DE10201450B4 - Carry-skip adder for encrypted data - Google Patents

Abstract

Carry-skip adder for adding a first operand (a) and a second operand (b), the first and the second operand being able to be represented by bits which have an increasing order from a least significant bit, with the following features:
a first adder (10) for supplying sum bits for a first plurality of bits in ascending order, starting from the least significant bit, and for supplying a first carry signal (c ₄ ) for a most significant bit of the first plurality of bits;
a second adder (12) for supplying sum bits for a second plurality of bits in ascending order, starting from a next higher bit than the most significant bit of the first plurality of bits, for supplying a second carry signal of the most significant bit of the second plurality of bits and for Providing a propagate value (P) of the second plurality of bits;
a third adding device (18) for supplying sum bits for a third plurality of bits in ascending order, starting from ...

Description

The present invention relates on adder arithmetic units and especially on carry-skip adders.

6 shows a three-stage carry-skip adder described in "Computer Architecture a Quantitative Approach", Hennessy and Patterson, Morgan Kaufmann Publishers, Inc., 1996, Appendix A. The adder in 6 comprises three adder stages 600 . 601 and 602 , The first stage is only exemplary 600 an adder with a bit width of 4 to add the least significant four bits of the operands a, b, ie a ₀ , a ₁ , a ₂ , a ₃ and b ₀ , b ₁ , b ₂ , b _3, respectively. The first adder 600 In addition to the result bits or sum bits r ₀ , r ₁ , r ₂ , r _{3, it} also outputs a carry from the most significant bit slice, which in 6 is denoted by c ₄ . This carry bit c _{4 of} the first adder stage 600 is in the least significant bit slice of the second adder stage 601 fed. The second adder stage comprises in 6 also four bits and sums up the next four bits of operands a and b.

Up to this point, he was working adders like a normal ripple carry adder. The well-known carry-skip adder as in 6 is shown, however, is characterized in that the second adder stage 601 a propagate value P _4.7 603 generated with the carry bit c4 604 in an AND gate 605 is linked to a skip signal 606 to create. The skip signal 606 becomes with a carry signal cs ₈ from the most significant bit slice (for bit no. 7) of the second adder stage 601 , this in 6 With 607 is designated by means of an OR gate 608 OR-linked to the transmission input bit for the lowest bit slice (bit 8) of the third adder stage 602 to deliver. This circuit from AND gate 605 and OR gates 608 is then continued for possible further stages of the adder.

Before the operation of the known carry-skip adder is discussed, the calculation of the propagate signal is first carried out 603 Referred. As is known, the propagate signal of the second adder stage P _4.7 is calculated by ANDing the propagate values of the individual bit slices. Expressed in the form of an equation: P 4.7 = P 4 · P 5 · P 6 · P 7 (1)

A propagate value for a bit slice i is calculated as follows: p i = a i + b i (2)

The propagate value indicates whether a carry bit of a lower bit slice is absorbed by the bit slice whose propagate value is known. This is the case if a _i and b _{i are} 0, ie the propagate value pi is 0. On the other hand, a carry bit of a lower bit slice is passed on by the current bit slice, ie "propagated" if either a _i or b _i is 1. If both a _i and b _i are 1, this bit is used -Slice not only passes on a carry bit, but even generates it. The value that indicates whether a bit slice is generating a carry is also known as the generate value. The generate value results from the AND operation of the two operand bits.

Generally speaking, the carry-skip adder is based on the fact that if, for example, the second adder block 601 in 6 has a propagate value of 1 overall, ie no bit slice absorbs a carry, so the carry signal of the lowest adder 600 are immediately passed on to the next but one adder 602 , Due to the propagate signal from 1 of the second adder 601 becomes a carry c ₄ by the lowest adder 600 is generated, in no case absorbed in the second adder. The carry output signal cs ₈ is therefore skipped when the carry signal of the first adder c ₄ is 1 and the propagate signal is also 1.

