ENCRYPTION DEVICE AND METHOD

Abstract

Encryption techniques are disclosed that implement a transformation network having at least two stages of butterfly operations, wherein the transformation network is designed to carry out a discrete Fourier transform over rings of multiple input signals to obtain multiple output signals. An error detection device is also described that is designed to obtain at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network and to carry out an error analysis. The error analysis is based on a comparison of a first linear combination of the subset of the multiple input signals to a second linear combination of the subset of the multiple output signals.

Claims

1. A device for encryption, having the following features: a transformation network comprising at least two stages of butterfly operations, wherein the transformation network is configured to carry out a discrete Fourier transform over rings of multiple input signals to obtain multiple output signals; and an error detection device configured to obtain at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network, and to carry out an error analysis, wherein the error analysis is based on a comparison of a first linear combination of the subset of the multiple input signals to a second linear combination of the subset of the multiple output signals.

2. The device as claimed in claim 1, wherein the first linear combination is determined using first weights for each input signal, and wherein the second linear combination is determined using second weights for each output signal.

3. The device as claimed in claim 2, wherein the first weights and the second weights depend on the transformation network, or are determined in advance depending on the transformation network.

4. The device as claimed in claim 2, further comprising: a memory configured to store the first weights for each input signal and the second weights for each output signal.

5. The device as claimed in claim 2, wherein: the first weights are defined by a first weighting vector a, the second weights are defined by a second weighting vector b, the first weighting vector a and the second weighting vector b are determined on the basis of the formula b=a.Math.A, and A represents a matrix that describes a behavior or an inverse behavior of the transformation network.

6. The device as claimed in claim 2, wherein: the first weights and the second weights are determined based upon satisfying the following inequations: $S_{\frac{N}{2^l{m}_2+n_2}}^l\left(a\right)=\underset{m_1=0}{\overset{\frac{N}{2^l}-1}{.Math.}}{}_{2N}^{\left(2\left(2^l{m}_1+m_2\right)+1\right)n_2}{a}_{2^l{m}_1+m_2}0$ $0l{\log }_2\left(N\right),$ $0n_2{2}^l-1,$ $0m_2\frac{N}{2^l}-1,$ N indicates a dimension of the transformation network, l=0, . . . , log.sub.2 N, for each stage of the at least two stages, and m.sub.2 {0, . . . , 2.sup.l1} and $n_2\left\{0,...,\frac{N}{2^l}-1\right\}.$

7. The device as claimed in claim 1, wherein the error detection device is configured to identify an individual error in response to a calculated value of the first linear combination of the subset of the multiple input signals deviates from a calculated value of the second linear combination of the subset of the multiple output signals.

8. The device as claimed in claim 2, wherein the first weights are defined by two first partial weighting vectors, and wherein the second weights are defined by two second partial weighting vectors.

9. The device as claimed in claim 8, wherein: the weights of the two first partial weighting vectors and the weights of the two second partial weighting vectors are determined that satisfy the following inequations: $S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{\left(1\right)}\right)0$ $S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{\left(2\right)}\right)0$ $S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{(\left(2\right)}\right)S_{\frac{N}{2^{\tilde{l}}}{\tilde{m}}_2+{\tilde{n}}_2}\left(a^{\left(1\right)}\right)-S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{\left(1\right)}\right)S_{\frac{N}{2^l}{\tilde{m}}_2+{\tilde{n}}_2}\left(a^{\left(2\right)}\right)0,$ $0l,\stackrel{}{l}{\log }_2\left(N\right),$ $0n_2,{\tilde{n}}_2{2}^l-1,$ $0m_2,{\tilde{m}}_2\frac{N}{2^l}-1$ a triple l, n.sub.2 and m2 is not equal to a triple {tilde over (l)}, .sub.2 and {tilde over (m)}.sub.2, N indicates the dimension of the transformation network, l and {tilde over (l)}=0, . . . , log.sub.2 N for each stage, and {tilde over (m)}.sub.2 and m.sub.2{0, . . . , 2.sup.l1} and .sub.2 and $n_2\left\{0,...,\frac{N}{2^l}-1\right\}.$

10. The device as claimed in claim 8, wherein the error detection device is configured to identify a double error in response to (i) a calculated value of the first linear combination calculated using one of the two first partial weighting vectors deviating from a calculated value of the second linear combination calculated using one of the two second partial weighting vectors, or (ii) a calculated value of the first linear combination calculated using a further one of the two first partial weighting vectors deviating from a calculated value of the second linear combination calculated using a further one of the two partial weighting vectors.

11. The device as claimed in claim 1, wherein: the transformation network comprises one or more split transformation network components, and the subset of the multiple input signals and the subset of the multiple output signals comprise the multiple input signals and the multiple output signals of a one of the one or more split transformation network components; or the subset of the multiple input signals and the subset of the multiple output signals comprise all input signals and all output signals of the transformation network.

12. The device as claimed in claim 2, wherein each n-th of the first weights or each n-th of the second weights are specified with n>=2 by a predefined weighting factor.

13. The device as claimed in claim 1, wherein the error detection device is implemented in hardware; or wherein the error detection device is implemented as a software component that is executed on a calculation unit of the device for encryption, the transformation network being implemented via execution of the calculation unit.

14. A non-transitory computer readable medium having instructions stored thereon that, when executed by one or more processors: implement a transformation network having at least two stages of butterfly operations, wherein the transformation network is configured to carry out a discrete Fourier transform over rings of multiple input signals to obtain multiple output signals; and implement an error detection device to obtain at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network, and to carry out an error analysis, wherein the error analysis is based on a comparison of a first linear combination of the subset of the multiple input signals to a second linear combination of the subset of the multiple output signals.

15. A method for encryption, comprising: executing, via a transformation network having two stages of butterfly operations, a discrete Fourier transform over rings of multiple input signals to obtain multiple output signals; obtaining at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network, and performing an error analysis based on a comparison of a first linear combination of the subset of the multiple input signals to a second linear combination of the subset of the multiple output signals.

16. A device for determining first weights and second weights as a function of a transformation network having at least two stages of butterfly operations and being configured to perform a discrete Fourier transform over rings of multiple input signals to obtain at least multiple output signals, wherein the device is configured to, using the first weights, calculate a first linear combination of the subset of the multiple input signals, wherein the device is configured to, using the second weights, calculate a second linear combination of the subset of the multiple output signals, and wherein the device is configured to determine the first and second weights such that a calculated value of the first linear combination equals a calculated value of the second linear combination when the discrete Fourier transform over rings of the multiple input signals has been performed without error.

