DE10201442C1 - Device and method for multiplying or dividing a first operand by or by a second operand - Google Patents

Abstract

Secure arithmetic units for division and multiplication use a control device (18) which uses the bit examinations in the cipher text space necessary for the Radix-2 multiplication algorithm, the booth recoding multiplication algorithm, the restoring division algorithm and the non-restoring division algorithm using encrypted bits and perform encryption parameters to encrypt these bits. Furthermore, registers (16, 22, 24, 30) can be used, in which encrypted operands are stored, and in addition an adder (10) can be used, which adds up with encrypted operands and delivers an encrypted result. Such a multiplier / divider works in secret text space and is less susceptible to physical and / or indirect attacks.

Description

The present invention relates to arithmetic units and especially on safe arithmetic units for multiplication and / or dividing.

Modern microprocessors offer hardware support in the Execution of a division and / or a multiplication. The Number of different algorithms and implementation The procedure is correspondingly large and depends on the requirements changes to the overall system. Parameters the implemen tation are typically the most available Known chip area, the required speed, etc. Known te algorithms work with plain text data and are therefore phy sical vulnerable. The attack scenarios range from different physical attack scenarios, such as B. Well delta attacks, right up to so-called indirect attacks, such as B. SPA (SPA = Single Power Analysis = simple Leis tion analysis) or DPA (DPA = Differential Power Analysis = Differential power analysis).

For the multiplication as well as for the division two basic algorithms are known and are described in "Computer Architecture a Quantitative Approach, Second Edition, Hennessy and Patterson, Morgan Kaufmann Publishers, Inc., 1996, Appendix A. First, the so-called Radix This multiplication method calculates the product of two unsigned numbers bit by bit. The numbers to be multiplied are a _n-1 , a _n-2 , ... a ₀ (the first operand) and b _{n- 1} , b _n-2 ,... B ₀ (the second operand), both operands being placed in registers A for the first operand and B for the second operand, the intermediate result register P is initially set to 0. Each multiplication step exists from two lines:

• a) If the least significant bit (lsb) of A is 1, then the register B, which b _n-1 , b _n-2,. . . b contains ₀ , added to the intermediate result register P. The sum of this addition is then placed again in the intermediate result register P.
• b) Register P and register A are incremented by one bit shifted to the right, d. H. towards lower bits where when the carry is output the sum in the most significant bit is moved by P, the least significant bit of P being moved into the Register A is moved, and being the rightmost bit in A, that is no longer needed in the rest of the algorithm is pushed.

After n steps, the product appears in registers P and A, where A contains the least significant bits.

To multiply signed numbers, use for example, use the so-called booth recoding algorithm det. This is basically the case with the booth recoding algorithm proceeded that instead of the successive addition of B in the Radix-2 multiplication algorithm is a recoding of B is carried out in such a way that B is subtracted first, that 0 is then added a few times, and that at the end B is added. This is more complicated than the sign loose algorithm since addition and subtraction are used the. However, this algorithm is available for negative numbers partial. Generally it is defined as follows:

If the original content of the operand register A, ie the original first operand A with a _n-1 . . . a _{0 is} described, then the following rules apply to the i th multiplication step, in which the least significant bit of register A is designated a _i :

• A) If a _i is 0, and if a _i-1 is 0, nothing is added to P. There is only a shift to the right by one bit of the content of the intermediate result register.
• B) If a _i is 0 and if a _i-1 is 1, then the second operand B is added to the intermediate result P. Then there is again a shift of P by one bit to the right.
• C) If a _i is 1 and if a _i-1 is 0, then B is subtracted from P. The result of this subtraction is then shifted one bit to the right.
• D) If a _i is 1 and if a _i-1 is 1, nothing is added to P. The content of the intermediate result register P is only shifted to the right by one position, ie by one bit.

For the first step, in which i is 0, the agreement stipulates that a _i-1 is 0.

Analogously to this, division algorithms also exist, so-called restoring division algorithms and non-restoring division algorithms being known. If unsigned numbers are processed, the restoring division algorithm is used as follows to calculate the division of the first operand a by the second operand b, ie a / b. First, the first operand is placed in the first operand register A. Then the second operand rand b is placed in the second operand register B. Finally, the interim division result register P is initialized. Then n division steps are carried out, each division step consisting of four parts:

• a) Shifting the register pair (P, A) by one bit left, i.e. in the direction of more significant bits.  
• b) subtracting the contents of register B, ie b _n-1 , b _{n- 2 ,.} . . b ₀ , from register P, the result of this subtraction being written back into register P.
• c) If the result of the second step (step ii) is negative, set the least significant bit from A to 0. On otherwise the least significant bit is set from A to 1.
• d) If the result of step ii is negative, again Restoring the old value of P by adding it the content of register B to P.

After repeating this algorithm for each bit of n bits, i.e. after an n-fold repetition, the A- Register contain the quotient, while the P register the Rest is included. This algorithm is in a way egg ne binary version of the well-known "paper and pencil Procedure ".

The division algorithm described is used as a restoring Algorithm called because if the subtraction from B to egg If the result is negative, restore the P register is set by adding b back into the P register becomes.

The non-restoring algorithm results from the fact that the restoring step is omitted and that the resulting negative numbers are used instead. The step of the non-restoring algorithm has three parts:

• a) if P is negative,
  • 1. Shift the register pair (P, A) one bit to the left.
  • 2. Add the contents of register B to P.
• b) if P is positive,
  • 1. Shift the register pair (P, A) by one bit to the left, ie towards more significant bits.
  • 2. Subtract the contents of register V from P.
• c) if P is negative, setting the least significant bit from A to 0 and, if P is positive, set the lowest bits from A to 1.

