Abstract:
A device includes digital signature generation circuitry. The digital signature generation circuitry, in operation, generates a digital signature of a digital message by computing a first public curve point as a scalar product of a first secret integer key and a base point of an elliptic curve and applying a transform to data of the received digital message. The applying the transform to the data of the received digital message includes generating a second secret curve point as a scalar product of a second secret integer key and the base point of the elliptic curve, generating a modified secret integer nonce as a modular multiplication of the second secret integer and a secret integer nonce, generating a third curve point as a scalar product of the secret integer nonce and the second secret curve point and generating a signature component as a function of at least the modified secret nonce, the third curve point, and a hash value generated by applying a hash function to at least the data of the received digital message. The digital signature is generated based on the signature component.
Abstract:
One or more keys are derived from a master key by executing a plurality of encryption operations. A first encryption operation uses the master key to encrypt a plaintext input having a plurality of bytes. Multiple intermediate encryption operations are performed using a respective intermediate key generated by a previous encryption operation to encrypt respective plaintext inputs having a number of bytes. At least two bytes of a plaintext input have values based on a respective set of bits of a plurality of sets of bits of an initialization vector, wherein individual bits of the respective set of bits are introduced into respective individual bytes of the plaintext input and the respective set of bits has at least two bits and at most a number of bits equal to the number of bytes of the plaintext input.
Abstract:
A scalar multiplication operation includes an iterative procedure performing a set of operations at each iteration on a bit or on a group of consecutive bits of a secret key. The multiplication operation includes multiplying values of projective format coordinates by a random value. The random value is a product of a random number generated over a range having as end value a first value, with a second value, which is larger than said first value. The first value is a power of two of a word size multiplied by a multiplier value, minus one. The second value is equal to a power of two of a number of bits of the coordinates divided by the first value. The multiplier value is an integer greater than or equal to one and smaller than a ratio of said number of bits to the word size.
Abstract:
A polynomial representation ($b_i(x)$) in an AES finite field ($\mathbb{Z}_2[x]/(r(x))$) of input bytes ($b_i$) of a state matrix (B) is obtained. A plurality (1) of irreducible polynomials ($f_i(y)$) and a moving map ($\psi_i$) are used to map each polynomial ($b_i(x)$) of the polynomial representation into a respective field of polynomials ($\mathbb{Z}_2[y]/(f_i(y))$) computed with respect to one of the irreducible polynomials ($f_i(y)$), to obtain respective moved polynomials ($\alpha_i(y)$). The moved polynomials ($\alpha_i(y)$) are mapped into a polynomial ($a(z)$) of a polynomial ring ($\mathbb{Z}_2[z]/(p(z))$), obtained by applying an isomorphism ($\omega$) between the fields of polynomials ($\mathbb{Z}_2[y]/(f_i(y))$) and the polynomial ring ($\mathbb{Z}_2[z]/(p(z))$) based upon the Chinese remainder theorem (CRT). AES encryption is applied to the polynomial ($a(z)$). The polynomial ($a(z)$) is reconverted into the AES finite field ($\mathbb{Z}_2[x]/(r(x))$) to obtain an encrypted state matrix (CB).
Abstract:
A modular reduction calculation on a first number and a second number is protected from side-channel attacks, such as timing attacks. A first intermediate modular reduction result is calculated. A value corresponding to four times the first number is added to the first intermediate modular reduction result, generating a second intermediate modular reduction result. A value corresponding to the first number multiplied by a most significant word of the second intermediate modular reduction result plus 1, is subtracted from the second intermediate modular reduction result, generating a third intermediate modular reduction result. A cryptographic operation is performed using a result of the modular reduction calculation.
Abstract:
A method performs cryptographic operations on data in a processing device. An iterative operation between a first operand formed by a given number of words and a second operand using a secret key is performed. The iterative operation includes, for each bit of the secret key, applying one of a first set of operations and a second set of operations to the first operand and to the second operand depending on the bit, and conditionally swapping words of the first and the second operand based on a control bit value obtained by applying a logic XOR function to a random bit.
Abstract:
A polynomial representation ($b_i(x)$) in an AES finite field ($\mathbb{Z}_2[x]/(r(x))$) of input bytes ($b_i$) of a state matrix (B) is obtained. A plurality (1) of irreducible polynomials ($f_i(y)$) and a moving map ($\psi_i$) are used to map each polynomial ($b_i(x)$) of the polynomial representation into a respective field of polynomials ($\mathbb{Z}_2[y]/(f_i(y))$) computed with respect to one of the irreducible polynomials ($f_i(y)$), to obtain respective moved polynomials ($\alpha_i(y)$). The moved polynomials ($\alpha_i(y)$) are mapped into a polynomial ($a(z)$) of a polynomial ring ($\mathbb{Z}_2[z]/(p(z))$), obtained by applying an isomorphism ($\omega$) between the fields of polynomials ($\mathbb{Z}_2[y]/(f_i(y))$) and the polynomial ring ($\mathbb{Z}_2[z]/(p(z))$) based upon the Chinese remainder theorem (CRT). AES encryption is applied to the polynomial ($a(z)$). The polynomial ($a(z)$) is reconverted into the AES finite field ($\mathbb{Z}_2[x]/(r(x))$) to obtain an encrypted state matrix (CB).
Abstract:
An embodiment concerns a method for encrypting a message through a cryptographic algorithm including a computation of a mathematical function including the computation of one or more modular multiplications. Such a cryptographic algorithm has a respective module. The method, carried out with an electronic device, includes: providing a first parameter; generating a random number; calculating a Montgomery parameter based on said first parameter and on an integer multiple of said random number; generating a representation of the message to be encrypted in a Montgomery domain through a Montgomery conversion function applied to the message and to the Montgomery parameter; carrying out the calculation of the mathematical function on the message represented in the Montgomery domain.