CN111966324A - Multi-elliptic curve scalar multiplier oriented implementation method, device and storage medium - Google Patents
Multi-elliptic curve scalar multiplier oriented implementation method, device and storage medium Download PDFInfo
- Publication number
- CN111966324A CN111966324A CN202010836415.8A CN202010836415A CN111966324A CN 111966324 A CN111966324 A CN 111966324A CN 202010836415 A CN202010836415 A CN 202010836415A CN 111966324 A CN111966324 A CN 111966324A
- Authority
- CN
- China
- Prior art keywords
- point
- calculation
- scalar
- curve
- secp256r1
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 238000004364 calculation method Methods 0.000 claims abstract description 97
- 230000009467 reduction Effects 0.000 claims description 14
- 125000004122 cyclic group Chemical group 0.000 claims description 6
- 238000012805 post-processing Methods 0.000 claims description 6
- 238000012795 verification Methods 0.000 claims description 4
- 238000000605 extraction Methods 0.000 claims description 3
- 230000009466 transformation Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 229910002056 binary alloy Inorganic materials 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- PXFBZOLANLWPMH-UHFFFAOYSA-N 16-Epiaffinine Natural products C1C(C2=CC=CC=C2N2)=C2C(=O)CC2C(=CC)CN(C)C1C2CO PXFBZOLANLWPMH-UHFFFAOYSA-N 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000011218 segmentation Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/38—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
- G06F7/48—Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
- G06F7/52—Multiplying; Dividing
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Computational Mathematics (AREA)
- Mathematical Analysis (AREA)
- Mathematical Optimization (AREA)
- Pure & Applied Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Complex Calculations (AREA)
Abstract
The invention provides a method, a device and a storage medium for realizing a scalar multiplier oriented to multiple elliptic curves, wherein the method can be compatible with two elliptic curves of secp256r1 and Curve25519 simultaneously, a fixed base point G is considered independently, different point addition control and point doubling control are called according to curves and algorithms, an operation unit is used for completing calculation results in the middle of corresponding operations and storing the calculation results in a register file, less hardware resources are occupied, corresponding algorithm operation is carried out according to different Curve forms and functional operation requirements, the area required by hardware is reduced, the operation speed is improved, and the problems that the scalar multiplier in the prior art cannot be compatible with multiple curves, the operation speed is low, and the universality of an algorithm for solving the problem that special conditions are not considered are solved.
Description
Technical Field
The invention relates to the field of cryptography, in particular to a multi-elliptic curve scalar multiplier oriented implementation method, a multi-elliptic curve scalar multiplier oriented implementation device and a storage medium.
Background
As the computing power of computer processors is continuously enhanced, the security of the conventional encryption algorithm is increasingly under scrutiny, and more complex encryption algorithms are required to ensure the security of data. The elliptic curve encryption algorithm is an active asymmetric encryption algorithm in recent years, various elliptic curves are used for data encryption in The latest Transport Layer Security Protocol Version 1.3 (The Transport Layer Security (TLS) Protocol Version 1.3), and The increasingly important position of elliptic curve encryption is highlighted in both quantity and actual use frequency.
The performance of scalar multiplication operation is an important index for measuring the encryption performance of the elliptic curve, and in order to obtain a faster encryption speed, the scalar multiplication operation needs to be completed as fast as possible. The main methods for scalar multiplication operation improvement in the prior art are divided into three categories: optimizing scalar multiplication algorithm, converting coordinate system and optimizing module operation algorithm.
The first type of optimized scalar multiplication algorithm is to change the operation process of scalar multiplication kG and reduce the total operation amount. Using an earlier algorithm with left-to-right and right-to-left, for a k value of n bits, n times of point addition and n/2 times of point addition need to be calculated, and the point addition and point addition of the left-to-right algorithm can be operated in parallel, but an additional modular operation unit is needed; the k can be relatively simply preprocessed, a Non-adjacent form-form (NAF) algorithm is realized, and the number of point addition is further reduced to n/3; m bits of segmentation processing can be carried out on k, a window NAF method is realized, 2m point operation results in a window are required to be calculated in a pre-calculation mode, and the pre-calculation amount is large; the Comb algorithm can be used for quickly completing scalar multiplication operation, but the required pre-calculation amount is huge; and a Shamir algorithm adapted for multiple scalar multiplication, which can complete the addition of two scalar multiplications in the time of one scalar multiplication; and a multi-base chain algorithm can be adopted, and triple points and quintuplet points are added to form a multi-base chain to accelerate scalar multiplication.
The second method, the coordinate system transformation algorithm, is to optimize the point addition and doubling operation in scalar multiplication. The original curve equation uses a binary coordinate system, the dot addition operation needs 1 time of modular inversion and 3 times of modular multiplication, the point multiplication operation needs 1 time of modular inversion and 4 times of modular multiplication, and the modular inversion operation consumes a large number of clock cycles. The modular inversion operation can be eliminated by changing the point addition and multiplication formula through the transformation of a coordinate system, for example, an affine coordinate system, and converting the coordinates (X, Y) into (X, Y, Z) according to the transformation formula X ═ X/Z, Y ═ Y/Z, the point addition operation requires 14 modular multiplications, and the multiplication operation requires 12 modular multiplications; the Jacobian coordinate system is commonly used, the conversion formula is X-X/Z2, Y-Y/Z3, 16 times of modular multiplication are needed to complete the point addition operation, and 10 times of modular multiplication are needed to complete the point multiplication operation. In addition, the transformation of a modified Jacobian coordinate system, a mixed coordinate system and the like is also carried out, the method is carried out once at the beginning, the modular inversion operation is eliminated in the process of calculating point addition and doubling points, the final calculation result is converted into binary coordinates, and the whole scalar multiplication only needs to use the modular inversion operation once.
The third kind of optimization method starts from basic modular operation, improves the speed of modular operation, and mainly comprises modular multiplication and modular inverse operation. The modular multiplication operation uses Montgomery modular multiplication algorithm, decomposes the multi-bit modular multiplication into 2 m-bit modular multiplication, and obtains the final modular multiplication result by utilizing the characteristic of binary system and carrying out repeated iterative operation. The theoretical formula of the modular inverse operation generally adopts the Fermat theorem, can also adopt a special modular inverse module to finish the modular inverse operation, can use the Montgomery modular inverse algorithm in cooperation with Montgomery modular multiplication, can finish the modular inverse operation without conversion, can also use a binary system right shift algorithm, calculates the modular inverse through multiple simple comparison and addition and subtraction, has low resource expenditure, independently designs the modular inverse operation mainly for releasing the modular multiplication unit, achieves the parallel purpose, and simultaneously reduces the calculation period number.
The prior art mainly has the following defects:
1. it is not possible to accommodate multiple types of curves. Most of the existing scalar multipliers are only suitable for a single elliptic curve, or a plurality of fields (such as prime number field and 2m field), or a plurality of similar curves, and can not support multi-class curves. For example, to complete hardware encryption of the TLS1.3 protocol, scalar multipliers of the two types of Weierstrass curve and Montgomery curve are required.
2. The operation speed is slow. Because the existing encryption is mostly used for the Internet of things equipment, the required area is small, and meanwhile, the modular multiplication of Montgomery modular multiplication and other modular multiplication methods is mostly divided into multiple times of short-bit-width multiplication iterative operation, the operation speed is reduced, and the operation speed cannot meet the use requirement of a server side.
3. The algorithm generality is over-taught. Ignoring special conditions which are easily encountered in practical use, the signature and the verification are two main functions of an elliptic curve, and for signature operation, scalar multiplication of a base point G is used, and the scalar multiplication is a point with a fixed value, and the special conditions are not considered separately in the algorithm of the prior art.