After repeating this sequence n times the quotient of a / b in the first operand register A. If P is non-negative, it holds the remainder. Otherwise P be restored, d. H. b must be added. Only then does P contain the rest.

There are various ways of representing negative numbers. These are:

• 1. Sign amount. Here the most significant bit is the before character bit and the low-order n - 1 bits are the amount the number. Typically the number is a negative number, if the most significant bit has a 1.
• 2. Two's complement representation. In the two's complement representation, the addition of a number and its negated version gives the value 2 ⁿ .
• 3. A complement representation. In the one's complement representation, the negative version of a number is obtained by complementing each bit, or alternatively by adding the number and its negative version together to give the value 2 ⁿ - 1.
• 4. Bias system. In a bias system, unlike the previous three options, non-negative numbers are not usually represented as unsigned numbers. Instead, all numbers are represented by adding them first to the bias, whereupon the sum is encoded as a normal unsigned number. A negative number k can thus be encoded as long as k plus bias results in greater than or equal to 0. A typical value for the bias is 2 ^n-1 .

The described multiplication or division algorithms work as far as they are suitable for negative numbers, basically using any representation for ne negative numbers. Only the actual implementation of the Examination of whether a number is greater than or equal to 0 is used for the different representations of negative numbers differed Lich designed.

From the above representation of the known multiplication or division algorithms, it can be seen that the heart piece of each multiplier or divider an adder is, an adder can add and / or subtract. The adder is controlled by a control device which the checks necessary for the individual algorithms and makes decisions to match the adder head for. Registers are also used, namely in special for the first operand, the second operand and the interim result, d. H. A, B and P.

A disadvantage of the known multiplication / division Algorithms are the fact that they use plain text. Both the adder and the registers and in particular the control device that controls the adder makes the necessary decisions, requires plain text data. This means that the described direct or indirect An handle scenarios always have a chance of success the. In particular, the control device turns on  handle, since they are typically from the adder for example in the form of a 32-bit adder or 64-bit Adders will be arranged isolated and also from the registers for A, B and P will be arranged in isolation. So are the plain text data during the multiplication algorithm both in the adder itself and in the registers and also on the transmission lines from the registers to Control device and in the control device itself tangible.  

DE 44 09 834 A1 discloses a multiplier circuit and a division circuit. The multiplier circuit includes an addition processing part to which a sub-product group is entered. The addition processing part includes in its first stage half adder and a rounding half adder rer. There are also full adders and 3-bit adders with parallel transfer provided.

The specialist publication entitled "Security in Java", Sandra Kulisch u. a., January 2000, available at Inter net address "www.wi-bw.tfh-wildenau.de/hendrix~/projekte_ students / 96_security / kaht / javasecurity.doc ", disclosed in the Chapter 3.2.2.3 Rivests codes No. 2 and No. 4. These codes ar use keys that are 1 to 1024 bits long can. In particular, it is block-oriented Encryption method similar to DES. It will be an ongoing one Series of random numbers generated with the ones to be encoded Ver. Data by an exclusive OR function (XOR function) be knotted.

The object of the present invention is a si safer concept for multiplying and / or dividing too create.

This task is accomplished by a multiplication device according to a Radix-2 multiplication algorithm according to Patentan saying 1, a device for multiplying by one Booth recoding multiplication algorithm according to claim 3, by a device for dividing after a resto ring division algorithm according to claim 8 or by a device for dividing according to a non-restoring Division algorithm according to claim 10 solved.

The present invention is based on the finding that a safer implementation of the multiplication or divi sions algorithm can already be obtained if the decisions made by the controller to control the adder or bits in various To set or not to set registers in the secret text space and not - as in the prior art - in the plain text space be taken. To the control device data in ciphertext to deliver space including encryption parameters exist Different possibilities according to the invention.

In one embodiment, a plain text adder and Plain text registers are used, with data used for control purposes direction to be used for the algorithms needed  to make decisions before submitting them be encrypted to the control device. Then the Control device only receive encrypted data, the comparisons required for their decisions in Ge Conduct home text space and send the comparison results to corresponding components, such as. B. the adder or Submit registers in encrypted form. The encrypted Data can then rarely be stored in the registers or in the adder be decrypted and processed before use will. This embodiment already provides an Si Security increase in that the control device is not more can be easily attacked.

In an embodiment in which a higher security is reached, all data in the registers A, B and P stored in encrypted form. This represents cher that no attacks on the register to success will lead. Furthermore, data from the register, she says are required by the control device before the transfer can no longer be encrypted since they are in the registers already exist in encrypted form.

In this case, when moving the data to the register tern either z. B. to the left in the case of a Di vision or one bit to the right in the case of a multiplication a re-encryption is carried out that the registrars with the appropriate keys are encrypted. According to the invention, a job or bitwise encryption is used, the closures parameters for each position regardless of the encryption selection parameter for the other positions. Therefore becomes a Shift in a register of a bit from an original jump point to a target point, so it must Bit that is at the point of origin with the encryption para is encrypted for the point of origin, encrypted to be no longer associated with the Ver key parameters for the place of origin but with  encrypt the encryption parameter for the destination to be rare.

A multiplier and / or a divider that operates entirely in the ciphertext space is obtained by not only operating the controller and registers in the ciphertext space, but also the adder being an encrypted data adder that uses encrypted input data to encrypt the output data delivers without interceptible interim results in plain text who generated the. Such an encrypted multiplier or divider receives as input data only an encrypted first operand a ', an encrypted second operand b' and the encryption vector K with k ₀ , k ₁ ,. . ., k _n-1 , and provides an encrypted multiplication result or an encrypted division result, which according to the invention can be stored in encrypted form and / or further processed. An attack on a fully encrypted circuit according to this preferred exemplary embodiment of the present invention is made considerably more difficult since plain text data does not appear anywhere.