The OR gate 608 at the output of the second adder stage 601 is only effective. if the skip signal 606 is 0 and a carry for the third adder 602 from the second adder 601 is produced.

It should be noted that calculating the propagate value P is easier than calculating the generate value G. Therefore, only the propagate values P are calculated in the carry-skip adder. The carry-overs begin to "ripple" through each block at substantially the same time. If a block produces a carry, the carry output of that block will be true even if the carry input to the block is not yet correct At the beginning of each add operation, the carry input in each block is 0, then no carry output signals are generated, so the carry output signal of each block can also be interpreted as being the G signal, as soon as the carry output signal is off the least significant block (adder 600 ) is generated, it will not only be in the next block fed, but it is also linked by the AND gate with the P signal from the next block. If the carry output signal (c ₄ ) and the P signal are both true, the carry skips the second block and is fed directly into the third block, etc. This provides a significant speed advantage over a simple ripple carry adder , This is all the more true if the adder stages are made unequal in size, as is known.

A disadvantage of the carry-skip adder described is the fact that it is only of limited suitability for cryptographic applications, since it is used for needle attacks to intercept processed data or result data and in particular also for SPA attacks (SPA = Single Power Analysis) or DPA (differential power analysis) attacks are vulnerable. In the well-known carry-skip adder, the in 6 plain text data is processed everywhere. Especially the Propagate line 603 who have favourited Carry Line 604 , and the skip signal line 606 are of considerable length if larger adder stages are used and are therefore suitable for physical attack scenarios such as e.g. B. needle attacks, vulnerable.

The lecture script of the University of Hanover, Issue 11/00, in particular chapter 2.1.4 pages 2-16 to 2.23, researched on the Internet at the address URL: http://www.sra.unihannover.de/lehre/vorlesungen/hlr/kapitel.2.pdf discloses a carry lookahead adder to accelerate the addition, in which Propagate signals, generate signals and carry signals calculated from them be used. Carry skip adders or carry select adders are also described.

The DE 69222174 T2 discloses nonlinear dynamic methods for interchanging blocks in connection with an encryption method in which an associated unique encrypted block of n bits of binary numbers is substituted for each of 2 ⁿ unique plain text blocks of n bits of binary numbers.

The object of the present invention is to create a more secure carry-skip adder.

This is done by a carry-skip adder according to claim 1 solved.

The present invention lies based on the knowledge that the Security of the carry-skip adder can be increased significantly can, if at least partially counted with encrypted operands becomes. This is especially true for the carry signal line, the propagate line and the skip line and for the AND gate and the OR gate of the carry-skip adder to. These structures are characteristic of the carry-skip adder and possibly in a design recognizable. About that in addition, these lines are longer than in a real design Lines of a bit slice of the adders, so that, for. B. physical attacks on these signals are easier.

It is also preferred, not only the carry signals, to encrypt the propagate signals and the skip signals, but also perform the AND and OR calculations in encrypted form, and about that also in the adder blocks Adder for encrypted Use data.

Although basically any reversible encryption algorithm for encryption the operands of the AND gate and the OR gate are used can, it will for reasons preference for speed and circuitry, encryption in the form of an XOR link as an encryption algorithm and an encryption parameter or alternatively an XNOR link with an encryption parameter use, the encryption bitwise, d. H. that the encryption parameters for each Operand bit, i. H. For every bit slice is different. This ensures a high level of security achieved that the key now and then or even for every operand is changed.

In a preferred embodiment the entire arithmetic unit works directly on encrypted operands. The encryption can be done according to the principle of one-time pad encryption. The result is also encrypted Form without ever generating an intermediate result in plain text. This will allow all types of statistical attack scenarios, such as z. B. DPA and SPA, much more difficult. This is - as known safe alternative - one Full custom solution avoided with dual-rail pre-charge. The arithmetic unit according to the invention is therefore more technology independent and typically also if a simple encryption algorithm is used to save space than a full custom solution in Dual rail precharge technique. However, if maximum security is searched, the arithmetic unit according to the invention can also be found in Dual rail precharge technology will be realized.