Disclosure of Invention
Based on the existing problems, the invention provides a method, a device and a storage medium for realizing a multi-elliptic curve scalar multiplier, which are used for solving the problems that the scalar multiplier in the prior art cannot be compatible with multiple curves, has low operation speed and does not consider special conditions in the process of teaching algorithm universality.
The embodiment of the invention discloses a multi-elliptic curve-oriented scalar multiplier implementation method, which is characterized by comprising the following steps:
pre-calculating 16 point coordinates of a base point G of the secp256r1 Curve, storing the coordinates into a Comb pre-stored point coordinate part of the register file, and storing a characteristic value P1 of the secp256r1 Curve, a characteristic value P2 of the Curve25519 Curve and five times of characteristic values 5P1 and 5P2 of the Curve into the register file;
calculating 2P 1-4P 2 or 2P 2-4P 2 by a modular arithmetic unit according to an elliptic curve form, and storing the coordinates of P points into a register file if the coordinates of the P points exist;
judging the form of the elliptic curve and the functional operation requirement;
if the elliptic curve is in the form of the secp256r1 and signature operation is required, calculating the scalar multiplication mu G of the base point G, performing cyclic iteration by combining the coordinate of the pre-calculated base point G of the secp256r1 curve, performing one-time doubling point and one-time point plus 1 operation in each iteration, and performing cyclic iteration for 64 times to complete the scalar multiplication operation;
if the elliptic curve is in the form of the secp256r1 and key exchange operation is required, calculating scalar multiplication lambda P of a general point P, performing doubling point and point addition operation, pre-calculating coordinates of two points, namely 2P and 3P, storing the coordinates into a Shamir pre-calculated point coordinate area of a register file, performing loop iteration by combining the 2P and 3P point coordinates of the general point P of the pre-calculated secp256r1 curve, performing operations of doubling the point twice and adding 1 point once for each iteration, and performing loop iteration for 128 times to complete scalar multiplication operation;
if the elliptic curve is in the form of the secp256r1 and the label checking operation is to be carried out, calculating multi-scalar multiplication lambda P + mu G of a base point G and a general point P, carrying out 5 times of pre-calculation of a multiplying point and a point addition operation cycle to obtain 13 pre-calculation point coordinates, storing the coordinates into a Shamir pre-calculation point coordinate area of a register file, combining 13 pre-calculation point coordinate loop iterations of the pre-calculated secp256r1 curve, carrying out twice times of multiplying point and one time of adding point Z operation in each iteration, and finishing the scalar multiplication operation 128 times of loop iteration;
if the elliptic Curve is in the form of Curve25519 and key exchange operation is required, calculating scalar times lambda P, performing step operation 255 times, performing cswap operation once before and after each step operation, and exchanging two groups of coordinate points according to the flag bit condition;
and performing data post-processing according to the obtained scalar multiplication result, restoring the ternary coordinate obtained by calculation to the binary coordinate, finishing scalar multiplication calculation and outputting a final result.
Further, the pre-calculating and pre-calculating 16 point coordinates of the secp256r1 curve base point G specifically includes:
precomputed 16 coordinate points {0000} G through {1111} G, where:
{0000} G calculation: (0X 2)192+0×2128+0×264+0×20)G;
{0001} G calculation: (0X 2)192+0×2128+0×264+1×20)G;
{0010} G calculates: (0X 2)192+0×2128+1×264+0×20)G;
{0011} G calculates: (0X 2)192+0×2128+1×264+1×20)G;
{0100} G calculates: (0X 2)192+1×2128+0×264+0×20)G;
{0101} G calculation: (0X 2)192+1×2128+0×264+1×20)G;
{0110} G calculation: (0X 2)192+1×2128+1×264+0×20)G;
{0111} G calculation: (0X 2)192+1×2128+1×264+1×20)G;
{1000} G calculates: (1X 2)192+0×2128+0×264+0×20)G;
{1001} G calculates: (1X 2)192+0×2128+0×264+1×20)G;
{1010} G calculates: (1X 2)192+0×2128+1×264+0×20)G;
{1011} G calculates: (1X 2)192+0×2128+1×264+1×20)G;
{1100} G calculates: (1X 2)192+1×2128+0×264+0×20)G;
{1101} G calculates: (1X 2)192+1×2128+0×264+1×20)G;
{1110} G calculates: (1X 2)192+1×2128+1×264+0×20)G;
{1111} G calculates: (1X 2)192+1×2128+1×264+1×20)G。
Further, the storing the eigenvalue P1 of the secp256r1 Curve, the eigenvalue P2 of the Curve25519 Curve, and the five-fold eigenvalues 5P1 and 5P2 into the register file together comprises: the characteristic values P1 and P2 are fixed parameter values of a secp256r1 Curve and a Curve25519 Curve respectively, and P1 is 2224(232-1)+2192+296-1,P2=2255–19。
Further, if the elliptic curve is in the form of the secp256r1 and a signature operation is to be performed, calculating a scalar multiplication μ G of the base point G, and performing a doubling point and a point plus 1 operation for each iteration in combination with a coordinate loop iteration of the base point G of the pre-calculated secp256r1 curve, where the loop iteration completes the scalar multiplication operation 64 times, specifically:
inputting 256-bit binary number mu ═ mu255μ254μ253…μ1μ0And a base point G of the elliptic curve secp256r 1;
calculating the scalar product Q ═ μ G;
constructing a pre-calculation table of a comb algorithm: precomputed {0000} G to {1111} G, 16 precomputed coordinate points;
extraction of comb algorithm coding coefficient alphai={μi+192,μi+128,μi+64,μi};
Assigning an initial value Q as 0, which is an infinite point;
making i equal to 63-0, and circularly performing the following calculation;
Q=2Q;
Q=Q+αiG;
regarding the selection of the G coordinate point, the following method is employed: in the ith loop calculation, selecting the 192+ i, 128+ i, 64+ i, i four-digit numerical values of mu in mu G to form a four-digit binary number, and constructing a pre-calculation table by a comb algorithm: comparing {0000} to {1111} of {0000} G to {1111} G16 pre-calculation coordinate points, and if the comparison result is the same, selecting the pre-calculation coordinate points to participate in point addition operation;
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
Further, if the elliptic curve is in the form of secp256r1 and the label checking operation is to be performed, then the multi-scalar product λ P + μ G of the base point G and the general point P is calculated, specifically:
inputting 256-bit binary number lambda ═ lambda255λ254λ253…λ1λ0},μ={μ255μ254μ253…μ1μ0H, and an arbitrary point P and a base point G on the elliptic curve secp256r 1;
calculating a scalar product Q ═ λ P + μ G;
constructing pre-calculation tables (00) P + (00) G to (11) P + (11) G, and 16 point coordinates in total, wherein (00) P + (00) G, (01) P + (00) G, (00) P + (01) G do not need calculation;
let Q be 0, an infinity point;
and (3) making i be 127-0, and circularly performing the following calculation:
Q=4Q;
Q=Q+{(λ2i+1λ2i)P+(μ2i+1μ2i)G};
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
Further, if the elliptic curve is in the form of secp256r1 and a key exchange operation is to be performed, then the scalar product λ P of the general point P is calculated, specifically:
inputting 256-bit binary number lambda ═ lambda255λ254λ253…λ1λ0And an arbitrary point P on the elliptic curve secp256r 1;
calculating scalar product Q as lambda P;
constructing pre-calculation tables (00) P to (11) P, and 16 point coordinates in total, wherein (00) P does not need to be calculated;
let Q be 0, an infinity point;
and (3) making i be 127-0, and circularly performing the following calculation:
Q=4Q;
Q=Q+{(λ2i+1λ2i)P};
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
Further, if the elliptic Curve is in the form of Curve25519 and a key exchange operation is to be performed, a scalar times λ P is calculated, a step operation is performed 255 times, cswap operation is performed before and after each step operation, and two sets of coordinate points are exchanged according to a flag bit condition, specifically:
inputting 255 bit binary number k ═ (k)255k254……k0) Point coordinate P1=(x1,y1) Abscissa x of1;
Calculating scalar multiplication result kP1=(x2,y2) Abscissa x of2;
Let X1=x1;X2=x1;Z2=0;X3=x1;Z31 is ═ 1; the flag swap is equal to 0;
and (4) making i equal to 254-0, and circularly performing the following calculation:
swap=swap^k[i];
(X2,X3)=cswap(swap,X2,X3);
(Z2,Z3)=cswap(swap,Z2,Z3);
swap=k[i];
calculating by adopting a step algorithm: (X)2,Z2,X3,Z3)=Ladder step(X1,X2,Z2,X3,Z3);
(X2,X3)=cswap(swap,X2,X3);
(Z2,Z3)=cswap(swap,Z2,Z3);
Until i is equal to 0, ending the calculation and outputting X2=X2/Z2;
The cswap operation is performed before and after each step operation, and two groups of coordinate points are exchanged according to the swap flag bit condition, specifically: when the swap flag bit is 1, exchanging two groups of coordinate points; and when the swap flag bit is 0, no swap is performed.