Encryption based on the principle of one-time pad encryption is preferably used as the encryption method. In particular, a bitwise XOR or XNOR encryption of a bit to be encrypted with an encryption parameter k _i for this bit is used as the encryption algorithm. The XOR or XNOR operation is advantageous in that the operations of the control device or the re-encryption for the register shift and the adder can be implemented with relatively little effort using conventional logic gates. The security for the XOR encryption is achieved by the encryption key being changed frequently and by the encryption key being generated by a random number generator. In principle, however, any reversible function can be used as an encryption algorithm. For each encryption algorithm, the operation of the control device must be adapted in order to be able to check encrypted bits to determine whether their corresponding plain text version is a 1, a 0, etc.

To ensure security, this review is intended to yet take place in the secret text space, so that attacks on this Job can be made considerably more difficult. To implement the Control devices are therefore only encrypted values and encryption parameters according to the present invention used.

An advantage of the present invention is that we nig or no plain text operands are generated. To none Time exists at least in the control device Intermediate result in plain text. This will cause all types of statistical attack scenarios much more difficult.

It is also advantageous that other security measures, such as B. an implementation of the arithmetic unit with dual-rail Precharge technology, at least partially or even completely ver can be waived, which in turn leads to chip space savings leads. The arithmetic unit that can be synthesized according to the invention is more technology independent than a full custom solution and thus easier and faster to change technology fitable.

Preferred embodiments of the present invention are hereinafter referred to the attached drawing explained in detail. Show it

FIG. 1 is a multiplier for performing a kryp tographischen radix-2 multiplication algorithm or cryptographic Recoding- Booth multiplication algorithm;

Fig. 2 is an illustration of the radix-2 multiplication cryptographic algorithm;

Fig. 3 is a representation of the cryptographic Booth Recoding multiplication algorithm;

Figure 4 is a divider for executing a kryptographi rule restoring division algorithm, or a cryptographic Non-Restoring- division algorithm.

Fig. 5 is an illustration of the cryptographic Non- restoring division algorithm;

Fig. 6 is a representation of the cryptographic Restoring- division algorithm;

FIG. 7 shows a truth table for an XOR combination with an encryption parameter as an encryption algorithm; FIG.

Figure 8a is a detail of an n-bit adder for Locks doubted data.

FIG. 8b shows an equivalent circuit diagram for the n-bit adder;

FIG. 9a is an alternative embodiment of Locks rare adder;

Fig. 9b is a truth table for the encrypted ad dier of Fig. 9a.

Fig. 1 shows a multiplier according to the invention for executing either the cryptographic Radix-2 multiplication algorithm or the cryptographic Booth Recoding multiplication algorithm. The multiplier first comprises an adder 10 for adding and / or subtracting two quantities which are stored in adder input registers 12 a, 12 b. The result of the addition and / or subtraction is shifted by one bit to the right, ie towards lower-order bits, in both multiplication algorithms. This is effected by a slide 14 a. There is also a slide 14 b for shifting a content of the first operand register A, which will be discussed later.

The result of the slide 14 a is stored in a multiplication intermediate result register 16 and fed back to the first adder input register 12 a for processing of the next bit.

The multiplier according to the invention, which is shown in Fig. 1, further comprises a control device 18 , which operates in the secret text space to control the adder 10 or an input multiplexer 20 , as will be explained later. The second operand of multiplication, ie b, is kept available via a second operand register 22 .

The first operand of the multiplication, that is, a, is supplied to a source operand register 24 to a multiplexer 26 and stored by a memory register 28 to be fed into the slider b fourteenth The output signal of the slide 14 b is temporarily stored in a first operand register 30 which, when all the bits of the first opera a have been processed, stores the result of the multiplication together with the multiplication intermediate result register 16 .

The multiplier further comprises an input 32 for the vector K, the vector K encoding parameters k ₀ , k ₁ , k ₂ ,. . ., k _n-1 for the individual digits 0, 1, 2,. . ., n - 1 includes. As will be explained later, all encryption parameters of the vector k or some specific encryption parameters in the control device 18 , in certain exemplary embodiments in a re-encryption device 34 , which can be arranged, for example, between the shifters 14 a and 14 b, play in certain exemplary embodiments in the sliders 14 a, 14 b and possibly also in the adder 10 , in order to calculate the re-encryption key t _i , as is carried out with reference to FIG. 8a.

Depending on the embodiment, the control device 18 also requires the least significant bit of the first operand register 30 or the bits of the origin register 24 for the first operand a, as will be explained later.

FIG. 2 shows an overview of the cryptographic Radix 2 multiplication algorithm if a bitwise XOR encryption with bitwise independent encryption parameters k _{i is} carried out as encryption. The Radix 2 cryptographic multiplication algorithm is as follows:
The control device 18 first receives the encrypted least significant bit of the first operand register 30 and examines this encrypted least significant bit to determine whether it corresponds to a least significant bit of the first operand register in plain text that is 0 or 1. Since there is no plain text data in the control device 18 , the control device 18 also requires the encryption parameter k ₀ for the least significant bit of the first operand register 30 . If the comparison of the least significant bit of the first operand register 30 and the encryption parameter results in the least significant bit of the first operand register being equal to 1, then the second operand, which is provided by the second operand register 22 , is added to the current content of the intermediate result register 16 . The control device 18 will thus control the multiplexer 20 that the value of the register 22 is fed to the adder 10 . After the addition, both the intermediate result register 16 and the first operand register 30 are shifted to the right by one bit, as a result of which the least significant bit of register A 'is shifted out and is no longer required, as is indicated by the arrow "shiftout" in FIG. 1 is indicated. In contrast, by the bit shifting to the right the previously niederstwer significant bit of the register P 'shifted out of this register (shift out) and in the register A' pushed, as it is called in FIG. 1 by the arrow of the shifter 14 a to Umverschlüsselungsein 34 and the arrow from this unit is shown in the shifter 14 b. This way, the transition of the least significant bit from P 'into register A' can be accomplished as in the case of the non-encrypted arithmetic unit. The re-encryption of this bit is necessary due to the different key base for different places. Alternatively, a bit transmission device with encoding could also be between the registers 16 and 30 . However, bit transmission using shifters 14 a and 14 b is easier to implement.

