A secure digital communications method is provided in which a Certificate Authority generates an improved RSA key pair having a modulus, a public key exponent, a public key, and a private key. The public key exponent can contain descriptive attributes and a digital signature. The digital signature can be responsive to the descriptive attributes and the modulus. A secure session can be established between a first system and a second system, within a secure digital communication protocol. The second system can verify the digital signature to authenticate the public key.

A bonded structure is disclosed. The bonded structure can include a first semiconductor element having a first front side and a first back side opposite the first front side. The bonded structure can include a second semiconductor element having a second front side and a second back side opposite the second front side, the first front side of the first semiconductor element directly bonded to the second front side of the second semiconductor element along a bond interface without an adhesive. The bonded structure can include security circuitry extending across the bond interface, the security circuitry electrically connected to the first and second semiconductor elements

A cryptographic device is configured to compute a target block cipher (B.sub.t) on an input message and includes a control unit, and first and second block cipher units for computing the target block cipher (B.sub.t) on the input message. The control unit is configured to take the first block cipher result and the second block cipher result as input, and to produce the first block cipher result only when the first and second block cipher results are equal.

An integrated device for physically unclonable functions is based on a set of MOS transistors exhibiting a random distribution of threshold voltages which are obtained by lateral implantations of dopants exhibiting non-predictable characteristics, resulting from implantations through a polysilicon layer. A certain number of these transistors form a group of gauge transistors which makes it possible to define a mean gate source voltage making it possible to bias the gates of certain others of these transistors (which are used to define the various bits of the unique code generated by the function). All these transistors consequently exhibit a random distribution of drain-source currents and a comparison of each drain-source current of a transistor associated with a bit of the digital code with a reference current corresponding to the average of this distribution makes it possible to define the logical value 0 or 1 of this bit.

Provided is a method for generating a digital signature of an input message (M) based on a secret key (d.sub.A) of a client device having access to a first set and a second set of precomputed data stored in a storage unit. The first set of precomputed data comprises private element parts (k.sub.i) protected with an homomorphic encryption. The second set of precomputed data comprises public element parts (Q.sub.i) paired with the private element parts of the first set. Each private element part is a discrete logarithm of the public element part paired therewith. The private element (k), can be homomorphically encrypted, by combining homomorphically encrypted private element parts selected in the first set (k.sub.i). The selection of the public and private element parts depends on the input message. Other embodiments are disclosed.

There is provided a device for protecting the execution of a cryptographic operation from attacks, the cryptographic operation being implemented by a cryptographic algorithm, the cryptographic operation comprising at least one modular operation between a main base (m) representing a data block and at least one scalar (d) in at least one finite starting group. The device is configured to determine at least one intermediary group (E) different from the at least one starting group (E), the number of intermediary groups being equal to the number of starting groups E. The device is further configured to determine at least one final group (E) from the at least one starting group E and the at least one intermediary group E. The base m being mapped to an auxiliary element (x) in the at least one intermediary group and to an auxiliary base (m) in the at least one final group E. The device performs a first elementary operation in each final group (Ei), the first elementary operation consisting in executing the modular operation between the auxiliary base (m) and an auxiliary scalar (d.sub.a) in each final group E, which provides at least one result, the auxiliary scalar (d.sub.a) being determined from the auxiliary element (x) and from the main scalar (d). The device further performs a second elementary operation in each starting group E, the second elementary operation consisting in executing the modular operation between an additional auxiliary base and an additional auxiliary scalar d.sub.b in each starting group, at least one of the additional auxiliary base and of the additional scalar being derived from the result of the first elementary operation.

Blind injection attacks can compromise computer systems and their data. These attacks can appear in SQL, XML, LDAP, OS commands, or other contexts. Blind injection attacks may be used to obtain information from a data source based on whether a response is returned within a certain time frame. By introducing intentional delay servicing of commands, however, the efficacy of blind injection attacks can be reduced. SQL query statements or other commands can be analyzed to determine if a conditional delay exists, and randomization effects can be used (sometimes based on length of the conditional delay) to make it difficult for an attacker to use blind injection. These techniques may broadly apply to any data source, and include databases exposed to the public via the internet (e.g. via a web server URL). Blind SQL injection, blind XML injection, and other blind injection attacks can be mitigated using techniques described herein.

Some embodiments are directed to a cryptographic device (100) arranged to compute a block cipher on an input message (110). The device computes a plurality of intermediate block cipher results by computing and re-computing a first intermediate block cipher result (151) of the plurality of intermediate block cipher results by applying the plurality of block cipher rounds sequentially to the input message followed by one or more additional block cipher rounds. A plurality of averaging functions are applied to the plurality of intermediate block cipher results, the results of which are added, after which the inverse of the one or more additional block cipher rounds is applied.

A system and method for minimizing the likelihood that the secret key used by a bootloader is compromised is disclosed. A bootloader is installed on the device. The bootloader is a software program that performs many functions. These functions may include checking the checksum of the incoming software image for integrity, decrypting the incoming software image using a secret key, deleting data in the FLASH memory, installing the new software image in the FLASH memory and other functions. The bootloader utilizes various techniques to track the versions of the software image being installed. The method counts the number of incomplete attempts that are made when trying to update the software image. By monitoring these parameters, the bootloader can determine when a malicious actor is attempting a side channel attack. In response, the bootloader may not allow a new software image to be loaded or the secret key to be accessed.

An integrated circuit having a plurality of field-effect transistors, wherein at least a proportion of the field-effect transistors implement a plurality of logic cells, a substrate, a well which is arranged in the substrate, and a supply circuit which is designed to connect the well to a supply potential, wherein the supply circuit is constituted by one or more field-effect transistors of the plurality of field-effect transistors.