Further, the post-processing of data is performed according to the obtained scalar multiplication result, the ternary coordinate obtained by calculation is restored to the binary coordinate, the scalar multiplication calculation is completed, and the final result is output, specifically:
the method for converting the ternary coordinates (X, Y, Z) into the common binary coordinates (X, Y) is as follows: x is X/Z2,y=Y/Z3。
The embodiment of the invention also provides an implementation device for the multi-elliptic curve scalar multiplier, which comprises:
the system comprises an algorithm controller, a register file and an arithmetic unit, wherein the arithmetic unit is a 256-bit scalar multiplier;
the algorithm controller and the arithmetic unit carry out data operation exchange;
the register file and the arithmetic unit carry out data operation exchange.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, where the one or more programs are executable by one or more processors to implement a method for implementing a multi-elliptic curve scalar multiplier according to any one of the preceding claims 1 to 8.
Compared with the prior art, the implementation method, the implementation device and the storage medium for the multi-elliptic curve scalar multiplier, provided by the invention, at least realize the following beneficial effects: the invention provides a realization method, a device and a storage medium for a multi-elliptic Curve scalar multiplier, wherein the method can be compatible with two elliptic curves of secp256r1 and Curve25519 at the same time, and solves the problem that most scalar multipliers in the prior art are only suitable for a single elliptic Curve, or a plurality of domains (such as prime number domain and 2m domain), or a plurality of similar curves, and can not be compatible with a plurality of elliptic curves; the method separately considers the fixed base point G, and solves the technical problems that the existing scalar multiplier implementation method is easy to ignore the special conditions when in actual use, the signature and the signature verification are two main functions of an elliptic curve, the signature operation uses scalar multiplication of the base point G and is a fixed base point, and the special conditions are not separately considered in the algorithm of the prior art; the method calls different point addition control and multiple point control according to curves and algorithms, uses the operation units to complete all scalar multiplication and modular operation units to complete the intermediate calculation results of corresponding operations, and stores the intermediate calculation results in the register file, occupies less hardware resources, and performs corresponding algorithm operation according to different curve forms and functional operation requirements, thereby reducing the required hardware area and improving the operation speed, and solving the technical problems that the required hardware area is smaller in the application scene of encrypting the Internet of things equipment in the prior art, and meanwhile, the Montgomery modular multiplication algorithm is mostly adopted in the existing scalar multiplication algorithm, the modular multiplication can be divided into multiple times of short-bit-width multiplication iterative operation, so that the operation speed is reduced, and the operation speed can not meet the requirement of using the server.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a flowchart of an implementation method for a multi-elliptic curve scalar multiplier according to an embodiment of the present invention;
fig. 2 is a structural diagram of an implementation apparatus for a multi-elliptic curve scalar multiplier according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, specific embodiments of an implementation method, an implementation device and a storage medium for a multi-elliptic curve scalar multiplier according to embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described below are only for illustrating and explaining the present invention and are not to be used for limiting the present invention. And the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
To more clearly explain the technical scheme of the scheme, the following explanation is made:
the ellipses in TLS1.3 are of two types, one is the Weierstrass curve, and the curve equation is satisfied: y is2=x3+ ax + b. TLS1.3 selects three curves secp256r1, secp384r1 and secp521r1 proposed by the National Institute of Standards and Technology (NIST), which belong to the Weierstrass curve. Yet another type of elliptic curve is the Montgomery curve, whose equation is: y is2=x3+Ax2+x
The Curve25519 Curve belongs to the Montgomery Curve and was adopted by TLS1.3 by Bernstein in 2005.
The arithmetic data bit number of the secp256r1 curve is 256 bits; the number of operation data bits of the Curve25519 Curve is 255 bits.
The embodiment of the invention discloses a multi-elliptic curve-oriented scalar multiplier implementation method, which is characterized by comprising the following steps:
pre-calculating 16 point coordinates of a base point G of the secp256r1 Curve, storing the coordinates into a Comb pre-stored point coordinate part of the register file, and storing a characteristic value P1 of the secp256r1 Curve, a characteristic value P2 of the Curve25519 Curve and five times of characteristic values 5P1 and 5P2 of the Curve into the register file;
calculating 2P 1-4P 2 or 2P 2-4P 2 by a modular arithmetic unit according to an elliptic curve form, and storing the coordinates of P points into a register file if the coordinates of the P points exist;
judging the form of the elliptic curve and the functional operation requirement;
if the elliptic curve is in the form of the secp256r1 and signature operation is required, calculating the scalar multiplication mu G of the base point G, performing cyclic iteration by combining the coordinate of the pre-calculated base point G of the secp256r1 curve, performing one-time doubling point and one-time point plus 1 operation in each iteration, and performing cyclic iteration for 64 times to complete the scalar multiplication operation;
if the elliptic curve is in the form of the secp256r1 and key exchange operation is required, calculating scalar multiplication lambda P of a general point P, performing doubling point and point addition operation, pre-calculating coordinates of two points, namely 2P and 3P, storing the coordinates into a Shamir pre-calculated point coordinate area of a register file, performing loop iteration by combining the 2P and 3P point coordinates of the general point P of the pre-calculated secp256r1 curve, performing operations of doubling the point twice and adding 1 point once for each iteration, and performing loop iteration for 128 times to complete scalar multiplication operation;
if the elliptic curve is in the form of the secp256r1 and the label checking operation is to be carried out, calculating multi-scalar multiplication lambda P + mu G of a base point G and a general point P, carrying out 5 times of pre-calculation of a multiplying point and a point addition operation cycle to obtain 13 pre-calculation point coordinates, storing the coordinates into a Shamir pre-calculation point coordinate area of a register file, combining 13 pre-calculation point coordinate loop iterations of the pre-calculated secp256r1 curve, carrying out twice times of multiplying point and one time of adding point Z operation in each iteration, and finishing the scalar multiplication operation 128 times of loop iteration;
if the elliptic Curve is in the form of Curve25519 and key exchange operation is required, calculating scalar times lambda P, performing step operation 255 times, performing cswap operation once before and after each step operation, and exchanging two groups of coordinate points according to the flag bit condition;
and performing data post-processing according to the obtained scalar multiplication result, restoring the ternary coordinate obtained by calculation to the binary coordinate, finishing scalar multiplication calculation and outputting a final result.
