# Shay Gueron, Haifa IL

Patent application number | Description | Published |
---|---|---|
20080229116 | Performing AES encryption or decryption in multiple modes with a single instruction - A machine-readable medium may have stored thereon an instruction, which when executed by a machine causes the machine to perform a method. The method may include combining a first operand of the instruction and a second operand of the instruction to produce a result. The result may be encrypted using a key in accordance with an Advanced Encryption Standard (AES) algorithm to produce an encrypted result. The method may also include placing the encrypted result in a location of the first operand of the instruction. | 09-18-2008 |
20080240423 | SPEEDING UP GALOIS COUNTER MODE (GCM) COMPUTATIONS - Methods and apparatus to speed up Galois Counter Mode (GCM) computations are described. In one embodiment, a carry-less multiplication instruction may be used to perform operations corresponding to verification of an encrypted message in accordance with GCM. Other embodiments are also described. | 10-02-2008 |
20080240426 | Flexible architecture and instruction for advanced encryption standard (AES) - A flexible AES instruction set for a general purpose processor is provided. The instruction set includes instructions to perform a “one round” pass for AES encryption or decryption and also includes instructions to perform key generation. An immediate may be used to indicate round number and key size for key generation for 128/192/256 bit keys. The flexible AES instruction set enables full use of pipelining capabilities because it does not require tracking of implicit registers. | 10-02-2008 |
20090019342 | Determining a Message Residue - A technique of determining a message residue includes accessing a message and simultaneously determining a set of modular remainders with respect to a polynomial for different respective segments of the message. The technique also includes determining a modular remainder with respect to the polynomial for the message based on the set of modular remainders and a set of constants determined prior to accessing the message. The modular remainder with respect to the polynomial for the message is stored in a memory. | 01-15-2009 |
20090052659 | METHOD AND APPARATUS FOR GENERATING AN ADVANCED ENCRYPTION STANDARD (AES) KEY SCHEDULE - An Advanced Encryption Standard (AES) key generation assist instruction is provided. The AES key generation assist instruction assists in generating round keys used to perform AES encryption and decryption operations. The AES key generation instruction operates independently of the size of the cipher key and performs key generation operations in parallel on four 32-bit words, thereby increasing the speed at which the round keys are generated. This instruction is easy to use in software. Hardware implementation of this instruction removes potential threats of software (cache access based) side channel attacks on this part of the AES algorithm. | 02-26-2009 |
20090067618 | Random number generator - Systems, methods, and other embodiments associated with random number generators are described. One system embodiment includes a random number generator logic that may produce an initial random number from a first set of three inputs. The system embodiment may receive the three inputs from sources including an internal counter entropy source (ICES), an internal arbitrary entropy source (IAES), and an external entropy source (EES). The system embodiment may generate a first random number from a first set of three inputs (e.g., value from ICES, value from IAES, value from EES) but may then generate subsequent random numbers from a different set of three inputs (e.g., value from ICES, value from IAES, previous random number). | 03-12-2009 |
20090070774 | LIVE LOCK FREE PRIORITY SCHEME FOR MEMORY TRANSACTIONS IN TRANSACTIONAL MEMORY - A method and apparatus for avoiding live-lock during transaction execution is herein described. Counting logic is utilized to track successfully committed transactions for each processing element. When a data conflict is detected between transactions on multiple processing elements, priority is provided to the processing element with the lower counting logic value. Furthermore, if the values are the same, then the processing element with the lower identification value is given priority, i.e. allowed to continue while the other transaction is aborted. To avoid live-lock between processing elements that both have predetermined counting logic values, such as maximum counting values, when one processing element reaches the predetermined counting value all counters are reset. In addition, a failure at maximum value (FMV) counter may be provided to count a number of aborts of a transaction when counting logic is at a maximum value. When the FMV counter is at a predetermined number of aborts the counting logic is reset to avoid live-lock. | 03-12-2009 |