17. The device as claimed in claim 16, wherein the first weights and the second weights depend on the transformation network or are determined depending on the transformation network.

18. The device as claimed in claim 17, wherein: the first weights are defined by a first weighting vector a, the second weights are defined by a second weighting vector b, the first weighting vector a and the second weighting vector b are determined on the basis of the formula b=a.Math.A, and A represents a matrix that describes a behavior or an inverse behavior of the transformation network.

19. The device as claimed in claim 17, wherein: the first weights and second weights are determined that satisfy the following inequations: $S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a\right)={.Math.}_{m_1=0}^{\frac{N}{2^l}-1}{}_{2N}^{\left(2\left(2^l{m}_1+m_2\right)+1\right)n_2}{a}_{2^l{m}_1+m_2}0$ $0l{\log }_2\left(N\right),$ $0n_2{2}^l-1,$ $0m_2\frac{N}{2^l}-1,$ N indicates the dimension of the transformation network (100), l=0, . . . , log.sub.2 N, for each stage, and m.sub.2{0, . . . , 2.sup.l1} and $n_2\left\{0,...,\frac{N}{2^l}-1\right\}.$

20. The device as claimed in claim 17, wherein the first weights are defined by two first partial weighting vectors and the second weights are defined by two second partial weighting vectors.

21. The device as claimed in claim 20, wherein: the two first partial weighting vectors and the two second partial weighting vectors are determined that satisfy the following inequations: $S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{\left(1\right)}\right)0$ $S_{\frac{N}{2^l}2+n_2}^l\left(a^{\left(2\right)}\right)0$ $S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{(\left(2\right)}\right)S_{\frac{N}{2^{\tilde{l}}}{\tilde{m}}_2+{\tilde{n}}_2}\left(a^{\left(1\right)}\right)-S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{\left(1\right)}\right)S_{\frac{N}{2}{\tilde{l}}_{\tilde{l}}{\tilde{m}}_2+{\tilde{n}}_2}\left(a^{\left(2\right)}\right)0,$ $0l,\stackrel{}{l}{\log }_2\left(N\right),$ $0n_2,{\tilde{n}}_2{2}^l-1,$ $0m_2,{\tilde{m}}_2\frac{N}{2^l}-1$ a triple l, n.sub.2 and m2 is not equal to a triple {tilde over (l)}, .sub.2 and {tilde over (m)}.sub.2, N indicates the dimension of the transformation network, l and {tilde over (l)}=0, . . . , log.sub.2 N for each stage, and {tilde over (m)}.sub.2 and m.sub.2{0, . . . , 2.sup.l1} and .sub.2 and $n_2\left\{0,...,\frac{N}{2^l}-1\right\}.$

22. A method for determining first and second weights as a function of a transformation network, comprising: performing, via the transformation network using at least two stages of butterfly operations, a discrete Fourier transform over rings of multiple input signals to obtain at least multiple output signals; calculating, using the first weights, a first linear combination of the subset of the multiple input signals; and calculating, using the second weights, a second linear combination of the subset of the multiple output signals, wherein the first and second weights are determined such that a calculated value of the first linear combination equals a calculated value of the second linear combination when the discrete Fourier transform over rings of the multiple input signals has been performed without error.

Description

BRIEF DESCRIPTION OF THE DRAWINGS/FIGURES

[0005] The accompanying drawings, which are incorporated herein and form a part of the specification, illustrate the aspects of the present disclosure and, together with the description, further serve to explain the principles of the aspects and to enable a person skilled in the pertinent art to make and use the aspects.

[0006] Exemplary embodiments of the present disclosure are explained below with reference to the accompanying drawings. In the drawings:

[0007] FIG. 1 shows an exemplary block diagram of a transformation network to explain the underlying transformation;

[0008] FIG. 2 shows a schematic block diagram to illustrate a butterfly operation;

[0009] FIG. 3 shows a schematic block diagram of a transformation network in combination with an error detection device according to exemplary embodiments;

[0010] FIG. 4 shows a schematic flowchart for error detection;

[0011] FIG. 5 shows a schematic block diagram of a device with transformation network and error detection device for individual error identification according to exemplary embodiments;

[0012] FIG. 6 shows a schematic block diagram of a device with transformation network and an error detection device for double error identification according to further exemplary embodiments; and

[0013] FIG. 7 shows a schematic block diagram of a device with a divided transformation network and error identification device according to exemplary embodiments.

[0014] The example aspects of the present disclosure will be described with reference to the accompanying drawings. The drawing in which an element first appears is typically indicated by the leftmost digit(s) in the corresponding reference number.

SUMMARY

[0015] The object of the present disclosure is to provide a concept for error detection in encryptions, which has an improved compromise between efficiency and reliability.

[0016] This object is achieved by means of the subject matter of the various embodiments as discussed herein, including the claims.

[0017] Exemplary embodiments of the present disclosure provide a device for encryption having a transformation network and an error detection device. The transformation network has at least two stages of butterfly operations and is designed to carry out a discrete Fourier transform via, for example, commutative or algebraic rings of multiple input signals to obtain multiple output signals. The error detection device is designed to obtain at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network and to carry out an error analysis, wherein the error analysis is based on a comparison of a first linear combination of the subset of the multiple input signals to a second linear combination of the subset of the multiple output signals.

[0018] A further exemplary embodiment provides a data carrier comprising a first and a second software component. The first software component is designed to implement a transformation network having at least two stages of butterfly operations, wherein the transformation network is designed to carry out a discrete Fourier transform via rings of multiple input signals to obtain multiple output signals. The second software component is designed to implement an error detection device, which is designed to obtain at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network and to carry out an error analysis. The error analysis is based on a comparison of a first linear combination of the subset of multiple input signals to a second linear combination of the subset of multiple output signals.

[0019] A further exemplary embodiment provides a method for encryption comprising the steps: [0020] carrying out a transformation of multiple input signals using a transformation network having at least two stages of butterfly operations to obtain multiple output signals; [0021] The error detection device is designed to obtain at least a subset of the multiple input signals and at least a subset of the multiple output signals of the transformation network and to carry out an error analysis, wherein the error analysis is based on a comparison of a first linear combination of the subset of the multiple input signals to a second linear combination of the subset of the multiple output signals.