Preferably, the pre-calculated and pre-calculated 16 point coordinates of the secp256r1 curve base point G are specifically:
precomputed 16 coordinate points {0000} G through {1111} G, where:
{0000} G calculation: (0X 2)192+0×2128+0×264+0×20)G;
{0001} G calculation: (0X 2)192+0×2128+0×264+1×20)G;
{0010} G calculates: (0X 2)192+0×2128+1×264+0×20)G;
{0011} G calculates: (0X 2)192+0×2128+1×264+1×20)G;
{0100} G calculates: (0X 2)192+1×2128+0×264+0×20)G;
{0101} G calculation: (0X 2)192+1×2128+0×264+1×20)G;
{0110} G calculation: (0X 2)192+1×2128+1×264+0×20)G;
{0111} G calculation: (0X 2)192+1×2128+1×264+1×20)G;
{1000} G calculates: (1X 2)192+0×2128+0×264+0×20)G;
{1001} G calculates: (1X 2)192+0×2128+0×264+1×20)G;
{1010} G calculates: (1X 2)192+0×2128+1×264+0×20)G;
{1011} G calculates: (1X 2)192+0×2128+1×264+1×20)G;
{1100} G calculates: (1X 2)192+1×2128+0×264+0×20)G;
{1101} G calculates: (1X 2)192+1×2128+0×264+1×20)G;
{1110} G calculates: (1X 2)192+1×2128+1×264+0×20)G;
{1111} G calculates: (1X 2)192+1×2128+1×264+1×20)G。
Preferably, the step of storing the eigenvalue P1 of the secp256r1 Curve, the eigenvalue P2 of the Curve25519 Curve, and the five-fold eigenvalues 5P1 and 5P2 into the register file comprises: the characteristic values P1 and P2 are fixed parameter values of a secp256r1 Curve and a Curve25519 Curve respectively, and P1 is 2224(232-1)+2192+296-1,P2=2255–19。
Preferably, if the elliptic curve is in the form of the secp256r1 and a signature operation is to be performed, a scalar multiplication μ G of the base point G is calculated, and in combination with a coordinate loop iteration of the base point G of the pre-calculated secp256r1 curve, a doubling point and a point plus 1 operation are performed for each iteration, and the loop iteration completes the scalar multiplication operation 64 times, specifically:
inputting 256-bit binary number mu ═ mu255μ254μ253…μ1μ0And a base point G of the elliptic curve secp256r 1;
calculating the scalar product Q ═ μ G;
constructing a pre-calculation table of a comb algorithm: precomputed {0000} G to {1111} G, 16 precomputed coordinate points;
extraction of comb algorithm coding coefficient alphai={μi+192,μi+128,μi+64,μi};
Assigning an initial value Q as 0, which is an infinite point;
making i equal to 63-0, and circularly performing the following calculation;
Q=2Q;
Q=Q+αiG;
regarding the selection of the G coordinate point, the following method is employed: in the ith loop calculation, selecting the 192+ i, 128+ i, 64+ i, i four-digit numerical values of mu in mu G to form a four-digit binary number, and constructing a pre-calculation table by a comb algorithm: comparing {0000} to {1111} of {0000} G to {1111} G16 pre-calculation coordinate points, and if the comparison result is the same, selecting the pre-calculation coordinate points to participate in point addition operation;
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
Preferably, if the elliptic curve is in the form of secp256r1 and the label checking operation is to be performed, then the multi-scalar product λ P + μ G of the base point G and the general point P is calculated, specifically:
inputting 256-bit binary number lambda ═ lambda255λ254λ253…λ1λ0},μ={μ255μ254μ253…μ1μ0H, and an arbitrary point P and a base point G on the elliptic curve secp256r 1;
calculating a scalar product Q ═ λ P + μ G;
constructing pre-calculation tables (00) P + (00) G to (11) P + (11) G, and 16 point coordinates in total, wherein (00) P + (00) G, (01) P + (00) G, (00) P + (01) G do not need calculation;
let Q be 0, an infinity point;
and (3) making i be 127-0, and circularly performing the following calculation:
Q=4Q;
Q=Q+{(λ2i+1λ2i)P+(μ2i+1μ2i)G};
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
Preferably, if the elliptic curve is in the form of secp256r1 and a key exchange operation is to be performed, then the scalar product λ P of the general point P is calculated, specifically:
inputting 256-bit binary number lambda ═ lambda255λ254λ253…λ1λ0And an arbitrary point P on the elliptic curve secp256r 1;
calculating scalar product Q as lambda P;
constructing pre-calculation tables (00) P to (11) P, and 16 point coordinates in total, wherein (00) P does not need to be calculated;
let Q be 0, an infinity point;
and (3) making i be 127-0, and circularly performing the following calculation:
Q=4Q;
Q=Q+{(λ2i+1λ2i)P};
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
Preferably, if the elliptic Curve is in the form of Curve25519 and a key exchange operation is to be performed, the scalar is multiplied by λ P, a step operation is performed 255 times, cswap operation is performed once before and after each step operation, and two groups of coordinate points are exchanged according to the flag bit condition, specifically:
inputting 255 bit binary number k ═ (k)255k254……k0) Point coordinate P1=(x1,y1) Abscissa x of1;
Calculating scalar multiplication result kP1=(x2,y2) Abscissa x of2;
Let X1=x1;X2=x1;Z2=0;X3=x1;Z31 is ═ 1; the flag swap is equal to 0;
and (4) making i equal to 254-0, and circularly performing the following calculation:
swap=swap^k[i];
(X2,X3)=cswap(swap,X2,X3);
(Z2,Z3)=cswap(swap,Z2,Z3);
swap=k[i];
calculating by adopting a step algorithm: (X)2,Z2,X3,Z3)=Ladder step(X1,X2,Z2,X3,Z3);
(X2,X3)=cswap(swap,X2,X3);
(Z2,Z3)=cswap(swap,Z2,Z3);
Until i is equal to 0, ending the calculation and outputting X2=X2/Z2;
The cswap operation is performed before and after each step operation, and two groups of coordinate points are exchanged according to the swap flag bit condition, specifically: when the swap flag bit is 1, exchanging two groups of coordinate points; and when the swap flag bit is 0, no swap is performed.