20090086981 | Methods and Apparatus for Batch Bound Authentication - A processing system may include a processing unit and nonvolatile storage responsive to the processing unit. The nonvolatile storage may include a candidate boot code module and an authentication code module. The processing unit may be configured to execute code from the authentication code module before executing code from the candidate boot code module. The authentication code module may have instructions which, when executed by the processing unit, cause the processing unit to read a processor identifier from the processing unit and determine whether the processor belongs to a predetermined set of processors associated with a specific vendor, based at least in part on the identifier, before executing any instructions from the candidate boot code module. The processing system may also test authenticity of the candidate boot code module before executing any instructions from the candidate boot code module. Other embodiments are described and claimed. | 04-02-2009 |
20090089564 | Protecting a Branch Instruction from Side Channel Vulnerabilities - Embodiments of an invention to protect a branch instruction from side channel vulnerabilities are described. In one embodiment, a method includes receiving a request to modify the operation of a processor to protect against side channel attacks, and modifying branch prediction operation in response to the request. | 04-02-2009 |
20090158132 | Determining a message residue - In one aspect, circuitry to determine a modular remainder with respect to a polynomial of a message comprised of a series of segments. In another aspect, circuitry to access at least a portion of a first number having a first endian format, determine a second number based on a bit reflection and shift of a third number having an endian format opposite to that of the first endian format, and perform a polynomial multiplication of the first number and the at least a portion of the first number. | 06-18-2009 |
20090168998 | EXECUTING AN ENCRYPTION INSTRUCTION USING STORED ROUND KEYS - Embodiments of an invention for executing an encryption instruction using stored round keys are disclosed. In one embodiment, an apparatus includes instruction logic, encryption logic, a storage region, and control logic. The instruction logic is to receive an encryption instruction. The encryption logic is to perform, in response to the instruction logic receiving the encryption instruction, an encryption operation including a plurality of rounds, each round using a corresponding round key from a plurality of round keys. The storage region is to store the plurality of round keys. The control logic is to fetch, for use during each of the plurality of rounds, the corresponding round key from the storage region. | 07-02-2009 |
20090172068 | METHOD AND APPARATUS FOR EFFICIENTLY IMPLEMENTING THE ADVANCED ENCRYPTION STANDARD - Implementations of Advanced Encryption Standard (AES) encryption and decryption processes are disclosed. In one embodiment of S-box processing, a block of 16 byte values is converted, each byte value being converted from a polynomial representation in GF(256) to a polynomial representation in GF((2 | 07-02-2009 |
20090172304 | Obscuring Memory Access Patterns in Conjunction with Deadlock Detection or Avoidance - Methods, apparatus and systems for memory access obscuration are provided. A first embodiment provides memory access obscuration in conjunction with deadlock avoidance. Such embodiment utilizes processor features including an instruction to enable monitoring of specified cache lines and an instruction that sets a status bit responsive to any foreign access (e.g., write or eviction due to a read) to the specified lines. A second embodiment provides memory access obscuration in conjunction with deadlock detection. Such embodiment utilizes the monitoring feature, as well as handler registration. A user-level handler may be asynchronously invoked responsive to a foreign write to any of the specified lines. Invocation of the handler more frequently than expected indicates that a deadlock may have been encountered. In such case, a deadlock policy may be enforced. Other embodiments are also described and claimed. | 07-02-2009 |
20090172377 | METHOD AND APPARATUS FOR BOOTING A PROCESSING SYSTEM - Machine-readable media, methods, apparatus and system for booting a processing system are described. In an embodiment, whether to launch an open operating system or a closed operating system to boot a processing system may be determined. A key may be retrieved from a processor register of the processing system and used to decrypt an encrypted version of the closed operating system based at least in part on a determination of booting the processing system with the closed operating system. In another embodiment, the processor register stored with the key may be flushed based at least in part on a determination of booting the processing system with the open operating system. | 07-02-2009 |
