CN102131198B - Realizing method of elliptic curve cryptography arithmetic device in authentication system - Google Patents


Info

Publication number
CN102131198B
Authority
CN
China
Prior art keywords
authentication request
parameter
group
eff
arithmetic element
Legal status
Expired - Fee Related
Application number
CN201110049667.7A
Other languages
Chinese (zh)
Other versions
CN102131198A
Inventor
张永强
Current Assignee
GCI Science and Technology Co Ltd
Original Assignee
GCI Science and Technology Co Ltd

Abstract

The invention belongs to the technical field of secure access in wireless communication systems, and in particular relates to a method for realizing an elliptic curve cryptography arithmetic device in an authentication system. The method comprises the following steps: using a public-key algorithm on a predefined elliptic curve, a point P on the curve is selected; for each authentication request an n-bit large random number k is generated; and the point multiplication Q = kP corresponding to each authentication request is completed, where the point multiplication is equivalently transformed into an algorithm form that can be executed concurrently: at least one group of arithmetic elements is determined according to a segmentation rule, and a decomposition-and-recombination operation is executed for each group. When the number of subscriber authentication requests is small, system resources can be fully utilized to shorten the processing delay of a single authentication request and so improve the subscriber experience; when the number of subscriber authentication requests is large, the probability that request processing times out can be reduced by increasing the number of concurrently processed requests. The contradiction between single-request processing delay and the number of concurrently processed requests is thereby balanced.

Description

Method for implementing an elliptic curve cryptography arithmetic device in an authentication system
Technical field
The present invention relates to the technical field of secure access in wireless communication systems, and in particular to a method for implementing an elliptic curve cryptography arithmetic device in an authentication system.
Background technology
The authentication server is the core network element of secure access technology in a wireless communication system; it is used to authenticate the identity of the other network elements (base stations, terminals, etc.) that access the network. Patent application No. 200810027930.0, "A secure access method for wireless metropolitan area networks", provides an identity authentication flow for secure access in a wireless communication system and describes the basic procedure completed by the authentication server, which comprises receiving the certificate authentication request message, verifying the message signature, verifying the X.509 digital certificate, constructing the certificate authentication response message, and so on.
Although the authentication server performs only management functions and carries no user-plane traffic, when the network is large, and in scenarios such as fast handover of mobile terminals between base stations, stringent requirements are placed on its processing efficiency. In the user identity authentication flow described above, the message processing delay is generally very small and does not form a bottleneck for the server's execution efficiency. However, because user certificates use the X.509 format and are digitally signed with a public-key algorithm based on elliptic curve cryptography (ECC) (see the State Cryptography Administration document "ECDSA and ECDH cryptographic algorithm elliptic curves and parameters adopted by wireless LAN equipment"), the ECDSA algorithm of ECC must be used in the user identity authentication process. Its computational complexity is relatively high, especially at larger key lengths.
The ECDSA signature and signature verification algorithms are public-key signature algorithms designed on elliptic curve cryptography (ECC); the international standard ISO/IEC 15946:2002(E) defines the concrete algorithm flow and the associated requirements. The basic principle of ECC is to perform the point multiplication on a predefined elliptic curve
Figure BSA00000442511200021
where the point P is a preset parameter and k is a randomly generated large number. To guarantee the security of the ECDSA algorithm itself, k must be a true physical random number. The point multiplication Q = kP can be decomposed into basic operations such as point addition, point doubling and modular multiplication, all of which are built on the mathematical foundation of the finite field F_p.
An elliptic curve over F_p can be written in several forms; the typical equation is $y^2 = x^3 + ax + b$ with $4a^3 + 27b^2 \neq 0 \pmod p$. The points on this curve together with the point at infinity ∞ form the elliptic curve point set $E(F_p) = \{(x, y) \mid x, y \in F_p,\ y^2 = x^3 + ax + b\} \cup \{\infty\}$, whose order is $n = \#E(F_p)$. With point addition defined on the curve, $E(F_p)$ forms an abelian group. Point doubling and point multiplication are derived from point addition, and point multiplication (kP) is the main operation of an elliptic curve cryptosystem. Computation on the curve can be expressed in different coordinate systems; the commonly used ones are the affine coordinate system and the Jacobian projective coordinate system, introduced below in turn.
Affine coordinate system: through a fixed point O in the plane, draw two intersecting axes x and y with angle ω between them. Taking O as the origin and defining a unit of length on each axis (OE_1 and OE_2 respectively) establishes an affine coordinate system in the plane. For any point M in the plane, draw through M the lines parallel to the two axes, meeting them at M_1 and M_2 respectively; their coordinates on the two axes are denoted x and y, so the point M corresponds to the ordered pair (x, y).
Jacobian projective coordinate system: a point (X, Y, Z) in Jacobian projective coordinates corresponds one-to-one with a point (x, y) in affine coordinates. Given affine coordinates (x, y), the Jacobian projective coordinates are (X, Y, Z) with X = x, Y = y, Z = 1; given Jacobian projective coordinates (X, Y, Z), the affine coordinates (x, y) satisfy $x = X/Z^2,\ y = Y/Z^3$. The point at infinity ∞ in affine coordinates corresponds to the point (1, 1, 0) in Jacobian projective coordinates.
Take any two points P(x_1, y_1) and Q(x_2, y_2) on the elliptic curve and let O denote the point at infinity. Point addition R(x_R, y_R) = P + Q is defined by the following rules:
(1) P + O = O + P = P;
(2) -P = (x_1, -y_1), P + (-P) = O;
(3) if Q ≠ -P, then
$$x_R = \lambda^2 - x_1 - x_2,\qquad y_R = \lambda(x_1 - x_R) - y_1,$$
where, when x_1 ≠ x_2,
Figure BSA00000442511200032
and when x_1 = x_2,
Figure BSA00000442511200033
Take any point P(x, y) on the elliptic curve and let O denote the point at infinity. Point doubling R(x_R, y_R) = 2P is the special case P = Q of point addition, and its rules are:
(1) if y = 0, R = 2P = O;
(2) if y ≠ 0, R is computed as in rule (3) of point addition with Q = P, where
Figure BSA00000442511200035
The point addition and point doubling formulas above are all defined over the finite field F_p and involve addition, multiplication and inversion in that field. Over F_p, addition and multiplication are modulo-p operations: for any x, y ∈ F_p, addition is defined as z = (x + y) mod p with z ∈ F_p. Inversion means, for an arbitrary element x ∈ F_p, finding the y ∈ F_p such that xy = 1. Over F_p, inversion is more expensive than multiplication; converting to Jacobian projective coordinates avoids inversion, which is why the Jacobian projective coordinate system is more often adopted in engineering applications.
In Jacobian projective coordinates, take any two points P(X_1, Y_1, Z_1) and Q(X_2, Y_2, Z_2) on the elliptic curve. Point addition R(X_3, Y_3, Z_3) = P + Q is computed as (these formulas take Q with Z_2 = 1):
$$\begin{aligned} X_3 &= (Y_2 Z_1^3 - Y_1)^2 - (X_2 Z_1^2 + X_1)(X_2 Z_1^2 - X_1)^2 \\ Y_3 &= (Y_2 Z_1^3 - Y_1)\left[X_1 (X_2 Z_1^2 - X_1)^2 - X_3\right] - Y_1 (X_2 Z_1^2 - X_1)^3 \\ Z_3 &= Z_1 (X_2 Z_1^2 - X_1) \end{aligned}$$
In Jacobian projective coordinates, take any point P(X_1, Y_1, Z_1) on the elliptic curve. Point doubling R(X_3, Y_3, Z_3) = 2P is computed as:
$$\begin{aligned} X_3 &= (3X_1^2 + aZ_1^4)^2 - 8X_1 Y_1^2 \\ Y_3 &= (3X_1^2 + aZ_1^4)(4X_1 Y_1^2 - X_3) - 8Y_1^4 \\ Z_3 &= 2Y_1 Z_1 \end{aligned}$$
On the mathematical foundation above, the point multiplication
Figure BSA00000442511200043
can be executed. For any integer $k = (k_{t-1}, \ldots, k_1, k_0)_2$ and P ∈ E(F_p), with O denoting the point at infinity, kP is computed by the following steps:
(1) Q ← O;
(2) for i from 0 to t-1 do
  a) if k_i = 1 then Q ← Q + P
  b) P ← 2P
(3) output Q.
As can be seen, the point multiplication Q = kP is completed using point addition and point doubling.
In point addition, point doubling and point multiplication, modular multiplication is the basic operation that is called repeatedly, and it is the key factor affecting point multiplication efficiency. The paper "P. Montgomery. Modular multiplication without trial division. Mathematics of Computation, 44:519-521, 1985." proposed the Montgomery modular multiplication algorithm, which uses the properties of a complete residue system to avoid the division by the modulus when computing ab mod n, and so effectively speeds up modular multiplication. The Montgomery algorithm can be explained as follows:
function
Figure BSA00000442511200051
Step 1. $t := \bar{a} \cdot \bar{b}$
Step 2. $u := (t + (t \cdot n' \bmod r) \cdot n) / r$
Step 3. if u ≥ n then return u - n else return u
In step 2 the low-order part (below r) of the intermediate result is necessarily zero, so the division by r can be replaced by a shift, avoiding a time-consuming division. However, the basic form of the Montgomery algorithm still contains multiplications of large integers and therefore needs to be further refined into multiplications of small integers. The paper "Kaya Koc C, Acar T, Kaliski BS Jr. Analyzing and Comparing Montgomery Multiplication Algorithms. IEEE Micro, 1996, 16(3): 26-33" compared five implementations of Montgomery modular multiplication (FIOS, CIOS, etc.); the basic idea of each is to decompose the multiplication of long integers into operations on short integers. Among them, the CIOS method is well suited to implementation on general-purpose processors.
Although ECC has higher resistance to attack (a 192-bit key generally achieves the strength of a 1024-bit RSA key), the computational load at such a key length remains considerable. The most direct way to improve the execution efficiency of point multiplication is to increase its parallelism: decompose the point multiplication into several concurrently executing arithmetic elements and shorten the execution time by consuming more computing resources. First, the equivalent transformation $Q = kP = k_{m-1}P + \cdots + k_1 P + k_0 P$ realizes parallelization of the point multiplication itself. Second, because point multiplication calls modular multiplication a great many times, increasing the parallelism of modular multiplication also effectively improves point multiplication efficiency. The paper "J. Fan, K. Sakiyama, and I. Verbauwhede, "Montgomery Modular Multiplication Algorithm for Multi-Core Systems," IEEE Workshop on Signal Processing Systems, pp. 261-266, 2007." analyzed the dependencies between the iterations of the FIOS algorithm and used a special design so that addition carries are generated only inside an arithmetic element, proposing a rather satisfactory parallelization scheme for Montgomery modular multiplication. Other parallel methods for point multiplication and modular multiplication have also been proposed in the literature.
To further improve the processing efficiency of the authentication server, an authentication server system with a cluster structure is generally adopted; its typical architecture is shown in Figure 1. A front-end server receives the certificate authentication request messages sent by network users and then, according to a predefined scheduling strategy, forwards each identity authentication request message by a load-balancing technique (such as DNS, reverse proxy or NAT) to a specific authentication server (AS_i). When AS_i completes the message processing and generates the certificate authentication response message, it sends it to the front-end server, which then sends the response to the user that submitted the corresponding request. The device performing the ECC computation is completely independent of the authentication server nodes and is connected to each server by a communication link (such as Ethernet). When the ECC arithmetic device receives a computation request from AS_i, it carries out the corresponding ECC operation according to the request parameters and returns the result to that AS_i. Because the ECC arithmetic device is the performance bottleneck of the authentication server cluster, it can be built on hardware design techniques such as dedicated ECC computing chips or high-speed DSP processors, and multiple parallel ECC arithmetic elements are provided to raise the overall data throughput of the system.
It must be pointed out that the concurrent-processing performance requirements of networks of different scales differ greatly, and that the authentication request traffic of the same network is bursty and varies greatly across time periods, so the average number of user authentication requests per second may change over time. When the number of user authentication requests is small, shortening the processing delay of a single request by fully utilizing system resources improves the user experience; when the number is large, increasing the number of concurrently processed requests reduces the probability that a request times out. For the typical cluster system above, the overall performance can be adapted to the burst characteristics of the authentication request traffic by configuring several ECC arithmetic devices of different performance levels or by configuring redundant equipment, but these measures increase the deployment cost of the system.
Summary of the invention
The present invention proposes a method for implementing an elliptic curve cryptography arithmetic device in an authentication system, which at low cost gives the authentication server cluster the ability to adapt dynamically to the burst characteristics of authentication request traffic.
The technical solution adopted by the present invention is as follows:
A method for implementing an elliptic curve cryptography arithmetic device in an authentication system, the method being based on using a public-key algorithm on a predefined elliptic curve and comprising, in the process of generating a signature in the authentication system: selecting a point P on the elliptic curve, generating for each authentication request an n-bit random number k, and completing for each authentication request the point multiplication of P and k
Figure BSA00000442511200071
characterized in that the concrete steps are as follows:
determining at least one arithmetic element group according to a segmentation rule, each arithmetic element group comprising at least one concurrent arithmetic element;
for each arithmetic element group, executing a decomposition-and-recombination operation that equivalently transforms the point multiplication Q = kP into an algorithm form with several concurrent computations, each concurrent arithmetic element executing one concurrent computation, so as to complete the point multiplication Q = kP corresponding to one authentication request.
As a preferred scheme, the segmentation rule is:
At least one parameter group is designed in advance to form an optimization set R; each parameter group defines the number of arithmetic element groups and the number of concurrent arithmetic elements in each group. For each parameter group, compute
Figure BSA00000442511200072
where L is the number of arithmetic element groups of the parameter group and m_l is the number of concurrent arithmetic elements in the l-th group, l = 1, 2, ..., L. According to the average number of authentication requests Q_avg received in a pre-designed measurement period, select for segmentation the parameter group that minimizes $c = \tau(m_{eff})_{normal} \cdot p(m_{eff}, nT, Q_{avg}, \sigma)$, where τ is the processing delay of a single authentication request, the subscript normal denotes normalization, nT is the length of the authentication request queue, σ is the variance of the number of authentication requests in the designated statistics period (characterizing how sparse or uniform the arrival times are), and p(m_eff, nT, Q_avg, σ) is the timeout probability of authentication request processing with m_eff, nT, Q_avg and σ as independent variables.
As a further preferred scheme, the segmentation rule is specifically:
Select the first parameter group from the optimization set R and execute step 31;
Step 31: obtain the system parameter nT and calculate m_eff; run a Monte Carlo simulation, generating authentication request input samples according to the specified Q_avg and σ, then simulate the arithmetic element group processing the input samples and obtain the timeout probability p of authentication request processing by statistics;
Step 32: change Q_avg and repeat step 31 to obtain several timeout probability values p;
Step 33: perform multivariable fitting on the obtained timeout probability values p and establish the empirical formula of the timeout probability p under m_eff
Figure BSA00000442511200081
Step 34: select the next parameter group from the optimization set and execute steps 31 to 33, until all parameter groups in the optimization set have been selected, thereby obtaining the empirical formula under each parameter group
Figure BSA00000442511200082
Step 35: set the following system parameters: the expected timeout probability limit p_th of authentication request processing and the authentication request queue threshold Q_th; let
Figure BSA00000442511200083
Figure BSA00000442511200084
Figure BSA00000442511200085
and execute step 36;
Step 36: record and calculate the average number of authentication requests per second Q_avg received by the authentication server system in the pre-designed measurement period, then execute the following strategy to reselect m_eff:
a) if Q_avg > Q_th, set m_eff = 1 and execute strategy g); otherwise execute strategy b);
b) for all m_eff values in the optimization set, compute with the corresponding empirical formulas
Figure BSA00000442511200086
then compute the composite parameter c, and execute strategy c);
c) if the condition holds under all alternative values of the parameter m_eff, set m_eff = 1 and execute strategy g); otherwise execute strategy d);
d) remove from the optimization set the m_eff elements that satisfy the condition
Figure BSA00000442511200092
producing a new optimization set
Figure BSA00000442511200093
then execute strategy e);
e) for the optimization set R', compare the composite parameters c and select the m_eff value with the smallest c, then execute strategy f);
f) if several m_eff values produce the minimum value of c, select the largest m_eff, then execute strategy g);
g) output the parameter group corresponding to m_eff.
As a further preferred scheme, in the optimization set the m_eff of each parameter group is an integer.
As a further preferred scheme, m_eff satisfies the constraint m_eff ∈ M, where M is the set of positive integer factors of the bit width n of the large number.
As a further preferred scheme, when the authentication server system works under the light-load condition, the segmentation rule is:
set K successively increasing parameter constants q_k, k = 1, 2, ..., K, all less than Q_th; every two adjacent parameter constants q_k form a constant interval (q_{k-1}, q_k), where q_0 = 0;
for each constant interval (q_{k-1}, q_k) set a corresponding segmentation parameter value m_k, with m_k increasing successively;
record and calculate the average number of authentication requests per second Q_avg received by the authentication server system in the pre-designed measurement period; if q_{k-1} < Q_avg < q_k, then m_eff = m_k, and output the parameter group corresponding to m_eff.
The light-load condition is that the number of waiting authentication requests is less than the predefined threshold Q_th.
As a further preferred scheme, when the authentication server system works under the heavy-load condition, the segmentation rule is:
set H successively increasing parameter constants σ_h, h = 1, 2, ..., H; every two adjacent parameter constants σ_h form a constant interval (σ_{h-1}, σ_h), where σ_0 = 0;
for each constant interval (σ_{h-1}, σ_h) set a corresponding segmentation parameter value m_h;
record and calculate the average number of authentication requests per second Q_avg received by the authentication server system in the pre-designed measurement period, and calculate the variance σ of the number of authentication requests; if σ_{h-1} < σ < σ_h, then m_eff = m_h, and output the parameter group corresponding to m_eff.
The heavy-load condition is that the timeout probability of authentication request processing persistently satisfies p > p_th.
As a preferred scheme, the concurrent arithmetic element is a point multiplication unit, and each arithmetic element group comprises at least one point multiplication unit and one point addition unit;
the decomposition-and-recombination operation comprises:
decomposing the random number k into m segments a_i, i = 0, 1, 2, ..., m-1, where m is the number of point multiplication units in the arithmetic element group;
computing in the i-th point multiplication unit the point product a_i P of the segment a_i and P;
using the point addition unit to sum the a_i P of all point multiplication units:
$$Q = \sum_{i=0}^{m-1} a_i P = a_{m-1}P + \cdots + a_1 P + a_0 P.$$
As a further preferred scheme, the concrete steps of the decomposition-and-recombination operation are:
decompose the random number k with U as the weight, expanding k into m segments:
Figure BSA00000442511200102
where each segment is a_i = U^i k_i;
in the i-th point multiplication unit, precompute and store the value U^i P;
in the i-th point multiplication unit, compute a_i P = (U^i k_i) P = k_i (U^i P);
the point addition unit sums the a_i P of all point multiplication units, obtaining:
$$Q = \sum_{i=0}^{m-1} a_i P = k_{m-1}(U^{m-1}P) + \cdots + k_1(UP) + k_0 P.$$
As a further preferred scheme, the parameter U is an integer power of 2, i.e. U = 2^w with w a natural number.
The decomposition-and-recombination scheme above is decomposition pattern 1, which decomposes the point multiplication Q = kP into several small-integer point multiplications; Figure 2 gives the schematic diagram of the arithmetic element group, in which the independently running arithmetic elements execute the small-integer point multiplications.
As another preferred scheme, the decomposition-and-recombination operation may also adopt the following decomposition pattern 2:
The FIOS algorithm is used to realize the Montgomery modular multiplication; the specific algorithm flow is as follows:
Input: integers X = (X_{s-1}, ..., X_0)_r, Y = (Y_{s-1}, ..., Y_0)_r, M = (M_{s-1}, ..., M_0)_r, where 0 ≤ X, Y ≤ M,
Figure BSA00000442511200112
r = 2^w with gcd(M, r) = 1, R = r^s, and M' = -M^{-1} mod r.
Output: XYR^{-1} mod M
Steps:
1: Z = (Z_{s-1}, ..., Z_0) ← 0
2: for i = 0 to s-1 do
3:   T ← (Z_0 + X_0 · Y_i) · M' mod r
4:   Z ← (Z + X · Y_i + M · T) / r
5: end for
6: if Z ≥ M then
7:   Z ← Z - M
8: end if
9: return Z
The FIOS algorithm decomposes the integer Y into s segments of w bits each, so the algorithm contains s iterations. Taking a parallel approach to modular multiplication, m DSP kernels form a modular multiplication unit and cooperate to complete one iteration of the FIOS algorithm, exchanging data with each other as they go. After the iterations have run, each DSP kernel holds one segment of the output; concatenating these segments gives the result of the Montgomery modular multiplication. One or more DSP kernels must also be configured in the system as a main control unit, which calls the Montgomery modular multiplication unit repeatedly to realize the composite operations of point addition, point doubling and point multiplication.
Decomposition pattern 2 decomposes the point multiplication Q = kP into several FIOS modular multiplication units; Figure 3 gives the schematic diagram of the arithmetic element group, in which each independently running arithmetic element executes one segment of the FIOS modular multiplication.
The advantage of the present invention is that the segmentation parameter m of the point multiplication decomposition in elliptic curve cryptography (ECC) is optimized dynamically: when the number of user authentication requests is small, the processing delay of a single request is shortened by fully utilizing system resources to improve the user experience, and when the number of user authentication requests is large, the timeout probability of request processing is reduced by increasing the number of concurrently processed requests, so that a balance is reached in the contradiction between single-request processing delay and the number of concurrently processed requests.
The beneficial effect of the present invention is that, without increasing the deployment cost, the authentication server cluster gains the ability to adjust system performance automatically according to the burst characteristics of the authentication request traffic in the network.
Description of drawings
Figure 1 is a typical authentication server cluster architecture.
Figure 2 is a schematic diagram of decomposition pattern 1 in the technical solution of the present invention.
Figure 3 is a schematic diagram of decomposition pattern 2 in the technical solution of the present invention.
Figure 4 is a schematic diagram of the point multiplication decomposition with the selected parameter group (L = 1; M = 6) in the technical solution of the present invention.
Figure 5 is a schematic diagram of the point multiplication decomposition with the selected parameter group (L = 2; M = 3) in the technical solution of the present invention.
Figure 6 is a schematic diagram of the principle of the ECC arithmetic device in embodiment 1 of the present invention.
Figure 7 is the correspondence between parameter group and average number of authentication requests per second in embodiment 3 of the present invention.
Figure 8 is the correspondence between parameter group and composite parameter in embodiment 4 of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments.
It can be proved mathematically that the point multiplication Q = kP in elliptic curve cryptography (ECC) is a linear transformation satisfying the commutative and distributive laws of multiplication. Any n-bit random number k can be expanded with powers of 2^w into m segments, where
Figure BSA00000442511200131
is a natural number and each segment is w bits wide:
$$k = \sum_{i=0}^{m-1} 2^{i w} k_i = 2^{(m-1)w} k_{m-1} + \cdots + 2^{w} k_1 + k_0,$$
Here, when w does not divide n exactly, k is extended to n' bits by zero-padding the high-order bits. The point multiplication can then be expressed in the following form:
$$Q = \sum_{i=0}^{m-1} (2^{i w} k_i) P = \sum_{i=0}^{m-1} k_i (2^{i w} P) = k_{m-1}(2^{(m-1)w} P) + \cdots + k_1(2^{w} P) + k_0 P.$$
After this transformation, for given parameters m and w the following intermediate results can be precomputed and stored:
{P, 2^w P, 2^{2w} P, ..., 2^{(m-1)w} P},
so that the point multiplication is decomposed into m independent point multiplications. According to this mathematical principle, the point multiplication is decomposed by a reasonable choice of the parameter m. Although there are infinitely many possible segment counts m, in engineering practice a specific set M is generally chosen as its domain.
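As an added example that is not the patent's own code, the following Python implements decomposition pattern 1 on a constructed toy curve (assumed parameters p = 2^61 - 1, a = -3, b = 7, chosen for illustration only): k is split into m segments of w bits, each segment product k_i (2^{iw} P) runs in its own worker, and a final point addition recombines them; the result is checked against plain double-and-add.

```python
# Added example (not the patent's code): the "pattern 1" decomposition of
# Q = kP into m independent w-bit segment products k_i * (2^{iw} P), combined
# by point addition. Threads stand in for the m DSP kernels; what the example
# shows is the correctness of the decomposition, not a speed-up.
from concurrent.futures import ThreadPoolExecutor

# Constructed toy curve y^2 = x^3 + A x + B over F_p (assumed parameters for
# illustration, not a standardised curve). p is prime with p = 3 mod 4, and
# 4A^3 + 27B^2 = 1215 != 0 mod p, so the curve is non-singular.
P_MOD = (1 << 61) - 1
A, B = -3, 7
INF = None  # the point at infinity O


def inv(x):
    """Field inversion in F_p (the costly operation Jacobian coordinates avoid)."""
    return pow(x, P_MOD - 2, P_MOD)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Affine point addition per the page's rules (1)-(3); doubling included."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:                      # Q = -P, so P + Q = O
            return INF
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD   # tangent slope (x1 = x2)
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD          # chord slope (x1 != x2)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Right-to-left double-and-add: the page's steps (1)-(3) for kP."""
    q = INF
    while k:
        if k & 1:
            q = point_add(q, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return q


def find_point():
    """Smallest-x point on the curve; the square root works because p = 3 mod 4."""
    for x in range(1, 1000):
        v = (x ** 3 + A * x + B) % P_MOD
        if pow(v, (P_MOD - 1) // 2, P_MOD) == 1:        # v is a square mod p
            return (x, pow(v, (P_MOD + 1) // 4, P_MOD))
    raise ValueError("no point found")


def split_scalar(k, n, m):
    """Split the n-bit k into m segments of w = ceil(n/m) bits, zero-padded."""
    w = -(-n // m)
    mask = (1 << w) - 1
    return w, [(k >> (i * w)) & mask for i in range(m)]


def precompute_table(pt, m, w):
    """{P, 2^w P, ..., 2^{(m-1)w} P}: each unit stores its own U^i P once."""
    table = [pt]
    for _ in range(1, m):
        nxt = table[-1]
        for _ in range(w):
            nxt = point_add(nxt, nxt)
        table.append(nxt)
    return table


def segmented_mult(k, pt, n, m):
    """Q = sum_i k_i (2^{iw} P), the m products run by m concurrent units."""
    w, segs = split_scalar(k, n, m)
    table = precompute_table(pt, m, w)
    with ThreadPoolExecutor(max_workers=m) as pool:
        partials = list(pool.map(scalar_mult, segs, table))
    q = INF
    for part in partials:          # the group's point addition unit
        q = point_add(q, part)
    return q


if __name__ == "__main__":
    base = find_point()
    k = int("c0ffee" * 8, 16)      # constructed 192-bit scalar
    print(segmented_mult(k, base, 192, 6) == scalar_mult(k, base))
```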
For a specific parameter m, it suffices to use several point multiplication operation units to generate the partial products and then perform a point addition to obtain the final result. For the physical realization of the point multiplication, a multi-core DSP device can be used to map each arithmetic element onto hardware; typical multi-core DSP devices include the picoArray array processor of picoChip and the multi-core DSP chips of Tilera.
Define the parameter group (L=h; M=M), M={m_l | l=1,2,...,h}, where L is the number of arithmetic element groups in this parameter group, m_l is the number of point multiplication operation units contained in the l-th arithmetic element group of this parameter group, and M is the set formed by the m_l. By special convention, when L=1 the parameter group is abbreviated as (L=1; M=m_1); when m_0=m_1=m_2=...=m_h, the parameter group is abbreviated as (L=h; M=m_0).
As shown in Figure 4, the 192-bit point multiplication decomposed with parameter group (L=1; M=6) is mapped onto 6 DSP cores; alternatively, as shown in Figure 5, the 192-bit point multiplication decomposed with parameter group (L=2; M=3) is mapped onto two groups of 6 DSP cores in total, the first group having 3 DSP cores and the second group having 3 DSP cores. Note that the DSP core hardware mapping given in the drawings is illustrative only. As a configurable device, a multi-core DSP gives the user's design full flexibility: several DSP cores may implement one arithmetic element, and one DSP core may implement several arithmetic elements. A design may therefore use several DSP cores working together to complete the computation of one w-bit segment, which greatly increases the computation speed.
Under a given system clock frequency, the number of instructions a DSP core executes per unit time is fixed, that is, it has a fixed computational capability. Define the single point multiplication processing delay corresponding to parameter group (L=h; M=1) as τ_0; for a given arithmetic system and a specific point multiplication implementation this parameter is constant, and the single point multiplication processing delay of the DSP core under a different parameter group (L=h; M=m_0) can be characterized by an expression in τ_0. If the point multiplication is divided into m segments executed concurrently, the single point multiplication processing delay is τ=τ_0/m.
Suppose the total number of cores in the system is C and they are divided into L=C/m arithmetic element groups of m cores each, where the m cores in each arithmetic element group respectively execute the m segment operations into which parameter group (L=h; M=m_0) divides the point multiplication. The single point multiplication processing delay of each point multiplication operation unit is τ=τ_0/m, its throughput is r=1/τ=m/τ_0, and the throughput of the system is:
$$R = r \times L = \left(\frac{m}{\tau_0}\right)\left(\frac{C}{m}\right) = \frac{C}{\tau_0}.$$
From this formula, since C and τ_0 are constants for a specific DSP system, the throughput R is also constant and independent of the number of segments m. That is, although decomposing the point multiplication shortens the single point multiplication processing delay, for a system with a limited number of DSP cores the system throughput is fixed.
The above principle is illustrated below with the configurations of Figures 4 and 5. Without loss of generality, assume that processing one bit of the input k in the point multiplication consumes T instruction cycles, so that processing w bits consumes wT instruction cycles. For the decomposition shown in Figure 4, 6 DSP cores then process 1 set of input data in 32T instruction cycles and 2 sets of input data in 64T instruction cycles. For the decomposition shown in Figure 5, 3 DSP cores process 1 set of input data in 64T instruction cycles; since the 6 DSP cores are divided into two groups operating concurrently, the 6 DSP cores likewise process 2 sets of input data in 64T instruction cycles. This analysis shows that the same 6 DSP cores achieve the same processing result in 64T instruction cycles, so the computational capability of the system does not differ with the point multiplication decomposition. However, with 6 DSP cores, the decomposition of Figure 4 processes the two inputs one after the other in time, whereas the decomposition of Figure 5 processes the two inputs simultaneously and outputs their results simultaneously.
It follows that when the number of segments m of the arithmetic elements changes, the number of concurrent processes the DSP cores can realize changes accordingly, but the overall throughput of the system remains essentially unchanged. When m decreases, fewer segments are executed in parallel (fewer DSP units are occupied), the processing delay of a single authentication request increases, and the number of concurrent processes increases; when m increases, more segments are executed in parallel (more DSP units are occupied), the processing delay of a single authentication request shortens, and the number of concurrent processes decreases. Since the arrival of user authentication requests is a random process, from a statistical viewpoint the earlier the processing of a user authentication request starts, the lower the probability that its processing times out, which calls for increasing the system's number of concurrent processes. When the number of authentication requests per unit time is small, the timeout probability is already low enough, and reducing the number of concurrent processes to shorten the processing delay of a single authentication request improves the user experience.
Because the authentication request traffic is bursty, no single fixed decomposition parameter group (L=h; M=M) can satisfy all traffic scenarios; only by adjusting the system's number of concurrent processes at suitable moments according to the statistical characteristics of the traffic can self-adaptation be realized.
There are several ways to reconfigure the system, such as dynamically loading the designated operation code into the DSP cores, or designing the DSP core code in a form that allows dynamic adjustment. Different numbers of segments m lead to different bit widths w computed by a single DSP core, which can be realized by adjusting the number of iterations of the operation loop; in this case a corresponding configuration channel must be added for the DSP cores so that the master DSP core can notify the designated DSP cores of the parameter group.
The technical scheme that automatically selects the parameter group (L=h; M=M) according to the burst characteristics of the authentication request traffic is described below:
Define the complex parameter:
$$c = \tau(m)_{\mathrm{normal}} \cdot p(m, nT, Q_{\mathrm{avg}}, \sigma),$$
where τ is the processing delay of a single authentication request (the subscript normal denotes normalization), p is the timeout probability of authentication request processing, m is the number of segments of the point multiplication decomposition, nT is the length of the authentication request queue, Q_avg is the average number of authentication requests in a designated statistical period, and σ is the variance of the number of authentication requests in the designated statistical period, which characterizes the sparsity or uniformity of the authentication request arrival times.
The complex parameter c takes into account both the processing delay τ of a single authentication request and the timeout probability p of authentication request processing, the two most important system performance indicators. An optimal design should reduce the timeout probability p while shortening the processing delay τ of a single authentication request as much as possible, so the system optimization criterion is to select the parameter group (L=h; M=M) that minimizes the complex parameter c.
For the above point multiplication decomposition algorithm, the best segmentation parameter m is determined by the following optimization:
$$\arg\min_{m \in M} \left\{ c = \tau(m)_{\mathrm{normal}} \cdot p(m, nT, Q_{\mathrm{avg}}, \sigma) \right\}.$$
When the segmentation parameter m changes, the number of segments into which the big number k is divided changes accordingly, so the resources consumed by an arithmetic element group and its single-processing delay also change. When m decreases, fewer segments are executed in parallel (fewer DSP units are occupied) and the single-processing delay of the arithmetic element group increases; when m increases, more segments are executed in parallel (more DSP units are occupied) and the single-processing delay of the arithmetic element group decreases. Because the total number of DSP units on a single chip is fixed and the system clock frequency is constant, the total number of concurrent processes decreases when a single arithmetic element group consumes more DSP units and increases when it consumes fewer; the overall throughput of the system does not change, but the single-processing delay of an arithmetic element group can be adjusted dynamically through the parameter m.
Suppose the system has L arithmetic element groups, each of which can be configured independently with its own parameter m. In a system where the DSP cores use a mixture of different parameter groups (L=h; M=M), the parameters m of the arithmetic element groups are mutually independent, so their segment numbers m may or may not be equal; the set M of m values therefore follows the rule of combinations with repetition, and the number of combinations is given by:
$$H_n^k = C_{n+k-1}^{k} = \binom{n+k-1}{k},$$
For the system described by the present invention, the segment number m is chosen from the set M; denoting the number of elements of M by C_M=#M and putting n=C_M, k=L in the formula, the number of combinations of different segment numbers m over L arithmetic element groups is:
$$H_{C_M}^{L} = C_{C_M+L-1}^{L} = \binom{C_M+L-1}{L}.$$
When the DSP cores use a mixture of different parameter groups (L=h; M=M), applying the optimization algorithm requires introducing the definition of the equivalent segment number m_eff, whose physical meaning is: if every arithmetic element group had segment number m_eff, the overall throughput of the system would equal that of the case in which different parameter groups (L=h; M=M) are mixed.
Denote the segment numbers of the L arithmetic element groups by m_l (l=1,2,...,L); their throughputs are r_l=m_l/τ_0, and the average throughput of the system is characterized by its mathematical expectation:
$$r_{\mathrm{avg}} = E(r_l) = E\!\left(\frac{m_l}{\tau_0}\right) = \frac{E(m_l)}{\tau_0}.$$
On the other hand, by the definition of the authentication request processing delay τ and the equivalent segment number m_eff, the average throughput can also be written as:
$$r_{\mathrm{avg}} = \frac{m_{\mathrm{eff}}}{\tau_0},$$
Comparing the two formulas above, the equivalent segment number m_eff is also characterized by the mathematical expectation:
$$m_{\mathrm{eff}} = E(m_l) = \sum_{l} m_l / L,$$
After introducing the equivalent segment number m_eff, the optimization method described earlier also applies to the case in which the DSP cores in the system use a mixture of different parameter groups (L=h; M=M), which effectively refines the control granularity of the adaptive algorithm and allows flexible adjustment through the total number of groups L.
With the equivalent segment number m_eff, the optimization can be expressed as:
$$\arg\min_{m_{\mathrm{eff}}} \left\{ c = \tau(m_{\mathrm{eff}})_{\mathrm{normal}} \cdot p(m_{\mathrm{eff}}, nT, Q_{\mathrm{avg}}, \sigma) \right\}.$$
It should be noted in particular that the equivalent segment number m_eff is not necessarily a natural number.
In the authentication server cluster system adopting the above technical scheme, shown in Figure 6, dynamic optimization of the segmentation parameter m of the point multiplication decomposition balances the conflict between the processing delay of a single authentication request and the number of concurrent processes, adapting to the different requirements of different burst traffic conditions.
Embodiment 1
The technical scheme that optimizes the parameter group (L=h; M=M) of the ECC arithmetic unit can be designed as follows:
First, the DSP cores in the system are divided into L arithmetic element groups. Suppose these arithmetic element groups may use different parameters m, with the segment number of each point multiplication operation unit denoted m_l, l=1,2,...,L; they form the set M={m_l | l=1,2,...,h}.
Define the equivalent segment number as the mathematical expectation of m_l:
$$m_{\mathrm{eff}} = E(m_l) = \frac{\sum_l m_l}{L},$$
For L point multiplication operation units,
Figure BSA00000442511200192
combinations can be formed; from these, several combinations are selected and their corresponding equivalent segment numbers m_eff form the set M'.
For the given system parameter nT and other necessary conditions, a mathematical model of the system is built; then, for the different conditions m_eff ∈ M ∪ M', Monte Carlo simulation is carried out: authentication request input samples are generated according to the designated Q_avg and σ parameters, the concurrent processing of the input samples and the corresponding strategy are examined in the simulated DSP, and the timeout probability p of authentication request processing under the predetermined conditions is obtained statistically. The results are then fitted with multivariate regression to establish the empirical equation of the timeout probability p of authentication request processing.
For example, for parameter group (L=2; M={3,4}), m_eff=(3+4)/2=3.5. A mathematical model is built in which the simulated DSP realizes two arithmetic element groups processing the input samples concurrently, the first arithmetic element group having 3 arithmetic elements and the second arithmetic element group having 4 arithmetic elements, where one arithmetic element may be realized by one or more DSP cores and one DSP core may also realize several arithmetic elements. The timeout probability p of authentication request processing under the predetermined conditions is obtained statistically. The results are then fitted with multivariate regression to establish the empirical equation p_{3.5}(Q_avg, σ) of the timeout probability p, which characterizes the timeout probability of authentication request processing when parameter group (L=2; M={3,4}) is used.
Set the following system parameters: the expected timeout probability limit p_th of authentication request processing and the authentication request queue threshold Q_th, which satisfy: when Q>Q_th, p>p_th.
For the above point multiplication decomposition algorithm, the best segmentation parameter m_eff is determined by the following optimization:
$$\arg\min_{m_{\mathrm{eff}} \in M} \left\{ c = \left(\frac{p_{\mathrm{th}}}{m_{\mathrm{eff}}}\right) \cdot p_{m_{\mathrm{eff}}}(Q_{\mathrm{avg}}, \sigma) \right\}.$$
Here the parameter p_th is used to normalize the parameter τ so that its range matches that of the parameter p.
The concrete optimization steps are as follows:
Record and compute the average number of authentication requests per second Q_avg received by the authentication server system over a pre-designed measurement period (for example 60 minutes), then execute the following strategy to reselect the parameter m_eff:
a) If Q_avg>Q_th, set m_eff=1 and execute strategy g); otherwise execute strategy b);
b) According to the pre-selected optimization set R, compute p_{m_eff}(Q_avg) with the empirical equation corresponding to each value m_eff ∈ R, then compute the complex parameter c, then execute strategy c);
c) If p_{m_eff}(Q_avg)>p_th under all candidate conditions of the parameter m_eff, set m_eff=1 and execute strategy g); otherwise execute strategy d);
d) Remove from the optimization set R the m_eff elements that satisfy the condition p_{m_eff}(Q_avg)>p_th, producing the new optimization set R', then execute strategy e);
e) For the optimization set R', compare the complex parameters c and select the m_eff value with the minimum c, then execute strategy f);
f) If several m_eff values produce the minimum c, select the largest of those m_eff values, then execute strategy g);
g) Output the parameter group (L=h; M=M) corresponding to m_eff.
After executing the above strategy, a new parameter group (L=h; M=M) is determined; the parameter group currently used by the ECC arithmetic unit is then checked, and if it is consistent with the new parameter group the system makes no change, otherwise the system sends a parameter reset command to the ECC arithmetic unit so that it works in the optimal state.
It should also be pointed out that the value of the measurement period should be chosen appropriately by simulation analysis or according to engineering experience. A measurement period that is too short may cause the system to be reset frequently; a measurement period that is too long may prevent the system from responding in time to the burst characteristics of the traffic, increasing the time the system works in a non-optimal state.
This embodiment, by controlling the mixed use of parameter groups (L=h; M=M) by the DSP cores, effectively refines the control granularity of the adaptive algorithm and allows flexible adjustment through the total number of groups L.
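The selection strategy of steps a) to g), with the equivalent segment number m_eff of Embodiment 1 and the integer case of Embodiment 2 below as one of the candidates, as an added example that is not code from the patent. The candidate parameter groups, the thresholds Q_th and p_th, the capacity constant, and in particular the timeout probability function standing in for the fitted empirical equation p_{m_eff}(Q_avg, σ) are all constructed assumptions of this example; a real system would replace the stand-in with the Monte Carlo fit described above.

```python
# Added example: parameter group reselection by the complex parameter c.
import math


def equivalent_segments(group):
    """m_eff = E(m_l) = (sum of m_l) / L for a parameter group (L=h; M={m_l})."""
    return sum(group) / len(group)


def timeout_probability(m_eff, q_avg, sigma, capacity=100.0):
    """Constructed stand-in for the fitted empirical equation p_{m_eff}(Q_avg, sigma).

    Timeout probability rises with the offered load (q_avg + sigma) and with
    m_eff, because a larger m_eff leaves fewer concurrently working arithmetic
    element groups.  The capacity constant is an assumption of this example.
    """
    return 1.0 - math.exp(-(q_avg + sigma) * m_eff / capacity)


def complex_parameter(m_eff, p, p_th):
    """c = (p_th / m_eff) * p: delay (proportional to 1/m_eff, normalised by
    p_th so it shares the range of p) times the timeout probability."""
    return (p_th / m_eff) * p


def select_parameter_group(candidates, q_avg, sigma, q_th, p_th,
                           p_model=timeout_probability):
    """Strategies a) to g) of Embodiment 1.

    candidates is the optimization set R, each entry the tuple of m_l of one
    parameter group.  Returns (branch taken, m_eff, parameter group).  The
    forced value m_eff = 1 is reported as the group (1,), i.e. (L=h; M=1).
    """
    if q_avg > q_th:                                   # a) queue threshold exceeded
        return "a", 1.0, (1,)
    scored = []                                        # b) p and c for every m_eff in R
    for group in candidates:
        m_eff = equivalent_segments(group)
        p = p_model(m_eff, q_avg, sigma)
        scored.append((group, m_eff, p, complex_parameter(m_eff, p, p_th)))
    if all(p > p_th for _, _, p, _ in scored):        # c) no candidate meets p_th
        return "c", 1.0, (1,)
    feasible = [s for s in scored if s[2] <= p_th]     # d) R' = R minus entries with p > p_th
    c_min = min(s[3] for s in feasible)                # e) minimum complex parameter
    best = [s for s in feasible if abs(s[3] - c_min) < 1e-12]
    group, m_eff, _, _ = max(best, key=lambda s: s[1]) # f) ties: largest m_eff (shortest delay)
    return "g", m_eff, group                           # g) output the parameter group


def needs_reset(current_group, new_group):
    """The reset command is sent only when the new group differs from the current one."""
    return tuple(current_group) != tuple(new_group)


# Constructed optimization set R: (3, 3) is the integer case (L=2; M=3) of
# Embodiment 2, (3, 4) the mixed group with m_eff = 3.5 of Embodiment 1.
CANDIDATES = [(1,), (2,), (3, 3), (3, 4), (4,), (8,)]
```

With Q_th=80 and p_th=0.35, a light load of Q_avg=10, σ=2 leaves several candidates under the timeout limit and the minimum c picks the mixed group (3, 4); at Q_avg=20, σ=5 only m_eff=1 stays feasible; at Q_avg=40, σ=10 every candidate exceeds p_th and strategy c) forces m_eff=1; and Q_avg=90 trips strategy a) before any model is evaluated.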
Embodiment 2
Embodiment 2 is the case of Embodiment 1 in which m_eff is an integer, that is, for the same parameter group divided into L arithmetic element groups, the segment number m of every arithmetic element group is identical; by convention the parameter group (L=h; M=M) is then abbreviated as (L=h; M=m_0), where m_0=m_1=m_2=...=m_L.
The technical scheme that optimizes the parameter group (L=h; M=m_0) of the ECC arithmetic unit can be designed as follows:
For the given system parameter nT and other necessary conditions, a mathematical model of the system is built; then, for the different conditions m ∈ M, Monte Carlo simulation is carried out: authentication request input samples are generated according to the designated Q_avg and σ parameters, the concurrent processing of the input samples and the corresponding strategy are examined in the simulated DSP, and the timeout probability p of authentication request processing under the predetermined conditions is obtained statistically. The results are then fitted with multivariate regression to establish the empirical equation p_m(Q_avg, σ) of the timeout probability p of authentication request processing.
For example, for parameter group (L=2; M={3,3}), m_eff=(3+3)/2=3, so the parameter group (L=2; M={3,3}) can be abbreviated as (L=2; M=3). A mathematical model is built in which the simulated DSP realizes two arithmetic element groups processing the input samples concurrently, the first arithmetic element group having 3 arithmetic elements and the second arithmetic element group having 3 arithmetic elements, where one arithmetic element may be realized by one or more DSP cores and one DSP core may also realize several arithmetic elements. The timeout probability p of authentication request processing under the predetermined conditions is obtained statistically. The results are then fitted with multivariate regression to establish the empirical equation p_3(Q_avg, σ) of the timeout probability p, which characterizes the timeout probability of authentication request processing when parameter group (L=2; M=3) is used.
Again set the following system parameters: the expected timeout probability limit p_th of authentication request processing and the authentication request queue threshold Q_th, which satisfy: when Q>Q_th, p>p_th.
For the above point multiplication decomposition algorithm, the best segmentation parameter m is determined by the following optimization:
$$\arg\min_{m \in M} \left\{ c = \left(\frac{p_{\mathrm{th}}}{m}\right) \cdot p_{m}(Q_{\mathrm{avg}}, \sigma) \right\}.$$
Here the parameter p_th is used to normalize the parameter τ so that its range matches that of the parameter p.
The concrete optimization steps are as follows:
Record and compute the average number of authentication requests per second Q_avg received by the authentication server system over a pre-designed measurement period (for example 60 minutes), then execute the following strategy to reselect the parameter group (L=h; M=m_0):
a) If Q_avg>Q_th, set m=1 and execute strategy g); otherwise execute strategy b);
b) According to the pre-selected optimization set R, compute p_m(Q_avg) with the empirical equation corresponding to each value m ∈ R, then compute the complex parameter c, then execute strategy c);
c) If p_m(Q_avg)>p_th under all candidate conditions of the parameter m, set m=1 and execute strategy g); otherwise execute strategy d);
d) Remove from the optimization set R the m elements that satisfy the condition p_m(Q_avg)>p_th, producing the new optimization set R', then execute strategy e);
e) For the optimization set R', compare the complex parameters c and select the m value with the minimum c, then execute strategy f);
f) If several m values produce the minimum c, select the largest of those m values, then execute strategy g);
g) Output the parameter group (L=h; M=m_0).
After executing the above strategy, a new parameter group (L=h; M=m_0) is determined; the parameter group currently used by the ECC arithmetic unit is then checked, and if it is consistent with the new parameter group the system makes no change, otherwise the system sends a parameter reset command to the ECC arithmetic unit so that it works in the optimal state.
Usually, for design convenience, the parameter m can be constrained to m ∈ M when selecting parameters, where M is the set of positive integer factors of n, so that the bit width n of the big number in the point multiplication is exactly divisible by the bit width w of each segment. For example, for n=192, m ∈ M={1,2,3,4,6,8,12,16,24,32,48,64,96}. If the parameter m is not constrained, the bit width n of the big number must be extended to guarantee that all DSP cores process in a consistent way. In engineering practice a subset of M may also be chosen as the optimization constraint, such as M'={1,2,4,8,16}, which represents execution efficiency increasing in steps of a factor of 2; such a design reduces the implementation difficulty of the optimization algorithm but to some extent gives up the control granularity of the adaptive algorithm.
To obtain the optimum, the number of DSP cores in each arithmetic element group should be chosen appropriately so that it is divisible by every element of the set M of the selected parameter m. Only then, after changing the parameter group (L=h; M=m_0) of a given grouping of DSP cores, can all DSP cores be guaranteed to be used effectively; otherwise some DSP cores may be left over when the DSP cores are allocated, while the leftover DSP cores are not enough to form another arithmetic element group.
Embodiment 3
Embodiment 3 is a special case of Embodiment 2: when the authentication server system works under light load, for example when the number of waiting authentication requests is less than the predefined threshold Q_th, it is reasonable to assume that the timeout probability of authentication request processing is p ≈ 0. Under this condition, the technical scheme that optimizes the parameter group (L=h; M=m_0) of the ECC arithmetic unit can also be designed as follows:
Determine the following parameter constants by simulation analysis combined with engineering experience: q_1, q_2, q_3, q_4, in units of authentication requests per second. These constants should satisfy q_1<q_2<q_3<q_4<Q_th. Record and compute the average number of authentication requests per second Q_avg received by the authentication server system over a pre-designed measurement period (for example 60 minutes), then, with reference to the parameter correspondence shown in Figure 7, execute the following strategy to reselect the parameter group (L=h; M=m_0):
a) If Q_avg<q_1, set the parameter m=16 and execute strategy f); otherwise execute strategy b);
b) If q_1<Q_avg<q_2, set the parameter m=8 and execute strategy f); otherwise execute strategy c);
c) If q_2<Q_avg<q_3, set the parameter m=4 and execute strategy f); otherwise execute strategy d);
d) If q_3<Q_avg<q_4, set the parameter m=2 and execute strategy f); otherwise execute strategy e);
e) Set the parameter m=1 and execute strategy f);
f) From the parameter m determined in the above steps and the bit width n of the big number in the point multiplication, compute the parameter w=n/m.
After executing the above strategy, a new parameter group (L=h; M=m_0) is determined; the parameter group currently used by the ECC arithmetic unit is then checked, and if it is consistent with the new parameter group the system makes no change, otherwise the system sends a parameter reset command to the ECC arithmetic unit so that it works in the optimal state.
Embodiment 4
Embodiment 4 is a special case of Embodiment 2: when the authentication server system works under heavy load, a timeout of authentication request processing is a high-probability event, and p>p_th is assumed. Under this condition, the technical scheme that optimizes the parameter group (L=h; M=m_0) of the ECC arithmetic unit can also be designed as follows:
Determine the following parameter constants by simulation analysis combined with engineering experience: σ_1, σ_2, σ_3, σ_4. These constants should satisfy σ_1<σ_2<σ_3<σ_4. Record and compute the variance σ of the number of authentication requests of the authentication server system over a pre-designed measurement period (for example 60 minutes), then, with reference to the parameter correspondence shown in Figure 8, execute the following strategy to reselect the parameter group (L=h; M=m_0):
a) If σ<σ_1, set the parameter m=16 and execute strategy f); otherwise execute strategy b);
b) If σ_1<σ<σ_2, set the parameter m=8 and execute strategy f); otherwise execute strategy c);
c) If σ_2<σ<σ_3, set the parameter m=4 and execute strategy f); otherwise execute strategy d);
d) If σ_3<σ<σ_4, set the parameter m=2 and execute strategy f); otherwise execute strategy e);
e) Set the parameter m=1 and execute strategy f);
f) From the parameter m determined in the above steps and the bit width n of the big number in the point multiplication, compute the parameter w=n/m.
After executing the above strategy, a new parameter group (L=h; M=m_0) is determined; the parameter group currently used by the ECC arithmetic unit is then checked, and if it is consistent with the new parameter group the system makes no change, otherwise the system sends a parameter reset command to the ECC arithmetic unit so that it works in the optimal state.
The above are only preferred embodiments of the present invention; it should be pointed out that a person of ordinary skill in the art can make several improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be considered within the protection scope of the present invention.

Claims (9)

1. An implementation method of an elliptic curve cryptography arithmetic device in an authentication system, the method being based on using a public key algorithm on a predefined elliptic curve and comprising, in the process in which the authentication system generates a signature, selecting a point P on the elliptic curve, generating for each authentication request a random variable k with n bits, and completing the point multiplication operation of P and k corresponding to each authentication request
Figure FDA00003574476700011
characterized in that the concrete steps are as follows:
determining at least one arithmetic element group according to a segmentation rule, each arithmetic element group comprising at least one concurrent arithmetic element;
for each arithmetic element group, performing a decomposition and recombination operation that equivalently transforms the point multiplication Q=kP into an algorithm form with several concurrent operations, each concurrent arithmetic element executing one concurrent operation, so as to complete the point multiplication Q=kP corresponding to one authentication request;
the concurrent arithmetic elements being point multiplication operation units, and each arithmetic element group comprising at least one point multiplication operation unit and one point add operation unit;
the decomposition and recombination operation comprising:
decomposing the random variable k into m segments a_i, i=0,1,2,...,m-1, where m is the number of point multiplication operation units included in this arithmetic element group;
computing in the i-th point multiplication operation unit the point multiplication a_i P of the segment a_i and P;
using the point add operation unit to sum the a_i P of all point multiplication operation units;
Figure FDA00003574476700012
2. The implementation method according to claim 1, characterized in that the segmentation rule is:
designing in advance at least one parameter group to form an optimization set R, each parameter group defining the number of arithmetic element groups and the number of arithmetic elements each arithmetic element group comprises; for each parameter group, computing
Figure FDA00003574476700013
where L is the number of arithmetic element groups of the parameter group and m_l is the number of concurrent arithmetic elements of the l-th arithmetic element group of the parameter group, l=1,2,...,L; according to the average number of authentication requests Q_avg received in a pre-designed measurement period, selecting the parameter group for which
Figure FDA00003574476700014
takes its minimum value, where τ is the processing delay of a single authentication request, the subscript normal denotes normalization, nT is the length of the authentication request queue, σ is the variance of the number of authentication requests in the designated statistical period, which characterizes the sparsity or uniformity of the authentication request arrival times, and p(m_eff, nT, Q_avg, σ) is the timeout probability of authentication request processing with m_eff, nT, Q_avg, σ as independent variables.
3. The implementation method according to claim 2, characterized in that the chopping rule is:
selecting the first parameter group from the optimization set R and executing step 31;
Step 31: obtaining the system parameter nT and computing m_eff; performing a Monte Carlo simulation in which authentication request input samples are generated according to the specified Q_avg and σ parameters, the arithmetic element group is simulated processing the input samples, and the timeout probability value p of authentication request processing is obtained by statistics;
Step 32: changing Q_avg and repeating step 31 to obtain a plurality of timeout probability values p;
Step 33: performing multivariable fitting on the plurality of timeout probability values p obtained, and establishing the empirical formula of the authentication request processing timeout probability p under m_eff;
Step 34: selecting the next parameter group from the optimization set and executing steps 31 to 33 until all parameter groups in the optimization set have been selected, thereby obtaining the empirical formula under each parameter group
Figure FDA00003574476700028
Step 35: setting the following system parameters: the expected authentication request processing timeout probability limit P_th and the authentication request queue threshold Q_th; letting
Figure FDA00003574476700021
Figure FDA00003574476700022
and executing step 36;
Step 36: recording and computing the average number of authentication requests per second Q_avg received by the authentication server system over the measurement period designed in advance, then executing the following strategy to reselect m_eff:
a) if Q_avg (comparison operator missing) Q_th, setting m_eff = 1 and executing strategy g); otherwise executing strategy b);
b) computing, for all m_eff values in the optimization set, the corresponding empirical formula
Figure FDA00003574476700024
and then computing the complex parameter c; then executing strategy c);
c) if, under all alternative conditions of the parameter m_eff,
Figure FDA00003574476700025
setting m_eff = 1 and executing strategy g); otherwise executing strategy d);
d) removing from the optimization set the m_eff elements that satisfy the condition (condition missing), producing the new optimization set
Figure FDA00003574476700029
then executing strategy e);
e) for the optimization set R', comparing the complex parameter c of its elements and selecting the m_eff value for which c is minimal; then executing strategy f);
f) if several m_eff values produce the minimal c value, selecting the largest m_eff value; then executing strategy g);
g) outputting the parameter group corresponding to m_eff.
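Steps 31 and 32 of claim 3 estimate the timeout probability p(m_eff, nT, Q_avg, σ) by Monte Carlo simulation and then sweep Q_avg. The patent does not state the queueing model, the delay of a single point multiplication, or the timeout limit, so the following added example (not the patent's own code) assumes all of them: per-second arrival counts are drawn from a rounded normal law with mean Q_avg and variance σ, a request occupies one of L arithmetic element groups for TAU_1 / m_eff seconds, the queue is FIFO with capacity nT, and a request counts as timed out when it is dropped from a full queue or its total sojourn time exceeds TIMEOUT_S. The names `simulate_timeout_probability`, `sweep_load`, `TAU_1`, `TIMEOUT_S` and the default L = 4 are all constructed for this illustration; the fitting of step 33 is not included.

```python
"""Monte Carlo estimate of the authentication-request timeout probability
p(m_eff, nT, Q_avg, sigma) for claim 3, steps 31-32.

Added illustration, not the patent's own code.  The patent gives no queueing
model, so everything below is an assumption:
  * per-second arrival counts ~ round(Normal(Q_avg, sqrt(sigma))), clipped at 0
    (sigma, the arrival-count variance, controls burstiness);
  * one request occupies one arithmetic-element group for
    tau = TAU_1 / m_eff seconds (m_eff point-multiplication units work on the
    same request in parallel; the final point additions are ignored);
  * FIFO queue of capacity nT in front of L identical groups; a request is
    "timed out" when dropped from a full queue or when its sojourn time
    (waiting + service) exceeds TIMEOUT_S.
"""
import heapq
import random
from collections import deque

TAU_1 = 0.2       # assumed: seconds for one full point multiplication on one unit
TIMEOUT_S = 1.0   # assumed: maximum acceptable sojourn time of one request


def simulate_timeout_probability(m_eff, nT, Q_avg, sigma, L=4,
                                 seconds=20, seed=1):
    """Step 31: one Monte Carlo run; returns the empirical timeout probability."""
    rng = random.Random(seed)           # seeded so a run is reproducible
    tau = TAU_1 / m_eff                 # per-request service time for this m_eff
    free_at = [0.0] * L                 # time at which each group becomes free
    heapq.heapify(free_at)
    waiting = deque()                   # start times of accepted, not yet started requests
    total = timed_out = 0
    for sec in range(seconds):
        count = max(0, int(round(rng.gauss(Q_avg, sigma ** 0.5))))
        arrivals = sorted(sec + rng.random() for _ in range(count))
        for t in arrivals:
            total += 1
            # Requests whose start time has passed are no longer in the queue.
            while waiting and waiting[0] <= t:
                waiting.popleft()
            if len(waiting) >= nT:      # queue full: request is dropped
                timed_out += 1
                continue
            start = max(t, heapq.heappop(free_at))   # first free group serves it
            heapq.heappush(free_at, start + tau)
            waiting.append(start)       # start times are non-decreasing in FIFO order
            if start + tau - t > TIMEOUT_S:
                timed_out += 1
    return timed_out / total if total else 0.0


def sweep_load(m_eff, nT, sigma, loads, **kw):
    """Step 32: vary Q_avg and collect the p values used for the later fitting."""
    return {q: simulate_timeout_probability(m_eff, nT, q, sigma, **kw) for q in loads}


if __name__ == "__main__":
    # Constructed sweep: nT = 50, sigma = 25, loads from light to saturating.
    for q, p in sweep_load(4, 50, 25, [2, 20, 60, 100, 200]).items():
        print(f"Q_avg={q:4d}  p={p:.3f}")
```

With L = 4 groups and tau = 0.05 s the simulated system can serve about 80 requests per second, so p stays at zero for light loads and rises once Q_avg exceeds that capacity; the sweep output is the raw material that step 33 fits into an empirical formula in m_eff.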
4. The implementation method according to claim 3, characterized in that, in the optimization set, the m_eff of each parameter group is an integer.
5. The implementation method according to claim 4, characterized in that m_eff satisfies the constraint m_eff ∈ M, where M is the set of positive integer factors of the bit width n of the large number.
6. The implementation method according to claim 4, characterized in that, when the authentication server system operates under the light-load condition, the chopping rule is:
setting K successively increasing parameter constants q_k, k = 1, 2, ..., K, all parameter constants q_k being less than Q_th, every two adjacent parameter constants q_k forming a constant interval (q_{k-1}, q_k), where q_0 = 0;
setting, for each constant interval (q_{k-1}, q_k), a corresponding segmentation parameter value m_k, the m_k increasing successively;
recording and computing the average number of authentication requests per second Q_avg received by the authentication server system over the measurement period designed in advance; if q_{k-1} < Q_avg < q_k, then m_eff = m_k, and outputting the parameter group corresponding to m_eff;
the light-load condition being when the number of waiting authentication requests is less than the predefined threshold Q_th.
7. The implementation method according to claim 4, characterized in that, when the authentication server system operates under the heavy-load condition, the chopping rule is:
setting H successively increasing parameter constants σ_h, h = 1, 2, ..., H, every two adjacent parameter constants σ_h forming a constant interval (σ_{h-1}, σ_h), where σ_0 = 0;
setting, for each constant interval (σ_{h-1}, σ_h), a corresponding segmentation parameter value m_h;
recording and computing the average number of authentication requests per second Q_avg received by the authentication server system over the measurement period designed in advance, computing the authentication request count variance σ; if σ_{h-1} < σ < σ_h, then m_eff = m_h, and outputting the parameter group corresponding to m_eff;
the heavy-load condition being when the authentication request processing timeout probability is persistently P > P_th.
8. The implementation method according to claim 1, characterized in that the specific steps of the decomposition and recombination operation are:
decomposing the random variable k by expanding it into m segments with U as the weight, k being expanded as
Figure FDA00003574476700041
where each segment is a_i = U^i k_i;
in the i-th point multiplication unit, precomputing and storing the value U^i P;
in the i-th point multiplication unit, computing a_i P = (U^i k_i) P = k_i (U^i P);
the point addition unit aggregating the a_i P from all point multiplication units to obtain
Figure FDA00003574476700042
9. The implementation method according to claim 8, characterized in that the parameter U is an integer power of 2, i.e. U = 2^w, where w is a natural number.
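Claims 1, 8 and 9 together describe one computation: the n-bit scalar k is cut into m chunks k_i of w = n/m bits, so k = Σ k_i U^i with U = 2^w; the i-th point multiplication unit holds the precomputed base U^i P and computes k_i (U^i P); the point addition unit sums the m partial products. The following added example (not the patent's own code) carries that through on a constructed toy curve y^2 = x^3 + 2x + 3 over GF(97) with the constructed point P = (3, 6), using a thread pool in place of the patent's hardware units; the function names, the curve and the constraint check that m divides n (claim 5) are this illustration's own choices, and the result is compared with a plain double-and-add scalar multiplication.

```python
"""Segmented (split-and-recombine) scalar multiplication, as in claims 1, 8, 9.

Added illustration, not the patent's own code.  The curve, field and base
point are constructed for the demo and offer no security.
"""
from concurrent.futures import ThreadPoolExecutor

# Constructed toy curve y^2 = x^3 + A x + B over GF(PRIME); INF = point at infinity.
PRIME = 97
A, B = 2, 3
INF = None


def _inv(x):
    """Modular inverse in GF(PRIME) via Fermat's little theorem."""
    return pow(x, PRIME - 2, PRIME)


def point_add(P1, P2):
    """Affine point addition / doubling on the toy curve."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % PRIME == 0:   # P1 == -P2 (covers doubling a 2-torsion point)
        return INF
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1) % PRIME
    else:
        lam = (y2 - y1) * _inv((x2 - x1) % PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    y3 = (lam * (x1 - x3) - y1) % PRIME
    return (x3, y3)


def scalar_mult(k, P):
    """Plain double-and-add; serves both as the per-unit operation and as the reference."""
    R, Q = INF, P
    while k:
        if k & 1:
            R = point_add(R, Q)
        Q = point_add(Q, Q)
        k >>= 1
    return R


def split_scalar(k, n, m):
    """Claim 8: k -> [k_0, ..., k_{m-1}] with k = sum k_i * U^i, U = 2^w, w = n/m."""
    assert 0 <= k < (1 << n), "k must be an n-bit value"
    assert n % m == 0, "claim 5: m must be a positive integer factor of n"
    w = n // m
    mask = (1 << w) - 1
    return [(k >> (w * i)) & mask for i in range(m)], 1 << w


def precompute_bases(P, U, m):
    """Claim 8: the i-th unit stores U^i P; computed once, reused for every request."""
    bases, Q = [], P
    for _ in range(m):
        bases.append(Q)
        Q = scalar_mult(U, Q)
    return bases


def segmented_scalar_mult(k, P, n, m, bases=None):
    """Claim 1: m units compute k_i (U^i P) concurrently, then the partials are added."""
    chunks, U = split_scalar(k, n, m)
    if bases is None:
        bases = precompute_bases(P, U, m)
    with ThreadPoolExecutor(max_workers=m) as pool:      # stands in for m hardware units
        partials = list(pool.map(scalar_mult, chunks, bases))
    R = INF
    for T in partials:                                   # the point-addition unit
        R = point_add(R, T)
    return R


if __name__ == "__main__":
    P = (3, 6)                       # constructed: 6^2 = 36 = 3^3 + 2*3 + 3 mod 97
    k, n = 0xABCD, 16
    for m in (1, 2, 4, 8, 16):       # every positive factor of n
        assert segmented_scalar_mult(k, P, n, m) == scalar_mult(k, P)
        print(f"m={m:2d} units: kP = {segmented_scalar_mult(k, P, n, m)}")
```

Because the bases U^i P depend only on P and m, they are computed once per parameter group and shared across authentication requests; only the m small multiplications k_i (U^i P) and m-1 point additions are on the per-request path, which is what lets a larger m shorten the delay of a single request.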
CN201110049667.7A 2011-03-01 2011-03-01 Realizing method of elliptic curve cryptography arithmetic device in authentication system Expired - Fee Related CN102131198B (en)

Publications (2)

Publication Number Publication Date
CN102131198A CN102131198A (en) 2011-07-20
CN102131198B true CN102131198B (en) 2013-11-06

Family

ID=44269064

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102521211B (en) * 2011-11-17 2014-09-10 华南理工大学 Parallel device for solving linear equation set on finite field
CN102929705B (en) * 2012-10-31 2015-06-17 飞天诚信科技股份有限公司 Method for quickly generating coordinate points in embedded system
CN104579651B (en) * 2013-10-28 2018-08-24 上海复旦微电子集团股份有限公司 The method and apparatus of elliptic curve cipher point multiplication operation
CN105610583B (en) * 2014-11-04 2018-10-26 上海华虹集成电路有限责任公司 ECDSA methods for resisting error curve attack
CN104461469A (en) * 2014-11-14 2015-03-25 成都卫士通信息产业股份有限公司 Method for achieving SM2 algorithm through GPU in parallelization mode
CN105357010B (en) * 2015-10-08 2019-04-02 武汉理工大学 A kind of crypto-operation method for computing resource constrained devices
CN106385318B (en) * 2016-09-06 2019-06-14 北京叮叮关爱科技有限公司 SDK verification method based on elliptic equation
CN109710308B (en) * 2017-10-25 2023-03-31 阿里巴巴集团控股有限公司 Task processing method, device and system
CN109698751A (en) * 2018-11-09 2019-04-30 北京中宇万通科技股份有限公司 Digital signature generates and sign test method, computer equipment and storage medium
CN110233727B (en) * 2019-06-12 2023-06-13 湖南国科微电子股份有限公司 SM2 operation method, system, equipment and computer storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8117447B2 (en) * 2008-01-10 2012-02-14 Industrial Technology Research Institute Authentication method employing elliptic curve cryptography

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101296075A (en) * 2007-04-29 2008-10-29 四川虹微技术有限公司 Identity authentication system based on elliptic curve
CN101626291A (en) * 2008-07-07 2010-01-13 谈剑锋 ECC algorithm-based identity authentication system and identity authentication method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Fan et al. Montgomery Modular Multiplication Algorithm on Multi-Core Systems. Signal Processing Systems, 2007 IEEE Workshop on, 2007-10-17, full text *
冯飞 et al. System design based on an elliptic curve cryptosystem. 计算机时代 (Computer Era), 2005, (12), full text. *
秦媛媛 et al. Fast implementation of elliptic curve cryptosystems over the finite field GF(2^m). 计算机工程与设计 (Computer Engineering and Design), 2006, 27(21), full text. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131106

Termination date: 20200301
