Calculating unit and method for performing an arithmetic operation with encrypted operands
First Claim
1. A calculating unit for performing an operation on operands, wherein at least one of the operands is encrypted using an encryption algorithm and an encryption parameter so as to obtain an encrypted result of the operation, the calculating unit comprising:
- a processing unit having an input for an operand or a negated version of the operand, an input for the at least one encrypted operand or a negated version of the at least one encrypted operand, having an input for the encryption parameter with which the at least one operand is encrypted, and having an output for the encrypted result, the processing unit being formed to perform one or several mathematical sub-operations which together result in a ciphertext calculating specification derived from a clear-text calculating specification for the operation with non-encrypted operands such that the non-encrypted operand is replaced, in the clear-text calculating specification from which the at least one encrypted operand results, by a mathematical combination of the at least one encrypted operand and the encryption parameter, the mathematical combination being a reversal of the encryption algorithm, and the clear-text calculating specification being transformed, due to the mathematical combination, into the one or several mathematical sub-operations representing the ciphertext calculating specification, which mathematical sub-operations obtain, as an input quantity, merely the encrypted operand or a negated version of same, or a combination of the encrypted operand or of the negated version of the encrypted operand with the other operands.
1 Assignment
0 Petitions
Accused Products
Abstract
A calculating unit for performing an arithmetic operation with at least two operands, the at least two operands being encrypted, includes an arithmetic-logic unit with a first input for the first encrypted operand, a second input for the second encrypted operand, a third input for an encryption parameter and an output for an encrypted result of the operation, the arithmetic-logic unit being formed so as to operate on the first input, the second input and the third input by means of arithmetic sub-operations, while considering the type of encryption of the operands, such that at the output, an encrypted result is obtained which equals a value that would be obtained if the first operand was subjected to the arithmetic operation in a non-encrypted state and if the second operand would be subjected to the arithmetic operation in a non-encrypted state, and a result obtained was subsequently encrypted, no decryption of the operands being performed in the arithmetic-logic unit. In this manner, a processor system may be obtained in which no data whatsoever occurs in clear text, i.e. in a non-encrypted form, since no decryption upstream of an arithmetic-logic unit and no encryption downstream of the arithmetic-logic unit are required, as the arithmetic-logic unit operates with encrypted input operands to obtain an encrypted result. Interception attacks on transmission lines of the calculating unit are thus ruled out.
41 Citations
37 Claims
-
1. A calculating unit for performing an operation on operands, wherein at least one of the operands is encrypted using an encryption algorithm and an encryption parameter so as to obtain an encrypted result of the operation, the calculating unit comprising:
-
a processing unit having an input for an operand or a negated version of the operand, an input for the at least one encrypted operand or a negated version of the at least one encrypted operand, having an input for the encryption parameter with which the at least one operand is encrypted, and having an output for the encrypted result, the processing unit being formed to perform one or several mathematical sub-operations which together result in a ciphertext calculating specification derived from a clear-text calculating specification for the operation with non-encrypted operands such that the non-encrypted operand is replaced, in the clear-text calculating specification from which the at least one encrypted operand results, by a mathematical combination of the at least one encrypted operand and the encryption parameter, the mathematical combination being a reversal of the encryption algorithm, and the clear-text calculating specification being transformed, due to the mathematical combination, into the one or several mathematical sub-operations representing the ciphertext calculating specification, which mathematical sub-operations obtain, as an input quantity, merely the encrypted operand or a negated version of same, or a combination of the encrypted operand or of the negated version of the encrypted operand with the other operands. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
-
-
27. A carry select adder for adding first and second encrypted operands to obtain an encrypted result, the first and second encrypted operands each comprising a plurality of bits, an encryption parameter being provided for each bit of the same order of the operands, the carry select adder comprising:
-
a first ripple carry adder with a plurality of bit slice means for adding the encrypted bits of the operands from a least significant bit of the operands up to a first boundary bit of the operands to produce an encrypted carry output bit of the first ripple carry adder;
first and second ripple carry adders with a plurality of bit slice means for adding the encrypted bits of the operands from a bit which is by one position more significant than the first boundary bit, up to a second boundary bit, wherein each bit slice means comprises a calculating unit for performing an operation on operands, wherein at least one of the operands is encrypted using an encryption algorithm and an encryption parameter so as to obtain an encrypted result of the operation, the calculating unit comprising;
a processing unit having an input for an operand or a negated version of the operand, an input for the at least one encrypted operand or a negated version of the at least one encrypted operand, having an input for the encryption parameter with which the at least one operand is encrypted, and having an output for the encrypted result, the processing unit being formed to perform one or several mathematical sub-operations which together result in a ciphertext calculating specification derived from a clear-text calculating specification for the operation with non-encrypted operands such that the non-encrypted operand is replaced, in the clear-text calculating specification from which the at least one encrypted operand results, by a mathematical combination of the at least one encrypted operand and the encryption parameter, the mathematical combination being a reversal of the encryption algorithm, and the clear-text calculating specification being transformed, due to the mathematical combination, into the one or several mathematical sub-operations representing the ciphertext calculating specification, which mathematical sub-operations obtain, as an input quantity, merely the encrypted operand or a negated version of same, or a combination of the encrypted operand or of the negated version of the encrypted operand with the other operands, the mathematical operation being an adder operation so as to produce, at a carry input, an internal encrypted aggregate bit and an internal encrypted carry output bit using an encrypted bit of the first operand, an encrypted bit of the second operand and an encrypted carry input bit, wherein all bit slice means further comprise an associated re-encryptor to achieve a re-encryption of the carry input bit encrypted in accordance with an encryption parameter for the bit slice means from which same is derived, into an encryption with the encryption parameter for current bit slice means, wherein the second ripple carry adder and the third ripple carry adder being arranged in parallel, wherein a key (kn+1) for the least significant bit slice means of the second ripple carry adder can be applied as a carry input bit for a least significant bit slice means of the second ripple carry adder, and wherein an inverted key (NOT kn+1) for the least significant bit slice means of the third ripple carry adder may be applied as a carry input bit for a least significant bit slice means of the third ripple carry adder;
a re-encryptor for re-encrypting the carry output bit of the first ripple carry adder on a key basis of the least significant bit slice means of the second ripple carry adder; and
select means for selecting the encrypted aggregate bits of the second ripple carry adder if the re-encrypted carry output bit of a most significant bit slice means of the first ripple carry adder is identical with a logical “
0”
, or for selecting the encrypted aggregate bits of the third ripple carry adder if the re-encrypted carry output bit of the first ripple carry adder is identical with a logical “
1”
, as encrypted aggregate bits.