20090214026 | METHOD AND APPARATUS FOR OPTIMIZING ADVANCED ENCRYPTION STANDARD (AES) ENCRYPTION AND DECRYPTION IN PARALLEL MODES OF OPERATION - The throughput of an encryption/decryption operation is increased in a system having a pipelined execution unit. Different independent encryptions (decryptions) of different data blocks may be performed in parallel by dispatching an AES round instruction in every cycle. | 08-27-2009 |
20090220071 | COMBINING INSTRUCTIONS INCLUDING AN INSTRUCTION THAT PERFORMS A SEQUENCE OF TRANSFORMATIONS TO ISOLATE ONE TRANSFORMATION - The Advanced Encryption Standard (AES) is a symmetric block cipher that can encrypt and decrypt information. Encryption (cipher) performs a series of transformations (Shift Rows, Substitute Bytes, Mix Columns) using the secret key (cipher key) to transform intelligible data referred to as “plaintext” into an unintelligible form referred to as “cipher text”. The transformations (Inverse Shift Rows, Inverse Substitute Bytes, Inverse Mix Columns) in the inverse cipher (decryption) are the inverse of the transformations in the cipher. Encryption and decryption are performed efficiently through the use of instructions that perform the series of transformations. Combinations of these instructions allow the isolation of the transformations (Shift Rows, Substitute Bytes, Mix Columns, Inverse Shift Rows, Inverse Substitute Bytes, Inverse Mix Columns) to be obtained. | 09-03-2009 |
20090268085 | DEVICE, SYSTEM, AND METHOD FOR SOLVING SYSTEMS OF LINEAR EQUATIONS USING PARALLEL PROCESSING - A method, apparatus and system for multiplying a matrix by a vector, for example, video interpolation (other applications are contemplated). The matrix may be a representation of a large and sparse system of linear equations. The large and sparse system of linear equations may be used to estimate motion between frames of a video file for converting frame rates. The vector may be a first estimation of a solution to the system of linear equations. The matrix may be multiplied by elements of the vector in an order different from the order in which the elements are arranged in the vector. Elements in the vector may be multiplied in parallel. A second vector estimation of the solution to a system of linear equations may be a product of the multiplying. The solution to the system of linear equations may be set, for example, when the first and second vector estimations differ by less than a predetermined amount. Other embodiments are described and claimed. | 10-29-2009 |
20090310775 | Using a single instruction multiple data (SIMD) instruction to speed up Galois counter mode (GCM) computations - In one embodiment, an encryption operation may be performed by obtaining a product of a carry-less multiplication using multiple single instruction multiple data (SIMD) multiplication instructions each to execute on part of first and second operands responsive to an immediate datum associated with the corresponding instruction, and reducing the product modulo g to form a message authentication code of a block cipher mode. Other embodiments are described and claimed. | 12-17-2009 |
20100020965 | METHOD FOR SPEEDING UP THE COMPUTATIONS FOR CHARACTERISTIC 2 ELLIPTIC CURVE CRYPTOGRAPHIC SYSTEMS - In some embodiments, an apparatus and method for speeding up the computations for characteristic 2 elliptic curve cryptographic systems are described. In one embodiment, a multiplication routine may be pre-computed using a one iteration graph-based multiplication according to an input operand length. Once pre-computed, the multiplication routine may be followed to compute the products of the coefficients of the polynomials representing a carry-less product of two input operands using a carry-less multiplication instruction. In one embodiment, the pre-computed multiplication routines may be used to extend a carry-less multiplication instruction available from an architecture according to an input operand length of the two input operands. Once computed, the carry-less product polynomial produces a remainder when the product is computed modulo a programmable polynomial that defines the elliptic cryptographic system to form a cryptographic key. Other embodiments are described and claimed. | 01-28-2010 |
20100082718 | COMBINED SET BIT COUNT AND DETECTOR LOGIC - A merged datapath for PopCount and BitScan is described. A hardware circuit includes a compressor tree utilized for a PopCount function, which is reused by a BitScan function (e.g., bit scan forward (BSF) or bit scan reverse (BSR)). Selector logic enables the compressor tree to operate on an input word for the PopCount or BitScan operation, based on a microprocessor instruction. The input word is encoded if a BitScan operation is selected. The compressor tree receives the input word and operates on the bits as though all bits have the same level of significance (e.g., for an N-bit input word, the input word is treated as N one-bit inputs). The result of the compressor tree circuit is a binary value representing a number related to the operation performed (the number of set bits for PopCount, or the bit position of the first set bit encountered by scanning the input word). | 04-01-2010 |
