Patent classifications
G06F7/722
Unified integer and carry-less modular multiplier and a reduction circuit
In one embodiment, a processor comprises a multiplier circuit to operate in an integer multiplication mode responsive to a first value of a configuration parameter; and operate in a carry-less multiplication mode responsive to a second value of the configuration parameter.
METHOD AND SYSTEM FOR SECURELY STORING DATA USING A SECRET SHARING SCHEME
A method of securely storing a target number is provided based on the Chinese Remainder Theorem. A set of n congruence pairs of numbers is generated, wherein a target number (a secret) can be uniquely derived from any t out of the n pairs. In one aspect the divisors are pre-selected such that any randomly selected n integers from the sequence are a valid Asmuth-Bloom sequence for any access structure (t, n) where 1 < t ≤ n ≤ N. In another aspect, means are provided for prestoring members of a Mignotte or Asmuth-Bloom sequence of N divisors in a look-up table from which n divisors can be selected. In this way a flexible access structure is supported. CRT secret shares for a selected access structure can be generated without having to perform the laborious process of calculating Mignotte sequences for each secret and access structure. Storage required to store the secret shares is also reduced by storing and retrieving congruence pairs in the form of an index and a remainder.
Method and apparatus for generating key stream
A method for generating a key stream according to an embodiment includes generating r round keys that are each N-dimensional integer vectors including elements of an integer set defined based on a prime number t, based on a random bit string, an encryption counter, and a secret key that is an N-dimensional integer vector consisting of elements of the integer set, generating a first round output vector x_1 by performing a modular addition operation on an initial vector and a first round key RK_1 of the r round keys with the prime number t as a modulus, and generating a key stream that is an N-dimensional integer vector consisting of elements of the integer set from the first round output vector x_1 by using the second to r-th round keys of the r round keys, and one or more first round functions and a second round function.
Modular multiplication device and method
There is provided a modular multiplication device for performing a multiplication of a first multiplicand and a second multiplicand modulo a given modulus, each of the multiplicands comprising a given number of digits, each digit having a given word size. The modular multiplication device comprises: a multiplier for multiplying at least one digit of the first multiplicand with the second multiplicand to produce a multiplier output; a modular reduction unit configured to reduce a quantity derived from the multiplier output by the product of an extended modulus and an integer coefficient, the extended modulus being the product of the given modulus with an extension parameter, which provides a reduction output, the reduction output being a positive integer strictly smaller than the extended modulus; wherein the modular multiplication device further comprises a selection unit configured to select the extension parameter such that the time taken for the device to perform the multiplication is independent of the multiplicands.
Apparatus and method for modular multiplication
An apparatus and method for modular multiplication. The modular multiplication apparatus includes a first operation unit for performing a first operation based on a structure of at least one of a serial multiplier and a serial squarer-based multiplier; a second operation unit for performing a second operation based on a structure of at least one of the serial multiplier and the serial squarer-based multiplier; an adder unit for outputting the sum of results of the first operation and the second operation, inputting an intermediate value stream to the first input unit, which calculates the product of the intermediate value stream and a zeta parameter, and outputting a High-Order Term as a result of Montgomery Modular Multiplication, wherein the first and second operation units output a result in digit-serial format in order from the least significant digit to the most significant digit.
METHOD, DEVICE, AND SYSTEM FOR TASK PROCESSING
A number of RSA computing tasks whose word lengths differ and are each less than the maximum word length of an operand register are processed at the same time by combining several of those word lengths so that their sum is equal to or less than the maximum word length of the operand register.
HARDWARE ACCELERATOR FOR COMPUTING AN ALGEBRAIC FUNCTION
A multi-thread processor computes a function requiring only modular additions and multiplications. Memories store constants, multi-bit elements, and multiple instruction sets. A multiplier receives first and second multiplier operands, generates their product, which is fed to an adder as a first operand and added to a second adder operand, the sum being stored in an accumulator memory. Each instruction set is executed on a successive clock, and includes instructions for defining respective addresses in the memories from which constants, elements and sums are to be accessed. A scheduler maintains a schedule of threads executable by the processor in parallel, and is configured on each successive clock to cycle through the threads and initiate a first available thread. Selectors responsive to instructions received from the program memory select the required multiplier and adder operands. A multi-core system executes multiple parallel threads on multiple processors allowing complex functions to be computed efficiently.
RSA algorithm acceleration processors, methods, systems, and instructions
A processor includes a decode unit to decode an instruction. The instruction indicates a first 64-bit source operand having a first 64-bit value, indicates a second 64-bit source operand having a second 64-bit value, indicates a third 64-bit source operand having a third 64-bit value, and indicates a fourth 64-bit source operand having a fourth 64-bit value. An execution unit is coupled with the decode unit. The execution unit is operable, in response to the instruction, to store a result. The result includes the first 64-bit value multiplied by the second 64-bit value added to the third 64-bit value added to the fourth 64-bit value. The execution unit may store a 64-bit least significant half of the result in a first 64-bit destination operand indicated by the instruction, and store a 64-bit most significant half of the result in a second 64-bit destination operand indicated by the instruction.
EFFICIENT MODULAR MULTIPLICATION MODULO 2^23 - 2^13 + 1
A data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for performing a modular multiplication of a first operand a and a second operand b in a DILITHIUM digital signature algorithm in a processor, the instructions including: calculate S = c_1·2^13 − c_1 + c_0 (mod q), wherein a·b_1 = c_1·2^23 + c_0, 0 ≤ a·b_1 < 2^33, the modulus q = 2^23 − 2^13 + 1, and b = b_1·2^13 + b_0; calculate T = d_1 − d_0·2^10 + d_0 (mod q), wherein d = a·b_0 = d_1·2^13 + d_0, 0 ≤ d < 2^36, 0 ≤ d_1 < 2^23, and 0 ≤ d_0 < 2^13; calculate c = S + T ≡ a·b·2^(−13) (mod q); and calculate a digital signature of a message using the calculated a·b.