However, if the control device 18 examines the least significant bit of the first operand register 30 so that an unencrypted version of the least significant bit of the first operand register is 0, then a 0 would have to be added to the intermediate result register in plain text space. However, since the control device 18 works in the ciphertext space, according to the invention a number is supplied to the adder which, when decrypted, speaks the value 0. This symbolizes in Fig. 1 that the control device 18 controls the multiplexer 20 in order not to supply the value of the second operand register 22 but the key, which is obtained via the key input 32 , to the adder 10 .

It is preferred to use an XOR combination of an operand bit x _i with an encryption parameter k _i for this operand bit as the encryption algorithm. A truth table for XOR encryption and XOR decryption is given in FIG. 7. The clear text space condition x _i is 0 in the cipher text space x _i 'is k _i . Gen Dage the plaintext space condition is x _i equal to 1 in the ciphertext space x _i 'is not equal k _i. If a bit x _i equal to 0 is required in the plain text space, then k _i must be set in the secret text space for the encrypted bit x _i '. Similarly, if a bit x _i equal to 1 is required in plain text space, the corresponding encrypted bit x _i 'must be set to ki ge. Therefore, as in step (ii) of the crypt tographic radix-2 multiplication algorithm of FIG. 2, if the lsb of the first operand register in the plain text space is 0, which means in the cipher text space that the lsb of the first operand register is k ₀ , If a value of "0" is added to the intermediate result register in plain text space, the key vector K must be added to the intermediate result register instead of "0" in the secret text space.

To execute the cryptographic Radix-2 multiplication algorithm according to a first exemplary embodiment of the multiplication device, in which only the control device 18 works in the ciphertext space, the control device 18 will cause the plaintext lsb stored in the register 30 to be encrypted at the output of the register and is supplied in encrypted form to the control device 18 . Furthermore, the control device 18 supplies on the output side via the multiplexer the encryption vector 32 , which is decrypted before it is fed into the adder 10 , which also works in clear text space, in order to give a "0".

In the second embodiment of the Multiplikationsvor direction, which provides greater security, all operands are in the ciphertext. This means that the registers 16 , 22 and 30 store encrypted operands or an encrypted intermediate result, and that the intermediate registers 12 a, 12 b, 24 and 28 hold encrypted operands. Then the lsb of the register 30 can be fed directly to the Steuerein device 18 , since the same is already available in encrypted form. In this case, however, when shifting in the encrypted registers for the intermediate multiplication result 16 and the first operands 30 , it should be noted that a re-encryption must be carried out. First, the lsb of the intermediate multiplication result is introduced out of the shifter 14 a and as msb into the shifter 14 b. A re-encryption by means of the re-encryption device 34 must be carried out so that the lsb of the multiplication intermediate result register 16 , which is encrypted with k ₀ , and which becomes the msb of the first operand register 30 , which is to be encrypted with k _n-1 , due to the shift. is correctly encrypted.

In XOR encryption, as is preferred, a re-encryption from one key to another key is achieved in that a re-encryption key t _{i is} calculated, which is based on an XOR combination of the one key involved and the other involved Key results. For re-encryption, the encrypted original value must then also be XOR-linked with the re-encryption key in order to obtain the value correctly encrypted for the destination. Therefore, the re-encryption device 34 also needs key parameters as input signals in order to be able to carry out the re-encryption correctly. Of course, the encoding must be carried out within the shifters 14 a, 14 b, which is why the sliders 14 a and 14 b in their design as encrypted sliders also require the encryption parameters as an input signal. There are two options for re-encryption. Either the encrypted original bit can first be re-encrypted and then written to the target bit in re-encrypted form, or the original bit can first be written to the target bit, then re-encrypted and finally re-written to the target bit in a correctly encrypted form.

In this case, ie if only the adder 10 works with plain text data, the adder must be provided on the input side with a decryption unit and on the output side with an encryption unit.

In a third embodiment of the Multiplikationsvor direction also the adder 10 works directly with ver encrypted input data and provides an encrypted result without plain text data as intermediate results he is generated. In this case, the adder 10 also requires the encryption parameters for the individual digits as input signals, as shown in FIG. 1.

The third embodiment of the Multiplikationsvorrich device, in which all components work next to the Steuereinrich device 18 in the secret text space, is characterized in that there is no plain text data at any point of the multiplier circuit that can be tapped.

The cryptographic booth recoding multiplication algorithm according to the present invention is illustrated below with reference to FIG. 3. In Fig. 3, the conditions for the various combinations of the current bit of the first operand a ' _i and the previous ver encrypted bit of the operand a' _{i-1 are} given. The example shown in FIG. 3 in turn relates to an XOR encryption with an encryption parameter k _i for a bit i. In line (i) the conditions are given in the event that the encrypted bits a ' _i have a relationship with respect to the encryption parameter which means in plain text that a _i and a _{i-1 are} 0. In line (ii) the relationships of a ' _i and a' _i-1 with respect to the encryption parameter k _i or k _{i-1 are} given, which in plain text correspond to the case where a _i is 0 and where a _i-1 is 1.