20100125728 | METHOD OF IMPLEMENTING ONE WAY HASH FUNCTIONS AND APPARATUS THEREFOR - A cryptographic system for encrypting a data stream to be transported over a network by using a one way hash function constructed according to the Merkle-Damgard construction includes a plurality of Davies-Meyer structure modules. A Davies-Meyer module modifies two variables A and B according to at least four words by no more than three Advanced Encryption Standard (AES) block cipher rounds. | 05-20-2010 |
20100158241 | Method and apparatus to perform redundant array of independent disks (RAID) operations - A method and apparatus to compute a Q syndrome for RAID 6 through the use of AES operations is provided. In an embodiment, the result of GF multiplication performed using the AES operations allows RAID-6 support to be provided without the need for a dedicated RAID controller. | 06-24-2010 |
20100169635 | METHOD AND SYSTEM TO FACILITATE CONFIGURATION OF A HARDWARE DEVICE IN A PLATFORM - A method and system to allow the secure configuration of the configurable feature(s) of a hardware device in a platform. The configuration of the configurable feature(s) of the hardware device is performed with protection against software attacks. A management module determines that the platform is authorized to configure at least one configurable feature of the hardware device and configures each of the configurable feature(s) based on a received configuration message. | 07-01-2010 |
20100332574 | Digital random number generator - A hardware-based digital random number generator is provided. The digital random number generator is a randomly behaving random number generator based on a set of nondeterministic behaviors. The nondeterministic behaviors include temporal asynchrony between subunits, entropy source “extra” bits, entropy measurement, autonomous deterministic random bit generator reseeding and consumption from a shared resource. | 12-30-2010 |
20110145683 | Instruction-set architecture for programmable cyclic redundancy check (CRC) computations - A method and apparatus to perform Cyclic Redundancy Check (CRC) operations on a data block using a plurality of different n-bit polynomials is provided. A flexible CRC instruction performs a CRC operation using a programmable n-bit polynomial. The n-bit polynomial is provided to the CRC instruction by storing the n-bit polynomial in one of two operands. | 06-16-2011 |
20110158403 | ON-THE-FLY KEY GENERATION FOR ENCRYPTION AND DECRYPTION - Methods and apparatus to provide on-the-fly key computation for Galois Field (also referred to as Finite Field) encryption and/or decryption are described. In one embodiment, logic generates a cipher key, in a second cycle, based on a previous cipher key generated in a first cycle that immediately precedes the second cycle. Other embodiments are also described. | 06-30-2011 |
20110208907 | Protected Cache Architecture And Secure Programming Paradigm To Protect Applications - Embodiments of the present invention provide a secure programming paradigm, and a protected cache, that enable a processor to handle secret/private information while preventing, at the hardware level, malicious applications from accessing this information by circumventing the other protection mechanisms. A protected cache may be used as a building block to enhance the security of applications trying to create, manage and protect secure data. Other embodiments are described and claimed. | 08-25-2011 |
20120002804 | ARCHITECTURE AND INSTRUCTION SET FOR IMPLEMENTING ADVANCED ENCRYPTION STANDARD (AES) - A flexible AES instruction for a general purpose processor is provided that performs AES encryption or decryption using n rounds, where n includes the standard AES set of rounds {10, 12, 14}. A parameter is provided to allow the type of AES round to be selected, that is, whether it is a “last round”. In addition to standard AES, the flexible AES instruction allows an AES-like cipher with 20 rounds to be specified or a “one round” pass. | 01-05-2012 |
20120079285 | TWEAKABLE ENCRYPTION MODE FOR MEMORY ENCRYPTION WITH PROTECTION AGAINST REPLAY ATTACKS - A method and apparatus for protecting against hardware attacks on system memory is provided. A mode of operation for block ciphers enhances the standard XTS-AES mode of operation to perform memory encryption by extending a tweak to include a “time stamp” indicator. An incrementing mechanism using the “time stamp” indicator generates a tweak which separates different contexts over different times such that the effect of “Type 2 replay attacks” is mitigated. | 03-29-2012 |