Preferably, the post-processing of data is performed according to the obtained scalar multiplication result, the ternary coordinate obtained by calculation is restored to the binary coordinate, the scalar multiplication calculation is completed, and the final result is output, specifically:
the method for converting the ternary coordinates (X, Y, Z) into the common binary coordinates (X, Y) is as follows: x is X/Z2,y=Y/Z3。
Preferably, the doubling point operation is specifically:
solving for ternary coordinates (X)3,Y3,Z3)=2(X1,Y1,Z1) (ii) a Presetting an intermediate variable t1,t2,t3,t4,t5And assigning an initial value of null;
step 1, performing modular multiplication operation Z1·Z1And storing the operation result in the intermediate variable t1Performing the following steps;
step 2, carrying out modular multiplication operation Y1·Y1And storing the operation result in the intermediate variable t2In, the modulo addition operation X is carried out simultaneously1+t1And storing the operation result in the intermediate variable t3In, calculating the modulo reduction operation X1-t1And storing the operation result in the intermediate variable t4Performing the following steps;
step 3, the intermediate variable t in the step 2 is compared3And t4Performing a modular multiplication operation t3·t4And updating the operation result to the intermediate variable t1Performing the following steps;
step 4, carrying out modular multiplication operation Y1·Z1And updating the operation result to the intermediate variable t3In (1), calculating an intermediate variable t28 times value of 8t2And updating the operation result to the intermediate variable t4Performing the following steps;
step 5, performing modular multiplication operation X1 t4And storing the operation result in an intermediate variable t5In (1), calculating an intermediate variable t13 times value of 3t1And updating the operation result to the intermediate variable t1Performing the following steps;
step 6, the intermediate variable t obtained in the step 5 is subjected to1Performing a modular multiplication operation t1·t1And updating the operation result to the intermediate variable t3Then proceed to the updated intermediate variable t3Performing modulo addition and subtraction operation t3+t3And storing the operation result in Z3Performing the following steps;
step 7, the intermediate variable t obtained in the step 2 is subjected to2And obtaining the intermediate variable t in step 44Performing a modular multiplication operation t2·t4And updating the operation result to the intermediate variable t2In, the modulo reduction operation t is carried out simultaneously3-t5And storing the operation result in X3Performing the following steps; performing modulo reduction operation for 1.5t5-t3And updating the operation result to the intermediate variable t4Performing the following steps;
step 8, the intermediate variable t obtained in the step 5 is subjected to1And for the intermediate variable t obtained in step 74Performing modular multiplication operation and updating the operation result to the intermediate variable t1Performing the following steps;
step 9. for the intermediate variable t obtained in step 81And for the intermediate variable t obtained in step 72Performing a modulo reduction operation t1-t2And storing the operation result in Y3In (1).
Preferably, the dot plus 1 operation specifically includes:
solving for ternary coordinates (X)3,Y3,Z3)=(X1,Y1,Z1)+(X2,Y21); presetting an intermediate variable t1,t2,t3,t4And assigning an initial value of null;
step 1, carrying out modular multiplication operation Z1. Z1And updating the operation result inInterval variable t1Performing the following steps;
step 2, carrying out modular multiplication operation Y2·Z1And updating the operation result to the intermediate variable t2Performing the following steps;
step 3, updating the intermediate variable t obtained in the step 11And X2Performing a modular multiplication operation t1·X2And updating the operation result to the intermediate variable t3Performing the following steps;
step 4, updating the intermediate variable t obtained in the step 11And updating the obtained intermediate variable t in step 12Performing a modular multiplication operation t1·t2And updating the operation result to the intermediate variable t1Performing the following steps; t obtained by updating in step 33And X1Performing a modulo reduction operation t3-X1And updating the operation result to the intermediate variable t2Performing the following steps; t obtained by updating in step 33And X1Performing a modulo addition operation t3+X1And updating the operation result to the intermediate variable t3Performing the following steps;
step 5, updating the intermediate variable t obtained in the step 22Performing a modular multiplication operation t2·t2And updating the operation result to the intermediate variable t4Performing the following steps; for the intermediate variable t obtained by updating in step 41And Y1Performing a modulo reduction operation t1-Y1And updating the operation result to the intermediate variable t1Performing the following steps;
step 6, updating the intermediate variable t obtained in the step 22And Z1Performing modular multiplication operation and storing the operation result in Z3Performing the following steps;
step 7, updating the intermediate variable t obtained in the step 22And updating the obtained intermediate variable t in step 54Performing a modular multiplication operation t2 t4And updating the operation result to the intermediate variable t2Performing the following steps;
step 8, updating the intermediate variable t obtained in the step 23And updating the obtained intermediate variable t in step 54Performing a modular multiplication operation t 3t4And updating the operation result to the intermediate variable t3Performing the following steps;
step 9, updating the intermediate variable t obtained in the step 51Performing a modular multiplication operation t1 t1And updating the operation result to the intermediate variable t5Performing the following steps;
step 10, updating the intermediate variable t obtained in the step 54And X1Performing a modular multiplication operation t4 t1And updating the operation result to the intermediate variable t4Performing the following steps; for the intermediate variable t obtained by updating in step 83And updating the obtained intermediate variable t in step 95Performing a modulo reduction operation t5-t3And storing the operation result in X3Performing the following steps;
step 11, updating the intermediate variable t obtained in the step 72And Y1Performing modular multiplication operation Y1·t2And updating the operation result to the intermediate variable t2Performing the following steps; for the intermediate variable t obtained by updating in step 104And X3Performing a modular subtraction operation and updating the operation result to an intermediate variable t3Performing the following steps;
step 12, updating the intermediate variable t obtained in the step 51And the intermediate variable t obtained by updating in step 113Performing a modular multiplication operation t3·t1And updating the operation result to the intermediate variable t1Performing the following steps;
step 13, updating the intermediate variable t obtained in the step 121And updating the obtained intermediate variable t in step 112Performing modulo reduction operation and storing the operation result in Y3In (1).
Preferably, the point-plus-Z operation specifically comprises:
solving for ternary coordinates (X)3,Y3,Z3)=(X1,Y1,Z1)+(X2,Y2,Z2) (ii) a Presetting an intermediate variable t1,t2,t3,t4,t5,t6And assigning an initial value of null;
step 1, performing modular multiplication operation Z1·Z1And updating the operation result to the intermediate variable t1Performing the following steps;
step 2, performing modular multiplication operationZ2·Z1And updating the operation result to the intermediate variable t2Performing the following steps;
step 3, updating the intermediate variable t obtained in the step 11And X2Performing a modular multiplication operation t1·X2And updating the operation result to X3Performing the following steps;
step 4, updating the intermediate variable t obtained in the step 22And X1Performing a modular multiplication operation t2·X1And updating the operation result to the intermediate variable t3Performing the following steps;
step 5, updating the intermediate variable t obtained in the step 11And Z1Performing a modular multiplication operation t1·Z1And updating the operation result to the intermediate variable t1Performing the following steps; for X obtained by updating in step 33And the intermediate variable t obtained by updating in the step 43Performing a modulo addition operation t3+X3And updating the operation result to the intermediate variable t6Performing the following steps; for X obtained by updating in step 33And the intermediate variable t obtained by updating in the step 43Performing a modulo reduction operation X3-t3And updating the operation result to the intermediate variable t4Performing the following steps;
step 6, updating the intermediate variable t obtained in the step 54Performing a modular multiplication operation t4 t4And updating the operation result to the intermediate variable t5Performing the following steps;
step 7, updating the intermediate variable t obtained in the step 22And Z2Performing a modular multiplication operation t2·Z2And updating the operation result to the intermediate variable t2Performing the following steps;
step 8, updating the intermediate variable t obtained in the step 51And Y2Performing a modular multiplication operation t1·Y2And updating the operation result to the intermediate variable t1Performing the following steps;
step 9, updating the intermediate variable t obtained in the step 72And Y1Performing a modular multiplication operation t2·Y1And updating the operation result to the intermediate variable t2Performing the following steps;
step 10, updating and obtaining in step 5Intermediate variable t of6And updating the obtained intermediate variable t in step 65Performing a modular multiplication operation t5·t6And storing the operation result in Y3Performing the following steps;
step 11, updating the intermediate variable t obtained in the step 54And updating the obtained intermediate variable t in step 65Performing a modular multiplication operation t4·t5And updating the operation result to the intermediate variable t6Performing the following steps; for the intermediate variable t obtained by updating in step 81And updating the obtained intermediate variable t in step 92Performing a modulo reduction operation t1-t2And updating the operation result to the intermediate variable t3Performing the following steps; for the intermediate variable t obtained by updating in step 81And updating the obtained intermediate variable t in step 92Performing a modulo addition operation t1+t2And updating the operation result to the intermediate variable t2Performing the following steps;
step 12, updating the intermediate variable t obtained in the step 113Performing a modular multiplication operation t3·t3And updating the operation result to the intermediate variable t1Performing the following steps;
step 13, updating the intermediate variable t obtained in the step 112And an intermediate variable t6Step by step, carry out the modular multiplication operation t2·t6And updating the operation result to the intermediate variable t5Performing the following steps; for the intermediate variable t obtained by updating in step 121And Y3Performing a modulo reduction operation and storing the result in X3Performing the following steps;
step 14, for Z1And Z2Performing a modular multiplication operation Z1·Z2And store the result in Z3Performing the following steps; for Y3And 2X in step 133Performing a modulo reduction operation Y3-2X3And updating the operation result to the intermediate variable t6Performing the following steps;
step 15, updating the intermediate variable t obtained in the step 113And the intermediate variable t obtained by updating in step 146Performing a modular multiplication operation t 3t6And updating the result into Y3Performing the following steps;
step 16, updating and obtaining in step 14Z of (A)3And the intermediate variable t obtained by updating in the step 54Performing modular multiplication operation Z3 t4(ii) a For Y obtained by updating in step 153And the intermediate variable t obtained by updating in step 135Performing a modulo reduction operation Y3-t5And updating the result into Y3Performing the following steps;
step 17, updating the Y obtained in the step 163Performing modulo addition operation of 0.5. Y3And updating the result into Y3In (1).
