公开(公告)号：US20240137214A1

公开(公告)日：2024-04-25

申请号：US17938564

申请日：2022-10-06

Applicant: NXP B.V.

Inventor： Melissa Azouaoui ,  Joppe Willem Bos ,  Tobias Schneider ,  Joost Roland Renes ,  Björn Fay

IPC: H04L9/08 ,  G06F17/16 ,  H04L9/30

CPC classification number: H04L9/0852 ,  G06F17/16 ,  H04L9/3093

Abstract: Various embodiments relate to a data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a cryptographic operation including matrix multiplication for lattice-based cryptography in a processor, the instructions, including: applying a first function to the rows of a matrix of polynomials to generate first outputs, wherein the first function excludes the identity function; adding an additional row to the matrix of polynomials to produce a modified matrix, wherein each element in the additional row is generated by a second function applied to a column of outputs associated with each element in the additional row; multiplying the modified matrix with a vector of polynomials to produce an output vector of polynomials; applying a verification function to the output vector that produces an indication of whether a fault occurred in the multiplication of the modified matrix with the vector of polynomials; and carrying out a cryptographic operation using output vector when the verification function indicates that no fault occurred in the multiplication of the modified matrix with the vector of polynomials.

公开(公告)号：US11924346B2

公开(公告)日：2024-03-05

申请号：US17732164

申请日：2022-04-28

Applicant: NXP B.V.

Inventor： Markus Schoenauer ,  Tobias Schneider ,  Joost Roland Renes ,  Melissa Azouaoui

IPC: H04L9/30 ,  G06F9/30

CPC classification number: H04L9/3093 ,  G06F9/30018 ,  H04L9/3026

Abstract: Various embodiments relate to a data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for masked sampling of polynomials for lattice-based cryptography in a processor, the instructions, including: determining a number m of random bits to be sampled based upon a sample bound parameter β; producing a plurality of Boolean masked shares of a polynomial coefficient each having the determined number m of random bits using a uniform random function; determining that the polynomial coefficient is within a range of values based upon the sample bound parameter β; converting the plurality of Boolean masked shares of the polynomial coefficient to a plurality of arithmetic masked shares of the polynomial coefficient; and shifting the plurality of arithmetic masked shares based upon the sample bound parameter β.

公开(公告)号：US11847938B2

公开(公告)日：2023-12-19

申请号：US17392332

申请日：2021-08-03

Applicant: NXP B.V.

Inventor： Joost Roland Renes ,  Joppe Willem Bos ,  Christine van Vredendaal ,  Tobias Schneider

IPC: G09C1/00 ,  G06F7/523

CPC classification number: G09C1/00 ,  G06F7/523

Abstract: Various embodiments relate to a method for multiplying a first and a second polynomial in a ring q [X]/(Xn+1) where q is a positive integer. The method comprising: mapping the first polynomial into k smaller third polynomials over k smaller rings based upon primitive roots of unity, where k is a positive integer; mapping the second polynomial into k smaller fourth polynomials over the k smaller rings based upon primitive roots of unity; applying an isomorphism to the k third polynomials resulting in k fifth polynomials; applying the isomorphism to the k fourth polynomials resulting in k sixth polynomials; applying a Kronecker substitution on the k fifth polynomials and the k sixth polynomials and perform the multiplication of the k fifth polynomials and the k sixth polynomials to produce a multiplication result; applying an inverse of the isomorphism to the multiplication result to obtain the multiplication of the first polynomial and the second polynomial; and mapping the k inverted polynomials to a single polynomial in the ring.

公开(公告)号：US20230395110A1

公开(公告)日：2023-12-07

申请号：US17830197

申请日：2022-06-01

Applicant: NXP B.V.

Inventor： Marcel Medwed ,  Ventzislav Nikov ,  Tobias Schneider

IPC: G11C7/24 ,  G11C7/10 ,  G11C7/20 ,  G06F21/57

CPC classification number: G11C7/24 ,  G11C7/1096 ,  G11C7/20 ,  G06F21/572

Abstract: One example securely updates an integrated circuit to mitigate undesirable modifications and this involves an application circuit accessing an external network while a (e.g., nonvolatile) program memory is write protected; and a reset-boot circuit resetting and booting the application circuit while access to the external network is disabled, and causing an update for the application circuit. In response to an indication that an update is downloaded for installation, the downloaded update is installed in the memory while access to the external network is disabled, and execution of the reset mode is permitted after the update is installed. Also, a retrieval module may download, in response to an indication that an update is not downloaded, an update provided via the external network while the memory is write-protected and thereby permitting execution of the reset mode after the update is downloaded.

公开(公告)号：US20220376892A1

公开(公告)日：2022-11-24

申请号：US17243058

申请日：2021-04-28

Applicant: NXP B.V.

Inventor： Joppe Willem Bos ,  Mario Lamberger ,  Joost Roland Renes ,  Tobias Schneider ,  Christine van Vredendaal

IPC: H04L9/06 ,  H04L9/32

Abstract: Various embodiments relate to a hardware device configured to compute a plurality of chained hash functions in parallel, including: a processor implementing p hash functions configured to operate on a small input, where p is an integer; a data unit connected to the plurality of hash functions, configured to store the outputs of plurality of hash functions that are then used as the input to a next round of computing the hash function, wherein the processor receives a single instruction and p small data inputs, and wherein each of the p hash functions are used to perform a chained hash function operation on a respective small input of the p small inputs.

