G06F7/725

Number-theoretic transform processing apparatus, number-theoretic transform processing method, and computer program product
11922135 · 2024-03-05

According to an embodiment, a number-theoretic transform processing apparatus for a noise in lattice-based cryptography includes a processor configured to perform number-theoretic transform of the noise using a precomputation table including a combination of products of one or more elements that belong to a subspace of a finite field Z_q and indicate coefficients of the noise, with one or more number-theoretic transform constants.

SCALAR MULTIPLICATION SYSTEM, SCALAR MULTIPLICATION APPARATUS, SCALAR MULTIPLICATION METHOD AND PROGRAM
20240061648 · 2024-02-22

A scalar multiplication system computes a scalar multiplication for a point on an elliptic curve. The scalar multiplication system includes a computer including a memory and a processor configured to execute computing a pre-computation table T including d points e_i·P having the same Z coordinate in Jacobian coordinates using elliptic curve point addition or elliptic curve point doubling according to a CoZ method for a point P on the elliptic curve and d integers e_i (i ∈ [1, d]); converting a scalar value k into a scalar value k′ expressed as k′ = k′_0·2^0 + k′_1·2^1 + … + k′_{n−1}·2^{n−1} (k′_i ∈ {0, e_1, …, e_d}); and using the pre-computation table T and the scalar value k′ to compute a scalar multiplication kP using the elliptic curve point addition according to the CoZ method.

Method and system for Cheon resistant static Diffie-Hellman security

A method for providing Cheon-resistance security for a static elliptic curve Diffie-Hellman cryptosystem (ECDH), the method including providing a system for message communication between a pair of correspondents, a message being exchanged in accordance with ECDH instructions executable on computer processors of the respective correspondents, the ECDH instructions using a curve selected from a plurality of curves, the selecting including choosing a range of curves; selecting, from the range of curves, curves matching a threshold efficiency; excluding, within the selected curves, curves which may include intentional vulnerabilities; and electing, from non-excluded selected curves, a curve with Cheon resistance, the electing comprising a curve from an additive group of order q, wherein q is prime, such that q − 1 = cr and q + 1 = ds, where r and s are primes and c and d are integer Cheon cofactors of the group, such that cd ≤ 48.

PROTECTION OF AN ITERATIVE CALCULATION
20190379527 · 2019-12-12

A calculation is performed on a first number and a second number. For each bit of the second number a first function is performed. The first function inputs include contents of a first register, contents of a second register and the first number. A result of the first function is placed in a third register. For each bit of the second number, a second function is performed which has as inputs contents of the third register and the contents of a selected one of the first and the second register according to a state of a current bit of the second number. A result of the second function is stored in the selected one of the first and second register.

METHOD FOR DETERMINING A MODULAR INVERSE AND ASSOCIATED CRYPTOGRAPHIC PROCESSING DEVICE
20190377554 · 2019-12-12

In a method for determining the modular inverse of a number, successive iterations are applied to two pairs each including a first variable and a second variable, such that at the end of each iteration and for each pair, the product of the second variable and of the number is equal to the first variable modulo a given module. Each iteration includes at least one division by two of the first variable of a first pair or of a second pair, or a combination of the first variable of the first pair and of the first variable of the second pair by addition or subtraction. At least some of the iterations including a combination by addition or subtraction include a step of storing the result of the combination in the first variable of a pair determined randomly from among the first pair and the second pair. An associated cryptographic processing device is also described.

Protection of a modular reduction calculation
10505712 · 2019-12-10

A modular reduction calculation on a first number and a second number is protected from side-channel attacks, such as timing attacks. A first intermediate modular reduction result is calculated. A value corresponding to four times the first number is added to the first intermediate modular reduction result, generating a second intermediate modular reduction result. A value corresponding to the first number multiplied by a most significant word of the second intermediate modular reduction result plus 1 is subtracted from the second intermediate modular reduction result, generating a third intermediate modular reduction result. A cryptographic operation is performed using a result of the modular reduction calculation.

DIGITAL SIGNATURE VERIFICATION ENGINE FOR RECONFIGURABLE CIRCUIT DEVICES
20190319805 · 2019-10-17

Embodiments are directed to a digital signature verification engine for reconfigurable circuit devices. An embodiment of an apparatus includes one or more processors; and a reconfigurable circuit device, the reconfigurable circuit device including digital signal processing (DSP) blocks and logic elements (LEs), wherein the one or more processors are to configure the reconfigurable circuit device to operate as a signature verification engine for a bit stream, the signature verification engine including a hybrid multiplication unit, the hybrid multiplication unit combining a set of LEs and a set of the DSPs to multiply operands for signature verification.

INTERLEAVED SCALAR MULTIPLICATION FOR ELLIPTIC CURVE CRYPTOGRAPHY
20240146529 · 2024-05-02

Methods, apparatus, and computer readable storage medium for performing interleaved scalar multiplication are described. The method includes obtaining a bit-number of a scalar; factorizing the bit-number of the scalar into a product of a plurality of factors, the plurality of factors comprising s, d, and w; generating d tables based on a parameter, each table comprising N entries; for each iteration of s iterations: multiplying a result by two, constructing an index for each table from w bits in the scalar in the binary format, selecting a value from each table based on the constructed index for each table, and adding the value selected from each table to the result and starting next iteration; and in response to completing the s iterations, determining the result for a scalar multiplication between the scalar and the parameter.

Configurable arithmetic unit

Subject matter disclosed herein may relate to arithmetic units of processors, and may relate more particularly to configurable arithmetic units. Configurable arithmetic units may comprise a plurality of basic units, and may further comprise a programmable fabric to selectively connect the plurality of basic units at least in part to process one or more sets of parameters in accordance with one or more specified arithmetic operations.

Computer-implemented system and method for enabling zero-knowledge proof
11995648 · 2024-05-28

The invention relates to a computer-implemented method for enabling zero-knowledge proof or verification of a statement in which a prover proves to a verifier that a statement is true while keeping a witness to the statement a secret. The method includes the prover sending to the verifier a set of data including a statement, which for a given function circuit output and an elliptic curve point, the function circuit input is equal to the corresponding elliptic curve point multiplier. The data includes individual wire commitments and/or a batched commitment for wires of the circuit, a function circuit output, and a prover key, which enables the verifier to determine that the circuit is satisfied and calculate the elliptic curve point and validate the statement, thus determining that the prover holds the witness to the statement.