Preferred embodiments of the present Invention are hereinafter referred to with reference to the accompanying Drawings explained in detail. Show it:

1 a block diagram of an inventive carry-skip adder with encrypted AND operation and encrypted OR operation and encrypted adders;

2 an exemplary implementation for the encrypted AND operation;

3 an exemplary implementation for the encrypted OR operation;

4a a section of an n-bit wide ripple carry adder for encrypted operands;

4b a schematic diagram of an n-bit wide ripple carry adder;

5a an exemplary implementation for an encrypted ADD operation for a bit slice;

5b a truth table for an encrypted ADD operation for a bit slice; and

6 a block diagram of a known carry-skip adder.

1 shows a block diagram of a preferred embodiment of a more secure carry-skip adder, in which bit-by-bit encryption of operands a, b, with its own encryption parameter k _i per operand bit is used. Regarding the notation, it should be noted that sizes are encoded with an apostrophe. At the in 1 shown embodiment all operations take place in the secret text space. Specifically, the in 1 shown carry-skip adder according to a preferred embodiment of the present invention a first adder block 10 for adding a first plurality of bits of the two operands a, b, the first plurality of bits being 4, for example. The first adder 10 thus adds the encrypted operand bits a ₀ , b ₀ to a ₃ and b ₃ . The adder 10 outputs a first carry signal c ' ₄ as an output signal, which is also encrypted. The first carry signal c ' ₄ is converted into a re-encryption unit UV 11 fed in, in order to be re-encrypted from the key base k ₃ to the key base k ₄ , using the re-encryption key t ₄ , which is equal to the XOR combination of the keys k ₃ and k ₄ .

The re-encrypted carry bit is then in a second adder 12 for encrypted data, the second adder adding a second plurality of operand bits, the second plurality in 1 4 is also exemplary. The second adder 12 for encrypted operands, in addition to the encrypted sum bits contained in 1 are not shown, a second carry signal cs' ₈ , which, as the apostrophe shows, is also encrypted.

The carry-skip adder for encrypted data 1 also includes an R-Box for implementing the AND operation of the propagate signal of the second adder 12 and the first carry signal c ' _{4 of} the first adder 10 to generate a skip signal R that is in a C-box 16 with the second carry signal of the second adder 12 , this in 1 denoted by cs' ₈ is to be OR'ed to the carry input signal for a third adder 18 to deliver.

It should be noted that in the 1 shown carry-skip adder according to the present invention all signals on lines that have a significant length due to the system, ie the first carry signal c ' ₄ , the propagate signal P' _4.7 , the skip signal R ' _4.7 and the second carry signal cs' _{8 are} encrypted. This ensures that these lines, which can already have a considerable length due to the design of the carry-skip adder, are secured against eavesdropping.

There are various options for generating the encrypted carry signals, propagate signals and skip signals. An easy way to generate these signals is to use plain text adders 10 . 12 . 18 to use, and to encrypt the carry signals and the propagate signals directly at the output of the adders, so that encrypted values are transmitted via signal lines. The encrypted signals are then encrypted via the required signal lines, for example to the R-Box 14 transmitted (the first carry signal and the first propagate signal). If an AND operation is to be carried out in plain text space, the signals at the R-Box input are decrypted again. Then the AND operation is carried out in clear text space, and the result of the AND operation is immediately encrypted again at the exit of the R-Box in order to be supplied to the C-Box in an encrypted state. The same can be done with the second carry output signal cs' ₈ . This can be done at the output of the second adder 12 , which can then be a plain text adder, encrypted and just like the encrypted skip signal R of the C-Box 16 are supplied, where both signals are decrypted, the OR operation is carried out in plain text space, and then the result of the OR operation is encrypted again.

The embodiment described above already provides a certain degree of certainty that no encrypted data are transmitted over longer lines. In this context it also makes sense to add the sum bits of the adders 10 . 12 . 18 also encrypted after its creation and transmitted to its destination in an encrypted state.