In line (iii) the conditions for a ' _i and a' _{i-1 are} given, which in plain text correspond to the case where a _i is 1 and where a _i-1 is 0. In line (iv) the conditions in the ciphertext space between a ' _i and a' _{i-1 are given} for the encryption parameters k _i and k _i-1 , in which an unencrypted version of the operands a _i and a _i-1 im Clear text space have a 1.

It should also be pointed out that in line (i) and (iv) in the ciphertext space no 0 is added, as in the plaintext space, but a value that corresponds to an encrypted 0. In the encryption chosen in FIG. 3, a 0 in the plain text space is equal to the key parameter in the cipher text space.

In order to execute the cryptographic booth recoding multiplication algorithm, the control device 18 shown in FIG. 1 does not require a connection to the first operand register 30 , but only a connection to the operand origin register 24 , since the indices a _i and a _{i -1} do not refer to the current first operand register 30 , which is shifted one bit to the right in each step.

Fig. 4 shows an inventive apparatus for carrying out a cryptographic restoring division algorithm, or a cryptographic non-restoring division algorithm. The divider again comprises, as a central element, an adding device 40 , an intermediate division result register 42 , a first operand register 44 and a second operand register 46 . Furthermore, a control device 48 is provided, which works in the ciphertext space and therefore receives the most significant bit of the intermediate division result register 42 in encrypted form in the case of a sign-amount representation or, in the case of a cryptographic restoring division algorithm, the least significant bit of the first operand register 44 issues. The controller 48 is further adapted to drive the adder 40 to effect either an addition of B or a subtraction of B.

In a first embodiment, the control device 48 operates in the cipher text space, while the adder 40 and the registers 42 , 44 and 46 operate in the plain text space. In this case, the most significant bit of the divisional intermediate result register 42 , that is, p ' _{n + 1} , which is supplied to the control device 48 , must be encrypted at the output of the register 42 . Furthermore, it must the cryptographic restoring division algorithm, the encrypted by the control device 48 produced significant bit of the first Ope be decrypted edge of registers 44 at the input in the first operand register 44 in the case.

In order to achieve more security, it is preferred to assign the registers 42 , 44 and 46 in such a way that they are assigned ver parameters A ', B' and P '. In this case, for the bit shift to the left that occurs in the division algorithms, appropriate encryption must be provided. The same applies to the most significant bit of the first operand register 44 (a ' _n ) which, when shifted to the right, becomes the least significant bit p' _{0 of} the divisional intermediate result register 42 . In order to obtain a common key basis, the most significant bit of the first operand register must therefore be re-encrypted by means of the keys k ₀ and k _n , as has been explained with reference to FIG. 1, by means of a re-encryption device 50 . The same naturally applies to a shift within the register. Here too, re-encryption must be carried out so that no value encrypted for a bit i ends up in another location in the register without re-encryption.

Another re-encryption unit 52 is used to re-encrypt the most significant bit of the register.

As shown in Fig. 5, an examination of whether the current content of the divisional intermediate result is negative can be performed using the encrypted most significant bit p ' _{m + 1} . The controller 48 now compares the encrypted most significant bit of the divisional intermediate result register with the key k _{n + 1} for this bit to determine whether this corresponds to the most significant bit of the divisional intermediate result in an unencrypted form a 1, which is a negative value in the sign. Amount representation would correspond. In the case of XOR encryption, the unencrypted version of the most significant bit of the divisional intermediate result is 1 if the encrypted version of this bit is equal to the encryption parameter k _{n + 1} . Then the register pair P ', A' is shifted one bit to the left, and the new register value results from the old register value to which the encrypted second operand B is added.

Conversely, if the most significant bit of the intermediate division result in encrypted form is equal to the encryption parameter k _{n + 1} , which means in unencrypted form that the unencrypted form of the most significant bit of the divisional intermediate result register is 0 (a positive number), then the register pair P ', A' also shifted one bit to the left. Furthermore, the value of the new register results from the fact that the value of the old register is taken and the first operand B is subtracted from it.

Fig. 6 shows an overview of the cryptographic Resto ring division algorithm according to the present invention. The controller is arranged to drive the adder to subtract the second operand from the intermediate division result register and to load the result into the division intermediate result register. Prior to this, the register pair is shifted to the left by one bit, as in the non-restoring division algorithm.

The control device is further arranged to ver encoded the contents of the divisional interim results register in the To investigate the encryption used, whereby, if a first test result is obtained, a least significant bit of the first operand register a value is set that corresponds to an encrypted 0 speaks, and the second operand to the division result is added, and if a second Result of the examination is obtained, a least significant bit of the first operand is set to a value that is one corresponds to unencrypted "1".

The first test result indicates that the content of the Divisional interim results register is negative. The second The result of the investigation indicates that the content of the division intermediate result register is positive.

Fig. 6 shows the cryptographic Restoring- division algorithm the example of a sign-Betrag- representation. In this case, the examination of whether the current content of the divisional intermediate result register is negative or positive can be examined on the basis of the most significant bit. The content is negative if the most significant bit has a logical "1". In ciphertext space, as has been explained, this corresponds to the case where the most significant encrypted bit of the divisional intermediate result register un is equal to the key k of this bit. If, on the other hand, the encrypted most significant bit of the intermediate division result register is equal to the encryption parameter for this bit, then this means that in clear text space the most significant bit of the division intermediate result register is 0, which indicates a positive number.