[0022] A further exemplary embodiment provides a device for determining first weights and second weights as a function of a transformation network that has at least two stages of butterfly operations and is designed to carry out a discrete Fourier transform via rings of multiple input signals, so as to obtain at least multiple output signals, [0023] wherein, using the first weights, a first linear combination of the subset of the multiple input signals can be calculated, and wherein, using the second weights, a second linear combination of the subset of the multiple output signals can be calculated, [0024] wherein the first and second weights are determined such that a calculated value of the first linear combination equals a calculated value of the second linear combination if the encryption has been carried out without error.

[0025] A further exemplary embodiment provides a device for determining first weights and second weights as a function of a transformation network that has at least two stages of butterfly operations and is designed to carry out a discrete Fourier transform via rings of multiple input signals, so as to obtain at least multiple output signals, [0026] wherein, using the first weights, a first linear combination of the subset of the multiple input signals can be calculated, and wherein, using the second weights, a second linear combination of the subset of the multiple output signals can be calculated, [0027] wherein the first and second weights are determined such that a calculated value of the first linear combination equals a calculated value of the second linear combination if the encryption has been carried out without error.

[0028] A further exemplary embodiment provides a computer program for carrying out the above-described methods.

DETAILED DESCRIPTION

[0029] Before the following exemplary embodiments of the present disclosure are explained with reference to the accompanying drawings, it should be noted that the identically acting elements and structures are provided with identical reference numerals, and therefore the description thereof is applicable to one another or interchangeable.

[0030] Before exemplary embodiments of the present disclosure are explained, transformation networks with butterfly operations as well as butterfly operations with reference to FIGS. 1 and 2 are explained by way of example.

[0031] FIG. 1 shows an NTT network or generally a transformation network 100 with three stages 110a-110c. The transformation network has eight inputs 102a-102h on the input side to the three stages 110a-110c and eight outputs 106a-106h on the output side. Each of the stages has so-called butterfly operations 120a-1201. The butterfly operations 120a-120d belong to the first stage 110a, the butterfly operations 120e-120h to the second stage 110b and the butterfly operations 120i-1201 to the third stage 110c. It should be noted that the transformation network may also have only two or more than three stages 110a and 110c with significantly fewer or more butterfly operations, e.g. two butterfly operations for each stage. On the basis of this, the number of inputs and the number of outputs will of course also be reduced. For example, there are usually 8 stages with N=256 inputs. Background information. In the focus of the exemplary embodiments are complete NTTs, i.e. log.sub.2 (N) stages, wherein N is the number of inputs. Typical values are N=256 or N=1024, wherein the actual function is also given for other values of N (powers of 2, but this is always given with NTT) as described.

[0032] Each butterfly operation 120a has two inputs 103a and 103b as well as two outputs 104a and 104b (see FIG. 2). With reference to FIG. 2, the element 120a is explained by way of example, wherein the explanation is transferable to all elements 120b-120l.

[0033] The first stage 110a has butterfly operands 120a-120d, each connected to two inputs 102a/b, 102c/d, . . . and on the output side to two butterfly operands 120e-120h of the second stage 110b. The butterfly operands 120i-120l of the third stage 110c are connected on the output side to two outputs 106a/b, 106c/d, . . . and on the input side in each case to two butterfly operands 120e-120h of the second stage 110b. Conversely, this means that there is always cross-linking between stages 110a and 110b and between stages 110b and 110c. For example, the butterfly operand 120e is connected to 120a and 120c on the input side and to 120i and 120j on the output side. The butterfly operand 120f is connected to 120a and 120c on the input side and to 120k and 120l on the output side. Thus, the operands 120e and 120f have the same connections on the input side, wherein these are each arranged with other outputs of the preceding butterfly operands 120a and 120c of the first stage 110a. For the sake of completeness, it should also be noted that 120g is connected to 120b and 120d on the input side and 120i and 120j on the output side, while 120h on the input side is linked to 120b and 120d on the input side and 120k and 120l on the output side. This link is shown here by way of example, i.e. it can also vary both on the input side and on the output side and varies especially if more butterfly operands or fewer butterfly operands are provided for each stage 110a-110c or if more stages were available. In general, the transformation networks considered here, e.g. NTTs or inverse NTTs, have in common that a multiplicity of stages 110a-110c are provided, wherein each stage has a fixed number of butterfly operations 120a-120l.

[0034] Each butterfly operation correspondingly has exemplary embodiments, thus the inputs 103a and 103b as well as the outputs 104a and 104b. For example, 103a can be linked to 102a and 103b to 102b. For example, 104a can be linked to the butterfly operand 120e, while 104b is connected to the butterfly operand 120f. Each butterfly operand (butterfly block) has an internal interconnection, and therefore each input 103a, 103b can be linked to a mathematical operation on each output 104a and 104b. Multiplications 105m, additions 105a and subtractions 105s are typically provided as the mathematical operation. The butterfly operations are typically executed sequentially, wherein intermediate results are stored or loaded from a corresponding memory (not depicted).

[0035] Any path in this network or the butterfly operands thereof can fail, either due to random HW errors or error injection by malicious attackers. The prior art for recording these errors consists in recalculating the arithmetic operations in the butterfly operations. These schemes are referred to below as recalculation schemes. For better coverage of different types of errors, some modifications such as negating input signals and rearranging coefficients so as to modify the paths through the butterfly unit are also considered.

[0036] Different variations of this strategy were published by Sarker et al..sup.[3] Although this strategy identifies some errors, it has two major drawbacks. First, the same can only locate errors that occur in the butterfly operand. If a coefficient is loaded incorrectly due to corruption in the memory while reading or writing the previous result, these schemes cannot record these errors. Secondly, since all arithmetic operations are carried out twice, the same cause a significantly increased computational outlay, which is reflected in increased computational time and/or computational range, as well as a high dynamic power consumption. In addition, this increased outlay scales linearly with the number of butterflies that are calculated in the network. There is therefore a need for an improved approach.