Another security enhancement is to no longer carry out the AND operation of the R-Box and the OR operation of the C-Box in plain text space, but rather the AND operation using the R-Box 14 and the OR combination of the C-Box 16 Execute directly in the ciphertext space without intermediate results being generated in the plaintext space. The determination equation for the AND operation in the R-Box 14 in plain text space reads as follows: R = cP (3)

The operation of the R-Box in the secret text space can be specified as follows: R '= (cP)' (4)

It is desirable that only encrypted operands are available. An encrypted carry signal c 'is defined as follows, where VA indicates an encryption algorithm and where i is the key for the encryption algorithm: c '= VA (c, i) (5)

The plaintext carry signal can be calculated from equation 5 as follows: c = VA -1 (c ', i) (6) where VA ^{-1 is} the inverse of the encryption algorithm VA. If equation 6 is inserted into equation 4 and an analog substitution is made for the propagate signal P, the following expression results for equation 4: R '= VA {[VA -1 (c ', i) VA - 1 (P ', j)], k (7)

In equation 7, i, j and k different keys, where i is the key for the carry signal c is where j is the key for the Propagate signal P and where k is the key for the result, that is, for the skip signal.

Equation 7 can for one concrete encryption algorithm be reshaped accordingly to form a shape at that without calculating intermediate results in plain text space encrypted Skip signal R from the encrypted carry signal c and the encrypted Propagate signal P can be calculated.

This is explained below using the following encryption algorithm. x '= x ⊕ k; x = x '⊕ k (8)

The encryption algorithm is the XOR function, the reverse of which is also the XOR operation. Equation 8 in Equation 7 is replaced by the following expression: R '= [(c' ⊕ i) · (P '⊕ j)] ⊕ k (9)

If the keys i, j and k are assumed to be equal and this key is designated k, and if equation 9 is transformed using standard mathematical transformation laws, a logical equation for R 'is obtained, which is generally expressed as follows: R '= P'k + c'k + P'c' (10)

2 shows an implementation of equation 10, the three AND gates 22 . 23 . 24 and an OR gate 25 includes. After in the R-Box from 2 only the key k _{4 is} fed in, the output R _4.7 ⁽⁴⁾ is also encrypted with this key.

Regarding the notation in 2 and 3 it should be noted that a superscript number in brackets instead of the apostrophe indicates on which key basis the value is encrypted. So c ₄ ^{(4) means} the carry input bit for the fourth bit slice 1 , but encrypted with the key k ₉ , what by the re-encryption device 11 out 1 is achieved.

The same procedure as in 2 can be chosen to OR the C-Box 16 to implement in the ciphertext space. If equation 8 is used as the encryption algorithm, the determination equation is as follows: c '= [(c's ⊕ i) + (R' ⊕ j)] ⊕ k (11)

In equation 11, c 'is the carry output of the C-box 16 , c's is the second carry output of the second adder 12 , and R 'is the output of the R-Box as the encrypted skip signal. If all keys are selected the same again and set equal to k, the following expression results after some conversion: C '= t ik · Cs' + R j · T jk · K k + cs' · t ik · R j · T ik (12)

A direct logic implementation of Equation 12 is shown in 3 shown. It comprises three AND gates 29 . 30 . 31 and an OR gate 32 ,

The logic implementations of 2 and 3 therefore only apply if there is a common key basis for each invoice, ie if the same key is selected for sizes involved in this invoice, for which purpose corresponding re-encryption with re-encryption keys is necessary, as shown in the figures.

A re-encryption for the encryption algorithm shown in equation 8 is generally defined as follows: x (i) = t ij ⊕ x (J) ; t ij = i ⊕ j (13)

In equation 13, x ^{(i) means} a value x encrypted with the key i, while x ^{(j) represents} a value x encrypted with j. t _ij is the re-encryption key that is calculated for the encryption algorithm discussed here from an XOR combination of the two keys i and j.

