An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.

A method of performing finite field addition and doubling operations in an elliptic curve cryptography (ECC) authentication scheme as a countermeasure to side-channel attack. The addition and doubling operations are executed using atomic patterns that involve the same sequence and number of operation types, so that the noise consumption and electromagnetic emanation profile of circuitry performing the operations is identical regardless of operation. A subtraction operation using such an atomic pattern is also disclosed.

In one embodiment, an apparatus comprises a multiplier circuit to: identify a point multiply operation to be performed by the multiplier circuit, wherein the point multiply operation comprises point multiplication of a first plurality of operands; identify a point add operation associated with the point multiply operation, wherein the point add operation comprises point addition of a second plurality of operands, wherein the second plurality of operands comprises a first point and a second point, and wherein the first point and the second point are associated with a first coordinate system; convert the second point from the first coordinate system to a second coordinate system; perform the point add operation based on the first point associated with the first coordinate system and the second point associated with the second coordinate system; and perform the point multiply operation based on a result of the point add operation.

A method and protocol for determining linear combinations of a first and second point for an elliptic curve cryptography scheme, including determining a first scalar multiplication of the first point with a first scalar, the first scalar multiplication including performing iteratively in relation to the value of the first scalar either one of: doubling of the first point in Jacobian projective coordinates; or mixed addition with the first point in affine coordinates; determining a combination point by adding the second point to the resultant of the first scalar multiplication; obtaining an affine coordinate representation of the combination point; determining a second scalar multiplication of the combination point with a second scalar, the second scalar multiplication including performing iteratively in relation to the value of the second scalar either one of: doubling of the combination point in Jacobian projective coordinates; or mixed addition with the combination point in affine coordinates.

The cyber owner of the asset can transfer cyber ownership to a second entity based on a transaction and using an escrow entity. An escrow service in association with an escrow entity is utilized to secure transfer of ownership to the second entity in accordance with the conditions of the transaction. The cyber owner initiates an escrow process by transmitting an escrow instruction to the access configuration controller. A new cryptographic key is generated responsive to the escrow instruction and is managed by a generated escrow policy indicating an escrow period. Different components of the cryptographic key are transmitted to the second entity and the escrow service. When the conditions of the transaction are satisfied during the escrow period, the escrow service transmits the component of the cryptographic key to the second entity. The second entity may use the recomposed cryptographic key to assert ownership of the asset.

An electronic key pre-distribution device (110) for configuring multiple network nodes (210, 211) with local key information is provided. The key pre-distribution device comprises applies at least a first hash function (147) and a second hash function (148) to a digital identifier of a network node. The first and second hash functions map the digital identifier to a first public point (141; H.sub.1ID)) and a second public point (142; H.sub.2(ID)) on a first elliptic curve (131) and second elliptic curve (132). A first and second secret isogeny (135) is applied to the first and second public elliptic curve point (141, 142), to obtain a first private elliptic curve point (151) and second private elliptic curve point (152) being part of private key material (155) for the network node (210).

Systems and methods described herein relate to techniques that allow for multiple parties to jointly generate or jointly agree upon the parameters for generation of a smart contract, such as a verification key. Execution of the smart contract may be performed by a third party, for example, a worker node on a blockchain network. Techniques described herein may be utilised as part of a protocol in which parties of a smart contract share powers of a secret in a manner that allows each party to determine an identical common reference string, agree on parameters for a smart contract, agree and/or make proportionate contributions the smart contract, and combinations thereof. The smart contract may be published to a blockchain network (e.g., Bitcoin Cash). The protocol may be a zero-knowledge protocol.

An obfuscation process is described for obfuscating a cryptographic parameter of cryptographic operations such as calculations used in elliptical curve cryptography and elliptical curve point multiplication. Such obfuscation processes may be used for obfuscating device characteristics that might otherwise disclose information about the cryptographic parameter, cryptographic operations or cryptographic operations more generally, such as information sometimes gleaned from side channel attacks and lattice attacks.

A hardware accelerator computes a scalar dot product given by .sub.i=0.sup.N1d.sub.iP.sub.i where d.sub.i is a scalar of length b bits and P.sub.i is an element in a group. The hardware accelerator includes a plurality A of accumulators addressed by corresponding contiguous partitions of the scalar d.sub.i, each partition being of length c such that

[00001]$A=.Math.\frac{b}{c}.Math.$

and each accumulator containing a plurality B of buckets where B=2.sup.c. The value of P.sub.i is entered into each empty accumulator bucket whose value corresponds to the weight of the respective partition associated with the corresponding accumulator or is added to a non-zero value that is already in the bucket, the sum replacing the previous value. An accumulator sums the values in the respective buckets of each accumulator so as to derive A sums, and sums the A computed sums to derive the scalar dot product.

The invention relates to a method of enabling zero-knowledge proof or verification of a statement (S) for enabling exchange of data between a prover and a verifier, wherein the prover has access to first data on a first blockchain, and the verifier has access to second data on a second blockchain. In the method, a prover sends to a verifier a set of data including a statement, which for a given function circuit output and an elliptic curve point, the function circuit input is equal to the corresponding elliptic curve point multiplier. The statement can be that the prover knows a private key for an address on a blockchain network.