The embodiment of the invention also provides an implementation device for the multi-elliptic curve scalar multiplier, which comprises:
the system comprises an algorithm controller, a register file and an arithmetic unit, wherein the arithmetic unit is a 256-bit scalar multiplier;
the algorithm controller and the arithmetic unit carry out data operation exchange;
the register file and the arithmetic unit carry out data operation exchange.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, where the one or more programs are executable by one or more processors to implement a method for implementing a multi-elliptic curve scalar multiplier according to any one of the preceding claims 1 to 8.
The invention provides a method, a device and a storage medium for realizing a multi-elliptic curve scalar multiplier, which at least realize the following beneficial effects: the technical scheme of the invention can be compatible with two elliptic curves of secp256r1 and Curve25519 at the same time, and solves the problem that most of scalar multipliers in the prior art are only suitable for a single elliptic Curve, or a plurality of fields (such as prime number field and 2m field), or a plurality of similar curves, and can not be compatible with a plurality of elliptic curves; the method separately considers the fixed base point G, and solves the technical problems that the existing scalar multiplier implementation method is easy to ignore the special conditions when in actual use, the signature and the signature verification are two main functions of an elliptic curve, the signature operation uses scalar multiplication of the base point G and is a fixed base point, and the special conditions are not separately considered in the algorithm of the prior art; the method calls different point addition control and multiple point control according to curves and algorithms, uses the operation units to complete all scalar multiplication and modular operation units to complete the intermediate calculation results of corresponding operations, and stores the intermediate calculation results in the register file, occupies less hardware resources, and performs corresponding algorithm operation according to different curve forms and functional operation requirements, thereby reducing the required hardware area and improving the operation speed, and solving the technical problems that the required hardware area is smaller in the application scene of encrypting the Internet of things equipment in the prior art, and meanwhile, the Montgomery modular multiplication algorithm is mostly adopted in the existing scalar multiplication algorithm, the modular multiplication can be divided into multiple times of short-bit-width multiplication iterative operation, so that the operation speed is reduced, and the operation speed can not meet the requirement of using the server.
Through the above description of the embodiments, those skilled in the art will clearly understand that the embodiments of the present invention may be implemented by hardware, or by a combination of software and a necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods according to the embodiments of the present invention.
Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention.
Those skilled in the art will appreciate that the modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, and may be correspondingly changed in one or more devices different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (10)
1. A multi-elliptic curve-oriented scalar multiplier implementation method is characterized by comprising the following steps:
pre-calculating 16 point coordinates of a base point G of the secp256r1 Curve, storing the coordinates into a Comb pre-stored point coordinate part of the register file, and storing a characteristic value P1 of the secp256r1 Curve, a characteristic value P2 of the Curve25519 Curve and five times of characteristic values 5P1 and 5P2 of the Curve into the register file;
judging the form of the elliptic curve and the functional operation requirement;
if the elliptic curve is in the form of the secp256r1 and signature operation is required, calculating the scalar multiplication mu G of the base point G, performing cyclic iteration by combining the coordinate of the pre-calculated base point G of the secp256r1 curve, performing one-time doubling point and one-time point plus 1 operation in each iteration, and performing cyclic iteration for 64 times to complete the scalar multiplication operation;
if the elliptic curve is in the form of the secp256r1 and key exchange operation is required, calculating scalar multiplication lambda P of a general point P, performing doubling point and point addition operation, pre-calculating coordinates of two points, namely 2P and 3P, storing the coordinates into a Shamir pre-calculated point coordinate area of a register file, performing loop iteration by combining the 2P and 3P point coordinates of the general point P of the pre-calculated secp256r1 curve, performing operations of doubling the point twice and adding 1 point once for each iteration, and performing loop iteration for 128 times to complete scalar multiplication operation;
if the elliptic curve is in the form of the secp256r1 and the label checking operation is to be carried out, calculating multi-scalar multiplication lambda P + mu G of a base point G and a general point P, carrying out 5 times of pre-calculation of a multiplying point and a point addition operation cycle to obtain 13 pre-calculation point coordinates, storing the coordinates into a Shamir pre-calculation point coordinate area of a register file, combining 13 pre-calculation point coordinate loop iterations of the pre-calculated secp256r1 curve, carrying out twice times of multiplying point and one time of adding point Z operation in each iteration, and finishing the scalar multiplication operation 128 times of loop iteration;
if the elliptic Curve is in the form of Curve25519 and key exchange operation is required, calculating scalar times lambda P, performing step operation 255 times, performing cswap operation once before and after each step operation, and exchanging two groups of coordinate points according to the flag bit condition;
and performing data post-processing according to the obtained scalar multiplication result, restoring the ternary coordinate obtained by calculation to the binary coordinate, finishing scalar multiplication calculation and outputting a final result.
