A computing apparatus outputs .sub.1 and .sub.2 corresponding to a ciphertext x, a capability providing apparatus uses .sub.1 to correctly compute f(.sub.1) with a probability greater than a certain probability and sets the result of the computation as z.sub.1, uses .sub.2 to correctly compute f(.sub.2) with a probability greater than a certain probability and sets the result of the computation as z.sub.2, the computing apparatus generates a computation result u=f(x).sup.bx.sub.1 from z.sub.1, generates a computation result v=f(x).sup.ax.sub.2 from z.sub.2, and outputs u.sup.bv.sup.a if the computation results u and v satisfy a particular relation, where G and H are groups, f(x) is a function for obtaining an element of the group G for xH, X.sub.1 and X.sub.2 are random variables having values in the group G, x.sub.1 is a realization of the random variable X.sub.1, and x.sub.2 is a realization of the random variable X.sub.2.

Methods and devices are provided for use in detecting relay attacks between devices in a communications network. One method includes sending first data by a first device to a second device, and receiving, by the first device, a communication from the second device where the communication comprises second data generated at the second device and a time parameter related to the generation of the second data. The method also includes measuring a total transmission time at the first device between sending the first data and receiving the communication, and determining a further time parameter related to the generation of the second data based at least in part on the measured total transmission time. The method then further includes determining the presence of a relay attack between the first and second devices in dependence on a comparison of the time parameter and the further time parameter.

From the least significant bit of the current secret key, k bits are retrieved, obtaining a binary window sequence. A binary bit string of concatenation of the random number to the more significant bits of the window sequence is obtained if the most significant bit of the window sequence is 0, subtracting a bit string from the current secret key to obtain a new secret key, or the bit string of a complement of the base number for the window sequence in binary system is calculated if the most significant bit of the window sequence is 1, obtaining a bit string by adding a minus sign to a bit string obtained by concatenating the random number to the more significant bits of the bit string, subtracting the bit string from the current secret key to obtain a new secret key.

In a general aspect, a test method can include acquiring a plurality of value sets, each including values of a physical quantity or of logic signals, linked to the activity of a circuit to be tested when executing distinct cryptographic operations applied to a same secret data, for each value set, counting occurrence numbers of the values of the set, for each operation and each of the possible values of a part of the secret data, computing a partial result of operation, computing sums of occurrence numbers, each sum being obtained by adding the occurrence numbers corresponding to the operations which when applied to a same possible value of the part of the secret data, provide a partial operation result having a same value, and analyzing the sums of occurrence numbers to determine the part of the secret data.

A test method for a circuit can include: acquiring a plurality of value sets including values corresponding to activity of the circuit when the circuit executes an operation of an operation set of distinct cryptographic operations applied to a same secret data, selecting at least two subsets of values in each value set, for each value set and each value subset, counting occurrence numbers of values transformed by a respective first surjective function applied to the values of the subset, for each value set, forming all possible n-tuples associating together one of the occurrence numbers of each value subset of the value set, and computing a combined occurrence number for each n-tuple of the value set by multiplying together the occurrence numbers associated by the n-tuple, to form an occurrence number set for the value set, for each operation of the operation set, and each possible value of a part of the secret data, computing a partial operation result, computing cumulative occurrence number sets, obtained by adding together the occurrence number sets corresponding to the operations of the operation set, which when applied to a same value of the possible values of the secret data part, provide a partial operation result having a same transformed value by a second surjective function, and analyzing the cumulative occurrence number sets to determine the part of the secret data.

In a general aspect, a method for executing, by a circuit, an operation receiving an input data and providing an output data includes: selecting a substitution element in a substitution table as a function of the input data or an intermediary data, the substitution element being a first data set, each substitution element in the substitution table being selectable as a function of an input substitution data being a data set, and providing the first data set as an intermediary or final result of the operation, the first data set including the output data, and being such that in a set of transformed data resulting from a surjective function applied to the first data set, the transformed output data occurs with a probability equal to the probability of occurrence of each transformed data resulting from the application of the surjective function to the other data in the first data set.

A test method can include: acquiring a plurality of value sets including measurements or signals corresponding with activity of a circuit when executing a set of cryptographic operations on secret data, for each value set, selecting at least two subsets of values, computing combined values and counting occurrence numbers of values transformed by a first surjective function applied to the combined values, for each operation and each possible value of a part of the secret data, computing a partial operation result, computing cumulative occurrence number sets by adding the occurrence number sets corresponding to the operations of the operation set, which when applied to a same value of the possible values of the part of the secret data, provide a partial operation result having a same transformed value by a second surjective function, and determine the part of the secret data from the cumulative occurrence number sets.

The present invention relates to a test method of a circuit, comprising: acquiring a plurality of value sets comprising values of a physical quantity linked to the activity of a circuit to be tested when the circuit executes an operation of a set of distinct cryptographic operations applied to a secret data, selecting at least a first subset in each value set, for each value set, counting by a processing unit occurrence numbers of values transformed by a first surjective function applied to the values of the first subset of the value set, to form an occurrence number set for the value set, for each operation of the operation set, and each of the possible values of a part of the secret data, computing a partial operation result, computing cumulative occurrence number sets by adding the occurrence number sets corresponding to the operations of the operation set, which when applied to a same value or equivalent value of the possible values of the part of the secret data, provide a partial operation result having a same transformed value resulting from the application of a second surjective function, merging according to a selected merging scheme, cumulative occurrence numbers in the cumulative occurrence number sets, and analyzing the merged cumulative occurrence number sets to determine the part of the secret data.

Systems and methods for sharing data between a first node and second node are disclosed. The methods may include sharing a first initialization vector between a first node and a second node using a multi-stage cryptography protocol. A first bit stream of first information may be passed from the first node to the second node using a single-stage cryptography protocol that encodes a message with the first initialization vector.

Methods and systems are provided for securing an integrated circuit device against various security attacks, such as side-channel attacks. By limiting the number of different challenge vectors that can be combined with a critical variable of an encryption operation, it becomes more difficult to create enough side channel measurements to successfully perform statistical side-channel analysis.