According to the invention, both in the case of FIG. 5 and in the case of FIG. 6, the least significant bit of the first operand register a ' _{0 is set} equal to the encryption parameter k ₀ for the 0th bit, which in the plain text space of setting this one bit to 0 corresponds. If, on the other hand, a 1 is required for the bit in plain text space, this corresponds to the setting of the bit not to 0 (plain text) but to the negated value of the encryption parameter k _{0 in} the cipher text space in the example of XOR encryption used.

At this point it should be noted that the divider in Fig. 4 can also be performed in different safe forms. A certain degree of security is already achieved in that the control device operates completely in the secret text space. Security is further improved if all registers store ciphertext data. Ultimately, the best security is achieved when the adder 40 in FIG. 4 also works in the ciphertext space.

Different methods can be used for the bit shifts in the registers 42 , 44 . Either a re-encryption of every bit of the register can be carried out. Alternatively, however, the key vector k can be k ₀ , k ₁ ,. . ., k _n-1 are stored in a key register and are also shifted to registers A and P in synchronism. In this case, however, each de component that needs keys must be able to access the current key register or the current state of the key register.

A pointer can also be used for the comparison, the the corresponding bit positions in the key register and in compares the other registers to those in the cryptographi algorithms required comparisons of bits with the in to perform its key bit corresponding to its order, whereby these comparisons in plain text correspond to the determination of whether a bit is zero or one. So it becomes a pointer uses the key register, which always points to the Comparison shows the key bit required, so the key register cannot be moved. If further the pointer is there is also used to point to the multiplier register  would not be a second shift register for the Multi plicator necessary. The sliding operation can thus be complete dig by a pointer with corresponding incrementation be replaced.

With regard to the multiplication algorithms, please note sen that both multiplication algorithms shif to the right ten, and that both a new encrypted most significant Have to generate bit. While the unsigned Multi application with the cryptographic Radix-2 Multiplication algorithm this bit the most significant bit of the key, forms in the case of cryptography Booth recoding algorithm is the highest value to be shifted bit the sign information and is after the shift Process - in encrypted form - to the top position ko pierced.

It should be noted that by using Spei elements in which one result with another Key K is cached, a key change possible between individual arithmetic steps and is desired. Through a periodic key change the security of the encryption process can be set. A frequent key change leads to a more secure ver drive while a rare key change to one doesn't procedure that is so safe, but because of the less frequent key change is less computational, because a re-encryption for each new key less often must be carried out.

Reference is now made to FIG. 9a to explain an ADD operation between the encrypted operands a _kn and b _kn . The determination equation for this is the following equation:

The operation of three operands or three bits of operands when a bit slice of a parallel adder is considered leads to a carry c, with the truth table shown in FIG. 9b in the penultimate column and the third-last column Carryover in the ADD operation between the unencrypted operands a, b and c is listed as cp, where p stands for "plain" = unencrypted, and wherein the transfer from the ADD operation of the ALU ck according to the invention is shown in the penultimate line.

The carry ckn _{(n + 1)} results from the following equation:

The implementation of the above equation is shown in Figure 9a. The ALU of FIG. 9a for an encrypted arithmetic unit in turn comprises a large number of arithmetic sub-operations, namely AND operations 171 to 173 and OR operations 179 and 180 . On the output side there is then the carry (ckn) _{n + 1} for the ADD combination of the three input operands, which again corresponds to the carry according to the truth table shown in FIG. 9b if the three operands are added in unencrypted form and then encrypted will. In particular, (ckn) _{n + 1 means} the carry (carry-in) for the next higher ((n + 1) th) position (bit slice), encrypted with the key k _n , that is to say with the key of the current position n, not encrypted with the key k _{n + 1} for the next higher position. This means that depending on the execution of a bit slice, an encoding of (ckn) _{n + 1} from the key k _n into the key k _{n + 1} will take place.

The above two equations provide an implementation for an encrypted operand adder that outputs an encrypted sum bit s '(s' = s _kn ) and an encrypted carry bit c '(c' = (ckn) _{n + 1} ), the same receives an encrypted transmission input bit on the input side in addition to the two encrypted operands. Such an ad dier is also referred to in the prior art - with unencrypted data - as a one-bit full adder.

A one-bit full adder is used to build an n-bit wide full adder as the inventive arithmetic unit. In this case, the one-bit full adder is referred to as a bit slice o of the bit slice device according to an exemplary embodiment of the present invention. The interconnection of two bit slice devices is shown in Fig. 8a. In detail, FIG. 8a has a first bit slice 1200 N for the bit of order and a bit-slice 1202 n for the bit of order + 1 heart of each bit slice is the ALU for encrypted operand, which in Fig. 8a is designated with 1204 . As has been stated, any other implementations for an encrypted adder are possible, as long as encrypted input operands and an encrypted transmission input are used to generate encrypted output quantities, ie encrypted sum bits and encrypted carry bits.

The one-bit full adder shown in FIG. 8a is defined by the following two determination equations:

The adder equations are selected here in such a way that no encryption key has to be entered in the one-bit full adder 1204 itself, but very well in the bit slice 1202 or 1200 according to an exemplary embodiment of the present invention. In addition, the one-bit full adder 1204 is arranged such that the encrypted carry bit c 'itself is not passed on to the next higher bit slice device for an adder function, but rather that the inverted encrypted carry bit is passed on. In the first input x of the one-bit full adder of the bit slice for the bit n + 1, the current bit of the encrypted operand a, that is, a ' _{n + 1, is} entered. The current encrypted bit of the second operand, ie b ' _{n + 1, is} entered into the second input y. A bit is entered into the third input z, which depends on the carry output bit c ' _{n of} the previous bit slice 1200 .