-
-
28. A cryptography processor, comprising:
-
a memory for storing data encrypted with a first encryption algorithm;
a first decryptor for decrypting data which is stored in the memory and is encrypted with the first encryption algorithm;
a second encryptor for encrypting data, which are obtained from the first decryptor, with a second encryption algorithm;
a calculating unit for performing an operation on operands, wherein at least one of the operands is encrypted using an encryption algorithm and an encryption parameter so as to obtain an encrypted result of the operation, the calculating unit comprising;
a processing unit having an input for an operand or a negated version of the operand, an input for the at least one encrypted operand or a negated version of the at least one encrypted operand, having an input for the encryption parameter with which the at least one operand is encrypted, and having an output for the encrypted result, the processing unit being formed to perform one or several mathematical sub-operations which together result in a ciphertext calculating specification derived from a clear-text calculating specification for the operation with non-encrypted operands such that the non-encrypted operand is replaced, in the clear-text calculating specification from which the at least one encrypted operand results, by a mathematical combination of the at least one encrypted operand and the encryption parameter, the mathematical combination being a reversal of the encryption algorithm, and the clear-text calculating specification being transformed, due to the mathematical combination, into the one or several mathematical sub-operations representing the ciphertext calculating specification, which mathematical sub-operations obtain, as an input quantity, merely the encrypted operand or a negated version of same, or a combination of the encrypted operand or of the negated version of the encrypted operand with the other operands, which is arranged to obtain data output from the second encryptor;
a second decryptor for decrypting data output from the calculating unit in accordance with the second encryption algorithm; and
a first encryptor for encrypting the data, which are output from the second decryptor, in accordance with the first encryption algorithm, the first encryptor being coupled to the memory so that the data encrypted with the first encryption algorithm may be fed to the memory. - View Dependent Claims (29, 30, 31, 32, 33, 34)
-
-
35. A method for performing an operation on operands, wherein at least one of the operands is encrypted using an encryption algorithm and an encryption parameter to obtain an encrypted result of the operation, the method comprising:
-
performing one or several mathematical sub-operations which together result in a ciphertext calculating specification derived from a clear-text calculating specification for the operation with non-encrypted operands, such that the non-encrypted operand, from which the at least one encrypted operand results, is replaced by a mathematical combination of the at least one encrypted operand and the encryption parameter, the mathematical combination being a reversal of the encryption algorithm, and the clear-text calculating specification being transformed, due to the mathematical combination, into the one or several mathematical sub-operations representing the ciphertext calculating specification, which mathematical sub-operations obtain, as an input quantity, merely the encrypted operand or a negated version of same, or a combination of the encrypted operand or of the negated version of the encrypted operand with the other operands.
-
-
36. A method for forming a calculating-unit means for performing an operation on operands, at least one of the operands being encrypted using an encryption algorithm and an encryption parameter to obtain an encrypted result of the operation, the method comprising:
-
providing a clear-text calculating specification for the operation;
replacing, in the clear-text calculating specification, a non-encrypted operand corresponding to the encrypted operand, by a mathematical combination of the encrypted operand and the encryption parameter, the mathematical combination being a reversal of the encryption algorithm, so as to obtain ciphertext calculating specification;
transforming the ciphertext calculating specification obtained into one or several mathematical sub-operations which obtain, as an input quantity, merely the encrypted operand or a negated version of same, or a combination of the encrypted operand or of the negated version of the encrypted operand with the other operands; and
implementing the one or several mathematical sub-operations to obtain the calculating-unit means.
-
-
37. An apparatus for forming a calculating-unit means for performing an operation on operands, at least one of the operands being encrypted using an encryption algorithm and an encryption parameter to obtain an encrypted result of the operation, the apparatus comprising:
-
means for providing a clear-text calculating specification for the operation;
means for replacing, in the clear-text calculating specification, a non-encrypted operand corresponding to the encrypted operand, by a mathematical combination of the encrypted operand and the encryption parameter, the mathematical combination being a reversal of the encryption algorithm, so as to obtain ciphertext calculating specification;
means for transforming the ciphertext calculating specification obtained into one or several mathematical sub-operations which obtain, as an input quantity, merely the encrypted operand or a negated version of same, or a combination of the encrypted operand or of the negated version of the encrypted operand with the other operands; and
means for implementing the one or several mathematical sub-operations to obtain the calculating-unit means.
-
Specification