As will be explained below, it is preferred to have a carry-skip adder that works completely in the ciphertext space and in which encryption keys or encryption parameters are assigned bit by bit. This means if 1 it is considered that the first carry signal c ' _{4 is} generated encrypted with the key k ₃ for the operand bits b ₃ and a ₃ and is then re-encrypted that the propagate signal here with the key for the least significant bit of the second adder 12 , that is encrypted with k ₄ , and that a skip signal R is generated which is encrypted with the key k ₈ , such that the skip signal is already correctly encrypted for the common key base k ₈ chosen for the C-Box ,

For It is obvious to experts that it is for the implementations of the Equations based on the R-Box for encrypted data and the C-Box for encrypted data be implemented, and especially for the re-encryption a variety of different ways there, taking the various options can be obtained by that under Using mathematical transformation laws the corresponding equations be reshaped, or that different Keybases used become. Which implementation is preferred in practice, hangs too depending on the technology used, d. H. whether z. B. OR gate or exclusive OR gate better to implement, or whether AND gates or NAND gates for a particular Technology are more appropriate.

As has already been stated, it is preferred for the adders 10 . 12 . 18 To use adders that can work with encrypted operands and deliver an encrypted result without generating intermediate results in plain text. It is further preferred to use bit-by-bit encryption using different keys k _i for the different bits a _i and b _i . The following explains how an encrypted propagate signal P ' _4,7 can be calculated for the encryption algorithm of equation 8. The propagate signal P _{4.7 is} calculated in the plain text space as follows: P 4.7 = p 4 · P 5 · P 6 · P 7 (14)

In relation to the operand bits a _i , b _i , this means: P 4.7 = (a 4 + b 4 ) · (A 5 + b 5 ) (A 6 + b 6 ) (A 7 + b 7 ) (15)

The encrypted propagate signal P'a is therefore calculated using the systematics of Equation 9 and Equation 11: P (4) 4.7 = {[(a ' 4 ⊕ k 4 + b ' 4 ⊕ k 4 ) ⊕ k 4 ⊕ k 5 ]. [(A ' 5 ⊕ k 5 + B ' 5 ⊕ k 5 ) ⊕ k 5 ⊕ k 6 ]. [(A ' 6 ⊕ k 6 + b ' 6 ⊕ k 6 ) ⊕ k 6 ⊕ k 7 , [(A ' 7 ⊕ k 7 + b ' 7 ⊕ k 7 )]} ⊕ k 7 ⊕ k 4 (16)

Equation 16 can also be transformed using conventional mathematical laws to arrive at a form in which no intermediate plain-text results occur. In particular, it can be seen from equation 16 that for each encrypted propagate value of a bit slice, a re-encryption for the next higher bit slice is to be carried out in order to obtain a common key base again. The XOR combination of the overall result with the result of the XOR combination of k ₇ and k ₄ at the end of equation 16 provides the re-encoding of the propagate value to the key k ₄ . If, on the other hand, the propagate value is required encrypted with the key k ₇ , this re-encryption operation can be dispensed with.

It is obvious to experts that as an adder 10 . 12 . 18 any adders can be used. So, of course, a conventional ripple carry adder can be used. When speed counts, however, it is preferred to use a carry lookahead adder as the adder 10 . 12 and 18 use. In principle, for the adding devices 10 . 12 . 18 any means used under Ver supply input bits provide sum bits and a carry bit for the highest level. These means can either work in the clear text space, which requires subsequent encryption of the carry bits, the propagate values and also the sum bits, or these additive means can work in the cipher text space.

The following are different possibilities to implement an adder in ciphertext space.

The following is on 5a Reference is made to explain an ADD operation between the encrypted operands a _{k n} and b _kn . The determination equation for this is the following equation:

The operation of three operands or of three bits of operands, if a bit slice of a parallel adder is considered, leads to a carry c, wherein in the penultimate column and the third last column the in 5b Truth table shown the carry-over in the ADD operation between the unencrypted operands a, b and c is listed as cp, where p stands for "plain" = unencrypted, and wherein in the penultimate line the carry of the ADD operation of the ALU ck according to the invention is shown is.

