An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.

A decomposition unit (211) decomposes an exponent portion of a final exponentiation computation portion of pairing computation in an elliptic curve into an easy part and a hard part, the elliptic curve being expressed by a polynomial r(x), a polynomial p(x), a polynomial t(x), an embedding degree k, and an integer u. A factorization unit (212) factorizes the hard part with using a homogeneous cyclotomic polynomial Ψ.sub.n(x, p). An exponentiation computation unit (22) performs computation of final exponentiation with using the easy part and the factorized hard part.

The present disclosure relates to a cryptographic method comprising: multiplying a point belonging to a mathematical set with a group structure by a scalar by performing: the division of a scalar into a plurality of groups formed of a same number w of digits, w being greater than or equal to 2; and the execution, by a cryptographic circuit and for each group of digits, of a sequence of operations on point, the sequence of operations being identical for each group of digits, at least one of the operations executed for each of the groups of digits being a dummy operation.

An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.

The present disclosure relates to a cryptographic method including the execution, by a cryptographic circuit, of an algorithm applied to a scalar in order to generate an output vector, of length L+n, which digits are d.sub.0, . . . , d.sub.L+n−1, the algorithm comprising iterations i, each iteration i taking an input data value, initially equal to said scalar and an input vector of length c, which digits are d′.sub.i, . . . , d′.sub.i+c−1, where for each j∈{i, . . . , i+c−1}, the digit d′.sub.j is such that:

[00001]$d_j^{\prime }=\{\begin{array}{c}{d}_j\mathrm{if}j<L\\ d_{j-m}\mathrm{otherwise}\end{array}.$

Systems and methods described herein relate to techniques in which multiple parties each generate and exchange quantities that are based on a shared secret (e.g., powers of the shared secret) without exposing the shared secret. According to a protocol, two or more parties may exchange sets of elliptic curve points generated over polynomials that can be used, by each of the two or more parties, to determine a power of a shared secret. The protocol may be utilised as part of determining parameters for a smart contract that is broadcast to a blockchain network (e.g., Bitcoin). Based on the protocol, an additional party (e.g., a third party different from the two or more parties) may perform a computational task such as execution of the smart contract.

Provided are embodiments for a circuit comprising for performing hardware acceleration for elliptic curve cryptography (ECC). The circuit includes a code array comprising instructions for performing complex modular arithmetic; and a data array storing values corresponding to one or more complex numbers. The modular arithmetic unit includes a first multiplier and a first accumulation unit, a second multiplier and a second accumulation unit, and a third multiplier and a third accumulation unit, wherein the first, second, and third multiplier and accumulation units are cascaded and configured to perform hardware computation of complex modular operations. Also provided are embodiments of a computer program product and a method for performing the hardware acceleration of super-singular isogeny key encryption (SIKE) operations.

A system for securely computing an elliptic curve scalar multiplication in an unsecured environment, including: a secure processor including secure memory, the secure processor configured to: split a secure scalar K into m.sub.2 random values k.sub.i, where i is an integer index; randomly select m.sub.1−m.sub.2 values k.sub.i for the indices m.sub.2<i≦m.sub.1; select m.sub.1 mask values δ.sub.i; compute m.sub.1 residues c.sub.i based upon random residues a.sub.i, δ.sub.π(i).sup.−1, and k.sub.π(i), wherein π(i) is a random permutation; compute m.sub.1 elliptic curve points G.sub.i based upon random residues a.sub.i and an elliptic point to be multiplied; receive m.sub.1 elliptic curve points; and compute the elliptic curve scalar multiplication by combining a portion of the received elliptic curve points and removing the mask values δ.sub.i from the portion of the received elliptic curve points; a memory device; and a processor in communication with the memory device, the processor being configured to: receive m.sub.1 residues c.sub.i and elliptic curve points G.sub.i; compute m.sub.1 elliptic curve points P.sub.i based upon the m.sub.1 residues c.sub.i and elliptic curve points G.sub.i; send the m.sub.1 elliptic curve points P.sub.i to the secure processor.

A system, method and computer-readable medium provide secure communication between a first and a second computer system based on supersingular isogeny elliptic curve cryptography. The first computer system and the second computer system each determine kernels K.sub.A and K.sub.B including computing mP+nQ by accessing a lookup table stored in a memory that contains a range of doubles of an end point of the respective kernels, where P and Q are points on the public elliptic curve and m and n are integers. The first computer system and the second computer system compute secret isogenies by determining a respective kernel K.sub.BA and K.sub.AB using mixed-base multiplicands with a single inversion, including computing the respective kernel K.sub.BA and K.sub.AB by converting the multiplicands to base 32, and computing scalar multiplications using the base 32 multiplicands.

A method in an elliptic curve cryptographic system, the method being executed by an electronic device and including a multiplication operation of multiplying a point of an elliptic curve by a scalar number, the point having affine coordinates belonging to a Galois field, the multiplication operation including steps of detecting the appearance of a point at infinity during intermediate calculations of the multiplication operation, and of activating an error signal if the point at infinity is detected and if the number of bits of the scalar number processed by the multiplication operation is lower than the rank of the most significant bit of an order of a base point of the cryptographic system.