公开(公告)号：US20250007711A1

公开(公告)日：2025-01-02

申请号：US18345351

申请日：2023-06-30

Applicant: NXP B.V.

Inventor： Olivier Bronchain ,  Joost Roland Renes ,  Tobias Schneider

IPC: H04L9/32

Abstract: A data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a cryptographic operation using polynomials for lattice-based cryptography in a processor, the instructions, including: applying a share-wise Kronecker substitution to arithmetic shares of a first polynomial; applying a Kronecker substitution to a second polynomial; multiplying share-wise the Kronecker substitution of the second polynomial and the arithmetic shares of the Kronecker substitution of the shares of the first polynomial to produce arithmetic shares of a first output; converting the shares of the first output to arithmetic shares of a polynomial representation; converting the arithmetic shares of the polynomial representation to Boolean shares of the polynomial representation; adding the Boolean shares of the polynomial representation to Boolean shares of a third polynomial to produce Boolean shares of a second output; and carrying out a cryptographic operation using the Boolean shares of the second output.

公开(公告)号：US12047491B2

公开(公告)日：2024-07-23

申请号：US17243058

申请日：2021-04-28

Applicant: NXP B.V.

Inventor： Joppe Willem Bos ,  Mario Lamberger ,  Joost Roland Renes ,  Tobias Schneider ,  Christine van Vredendaal

IPC: H04L9/06 ,  H04L9/32 ,  H04L9/00

CPC classification number: H04L9/0643 ,  H04L9/3236 ,  H04L9/50

Abstract: Various embodiments relate to a hardware device configured to compute a plurality of chained hash functions in parallel, including: a processor implementing p hash functions configured to operate on a small input, where p is an integer; a data unit connected to the plurality of hash functions, configured to store the outputs of plurality of hash functions that are then used as the input to a next round of computing the hash function, wherein the processor receives a single instruction and p small data inputs, and wherein each of the p hash functions are used to perform a chained hash function operation on a respective small input of the p small inputs.

公开(公告)号：US11528124B2

公开(公告)日：2022-12-13

申请号：US17224359

申请日：2021-04-07

Applicant: NXP B.V.

Inventor： Marc Gourjon ,  Joppe Willem Bos ,  Joost Roland Renes ,  Tobias Schneider ,  Christine van Vredendaal

IPC: H04L9/00 ,  H04L9/30

Abstract: Various embodiments relate to a method for securely comparing a first polynomial represented by a plurality of arithmetic shares and a second compressed polynomial represented by a bitstring where the bits in the bitstring correspond to coefficients of the second polynomial, including: performing a first masked shift of the shares of the coefficients of the first polynomial based upon the start of the interval corresponding to the compressed coefficient of the second polynomial and a modulus value; performing a second masked shift of the shares of the coefficients of the first polynomial based upon the end of the interval corresponding to the compressed coefficient of the second polynomial; bitslicing the most significant bit of the first masked shift of the shares coefficients of the first polynomial; bitslicing the most significant bit of the second masked shift of the shares coefficients of the first polynomial; and combining the first bitsliced bits and the second bitsliced bits using an AND function to produce an output including a plurality of shares indicating that the first polynomial would compress to a bitstream matching the bitstream representing the second compressed polynomial.

公开(公告)号：US20220337389A1

公开(公告)日：2022-10-20

申请号：US17224359

申请日：2021-04-07

Applicant: NXP B.V.

Inventor： Marc GOURJON ,  Joppe Willem Bos ,  Joost Roland Renes ,  Tobias Schneider ,  Christine van Vredendaal

IPC: H04L9/00 ,  H04L9/30

Abstract: Various embodiments relate to a method for securely comparing a first polynomial represented by a plurality of arithmetic shares and a second compressed polynomial represented by a bitstring where the bits in the bitstring correspond to coefficients of the second polynomial, including: performing a first masked shift of the shares of the coefficients of the first polynomial based upon the start of the interval corresponding to the compressed coefficient of the second polynomial and a modulus value; performing a second masked shift of the shares of the coefficients of the first polynomial based upon the end of the interval corresponding to the compressed coefficient of the second polynomial; bitslicing the most significant bit of the first masked shift of the shares coefficients of the first polynomial; bitslicing the most significant bit of the second masked shift of the shares coefficients of the first polynomial; and combining the first bitsliced bits and the second bitsliced bits using an AND function to produce an output including a plurality of shares indicating that the first polynomial would compress to a bitstream matching the bitstream representing the second compressed polynomial.

公开(公告)号：US20220286286A1

公开(公告)日：2022-09-08

申请号：US17190986

申请日：2021-03-03

Applicant: NXP B.V.