20120106731 | SPEEDING UP GALOIS COUNTER MODE (GCM) COMPUTATIONS - Methods and apparatus to speed up Galois Counter Mode (GCM) computations are described. In one embodiment, a carry-less multiplication instruction may be used to perform operations corresponding to verification of an encrypted message in accordance with GCM. Other embodiments are also described. | 05-03-2012 |
20120124360 | Method and Apparatus for Booting a Processing System - Machine-readable media, methods, apparatus and system for booting a processing system are described. In an embodiment, whether to launch an open operating system or a closed operating system to boot a processing system may be determined. A key may be retrieved from a processor register of the processing system and used to decrypt an encrypted version of the closed operating system based at least in part on a determination of booting the processing system with the closed operating system. In another embodiment, the processor register stored with the key may be flushed based at least in part on a determination of booting the processing system with the open operating system. | 05-17-2012 |
20120137137 | METHOD AND APPARATUS FOR KEY PROVISIONING OF HARDWARE DEVICES - Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform. | 05-31-2012 |
20120224687 | Method and apparatus for optimizing Advanced Encryption Standard (AES) encryption and decryption in parallel modes of operation - The throughput of an encryption/decryption operation is increased in a system having a pipelined execution unit. Different independent encryptions (decryptions) of different data blocks may be performed in parallel by dispatching an AES round instruction in every cycle. | 09-06-2012 |
20120265998 | Methods And Apparatus For Authenticating Components Of Processing Systems - When a processing system boots, it may retrieve an encrypted version of a cryptographic key from nonvolatile memory to a processing unit, which may decrypt the cryptographic key. The processing system may also retrieve a predetermined authentication code for software of the processing system, and the processing system may use the cryptographic key to compute a current authentication code for the software. The processing system may then determine whether the software should be trusted, by comparing the predetermined authentication code with the current authentication code. In various embodiments, the processing unit may use a key stored in nonvolatile storage of the processing unit to decrypt the encrypted version of the cryptographic key, a hashed message authentication code (HMAC) may be used as the authentication code, and/or the software to be authenticated may be boot firmware, a virtual machine monitor (VMM), or other software. Other embodiments are described and claimed. | 10-18-2012 |
20130080493 | MODULAR EXPONENTIATION WITH PARTITIONED AND SCATTERED STORAGE OF MONTGOMERY MULTIPLICATION RESULTS - Embodiments of techniques and systems for side-channel-protected modular exponentiation are described. In embodiments, during a modular exponentiation calculation, Montgomery Multiplication (“MM”) results are produced. These MM results are scattered through a table for storage, such that storage of the values may not lead to discovery of a secret exponent value by a spy process through a side-channel attack. The scattering may be performed in order to reduce a number of per-result memory operations performed during each MM result storage or retrieval. In embodiments, a window size of 4 may be used in the modular exponentiation, along with partitioning of the MM result into 32-bit partition values which are scattered with offsets of 64 bytes. In embodiments, while use of a window size of 4 may result in more MM calculations during modular exponentiation than other window sizes, the reduction in memory operations may provide a positive performance offset. | 03-28-2013 |
20130179643 | OBSCURING MEMORY ACCESS PATTERNS IN CONJUNCTION WITH DEADLOCK DETECTION OR AVOIDANCE - Methods, apparatus and systems for memory access obscuration are provided. A first embodiment provides memory access obscuration in conjunction with deadlock avoidance. Such embodiment utilizes processor features including an instruction to enable monitoring of specified cache lines and an instruction that sets a status bit responsive to any foreign access (e.g., write or eviction due to a read) to the specified lines. A second embodiment provides memory access obscuration in conjunction with deadlock detection. Such embodiment utilizes the monitoring feature, as well as handler registration. A user-level handler may be asynchronously invoked responsive to a foreign write to any of the specified lines. Invocation of the handler more frequently than expected indicates that a deadlock may have been encountered. In such case, a deadlock policy may be enforced. Other embodiments are also described and claimed. | 07-11-2013 |