[0037] Exemplary embodiments of the present disclosure provide a device for encryption 300 with a transformation network 100, e.g. an NTT or inverse NTT, which has a plurality of inputs 102a-102n or a plurality of outputs 106a-106n. In addition, the device 300 has an error detection device 310. This error detection device 310 is arranged parallel to the transformation network 100 and receives as input signals both the input signals f.sub.0-f.sub.7 of the inputs 102a-102n and the output signals {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7 of the outputs 106a-106n.

[0038] The transformation network 100 can be configured like the transformation network from FIG. 1 with the butterfly operations from FIG. 2, or can also have at least two stages of butterfly operations in the minimum configuration. The transformation network 100 is designed to carry out a discrete Fourier transform over, for example, algebraic rings of multiple input signals f.sub.0-f.sub.7 of the inputs 102a-102n, in order to output multiple output signals {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7 of the outputs 106a-106n. According to exemplary embodiments, the transformation network 100 can be part of an encryption device, such as a so-called post-quantum encryption device.

[0039] The error detection device 310 is designed to obtain at least a subset of the multiple input signals f.sub.0-f.sub.7 of the inputs 102a-102n and at least a subset of the multiple output signals {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7 of the outputs 106a-106n, in order to carry out an error analysis. The error analysis comprises a comparison of a first linear combination of the subset of the multiple input signals f.sub.0-f.sub.7 of the inputs 102a-102n to a second linear combination of the subset of the multiple output signals {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7 of the outputs 106a-106n. For example, a checksum can be determined for input signals f.sub.0-f.sub.7 of inputs 102a-102n and also for output signals {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7 of outputs 106a-106n. This checksum can be identical according to exemplary embodiments if no error has occurred. In an embodiment, the checksum is not formed as a simple sum, even if this would of course be possible, but as a weight to the sum. This therefore means that each input signal f.sub.0-f.sub.7 of inputs 102a-102n or output signals {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7 of outputs 106a-106n is weighted with a corresponding weight.

[0040] In other words, FIG. 3 shows the functional structure of such an error recording scheme at a high level. The error recording block 310 receives the input signals f.sub.0-f.sub.7 and output signal {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7, the NTT/transformation network 100 as inputs and, using weights a.sub.0-a.sub.7 or b.sub.0-b.sub.7 of these, determines the presence of errors that occur in the entire (inverse) NTT calculation. This is in contrast to the recalculation schemes, where errors are recorded at the level of individual butterfly operations.

[0041] For the sake of completeness, it should be noted that in order to identify an error, the calculated values/checksums differ if an error has occurred. For the selected weights, this is guaranteed for a single error and is very likely for multiple random errors. According to exemplary embodiments, multiple first and second weighting vectors, e.g. with different weights, can be used to identify double errors, as will be explained in connection with FIG. 6.

[0042] According to exemplary embodiments, the straight inputs f.sub.0, f.sub.4, f.sub.2 and f.sub.6 can be processed by the elements 120a and 120b, while the odd inputs f.sub.1, f.sub.5, f.sub.3 and f.sub.7 are processed by the elements 120c and 120d. The same nomenclature is used on the output side, and therefore the following sequence of output signals is output by the elements 120i, 120j, 120k and 120l: {circumflex over (f)}.sub.0, {circumflex over (f)}.sub.4, {circumflex over (f)}.sub.2, {circumflex over (f)}.sub.6, {circumflex over (f)}.sub.1, {circumflex over (f)}.sub.5, {circumflex over (f)}.sub.3 and {circumflex over (f)}.sub.7. According to exemplary embodiments, of course, another arrangement or a different arrangement is possible. According to further exemplary embodiments, elements 120a to 120l can also be interconnected differently.

[0043] The weights for the input signals are called first weights, while the weights for the output signals are called second weights. According to exemplary embodiments, the weights are selected in such a way that the condition of the same results of the first and second linear combination is fulfilled, in the event that no error is present. For this purpose, the first and second weights depend on the transformation network and can be determined in advance. For example, the first and second weights belonging to the transformation network are stored in a memory of the device. This means that according to exemplary embodiments, the device has a memory in which the first and second weights for the transformation network to be applied are present. According to exemplary embodiments, the transformation network can be implemented in software, i.e. the weights belonging to a software component in which the transformation network is implemented are stored.

[0044] In other words, this means that both unit 100 and unit 310 can be present as a software component. The calculation of linear combinations or checksums in unit 310 is based on multiplication and addition. These mathematical operands are also present in the respective butterfly cell 120a-1201. This allows the transformation network itself to carry out the calculation of the first and second linear combination, thus comprising the task of unit 310.

[0045] One exemplary embodiment therefore provides a data carrier comprising a first and second software component. The first and/or second software component can be run on a corresponding processor or both can be run on the same processor. The first software component is designed to implement a transformation network having at least two stages of butterfly operations, wherein the transformation network is designed to carry out a discrete Fourier transform over rings of multiple input signals to obtain multiple output signals. The second software component is designed to implement an error detection device which is designed to obtain at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network, in order to carry out an error analysis, wherein the error analysis is based on a comparison of a first linear combination of the subset of the multiple input signals to a second linear combination of the subset of the multiple output signals.

[0046] A further exemplary embodiment provides a method for encryption, as shown in FIG. 4. The method 400 consists of two central steps 410 and 420. A discrete Fourier transform over rings of multiple input signals using a transformation network with two or more stages of butterfly operations is carried out in step 410, in order to obtain multiple output signals. In the second step 420, at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network (cf. 422) is obtained and an error analysis 424 is carried out. The error analysis is based on a comparison of a first linear combination of the subset of multiple input signals to a second linear combination of the subset of multiple output signals. In other words, the proposed error recording scheme functions by calculating weighted sums of the input signals (in terms of values of the input signals or of input values) or output signals (in terms of values of the output signals) of the (inverse) NTT.

[0047] According to exemplary embodiments, a method is therefore described for recording errors in the calculation of transformations, such as (inverse) NTT, which are not based on recalculation, but instead exploit the mathematical structure inherent in the NTT. Methods for a guaranteed correction of single errors and double errors and the application of the same principles in incomplete NTT will be described in more detail.

[0048] This method can be computer-implemented according to further exemplary embodiments. In this respect, a computer program is created for carrying out the method or the method steps 410, 420, 422 and 424, if the method 400 runs on a processor.