公开(公告)号：US20220337398A1

公开(公告)日：2022-10-20

申请号：US17226770

申请日：2021-04-09

Applicant: NXP B.V.

Inventor： Tobias Schneider ,  Joppe Willem Bos ,  Björn Fay ,  Marc Gourjon ,  Joost Roland Renes ,  Christine van Vredendaal

IPC: H04L9/08 ,  H04L9/30 ,  G06F7/02 ,  G06F7/76

Abstract: Various embodiments relate to a method for masked decoding of a polynomial a using an arithmetic sharing a to perform a cryptographic operation in a data processing system using a modulus q, the method for use in a processor of the data processing system, including: subtracting an offset δ from each coefficient of the polynomial a; applying an arithmetic to Boolean (A2B) function on the arithmetic shares of each coefficient ai of the polynomial a to produce Boolean shares âi that encode the same secret value ai; and performing in parallel for all coefficients a shared binary search to determine which of coefficients ai are greater than a threshold t to produce a Boolean sharing value {circumflex over (b)} of the bitstring b where each bit of b decodes a coefficient of the polynomial a.

公开(公告)号：US20210133362A1

公开(公告)日：2021-05-06

申请号：US17081589

申请日：2020-10-27

Applicant: NXP B.V.

Inventor： Marcel Medwed ,  Tobias Schneider ,  Ventzislav Nikov ,  Jorge Miguel Ventuzelos Pereira ,  Rudi Verslegers ,  Nikita Veshchikov ,  Joppe Willem Bos ,  Jan Hoogerbrugge

IPC: G06F21/74 ,  G06F21/60

Abstract: A device and methods are described that comprise at least one host application and a rich execution environment. At least one interface is operably coupled to the REE for communicating with a remote server. A security sub-system comprises a security monitoring and control circuit coupled to the REE and connectable to the remote server via the REE and the at least one interface. The security monitoring and control circuit comprises an analytics circuit configured to detect an anomaly following a compromisation of the device. The security monitoring and control circuit is arranged to treat the REE as an untrusted component and in response to a detection of a compromisation of the REE or a component in the device that is accessible by the REE by the analytics circuit, the security monitoring and control circuit is configured to re-establish a secure connection to the remote server that tunnels through the REE and at least partially removes the compromisation from the device.

公开(公告)号：US20250097048A1

公开(公告)日：2025-03-20

申请号：US18366384

申请日：2023-08-07

Applicant: NXP B.V.

Inventor： Joost Roland Renes ,  Tobias Schneider ,  Melissa Azouaoui ,  Mohamed ElGhamrawy

IPC: H04L9/32 ,  H04L9/08

Abstract: A method of performing a Dilithium signature operation on a message M using a secret key sk, including: calculating a value {tilde over (r)} based upon w0, c, and s2, where w0 and c are calculated as part of the Dilithium signature operation and s2 is part of the secret key sk; performing a bound check on {tilde over (r)} based upon γ2 and β, where γ2 and β are parameters of the Dilithium signature operation; calculating a hint h based on the value {tilde over (r)} and deleting the value {tilde over (r)} in a memory; regenerating a value y using an ExpandMask function; calculating z based upon y, c, and s1, where s1 is part of the secret key sk and replacing y with z in the memory; performing a bound check on z based on γ1 and β, where γ1 is a parameter of the Dilithium signature operation; and returning a digital signature of the message M where the digital signature includes z and h.

公开(公告)号：US20250080342A1

公开(公告)日：2025-03-06

申请号：US18461831

申请日：2023-09-06

Applicant: NXP B.V.

Inventor： Melissa Azouaoui ,  Mohamed ElGhamrawy ,  Joost Roland Renes ,  Tobias Schneider

IPC: H04L9/08 ,  H04L9/32

Abstract: A method of performing a Dilithium signature operation on a message M using a secret key sk, including: generating a polynomial y using an ExpandMask function; calculating a polynomial z based upon y, c, and s1; performing a bound check on z based upon γ1 and β; performing a bound check on ct0 based upon γ2; calculating a polynomial {tilde over (r)} based upon A, z, c, t, α, and w1; performing a bound check on {tilde over (r)} based upon γ2 and β; calculating a hint polynomial h based on the {tilde over (r)}; and returning a digital signature of the message M where the digital signature includes z and h.

公开(公告)号：US20250007711A1

公开(公告)日：2025-01-02

申请号：US18345351

申请日：2023-06-30

Applicant: NXP B.V.

Inventor： Olivier Bronchain ,  Joost Roland Renes ,  Tobias Schneider

IPC: H04L9/32

Abstract: A data processing system comprising instructions embodied in a non-transitory computer readable medium, the instructions for a cryptographic operation using polynomials for lattice-based cryptography in a processor, the instructions, including: applying a share-wise Kronecker substitution to arithmetic shares of a first polynomial; applying a Kronecker substitution to a second polynomial; multiplying share-wise the Kronecker substitution of the second polynomial and the arithmetic shares of the Kronecker substitution of the shares of the first polynomial to produce arithmetic shares of a first output; converting the shares of the first output to arithmetic shares of a polynomial representation; converting the arithmetic shares of the polynomial representation to Boolean shares of the polynomial representation; adding the Boolean shares of the polynomial representation to Boolean shares of a third polynomial to produce Boolean shares of a second output; and carrying out a cryptographic operation using the Boolean shares of the second output.