Inventor： Joost Roland Renes ,  Joppe Willem Bos ,  Tobias Schneider ,  Christine van Vredendaal

IPC: H04L9/30 ,  G06F7/72

Abstract: Various embodiments relate to a method for multiplying a first and a second polynomial in the ring [X]/(XN−1) to perform a cryptographic operation in a data processing system, the method for use in a processor of the data processing system, including: receiving the first polynomial and the second polynomial by the processor; mapping the first polynomial into a third polynomial in a first ring and a fourth polynomial in a second ring using a map; mapping the second polynomial into a fifth polynomial in the first ring and a sixth polynomial in the second ring using the map; multiplying the third polynomial in the first ring with the fifth polynomial in the first ring to produce a first multiplication result; multiplying the fourth polynomial in the second ring with the sixth polynomial in the second ring to produce a second multiplication result using Renes multiplication; and combining the first multiplication result and the second multiplication result using the map.

公开(公告)号：US20220231831A1

公开(公告)日：2022-07-21

申请号：US17154116

申请日：2021-01-21

Applicant: NXP B.V.

Inventor： Tobias Schneider ,  Joppe Willem Bos ,  Joost Roland Renes ,  Christine van Vredendaal

IPC: H04L9/00

Abstract: Various embodiments relate to a method and system for securely comparing a first and second polynomial, including: selecting a first subset of coefficients of the first polynomial and a second subset of corresponding coefficients of the second polynomial, wherein the coefficients of the first polynomial are split into shares and the first and second polynomials have coefficients; subtracting the second subset of coefficients from one of the shares of the first subset of coefficients; reducing the number of elements in the first subset of coefficients to elements by combining groups of / elements together; generating a random number for each of the elements of the reduced subset of coefficients; summing the product of each of the elements of the reduced subset of coefficients with their respective random numbers; summing the shares of the sum of the products; and generating an output indicating that the first polynomial does not equal the second polynomial when the sum does not equal zero.

公开(公告)号：US11206136B1

公开(公告)日：2021-12-21

申请号：US16884136

申请日：2020-05-27

Applicant: NXP B.V.

Inventor： Joost Roland Renes ,  Joppe Willem Bos ,  Tobias Schneider ,  Christine van Vredendaal

IPC: H04L9/30 ,  G06F7/53

Abstract: A method is provided for multiplying two polynomials. In the method, first and second polynomials are evaluated at 2t inputs, where t is greater than or equal to one, and where each input is a fixed power of two 2l/(2t) multiplied with a different power of a primitive root of unity, thereby creating 2 times 2t integers, where l is an integer such that 2l is at least as large as the largest coefficient of the resulting product multiplying the first and second polynomials. The 2 times 2t integers are then multiplied pairwise, and a modular reduction is performed to get 2t integers. A linear combination of the 2t integers multiplied with primitive roots of unity is computed to get 2t integers whose limbs in the base 2l-bit representation correspond to coefficients of the product of the first and second polynomials. The method can be implemented on a processor designed for performing RSA and/or ECC type cryptographic operations.

公开(公告)号：US20210377026A1

公开(公告)日：2021-12-02

申请号：US16884136

申请日：2020-05-27

Applicant: NXP B.V.

Inventor： Joost Roland Renes ,  Joppe Willem Bos ,  Tobias Schneider ,  Christine van Vredendaal

IPC: H04L9/30 ,  G06F7/53

Abstract: A method is provided for multiplying two polynomials. In the method, first and second polynomials are evaluated at 2t inputs, where t is greater than or equal to one, and where each input is a fixed power of two multiplied with a different power of a primitive root of unity, thereby creating 2 times 2t integers, where is an integer such that is at least as large as the largest coefficient of the resulting product multiplying the first and second polynomials. The 2 times 2t integers are then multiplied pairwise, and a modular reduction is performed to get 2t integers. A linear combination of the 2t integers multiplied with primitive roots of unity is computed to get 2t integers whose limbs in the base -bit representation correspond to coefficients of the product of the first and second polynomials. The method can be implemented on a processor designed for performing RSA and/or ECC type cryptographic operations.

公开(公告)号：US20210306852A1

公开(公告)日：2021-09-30

申请号：US16829401

申请日：2020-03-25

Applicant: NXP B.V

Inventor： Marcel Medwed ,  Pim Vullers ,  Joost Roland Renes ,  Stefan Lemsitzer

IPC: H04W12/06 ,  H04L9/32 ,  H04W12/00

Abstract: A method is provided for authenticating one device to another device. In the method, a first device proves to a second device that a first credential comprising multiple first attributes is valid. The second device proves to the first device that a second credential comprising multiple second attributes is valid. The first device reveals a first attribute of the multiple first attributes to the second device. The second device verifies the first attribute and decides whether to continue revealing attributes. If continuing, the second device reveals to the first device a first attribute of the multiple second attributes. The first device verifies the first attribute of the multiple second attributes. The first device decides whether to continue revealing attributes. Attributes can be revealed until one of the first or second devices end the method or until no attributes of the multiple first and second attributes remain to be revealed.