An apparatus comprises combined divide/square root processing circuitry to perform, in response to a divide instruction, a given radix-64 iteration of a radix-64 divide operation, and in response to a square root instruction, a given radix-64 iteration of a radix-64 square root operation; in which: the combined divide/square root processing circuitry comprises shared circuitry to generate at least one output value for the given radix-64 iteration on a same data path used for both the radix-64 divide operation and the radix-64 square root operation.

A carry-lookahead adder is provided. A first mask unit performs first mask operation on first input data with the first mask value to obtain first masked data. A second mask unit performs second mask operation on second input data with the second mask value to obtain second masked data. A first XOR gate receives the first and second mask values to provide a variable value. A half adder receives the first and second masked data to generate a propagation value and an intermediate generation value. A third mask unit performs third mask operation on the propagation value with the third mask value to obtain the third masked data. A carry-lookahead generator provides the carry output and the carry value according to carry input, the generation value, and the propagation value. The second XOR gate receives the third masked data and the carry value to provide the sum output.

Various embodiments relate to a method for masked decoding of a polynomial a using an arithmetic sharing a to perform a cryptographic operation in a data processing system using a modulus q, the method for use in a processor of the data processing system, including: subtracting an offset δ from each coefficient of the polynomial a; applying an arithmetic to Boolean (A2B) function on the arithmetic shares of each coefficient a.sub.i of the polynomial a to produce Boolean shares â.sub.i that encode the same secret value a.sub.i; and performing in parallel for all coefficients a shared binary search to determine which of coefficients a.sub.i are greater than a threshold t to produce a Boolean sharing value {circumflex over (b)} of the bitstring b where each bit of b decodes a coefficient of the polynomial a.

A computer-implemented method includes receiving, by a processing unit, an instruction to perform a masked shift add operation with a set of operands. A logical AND operation is performed on a first pair of operands from the set of operands to obtain a first intermediate result. The first intermediate result is shifted by a first shift amount that is based on a first operand from the first pair of operands. A logical AND operation is performed on a second pair of operands from the set of operands to obtain a second intermediate result. The second intermediate result is shifted by a second shift amount that is based on a first operand from the second pair of operands. The shifted first intermediate result is added with the shifted second intermediate result. The method further includes outputting, as a result of the masked shift add operation, an output of the adding.

A device includes a memory, which, in operation, stores one or more look-up tables, and cryptographic circuitry coupled to the memory. The cryptographic circuitry, in operation, multiplies first data masked with a first mask by second data masked with a second mask, and protects the first data and the second data during the multiplying. The multiplying and protecting includes remasking the first data with a third mask, remasking the second data with a fourth mask, executing one or more compensation operations using one or more of the one or more look-up tables, and generating third data masked with a fifth mask. The fifth mask is independent of the first, second, third, and fourth masks. The third data corresponds to the first data multiplied by the second data.

Various embodiments relate to a method for masked decoding of a polynomial a using an arithmetic sharing a to perform a cryptographic operation in a data processing system using a modulus q, the method for use in a processor of the data processing system, including: subtracting an offset δ from each coefficient of the polynomial a; applying an arithmetic to Boolean (A2B) function on the arithmetic shares of each coefficient a.sub.i of the polynomial a to produce Boolean shares â.sub.i that encode the same secret value a.sub.i; and performing in parallel for all coefficients a shared binary search to determine which of coefficients a.sub.i are greater than a threshold t to produce a Boolean sharing value {circumflex over (b)} of the bitstring b where each bit of b decodes a coefficient of the polynomial a.

A first input share value, a second input share value, and a third input share value may be received. The first input share value may be converted to a summation or subtraction between an input value and a combination of the second input share value and the third input share value. A random number value may be generated and combined with the second input share value and the third input share value to generate a combined value. Furthermore, a first output share value may be generated based on a combination of the converted first input share value, the combined value, and additional random number values.

A field programmable gate array (FPGA) including a configurable interconnect fabric connecting a plurality of logic blocks, the configurable interconnect fabric and the logic blocks being configured to implement a data masking circuit configured to: receive input data including data values at a plurality of indices of the input data; select between a data value of the data values and an alternative value using a masking multiplexer to generate masked data, the masking multiplexer being controlled by a mask value of a plurality of mask values at indices corresponding to the indices of the input data; and output the masked data. In some examples, the configurable interconnect fabric and the logic blocks are further configured to implement a mask generation circuit configured to generate the mask values. In some examples, the mask values are received from external memory.

One embodiment provides a processor comprising at least one of a first mask to receive a first input operand and a second input operand and to generate a selected portion of an AND of a sum of the first input operand and the second input operand using an AND chain of the first mask in parallel with generation of the sum by an adder; and a second mask to receive the first input operand and the second input operand and to generate the selected portion of an OR of the sum using an OR chain of the second mask in parallel with generation of the sum.

The present invention relates to a method for securing against N-order side-channel attacks a cryptographic process using in a plurality of encryption rounds an initial Substitution box S.sub.0 comprising the steps of: —generating (E12) a first randomized substitution box S.sub.1 by masking said initial substitution box S.sub.0 such that S.sub.1(x XOR m.sub.1)=S.sub.0(x) XOR m.sub.2, with m.sub.1, m.sub.2 uniformly-distributed random values, for any input value x of the initial substitution box S.sub.0, —generating (E13) a first transrandomized Substitution box S(1,1) from the first randomized substitution box S.sub.1 and from masks m.sub.1,1, m′.sub.1,1 such that S(1, 1)[x]=S.sub.1[x xor (m.sub.1 xor m.sub.1,1)] xor (m.sub.2 xor m′.sub.1,1) for any input value x of the first transrandomized Substitution box S(1,1), —generating (E14) from the first transrandomized Substitution box S(1,1) a N−1th transrandomized Substitution box S(1, N−1) by performing iteratively N−2 times a step of generation of a ith transrandomized Substitution box S(1, i) from a i−1th transrandomized substitution box S(1, i−1) and from a plurality of masks m 1,i, m′.sub.1,i, m.sub.1,i−1, m′.sub.1,i−1 such that S(1, i)[x]=S(1, i−1)[x xor (m.sub.1,i-1 xor m.sub.1,i)] xor (m′.sub.1,i−1 xor m′.sub.1,i) for any input value x of the ith transrandomized substitution box S(1, i), with i an integer comprised in {2, . . . N−1}, —performing the cryptographic process using (E15) the N−1th transrandomized Substitution box S(1, N−1) instead of the initial Substitution box S.sub.0 in at least said first round of the cryptographic process.