CN101834723A - RSA (Rivest-Shamirh-Adleman) algorithm and IP core - Google Patents

RSA (Rivest-Shamir-Adleman) algorithm and IP core

Publication number: CN101834723A
Application number: CN200910047315A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 周玉洁, 李佳璐
Assignee (original and current): SHANGHAI AISINO CHIP ELECTRONIC TECHNOLOGY Co Ltd
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Abstract

The invention discloses an RSA (Rivest-Shamir-Adleman) algorithm and an IP core in the field of electronic information encryption, and addresses two problems of existing RSA IP cores: excessive area and low computing speed. The IP core that runs the RSA algorithm comprises an interface module, a control module, a memory module, a modular exponentiation module and a modular reduction module. The control module is connected to the modular reduction module, the memory module, the modular exponentiation module and the interface module; the modular reduction module is connected to the modular exponentiation module and the memory module; and the memory module is connected to the modular exponentiation module and the interface module. The result is a small-area, high-performance RSA IP core aimed at the low end: it adopts improved algorithms and a matching hardware structure and needs fewer additions and less storage.

Description

An RSA algorithm and its IP core
Technical field
The invention relates to electronic information encryption, and in particular to an RSA algorithm and an IP core that implements it.
Background
With the rapid development of information technology, authentication and secure transmission in network communication attract growing attention. Because public-key cryptosystems solve digital signature, message authentication and identity authentication effectively, every country has invested heavily in research in this area. The RSA (Rivest-Shamir-Adleman) algorithm has been the widely accepted and widely implemented public-key method since its invention.
A cryptographic algorithm can be implemented in software or turned into a hardware ASIC (application-specific integrated circuit) chip; hardware encryption is the main choice for commercial and military use. Compared with traditional software encryption, hardware encryption has two main features: first, better stability and compatibility and higher speed; second, better security and higher resistance to cryptanalytic attack, avoiding problems of software implementations such as key leakage and memory scanning.
With advances in hardware technology, smart cards, IC cards (integrated circuit cards) and electronic keys have joined the hardware family of e-commerce. They combine data encryption and storage, are small, easy to use, powerful, secure and cheap, have become one of the strongest driving forces of e-commerce, and are also widely used in transport, healthcare, authentication and other fields, greatly modernizing everyday life and work. Implementing an RSA cryptographic coprocessor for public-key cryptography in such small mobile devices is therefore of great significance, but two main problems remain: the VLSI (very large scale integrated circuit) implementation of RSA takes too much area, and the modular exponentiation and modular multiplication of RSA are slow.
Summary of the invention
To remedy these defects of the prior art, the technical problem solved by the invention is to provide a small-area, high-performance RSA IP core aimed at the low end: by improving the cryptographic algorithm and choosing a suitable hardware structure, the area is greatly reduced and good performance is obtained, with an RSA algorithm and IP core (Intellectual Property core) that need fewer additions and less storage space.
To solve the above technical problems, the RSA algorithm provided by the invention is characterized by the following steps for computing R^2 mod N in the Montgomery algorithm that implements RSA modular exponentiation and modular multiplication:
1) compute Mont2 = 2R mod N = 2·2^r mod N;
2) call the modular exponentiation unit with Mont2 as the base and r as the exponent to compute H = (Mont2)^r mod N. Mont2 is the Montgomery representation of 2, so the result of the exponentiation, taken before the R factor is removed, is H = 2^r·R mod N, that is, R^2 mod N. This solves the problem neatly and improves efficiency.
Further, in step 1), Mont2 is computed by the following algorithm (W is the word width of the IP core and n the bit length of N; T is held in Nwords+1 words, and {T[j](W-2:0), cm} denotes word j of 2T, i.e. the low W-1 bits of T[j] shifted up by one with the bit cm shifted out of the word below in the least significant position):
1. let Nwords = n/W;
2. for j from 0 to Nwords:
   2.1 let T[j] = "00..00";
   2.2 if j = (n-2)/W, set bit (n-2) of T to 1;
3. let i = r-n+1;
4. let sign = 0;
5. while i ≥ 0:
   5.1 let ca = 0;
   5.2 let cm = 0;
   5.3 for j from 0 to Nwords:
       5.3.1 if sign = 1, let {ca, Sum} = {T[j](W-2:0), cm} + N[j] + ca,
             otherwise let {ca, Sum} = {T[j](W-2:0), cm} - N[j] - ca;
       5.3.2 let cm = T[j](W-1);
       5.3.3 let T[j] = Sum;
   5.4 let sign = ca XOR cm;
   5.5 let i = i-1;
6. if sign = 1, perform T = T + N (the result):
   6.1 let ca = 0;
   6.2 for j from 0 to Nwords:
       6.2.1 let {ca, T[j]} = T[j] + N[j] + ca.
Each pass of step 5 thus doubles T and subtracts N when the previous remainder was non-negative or adds N when it was negative, taking the sign of the new remainder as ca XOR cm, so T stays congruent to a power of two modulo N; step 6 makes a negative final remainder positive.
The RSA algorithm provided by the invention is further characterized by the following modular squaring algorithm in the Montgomery algorithm that implements RSA modular exponentiation (k is the number of words of R; A is the operand, T an accumulator of k+2 words, nacc = N'[0]):
1. for i from 0 to k-1:
   1.1 let c = 0;
   1.2 for j from 0 to i-1, let (c, T[j]) = T[j] + 2·A[j]·A[i] + c;
   1.3 let (c, T[i]) = T[i] + A[i]·A[i] + c;
   1.4 let (T[i+2], T[i+1]) = T[i+1] + c (the carry out of the square term, carried into the two words above it);
   1.5 let c = 0;
   1.6 let m = T[0]·nacc mod 2^W;
   1.7 let (c, s) = T[0] + m·N[0] (the low word s is zero by construction and is discarded);
   1.8 for j from 1 to k-1, let (c, T[j-1]) = T[j] + m·N[j] + c;
   1.9 let (c, T[k-1]) = T[k] + c;
   1.10 let T[k] = T[k+1] + c;
   1.11 if T > N, let T = T - N;
2. return T.
The IP core provided by the invention for running (implementing) the RSA algorithm comprises an interface module (IFC), a control module (CTRL), a memory module (MEM), a modular exponentiation module (EXP) and a modular reduction module (RED). The control module is connected to the modular reduction module (RED), the memory module (MEM), the modular exponentiation module (EXP) and the interface module (IFC); the modular reduction module (RED) is connected to the modular exponentiation module (EXP) and the memory module (MEM); and the memory module (MEM) is connected to the modular exponentiation module (EXP) and the interface module (IFC);
the interface module handles data exchange between inside and outside: it feeds the operands of RSA modular multiplication and modular exponentiation into the memory module, writes control commands to the control module and reads the value of the status register;
the control module implements the top-level control logic and is responsible for starting the RSA computation;
the modular reduction module computes Mont2 and performs the modular subtraction adjustment after a modular exponentiation or modular multiplication;
the memory module stores the large numbers that the RSA computation needs, the intermediate results and the final result;
the modular exponentiation module performs the main operations of the RSA IP core, namely modular exponentiation and modular multiplication.
Further, the control module receives user commands through the interface module and schedules the arithmetic units, i.e. the modular exponentiation module and the modular reduction module, to complete the whole RSA computation.
Further, the control module allocates the memory unit to the modular exponentiation module, the modular reduction module and the interface module; only one module may access the memory module at any time, to avoid conflicts.
Further, the control logic of the whole computation (A^B mod N or A·B mod N) is divided into two steps:
1) on the precomputation command RSA_RR, start Nacc to compute from the big number N the value N'[0] needed by the Montgomery arithmetic, then start the modular reduction module to compute Mont2, and finally start the modular exponentiation module to obtain R^2 mod N;
2) on the modular exponentiation command RSA_EXP or the modular multiplication command RSA_MUL, start the modular exponentiation module to perform the corresponding computation and compare the result with N; if it is larger than N, start the modular reduction module to perform the modular subtraction. Because the modular reduction module cannot itself place its result in the correct memory cell, the modular exponentiation module finally performs the move.
Further, the modular exponentiation module contains an ExpCtrl unit and an MMM unit connected to it; the MMM unit contains an MMMCtrl unit and a core processing element PE.
Further, the ExpCtrl unit implements the four operations specified by the control module: EXP_EXP (modular exponentiation), EXP_MUL (modular multiplication), EXP_MV (move) and EXP_RR (computation of R^2 mod N). It computes modular exponentiation with the RL (right-to-left) binary scanning algorithm, reading the exponent from the low bit to the high bit (EXP_EXP reads B, EXP_RR reads r), decomposes the whole modular exponentiation into the four most basic operations, multiply, square, move and compare, and issues the corresponding commands to the MMM unit.
Further, the MMMCtrl unit implements the four basic operations specified by the ExpCtrl unit: multiply, square, move and compare. It controls the flow of the CIOS Montgomery modular multiplication and modular squaring, reads big numbers from the memory module, passes the correct operands to PE according to the command from ExpCtrl, and performs the two operations (c, T) = T + X·Y + c and (c, T) = T + 2·X·X + c.
Further, the core processing element PE comprises a W×W multiplier, a W+W adder and a 4-2 compressor in a two-stage pipeline. The critical path of the IP is optimized and the operating frequency is raised.
Further, the modular multiplier uses a two-stage pipeline. The first stage is a 32-bit multiplier that computes m = nacc·t_0, x_i·y_j and n_i·m of the CIOS Montgomery algorithm; the second stage uses a 32-bit adder, with a 4-2 compressor in front of the adder that reduces four operands to two.
Further, a single-port SRAM (static RAM) 2W bits wide is used as the scratchpad in the core processing element PE. Each read or write then transfers 2W bits, and alternating reads and writes meet the needs of the computation without affecting the performance of the IP.
Further, the memory module stores all operands and results in SRAM.
The RSA algorithm and IP core of the invention have the following characteristics:
support for modular exponentiation and modular multiplication with moduli longer than 32 bits and up to 2048 bits;
key protection, so the IP is safer to use;
at 100 MHz, on average 33 1024-bit modular exponentiations per second and 3.7 2048-bit modular exponentiations per second;
simple operation, with no auxiliary operation required from outside;
a generic IP interface, which makes SoC (System on Chip) integration easier;
high performance of the IP core through layered control logic and an efficient data path;
a storage system with high performance, small area and high security.
Description of drawings
Fig. 1 is the overall block diagram of the RSA IP of an embodiment of the invention;
Fig. 2 is the internal block diagram of EXP of an embodiment of the invention;
Fig. 3 is the internal block diagram of MMM of an embodiment of the invention;
Fig. 4 is the state transition diagram of the CTRL module of an embodiment of the invention;
Fig. 5 is the PE data path of an embodiment of the invention.
Embodiment
Embodiments of the invention are described in detail below with reference to the drawings, but the invention is not limited to these embodiments; every similar structure, method or variation that adopts the invention falls within its scope of protection.
Algorithmic improvements of the invention:
The Montgomery algorithm is the classic algorithm for RSA modular exponentiation and modular multiplication. The invention adopts CIOS, an improved form of the Montgomery algorithm, which needs fewer additions and less storage and is well suited to implementation on general-purpose processors.
The basic form of the Montgomery algorithm is as follows:
Choose parameters N' and R^-1 with 0 < R^-1 < N and 0 < N' < R such that R·R^-1 - N·N' = 1.
Mont(a, b) = a·b·R^-1 mod N (mod N denotes reduction modulo N):
1. let t = a·b;
2. let u = (t + (t·N' mod R)·N)/R.
Note: R and N are coprime; for convenience R = 2^r with r normally a multiple of the machine word length. For 0 ≤ t < R·N the result u lies in [0, 2N), so a modular subtraction adjustment is needed before the final result is obtained:
if u ≥ N return u - N, otherwise return u.
Choice of R
Modular exponentiation in RSA encryption and decryption is nothing but repeated calls of the Montgomery algorithm for modular multiplication and modular squaring. The invention takes R = 2^r, where r is given by a formula in n and the word length (the formula is an image in the original and is not reproduced on this page; n is the bit length of the modulus N and the word length is the multiplier width, i.e. the word width W of the IP core in this design). When computing a^b mod N, take 0 < a < 2N; then every modular product obtained during the exponentiation lies in (0, 2N), which is exactly the input range the next Montgomery multiplication requires. In other words, the intermediate steps are spared the extra modular subtraction; only after the last modular multiplication of the exponentiation is u compared with N, and if u ≥ N the modular subtraction adjustment is performed.
Computing R^2 mod N
The Montgomery algorithm brings some extra computation: the operands have to be converted into Montgomery representation, i.e. the factor R has to be introduced. Before computing S = a·b mod N, Mont(a, R^2) and Mont(b, R^2) are computed to express a and b as
aR mod N and bR mod N;
then
Mont(aR, bR) = abR mod N
is computed, and finally
Mont(abR, 1)
removes the R factor and yields S = ab mod N. R^2 mod N is therefore an important parameter of the Montgomery algorithm. If N has many bits, computing R^2 mod N directly is quite involved.
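The Montgomery form, the choice of R and the conversion through R^2 mod N described above, as an added example that is not part of the patent: a plain-integer Python model. It assumes r to be the smallest multiple of the word width W with 2^r > 4N (the page's own formula for r is a missing image; 2^r > 4N is the standard condition behind the statement that inputs below 2N give outputs below 2N), and uses a constructed 64-bit odd modulus rather than any key from the page.

```python
"""Integer-level model of the Montgomery arithmetic on this page (added
example, not the patent's code): Mont(a, b) = a*b*R^-1 mod N with R = 2^r,
the choice of R that keeps every intermediate below 2N without subtraction,
and the conversion into and out of the Montgomery domain via R^2 mod N."""

W = 32                              # multiplier word width used on the page
N = 0xC5F23A7B9D11E3ED              # constructed odd modulus (64 bits), not a key
n = N.bit_length()
# Assumption (the page's formula for r is a missing image): r is the smallest
# multiple of W with 2^r > 4N, the usual condition for inputs below 2N to give
# outputs below 2N.
r = -(-(n + 2) // W) * W
R = 1 << r
# R*R^-1 - N*N' = 1  =>  N' = -N^-1 mod R (N is odd, so the inverse exists)
N_PRIME = (-pow(N, -1, R)) % R


def mont(a: int, b: int, subtract: bool = True) -> int:
    """Mont(a, b) as written on the page: t = a*b, u = (t + (t*N' mod R)*N)/R,
    then one conditional subtraction. With subtract=False the result is
    left in [0, 2N), which is what the exponentiation does between steps."""
    t = a * b
    u = (t + ((t * N_PRIME) % R) * N) // R
    if subtract and u >= N:
        u -= N
    return u


def to_mont(a: int) -> int:
    """a -> a*R mod N via Mont(a, R^2 mod N); R^2 mod N is the constant
    the rest of the page is concerned with."""
    return mont(a, (R * R) % N)


def from_mont(a_bar: int) -> int:
    """a*R -> a via Mont(a_bar, 1), which strips the R factor."""
    return mont(a_bar, 1)


def mod_mul(a: int, b: int) -> int:
    """S = a*b mod N through the Montgomery domain: aR, bR -> abR -> ab."""
    return from_mont(mont(to_mont(a), to_mont(b)))


def mod_exp(a: int, e: int):
    """a^e mod N by right-to-left binary scanning with no subtraction between
    steps. Also returns the largest intermediate, so the 2N bound can be
    checked against the chosen R. Requires e >= 1."""
    base, acc, largest = to_mont(a), to_mont(1), 0
    while e:
        if e & 1:
            acc = mont(acc, base, subtract=False)
            largest = max(largest, acc)
        e >>= 1
        if e:
            base = mont(base, base, subtract=False)
            largest = max(largest, base)
    return from_mont(acc), largest       # Mont(acc, 1) applies the final subtraction
```

The bound is easy to check by hand with the page's own formula: for inputs below 2N, t < 4N^2 and u < t/R + N, so R > 4N gives u < 2N; if r were chosen only to satisfy 2^r > N, the intermediates of `mod_exp` could exceed 2N and the skipped subtraction would no longer be safe.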
To solve this problem, the invention makes full use of the Mont() algorithm, which the algorithm and data path in the chip are optimized for, and computes R^2 mod N in the Montgomery algorithm that implements RSA modular exponentiation and multiplication by the following steps:
1) compute Mont2 = 2R mod N = 2·2^r mod N;
2) call the modular exponentiation unit with Mont2 as the base and r as the exponent to compute H = (Mont2)^r mod N. Mont2 is the Montgomery representation of 2, so the result of the exponentiation, taken before the R factor is removed, is H = 2^r·R mod N, that is, R^2 mod N. This solves the problem neatly and improves efficiency.
The algorithm that computes Mont2 in step 1) is as follows (W is the word width of the IP core and n the bit length of N; T is held in Nwords+1 words, and {T[j](W-2:0), cm} denotes word j of 2T, i.e. the low W-1 bits of T[j] shifted up by one with the bit cm shifted out of the word below in the least significant position):
1. let Nwords = n/W;
2. for j from 0 to Nwords:
   2.1 let T[j] = "00..00";
   2.2 if j = (n-2)/W, set bit (n-2) of T to 1;
3. let i = r-n+1;
4. let sign = 0;
5. while i ≥ 0:
   5.1 let ca = 0;
   5.2 let cm = 0;
   5.3 for j from 0 to Nwords:
       5.3.1 if sign = 1, let {ca, Sum} = {T[j](W-2:0), cm} + N[j] + ca,
             otherwise let {ca, Sum} = {T[j](W-2:0), cm} - N[j] - ca;
       5.3.2 let cm = T[j](W-1);
       5.3.3 let T[j] = Sum;
   5.4 let sign = ca XOR cm;
   5.5 let i = i-1;
6. if sign = 1, perform T = T + N (the result):
   6.1 let ca = 0;
   6.2 for j from 0 to Nwords:
       6.2.1 let {ca, T[j]} = T[j] + N[j] + ca.
Each pass of step 5 thus doubles T and subtracts N when the previous remainder was non-negative or adds N when it was negative, taking the sign of the new remainder as ca XOR cm, so T stays congruent to a power of two modulo N; step 6 makes a negative final remainder positive.
Adoption of an improved Montgomery modular squaring algorithm
Modular squaring is the special case of modular multiplication in which the two input factors are equal. With the improvement below, its computation cycles fall to three quarters of those of a multiplication of the same length. The algorithm is as follows (k is the number of words of R; A is the operand, T an accumulator of k+2 words, nacc = N'[0]):
1. for i from 0 to k-1:
   1.1 let c = 0;
   1.2 for j from 0 to i-1, let (c, T[j]) = T[j] + 2·A[j]·A[i] + c;
   1.3 let (c, T[i]) = T[i] + A[i]·A[i] + c;
   1.4 let (T[i+2], T[i+1]) = T[i+1] + c (the carry out of the square term, carried into the two words above it);
   1.5 let c = 0;
   1.6 let m = T[0]·nacc mod 2^W;
   1.7 let (c, s) = T[0] + m·N[0] (the low word s is zero by construction and is discarded);
   1.8 for j from 1 to k-1, let (c, T[j-1]) = T[j] + m·N[j] + c;
   1.9 let (c, T[k-1]) = T[k] + c;
   1.10 let T[k] = T[k+1] + c;
   1.11 if T > N, let T = T - N;
2. return T.
Unlike an ordinary multiplication, the first loop body of the inner loop does not run j from 0 to k-1 but only to i-1, and doubles the product instead; because the multiplier only has to deliver its result shifted up by one bit, the cost of the improvement is small.
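The two algorithms claimed on this page (the doubling loop for Mont2 in the Summary, in the embodiment above and in claim 2; the Montgomery square in the Summary, in the embodiment above and in claim 3), together with the EXP_RR flow that turns Mont2 into R^2 mod N by right-to-left scanning, as an added word-level Python model that is not the patent's RTL. The same assumptions as in the previous example apply: r is taken as the smallest multiple of W with 2^r > 4N, and the modulus is a constructed 64-bit odd value. Two points where the model deliberately does not follow the listing literally: the doubling loop derives its iteration count from the target exponent (as printed, with bits numbered from 0, a start bit of n-2 and iterations i = r-n+1 down to 0 give r-n+2 doublings, which from 2^(n-2) reach 2^r rather than 2·2^r); and the carry out of the square term A[i]^2 is rippled through all higher words rather than written into T[i+1], T[i+2] only, since T[i+2] may already be non-zero at that point.

```python
"""Word-level model (added example, not the patent's RTL) of: the doubling loop
for Mont2 = 2R mod N, the CIOS Montgomery multiply, the Montgomery square with
doubled cross terms, and EXP_RR = Mont2^r scanned right to left, which yields
R^2 mod N. N_TEST is a constructed odd modulus, not a key from the page."""

W = 32                        # word width of the core on this page
MASK = (1 << W) - 1
N_TEST = 0xC5F23A7B9D11E3ED   # constructed 64-bit odd modulus

def params(N):
    """r, k and nacc = N'[0] for odd N. Assumption (the page's formula for r
    is a missing image): r is the smallest multiple of W with 2^r > 4N."""
    assert N & 1, "Montgomery reduction needs an odd modulus"
    n = N.bit_length()
    r = -(-(n + 2) // W) * W                 # ceil((n + 2) / W) * W
    k = r // W                               # number of words in R = 2^r
    nacc = (-pow(N, -1, 1 << W)) & MASK      # -N^-1 mod 2^W
    return r, k, nacc

def pow2_mod(e, N):
    """2^e mod N by the page's loop: start from a power of two below N and
    form 2T - N while the remainder is non-negative, 2T + N while it is
    negative; a final +N repairs a negative result. The doubling count is
    derived from e and the start bit n-1 rather than fixed."""
    n = N.bit_length()
    T = 1 << (n - 1)                          # < N because N is odd
    for _ in range(e - (n - 1)):
        T = 2 * T - N if T >= 0 else 2 * T + N
    return T + N if T < 0 else T

def words(x, count):
    return [(x >> (W * j)) & MASK for j in range(count)]

def value(ws):
    return sum(w << (W * j) for j, w in enumerate(ws))

def reduce_word(T, Nw, nacc, k):
    """Steps 1.5-1.10 of the page: T = (T + m*N) / 2^W with
    m = T[0]*nacc mod 2^W; T has k+2 words and its low word vanishes."""
    m = (T[0] * nacc) & MASK
    c = (T[0] + m * Nw[0]) >> W               # low word is 0 by construction
    for j in range(1, k):
        v = T[j] + m * Nw[j] + c
        T[j - 1], c = v & MASK, v >> W
    v = T[k] + c
    T[k - 1], c = v & MASK, v >> W
    T[k], T[k + 1] = T[k + 1] + c, 0

def mont_mul(a, b, N, nacc, k):
    """CIOS Montgomery product a*b*2^(-W*k) mod N, left in [0, 2N)."""
    A, B, Nw = words(a, k), words(b, k), words(N, k)
    T = [0] * (k + 2)
    for i in range(k):
        c = 0
        for j in range(k):
            v = T[j] + A[j] * B[i] + c
            T[j], c = v & MASK, v >> W
        v = T[k] + c
        T[k], T[k + 1] = v & MASK, v >> W
        reduce_word(T, Nw, nacc, k)
    return value(T)

def mont_sqr(a, N, nacc, k):
    """The page's square: row i adds 2*A[j]*A[i] for j < i and A[i]^2 at
    word i, so k(k+1)/2 products replace k^2; the reduction half is
    unchanged. The carry out of the square term is rippled upward."""
    A, Nw = words(a, k), words(N, k)
    T = [0] * (k + 2)
    for i in range(k):
        c = 0
        for j in range(i):
            v = T[j] + 2 * A[j] * A[i] + c
            T[j], c = v & MASK, v >> W
        v = T[i] + A[i] * A[i] + c
        T[i], c = v & MASK, v >> W
        j = i + 1
        while c:                              # ripple into T[i+1], T[i+2], ...
            v = T[j] + c
            T[j], c = v & MASK, v >> W
            j += 1
        reduce_word(T, Nw, nacc, k)
    return value(T)

def mont_exp_rl(base, e, N, nacc, k):
    """Right-to-left binary scanning in the Montgomery domain (EXP_EXP,
    EXP_RR): for base = xR mod N the result is x^e * R mod N in [0, N).
    Intermediates stay in [0, 2N); the one subtraction comes last. e >= 1."""
    assert e >= 1
    acc = None                                # Montgomery form of 1, implicit
    while e:
        if e & 1:
            acc = base if acc is None else mont_mul(acc, base, N, nacc, k)
        e >>= 1
        if e:
            base = mont_sqr(base, N, nacc, k)
    return acc - N if acc >= N else acc

def rr_mod_n(N):
    """EXP_RR as on the page: Mont2 = 2*2^r mod N, then Mont2^r in the
    Montgomery domain = 2^r * R mod N = R^2 mod N. Returns (H, r, k)."""
    r, k, nacc = params(N)
    return mont_exp_rl(pow2_mod(r + 1, N), r, N, nacc, k), r, k
```

`rr_mod_n` is the whole RSA_RR command of the page in software: Nacc (`params`), RED (`pow2_mod`) and EXP with the exponent r (`mont_exp_rl`), and the value it returns can be checked against `pow(2, 2*r, N)`. The three-quarter saving is visible in `mont_sqr`: for k words the multiplier sees k(k+1)/2 products in the accumulation half plus k^2 in the reduction half, against 2k^2 for `mont_mul`.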
Hardware design of the IP core of the invention:
The invention partitions the modules sensibly, uses layered control logic, designs an efficient storage system and optimizes the data path, so that the chip reaches high performance in a small area. The IP core is divided into five functional modules: the interface module (IFC), the control module (CTRL), the memory module (MEM), the modular exponentiation module (EXP) and the modular reduction module (RED); the overall block diagram is shown in Fig. 1. The control module is connected to the modular reduction module (RED), the memory module (MEM), the modular exponentiation module (EXP) and the interface module (IFC); the modular reduction module (RED) is connected to the modular exponentiation module (EXP) and the memory module (MEM); and the memory module (MEM) is connected to the modular exponentiation module (EXP) and the interface module (IFC).
The IFC module handles data exchange between inside and outside: it feeds the operands of RSA modular multiplication and modular exponentiation into the MEM module, writes control commands to the CTRL module and reads the value of the status register. CTRL implements the top-level control logic and is responsible for starting the RSA computation. RED computes Mont2 and performs the modular subtraction adjustment after a modular exponentiation or modular multiplication. The MEM module stores the large numbers that the RSA computation needs, the intermediate results and the final result. EXP performs the main operations of the RSA IP core, namely modular exponentiation and modular multiplication. The invention targets smart cards and similarly small devices, so a systolic-array modular multiplier, which consumes more hardware resources, is unsuitable; a radix-32 high-radix modular multiplier is used instead. As shown in Fig. 2, the EXP module contains an ExpCtrl unit and an MMM unit connected to it; as shown in Fig. 3, the MMM unit contains MMMCtrl and the core processing element PE.
The control logic, the data path of the Montgomery modular multiplier and the storage policy are described in turn below.
Control logic
The layered control logic of the invention keeps the computation flow clear and understandable. Three layers of state machines implement RSA modular exponentiation and modular multiplication, refining the operation step by step from the top down: the CTRL module implements top-level control; ExpCtrl in EXP implements the flow of the modular exponentiation algorithm and controls MMM; MMMCtrl in MMM implements the CIOS Montgomery modular multiplication algorithm and controls the core processing element PE. Each is described below.
CTRL: implements the top-level control logic. It accepts user commands through IFC and schedules the arithmetic units EXP and RED to complete the whole RSA computation. Besides controlling the working state of the arithmetic units, CTRL allocates the memory unit to EXP, RED and IFC; only one module may access MEM at any time, to avoid conflicts. Fig. 4 is the state transition diagram of the CTRL module.
As shown in Fig. 4, the whole computation (A^B mod N or A·B mod N) is divided into two steps:
1) on the precomputation command RSA_RR, start Nacc to compute from the big number N the value N'[0] needed by the Montgomery arithmetic, then start RED to compute Mont2, and finally start EXP to obtain R^2 mod N;
2) on the modular exponentiation command RSA_EXP or the modular multiplication command RSA_MUL, start EXP to perform the corresponding computation and compare the result with N; if it is larger than N, start RED to perform the modular subtraction. Because RED cannot itself place its result in the correct memory cell, EXP finally performs the move.
ExpCtrl: implements the four operations specified by the CTRL module: EXP_EXP (modular exponentiation), EXP_MUL (modular multiplication), EXP_MV (move) and EXP_RR (computation of R^2 mod N). It computes modular exponentiation with the RL (right-to-left) binary scanning algorithm, reading the exponent from the low bit to the high bit (EXP_EXP reads B, EXP_RR reads r), decomposes the whole modular exponentiation into the four most basic operations, multiply, square, move and compare, and issues the corresponding commands to MMM. In addition, ExpCtrl decides in which SRAM of the storage system the operands and results of each step are kept, so that the data-movement overhead is minimal.
MMMCtrl: implements the four basic operations specified by the ExpCtrl module: multiply, square, move and compare. It mainly controls the flow of the CIOS Montgomery modular multiplication and modular squaring, reads big numbers from MEM, passes the correct operands to PE according to the command from ExpCtrl, and performs the two operations (c, T) = T + X·Y + c and (c, T) = T + 2·X·X + c.
Optimization of the Montgomery modular multiplier
The core processing element PE of the RSA IP core comprises a W×W multiplier, a W+W adder and a 4-2 compressor in a two-stage pipeline; the critical path of the IP is optimized and the operating frequency is raised. The optimized data path of the Montgomery modular multiplier is shown in Fig. 5:
The modular multiplier uses a two-stage pipeline. The 32-bit multiplier of the first stage computes m = nacc·t_0, x_i·y_j and n_i·m of the CIOS Montgomery algorithm. To reduce area, the second stage uses a 32-bit adder, so a 64-bit product is fed to the adder over two clock cycles. In this stage the intermediate result, the low 32 bits of the product, the carry of the previous addition and the high 32 bits of the previous product are reduced from four operands to two by the 4-2 compressor in front of the adder, which optimizes area and critical path.
For modular squaring the data path is similar to that of modular multiplication; the difference is the optimized algorithm, which only requires the multiplier to deliver its result shifted up by one bit and saves some multiplications.
While PE is working, it has to read the previous W-bit result and write the current W-bit result in the same cycle. A single-port SRAM (static RAM) can read or write only one word per cycle, and a dual-port SRAM takes more area than a single-port one, so the invention uses a single-port SRAM 2W bits wide as the scratchpad: each read or write transfers 2W bits, and alternating reads and writes meet the needs of the computation without affecting the performance of the IP.
Storage policy
The invention supports modular exponentiation and modular multiplication of up to 2048 bits. Keeping such large operands in a register file would be convenient to use but very costly in area. All operands and results are therefore stored in SRAM; since the key length is at most 2048 bits and the processing width is 32 bits, four 72×32 SRAMs (A, B, N, R) and one 40×64 SRAM (T) are used.
The storage system is designed for high performance, small area and high security and has the following characteristics:
1) The cost of using SRAM is that one SRAM can read or write only one word per cycle, so an SRAM storage policy was designed that minimizes data movement during the computation. SRAMs A, B and N receive the RSA operands A, B and N; R holds the final result and T the 64-bit intermediate results of the Montgomery modular multiplication. A and R also hold the intermediate result after each modular multiplication or modular squaring of the exponentiation, and R^2 mod N is kept in SRAM R. ExpCtrl chooses the concrete SRAM mapping for each step of the modular exponentiation and modular multiplication, which resolves the data dependencies.
2) Since most SRAM operations write operands sequentially, only an initial address value has to be written to the address register; the SRAM can then be read and written directly, with the address incremented automatically inside the IP, so no continuous address signals are needed on the address bus, which reduces crosstalk and power consumption.
3) To speed up SRAM access by the computation unit, the SRAM and the computation unit are clocked on opposite clock edges (inverted-clock design), which doubles the data access speed.
4) For the different phases of the computation, the SRAMs holding operands are given different permissions (read-only, write-only, read/write) to fully guarantee the security of encryption and decryption. For example, in the phase in which the IFC module and the MEM module exchange data, SRAM B, which may hold the private key, is write-only and cannot be read.

Claims (14)

1. An RSA algorithm, characterized in that R^2 mod N in the Montgomery algorithm implementing RSA modular exponentiation and modular multiplication is computed by the steps:
1) compute Mont2 = 2R mod N = 2·2^r mod N;
2) call the modular exponentiation unit with Mont2 as the base and r as the exponent to compute H = (Mont2)^r mod N; Mont2 is the Montgomery representation of 2, so the result of the exponentiation, taken before the R factor is removed, is H = 2^r·R mod N, that is, R^2 mod N, which solves the problem neatly and improves efficiency.
2. The RSA algorithm of claim 1, characterized in that in step 1) Mont2 is computed by the following algorithm (W is the word width of the IP core and n the bit length of N):
1) let Nwords = n/W;
2) for j from 0 to Nwords:
   2.1 let T[j] = "00..00";
   2.2 if j = (n-2)/W, set bit (n-2) of T to 1;
3) let i = r-n+1;
4) let sign = 0;
5) while i ≥ 0:
   5.1 let ca = 0;
   5.2 let cm = 0;
   5.3 for j from 0 to Nwords:
       5.3.1 if sign = 1, let {ca, Sum} = {T[j](W-2:0), cm} + N[j] + ca,
             otherwise let {ca, Sum} = {T[j](W-2:0), cm} - N[j] - ca;
       5.3.2 let cm = T[j](W-1);
       5.3.3 let T[j] = Sum;
   5.4 let sign = ca XOR cm;
   5.5 let i = i-1;
6) if sign = 1, perform T = T + N (the result):
   6.1 let ca = 0;
   6.2 for j from 0 to Nwords:
       6.2.1 let {ca, T[j]} = T[j] + N[j] + ca.
3. An RSA algorithm, characterized in that the modular squaring in the Montgomery algorithm implementing RSA modular exponentiation is performed by the following algorithm (k is the number of words of R):
1) for i from 0 to k-1:
   1.1 let c = 0;
   1.2 for j from 0 to i-1, let (c, T[j]) = T[j] + 2·A[j]·A[i] + c;
   1.3 let (c, T[i]) = T[i] + A[i]·A[i] + c;
   1.4 let (T[i+2], T[i+1]) = T[i+1] + c;
   1.5 let c = 0;
   1.6 let m = T[0]·nacc mod 2^W;
   1.7 let (c, s) = T[0] + m·N[0];
   1.8 for j from 1 to k-1, let (c, T[j-1]) = T[j] + m·N[j] + c;
   1.9 let (c, T[k-1]) = T[k] + c;
   1.10 let T[k] = T[k+1] + c;
   1.11 if T > N, let T = T - N;
2) return T.
4. An IP core running the RSA algorithm of claim 1, comprising an interface module, a control module, a memory module, a modular exponentiation module and a modular reduction module; wherein the control module is connected to the modular reduction module, the memory module, the modular exponentiation module and the interface module respectively; the modular reduction module is connected to the modular exponentiation module and the memory module respectively; and the memory module is connected to the modular exponentiation module and the interface module respectively;
The interface module handles the exchange of data between the inside and the outside, sends the operands of the RSA modular multiplication and modular exponentiation into the memory module, writes control commands to the control module, and reads the value of the status register;
The control module implements the top-level control logic and is responsible for starting the RSA operation;
The modular reduction module calculates Mont2 and performs the modular subtraction adjustment after the modular exponentiation and modular multiplication complete;
The memory module stores the big numbers RSA needs to compute, the intermediate results and the final result;
The modular exponentiation module performs the main operations of the RSA IP core, namely modular exponentiation and modular multiplication.
5. The IP core according to claim 4, characterized in that the control module accepts user instructions through the interface module and schedules the arithmetic units, namely the modular exponentiation module and the modular reduction module, to complete the whole RSA operation.
6. The IP core according to claim 4, characterized in that the control module is responsible for allocating the memory unit to the modular exponentiation module, the modular reduction module and the interface module; only one module may access the memory module at any one time, so as to avoid conflicts.
7. The IP core according to claim 4, characterized in that the control logic for the whole computation of A^B mod N or A*B mod N is divided into two steps:
1) The precomputation instruction RSA_RR is input: Nacc is started to calculate, from the big number N, the N'[0] needed in the Montgomery computation; the modular reduction module is then started to calculate Mont2; finally the modular exponentiation module is started to obtain R^2 mod N;
2) According to the modular exponentiation instruction RSA_EXP or the modular multiplication instruction RSA_MUL, the modular exponentiation module is started to perform the corresponding calculation; the result is compared with N, and if it is larger than N the modular reduction module is started to perform the modular subtraction.
8. The IP core according to claim 4, characterized in that the modular exponentiation module is provided with an ExpCtrl unit and an MMM unit connected to the ExpCtrl unit; the MMM unit is provided with an MMMCtrl unit and a core processing unit PE.
9. The IP core according to claim 8, characterized in that the ExpCtrl unit is used to realize the four operations designated by the control module, namely EXP_EXP (modular exponentiation), EXP_MUL (modular multiplication), EXP_MV (move) and EXP_RR (calculating R^2 mod N); it computes modular exponentiation with a right-to-left (RL) binary scanning algorithm, reading the exponent from the low bits to the high bits (EXP_EXP reads in B, EXP_RR reads in r), and decomposes the whole modular exponentiation into the four most basic operations, multiplication, squaring, move and compare, sending the corresponding instructions to the MMM unit.
10. The IP core according to claim 8, characterized in that the MMMCtrl unit is used to realize the four basic operations designated by the ExpCtrl unit: multiplication, squaring, move and compare; it controls the computation flow of CIOS Montgomery modular multiplication and modular squaring, reads big numbers from the MEM module, transfers the correct operands to the PE according to the instructions of the ExpCtrl unit, and performs the two kinds of operations (c, T) = T + XY + c and (c, T) = T + 2XX + c.
11. The IP core according to claim 8, characterized in that the core processing unit PE comprises a W×W multiplier, a W+W adder and a 4-2 compressor, and adopts a 2-stage pipeline design.
12. The IP core according to claim 10, characterized in that the modular multiplier adopts a two-stage pipeline: the first stage uses 32-bit multipliers to calculate the m = nacc*t_0, x_i y_j = x_i * y_j and n_i m = n_i * m of the CIOS Montgomery algorithm; the second stage uses 32-bit adders, with a 4-2 compressor in front of the adder converting four operands into two operands.
13. The IP core according to claim 8, characterized in that a single-port SRAM of 2W bits is adopted as scratch-pad storage in the core processing unit PE.
14. The IP core according to claim 4, characterized in that SRAM is used in the memory module to store all operands and calculation results.
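The following is an added example, not code from the patent or its assignee: a word-level Python model of the operations the claims describe, namely the nacc (N'[0]) and Mont2 = R^2 mod N precomputation of claim 7, the CIOS Montgomery multiplication in the (c, T) = T + XY + c form of claim 10, the modular squaring of claim 3 with its doubled partial products, and the right-to-left binary exponentiation of claim 9. It assumes a 32-bit word W as in claim 12 and little-endian word order; it ripples the carry after the A[i]*A[i] term through all upper words (claim 3 writes that as the single step (T[j+1], T[j]) = T[j] + c), and it uses the usual CIOS test T >= N for the final subtraction where claim 3 writes T > N. The function names (nacc_word, r2_mod_n, mont_mul, mont_sqr, precompute, mont_exp) and the sample modulus are the example's own.

```python
# Word-level model of the CIOS Montgomery multiplication, the modular squaring of
# claim 3 and the right-to-left exponentiation of claim 9.  Constructed example for
# this page, not the patent's RTL; Python ints stand in for W-bit words.
# Names taken from the claims: W, k, T, nacc, Mont2, N.  All other names are ours.

W_BITS = 32                       # claim 12: 32-bit multiplier and adder
W = 1 << W_BITS
MASK = W - 1

def to_words(x, k):
    """Split x into k little-endian W-bit words (word 0 is least significant)."""
    return [(x >> (W_BITS * i)) & MASK for i in range(k)]

def from_words(words):
    return sum(w << (W_BITS * i) for i, w in enumerate(words))

def nacc_word(n0):
    """nacc = -N^-1 mod W from the low word n0 of an odd N (claim 7's N'[0]).
    Newton's iteration inv <- inv*(2 - n0*inv) doubles the correct low bits per round."""
    assert n0 & 1, "Montgomery reduction needs an odd modulus"
    inv = 1
    for _ in range(5):                         # 1 -> 2 -> 4 -> 8 -> 16 -> 32 correct bits
        inv = (inv * (2 - n0 * inv)) & MASK
    return (-inv) & MASK

def r2_mod_n(N, k):
    """Mont2 = R^2 mod N (R = W^k) by shift-and-subtract: 2*k*W_BITS doublings."""
    x = 1 % N
    for _ in range(2 * k * W_BITS):
        x <<= 1
        if x >= N:
            x -= N
    return x

def _reduce_step(t, n, nacc, k):
    """Claim 3 steps 5-10: pick m so T + m*N has a zero low word, add it, and
    drop that word (divide the k+2-word accumulator by W)."""
    m = (t[0] * nacc) & MASK                  # m = T[0]*nacc mod W
    c = (t[0] + m * n[0]) >> W_BITS           # (c, s) = T[0] + m*N[0]; s is 0
    for j in range(1, k):
        cs = t[j] + m * n[j] + c              # (c, T[j-1]) = T[j] + m*N[j] + c
        t[j - 1], c = cs & MASK, cs >> W_BITS
    cs = t[k] + c                             # (c, T[k-1]) = T[k] + c
    t[k - 1] = cs & MASK
    t[k] = t[k + 1] + (cs >> W_BITS)          # T[k] = T[k+1] + c
    t[k + 1] = 0

def _final_subtract(t, n, k):
    # T < 2N after the last row, so one conditional subtraction fully reduces it.
    u, N = from_words(t[:k + 1]), from_words(n)
    return to_words(u - N if u >= N else u, k)

def mont_mul(a, b, n, nacc, k):
    """CIOS Montgomery product A*B*R^-1 mod N on k-word lists below N
    (claim 10's (c, T) = T + X*Y + c form)."""
    t = [0] * (k + 2)
    for i in range(k):
        c = 0
        for j in range(k):
            cs = t[j] + a[j] * b[i] + c       # (c, T[j]) = T[j] + A[j]*B[i] + c
            t[j], c = cs & MASK, cs >> W_BITS
        cs = t[k] + c                         # (T[k+1], T[k]) = T[k] + c
        t[k], t[k + 1] = cs & MASK, cs >> W_BITS
        _reduce_step(t, n, nacc, k)
    return _final_subtract(t, n, k)

def mont_sqr(a, n, nacc, k):
    """Montgomery square A*A*R^-1 mod N as in claim 3: row i adds only the doubled
    words j < i plus the single A[i]*A[i] term (claim 10's (c, T) = T + 2*X*X + c),
    roughly half the partial products of mont_mul(a, a, ...)."""
    t = [0] * (k + 2)
    for i in range(k):
        c = 0
        for j in range(i):
            cs = t[j] + 2 * a[j] * a[i] + c   # (c, T[j]) = T[j] + 2*A[j]*A[i] + c
            t[j], c = cs & MASK, cs >> W_BITS
        cs = t[i] + a[i] * a[i] + c           # (c, T[i]) = T[i] + A[i]*A[i] + c
        t[i], c = cs & MASK, cs >> W_BITS
        for j in range(i + 1, k + 2):         # ripple the carry through the upper
            cs = t[j] + c                     # words, which already hold m*N terms
            t[j], c = cs & MASK, cs >> W_BITS  # from earlier rows
        _reduce_step(t, n, nacc, k)
    return _final_subtract(t, n, k)

def precompute(N):
    """Claim 7 step 1 (instruction RSA_RR): k, word list n, nacc and Mont2."""
    k = (N.bit_length() + W_BITS - 1) // W_BITS
    n = to_words(N, k)
    return k, n, nacc_word(n[0]), to_words(r2_mod_n(N, k), k)

def mont_exp(M, e, N):
    """Claim 9: scan e from its low bit upward (right-to-left binary method),
    multiplying into acc on a 1 bit and squaring the base for every bit."""
    k, n, nacc, mont2 = precompute(N)
    one = to_words(1, k)
    base = mont_mul(to_words(M % N, k), mont2, n, nacc, k)   # M*R mod N
    acc = mont_mul(one, mont2, n, nacc, k)                   # 1*R mod N
    while e:
        if e & 1:
            acc = mont_mul(acc, base, n, nacc, k)            # EXP_MUL
        base = mont_sqr(base, n, nacc, k)                    # squaring
        e >>= 1
    return from_words(mont_mul(acc, one, n, nacc, k))        # acc*R^-1 leaves the domain
```

Running `mont_exp(M, e, N)` against Python's `pow(M, e, N)` for a constructed modulus such as (2^89 - 1)(2^127 - 1) checks the word-level arithmetic end to end, and `mont_sqr(a, ...)` must agree with `mont_mul(a, a, ...)` for every reduced a. Two steps of this model are data dependent, the multiply on a 1 bit of the exponent and the final conditional subtraction; in any hardware or software Montgomery implementation those are the places a reviewer checks for timing and power leakage, and the claims say nothing about them.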
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910047315A CN101834723A (en) 2009-03-10 2009-03-10 RSA (Rivest-Shamirh-Adleman) algorithm and IP core

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910047315A CN101834723A (en) 2009-03-10 2009-03-10 RSA (Rivest-Shamirh-Adleman) algorithm and IP core

Publications (1)

Publication Number Publication Date
CN101834723A true CN101834723A (en) 2010-09-15

Family

ID=42718662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910047315A Pending CN101834723A (en) 2009-03-10 2009-03-10 RSA (Rivest-Shamirh-Adleman) algorithm and IP core

Country Status (1)

Country Link
CN (1) CN101834723A (en)

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102468956A (en) * 2010-11-11 2012-05-23 上海华虹集成电路有限责任公司 Method suitable for RSA modular exponentiation calculation
CN102508798A (en) * 2011-10-18 2012-06-20 国电南京自动化股份有限公司 CPU (Central Processing Unit) and FPGA (Field Programmable Gate Array) interface method based on BURST and flow line
CN102508798B (en) * 2011-10-18 2014-12-31 国电南京自动化股份有限公司 CPU (Central Processing Unit) and FPGA (Field Programmable Gate Array) interface method based on BURST and flow line
CN103401681A (en) * 2013-07-02 2013-11-20 北京华大信安科技有限公司 Modulus taking method, modulus taking device and chip
CN103401681B (en) * 2013-07-02 2016-08-31 北京华大信安科技有限公司 Model taking method, impression-taking apparatus and chip
CN104579650A (en) * 2013-10-28 2015-04-29 上海复旦微电子集团股份有限公司 Method and device for modular exponentiation operation
CN104579650B (en) * 2013-10-28 2018-11-06 上海复旦微电子集团股份有限公司 The method and apparatus of Montgomery Algorithm
CN103699351A (en) * 2013-12-05 2014-04-02 西安交通大学 Two-end-cutting phase shifting circuit
CN103729163A (en) * 2013-12-05 2014-04-16 西安交通大学 Highest point and lowest point removing, left shift and data supplement circuit
CN103699351B (en) * 2013-12-05 2016-06-29 西安交通大学 One is decaptitated the shift circuit that truncates
CN104750457A (en) * 2013-12-31 2015-07-01 上海复旦微电子集团股份有限公司 Method and device for processing data on basis of modular exponentiation
CN104750457B (en) * 2013-12-31 2018-03-06 上海复旦微电子集团股份有限公司 A kind of data processing method and device based on Montgomery Algorithm
CN103888246A (en) * 2014-03-10 2014-06-25 深圳华视微电子有限公司 Low-energy-consumption small-area data processing method and data processing device thereof
CN104104504A (en) * 2014-07-22 2014-10-15 大唐微电子技术有限公司 RSA decoding method and device
CN104104504B (en) * 2014-07-22 2017-05-10 大唐微电子技术有限公司 RSA decoding method and device
CN104899527A (en) * 2015-05-12 2015-09-09 广州中大微电子有限公司 On-chip security co-processor
CN104951279B (en) * 2015-05-27 2018-03-20 四川卫士通信息安全平台技术有限公司 A kind of design method of the vectorization Montgomery modular multipliers based on NEON engines
CN104951279A (en) * 2015-05-27 2015-09-30 四川卫士通信息安全平台技术有限公司 Vectorized Montgomery modular multiplier design method based on NEON engine
CN107665109A (en) * 2016-07-28 2018-02-06 中国科学院声学研究所 A kind of Montgomery modular multiplication computational methods suitable for embedded system
CN107665109B (en) * 2016-07-28 2020-04-14 中国科学院声学研究所 Montgomery modular multiplication calculation method suitable for embedded system
CN107888385A (en) * 2017-12-27 2018-04-06 数安时代科技股份有限公司 RSA moduluses generation method, RSA key generation method, computer equipment and medium
CN107888385B (en) * 2017-12-27 2020-12-22 数安时代科技股份有限公司 RSA modulus generation method, RSA key generation method, computer device, and medium
WO2024036429A1 (en) * 2022-08-15 2024-02-22 Intel Corporation Paillier cryptosystem with improved performance

Similar Documents

Publication Publication Date Title
CN101834723A (en) RSA (Rivest-Shamirh-Adleman) algorithm and IP core
Lee et al. Elliptic-curve-based security processor for RFID
CN101170406B (en) A realization method for calculation coprocessor based on dual core public key password algorithm
CN101547089B (en) Method for realizing elliptic curve cryptosystem algorithm over prime field in integrated circuit
JPH09274560A (en) Power remainder operation circuit, power remainder operation system and operation method for power remainder operation
CN103942031B (en) Elliptic domain curve operations method
Kocabaş et al. Implementation of binary Edwards curves for very-constrained devices
Bo et al. An RSA encryption hardware algorithm using a single DSP block and a single block RAM on the FPGA
CN100504758C (en) Multiple-word multiplication-accumulation circuit and montgomery modular multiplication-accumulation circuit
CN100583757C (en) ECC/RSA encryption/decryption coprocessor
US7580966B2 (en) Method and device for reducing the time required to perform a product, multiplication and modular exponentiation calculation using the Montgomery method
CN105790939A (en) Prime number field elliptic curve cryptography system of VLSI realization accelerator
CN103793199A (en) Rapid RSA cryptography coprocessor capable of supporting dual domains
Rodríguez-Flores et al. Compact FPGA hardware architecture for public key encryption in embedded devices
CN104536913A (en) Big integer operational circuit based on a plurality of RAMs and data transfer method
Ito et al. The parallel FDFM processor core approach for CRT-based RSA decryption
CN110704109A (en) Elliptic curve password coprocessor
CN103780381B (en) Montgomery algorithm based on base systolic arrays high realizes device and method
Bertoni et al. Power aware design of an elliptic curve coprocessor for 8 bit platforms
Bie et al. An energy-efficient reconfigurable asymmetric modular cryptographic operation unit for RSA and ECC
CN101819519B (en) Multifunctional digital signing circuit
EP1818810B1 (en) Circuit and method for multiplying long integer values
Zode et al. Optimization of elliptic curve scalar multiplication using constraint based scheduling
CN109284085A (en) A kind of high speed modular multiplication and Montgomery Algorithm method and model based on FPGA
CN1392472A (en) Montgomery analog multiplication algorithm for VLSI and VLSI structure of intelligenjt card analog multiplier

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100915