It is pointed out that the carry output bit of the preceding bit slice cannot be used directly, since different encryption keys k _{n + 1} and k _n are available for the two different bit slice devices 1200 and 1202 . Therefore, the carry-out bit of the previous bit slice device must be re-encrypted from the encryption key k _n for the previous bit slice device to the encryption key k _{n + 1 of} the current bit slice device.

In the case of encryption using an XOR link, re-encryption can be achieved simply by XOR linking the encrypted carry output bit of the bit slice 1200 with a re-encryption key t _{n + 1} . This is represented by an XOR gate 1206 . The re-encryption key t _{n + 1} is calculated as intended by the XOR combination of the two keys concerned for the two bit slices, ie by an XOR combination of k _{n + 1} for the bit slice 1202 and k _n for the Bit slice 1200 .

The bit-slice device 1202 again outputs a carry-out bit, which is, however, encrypted with the key k _{n + 1} and must be re-encrypted accordingly from the next higher level (not shown in FIG. 8a). The same applies to the transmission input of bit slice 1200 . Here, a carry output bit of the next lower level n - 1 is obtained, this bit having to be re-encrypted by the re-encryption XOR gate 1206 .

If a plurality of bit slices are connected to one another, as shown in FIG. 8a, this generally results in a ripple carry adder ( FIG. 8b) which, as input variables, the two encrypted operands a ', b' and the re-encapsulations Key for the individual bits t _i receives. The ripple carry adder shown in FIG. 8b also receives as input a carry input signal which is set to 0 for a conventional ripple carry adder which operates in the add mode.

Of course, a 1 can be created instead of a subtraction instead of a 0. On the output side, the adder of FIG. 8b supplies the sum bits in encrypted form, namely s ₀ ', s ₁ ' to s _N '. In addition, the adder shown in Fig. 8b provides as an output a carry bit of the highest bit slice within the adder, if such is generated.

Reference symbol list

10th

Adder

12

a Interim results register

12

b Interim results register

14

a slider

14

b slider

16

Intermediate result register

18th

Control device

20th

multiplexer

22

second operand register

24th

first operand origin register

26

multiplexer

28

Interim results register

30th

first operand register

32

Encryption parameter input

34

Encryption facility

40

Adder

42

Divisional interim results register

44

first operand register

46

second operand register

48

Control device

50

Encryption facility

52

Encryption facility

171

AND gate

172

AND gate

173

AND gate

179

OR gate

180

OR gate

1200

Bit slice for bit n

1202

Bit slice for bit n + 1

1204

One-bit full adder for encrypted input data

Claims (13)