2. The method according to claim 1, wherein the pre-calculating of the 16 point coordinates of the base point G of the pre-calculated secp256r1 curve is:
precomputed 16 coordinate points {0000} G through {1111} G, where:
{0000} G calculation: (0X 2)192+0×2128+0×264+0×20)G;
{0001} G calculation: (0X 2)192+0×2128+0×264+1×20)G;
{0010} G calculates: (0X 2)192+0×2128+1×264+0×20)G;
{0011} G calculates: (0X 2)192+0×2128+1×264+1×20)G;
{0100} G calculates: (0X 2)192+1×2128+0×264+0×20)G;
{0101} G calculation: (0X 2)192+1×2128+0×264+1×20)G;
{0110} G calculation: (0X 2)192+1×2128+1×264+0×20)G;
{0111} G calculation: (0X 2)192+1×2128+1×264+1×20)G;
{1000} G calculates: (1X 2)192+0×2128+0×264+0×20)G;
{1001} G calculates: (1X 2)192+0×2128+0×264+1×20)G;
{1010} G calculates: (1X 2)192+0×2128+1×264+0×20)G;
{1011} G calculates: (1X 2)192+0×2128+1×264+1×20)G;
{1100} G calculates: (1X 2)192+1×2128+0×264+0×20)G;
{1101} G calculates: (1X 2)192+1×2128+0×264+1×20)G;
{1110} G calculates: (1X 2)192+1×2128+1×264+0×20)G;
{1111} G calculates: (1X 2)192+1×2128+1×264+1×20)G。
3. The method as claimed in claim 1, wherein said storing together in the register file the eigenvalue P1 of the secp256r1 Curve, the eigenvalue P2 of the Curve25519 Curve, and its five-fold eigenvalues 5P1 and 5P2 comprises: the characteristic values P1 and P2 are fixed parameter values of a secp256r1 Curve and a Curve25519 Curve respectively, and P1 is 2224(232-1)+2192+296-1,P2=2255–19。
4. The method according to claim 2, wherein if the elliptic curve is in the form of a secp256r1 and a signature operation is to be performed, then calculating a scalar multiplication μ G of the base point G, and in combination with a circular iteration of coordinates of the base point G of a pre-calculated secp256r1 curve, performing a doubling point and a point plus 1 operation for each iteration, and performing the scalar multiplication operation 64 times in the circular iteration:
inputting 256-bit binary number mu ═ mu255μ254μ253…μ1μ0And a base point G of the elliptic curve secp256r 1;
calculating the scalar product Q ═ μ G;
constructing a pre-calculation table of a comb algorithm: precomputed {0000} G to {1111} G, 16 precomputed coordinate points;
extraction of comb algorithm coding coefficient alphai={μi+192,μi+128,μi+64,μi};
Assigning an initial value Q as 0, which is an infinite point;
making i equal to 63-0, and circularly performing the following calculation;
Q=2Q;
Q=Q+αiG;
regarding the selection of the G coordinate point, the following method is employed: in the ith loop calculation, selecting the 192+ i, 128+ i, 64+ i, i four-digit numerical values of mu in mu G to form a four-digit binary number, and constructing a pre-calculation table by a comb algorithm: comparing {0000} to {1111} of {0000} G to {1111} G16 pre-calculation coordinate points, and if the comparison result is the same, selecting the pre-calculation coordinate points to participate in point addition operation;
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
5. The method according to claim 1, characterized in that if the elliptic curve is of the form secp256r1 and a signature verification operation is to be performed, a multi-scalar product λ P + μ G of the base point G and the generic point P is calculated, in particular:
inputting 256-bit binary number lambda ═ lambda255λ254λ253…λ1λ0},μ={μ255μ254μ253…μ1μ0H, and an arbitrary point P and a base point G on the elliptic curve secp256r 1;
calculating a scalar product Q ═ λ P + μ G;
constructing pre-calculation tables (00) P + (00) G to (11) P + (11) G, and 16 point coordinates in total, wherein (00) P + (00) G, (01) P + (00) G, (00) P + (01) G do not need calculation;
let Q be 0, an infinity point;
and (3) making i be 127-0, and circularly performing the following calculation:
Q=4Q;
Q=Q+{(λ2i+1λ2i)P+(μ2i+1μ2i)G};
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
6. The method according to claim 1, wherein if the elliptic curve is in the form of secp256r1 and a key exchange operation is to be performed, then calculating the scalar product λ P of the generic point P by:
inputting 256-bit binary number lambda ═ lambda255λ254λ253…λ1λ0And an arbitrary point P on the elliptic curve secp256r 1;
calculating scalar product Q as lambda P;
constructing pre-calculation tables (00) P to (11) P, and 16 point coordinates in total, wherein (00) P does not need to be calculated;
let Q be 0, an infinity point;
and (3) making i be 127-0, and circularly performing the following calculation:
Q=4Q;
Q=Q+{(λ2i+1λ2i)P};
and ending the operation until the calculation result is that i is equal to 0, and outputting a final scalar multiplication result Q.
7. The method according to claim 1, wherein if the elliptic Curve is in the form of Curve25519 and a key exchange operation is to be performed, a scalar times λ P is calculated, a step operation is performed 255 times, cswap operation is performed before and after each step operation, and two sets of coordinate points are exchanged according to the flag bit condition, specifically:
inputting 255 bit binary number k ═ (k)255k254……k0) Point coordinate P1=(x1,y1) Abscissa x of1;
Calculating scalar multiplication result kP1=(x2,y2) Abscissa x of2;
Let X1=x1;X2=x1;Z2=0;X3=x1;Z31 is ═ 1; the flag swap is equal to 0;
and (4) making i equal to 254-0, and circularly performing the following calculation:
swap=swap^k[i];
(X2,X3)=cswap(swap,X2,X3);
(Z2,Z3)=cswap(swap,Z2,Z3);
swap=k[i];
calculating by adopting a step algorithm: (X)2,Z2,X3,Z3)=Ladder step(X1,X2,Z2,X3,Z3);
(X2,X3)=cswap(swap,X2,X3);
(Z2,Z3)=cswap(swap,Z2,Z3);
Until i is equal to 0, ending the calculation and outputting X2=X2/Z2;
The cswap operation is performed before and after each step operation, and two groups of coordinate points are exchanged according to the swap flag bit condition, specifically: when the swap flag bit is 1, exchanging two groups of coordinate points; and when the swap flag bit is 0, no swap is performed.
8. The method of claim 1, wherein the post-processing of the data according to the obtained scalar multiplication result, the reduction of the calculated ternary coordinate back to the binary coordinate, the completion of the scalar multiplication calculation, and the output of the final result, specifically:
the method for converting the ternary coordinates (X, Y, Z) into the common binary coordinates (X, Y) is as follows: x is X/Z2,y=Y/Z3。
9. An apparatus for implementing a multi-elliptic curve-oriented scalar multiplier, comprising: the system comprises an algorithm controller, a register file and an arithmetic unit, wherein the arithmetic unit is a 256-bit scalar multiplier;
the algorithm controller and the arithmetic unit carry out data operation exchange;
the register file and the arithmetic unit carry out data operation exchange.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the method of any one of the preceding claims 1 to 8 for implementing a multi-elliptic curve scalar multiplier oriented implementation.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010836415.8A CN111966324B (en) | 2020-08-19 | 2020-08-19 | Implementation method and device for multi-elliptic curve scalar multiplier and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010836415.8A CN111966324B (en) | 2020-08-19 | 2020-08-19 | Implementation method and device for multi-elliptic curve scalar multiplier and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111966324A true CN111966324A (en) | 2020-11-20 |
CN111966324B CN111966324B (en) | 2024-01-30 |
Family
ID=73388511
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010836415.8A Active CN111966324B (en) | 2020-08-19 | 2020-08-19 | Implementation method and device for multi-elliptic curve scalar multiplier and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111966324B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113691543A (en) * | 2021-08-25 | 2021-11-23 | 苏州国芯科技股份有限公司 | Data encryption method and device based on elliptic curve, computer equipment and medium |