[0049] At this point, it should be noted that the first weights can be defined by a first weighting vector a and the second weights can be defined by a second weighting vector b. The two weighting vectors a and b are based on the formula b=a.Math.A, wherein A represents a matrix representing the behavior or inverse behavior of the transformation network 100.

[0050] The following is a detailed technical description in the case of a negatively enveloped convolution-based NTT. This is the most relevant case for cryptographic applications. This is followed by a more abstract definition that covers the different variations of the NTT and the inverse NTT.

[0051] Since the error correction scheme considered in this disclosure may function using the input signals and output signals of the (inverse) NTT, the implementation units of the (inverse) NTT block are abstracted below. Instead, only the linear transformation, which can be described by an NN matrix A, is taken into account, where the output signals f refer to the input signals f, by {circumflex over (f)}=A.Math.f.

[0052] By defining the negatively enveloped convolution-based NTT, matrix A is given by

[00001]$A=\left(\begin{array}{cccc}{}_{2N}^0& {}_{2N}^{\left(2.Math.0+1\right).Math.1}& .Math.& {}_{2N}^{\left(2.Math.0+1\right).Math.\left(N-1\right)}\\ {}_{2N}^0& {}_{2N}^{\left(2.Math.1+1\right).Math.1}& .Math.& {}_{2N}^{\left(2.Math.1+1\right).Math.\left(N-1\right)}\\ .Math.& .Math.& & .Math.\\ {}_{2N}^0& {}_{2N}^{\left(2.Math.\left(N-1\right)+1\right).Math.1}& .Math.& {}_{2N}^{\left(2.Math.\left(N-1\right)+1\right).Math.\left(N-1\right)}\end{array}\right),$

wherein .sub.2N is the 2N-th primitive unit root. The inverse NTT is defined as the mathematical inverse of this matrix.

[0053] In this respect, a further exemplary embodiment provides a calculation concept in order to find the first and second weights or the first weighting vector a and the second weighting vector b. For this purpose, according to exemplary embodiments, a device can be provided, which is designed to determine the first and second weights as a function of the transformation network 100. This device determines the weights under the following two premises: [0054] wherein, using the first weights, a first linear combination of the subset of the multiple input signals can be calculated, and wherein, using the second weights, a second linear combination of the subset of the multiple output signals can be calculated, [0055] wherein the first and second weights are determined such that a calculated value of the first linear combination equals a calculated value of the second linear combination, if the discrete Fourier transform over rings has been carried out without error.

[0056] Generally speaking, for all the schemes described, the conditions for the weightings lead to a space for solutions. From this space, it is possible to select weightings that allow efficient implementation. For example, it is possible to set every second weight for the input signals (input values) and the output signals (output values) to be equal to one, that is, one of the inputs/outputs for each of the butterfly operations in the first/last stage. Then, by setting up and solving the linear system of equations b=a.Math.A, a solution is obtained where half of the weightings for the weighted sums are equal to one. This reduces the number of required multiplications from 2N to N.

[0057] A further exemplary embodiment provides a corresponding method for determining the first and second weights, also under the conditions: [0058] wherein, using the first weights, a first linear combination of the subset of the multiple input signals can be calculated, and wherein, using the second weights, a second linear combination of the subset of the multiple output signals can be calculated, [0059] wherein the first and second weights are determined such that a calculated value of the first linear combination equals a calculated value of the second linear combination, if the discrete Fourier transform over rings has been carried out without error.

[0060] The method can, according to exemplary embodiments, comprise setting up and solving a system of equations, wherein each equation is set up for a possible error position (in the path considered). Thus, the number of equations is determined by the number of butterfly operations in the transformation network or, in general, the transformation network.

[0061] Of course, this method can also be computer-implemented. This means that an exemplary embodiment comprises a computer program for carrying out the method or the method steps.

[0062] According to exemplary embodiments, the first and second weights are determined depending on the transformation network or in dependence thereon. According to exemplary embodiments, the determination takes place on the basis of the formula b=a.Math.A already introduced above, wherein A represents a matrix that describes the behavior or inverse behavior of the transformation network 100. According to further exemplary embodiments, further conditions can be taken into account, namely wherein the first weights are defined by a first weighting vector a and the second weights are defined by a second weighting vector b, wherein the first weighting vector a and the second weighting vector b are determined on the basis of the formula b=a.Math.A, wherein A represents a matrix that describes the behavior or inverse behavior of the network.

[0063] According to one exemplary embodiment, the first weights b.sub.0-b.sub.7 and second weights a.sub.0-a.sub.7 can be determined on the condition that they fulfil the following inequations:

[00002]$S_{\frac{N}{2^l{m}_2+n_2}}^l\left(a\right)={.Math.}_{m_1=0}^{\frac{N}{2^l}-1}{}_{2N}^{\left(2\left(2^l{m}_1+m_2\right)+1\right)n_2}{a}_{2^l{m}_1+m_2}0$$0l{\log }_2\left(N\right),$$0n_2{2}^l-1,$$0m_2\frac{N}{2^l}-1,$

wherein N indicates the dimension of the transformation network (100), wherein l=0, . . . , log.sub.2 N, for each stage and wherein m.sub.2{0, . . . , 2.sup.l1} and

[00003]$n_2\left\{0,...,\frac{N}{2^l}-1\right\}.$

[0064] The use of a first weighting vector and of a second weighting vector aims to identify a single error. According to exemplary embodiments, the error detection device can be designed to identify an individual error if a calculated value of the first linear combination deviates from a calculated value of the second linear combination. For this purpose, a comparator (see FIG. 5) is used, for example.

[0065] The recording of an individual error is carried out by comparing two weighted sums over the input signals f or output signals {circumflex over (f)}. To record a single error, the block calculates

[00004]$C_{\mathrm{out}}=a.Math.\hat{f}$$C_{\mathrm{in}}=b.Math.f.$

[0066] If C.sub.out==C.sub.in, the block concludes that no error has occurred. Otherwise, the block signals an error. The weightings are selected in such a way that b=a.Math.A. This ensures that C.sub.out==C.sub.in if no error has occurred. In order to ensure that each individual error can be recorded during the calculation, the weightings are additionally selected to fulfil the inequations:

[00005]$S_{\frac{N}{2^l{m}_2+n_2}}^l\left(a\right)={.Math.}_{m_1=0}^{\frac{N}{2^l}-1}{}_{2N}^{\left(2\left(2^l{m}_1+m_2\right)+1\right)n_2}{a}_{2^l{m}_1+m_2}0$$0l{\log }_2\left(N\right),$$0n_2{2}^l-1,$$0m_2\frac{N}{2^l}-1,$

(negatively enveloped convolution-based NTT). The set of these equations is marked by .

[0067] According to exemplary embodiments, it would also be conceivable that the concept need not be determined for each position when finding the weights, but rather that a simplification can take place by specifying individual weights in advance, for example as zero or as one, in order to simplify the calculation outlay in determining the weights.

[0068] FIG. 5 shows an NTT butterfly network 100 together with the unit 310. The unit 310 has a comparator 322, which compares the result c.sub.in the first linear combination with the result c.sub.out of the second linear combination: [0069] C.sub.in is the sum of the input signals f.sub.0-f.sub.7 weighted with the first weights b.sub.0-b.sub.7. [0070] C.sub.out represents the summed result of the weighted outputs {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7 with the second weights a.sub.0a.sub.7.

[0071] By selecting the weightings as described above, each individual error in this network is guaranteed to be recorded. This includes errors under a strong-attacker model, in which the error value and the error position are controlled by the attacker.

[0072] According to one exemplary embodiment, the weights can also be defined by two first partial weighting vectors and two second partial weighting vectors. In this case, according to exemplary embodiments, the two first and the two second weighting vectors are determined in such a way that the following inequations are fulfilled:

[00006]$S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{\left(1\right)}\right)0$$S_{\frac{N}{2^l}2+n_2}^l\left(a^{\left(2\right)}\right)0$$S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{(\left(2\right)}\right)S_{\frac{N}{2^{\tilde{l}}}{\tilde{m}}_2+{\tilde{n}}_2}\left(a^{\left(1\right)}\right)-S_{\frac{N}{2^l}{m}_2+n_2}^l\left(a^{\left(1\right)}\right)S_{\frac{N}{2}{\tilde{l}}_{\tilde{l}}{\tilde{m}}_2+{\tilde{n}}_2}\left(a^{\left(2\right)}\right)0,$$0l,\stackrel{}{l}{\log }_2\left(N\right),$$0n_2,{\tilde{n}}_2{2}^l-1,$$0m_2,{\tilde{m}}_2\frac{N}{2^l}-1,$ [0073] wherein a triple l, n.sub.2 and m2 is not equal to a triple {tilde over (l)}, .sub.2 and {tilde over (m)}.sub.2, [0074] wherein N indicates the dimension of the transformation network, wherein l and {tilde over (l)}=0, . . . , log.sub.2 N for each stage and wherein {tilde over (m)}.sub.2 and m.sub.2{0, . . . , 2.sup.l1} and .sub.2 and

[00007]$n_2\left\{0,...,\frac{N}{2^l}-1\right\}.$

[0075] By using the partial weighting vectors, the error detection device is designed to identify a double error if a calculated value of the first linear combination calculated using one of the two first partial weighting vectors deviates from a calculated value of the two second linear combinations calculated using a second of the two partial weighting vectors or if a calculated value of the first linear combination calculated using a further one of the two first two partial weighting vectors deviates from a calculated value of the two second linear combinations calculated using a second one of the two partial weighting vectors.

[0076] To record two errors, two weighted sums are calculated both for the values of the input signals and values of the output signal values. As far as can be established, there are no known methods for double error recording based on weighted sums, either for the FFT or for the NTT.

[0077] The coefficients of the outputs are denoted by the two vectors a.sup.(1) and a.sup.(2). The coefficients of the inputs are again given by the NTT of the output coefficients. The above-mentioned inequations are fulfilled for error recording in order to be successful for each combination of two errors in the network. The set of these equations is denoted by .

[0078] FIG. 6 illustrates a double error identification of this type in the NTT network 100. Here, two comparators 122a are present in the error detection device 310. The two comparators are illustrated with the reference signs 322a and 322b. To calculate the two linear combinations c.sub.in.sup.1 and c.sub.in.sup.2 on the input side, each input signal f.sub.0-f.sub.7 is multiplied by two different weights

[00008]$b_0^1$

-b.sub.7.sup.1 and b.sub.0.sup.2 and b.sub.7.sup.2. The same applies to the initial values {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7, which are multiplied once by a.sub.0.sup.1-a.sub.7.sup.1 and once by a.sub.0.sup.2-a.sub.7.sup.2. The sum c.sub.in.sup.1 is calculated from the sum of the input values f.sub.0-f.sub.7 multiplied by b.sub.0.sup.1-b.sub.7.sup.1, while the sum c.sub.in.sup.2 is determined using the weights b.sub.0.sup.2-b.sub.7.sup.2. On the output side, c.sub.out.sup.1 is determined on the basis of the output signals {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7 weighted by a.sub.0.sup.1-a.sub.7.sup.1 (sum), while c.sub.out.sup.2 is determined using the weights a.sub.0.sup.2-a.sub.7.sup.2 (sum). By selecting the weightings as described above, each combination of two errors in this network is guaranteed to be recorded. This includes errors under a strong-attacker model, in which the error values and the error positions are controlled by the attacker.

[0079] If some of the above-described details are abstracted, the conditions for the weightings for the input signals and output signals, i.e. the inequations and are derived by evaluating parts of the butterfly network starting from the assumed error position. Each position (or combination of two positions in the case of double error recording) corresponds to such an inequation and therefore condition for the weightings. These concepts are formulated more abstractly below:

[0080] An exemplary embodiment provides a method in which errors are recorded by calculating weighted sums of the input signals and output signals of the (inverse) NTT and comparing the results. The weightings are selected in such a way that the same are the (inverse) NTT of one another.

[0081] An exemplary embodiment provides a concept for determining the weights based on one or more conditions and/or using inequations: [0082] e.g. the weightings are selected in such a way that the set of inequations is fulfilled. [0083] e.g. the weightings can be determined by carrying out a partial transformation. [0084] e.g. the weightings are determined by carrying out parts of the butterfly network.

[0085] A further exemplary embodiment provides a method in which two weighted sums are calculated and the weightings are selected in such a way that the set of equations is fulfilled.

[0086] In one exemplary embodiment, the weightings of the two weighted sums are derived by partial transformations, and therefore the weighted sums of these partial transformations, which are interpreted as vectors, are linearly independent.

[0087] In one exemplary embodiment, the weighted sums are calculated on a subset of inputs and outputs corresponding to an incomplete (inverse) NTT.

[0088] Advantageously, the weightings are selected in such a way as to allow efficient multiplication.

[0089] According to one exemplary embodiment, two half-sized NTTs can be used equivalent to create an error recording scheme.

[0090] According to one exemplary embodiment, each transformation network can be split into multiple subnetworks. FIG. 7 shows a transformation network 310 with two transformation network parts 100a and 100b for illustration of individual error recording schemes for the case of log.sub.2 (N)1 stages. Here, in the network parts 100a and 100b, two stages are each provided with two butterfly operations, which are marked by the reference signs 120a, 120b, 120e and 120f for the network part 100a and by the reference signs 120c and 120d and 120g and 120h for the network part 100b. 100a processes the even input signals f.sub.0, f.sub.4, f.sub.2 and f.sub.6 (corresponds to a subset of the multiple input signals) and outputs the even output signals {circumflex over (f)}.sub.0, {circumflex over (f)}.sub.4, {circumflex over (f)}.sub.2 and {circumflex over (f)}.sub.6 (corresponds to a subset of the multiple output signals). The network 100b processes the odd input signals f.sub.1, f.sub.5, f.sub.3 and f.sub.7 (corresponds to a further subset of the multiple input signals) and outputs the odd output signals {circumflex over (f)}.sub.1, {circumflex over (f)}.sub.5, {circumflex over (f)}.sub.3 and {circumflex over (f)}.sub.7 (corresponds to a subset of the multiple output signals). For each network part 100a and 100b, a separate c.sub.in value and c.sub.out value of the linear combination is calculated by the error detection device 320 for each network part 100a and 100b and compared by the comparators 322a and 322b. For this purpose, partial weighting vectors according to exemplary embodiments are used, wherein the first partial weighting vector has the weights b.sub.0, b.sub.4, b.sub.2 and b.sub.6 and the other first partial weighting vector has the weights b.sub.1, b.sub.5, b.sub.3 and b.sub.7. One second partial weighting vector has the weights a.sub.0, a.sub.4, a.sub.2 and a.sub.6, while the other second partial weighting vector has the weights a.sub.1, a.sub.5, a.sub.3 and a.sub.7. These are used for multiplication with respective inputs f.sub.0-f.sub.7 and respective outputs {circumflex over (f)}.sub.0-{circumflex over (f)}.sub.7, which are then summed for each network part 100a and 100b on the input side and on output side.

[0091] Some cryptographic schemes use incomplete NTT (also referred to as not fully divided) in their calculations. In this case, the NTT does not consist of the full log.sub.2 (N) stages, but instead stops before the power stage is reached. The same error recording concept as described above can be applied to this type of NTT by dividing same into subsections, which in turn act as smaller NTTs.

[0092] For the exemplary embodiment from FIG. 7 it should be noted that, according to exemplary embodiments, the number of butterfly operations for each network part 100a and 100b can also be different. Of course, multiple network parts can also be provided. By dividing the network into multiple network parts, it is advantageously possible not only to output an error signal, as shown in FIG. 3, which indicates that an error is present, but also to locate the error, at least seen on the network part.

[0093] Even if, in the above exemplary embodiment, it is always assumed that negatively enveloped convolution-based NTTs are used, the principle is transferable to all types of transformation networks. For example, a positively enveloped convolution-based NTT or a corresponding inverse thereof can also be used.

[0094] For the sake of simplicity, the preceding detailed descriptions are for the negatively enveloped convolution-based NTT. However, the same concepts also apply to positively enveloped convolution-based NTTs and their respective inverse.

[0095] Although the functional architecture shown in FIG. 3 recalls an implementation in HW, it should be noted that this is a functional view and multiple implementations are conceivable, including, but not limited to:

[0096] Parallel HW: The NTT and error recording are carried out by separate HW blocks, wherein the respective calculations are carried out in parallel (where possible).

[0097] Alternative, sequential HW: The NTT and the error recording are carried out by the same HW blocks that carry out the calculations sequentially. This setting covers the general configuration of (inverse) NTT accelerators consisting of some memories, an HW block that implements the butterfly operation, and control logic. In this case, the additional HW outlay would be more complex control logic.

[0098] Alternative, HW/SW: A system consisting of a CPU and an HW accelerator for the (inverse) NTT that can be used by the CPU is taken into consideration. The CPU outputs a new NTT calculation to the HW. While the acceleration block is busy, same CPU begins processing the input signals and, upon receiving the results of the acceleration block, it checks whether errors occurred during this calculation by carrying out the remaining operations at the outputs.

[0099] Applications for transformation networks explained above are coding applications, such as asymmetric cryptography for example, which are used in many automotive applications. For example, many control devices use encryption functions for key exchange or key exchange protocol or for verifying software updates. In this respect, an exemplary embodiment provides a control unit, e.g. a control unit of a vehicle with a corresponding device for encryption, e.g. based on a post-quantum or asymmetric encryption. Exemplary embodiments of the present disclosure reduce the space and/or time overhead in the calculation of such algorithms by simple realization of error identifications, as is used in some NTTs. It is also advantageous in this regard that this type of error identification also identifies the errors that occur when data is transmitted from one butterfly operation to the next butterfly operation and not only the errors that can happen in the butterfly cell during the calculation. The calculation of the checksum or of the linear combination in general is simple and can be carried out using the same elements that also form the transformation network, e.g. serially, that is to say after the transformation. In this respect, exemplary embodiments of the present disclosure increase reliability and safety.

[0100] Although some aspects have been described in connection with a device, it is to be understood that these aspects also constitute a description of the corresponding method, with the result that a block or a structural element of a device should also be understood to be a corresponding method step or as a feature of a method step. Analogously thereto, aspects which have been described in connection with a method step or as a method step also constitute a description of a corresponding block or detail or feature of a corresponding device. Some or all of the method steps can be performed by a hardware apparatus (or using a hardware apparatus), such as a microprocessor, a programmable computer or an electronic circuit. In some exemplary embodiments, some or a plurality of the most important method steps can be performed by such an apparatus.

[0101] Depending on certain implementation requirements, exemplary embodiments of the disclosure can be implemented in hardware or in software. The implementation can be carried out using a digital storage medium, for example a floppy disk, a DVD, a Blu-ray disc, a CD, a ROM, a PROM, an EPROM, an EEPROM or a FLASH memory, a hard disk or another magnetic or optical memory, on which electronically readable control signals are stored that can interact or do interact with a programmable computer system in such a way that the respective method is carried out. For this reason, the digital storage medium can be computer-readable.

[0102] Some exemplary embodiments according to the disclosure thus comprise a data carrier, which has electronically readable control signals that are capable of interacting with a programmable computer system in such a way that one of the methods described herein is carried out.

[0103] In general, exemplary embodiments of the present disclosure can be implemented as a computer program product having a program code, wherein the program code is effective in carrying out one of the methods if the computer program product runs on a computer.

[0104] The program code can also be stored, for example, on a machine-readable carrier.

[0105] Other exemplary embodiments comprise the computer program for carrying out one of the methods described here, wherein the computer program is stored on a machine-readable carrier. In other words, an exemplary embodiment of the method according to the disclosure is thus a computer program that has a program code for carrying out one of the methods described here if the computer program runs on a computer.

[0106] A further exemplary embodiment of the methods according to the disclosure is thus a data carrier (or a digital storage medium or computer-readable medium), on which the computer program for carrying out one of the methods described herein is recorded.

[0107] A further exemplary embodiment of the method according to the disclosure is thus a data stream or sequence of signals, which represents or represent the computer program for carrying out one of the methods described herein. The data stream or the sequence of signals can be configured, for example, so as to be transferred via a data communication connection, for example via the Internet.

[0108] A further exemplary embodiment comprises a processing device, for example a computer or a programmable logic device, which is configured or adapted for carrying out one of the methods described herein.

[0109] A further exemplary embodiment comprises a computer, on which the computer program for carrying out one of the methods described herein is installed.

[0110] A further exemplary embodiment according to the disclosure comprises a device or a system, which is designed to transmit a computer program for carrying out at least one of the methods described herein to a receiver. The transmission can be done electronically or optically, for example. The receiver can be, for example, a computer, a mobile device, a storage device or a similar device. The apparatus or the system can comprise, for example, a file server for transmitting the computer program to the receiver.

[0111] In some exemplary embodiments, a programmable logic device (for example a field-programmable gate array, FPGA) can be used to perform some or all functionalities of the methods described herein. In some exemplary embodiments, a field-programmable gate array can interact with a microprocessor to carry out one of the methods described herein. In general, the methods in some exemplary embodiments are carried out by any desired hardware apparatus. The latter can be universally usable hardware, such as a computer processor (CPU) or hardware that is specific to the method, such as an ASIC.

[0112] The above-described exemplary embodiments are merely an illustration of the principles of the present disclosure. It is to be understood that modifications and variations of the arrangements and details described herein will be obvious to others skilled in the art. For this reason, the disclosure is intended to be limited merely by the scope of protection of the following claims rather than by the specific details which have been presented on the basis of the description and the explanation of the exemplary embodiments herein.

CONCLUSION

[0113] Although specific embodiments have been illustrated and described herein, it should be appreciated that any arrangement calculated to achieve the same purpose may be substituted for the specific embodiments shown. This disclosure is intended to cover any and all adaptations or variations of various embodiments. Combinations of the above embodiments, and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the above description.

[0114] It is further to be noted that specific terms used in the description and claims may be interpreted in a very broad sense. For example, the terms circuit or circuitry used herein are to be interpreted in a sense not only including hardware but also software, firmware or any combinations thereof. The term data may be interpreted to include any form of representation data. The term information may in addition to any form of digital information also include other forms of representing information. The term entity or unit may in embodiments include any device, apparatus circuits, hardware, software, firmware, chips, or other semiconductors as well as logical units or physical implementations of protocol layers etc. Furthermore, the terms coupled or connected may be interpreted in a broad sense not only covering direct but also indirect coupling.

[0115] It is further to be noted that methods disclosed in the specification or in the claims may be implemented by a device having means for performing each of the respective steps of these methods.

[0116] Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that a variety of alternate and/or equivalent implementations may be substituted for the specific embodiments shown and described without departing from the scope of the present disclosure. This disclosure is intended to cover any adaptations or variations of the specific embodiments discussed herein.

REFERENCES

[0117] The following references are cited throughout this disclosure as applicable to provide additional clarity, e.g. with regards to terminology. These citations are made by way of example and ease of explanation and not by way of limitation.

[0118] Citations to the following references are made throughout the application using a matching bracketed number, e.g., [1]. [0119] [1] 1 N. I. for Standards and T. (NIST), Post-Quantum Cryptography, Selected Algorithms 2022. https://.csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022. [Online], available at: https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022. [0120] [2] C. A. for Cryptologic Research (CACR), Chinese Post-Quantum Competition. 2020. Accessed: Jun. 29, 2023. [Online], available at: https://www.cacrnet.org.cn/site/content/854.html [0121] [3] A. Sarker, M. Mozaffari-Kermani, and R. Azarderakhsh, Hardware Constructions for Error Detection of Number-Theoretic Transform Utilized in Secure Cryptographic Architectures, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 27, no. 3, pp. 738-741, March 2019, doi: 10.1109/TVLSI.2018.2881097. [0122] [4] A. Sarker, M. M. Kermani, and R. Azarderakhsh, Error Detection Architectures for Ring Polynomial Multiplication and Modular Reduction of Ring LWE in $\boldsymbol\frac\mathbbZ/p\mathbbZ[x]x{circumflex over ()}n+1$. Benchmarked on ASIC, IEEE Transactions on Reliability, vol. 70, no. 1, pp. 362-370, March 2021, doi: 10.1109/TR.2020.2991671. [0123] [5] A. Sarker, A. C. Canto, M. M. Kermani, and R. Azarderakhsh, Error Detection Architectures for Hardware/Software Co-design Approaches of Number-Theoretic Transform, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, pp. 1-1, 2022, doi: 10.1109/TCAD.2022.3218614. [0124] [6] D. L. Tao and C. R. P. Hartmann, A novel concurrent error detection scheme for FFT Networks,. IEEE Transactions on Parallel and Distributed Systems, vol. 4, no. 2, pp. 198-221, February 1993, doi: 10.1109, 71.207595.