The carry ckn _{(n + i)} results from the following equation:

The implementation of the above equation is in 5a shown. The ALU from 5a for an encrypted arithmetic unit again comprises a large number of arithmetic sub-operations, namely AND operations 171 to 173 and OR operations 179 and 180 , On the output side, the carry (ckn) _{n + 1} results for the ADD combination of the three input operands, which again according to the in 5b shown truth table matches the carry if the three operands are added in unencrypted form and then encrypted. In particular, (ckn) _{n + 1 means} the carry-in for the next higher ((n + 1) th) position (bit slice), encrypted with the key k _n , that is to say with the key of the current position n, not encrypted with the key k _{n + 1} for the next higher position. This means that depending on the execution of a bit slice, a re-encryption from (ckn) _{n + 1} from the key k _n to the key k _{n + 1} will take place.

The two equations above provide an implementation for an adder with encrypted operands, which outputs an encrypted sum bit s '(s' = s _kn ) and an encrypted carry bit c '(c' = (ckn) _{n + 1} ), the same on the input side in addition to the two encrypted operands receives an encrypted transmission input bit. Such an adder is also referred to in the prior art - in the case of unencrypted data - as a one-bit full adder.

A one bit full adder is used to make an n bit full adder 10 . 12 . 18 build. In this case, the one-bit full adder is referred to as a bit slice or bit slice device. The interconnection of two bit slice devices is in 4a shown. In detail shows 4a a first bit slice 1200 for the bit of order n and a bit slice 1202 for the bit of order n + 1. At the heart of every bit slice is the arithmetic unit for encrypted operands, which in 4a With 1204 is designated. As has been stated, any other implementations for an encrypted adder are possible as long as encrypted input operands and an encrypted transmit input are used to generate encrypted outputs, ie encrypted sum bits and encrypted carry bits.

The one-bit full adder that is in 4a is shown, is defined by the following two equations: s = x ⊕ y ⊕ z c = x · y + z x + z y

The adder equations are chosen here such that in the one-bit full adder 1204 no encryption key itself needs to be entered, but it does in the bit slice 1202 or 1200 according to an embodiment of the present invention. In addition, the one-bit full adder 1204 arranged such that the encrypted carry bit c 'itself is not passed on to the next higher bit slice device for an adder function, but rather that the inverted encrypted carry bit is passed on. The current bit of the encrypted operand a, that is, a ' _{n + 1, is} entered into the first input x of the one-bit full adder of the bit slice for bit n + 1. The current encrypted bit of the second operand, that is, b'n _{+ 1, is} entered into the second input y. A bit is input into the third input z, which is derived from the carry output bit c ' _{n of} the previous bit slice 1200 depends.

It is pointed out that the carry output bit of the preceding bit slice cannot be used directly, since it is for the two different bit slice devices 1200 and 1202 different encryption keys k _{n + 1} or k _n are present. Therefore, the carry-out bit of the previous bit slice device must be re-encrypted from the encryption key k _n for the previous bit slice device to the encryption key k _{n + 1 of} the current bit slice device.

In the case of encryption using an XOR operation, re-encryption can be carried out simply by XOR operation of the encrypted carry output bit of the bit slice 1200 can be achieved with a re-encryption key t _{n + 1} . This is through an XOR gate 1206 shown. The re-encryption key t _{n + 1} is calculated as intended by the XOR combination of the two keys concerned for the two bit slices, that is to say by an XOR combination of k _{n + 1} for the bit slice 1202 and k _n for the bit slice 1200 ,

The bit slice facility 1202 again outputs a carry output bit, which, however, is encrypted with the key k _{n + 1} and from the next higher level (in 4a not shown) must be re-encrypted accordingly. The same applies to the transmission input of the bit slice 1200 to. Here a carry output bit of the next lower levels n-1 is obtained, this bit again by the re-encryption XOR gate 1206 must be encrypted.

