users have certificates), RSA, ElGamal public key decryption, ElGamal digital signing, and the Digital Signature Algorithm.
    Type: Grant
    Filed: December 13, 2000
    Date of Patent: April 30, 2002
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe
  • Publication number: 20020044649
    Abstract: This invention provides a method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps of selecting an elliptic curve over a finite field $F_q$ where q is a prime power such that there exists an endomorphism $\Psi$, where $\Psi(Q)=\lambda\cdot Q$ for all points Q(x,y) on the elliptic curve: and using smaller representations $k_i$ of the scalar k in combination with the mapping $\Psi$ to compute the scalar multiple of the elliptic curve point Q.
    Type: Application
    Filed: June 22, 2001
    Publication date: April 18, 2002
    Applicant: CERTICOM CORP.
    Inventors: Robert Gallant, Robert Lambert, Scott A. Vanstone
  • Patent number: 6356636
    Abstract: A co-processor (44) executes a mathematical algorithm that computes modular exponentiation equations for encrypting or decrypting data. A pipelined multiplier (56) receives sixteen bit data values stored in an A/B RAM (72) and generates a partial product. The generated partial product is summed in an adder (58) with a previous partial product stored in a product RAM (64). A modulo reducer (60) causes a binary data value N to be aligned and added to the summed value when a particular data bit location of the summed value has a logic one value. An N RAM (70) stores the data value N that is added in a modulo reducer (60) to the summed value. The co-processor (44) computes the Foster-Montgomery Reduction Algorithm and reduces the value of (A*B mod N) without having to first compute the value of $\mu$ as is required in the Montgomery Reduction Algorithm.
    Type: Grant
    Filed: July 22, 1998
    Date of Patent: March 12, 2002
    Assignee: Motorola, Inc.
    Inventors: Robert I. Foster, John Michael Buss, Rodney C. Tesch, James Douglas Dworkin, Michael J. Torla
  • Publication number: 20010033655
    Abstract: A method for determining a result of a group operation performed an integral number of times on a selected element of the group, the method comprises the steps of representing the integral number as a binary vector; initializing an intermediate element to the group identity element; selecting successive bits, beginning with a left most bit, of the vector. For each of the selected bits; performing the group operation on the intermediate element to derive a new intermediate element; replacing the intermediate element with the new intermediate element; performing the group operation on the intermediate element and an element, selected from the group consisting of: the group element if the selected bit is a one; and an inverse element of the group element if the selected bit is a zero; replacing the intermediate element with the new intermediate element.
    Type: Application
    Filed: January 18, 2001
    Publication date: October 25, 2001
    Inventors: Ashok Vadekar, Robert J. Lambert
  • Patent number: 6304660
    Abstract: A security document processing apparatus is provided having a feed path for receiving documents and at least one imaging assembly for capturing image data from documents received in the apparatus. The apparatus may include a material detection imaging assembly for detecting the material composition of certain materials on documents received in the apparatus. The material detection imaging assembly may detect material on a document by detecting transmissivity characteristics, or by sensing radiation emission characteristics of a document in the case received documents are of a type including radiation wavelength sensitive additives incorporated therein.
    Type: Grant
    Filed: June 2, 1998
    Date of Patent: October 16, 2001
    Assignee: Welch Allyn Data Collection, Inc.
    Inventors: Michael A. Ehrhart, Robert M. Hussey, Todd A. Dueker, Cayetano Sanchez, III, Walter Szrek, John C. Abraitis
  • Publication number: 20010010077
    Abstract: A computationally efficient multiplication method and apparatus for modular exponentiation. The apparatus uses a preload register, coupled to a multiplier at a second input port via a KN bit bus to load the value of the “a” multiplicand in the multiplier in a single clock pulse. The “b” multiplicand (which is also KN bits long) is supplied to the multiplier N bits at a time from a memory output port via an N bit bus coupled to a multiplier first input port. The multiplier multiplies the N bits of the “b” multiplicand by the KN bits of the “a” multiplicand and provides that product at a multiplier output N bits at a time, where it can be supplied to the memory via a memory input port.
    Type: Application
    Filed: January 11, 2001
    Publication date: July 26, 2001
    Inventors: Matthew Scott McGregor, Thuan P. Le
  • Patent number: 6263081
    Abstract: A fixed-point multiple calculation apparatus, for use in an encryption method and a signature method that use elliptic curves, finds multiples of a fixed point and an arbitrary point at high speed. The fixed-point multiple calculation apparatus generates pre-computation tables for multiples of digits at one-word intervals and for multiples of digits at half-word intervals. Using the tables, multiples of points on an elliptic curve are calculated using a doubling process, but with a reduced number of additions. This reduces the overall amount of required calculation.
    Type: Grant
    Filed: July 17, 1998
    Date of Patent: July 17, 2001
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Atsuko Miyaji, Takatoshi Ono
  • Patent number: 6144740
    Abstract: Disclosed is a method for designing public key cryptosystems against fault-based attacks in which secret information stored in a tamperfree device is revealed during the encryption/decryption or signature generation processes due to fault-based attacks. A new fault-resistant system which enables any fault existing in modular multiplications and exponential computations to be detected with a very high probability based on a coding approach. This method can be used to implement all cryptosystems whose basic operations are modular multiplications for resisting both memory and computational fault-based attacks with a very low computational overhead.
    Type: Grant
    Filed: May 20, 1998
    Date of Patent: November 7, 2000
    Assignees: Network Security Technology Co., Lan-Ying Chiang
    Inventors: Chi-Sung Laih, Fu-Kuan Tu, Yung-Chen Lee
  • Patent number: 6115472
    Abstract: A user sets $n=0$, his mail account A and password S, then computes $V_0=E(A,S)$, $W_0=E(A,V_0)$, $V_1=E(A,A\oplus 1)$, $W_1=E(A,V_1)$ and $M_0=E(W_1,V_0)$, and initially registers $W_0$, $W_1$, $M_0$ and A by e-mail in a mail server. At a visiting site the user sends a service request and A to the mail server from an arbitrary terminal connected to the Internet, and the mail server reads out the authentication session number n corresponding to the identifier A and sends it back to the user. The user computes $V_{n-1}=E(A,S\oplus(n-1))$, $V_{n+1}=E(A,S\oplus(n+1))$, $W_{n+1}=E(A,V_{n+1})$, $V_n=E(A,S\oplus n)$ and $M_n=E(W_{n+1},V_n)$ and sends $V_{n-1}$, $W_{n+1}$ and $M_n$ to the mail server. The mail server computes $E(A,V_{n-1})$ and $E(W_n,V_{n-1})$ and if they agree with preregistered $W_{n-1}$ and $M_{n-1}$, respectively, the mail server accepts the user as valid and sends a mail message of the user.
    Type: Grant
    Filed: September 9, 1997
    Date of Patent: September 5, 2000
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Akihiro Shimizu, Tsutomu Horioka, Hiroshi Hamada
  • Patent number: 6105013
    Abstract: The present invention relates to an electronic module used for secure transactions. More specifically, the electronic module is capable of passing information back and forth between a service provider's equipment via a secure, encrypted technique so that money and other valuable data can be securely passed electronically. The module is capable of being programmed, keeping track of real time, recording transactions for later review, and creating encryption key pairs.
    Type: Grant
    Filed: March 10, 1998
    Date of Patent: August 15, 2000
    Assignee: Dallas Semiconductor Corporation
    Inventors: Stephen M. Curry, Donald W. Loomis, Christopher W. Fox