CN114531241A (en) * | 2022-04-22 | 2022-05-24 | 北京智芯微电子科技有限公司 | Data encryption method and device, electronic equipment using data encryption method and storage medium |
CN114527956A (en) * | 2022-01-25 | 2022-05-24 | 北京航空航天大学 | Computing method for non-fixed point scalar multiplication in SPA attack resistant SM2 cryptographic algorithm |
CN114879934A (en) * | 2021-12-14 | 2022-08-09 | 中国科学院深圳先进技术研究院 | Efficient zero-knowledge proof accelerator and method |
CN115129297A (en) * | 2022-08-30 | 2022-09-30 | 北京象帝先计算技术有限公司 | Multi-point multiplication operation system, method, graphic processor, electronic device and equipment |
CN116820394A (en) * | 2023-08-29 | 2023-09-29 | 无锡沐创集成电路设计有限公司 | Scalar multiplication circuit oriented to elliptic curve encryption algorithm |
CN117972761A (en) * | 2024-04-01 | 2024-05-03 | 杭州金智塔科技有限公司 | Data processing method and device based on SM2 cryptographic algorithm |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005015526A1 (en) * | 2003-08-06 | 2005-02-17 | Fujitsu Limited | Elliptic curve encrypting device, elliptic curve encryp-ting method, elliptic curve encrypting program andcomputer-readable recording medium recording that program |
US20080205638A1 (en) * | 2007-02-07 | 2008-08-28 | Al-Gahtani Theeb A | Method for elliptic curve scalar multiplication |
CN105094746A (en) * | 2014-05-07 | 2015-11-25 | 北京万协通信息技术有限公司 | Method for achieving point addition/point doubling of elliptic curve cryptography |
CN108875416A (en) * | 2018-06-22 | 2018-11-23 | 北京智芯微电子科技有限公司 | Elliptic curve multi point arithmetic method and apparatus |
CN109117677A (en) * | 2018-09-21 | 2019-01-01 | 阿里巴巴集团控股有限公司 | A kind of circuit for elliptic curve multi point arithmetic |
-
2020
- 2020-08-19 CN CN202010836415.8A patent/CN111966324B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005015526A1 (en) * | 2003-08-06 | 2005-02-17 | Fujitsu Limited | Elliptic curve encrypting device, elliptic curve encryp-ting method, elliptic curve encrypting program andcomputer-readable recording medium recording that program |
US20080205638A1 (en) * | 2007-02-07 | 2008-08-28 | Al-Gahtani Theeb A | Method for elliptic curve scalar multiplication |
CN105094746A (en) * | 2014-05-07 | 2015-11-25 | 北京万协通信息技术有限公司 | Method for achieving point addition/point doubling of elliptic curve cryptography |
CN108875416A (en) * | 2018-06-22 | 2018-11-23 | 北京智芯微电子科技有限公司 | Elliptic curve multi point arithmetic method and apparatus |
CN109117677A (en) * | 2018-09-21 | 2019-01-01 | 阿里巴巴集团控股有限公司 | A kind of circuit for elliptic curve multi point arithmetic |
Non-Patent Citations (2)
Title |
---|
姜久兴等: "低面积复杂度AES低熵掩码方案的研究", 通信学报, vol. 40, no. 5, pages 201 - 210 * |
王敏等: "抗SPA 攻击的椭圆曲线NAF 标量乘实现算法", 通信学报, vol. 33, no. 1, pages 228 - 232 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113691543A (en) * | 2021-08-25 | 2021-11-23 | 苏州国芯科技股份有限公司 | Data encryption method and device based on elliptic curve, computer equipment and medium |
CN114879934A (en) * | 2021-12-14 | 2022-08-09 | 中国科学院深圳先进技术研究院 | Efficient zero-knowledge proof accelerator and method |
CN114527956A (en) * | 2022-01-25 | 2022-05-24 | 北京航空航天大学 | Computing method for non-fixed point scalar multiplication in SPA attack resistant SM2 cryptographic algorithm |
CN114527956B (en) * | 2022-01-25 | 2024-05-10 | 北京航空航天大学 | Calculation method for non-fixed point scalar multiplication in SM2 algorithm for resisting SPA attack |
CN114531241A (en) * | 2022-04-22 | 2022-05-24 | 北京智芯微电子科技有限公司 | Data encryption method and device, electronic equipment using data encryption method and storage medium |
CN114531241B (en) * | 2022-04-22 | 2022-08-30 | 北京智芯微电子科技有限公司 | Data encryption method and device, electronic equipment using data encryption method and storage medium |
CN115129297B (en) * | 2022-08-30 | 2022-12-13 | 北京象帝先计算技术有限公司 | Multi-point multiplication operation system, method, graphic processor, electronic device and equipment |
WO2024045665A1 (en) * | 2022-08-30 | 2024-03-07 | 北京象帝先计算技术有限公司 | Multiple-point multiplication operation system and method, and graphics processor, electronic apparatus and device |
CN115129297A (en) * | 2022-08-30 | 2022-09-30 | 北京象帝先计算技术有限公司 | Multi-point multiplication operation system, method, graphic processor, electronic device and equipment |
CN116820394A (en) * | 2023-08-29 | 2023-09-29 | 无锡沐创集成电路设计有限公司 | Scalar multiplication circuit oriented to elliptic curve encryption algorithm |
CN116820394B (en) * | 2023-08-29 | 2023-11-03 | 无锡沐创集成电路设计有限公司 | Scalar multiplication circuit oriented to elliptic curve encryption algorithm |
CN117972761A (en) * | 2024-04-01 | 2024-05-03 | 杭州金智塔科技有限公司 | Data processing method and device based on SM2 cryptographic algorithm |
CN117972761B (en) * | 2024-04-01 | 2024-08-06 | 杭州金智塔科技有限公司 | Data processing method and device based on SM2 cryptographic algorithm |
Also Published As
Publication number | Publication date |
---|---|
CN111966324B (en) | 2024-01-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111966324A (en) | Multi-elliptic curve scalar multiplier oriented implementation method, device and storage medium | |
CN110351087B (en) | Pipelined Montgomery modular multiplication operation method | |
CN113628094B (en) | High-throughput SM2 digital signature computing system and method based on GPU | |
CN112865954B (en) | Accelerator, chip and system for Paillier decryption | |
CN109145616B (en) | SM2 encryption, signature and key exchange implementation method and system based on efficient modular multiplication | |
CN113783702A (en) | Hardware implementation method and system for elliptic curve digital signature and signature verification | |
CN102306091B (en) | Method for rapidly implementing elliptic curve point multiplication hardware | |
CN101782845A (en) | High speed arithmetic device and method of elliptic curve code | |
CN114021734B (en) | Parameter calculation device, system and method for federal learning and privacy calculation | |
CN115344237A (en) | Data processing method combining Karatsuba and Montgomery modular multiplication | |
CN117155572A (en) | Method for realizing large integer multiplication in cryptographic technology based on GPU (graphics processing Unit) parallel | |
CN113794572A (en) | Hardware implementation system and method for high-performance elliptic curve digital signature and signature verification | |
CN114527956A (en) | Computing method for non-fixed point scalar multiplication in SPA attack resistant SM2 cryptographic algorithm | |
CN112799634B (en) | Based on base 2 2 MDC NTT structured high performance loop polynomial multiplier | |
CN113467754A (en) | Lattice encryption modular multiplication operation method and framework based on decomposition reduction | |
Liu et al. | Efficient digit-serial KA-based multiplier over binary extension fields using block recombination approach | |
CN116561819A (en) | Encryption and decryption method based on from-Cook on-loop polynomial multiplication and on-loop polynomial multiplier | |
CN110445611A (en) | A kind of secrecy Enhancement Method and device based on modular arithmetic hash function | |
CN114594925B (en) | Efficient modular multiplication circuit suitable for SM2 encryption operation and operation method thereof | |
CN112631546B (en) | High-performance modular multiplier based on KO-8 algorithm | |
CN106126193A (en) | Elliptic curve point based on Zynq adds arithmetic accelerator and accelerated method | |
CN111756538B (en) | Method and device for realizing ECC scalar multiplier based on prime preprocessing | |
CN116820394B (en) | Scalar multiplication circuit oriented to elliptic curve encryption algorithm | |
CN114510273B (en) | Processor and method for realizing scalar multiplication operation of elliptic curve password | |
CN106911475A (en) | The implementation method and its circuit structure of a kind of Tate pairings |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |