In one embodiment, a processing device includes a symmetric block cipher configured to encrypt plaintext blocks yielding respective ciphertext blocks, obfuscation circuitry configured to obfuscate the respective ciphertext blocks responsively to an obfuscation secret yielding respective obfuscated ciphertext blocks and an interface to send the respective obfuscated ciphertext blocks to at least one remote processing device. In one embodiment, the processing device provides side-channel attack protection within a symmetric key scheme by data obfuscation and by changing encryption/decryption keys using key manipulation so that different blocks or group of blocks of data are encrypted/decrypted using respective encryption/decryption keys.

Polynomial multiplication for side-channel protection in cryptography is described. An example of a apparatus includes one or more processors to process data; a memory to store data; and polynomial multiplier circuitry to multiply a first polynomial by a second polynomial, the first polynomial and the second polynomial each including a plurality of coefficients, the polynomial multiplier circuitry including a set of multiplier circuitry, wherein the polynomial multiplier circuitry is to select a first coefficient of the first polynomial for processing, and multiply the first coefficient of the first polynomial by all of the plurality of coefficients of the second polynomial in parallel using the set of multiplier circuits.

A method of performing a cryptographic process in a secured manner, wherein the cryptographic process generates output data based on input data, the generating of the output data involving generating a value y based on an amount of data x, the value y representing a combination, according to a linear transformation L, of respective outputs from a plurality of S-boxes S.sub.n (n=0, . . . , N−1) for integer N>1, wherein each S-box S.sub.n (n=0, . . . , N−1) implements a respective function H.sub.n that is either (a) the composition of a respective first function F.sub.n and a respective linear or affine second function G.sub.n so that H.sub.n=G.sub.n∘F.sub.n, or (b) the composition of a respective first function F.sub.n, a respective linear or affine second function G.sub.n and a respective third function W.sub.n so that H.sub.n=G.sub.n∘F.sub.n∘W.sub.n, wherein the method comprises: performing a first processing stage and a second processing stage to generate the value y based on the amount of data x, wherein: the first processing stage uses a plurality of first lookup tables to generate respective outputs, each output being based on at least part of the amount of data x, wherein, for each S-box S.sub.n (n=0, . . . , N−1), the respective first function F.sub.n is implemented by a corresponding first lookup table; and the second processing stage combines outputs from a plurality of second lookup tables to generate the value y, wherein the input to each second lookup table is formed from the output of a plurality of the first lookup tables, and wherein the set of second lookup tables is based on the second functions G.sub.n (n=0, . . . , N−1) and the linear transformation L.

The present disclosure relates to a cryptographic method comprising: multiplying a point belonging to a mathematical set with a group structure by a scalar by performing: the division of a scalar into a plurality of groups formed of a same number w of digits, w being greater than or equal to 2; and the execution, by a cryptographic circuit and for each group of digits, of a sequence of operations on point, the sequence of operations being identical for each group of digits, at least one of the operations executed for each of the groups of digits being a dummy operation.

A method for cryptographic processing includes: storing an initial value as the current value; implementing a predetermined number of first steps, including one involving obtaining second data by applying a first cryptographic algorithm to first data, the others each involving the application of the first cryptographic algorithm to the current value and the storage of the result as the new current value; implementation of the predetermined number of second steps, including one involving the obtaining of fourth data by applying, to third data, a second cryptographic algorithm that is the inverse of the first cryptographic algorithm, the others each involving the application of the second cryptographic algorithm to the current value and the storage of the result as the new current value; and verification of the equality of the first data and the fourth data, and of the equality of the current value and the initial value.

A method is proposed for copying a source array into a target array, wherein both the source array and the target array have at least two elements, wherein each element has a value, in which the elements of the source array are copied into the target array in the sequence of a random permutation, wherein, after a step of copying an element of the source array into the target array, the source array, the target array or the source array and the target array are rotated. A device is also indicated accordingly.

A method of operation concealment for a cryptographic system includes randomly selecting which one of at least two cryptographic operation blocks receives a key to apply a valid operation to data and outputs a result that is used for subsequent operations. Noise can be added by operating the other of the at least two cryptographic operation blocks using a modified key. The modified key can be generated by mixing the key with a block-unique-identifier, a device secret, a slowly adjusting output of a counter, or a combination thereof. In some cases, noise can be added to a cryptographic system by transforming input data of the other cryptographic operation block(s) by mixing the input data with the block-unique-identifier, device secret, counter output, or a combination thereof. A cryptographic system with operation concealment can further include a distributed (across a chip) or interweaved arrangement of subblocks of the cryptographic operation blocks.

A device for providing side-channel protection to a data processing circuit is provided and includes a chaotic oscillator and a counter. The data processing circuit has an input for receiving an input signal, a power supply terminal, and an output for providing an output signal. The chaotic oscillator circuit has an input coupled to receive a control signal, and an output coupled to provide an output signal for controlling a voltage level of a power supply voltage of the data processing circuit. The counter has an input coupled to receive a clock signal, and an output coupled to control a variable parameter of the chaotic oscillator in response to the clock signal. In another embodiment, a method is provided providing the side-channel protection to the device.

A substitute box includes a target input terminal, an obfuscation input terminal, a first output terminal and a second output terminal. The target input terminal is configured to receive a target input data. The obfuscation input terminal is configured to receive an obfuscation input data unrelated to a plaintext. The first output terminal is configured to output a first output data. The second output terminal is configured to output a second output data associated with the first output data. The first output data and the second output data are generated according to both the target input data and the obfuscation input data.

Embodiments include cryptographic circuits having isolated operation with respect to embedded sensor operations to mitigate side-channel attacks. A cryptographic circuit, a sensor, and an analog-to-digital converter (ADC) circuit are integrated into an integrated circuit along with a cryptographic circuit. A sensed signal is output with the sensor, and the sensed signal is converted to digital data using the ADC circuit. Further, cryptographic data is generated using one or more secret keys and the cryptographic circuit. The generation of the cryptographic data has isolated operation with respect to the operation of the sensor and the ADC circuit. The isolated operation mitigates side-channel attacks. The isolated operation can be achieved using power supply, clock, and/or reset circuits for the cryptographic circuit that are electrically isolated from similar circuits for the sensor and ADC circuit. The isolated operation can also be achieved using time-division multiplex operations. Other variations can also be implemented.