A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the noise consumption and electromagnetic emanation profile of circuitry performing the operations is identical regardless of operation. A subtraction operation using such an atomic pattern is also disclosed.

A cryptographic calculation includes obtaining a point P(X,Y) from a parameter t on an elliptical curve Y.sup.2=f(X); and from polynomials X1(t), X2(t), X3(t) and U(t) satisfying: f(X1(t)).Math.f(X2(t)).Math.f(X3(t))=U(t).sup.2 in Fq, with q=3 mod 4. Firstly a value of the parameter t is obtained. Next, the point P is determined by: (i) calculating X1=X1(t), X2=X2(t), X3=X3(t) and U=U(t); (ii) if the term f(X1).Math.f(X2) is a square, then testing whether the term f(X3) is a square in Fq and if so calculating the square root of f(X3) in order to obtain the point P(X3); (iii) otherwise, testing whether the term f(X1) is a square and, if so, calculating the square root of f(X1) in order to obtain the point P(X1); (iv) otherwise, calculating the square root of f(X2) in order to obtain the point P(X2). This point P is useful in a cryptographic application.

A method of calculating the x-coordinate(x.sub.M) of a point mapping in an elliptic curve Diffie-Hellman key exchange protocol (EC-DHKF), wherein the point mapping is defined as sG+H, where sG is a point (x.sub.S,y.sub.S) on an elliptic curve and H is a point (x.sub.H,y.sub.H) on the elliptic curve, including: computing V=y.sub.S.sup.2 based upon the elliptic curve and x.sub.S; computing W=y.sub.H.sup.2 based upon the elliptic curve and x.sub.H; computing U=sqrt(W.Math.V) mod p, where p is a large prime number; choosing U=U or U=pU such that U based upon a characteristic agreed upon by the parties to the EC-DHKF; computing x based upon V, W, U, x.sub.S, x.sub.H, and p.

An optimized hardware architecture and method introducing a simple arithmetic processor that allows efficient implementation of an Elliptical Curve Cryptography point doubling algorithm for Jacobian coordinates. The optimized architecture additionally reduces the required storage for intermediate values to one intermediate value.

Embodiments of a system for, and method for using, an elliptic curve cryptography integrated circuit are generally described herein. An elliptic curve cryptography (ECC) operation request may be received. One of a plurality of circuit portions may be instructed to perform the ECC operation. The plurality of circuit portions that may be used include a finite field arithmetic circuit portion, an EC point addition and doubler circuit portion, a finite field exponentiation circuit portion, and a point multiplier circuit portion. The result of the ECC operation may then be output.

The invention relates to a cryptographic processing method comprising multiplication of a point P of an elliptic curve on a Galois field by a scalar k, the multiplication comprising steps of: storing, in a first register, a zero point of the Galois field, executing a loop comprising at least one iteration comprising steps of: selecting a window of w bits in the non-signed binary representation of the scalar k, w being a predetermined integer independent of the scalar k and strictly greater than 1, calculating multiple points of P being each associated with a bit of the window and of the form 2.sup.iP, adding or not in the first register of multiple points stored, depending of the value of the bit of the window with which the multiple points are associated, wherein the loop ends once each bit of the non-signed binary representation of the scalar k has been selected, returning a value stored in the first register. If all the bits of the window selected during an iteration of the loop are zero, the iteration comprises at least one dummy execution of the addition function, and/or if all the bits of the window during an iteration of the loop are non-zero, the multiple points to be added in the first register during the step are determined from a non-adjacent form associated with the window.

Embodiments are directed to elliptic curve cryptography scalar multiplications in a generic field with heavy pipelining between field operations. A bit width is determined of operands in data to be processed by a modular hardware block. It is checked whether the bit width of the operands matches a fixed bit width of the modular hardware block. In response to there being a match, the modular hardware block processes the operands. In response to there being a mismatch, the operands are modified to be accommodated by the fixed bit width of the modular hardware block.

An optimized hardware architecture and method introducing a simple arithmetic processor that allows efficient implementation of an Elliptical Curve Cryptography point doubling algorithm for Jacobian coordinates. The optimized architecture additionally reduces the required storage for intermediate values.

Various embodiments of the invention implement countermeasures designed to withstand attacks by potential intruders who seek partial or full retrieval of elliptic curve secrets by using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks, and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as sample power analysis, caused by the detectability of scalar values from information leaked during regular operation flow that would otherwise compromise system security. In certain embodiments, system immunity is maintained by performing elliptic scalar operations that use secret-independent operation flow in a secure Elliptic Curve Cryptosystem.

A processor of an aspect includes a decode unit to decode an elliptic curve cryptography (ECC) point-multiplication with obfuscated input information instruction. The ECC point-multiplication with obfuscated input information instruction is to indicate a plurality of source operands that are to store input information for an ECC point-multiplication operation. At least some of the input information that is to be stored in the plurality of source operands is to be obfuscated. An execution unit is coupled with the decode unit. The execution unit, in response to the ECC point-multiplication with obfuscated input information instruction, is to store an ECC point-multiplication result in a destination storage location that is to be indicated by the ECC point-multiplication with obfuscated input information instruction. Other processors, methods, systems, and instructions are disclosed.