1. Device for multiplying a first operand (A) by a second operand (B) according to a radix-2 multiplication algorithm in order to obtain a multiplication result (P), having the following features:
a first operand register ( 30 ) for storing the first operand (A);
a second operand register ( 22 ) for storing the second operand (B);
an intermediate multiplication result register ( 16 ) for storing an intermediate multiplication result (P);
an adder ( 10 );
a control device ( 18 ) having an input for receiving a least significant bit of the first operand register ( 30 ) encrypted with an encryption parameter, where the control device ( 18 ) is arranged to receive the least significant bit of the first operand register ( 30 ) encrypted using the encryption parameter to investigate to
if a first examination result is obtained, the adder ( 10 ) is driven, the second operand (B) is added to a current content of the multiplication intermediate result register ( 16 ), and a content of the first operand register ( 30 ) and the multiplication intermediate result register ( 16 ) in the direction of low-order bits in order to obtain new content for the first operand register ( 30 ) and the multiplication intermediate result register ( 16 ), or
if a second examination result is obtained, which is different from the first examination result, the adder ( 10 ) is driven in order to add an encrypted value to a current intermediate multiplication result, which corresponds to a logical "0" in the unencrypted state, and to a content of the first operand register ( 30 ) and the multiplication intermediate result register ( 16 ) in the direction of low-order bits, and
wherein the first test result means that the encrypted least significant bit of the first operand register ( 30 ) has a value which corresponds to a logical "0" in the unencrypted state, and wherein the second test result means that the encrypted least significant bit of the first operand register has one Has a value that corresponds to a logical "1" in the unencrypted state. 2. Device according to claim 1, in which a bit-wise encryption can be used by XORing an operand bit with an encryption parameter for the operand bit,
the first examination result comprising an inequality of the encrypted least significant bit of the first operand register with the encryption parameter for the bit,
wherein the second test result includes an equality of the encrypted least significant bit of the first operand register with the encryption parameter for the location, and
the value that corresponds to a 0 in the unencrypted state is equal to an encryption parameter for a corresponding location. 3. Device for multiplying a first operand (A) by a second operand (B) according to a cryptographic Booth recoding algorithm, with the following features:
a first operand register ( 30 ) for storing the first operand (A);
a second operand register ( 22 ) for storing the second operand (B);
an intermediate multiplication result register ( 16 ) for storing an intermediate multiplication result (P);
an adder ( 10 ); and
a control device ( 18 ) for examining a current bit of the first operand and a bit of the first operand that is low by one digit, taking into account an encryption parameter for the current digit and an encryption parameter for the least significant digit,
wherein if the encrypted current digit and the encrypted least significant digit have a value with respect to the encryption parameters which corresponds to a logical "0" in the unencrypted state, the control device ( 18 ) is arranged to drive the adder in order to unite the intermediate multiplication result Add a value which corresponds to a logical "0" in the unencrypted state and to shift a content of the multiplication intermediate result register and the first operand register by one position to bits of no significance,
wherein if the encrypted current digit has a value that corresponds to a logical "0" in the unencrypted state, and if the encrypted least significant digit has a value that corresponds to a logical "1" in the unencrypted state, the control device ( 18 ) is arranged to control the adder, to add the value of the second operand (B) to the intermediate multiplication result and to shift a content of the intermediate multiplication result register and the first operand register by one position to lower-order bits,
wherein if the encrypted current digit has a value that corresponds to a logical "1" in the unencrypted state, and if the encrypted least significant digit has a value that corresponds to a logical "0" in the unencrypted state, the control device ( 18 ) is arranged is to subtract the second operand from the intermediate multiplication result and to shift a content of the multiplication intermediate result register and the first operand register by one position to lower-order bits, or
wherein if the encrypted current position of the first operand has a value that corresponds to a logical "1" in the unencrypted state, and if the encrypted low-order position of the first operand has a value that corresponds to a logical "1" in the unencrypted state Control device ( 18 ) is arranged to control the adder, to add a value to the intermediate multiplication result which corresponds to a "0" in the unencrypted state, and to shift a content of the multiplication intermediate result register and the first operand register by one position to lower-order bits. 4. The device according to claim 3,
in which bit-wise encryption by XORing an operand bit with an encryption parameter for the operand bit can be used,
the value of an encrypted position then corresponds to 0 in the unencrypted state if the value of the encrypted position is equal to the encryption parameter for this position,
the value, which corresponds to a "0" in the unencrypted state, is equal to the encryption parameter, and
the value of an encrypted position in the unencrypted state corresponds to a logical "1" if the value is not equal to the encryption parameter for this position. 5. Device according to one of the preceding claims, in which encrypted values are stored in the first operand register ( 30 ), in the second operand register ( 22 ) and in the multiplication intermediate result register ( 16 ). 6. The device according to claim 5, wherein when moving egg ner position in a register first one with a ver Encryption key parameters for an origin ter value using an encryption key is encrypted and then written to a destination is, or one with an encryption parameter for a Origin encrypted value first to the destination place is pushed and then using an order encryption parameters is re-encrypted, where the re-encryption parameter is a combination of the encryption parameter for the origin and the Encryption parameter for the destination is. 7. Device according to one of the preceding claims, wherein the adder ( 10 ) is an adder for encrypted operands in order to deliver an encrypted output result using encrypted input operands without using intermediate results in plain text. 8. Device for dividing a first operand (A) by a second operand (B) according to a cryptographic restoring division algorithm in order to obtain a division result (P), having the following features:
a first operand register ( 44 ) for storing the first operand (A),
a second operand register ( 46 ) for storing the second th operand (B),
an intermediate division result register ( 42 ) for storing an intermediate division result;
an adder ( 40 );
a control device ( 48 ) for shifting a content of the first operand register ( 44 ) and the division between registers ( 42 ) by one position to higher-order positions,
wherein said control means is arranged (48) to control the ad decoder (40) for subtracting the second operand from the Di vision intermediate result register (42), and to load the result into the Division intermediate result register (42),
the control device ( 48 ) being further arranged to examine an encrypted content of the divisional interim results register using an encryption parameter,
if, if a first examination result is obtained, a least significant bit of the first operand is set to a value which corresponds to a logical "0" in the unencrypted state, and the second operand (B) is added to the intermediate division result register ( 42 ), and
if, if a second examination result is obtained which is different from the first examination result, a least significant bit of the first operand register ( 44 ) is set to a value which corresponds to a "1" in the unencrypted state,
wherein the first test result indicates that the content of the divisional interim result register is negative, and wherein the second test result indicates that the content of the divisional interim result register ( 42 ) is positive. 9. Device for dividing a first operand (A) by a second operand (B) according to a cryptographic non-restoring division algorithm in order to obtain a division result (P), having the following features:
a first operand register ( 44 ) for storing the first operand (A),
a second operand register ( 46 ) for storing the second th operand (B),
an intermediate division result register ( 42 ) for storing an intermediate division result;
an adder ( 40 );
a control device ( 48 ) for shifting a content of the first operand register ( 44 ) and the divisional intermediate result register ( 42 ) by one position to more significant positions, the control device ( 48 ) being arranged to, if a content of the Intermediate division register is negative to add the second operand (B) to the division intermediate result register and
wherein, if an encrypted content of the divisional intermediate result register is positive in an unencrypted state, subtract the second operand (B) from the divisional intermediate result register. 10. The device according to claim 8 or 9, where a negative number by sign bit and a Be is shown, where a most significant bit of a number acts as a sign bit. 11. The device according to claim 10,
in which bit-wise encryption by XORing an operand bit with an encryption parameter for the operand bit can be used,
wherein the content of the divisional interim result register is recognized as negative if an encrypted most significant bit of the divisional interim result register is not equal to an encryption parameter for the bit, and
wherein a content of the divisional interim result register is recognized as positive if an encrypted most significant bit of the divisional interim result register is equal to an encryption parameter for the location. 12. The device according to one of claims 8 to 11,
in which values are stored encrypted in registers, whereby when a position in a register is shifted, a value encrypted with an encryption parameter for an origin is first re-encrypted using a re-encryption key and then written to a destination, or one with an encryption parameter for a Value encrypted at the origin is first pushed to the destination and then encrypted using a re-encryption parameter,
wherein the re-encryption parameter is a combination of the encryption parameter for the origin and the encryption parameter for the destination. 13. The device according to any one of claims 8 to 12, wherein the adder ( 10 ) is an adder for encrypted operands in order to provide an encrypted output result using encrypted input operands without using intermediate results in plain text.