Patent classifications
G06F7/724
Computation device and method
Some embodiments are directed to an electronic computation device (100) arranged for obfuscated execution of a multiplication. The device comprises a storage (120) arranged for storing multiple variables used in the execution of an arithmetic operation, a variable ($x$; $y$; 2) of the multiple variables being represented as multiple multiplicative shares ($X = (x_0, x_1, \ldots, x_{m-1})$; $Y = (y_0, y_1, \ldots, y_{m-1})$; 20), said multiplicative shares being represented in the storage as multiple additive shares ($x_i = (x_{i,0}, x_{i,1}, \ldots, x_{i,n-1})$; $y_i = (y_{i,0}, y_{i,1}, \ldots, y_{i,n-1})$; 210, 220).
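The representation in this abstract, worked through as an added example (not the patent's code): a value is held as m multiplicative shares whose product is the value, and each multiplicative share is stored as n additive shares. Multiplying two such values is done share-wise, so neither operand nor the product is ever formed in the clear. The field Z_P for the prime P below, m = 3, n = 2 and the requirement that the shared values be non-zero are assumptions of the example.

```python
"""Added example (not the patent's code): multiplication on values held as
multiplicative shares, each of which is stored as additive shares.
Assumptions: the field is Z_P for the prime P below, m = 3 multiplicative
shares, n = 2 additive shares per multiplicative share, and x, y != 0."""
import secrets

P = (1 << 61) - 1  # prime modulus; an assumption of this example


def to_mult_shares(x, m):
    """x -> (x_0, ..., x_{m-1}) with x_0 * ... * x_{m-1} == x (mod P). Needs x != 0."""
    if x % P == 0:
        raise ValueError("zero has no multiplicative sharing")
    shares = [secrets.randbelow(P - 1) + 1 for _ in range(m - 1)]  # random units
    prod = 1
    for s in shares:
        prod = prod * s % P
    shares.append(x * pow(prod, -1, P) % P)  # last share fixes the product
    return shares


def to_add_shares(v, n):
    """v -> (v_0, ..., v_{n-1}) with v_0 + ... + v_{n-1} == v (mod P)."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((v - sum(shares)) % P)
    return shares


def represent(x, m, n):
    """Storage form of the abstract: m additive sharings, x_i = (x_{i,0}, ..., x_{i,n-1})."""
    return [to_add_shares(xi, n) for xi in to_mult_shares(x, m)]


def mult_of_add_shares(a, b):
    """(sum_j a_j)(sum_k b_k) returned as n additive shares of the product.
    Cross term a_j*b_k goes to output index (j+k) mod n, so no output share
    equals a_j * b or a * b_k; a fresh sharing of zero re-randomizes the result."""
    n = len(a)
    out = [0] * n
    for j in range(n):
        for k in range(n):
            out[(j + k) % n] = (out[(j + k) % n] + a[j] * b[k]) % P
    zero = to_add_shares(0, n)
    return [(o + z) % P for o, z in zip(out, zero)]


def multiply(X, Y):
    """Obfuscated product: multiplicative share i of x*y is x_i * y_i, computed
    directly on the additive sharings. x, y and x*y never appear in the clear."""
    return [mult_of_add_shares(xi, yi) for xi, yi in zip(X, Y)]


def reconstruct(Z):
    """Open a representation: sum each additive sharing, multiply the results."""
    v = 1
    for zi in Z:
        v = v * (sum(zi) % P) % P
    return v


def demo(x, y, m=3, n=2):
    """Returns (x*y mod P, value recovered from the shared computation)."""
    Z = multiply(represent(x, m, n), represent(y, m, n))
    return x * y % P, reconstruct(Z)


if __name__ == "__main__":
    print(demo(123456789, 987654321))
```

The re-randomization with a fresh sharing of zero matters in practice: without it the output shares are deterministic functions of the input shares, which is exactly what a side-channel or white-box attacker correlates on.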
AGGREGATE GHASH-BASED MESSAGE AUTHENTICATION CODE (MAC) OVER MULTIPLE CACHELINES WITH INCREMENTAL UPDATES
Embodiments are directed to aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates. An embodiment of a system includes a controller comprising circuitry, the controller to generate an error correction code for a memory line, the memory line comprising a plurality of first data blocks, generate a metadata block corresponding to the memory line, the metadata block comprising the error correction code for the memory line and at least one metadata bit, generate an aggregate GHASH corresponding to a region of memory comprising a cacheline set comprising at least the memory line, encode the first data blocks and the metadata block, encrypt the aggregate GHASH as an aggregate message authentication code (AMAC), provide the encoded first data blocks and the encoded metadata block for storage on a memory module comprising the memory line, and provide the AMAC for storage on a device separate from the memory module.
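The aggregate GHASH and its incremental update, as an added example that is not the patent's code. GHASH is linear over GF(2^128), so when one block of a cacheline set changes the aggregate can be corrected by adding (old XOR new) times the matching power of H, rather than rehashing the whole region; the example also shows that the line's metadata block (it carries the ECC of the data) changes with the data and must be corrected too. The 64-byte line layout, the stand-in ECC (an XOR of the data blocks, not a real code), and the SHA-256 derivations of H and of the pad that turns the aggregate into the AMAC are assumptions standing in for the AES-based derivations a real controller would use.

```python
"""Added example (not the patent's code): an aggregate GHASH over a cacheline
set with incremental update, and its encryption into an AMAC.
Assumptions: 64-byte memory lines split into four 16-byte data blocks plus one
16-byte metadata block; the ECC in the metadata block is a stand-in (XOR of the
data blocks, not a real code); the GHASH key H and the pad that "encrypts" the
aggregate are derived with SHA-256 as stand-ins for AES-based derivations."""
import hashlib

R = 0xE1 << 120          # GCM reduction constant 11100001 || 0^120
ONE = 1 << 127           # multiplicative identity in GCM's bit ordering
BLOCKS_PER_LINE = 5      # 4 data blocks + 1 metadata block


def gf_mul(x, y):
    """Multiply in GF(2^128) with the bit ordering of NIST SP 800-38D, Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h, blocks):
    """GHASH_H(B_0..B_{L-1}) = sum_i B_i * H^(L-i); each block is 16 bytes."""
    y = 0
    for b in blocks:
        y = gf_mul(y ^ int.from_bytes(b, "big"), h)
    return y


def h_pow(h, e):
    r = ONE
    for _ in range(e):
        r = gf_mul(r, h)
    return r


def metadata_block(line, meta_bits):
    """Stand-in metadata block: 8 bytes of 'ECC' (XOR of the data blocks, not a
    real ECC) followed by the metadata bit(s), padded to 16 bytes."""
    ecc = bytes(line[i] ^ line[i + 16] ^ line[i + 32] ^ line[i + 48] for i in range(8))
    return ecc + bytes([meta_bits & 0xFF]) + b"\x00" * 7


def line_blocks(line, meta_bits):
    assert len(line) == 64
    return [line[i:i + 16] for i in range(0, 64, 16)] + [metadata_block(line, meta_bits)]


def aggregate_ghash(h, lines, meta):
    """Aggregate over the whole cacheline set, computed from scratch."""
    blocks = [b for ln, m in zip(lines, meta) for b in line_blocks(ln, m)]
    return ghash(h, blocks)


def incremental_update(h, agg, lines, meta, idx, new_line):
    """Replace line idx without rehashing the region: GHASH is linear, so the
    aggregate changes by (old ^ new) * H^e for every block that differs. The
    metadata block of the line changes too (its ECC covers the data), so both
    deltas are applied."""
    total = len(lines) * BLOCKS_PER_LINE
    base = idx * BLOCKS_PER_LINE
    old_b = line_blocks(lines[idx], meta[idx])
    new_b = line_blocks(new_line, meta[idx])
    for k, (ob, nb) in enumerate(zip(old_b, new_b)):
        if ob != nb:
            e = total - (base + k)          # exponent of the block at position base+k
            diff = int.from_bytes(ob, "big") ^ int.from_bytes(nb, "big")
            agg ^= gf_mul(diff, h_pow(h, e))
    return agg


def amac(agg, key, region_id):
    """Encrypt the aggregate into the AMAC: XOR with a per-region pad. The pad
    derivation is a stand-in; GCM-style designs use an AES block output here."""
    pad = int.from_bytes(hashlib.sha256(key + region_id).digest()[:16], "big")
    return agg ^ pad


def derive_h(key):
    """Stand-in for H = AES_K(0^128)."""
    return int.from_bytes(hashlib.sha256(b"H" + key).digest()[:16], "big")
```

The linearity that makes the incremental update cheap is also why the unencrypted aggregate must never be exposed: an attacker who knows H can forge any region, which is why the abstract encrypts the aggregate into the AMAC and stores it off the memory module.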
Configurable lattice cryptography processor for the quantum-secure internet of things and related techniques
Described is a lattice cryptography processor with configurable parameters. The lattice cryptography processor includes a sampling circuit configured to operate in accordance with a Secure Hash Algorithm 3 (SHA-3)-based pseudo-random number generator (PRNG), a single-port random access memory (RAM)-based number theoretic transform (NTT) memory architecture and a modular arithmetic unit. The described lattice cryptography processor is configured to be programmed with custom instructions for polynomial arithmetic and sampling. The configurable lattice cryptography processor may operate with lattice-based CCA-secure key encapsulation and a variety of different lattice-based protocols including, but not limited to: Frodo, NewHope, qTESLA, CRYSTALS-Kyber and CRYSTALS-Dilithium, achieving up to an order of magnitude improvement in performance and energy-efficiency compared to state-of-the-art hardware implementations.
Method for multiplying polynomials for a cryptographic operation
Various embodiments relate to a method for multiplying a first and a second polynomial in the ring [X]/(X^N − 1) to perform a cryptographic operation in a data processing system, the method for use in a processor of the data processing system, including: receiving the first polynomial and the second polynomial by the processor; mapping the first polynomial into a third polynomial in a first ring and a fourth polynomial in a second ring using a map; mapping the second polynomial into a fifth polynomial in the first ring and a sixth polynomial in the second ring using the map; multiplying the third polynomial in the first ring with the fifth polynomial in the first ring to produce a first multiplication result; multiplying the fourth polynomial in the second ring with the sixth polynomial in the second ring to produce a second multiplication result using Renes multiplication; and combining the first multiplication result and the second multiplication result using the map.
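One concrete instance of the map in this abstract, as an added example that is not the patent's code: for even N, X^N − 1 = (X^n − 1)(X^n + 1) with n = N/2, so a polynomial maps to its residues in the two half-size rings (a sum and a difference of its halves), the products are taken there, and the CRT maps the pair back. The coefficient ring Z_q with q odd (the abstract does not name it), the choice of this particular factorization, and the schoolbook multiplier used for the second ring (standing in for the abstract's "Renes multiplication", which is not implemented here) are assumptions.

```python
"""Added example (not the patent's code): multiplying in Z_q[X]/(X^N - 1) by
mapping both operands into two smaller rings, multiplying there, and mapping
back. Assumptions: coefficients are integers mod an odd q, N is even, and the
map is X^N - 1 = (X^n - 1)(X^n + 1) with n = N/2, inverted with the CRT. The
second-ring product is plain schoolbook, a stand-in for whatever multiplier the
second ring uses; it is not the abstract's "Renes multiplication"."""
import random


def split(f, q):
    """f -> (f mod X^n - 1, f mod X^n + 1). With f = lo + X^n*hi these are
    lo + hi and lo - hi, so the map costs only additions."""
    n = len(f) // 2
    lo, hi = f[:n], f[n:]
    return [(a + b) % q for a, b in zip(lo, hi)], [(a - b) % q for a, b in zip(lo, hi)]


def mul_cyclic(a, b, q):
    """Product in Z_q[X]/(X^n - 1): X^n wraps to +1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] = (out[(i + j) % n] + ai * bj) % q
    return out


def mul_negacyclic(a, b, q):
    """Product in Z_q[X]/(X^n + 1): X^n wraps to -1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:
                out[k - n] = (out[k - n] - ai * bj) % q
    return out


def combine(c1, c2, q):
    """CRT inverse of split: h = (c1 + c2)/2 + X^n * (c1 - c2)/2 (needs q odd)."""
    inv2 = pow(2, -1, q)
    lo = [(a + b) * inv2 % q for a, b in zip(c1, c2)]
    hi = [(a - b) * inv2 % q for a, b in zip(c1, c2)]
    return lo + hi


def mul_split(f, g, q):
    """Multiply in Z_q[X]/(X^N - 1) through the two half-size rings."""
    f1, f2 = split(f, q)
    g1, g2 = split(g, q)
    return combine(mul_cyclic(f1, g1, q), mul_negacyclic(f2, g2, q), q)


def mul_direct(f, g, q):
    """Reference: schoolbook product reduced mod X^N - 1."""
    return mul_cyclic(f, g, q)


def random_poly(N, q, seed):
    """Constructed test input (deterministic for the seed)."""
    rng = random.Random(seed)
    return [rng.randrange(q) for _ in range(N)]
```

The split halves the size of each schoolbook product, so the two half-size multiplications together cost about half of the full one; the map and its inverse are additions and one multiplication by 2^-1 per coefficient. The inverse map needs 2 to be invertible mod q, which is why q is assumed odd.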
Hardware accelerator method, system and device
A system includes an addressable memory array, one or more processing cores, and an accelerator framework coupled to the addressable memory. The accelerator framework includes a Multiply ACcumulate (MAC) hardware accelerator cluster. The MAC hardware accelerator cluster has a binary-to-residual converter, which, in operation, converts binary inputs to a residual number system. Converting a binary input to the residual number system includes a reduction modulo 2^m and a reduction modulo 2^m − 1, where m is a positive integer. A plurality of MAC hardware accelerators perform modulo 2^m multiply-and-accumulate operations and modulo 2^m − 1 multiply-and-accumulate operations using the converted binary input. A residual-to-binary converter generates a binary output based on the output of the MAC hardware accelerators.
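The residue arithmetic in this abstract, worked through as an added example that is not the patent's code. The moduli 2^m and 2^m − 1 are coprime, the reduction modulo 2^m is a mask, the reduction modulo 2^m − 1 is an end-around-carry fold of m-bit chunks, and because 2^m ≡ 1 (mod 2^m − 1) the residue-to-binary conversion collapses to x = r1 + 2^m·((r2 − r1) mod (2^m − 1)). The example also shows the failure mode a practitioner has to check: a dot product that exceeds the dynamic range 2^m(2^m − 1) silently wraps. m = 8 and unsigned inputs are assumptions.

```python
"""Added example (not the patent's code): a multiply-accumulate carried out in
the residue number system with moduli 2^m and 2^m - 1, with the binary-to-residue
and residue-to-binary conversions the abstract describes. Assumptions: m = 8,
unsigned inputs, and a schoolbook dot product as the reference."""


def to_residues(x, m):
    """Binary -> (x mod 2^m, x mod 2^m - 1). The second reduction is the
    end-around-carry fold: split x into m-bit chunks and add them, since
    2^m == 1 (mod 2^m - 1)."""
    mask = (1 << m) - 1
    r1 = x & mask
    r2 = x
    while r2 > mask:
        r2 = (r2 & mask) + (r2 >> m)
    if r2 == mask:          # the all-ones chunk is 0 mod 2^m - 1
        r2 = 0
    return r1, r2


def to_binary(r1, r2, m):
    """CRT for the pair (2^m, 2^m - 1): because 2^m == 1 (mod 2^m - 1), the
    inverse of 2^m in the second modulus is 1, so
    x = r1 + 2^m * ((r2 - r1) mod (2^m - 1)).
    The result is unique only below the dynamic range 2^m * (2^m - 1)."""
    m2 = (1 << m) - 1
    return r1 + (1 << m) * ((r2 - r1) % m2)


def rns_mac(a, b, m):
    """Dot product computed independently in each modulus, then converted back.
    The two accumulators never exchange carries, which is the point of the RNS."""
    mask = (1 << m) - 1
    acc1 = acc2 = 0
    for x, y in zip(a, b):
        x1, x2 = to_residues(x, m)
        y1, y2 = to_residues(y, m)
        acc1 = (acc1 + x1 * y1) & mask               # mod 2^m: a plain m-bit MAC
        _, acc2 = to_residues(acc2 + x2 * y2, m)      # mod 2^m - 1: fold the carries
    return to_binary(acc1, acc2, m)


def dot(a, b):
    """Reference dot product in ordinary binary arithmetic."""
    return sum(x * y for x, y in zip(a, b))


def dynamic_range(m):
    """Largest representable value + 1: the product of the two moduli."""
    return (1 << m) * ((1 << m) - 1)


if __name__ == "__main__":
    a, b = [3, 17, 250, 9], [5, 2, 1, 40]       # constructed inputs
    print(rns_mac(a, b, 8), dot(a, b))
```

Anyone wiring such an accelerator into an inference pipeline should bound the accumulation length (or scale the inputs) so that every dot product stays below dynamic_range(m); the RNS gives no overflow flag, the wrapped value simply looks like a valid result.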
Multiplication Methods, Non-Transitory Computer-Readable Media, and Multiplication Devices
Efficient polynomial multiplication for Accelerated Fully Homomorphic Encryption (FHE). An efficient method for large integer and polynomial multiplication in a ring using negacyclic convolution and discrete Galois transform with arbitrary primes is described. The method is adapted to work with arbitrary primes that support Gaussian arithmetic. Dealing with non-Gaussian primes gives rise to another problem of how to find primitive roots of unity and of $i$. An efficient solution to find those roots of interest is provided.
Apparatus and method for maintaining a counter value
An apparatus and method are provided for maintaining a counter value. The apparatus has first counter control circuitry for maintaining a first counter value representing a first portion of a hybrid counter value, and second counter control circuitry for maintaining a second counter value representing a second portion of the hybrid counter value, wherein the second portion is a higher order portion of the hybrid counter value than the first portion. The first counter control circuitry is arranged to maintain the first counter value as a binary value that indicates a magnitude of the first counter value, the first counter control circuitry comprising adder circuitry that is responsive to an adjustment value to update the first counter value by performing an addition operation to add the adjustment value to a current binary value of the first counter value, and to generate a carry out signal which is set when a carry out is generated by the addition operation. The second counter control circuitry is arranged to maintain the second counter value as a bit sequence having N discrete states, and is responsive to the carry out signal being set to transition the second counter value from the current discrete state to a new discrete state. This allows an arbitrary value to be used as the adjustment value, that is smaller than or equal to the maximum value of the first counter, whilst avoiding the need for the generation and handling of carry bits to be managed across the entire bit range of the hybrid counter value.
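The hybrid counter of this abstract, as an added example that is not the patent's code: the low-order portion is a k-bit binary adder that accepts an arbitrary adjustment value and reports a carry-out, and the high-order portion steps through N discrete states on each carry-out. The example makes the stated constraint explicit: because the adjustment is at most 2^k − 1 and the low value is at most 2^k − 1, their sum is below 2^(k+1), so at most one carry can ever occur and the high portion only has to move by one state. k = 8 and a 4-bit Gray code for the high portion (N = 16 states, one bit flips per transition) are assumptions; the abstract does not say which state encoding is used.

```python
"""Added example (not the patent's code): a hybrid counter whose low-order
portion is a k-bit binary adder with a carry-out and whose high-order portion
is a bit sequence stepping through N discrete states. Assumptions: k = 8, the
high portion is a j-bit Gray code (N = 2^j states, one bit flips per
transition); the abstract does not say which state encoding is used."""

LOW_BITS = 8
HIGH_BITS = 4           # N = 2^HIGH_BITS discrete states


def gray(n):
    return n ^ (n >> 1)


def from_gray(g):
    n = 0
    while g:
        n ^= g
        g >>= 1
    return n


def step_high(state):
    """Transition to the next discrete state (next Gray code), wrapping at N."""
    return gray((from_gray(state) + 1) % (1 << HIGH_BITS))


def add(low, high, adjustment):
    """One update: add `adjustment` to the low binary part; if the adder carries
    out, advance the high part by exactly one state. Because adjustment <= 2^k - 1
    and low <= 2^k - 1, the sum is < 2^(k+1), so at most one carry can occur and
    the high part never has to absorb a multi-bit carry."""
    if not 0 <= adjustment < (1 << LOW_BITS):
        raise ValueError("adjustment must fit in the low counter")
    total = low + adjustment
    carry_out = total >> LOW_BITS
    new_low = total & ((1 << LOW_BITS) - 1)
    new_high = step_high(high) if carry_out else high
    return new_low, new_high


def value(low, high):
    """Decode the hybrid counter to an integer (high state index << k | low)."""
    return (from_gray(high) << LOW_BITS) | low


def run(adjustments):
    """Apply a list of adjustments from zero; returns (low, high, decoded value)."""
    low, high = 0, gray(0)
    for a in adjustments:
        low, high = add(low, high, a)
    return low, high, value(low, high)
```

The rejection of adjustments of 2^k or more is not cosmetic: an adjustment that large could produce two carries in one step, which the single-state transition of the high portion cannot represent, and the counter would silently lose count.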
TWIDDLE FACTOR GENERATING CIRCUIT FOR AN NTT PROCESSOR
A circuit for generating twiddle factors for an NTT processor. The circuit includes a cache management module, a modular multipliers bank, and a central controller. The cache management module includes a local controller and a cache memory in which operands are stored for calculating future twiddle factors. The modular multipliers bank includes an interconnection matrix at the input distributing operands on the modular multiplier inputs. The circuit can be configured to minimise the size of the cache memory and/or reduce the latency of the twiddle factor sequence calculation. Finally, the generating circuit may include several calculation management modules sharing the same modular multipliers bank to generate sequences of twiddle factors on several finite fields.