20130188789 | METHOD AND APPARATUS FOR GENERATING AN ADVANCED ENCRYPTION STANDARD (AES) KEY SCHEDULE - An Advanced Encryption Standard (AES) key generation assist instruction is provided. The AES key generation assist instruction assists in generating round keys used to perform AES encryption and decryption operations. The AES key generation instruction operates independently of the size of the cipher key and performs key generation operations in parallel on four 32-bit words, thereby increasing the speed at which the round keys are generated. This instruction is easy to use in software. Hardware implementation of this instruction removes potential threats of software (cache access based) side channel attacks on this part of the AES algorithm. | 07-25-2013 |
20130191699 | INSTRUCTION-SET ARCHITECTURE FOR PROGRAMMABLE CYCLIC REDUNDANCY CHECK (CRC) COMPUTATIONS - A method and apparatus to perform Cyclic Redundancy Check (CRC) operations on a data block using a plurality of different n-bit polynomials is provided. A flexible CRC instruction performs a CRC operation using a programmable n-bit polynomial. The n-bit polynomial is provided to the CRC instruction by storing the n-bit polynomial in one of two operands. | 07-25-2013 |
20130202106 | Performing AES Encryption Or Decryption In Multiple Modes With A Single Instruction - A machine-readable medium may have stored thereon an instruction, which when executed by a machine causes the machine to perform a method. The method may include combining a first operand of the instruction and a second operand of the instruction to produce a result. The result may be encrypted using a key in accordance with an Advanced Encryption Standard (AES) algorithm to produce an encrypted result. The method may also include placing the encrypted result in a location of the first operand of the instruction. | 08-08-2013 |
20130297664 | NUMBER SQUARING COMPUTER-IMPLEMENTED METHOD AND APPARATUS - Embodiments of the present disclosure describe computer-implemented methods, computer-readable media and computer systems associated with big number squaring. A computer-implemented method to square a number x may include storing a t-digit vector representation of x in t b-bit registers of a processor. A 2t-digit intermediate vector may be generated and stored in 2t b-bit registers of the processor, using x stored in said t b-bit registers. A value stored in at least one of the t b-bit or 2t b-bit registers may be shifted to the left by n, where n is an integer at least equal to 1. At some point after the shifting, w, the square of the number x, may be represented by the 2t-digit result vector stored in the 2t b-bit registers. Other embodiments may be described and/or claimed. | 11-07-2013 |
20130301826 | SYSTEM, METHOD, AND PROGRAM FOR PROTECTING CRYPTOGRAPHIC ALGORITHMS FROM SIDE-CHANNEL ATTACKS - A system for protecting algorithms from side-channel attacks includes a digital processor having a first register, a second register, and a third register; an execution unit; and a processing unit. The execution unit executes an iterative loop for computing a value of a variable and sets a value of the first register based on either an operation or an instruction (or both) within the iterative loop. The processing unit stores the computed value of the variable in the second register and stores a predefined constant in the third register. Side-channel protection may also be provided by a method, a processor, and a program stored on a computer-readable medium. | 11-14-2013 |
20130332707 | SPEED UP BIG-NUMBER MULTIPLICATION USING SINGLE INSTRUCTION MULTIPLE DATA (SIMD) ARCHITECTURES - A processing apparatus may be configured to include logic to generate a first set of vectors based on a first integer and a second set of vectors based on a second integer, logic to calculate sub-products by multiplying the first set of vectors by the second set of vectors, logic to split each sub-product into a first half and a second half, and logic to generate a final result by adding together all first and second halves at respective digit positions. | 12-12-2013 |
20130332742 | SPEED UP SECURE HASH ALGORITHM (SHA) USING SINGLE INSTRUCTION MULTIPLE DATA (SIMD) ARCHITECTURES - A processing apparatus may comprise logic to preprocess a message according to a selected secure hash algorithm (SHA) to generate a plurality of message blocks, logic to generate hash values by preparing message schedules in parallel using single instruction multiple data (SIMD) instructions for the plurality of message blocks and to perform compression in serial for the plurality of message blocks, and logic to generate a message digest conforming to the selected SHA algorithm. | 12-12-2013 |
20130332743 | SPEED UP SECURE HASH ALGORITHM (SHA) USING SINGLE INSTRUCTION MULTIPLE DATA (SIMD) ARCHITECTURES - A processing apparatus comprises logic to, according to a selected secure hash algorithm (SHA), generate hash values by preparing message schedules for a plurality of message blocks in parallel using single instruction multiple data (SIMD) instructions and performing compression in serial, and logic to generate a message digest conforming to the selected SHA algorithm. | 12-12-2013 |