If several bit slices are connected to one another, as in 4a is shown, a ripple carry adder generally results ( 4b ), which receives the two encrypted operands a ', b' and the re-encryption key for the individual bits t _i as input variables. The ripple carry adder, which in 4b a transmission input signal, which is set to 0 for a conventional ripple carry adder, which operates in the addition mode, is also received as an input signal.

Of course, instead of a 0, a 1 can also be created, as is explained for the carry select adder explained below. On the output side, the adder delivers from 4b the sum bits in encrypted form, namely s ₀ ', s ₁ ' to s _N '. In addition, the in 4b shown adder as an output signal a carry bit of the highest bit slice within the adder, if such is generated.

10

first adder

11

Umverschlüsselungseinrichtung

12

second adder

14

R-Box

16

C-Box

18

third adder

22-24

AND gate

25

OR gate

29-31

AND gate

32

OR gate

171-173

AND gate

179-180

OR gate

600

first adder

601

second adder

602

third adder

603

Propagate line

604

Carry output signal line

605

AND gate

606

Skip signal line

607

Carry output signal line for the second adder

608

OR gate

1200

Bit-slice for bit n

1202

Bit-slice for bit n + 1

1204

1-bit full adder

1206

Umverschlüsselungseinrichtung

Claims (11)

Carry-skip adder for adding a first operand (a) and a second operand (b), the first and the second operand being able to be represented by bits which start from a least significant bit have increasing order, with the following features: a first adder ( 10 ) for supplying sum bits for a first plurality of bits in ascending order, starting from the least significant bit, and for supplying a first carry signal (c ₄ ) for a most significant bit of the first plurality of bits; a second adding device ( 12 ) for supplying sum bits for a second plurality of bits in ascending order, starting from a next higher bit than the most significant bit of the first plurality of bits, for supplying a second carry signal of the most significant bit of the second plurality of bits and for supplying a propagate value (P) the second plurality of bits; a third adding device ( 18 ) for supplying sum bits for a third plurality of bits in ascending order, starting from a bit higher than the most significant bit of the second plurality of bits, for supplying a third carry signal of the most significant bit of the third plurality of bits, and for providing a propagate- Value of the third plurality of bits; a facility ( 14 ) for ANDing the first carry bit of the first adder ( 10 ) and the propagate value of the second adder ( 12 ) to obtain a skip signal (R), the first carry bit from the first adder ( 10 ) and the propagate value from the second adder ( 12 ) to the facility ( 14 ) can be transmitted encrypted for AND linking; a facility ( 16 ) for OR-linking the second carry signal with the skip signal to form a carry input signal for a carry input of the third adder ( 18 ), the second carry signal from the second adder ( 12 ) and the skip signal from the facility ( 14 ) for AND linking encrypted to the device ( 16 ) are transferable for OR linking. Carry-skip adder according to claim 1, in which the device ( 14 ) is arranged for AND linking, in order to generate an encrypted skip signal (R ') from the encrypted first carry signal (c') and the encrypted propagate signal (P '), the device for AND linking further comprising an encryption parameter for the first carry signal (c '), an encryption parameter for the propagate signal (P') and an encryption parameter for the encrypted skip signal (R '), wherein the device for AND linking is further arranged to receive the encrypted To calculate skip signal (R ') without generating plain text data. Carry-skip adder according to claim 1, in which the device ( 14 ) is arranged for OR linking in order to generate an encrypted carry input signal from the encrypted second carry signal (c ') and the encrypted skip signal, the device for OR linking furthermore an encryption parameter for the second carry signal, an encryption parameter for can receive the skip signal and an encryption parameter for the encrypted carry signal, wherein the device for OR-linking is further arranged to calculate the encrypted carry signal without generating plain text data. Carry-skip adder according to one of the preceding claims, in which encryption of the carry bit, the propagate value and the skip signal is based on an encryption algorithm and one or more encryption parameters, the device ( 14 ) is implemented for AND linking in order to implement a calculation rule using a plurality of mathematical operations, which is given as follows: R '= VA {⎣VA -1 (c ', i) VA -1 (P ', j) ⎦, k} where R 'is the encrypted skip signal, where c "is the encrypted carry signal, where P' is the encrypted propagate signal, where VA is the encryption algorithm, where VA ^{-1 is} the inverted encryption algorithm, where i is the encryption parameter for encrypting the Carry signal, where j is the encryption parameter for encrypting the propagate signal, and k is the encryption parameter for encrypting the skip signal. Carry-skip adder according to claim 4, in which the encryption algorithm has an XOR operation, and in which the device for AND operation is arranged to implement the following calculation rule: R '= [(c' ⊕ i) · (P '⊕ j)] ⊕ k. Carry-skip adder according to one of the preceding claims, in which encryption of the carry bit, the propagate value and the skip signal is based on an encryption algorithm and one or more encryption parameters, the facility ( 14 ) is implemented for AND linking in order to implement a calculation rule using a plurality of mathematical operations, which is given as follows: c '= VA {⎣VA -1 (R ', i) + VA -1 (Cs', j) ⎦, k} where R 'is the encrypted skip signal, where c' is the encrypted carry signal for the third adder, where (cs') is the carry output signal from the second adder, where (VA) is the encryption algorithm, where (VA ^-1 ) is inverted encryption algorithm, where (i) is the encryption parameter for encrypting the skip signal, where (j) is the encryption parameter for encrypting the carry output of the second adder, and (k) is the encryption parameter for encrypting the carry signal for the third adder. Carry-skip adder according to claim 6, in which the encryption algorithm has an XOR operation, and in which the device for AND operation is arranged to implement the following calculation rule: c '= [(c's ⊕ i) + (R'⊕j)] ⊕ k. Carry-skip adder according to Claim 5, in which the encryption parameters for the carry signal (c), the propagate signal (P) and the skip signal are the same, and in which the device ( 14 ) for AND linking has the following features: a first AND gate ( 23 ) for ANDing the encrypted propagate signal and the encryption parameter; a second AND gate ( 24 ) for ANDing the encryption parameter and the encrypted carry signal; a third AND gate ( 22 ) for ANDing the encrypted propagate signal and the encrypted carry signal; and an OR gate for combining a result of the first AND gate ( 23 ), a result of the second AND gate ( 24 ) and a result of the third AND gate ( 22 ) to receive the encrypted skip signal. Carry-skip adder according to Claim 7, in which the encryption parameters for the encrypted skip signal, for the encrypted second carry signal and for the carry input signal are the same, and in which the device ( 16 ) for OR-linking has the following features: a first AND gate ( 29 ) for ANDing the encrypted second carry signal, a first re-encryption key and an inverted encryption parameter; a second AND gate ( 30 ) for ANDing the skip signal, the inverted encryption parameter and a second re-encryption key; a third AND gate ( 31 ) for ANDing the skip signal, the first re-encryption key, the second re-encryption key and the encrypted second carry signal; and an OR gate ( 32 ) for linking a result of the first AND gate ( 29 ), a result of the second AND gate ( 30 ) and a result of the third AND gate ( 31 ) to receive the encrypted transmission input signal. Carry-skip adder according to one of the preceding claims, in which the first and the second operand (a, b) are encrypted, and in which the first, second and third adding device ( 10 . 12 . 18 ) comprises an adder for encrypted operands, which supplies encrypted output signals using mathematical sub-operations without generating intermediate results of the mathematical sub-operations in plain text. A carry-skip adder according to claim 10, wherein the first, second and third adding means ( 10 . 12 . 18 ) in bit slices ( 1200 . 1202 ), with each bit slice being assigned an encryption parameter (k _i ), each bit slice being a one-bit full adder ( 1204 ) for encrypted input signals, and wherein each bit slice has a re-encryption unit ( 1206 ) to re-encrypt a carry signal of a lower order bit slice using a re-encryption key for the current bit slice.