CN102761411B - P element field SM2 elliptic curve key agreement system - Google Patents

P element field SM2 elliptic curve key agreement system

Info

Publication number
CN102761411B
Authority
CN
China
Prior art keywords
submodule
field
point
module
value
Prior art date
Legal status
Active
Application number
CN201110107526.6A
Other languages
Chinese (zh)
Other versions
CN102761411A (en)
Inventor
徐树民
屈善新
刘振
王绍麟
田心
刘建巍
Current Assignee
Aisino Corp
Original Assignee
Aisino Corp
Priority date
Filing date
Publication date
Application filed by Aisino Corp
Priority to CN201110107526.6A
Publication of CN102761411A
Application granted
Publication of CN102761411B
Legal status: Active
Anticipated expiration

Abstract

The invention relates to a p element field SM2 elliptic curve key agreement system which comprises an initiator subsystem and a responder subsystem. The initiator subsystem is composed of an initiator control center for controlling the work time sequence and data calls of the other modules in the subsystem and judging whether key agreement succeeds or not, an initiator random number generation module for generating random numbers, an initiator multiple point operation module for implementing multiple point (scalar point multiplication) operation, an initiator point addition module for implementing point addition operation, and an initiator key derivation module with a key derivation function; and the responder subsystem is composed of a responder control center for controlling the work time sequence and data calls of the other modules in the subsystem and judging whether key agreement succeeds or not, a responder random number generation module for generating random numbers, a responder multiple point operation module for implementing multiple point operation, a responder point addition module for implementing point addition operation, and a responder key derivation module with a key derivation function. By using the p element field SM2 elliptic curve key agreement system provided by the invention, the key exchange protocol in the SM2 elliptic curve public key cryptography algorithm can be implemented in hardware.

Description

P element field SM2 elliptic curve key agreement system
Technical field
The present invention relates to the field of information security technology, and in particular to a p element field SM2 elliptic curve key agreement system.
Background technology
With the development of communication technology and information processing technology, the security of information in transit receives more and more attention, and information processing technology is needed to ensure that information is not eavesdropped on, tampered with or forged during communication. Cryptographic technology can meet this requirement.
Since Diffie and Hellman proposed the concept of public-key cryptosystems in 1976, three classes of public-key cryptosystems have been generally recognized as secure and efficient. The mathematical problems they rely on are respectively the integer factorization problem (IFP), the discrete logarithm problem (DLP) and the elliptic curve discrete logarithm problem (ECDLP), and the corresponding algorithms are the RSA algorithm, the DSA digital signature algorithm and elliptic curve cryptography (ECC). All three base the security of the key on the computational complexity of NPC problems (Non-deterministic Polynomial Complete problems). Compared with the other two algorithms, ECC offers higher security and requires less computation: at the same security level it needs a smaller key, processes faster and demands less bandwidth, so ECC systems have broader application prospects.
The SM2 elliptic curve public key cryptographic algorithm is an ECC algorithm issued by the State Cryptography Administration. Its key exchange protocol is an important component, applicable to key exchange in commercial cryptography applications: after two or three message transmissions, the two communicating parties can each compute one shared session key determined jointly by both of them. However, the State Cryptography Administration has published only the flow of the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm; no hardware device implementing it has yet appeared, which makes it hard to put this excellent algorithm into practical use.
Summary of the invention
The technical problem to be solved by the invention is to provide a p element field SM2 elliptic curve key agreement system that can implement the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware.
The technical solution by which the invention solves the above problem is as follows. A p element field SM2 elliptic curve key agreement system, in which the elliptic curve has a base point G of order n and a cofactor h; the initiator's hash value and the responder's hash value are ZA and ZB respectively; the initiator's public key and private key are PA and dA, and the responder's public key and private key are PB and dB; the length of the session key agreed by initiator and responder is klen. The system comprises an initiator subsystem and a responder subsystem. The initiator subsystem comprises an initiator control centre, an initiator random number generation module, an initiator point multiplication module, an initiator point addition module and an initiator key derivation module; the responder subsystem comprises a responder control centre, a responder random number generation module, a responder point multiplication module, a responder point addition module and a responder key derivation module. In this system,
The initiator control centre is used to: send rA and G to the initiator point multiplication module as one set of point multiplication operands; send RA to the responder control centre; compute x10 and x20 according to x10 = 2^w + [x1 & (2^w − 1)] and x20 = 2^w + [x2 & (2^w − 1)]; compute the scalar product x10·rA of x10 and rA and compute tA according to tA = (dA + x10·rA) mod n; judge whether RB is a point on the elliptic curve; send x20 and RB to the initiator point multiplication module as one set of point multiplication operands; compute the scalar product h·tA of h and tA; send PB and [x20]RB to the initiator point addition module as one set of point addition operands; send h·tA and (PB + [x20]RB) to the initiator point multiplication module as one set of point multiplication operands; judge whether U is the point at infinity; send the bit string Z formed by concatenating xU, yU, ZA and ZB to the initiator key derivation module; output the bit string KA returned by the initiator key derivation module as the initiator's session key; and, when RB is not a point on the elliptic curve or U is the point at infinity, output a negotiation failure;
The initiator random number generation module is used to send the generated random number rA, between 1 and (n − 1), to the initiator control centre;
The initiator point multiplication module is used to: perform rA-fold point multiplication on G, obtain the point RA with coordinates (x1, y1), and send RA to the initiator control centre; perform x20-fold point multiplication on RB and send the resulting [x20]RB to the initiator control centre; perform h·tA-fold point multiplication on (PB + [x20]RB) and send the resulting point U, with coordinates (xU, yU), to the initiator control centre;
The initiator point addition module is used to perform point addition on PB and [x20]RB and send the resulting (PB + [x20]RB) to the initiator control centre;
The initiator key derivation module is used to perform the key derivation operation on the bit string Z and send the resulting bit string KA, of length klen, to the initiator control centre;
The responder control centre is used to: send rB and G to the responder point multiplication module as one set of point multiplication operands; compute x10 and x20 according to x10 = 2^w + [x1 & (2^w − 1)] and x20 = 2^w + [x2 & (2^w − 1)]; compute the scalar product x20·rB of x20 and rB and compute tB according to tB = (dB + x20·rB) mod n; judge whether RA is a point on the elliptic curve; send x10 and RA to the responder point multiplication module as one set of point multiplication operands; compute the scalar product h·tB of h and tB; send PA and [x10]RA to the responder point addition module as one set of point addition operands; send h·tB and (PA + [x10]RA) to the responder point multiplication module as one set of point multiplication operands; judge whether V is the point at infinity; send the bit string Z' formed by concatenating xV, yV, ZA and ZB to the responder key derivation module; output the bit string KB returned by the responder key derivation module as the responder's session key; send RB to the initiator control centre; and, when RA is not a point on the elliptic curve or V is the point at infinity, output a negotiation failure;
The responder random number generation module is used to send the generated random number rB, between 1 and (n − 1), to the responder control centre;
The responder point multiplication module is used to: perform rB-fold point multiplication on G, obtain the point RB with coordinates (x2, y2), and send RB to the responder control centre; perform x10-fold point multiplication on RA and send the resulting [x10]RA to the responder control centre; perform h·tB-fold point multiplication on (PA + [x10]RA) and send the resulting point V, with coordinates (xV, yV), to the responder control centre;
The responder point addition module is used to perform point addition on PA and [x10]RA and send the resulting (PA + [x10]RA) to the responder control centre;
The responder key derivation module is used to perform the key derivation operation on the bit string Z' and send the resulting bit string KB, of length klen, to the responder control centre;
Here w is a parameter, & is the bitwise logical AND operator, and mod is the modulo operator.
The beneficial effects of the invention are as follows. Because the initiator control centre and the responder control centre can each schedule the operation of their corresponding random number generation module, point multiplication module, point addition module and key derivation module, the initiator and responder random number generation modules each generate a random number between 1 and (n − 1), rA and rB respectively; the initiator and responder point multiplication modules each perform point multiplication between a scalar value and a point; the initiator and responder point addition modules each perform point addition on two points; and the initiator and responder key derivation modules each perform the key derivation operation on a bit string. At the same time, the initiator control centre and the responder control centre each judge whether the negotiation succeeded, thereby realizing key agreement between initiator and responder: when the negotiation succeeds, the initiator and the responder obtain the same session key from their respective key derivation modules and use it to encrypt and decrypt their communication; when it fails, a negotiation failure message is output. Therefore the present invention can form the initiator subsystem from the initiator control centre, initiator random number generation module, initiator point multiplication module, initiator point addition module and initiator key derivation module, form the responder subsystem from the responder control centre, responder random number generation module, responder point multiplication module, responder point addition module and responder key derivation module, and so implement the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware.
Brief description of the drawings
Fig. 1 is the flow chart of the key exchange protocol in the SM2 elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration;
Fig. 2 is the structure diagram of the p element field SM2 elliptic curve key agreement system provided by the invention;
Fig. 3 is the hardware structure diagram by which the initiator control centre and the responder control centre of the invention implement the scalar multiplication function;
Fig. 4 is the structure diagram of the point multiplication module of the invention;
Fig. 5 is the structure diagram of the point addition module of the invention;
Fig. 6 is the structure diagram of the key derivation module of the invention;
Fig. 7 is the structure diagram of one specific embodiment of the invention;
Fig. 8 is the structure diagram of another specific embodiment of the invention.
Embodiments
The principles and features of the present invention are described below with reference to the accompanying drawings; the examples serve only to explain the invention and are not intended to limit its scope.
Fig. 1 is the flow chart of the key exchange protocol in the SM2 elliptic curve public key cryptographic algorithm issued by the State Cryptography Administration. Of the two communicating users involved in the key exchange protocol, the user who sends the first round of exchange messages is called the initiator and the other user the responder; both have a public/private key pair. In the present invention the initiator is denoted by the symbol A and the responder by the symbol B, so the initiator's public key and private key are denoted PA and dA, and the responder's public key and private key PB and dB. As shown in Fig. 1, steps A-101 to A-107 of this flow are performed by initiator A, steps B-101 to B-106 by responder B, and, when the corresponding condition is met, either initiator A or responder B may perform step 108.
As shown in Fig. 1, steps A-101 to A-107 are as follows:
Step A-101: confirm the known data of initiator A: the base point G of the elliptic curve, the order n of G, the cofactor h, the initiator's hash value ZA, the responder's hash value ZB, the initiator's public key PA and private key dA, the responder's public key PB, the session key length klen agreed by both parties, and the parameter w = ||(||log2 n||/2)|| − 1.
This step confirms the known data; the subsequent steps A-102 to A-107 all operate on the basis of the known data determined in this step.
The elliptic curve of the present invention is an elliptic curve over the finite field with p elements (the p element field). Over this field the curve equation is y^2 = x^3 + ax + b, where p is a prime greater than 3, a and b are values in the p element field satisfying (4a^3 + 27b^2) mod p ≠ 0, and mod is the modulo operator.
The elliptic curve of the present invention has a base point, denoted G, which is a point on the curve with coordinates (xG, yG) and order n. The curve also has a parameter called the cofactor, denoted h in the present invention.
The initiator's hash value ZA is the hash value obtained by applying the cryptographic hash operation to the bit string formed by concatenating the distinguishing identifier of A, the parameters a and b of the elliptic curve equation, xG, yG, and the abscissa xA and ordinate yA of PA; likewise, the responder's hash value ZB is the hash value obtained by applying the cryptographic hash operation to the concatenation of the distinguishing identifier of B, a, b, xG, yG, and the abscissa xB and ordinate yB of PB. Here concatenation means appending one bit string after the last bit of another bit string, and the cryptographic hash operation maps a bit string of arbitrary length to a bit string of fixed length, its output being called the hash value. The cryptographic hash operation is irreversible and its inputs and outputs correspond one-to-one, so a hash value obtained with it reveals no information about its input.
Before the key exchange protocol runs, A and B must agree on the length of the shared session key, denoted klen in the present invention.
In determining the parameter w, the operation ||X|| denotes the smallest positive integer greater than or equal to X; for example, ||7.2|| = 8, ||8|| = 9. Therefore ||log2 n|| is the smallest positive integer greater than or equal to log2 n, and ||(||log2 n||/2)|| is the smallest positive integer greater than or equal to (||log2 n||/2).
Step A-102: generate a random number rA between 1 and (n − 1), compute RA = [rA]G = (x1, y1), and send RA to the responder.
The random number rA in this step is a positive integer not exceeding (n − 1).
In the formula RA = [rA]G = (x1, y1), G is the base point of the elliptic curve, rA is the random number, [rA]G is the rA-fold point multiplication of G, and the result RA is also a point, with coordinates (x1, y1).
Step A-103: compute tA = (dA + x10·rA) mod n, where the parameter x10 is computed according to x10 = 2^w + [x1 & (2^w − 1)].
In this step x10·rA is a scalar multiplication in the p element finite field. In x10 = 2^w + [x1 & (2^w − 1)], & is the bitwise logical AND operator.
Step A-104: receive the RB sent in step B-106 and judge whether the coordinates of RB satisfy the elliptic curve equation of the present invention, that is, whether RB is a point on the elliptic curve; if so, perform step A-105, otherwise perform step 108.
This step is mainly a judgement step and is performed on the basis of step B-106.
Step A-105: compute U = [h·tA](PB + [x20]RB) = (xU, yU), where x20 is computed according to x20 = 2^w + [x2 & (2^w − 1)].
In this step h·tA is a scalar multiplication yielding a value in the p element finite field; [x20]RB is the x20-fold point multiplication of RB, and its result is then added to PB by point addition in the p element finite field, the result again being a point; thus [h·tA](PB + [x20]RB) is the h·tA-fold point multiplication of the point (PB + [x20]RB), and the result U is a new point on the elliptic curve with coordinates (xU, yU).
Step A-106: judge whether the U obtained in step A-105 is the point at infinity; if so, perform step 108, otherwise perform step A-107.
The point at infinity is a special point on the elliptic curve over the p element finite field. Step A-105 performs a point multiplication whose result may be the point at infinity, and when the negotiation succeeds the key exchange protocol uses the coordinates of U to compute A's session key, so the U taking part in that computation cannot be the point at infinity; this step therefore judges whether U is the point at infinity.
Step A-107: the negotiation succeeds; compute the session key KA according to KA = KDF(xU‖yU‖ZA‖ZB, klen).
Negotiation success in this step has two layers of meaning. First, it achieves key confirmation from B to A, that is, A is assured that B holds the session key. Second, because this step is performed after step A-104 has received the RB that B sent in step B-106, and step B-106 judged the negotiation from A to B successful, key confirmation from A to B has also been achieved, that is, B is assured that A holds the session key. Negotiation success in this step therefore has the further meaning that both A and B are assured that the other party holds the session key: the negotiation between A and B that the key exchange protocol sets out to perform is completely successful, and A only needs to compute the session key to end the negotiation process.
The KA computed here according to KA = KDF(xU‖yU‖ZA‖ZB, klen) is the session key that A and B share in the present invention. Mathematically, once the whole key exchange protocol has reached this step, the KA computed in this step equals the KB computed in step B-106, so both parties can encrypt the data they send to each other with the same session key and decrypt the encrypted data they receive.
Here xU‖yU‖ZA‖ZB is the bit string formed by concatenating the abscissa xU of U, the ordinate yU, the initiator's hash value ZA and the responder's hash value ZB, where ‖ denotes bit string concatenation. The operation KDF(xU‖yU‖ZA‖ZB, klen) performs the key derivation operation on the bit string xU‖yU‖ZA‖ZB and generates a bit string of length klen; KDF is the identifier of the key derivation function. Denote the bit string xU‖yU‖ZA‖ZB by Z, let ct be a 32-bit counter variable, and let v be the bit length of the hash value produced by the cryptographic hash operation performed inside this key derivation; the key derivation operation then proceeds as follows:
(a) set the initial value of ct to 00000001 in hexadecimal;
(b) determine ||klen/v||, the smallest positive integer greater than or equal to (klen/v); as the loop variable i increases from 1 to ||klen/v||, perform steps (b1) and (b2) in a loop:
(b1) compute Ha_i = H_v(Z‖ct), where H_v(Z‖ct) is the cryptographic hash operation applied to the concatenation of Z and ct, producing a hash value of v bits;
(b2) increment ct by 00000001 in hexadecimal;
(c) if (klen/v) is an integer, set Ha!_||klen/v|| = Ha_||klen/v||; otherwise set Ha!_||klen/v|| to the leftmost (klen − v·⌊klen/v⌋) bits of the bit string Ha_||klen/v||, counting from the highest-order bit, where ⌊klen/v⌋ is the largest integer not exceeding (klen/v);
(d) perform the concatenation KA = Ha_1‖Ha_2‖…‖Ha_(||klen/v||−1)‖Ha!_||klen/v|| to obtain the session key KA.
Thus steps (a) to (d) obtain the session key KA by the key derivation operation. It can be seen that, apart from bit string concatenation, the core of the key derivation is the cryptographic hash operation performed in a loop. The purpose of step (c) is to determine the last bit string Ha!_||klen/v|| that is concatenated into KA in step (d), so that the length of KA equals the length klen agreed in advance by A and B.
Steps B-101 to B-106 are as follows:
Step B-101: confirm the known data of responder B: the base point G of the elliptic curve, the order n of G, the cofactor h, the initiator's hash value ZA, the responder's hash value ZB, the responder's public key PB and private key dB, the initiator's public key PA, the session key length klen agreed by both parties, and the parameter w = ||(||log2 n||/2)|| − 1.
Similar to step A-101, this step confirms the known data; the subsequent steps B-102 to B-106 all operate on the basis of the known data determined in this step.
Step B-102: generate a random number rB between 1 and (n − 1), compute RB = [rB]G = (x2, y2), and compute tB = (dB + x20·rB) mod n, where the parameter x20 is computed according to x20 = 2^w + [x2 & (2^w − 1)].
Similar to step A-102, [rB]G in this step is also a point multiplication of G; the difference is the multiplier: here an rB-fold point multiplication is performed, and the result RB is also a point, with coordinates (x2, y2).
Similar to step A-103, x20·rB in this step is also a scalar multiplication in the p element finite field.
Step B-103: receive the RA sent by A and judge whether the coordinates of RA satisfy the elliptic curve equation; if so, perform step B-104, otherwise perform step 108.
The RA received in this step is the coordinates of the point computed by A in step A-102.
Step B-104: compute V = [h·tB](PA + [x10]RA) = (xV, yV), where x10 is computed by the formula x10 = 2^w + [x1 & (2^w − 1)].
Similar to step A-105, h·tB in this step is a scalar multiplication yielding a value in the p element finite field; [x10]RA is the x10-fold point multiplication of RA, and its result is then added to PA by point addition in the p element finite field, the result again being a point; thus [h·tB](PA + [x10]RA) is the h·tB-fold point multiplication of the point (PA + [x10]RA), and the result V is a new point on the elliptic curve with coordinates (xV, yV).
Step B-105: judge whether the V obtained in step B-104 is the point at infinity; if so, perform step 108, otherwise perform step B-106.
Step B-106: the negotiation from A to B succeeds; compute KB according to KB = KDF(xV‖yV‖ZA‖ZB, klen), and send RB to A.
In this step, success of the negotiation from A to B means that key confirmation from A to B has been achieved, that is, B is assured that A holds the session key; B can therefore compute KB as the session key and end the responder's negotiation process. The remaining work of the key exchange protocol passes to step A-104, performed by initiator A. If A also judges the negotiation successful, the negotiation process of this key exchange protocol is completely successful, and A computes the initiator's session key KA in step A-107. Mathematically, the KA obtained in step A-107 equals the KB obtained in this step, so from then on initiator A and responder B use the same session key to encrypt and decrypt information in their communication.
In addition, step 108 is: the negotiation fails.
Here, whether A performs this step during steps A-101 to A-107 or B performs it during steps B-101 to B-106, the negotiation process of the whole key exchange protocol has failed, and A and B must restart the negotiation process to obtain a session key shared by both.
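The following Python program is an added worked example and is not code from the patent or from Aisino: it runs the complete flow of steps A-101 to A-107 and B-101 to B-106 above in software (affine point arithmetic over the p element field, the x10/x20 reduction, tA and tB, U and V, the point-on-curve and point-at-infinity checks of steps A-104/A-106 and B-103/B-105, and the key derivation of steps (a) to (d)), then checks that KA equals KB. It assumes the recommended SM2 curve parameters from the published SM2 standard (cofactor h = 1, so w = 127), uses SHA-256 as a stand-in for the cryptographic hash operation (SM2 itself specifies SM3 with v = 256, which is not available in every Python build), and uses constructed 32-byte values for ZA and ZB instead of hashing identifiers. The function names (point_mul, reduce_x, kdf, responder, initiator_finish, run_exchange) are the example's own.

```python
import hashlib
import secrets

# Recommended SM2 curve over F_p (parameters from the published SM2 standard).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H_COFACTOR = 1
# w = ||(||log2 n||/2)|| - 1; n is not a power of two, so ||log2 n|| = n.bit_length().
W = -(-N.bit_length() // 2) - 1            # 127 for the 256-bit n above
FIELD_BYTES = (P.bit_length() + 7) // 8    # coordinates encode as 32 bytes
# Points are (x, y) tuples; None is the point at infinity.

def on_curve(pt) -> bool:
    """Does pt satisfy y^2 = x^3 + ax + b (mod p)?  Steps A-104 / B-103."""
    if pt is None:
        return False
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p1, p2):
    """Affine point addition; also covers doubling and P + (-P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:             # p2 == -p1
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k: int, pt):
    """[k]pt by double-and-add: the page's 'point multiplication module'."""
    acc = None
    while k > 0:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def reduce_x(x: int) -> int:
    """x10 / x20 of the page: 2^w + [x & (2^w - 1)]."""
    return (1 << W) + (x & ((1 << W) - 1))

def kdf(z: bytes, klen: int, hash_fn=hashlib.sha256) -> bytes:
    """Steps (a)-(d); klen is in bits (byte-aligned here). SHA-256 stands in
    for the hash operation (SM2 itself specifies SM3, v = 256)."""
    assert klen % 8 == 0
    v = hash_fn().digest_size * 8
    out = b""
    for ct in range(1, -(-klen // v) + 1):   # ct = 1 .. ||klen/v||, 32-bit counter
        out += hash_fn(z + ct.to_bytes(4, "big")).digest()
    return out[: klen // 8]                  # step (c): keep the leftmost klen bits

def enc(x: int) -> bytes:
    return x.to_bytes(FIELD_BYTES, "big")

def rand_scalar() -> int:
    return secrets.randbelow(N - 1) + 1      # uniform in [1, n-1]

def responder(dB, PA, RA, ZA, ZB, klen):
    """Steps B-102..B-106. Returns (RB, KB); (None, None) is step 108."""
    rB = rand_scalar()
    RB = point_mul(rB, G)
    tB = (dB + reduce_x(RB[0]) * rB) % N
    if not on_curve(RA):
        return None, None
    V = point_mul(H_COFACTOR * tB, point_add(PA, point_mul(reduce_x(RA[0]), RA)))
    if V is None:
        return None, None
    return RB, kdf(enc(V[0]) + enc(V[1]) + ZA + ZB, klen)

def initiator_finish(dA, rA, RA, PB, RB, ZA, ZB, klen):
    """Steps A-103..A-107. Returns KA, or None for step 108."""
    tA = (dA + reduce_x(RA[0]) * rA) % N
    if not on_curve(RB):
        return None
    U = point_mul(H_COFACTOR * tA, point_add(PB, point_mul(reduce_x(RB[0]), RB)))
    if U is None:
        return None
    return kdf(enc(U[0]) + enc(U[1]) + ZA + ZB, klen)

def run_exchange(klen: int = 128):
    """Whole A/B flow with fresh keys; ZA, ZB are constructed stand-in hash values."""
    dA, dB = rand_scalar(), rand_scalar()
    PA, PB = point_mul(dA, G), point_mul(dB, G)
    ZA, ZB = b"\x11" * 32, b"\x22" * 32
    rA = rand_scalar()
    RA = point_mul(rA, G)                          # step A-102
    RB, KB = responder(dB, PA, RA, ZA, ZB, klen)   # steps B-102..B-106
    KA = initiator_finish(dA, rA, RA, PB, RB, ZA, ZB, klen)
    return KA, KB
```

Calling run_exchange() with fresh random keys returns a matching pair (KA, KB); handing the responder an RA that does not satisfy the curve equation makes it return (None, None), which is the page's step 108, and the same check on the initiator side rejects a bad RB. The two keys agree because U = [h·tA](PB + [x20]RB) = [h·tA·(dB + x20·rB)]G = [h·tA·tB]G, and V = [h·tB](PA + [x10]RA) reduces to the same point, so both sides hash the same Z. The on-curve check before any point multiplication matters for exactly the reason the page gives for steps A-104 and B-103: a received point that is not on the curve must never enter the computation.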
Fig. 2 is the structure diagram of the p element field SM2 elliptic curve key agreement system provided by the invention. The elliptic curve of the present invention has a base point G of order n and a cofactor h; the initiator's hash value and the responder's hash value are ZA and ZB respectively; the initiator's public key and private key are PA and dA, and the responder's public key and private key are PB and dB; the length of the session key agreed by initiator and responder is klen. This key agreement system implements the key exchange protocol of the p element field SM2 elliptic curve public key cryptographic algorithm in hardware: if the initiator and the responder negotiate successfully, each of them generates the same session key, of the agreed length klen.
As shown in Fig. 2, the system comprises an initiator subsystem 212 and a responder subsystem 213. The initiator subsystem 212 comprises an initiator control centre 201, an initiator random number generation module 202, an initiator point multiplication module 205, an initiator point addition module 204 and an initiator key derivation module 203; the responder subsystem 213 comprises a responder control centre 206, a responder random number generation module 207, a responder point multiplication module 208, a responder point addition module 209 and a responder key derivation module 210. As can be seen, the modules of the initiator subsystem and the responder subsystem correspond to each other one-to-one and can be implemented with the same hardware. In this system,
The initiator control centre 201 is used to: send rA and G to the initiator point multiplication module 205 as one set of point multiplication operands; send RA to the responder control centre 206; compute x10 and x20 according to x10 = 2^w + [x1 & (2^w − 1)] and x20 = 2^w + [x2 & (2^w − 1)]; compute the scalar product x10·rA of x10 and rA and compute tA according to tA = (dA + x10·rA) mod n; judge whether RB is a point on the elliptic curve; send x20 and RB to the initiator point multiplication module 205 as one set of point multiplication operands; compute the scalar product h·tA of h and tA; send PB and [x20]RB to the initiator point addition module 204 as one set of point addition operands; send h·tA and (PB + [x20]RB) to the initiator point multiplication module 205 as one set of point multiplication operands; judge whether U is the point at infinity; send the bit string Z formed by concatenating xU, yU, ZA and ZB to the initiator key derivation module 203; output the bit string KA returned by the initiator key derivation module 203 as the initiator's session key; and, when RB is not a point on the elliptic curve or U is the point at infinity, output a negotiation failure;
The initiator random number generation module 202 is used to send the generated random number rA, between 1 and (n − 1), to the initiator control centre 201;
The initiator point multiplication module 205 is used to: perform rA-fold point multiplication on G, obtain the point RA with coordinates (x1, y1), and send RA to the initiator control centre 201; perform x20-fold point multiplication on RB and send the resulting [x20]RB to the initiator control centre 201; perform h·tA-fold point multiplication on (PB + [x20]RB) and send the resulting point U, with coordinates (xU, yU), to the initiator control centre 201;
The initiator point addition module 204 is used to perform point addition on PB and [x20]RB and send the resulting (PB + [x20]RB) to the initiator control centre 201;
The initiator key derivation module 203 is used to perform the key derivation operation on the bit string Z and send the resulting bit string KA, of length klen, to the initiator control centre 201;
The responder control centre 206 is used to: send rB and G to the responder point multiplication module 208 as one set of point multiplication operands; compute x10 and x20 according to x10 = 2^w + [x1 & (2^w − 1)] and x20 = 2^w + [x2 & (2^w − 1)]; compute the scalar product x20·rB of x20 and rB and compute tB according to tB = (dB + x20·rB) mod n; judge whether RA is a point on the elliptic curve; send x10 and RA to the responder point multiplication module 208 as one set of point multiplication operands; compute the scalar product h·tB of h and tB; send PA and [x10]RA to the responder point addition module 209 as one set of point addition operands; send h·tB and (PA + [x10]RA) to the responder point multiplication module 208 as one set of point multiplication operands; judge whether V is the point at infinity; send the bit string Z' formed by concatenating xV, yV, ZA and ZB to the responder key derivation module 210; output the bit string KB returned by the responder key derivation module 210 as the responder's session key; send RB to the initiator control centre 201; and, when RA is not a point on the elliptic curve or V is the point at infinity, output a negotiation failure;
The responder random number generation module 207 is used to send the generated random number rB, between 1 and (n − 1), to the responder control centre 206;
The responder point multiplication module 208 is used to: perform rB-fold point multiplication on G, obtain the point RB with coordinates (x2, y2), and send RB to the responder control centre 206; perform x10-fold point multiplication on RA and send the resulting [x10]RA to the responder control centre 206; perform h·tB-fold point multiplication on (PA + [x10]RA) and send the resulting point V, with coordinates (xV, yV), to the responder control centre 206;
The responder point addition module 209 is used to perform point addition on PA and [x10]RA and send the resulting (PA + [x10]RA) to the responder control centre 206;
The responder key derivation module 210 is used to perform the key derivation operation on the bit string Z' and send the resulting bit string KB, of length klen, to the responder control centre 206;
Here w is a parameter, & is the bitwise logical AND operator, and mod is the modulo operator.
It is pointed out that all refer to the computing carried out the coordinate of this point, such as, point add operation is the computing carried out the coordinate of two points to putting the computing carried out in the present invention, point doubling is the computing carried out the coordinate of a scalar and a point.Therefore, each module mentioned in the present invention or submodule send or acceptance point, and what refer to is exactly the coordinate sending or receive this point.
Initiator control centre in the present invention and responder control centre are the control centre of respective place subsystem, be responsible for the work schedule arranging each module in the subsystem of place, and by data in each intermodule transmission, computing, send the data to the control centre in another subsystem, most important, this Liang Ge control centre is responsible for judging to consult success or not, as initiator control centre can judge that whether RB is the point on elliptic curve, if judged result is no, then export and consult failure, this illustrates the negotiation failure of initiator and responder.Again such as, responder control centre is responsible for judging whether V is infinite point, if so, then exports and consults failure, and this also illustrates the negotiation failure of initiator and responder.
Corresponding to the flow chart of Fig. 1, steps A-101 to A-107 are carried out by the initiator subsystem, steps B-101 to B-106 by the responder subsystem, and step 108 by both parties together. Steps A-101 and B-101 are carried out by the control centre of the corresponding subsystem: the known data of these two steps are input to, or stored in, that control centre, which sends them to the corresponding modules for use in the computation. Generating the random number rA in the range 1 to (n − 1) in step A-101 is carried out by the initiator random number generation module; obtaining RA = [rA]G = (x1, y1) is carried out by the initiator point-multiplication module; sending RA to the responder, and steps A-103, A-104 and A-106, are carried out by the initiator control centre. In step A-105 the scalar multiplication of h and tA is carried out by the initiator control centre, the point multiplications [x20]RB and [h·tA](PB + [x20]RB) by the initiator point-multiplication module, and the point addition PB + [x20]RB by the initiator point-addition module. In step A-107 the decision whether the negotiation succeeded is made by the initiator control centre, and the session key KA = KDF(xU ‖ yU ‖ ZA ‖ ZB, klen) is computed by the initiator key derivation module. Correspondingly, the modules of the responder subsystem carry out steps B-101 to B-106: generating the random number rB in the range 1 to (n − 1) in step B-102 is carried out by the responder random number generation module; obtaining RB = [rB]G = (x2, y2) by the responder point-multiplication module; computing tB = (dB + x20·rB) mod n and x20 = 2^w + (x2 & (2^w − 1)), together with step B-103, by the responder control centre; in step B-104 the scalar multiplication of h and tB by the responder control centre, the point multiplications [x10]RA and [h·tB](PA + [x10]RA) by the responder point-multiplication module, and the point addition PA + [x10]RA by the responder point-addition module; in steps B-105 and B-106 the decision whether the negotiation from A to B succeeded, and the sending of RB to initiator A, by the responder control centre; and KB = KDF(xV ‖ yV ‖ ZA ‖ ZB, klen) by the responder key derivation module. Depending on the outcome of that decision, step 108 is carried out by the initiator control centre or by the responder control centre.
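The exchange described in the steps above, run end to end for both parties as an added worked example (this is not the patent's hardware or code). It uses plain affine arithmetic with one modular inversion per point operation, takes the recommended SM2 curve parameters from GB/T 32918.5 as given, derives w by the SM2 rule w = ⌈⌈log2 n⌉/2⌉ − 1 (the page does not state the formula), and stops at the bit string xU ‖ yU ‖ ZA ‖ ZB that is handed to the key derivation module; ZA and ZB are constructed placeholders. The two failure cases the control centres check (peer ephemeral point not on the curve, result equal to the point at infinity) are raised as errors.

```python
"""SM2 key exchange as scheduled above, run end to end for both parties in
plain affine arithmetic (one modular inversion per point operation)."""
import secrets

# Recommended SM2 curve y^2 = x^3 + a*x + b over GF(p), from GB/T 32918.5 (values assumed correct).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H = 1          # cofactor h
INF = None     # point at infinity
W = -(-N.bit_length() // 2) - 1   # w = ceil(ceil(log2 n)/2) - 1 = 127; the SM2 rule, not stated on this page


def on_curve(pt):
    """The check a control centre runs on the received RA / RB: a finite point satisfying the curve equation."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Point-addition module: affine chord/tangent addition, returning INF for Q + (-Q)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt):
    """Point-multiplication module: [k]pt by right-to-left double-and-add."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = point_add(acc, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return acc


def x_bar(x):
    """The fold used for x10 and x20: 2^w + (x & (2^w - 1))."""
    return (1 << W) + (x & ((1 << W) - 1))


def keygen():
    """Long-term key pair (dA, PA) or (dB, PB)."""
    d = secrets.randbelow(N - 1) + 1
    return d, point_mul(d, G)


def ephemeral(r):
    """RA = [rA]G or RB = [rB]G from the random number module's r in [1, n-1]."""
    if not 1 <= r <= N - 1:
        raise ValueError("r out of range")
    return point_mul(r, G)


def shared_point(d_own, r_own, r_point_own, p_peer, r_point_peer):
    """Initiator: U = [h*tA](PB + [x20]RB) with tA = (dA + x10*rA) mod n.
    Responder: V = [h*tB](PA + [x10]RA) with tB = (dB + x20*rB) mod n.
    The fold of the own ephemeral x goes into t, the fold of the peer's into the point multiplication.
    Raises ValueError in exactly the two cases where the control centres report negotiation failure."""
    if not on_curve(r_point_peer):
        raise ValueError("negotiation failed: peer's ephemeral point is not on the curve")
    t = (d_own + x_bar(r_point_own[0]) * r_own) % N
    point = point_mul(H * t, point_add(p_peer, point_mul(x_bar(r_point_peer[0]), r_point_peer)))
    if point is INF:
        raise ValueError("negotiation failed: result is the point at infinity")
    return point


def key_material(point, za, zb):
    """Bit string xU || yU || ZA || ZB (resp. xV || yV || ZA || ZB) passed to the key derivation module."""
    x, y = point
    return x.to_bytes(32, "big") + y.to_bytes(32, "big") + za + zb


if __name__ == "__main__":
    # Constructed run: ZA / ZB are placeholder identity hashes, not values from the page.
    za, zb = b"\x11" * 32, b"\x22" * 32
    dA, PA = keygen()
    dB, PB = keygen()
    rA, rB = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    RA, RB = ephemeral(rA), ephemeral(rB)
    U = shared_point(dA, rA, RA, PB, RB)     # A, after receiving RB
    V = shared_point(dB, rB, RB, PA, RA)     # B, after receiving RA
    print("agreed" if key_material(U, za, zb) == key_material(V, za, zb) else "mismatch")
```

Both sides end on [tA·tB]G, which is why U and V coincide; the on-curve check before using the peer's point is what keeps a malformed RB from pushing the computation onto a different curve or group.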
As can be seen, because the initiator control centre and the responder control centre each schedule their own random number generation, point-multiplication, point-addition and key derivation modules, the initiator and responder random number generation modules each generate a random number (rA and rB respectively) in the range 1 to (n − 1); the initiator and responder point-multiplication modules each multiply a point by a scalar; the initiator and responder point-addition modules each add two points; the initiator and responder key derivation modules each derive a key from a bit string; and at the same time the two control centres each decide whether the negotiation succeeded. This realises key agreement between initiator and responder: when the negotiation succeeds, the initiator and responder obtain the same session key from their respective key derivation modules and use it to encrypt and decrypt their communication; when it fails, a negotiation-failure message is output. The invention can therefore build the initiator subsystem from the initiator control centre, initiator random number generation module, initiator point-multiplication module, initiator point-addition module and initiator key derivation module, and the responder subsystem from the responder control centre, responder random number generation module, responder point-multiplication module, responder point-addition module and responder key derivation module, and so implement the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware.
Because the invention implements the SM2 key exchange protocol in hardware, it runs faster than a software implementation of the same protocol, and its security is also higher.
As shown in Fig. 2, the system further comprises a w generation module 211 for computing the parameter w and sending it to initiator control centre 201 and responder control centre 206 respectively.
The initiator control centre and the responder control centre both have a scalar multiplication function, and this function can be realised by the same hardware structure. Fig. 3 is the hardware structure by which the initiator and responder control centres realise scalar multiplication; this structure is contained inside each control centre. As shown in Fig. 3, it comprises: control submodule 301, domain conversion submodule 302 and Montgomery multiplication submodule 303; where
Control submodule 301 is used to: send the finite-field values of the two scalars m and j to be multiplied to domain conversion submodule 302; send the Montgomery-domain values of m and j to Montgomery multiplication submodule 303; send 1 together with the product mj returned by Montgomery multiplication submodule 303 back to Montgomery multiplication submodule 303;
Domain conversion submodule 302 is used to convert m and j from their finite-field values to their Montgomery-domain values and return them to control submodule 301;
Montgomery multiplication submodule 303 is used to: multiply the Montgomery-domain values of m and j in the Montgomery domain and return the product mj to control submodule 301; multiply mj by 1 in the Montgomery domain, which yields the finite-field value of the scalar product of m and j; and return that finite-field value of the scalar product to control submodule 301.
Here m and j are the two scalars to be multiplied: they may be x10 and rA, or h and tA, multiplied by initiator control centre 201 in Fig. 2, or x20 and rB, or h and tB, multiplied by responder control centre 206.
By converting the two operands of the scalar multiplication from the finite field into the Montgomery domain, the initiator and responder control centres greatly reduce the cost of the computation (a Montgomery multiplication replaces the division by the modulus with shifts, masks and additions), which raises efficiency and further improves the speed of the key exchange protocol.
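The Fig. 3 data flow (convert both operands in, multiply, multiply by 1 to convert out) as an added example in Python; it is not the patent's circuit. REDC is written out so that the "multiply by 1 leaves the domain" step is visible. The modulus is the SM2 group order n (taken from the standard), and the 64-bit word width that fixes R = 2^k is an assumption, since the page does not state the datapath width.

```python
"""Scalar multiplication m*j mod n done the Fig. 3 way: convert both operands into the
Montgomery domain, multiply there, and multiply by 1 to convert the product back."""

N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123  # SM2 group order n (assumed)


class MontgomeryDomain:
    """Montgomery arithmetic modulo an odd m with R = 2^k, k rounded up to the datapath word width
    (64-bit words are an assumption; the page does not state the width)."""

    def __init__(self, modulus, word_bits=64):
        if modulus % 2 == 0:
            raise ValueError("modulus must be odd so that gcd(R, m) = 1")
        self.m = modulus
        self.k = -(-modulus.bit_length() // word_bits) * word_bits
        self.r = 1 << self.k
        self.mask = self.r - 1
        self.m_neg_inv = (-pow(modulus, -1, self.r)) & self.mask  # m' with m*m' = -1 (mod R)
        self.r2 = (self.r * self.r) % modulus                      # R^2 mod m, used to convert in

    def redc(self, t):
        """REDC(t) = t * R^-1 mod m for 0 <= t < m*R: shifts, masks, one multiply by m, one subtract."""
        u = ((t & self.mask) * self.m_neg_inv) & self.mask
        s = (t + u * self.m) >> self.k
        return s - self.m if s >= self.m else s

    def to_domain(self, x):
        """Domain conversion submodule: x -> x*R mod m, itself a Montgomery multiplication by R^2."""
        return self.redc((x % self.m) * self.r2)

    def mul(self, a_dom, b_dom):
        """Montgomery multiplication submodule: (aR)(bR)R^-1 = abR, the product stays in the domain."""
        return self.redc(a_dom * b_dom)

    def from_domain(self, x_dom):
        """Leaving the domain is a multiplication by 1: (xR)(1)R^-1 = x."""
        return self.mul(x_dom, 1)


def scalar_mul_mod(m, j, modulus=N):
    """What the control submodule orchestrates for x10*rA, h*tA, x20*rB or h*tB."""
    dom = MontgomeryDomain(modulus)
    m_dom, j_dom = dom.to_domain(m), dom.to_domain(j)  # two finite-field values in
    mj_dom = dom.mul(m_dom, j_dom)                     # product, still in the domain
    return dom.from_domain(mj_dom)                     # times 1: finite-field value of m*j mod n


if __name__ == "__main__":
    x10 = (1 << 127) + 0xABCDEF              # a folded x coordinate (constructed)
    rA = 0x1234567890ABCDEF1234567890ABCDEF  # an ephemeral scalar (constructed)
    print(scalar_mul_mod(x10, rA) == (x10 * rA) % N)
```

For a single product the two conversions cost as much as they save; the gain the page describes comes when the same submodule also serves the point-multiplication and point-addition modules, where hundreds of multiplications happen between one conversion in and one conversion out.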
Of course, as the control core of the initiator or responder control centre, the control submodule of Fig. 3 can also carry out the other control, computation and decision functions of the control centre it belongs to. For example, besides controlling the scalar multiplication described with Fig. 3, the control submodule in the initiator control centre can also be used to: send rA and G to the initiator point-multiplication module as one set of point-multiplication data; send RA to the control submodule in the responder control centre; compute x10 and x20 from x10 = 2^w + (x1 & (2^w − 1)) and x20 = 2^w + (x2 & (2^w − 1)); compute tA = (dA + x10·rA) mod n; check whether RB is a point on the elliptic curve; send x20 and RB to the initiator point-multiplication module as one set of point-multiplication data; send PB and [x20]RB to the initiator point-addition module as one set of point-addition data; send h·tA and (PB + [x20]RB) to the initiator point-multiplication module as one set of point-multiplication data; check whether U is the point at infinity; send the bit string Z formed by concatenating xU, yU, ZA and ZB to the initiator key derivation module; output the bit string KA returned by the initiator key derivation module as the initiator's session key; and output "negotiation failed" whenever RB is not a point on the elliptic curve or U is the point at infinity. As another example, besides controlling the scalar multiplication described with Fig. 3, the control submodule in the responder control centre can also be used to: send rB and G to the responder point-multiplication module as one set of point-multiplication data; compute x10 and x20 from x10 = 2^w + (x1 & (2^w − 1)) and x20 = 2^w + (x2 & (2^w − 1)); compute tB = (dB + x20·rB) mod n; check whether RA is a point on the elliptic curve; send x10 and RA to the responder point-multiplication module as one set of point-multiplication data; send PA and [x10]RA to the responder point-addition module as one set of point-addition data; send h·tB and (PA + [x10]RA) to the responder point-multiplication module as one set of point-multiplication data; check whether V is the point at infinity; send the bit string Z' formed by concatenating xV, yV, ZA and ZB to the responder key derivation module; output the bit string KB returned by the responder key derivation module as the responder's session key; send RB to the control submodule in the initiator control centre; and output "negotiation failed" whenever RA is not a point on the elliptic curve or V is the point at infinity.
In the invention the initiator point-multiplication module and the responder point-multiplication module perform the same point multiplication and can therefore be realised by the same hardware, referred to simply as the point-multiplication module. Fig. 4 is the structure of the point-multiplication module provided by the invention; it can serve as the initiator point-multiplication module or as the responder point-multiplication module.
As shown in Fig. 4, the point-multiplication module comprises: point-multiplication control submodule 401, projective point-doubling submodule 404, domain conversion submodule 403, Montgomery multiplication submodule 405, finite-field inversion submodule 402 and projective point-addition submodule 406; where
Point-multiplication control submodule 401 is used to: receive one set of point-multiplication data consisting of a scalar f and a point C; convert the affine coordinates (xc, yc) of C to the projective coordinates (xc2, yc2, 1) and send xc2, yc2 and 1 to domain conversion submodule 403; send (xc3, yc3, zc3) to projective point-addition submodule 406 and also take it as the initial value of the Montgomery-domain coordinates (xc1, yc1, zc1) of [f]C, where [f]C is the result of multiplying C by f; determine the binary bit length L of f; take the second most significant bit of f as the initial current bit and, moving down one bit at a time until the least significant bit, perform (L − 1) iterations; after the (L − 1)-th iteration send zc1 of the resulting coordinates (xc1, yc1, zc1) to Montgomery multiplication submodule 405; send the finite-field value of zc1 to finite-field inversion submodule 402; send the finite-field value of zc1^−1 to domain conversion submodule 403; send xc1 and yc1 of the resulting coordinates (xc1, yc1, zc1), together with the Montgomery-domain value of zc1^−1, to Montgomery multiplication submodule 405; send 1 together with the affine-coordinate value of xc1 returned by Montgomery multiplication submodule 405 to Montgomery multiplication submodule 405; send 1 together with the affine-coordinate value of yc1 returned by Montgomery multiplication submodule 405 to Montgomery multiplication submodule 405; and output the coordinates (xc1, yc1) formed by the finite-field values of xc1 and yc1 as the result of [f]C. One iteration consists of: sending the current value of the coordinates (xc1, yc1, zc1) to projective point-doubling submodule 404 and, when the current bit of f is binary 1, sending the coordinates returned by projective point-doubling submodule 404 to projective point-addition submodule 406;
Domain conversion submodule 403 is used to: convert the finite-field values xc2, yc2 and 1 to their Montgomery-domain values xc3, yc3 and zc3 respectively and return them to point-multiplication control submodule 401; convert the finite-field value of zc1^−1 to its Montgomery-domain value and return it to point-multiplication control submodule 401;
Projective point-doubling submodule 404 is used to double the point given by the input coordinates and return the result coordinates to point-multiplication control submodule 401;
Projective point-addition submodule 406 is used to add the point given by the input coordinates to (xc3, yc3, zc3) and send the result coordinates to point-multiplication control submodule 401;
Montgomery multiplication submodule 405 is used to: multiply the Montgomery-domain value of zc1 by 1 in the Montgomery domain and send the resulting finite-field value of zc1 to point-multiplication control submodule 401; multiply xc1 by the Montgomery-domain value of zc1^−1 and yc1 by the Montgomery-domain value of zc1^−1 in the Montgomery domain, and return the resulting affine-coordinate values of xc1 and yc1 to point-multiplication control submodule 401; multiply the affine-coordinate value of xc1 by 1 and the affine-coordinate value of yc1 by 1 in the Montgomery domain, and return the resulting finite-field values of xc1 and yc1 to point-multiplication control submodule 401;
Finite-field inversion submodule 402 is used to invert the finite-field value of zc1 and send the resulting finite-field value of zc1^−1 to point-multiplication control submodule 401.
The scalar f and the point C that make up a set of point-multiplication data are received by the point-multiplication control submodule from the control centre of the subsystem it belongs to: from the initiator control centre if it sits in the initiator subsystem, from the responder control centre if it sits in the responder subsystem. f and C stand for the scalar and the point of any one set of point-multiplication data; for example, f and C may be rA and G, x20 and RB, or h·tA and (PB + [x20]RB) as sent by the initiator control centre of Fig. 2 to the initiator point-multiplication module, or rB and G, x10 and RA, or h·tB and (PA + [x10]RA) as sent by the responder control centre to the responder point-multiplication module. Likewise, xc2, yc2, xc3, yc3, zc3, xc1, yc1, zc1 and zc1^−1 above correspond one to one to the intermediate values in the functions of initiator point-multiplication module 205 or responder point-multiplication module 208 in Fig. 2.
The point-multiplication module of Fig. 4 first converts the data from affine to projective coordinates, then from the finite field into the Montgomery domain, performs the computation in the Montgomery domain, and afterwards converts the data back from projective to affine coordinates and from the Montgomery domain to the finite field before outputting the result of the point multiplication. Although this adds conversions between coordinate systems and between domains compared with computing directly in affine coordinates, the efficiency of the point multiplication is still much higher: projective coordinates replace the field inversion that every affine point operation needs with a single inversion at the end, and Montgomery multiplication removes the division by the modulus from every field multiplication in between.
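The Fig. 4 schedule as an added example, not the patent's circuit: the accumulator starts as C, the bits of f are walked from the second-highest down with a doubling per bit and an addition of C when the bit is 1, and the only inversion is the one of the final Z. Field multiplications are plain modular arithmetic here (the Montgomery-domain conversions of the page are left out). Curve parameters are the recommended SM2 values from GB/T 32918.5 and are assumed correct; the doubling and addition formulas are the standard homogeneous-projective ones, which is the coordinate system the page's (X·Z^−1, Y·Z^−1) conversion implies.

```python
"""[f]C in homogeneous projective coordinates (X : Y : Z), scheduled as in Fig. 4: start from C itself,
walk f from its second-highest bit down, double each step and add C when the bit is 1, and pay for a
single field inversion only when converting the final Z back to affine."""

# Recommended SM2 curve y^2 = x^3 + a*x + b over GF(p), from GB/T 32918.5 (values assumed correct).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = (0, 1, 0)  # projective point at infinity: any point with Z = 0


def to_projective(pt):
    """Affine (x, y) -> projective (x, y, 1), the first conversion the control submodule performs."""
    return (pt[0], pt[1], 1)


def proj_double(pt):
    """Projective doubling (EFD dbl-2007-bl), no inversion."""
    X1, Y1, Z1 = pt
    if Z1 == 0:
        return INF
    XX, ZZ = X1 * X1 % P, Z1 * Z1 % P
    w = (A * ZZ + 3 * XX) % P
    s = 2 * Y1 * Z1 % P
    ss = s * s % P
    R = Y1 * s % P
    RR = R * R % P
    Bv = ((X1 + R) * (X1 + R) - XX - RR) % P
    h = (w * w - 2 * Bv) % P
    return (h * s % P, (w * (Bv - h) - 2 * RR) % P, s * ss % P)


def proj_add(p1, p2):
    """Projective addition (EFD add-1998-cmo-2) with the degenerate cases Q + O, Q + Q and Q + (-Q)."""
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    if Z1 == 0:
        return p2
    if Z2 == 0:
        return p1
    Y1Z2, X1Z2, Z1Z2 = Y1 * Z2 % P, X1 * Z2 % P, Z1 * Z2 % P
    u = (Y2 * Z1 - Y1Z2) % P
    v = (X2 * Z1 - X1Z2) % P
    if v == 0:
        return proj_double(p1) if u == 0 else INF
    uu, vv = u * u % P, v * v % P
    vvv = v * vv % P
    R = vv * X1Z2 % P
    Av = (uu * Z1Z2 - vvv - 2 * R) % P
    return (v * Av % P, (u * (R - Av) - vvv * Y1Z2) % P, vvv * Z1Z2 % P)


def proj_mul(f, C):
    """The (L-1)-iteration loop of the control submodule: acc starts as C, bits below the top one."""
    if f == 0:
        return INF
    acc = C
    for bit in bin(f)[3:]:  # skip '0b' and the leading 1 bit
        acc = proj_double(acc)
        if bit == "1":
            acc = proj_add(acc, C)
    return acc


def to_affine(pt):
    """Final conversion: one inversion of Z (finite-field inversion submodule), then two multiplications."""
    X, Y, Z = pt
    if Z == 0:
        return None
    z_inv = pow(Z, -1, P)
    return (X * z_inv % P, Y * z_inv % P)


def point_mul(f, affine_pt):
    """Whole module: affine point in, affine [f]C out, with the point at infinity reported as None."""
    return to_affine(proj_mul(f, to_projective(affine_pt)))


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


if __name__ == "__main__":
    print(point_mul(N, G) is None, point_mul(N + 1, G) == G)
```

The checks [n]G = O and [n + 1]G = G exercise every branch of the addition, including the Q + (−Q) case that produces Z = 0; a module that skips that case would report a garbage affine point instead of infinity, and the control centre's "is U the point at infinity" decision would never fire.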
In the system of Fig. 2 the initiator point-addition module and the responder point-addition module both realise point addition and can therefore be realised by the same hardware, called the point-addition module. Fig. 5 is the structure of the point-addition module provided by the invention; it can serve as the initiator point-addition module or as the responder point-addition module.
As shown in Fig. 5, the point-addition module comprises: point-addition control submodule 501, domain conversion submodule 502, projective point-addition submodule 504, Montgomery multiplication submodule 503 and finite-field inversion submodule 505; where
Point-addition control submodule 501 is used to: receive the affine coordinates (x11', y11') and (x12', y12') of the two points PP1 and PP2 to be added, convert them to the projective coordinates (x11', y11', 1) and (x12', y12', 1) respectively, and send x11', y11', 1 and x12', y12', 1 to domain conversion submodule 502; send the coordinates (x111', y111', z111') and (x121', y121', z121') to projective point-addition submodule 504; send z131' of the coordinates (x131', y131', z131') returned by projective point-addition submodule 504 to Montgomery multiplication submodule 503; send the finite-field value of z131' returned by Montgomery multiplication submodule 503 to finite-field inversion submodule 505; send the finite-field value of z131'^−1 to domain conversion submodule 502; send x131' and y131' of the coordinates (x131', y131', z131'), together with the Montgomery-domain value of z131'^−1, to Montgomery multiplication submodule 503; send 1 together with the affine-coordinate value of x131' returned by Montgomery multiplication submodule 503, and 1 together with the affine-coordinate value of y131' returned by Montgomery multiplication submodule 503, to Montgomery multiplication submodule 503; and output the coordinates (x131', y131') formed by the finite-field values of x131' and y131' returned by Montgomery multiplication submodule 503 as the result of the point addition of PP1 and PP2 in affine coordinates;
Domain conversion submodule 502 is used to: convert the finite-field values x11', y11', 1 and x12', y12', 1 to their Montgomery-domain values x111', y111', z111' and x121', y121', z121' respectively and return them to point-addition control submodule 501; convert the finite-field value of z131'^−1 to its Montgomery-domain value and return it to point-addition control submodule 501;
Projective point-addition submodule 504 is used to add the points given by the input coordinates (x111', y111', z111') and (x121', y121', z121') and return the resulting coordinates (x131', y131', z131') to point-addition control submodule 501;
Montgomery multiplication submodule 503 is used to: multiply the input z131' by 1 in the Montgomery domain and send the resulting finite-field value of z131' to point-addition control submodule 501; multiply x131' by the Montgomery-domain value of z131'^−1 and y131' by the Montgomery-domain value of z131'^−1 in the Montgomery domain, and return the resulting affine-coordinate values of x131' and y131' to point-addition control submodule 501; multiply the affine-coordinate values of x131' and y131' by 1 in the Montgomery domain, and return the resulting finite-field values of x131' and y131' to point-addition control submodule 501;
Finite-field inversion submodule 505 is used to invert the input finite-field value of z131' and send the resulting finite-field value of z131'^−1 to point-addition control submodule 501.
The points PP1 and PP2 are data that the point-addition control submodule receives from the control centre of the subsystem it belongs to: from the initiator control centre if it sits in the initiator subsystem, from the responder control centre if it sits in the responder subsystem.
PP1 and PP2 stand for the points on which the initiator or responder point-addition control submodule performs point addition; for example, PP1 and PP2 may be the point-addition data PB and [x20]RB that the initiator control centre sends to the initiator point-addition module, or the point-addition data PA and [x10]RA that the responder control centre sends to the responder point-addition module.
The point-addition module of Fig. 5 converts the affine coordinates of PP1 and PP2 to projective coordinates, then converts them from the finite field into the Montgomery domain and performs the computation there, and afterwards converts back from projective to affine coordinates and from the Montgomery domain to the finite field before outputting the result. Although this adds conversion steps compared with computing directly in affine coordinates, the efficiency is still much higher, for the same reasons as for the point-multiplication module.
In the invention the initiator key derivation module and the responder key derivation module both realise the key derivation function and can likewise be realised by the same hardware structure, called the key derivation module. Fig. 6 is the structure of the key derivation module provided by the invention; it can serve as the initiator key derivation module or as the responder key derivation module.
As shown in Fig. 6, the key derivation module comprises: key derivation control submodule 601 and cryptographic hash submodule 602, whose output hash value is v bits long; where
Key derivation control submodule 601 is used to: receive the input bit string ZZ; set the 32-bit counter variable ct to the initial value 0x00000001; determine ⌈klen/v⌉, the smallest integer greater than or equal to klen/v; with the loop variable i running from 1 to ⌈klen/v⌉ in steps of 1, perform ⌈klen/v⌉ hash computations; when klen/v is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉; when klen/v is not an integer, set Ha!_⌈klen/v⌉ to the leftmost (klen − v·⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer less than or equal to klen/v; concatenate Ha_i for i from 1 to (⌈klen/v⌉ − 1) followed by Ha!_⌈klen/v⌉ in order, and output the resulting bit string of length klen as the result of key derivation on ZZ. One hash computation consists of: concatenating ZZ with the current value of ct into the bit string ZZ ‖ ct; sending ZZ ‖ ct to cryptographic hash submodule 602; assigning the H_v(ZZ ‖ ct) returned by cryptographic hash submodule 602 to the v-bit Ha_i; and incrementing ct by 0x00000001;
Cryptographic hash submodule 602 is used to hash the input bit string ZZ ‖ ct and return the v-bit hash value H_v(ZZ ‖ ct) to key derivation control submodule 601.
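The counter-mode derivation of submodule 601 as an added example (not the patent's circuit), including the truncation of the last hash block when v does not divide klen. SHA-256 stands in for the v-bit hash submodule, so v = 256 here; the page does not name the hash function, and the stand-in is an assumption. The klen-bit output is returned as an integer so that non-byte-aligned lengths can be checked exactly.

```python
"""Key derivation exactly as control submodule 601 schedules it: a 32-bit counter ct starting at
0x00000001, ceil(klen/v) hash calls over ZZ || ct, and truncation of the last block when v does not
divide klen."""
import hashlib

V = 256  # width of the hash submodule's output in bits; SHA-256 stands in for H_v here (assumption)


def h_v(data: bytes) -> bytes:
    """Stand-in for cryptographic hash submodule 602."""
    return hashlib.sha256(data).digest()


def kdf(zz: bytes, klen: int) -> int:
    """Return the klen-bit derived string as an integer whose most significant bit is the string's first bit."""
    if klen <= 0:
        raise ValueError("klen must be positive")
    rounds = -(-klen // V)       # ceil(klen / v) hash computations
    ct = 1                       # counter ct = 0x00000001
    acc = 0
    for _ in range(rounds):
        ha_i = h_v(zz + ct.to_bytes(4, "big"))          # Ha_i = H_v(ZZ || ct)
        acc = (acc << V) | int.from_bytes(ha_i, "big")  # Ha_1 || Ha_2 || ... in order
        ct = (ct + 1) & 0xFFFFFFFF                      # ct += 0x00000001, 32-bit
    # Last block: when klen/v is not an integer keep only its leftmost klen - v*floor(klen/v) bits,
    # which is the same as dropping the low (rounds*v - klen) bits of the whole concatenation.
    return acc >> (rounds * V - klen)


def kdf_bytes(zz: bytes, klen: int) -> bytes:
    """Byte form for the usual case of klen being a multiple of 8 (e.g. a 128-bit session key)."""
    if klen % 8:
        raise ValueError("klen is not a whole number of bytes")
    return kdf(zz, klen).to_bytes(klen // 8, "big")


if __name__ == "__main__":
    z = b"\x11" * 32 + b"\x22" * 32 + b"\x33" * 32 + b"\x44" * 32  # constructed xU || yU || ZA || ZB
    print(kdf_bytes(z, 128).hex())
```

Because the counter is appended after ZZ and the blocks are concatenated in order, the first klen bits of a longer derivation are exactly the shorter derivation; the tests below check that property together with the truncation path.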
The bit string ZZ is received by the key derivation control submodule from the control centre of the subsystem it belongs to: from the initiator control centre if it sits in the initiator subsystem, from the responder control centre if it sits in the responder subsystem.
ZZ stands for the bit string received by the initiator or responder key derivation module; for example, ZZ may be the bit string Z that the initiator control centre of Fig. 2 sends to the initiator key derivation module, or the bit string Z' that the responder control centre sends to the responder key derivation module.
It can be seen that the corresponding modules of the initiator subsystem and the responder subsystem can have identical structures: the initiator and responder random number generation modules can be random number generation modules of the same structure; the initiator and responder point-multiplication modules can be point-multiplication modules of the same structure; the initiator and responder point-addition modules can be point-addition modules of the same structure; and the initiator and responder key derivation modules can be key derivation modules of the same structure. The corresponding modules of the two subsystems can therefore be shared, which saves hardware resources, raises the level of integration of the system and reduces chip area.
Fig. 7 is the structure of one specific embodiment of the invention. As shown in Fig. 7, the system comprises initiator control centre 701, responder control centre 702, random number generation module 704, point-multiplication module 705, point-addition module 706 and key derivation module 707. Compared with the structure of Fig. 2, the initiator and responder random number generation modules of Fig. 2 are realised by the single random number generation module 704 in Fig. 7; the initiator and responder point-multiplication modules by the single point-multiplication module 705; the initiator and responder point-addition modules by the single point-addition module 706; and the initiator and responder key derivation modules by the single key derivation module 707. In addition, on the basis of the structure of Fig. 2, the system further comprises an upper-layer arbitration module 703;
Initiator control centre 701 is used to send an initiator occupancy request to upper-layer arbitration module 703;
Responder control centre 702 is used to send a responder occupancy request to upper-layer arbitration module 703;
Upper-layer arbitration module 703 is used to: on an initiator occupancy request, set the working mode of random number generation module 704, point-multiplication module 705, point-addition module 706 and key derivation module 707 to initiator mode, so that these modules take on the functions of the initiator random number generation module, initiator point-multiplication module, initiator point-addition module and initiator key derivation module of Fig. 2 respectively, and forward the data exchanged between initiator control centre 701 and random number generation module 704, point-multiplication module 705, point-addition module 706 and key derivation module 707; on a responder occupancy request, set the working mode of random number generation module 704, point-multiplication module 705, point-addition module 706 and key derivation module 707 to responder mode, so that these modules take on the functions of the responder random number generation module, responder point-multiplication module, responder point-addition module and responder key derivation module of Fig. 2 respectively, and forward the data exchanged between the responder control centre and random number generation module 704, point-multiplication module 705, point-addition module 706 and key derivation module 707.
In addition, Fig. 7 may further include a w generation module 708 that generates w and sends it to initiator control centre 701 and responder control centre 702.
As can be seen, in the embodiment of Fig. 7, by adding an upper-layer arbitration module that forwards the data between the initiator and responder control centres and the other modules of their subsystems, the initiator and responder control centres need only set the working mode of the other modules through the upper-layer arbitration module, and the structurally identical modules of the two subsystems can be shared. This greatly reduces the number of modules and saves hardware resources; the price is that the two control centres cannot use a shared module at the same time, since the arbitration module grants it to one occupancy request at a time.
Further, known by the structure of each module shown in Fig. 3,4,5, the initiator control centre in Fig. 7 embodiment, responder control centre, point doubling module, point add module and can also realize the multiplexing of the submodule of identical function further.The structure chart of another specific embodiment of the present invention shown in Fig. 8 can be obtained thus.
System in Fig. 8 embodiment comprises: initiator control centre as shown in Figure 7, responder control centre, point doubling module, point add module the territory transform subblock 810, territory, the Montgomery multiplication submodule 811 that share; By point doubling module, point add module the projection mooring points that shares add submodule 812, finite field inversions submodule 813;
The system further comprises a lower-layer selection module 808, which realizes the above-mentioned sharing of the domain transform submodule 810, Montgomery-domain multiplication submodule 811, projective point addition submodule 812 and finite-field inversion submodule 813;
The initiator control centre of Fig. 7 may further comprise an initiator control submodule 801; the responder control centre further comprises a responder control submodule 802; the point multiplication module further comprises a point multiplication control submodule 805 and a projective-coordinate point doubling submodule 809; the point addition module further comprises a point addition control submodule 806. The random number generation module and the upper-layer selection module of Fig. 7 are numbered 804 and 803 respectively in Fig. 8, and their functions are identical to those in Fig. 7.
The initiator control submodule of Fig. 8 is used for: sending an initiator-control-submodule occupancy request to the lower-layer selection module; sending the finite-field values of the two quantities whose scalar product is to be computed to the domain transform submodule; sending the two Montgomery-domain values returned by the domain transform submodule to the Montgomery-domain multiplication submodule; sending 1 and the product returned by the Montgomery-domain multiplication submodule to the Montgomery-domain multiplication submodule. Besides the scalar product computation mentioned here, the initiator control submodule also has the data operation, judgement and module-sequencing functions of the initiator control centre of Fig. 2, for example: sending rA and G to the point multiplication control submodule as a set of point multiplication data; sending RA to the responder control submodule; calculating x10 and x20 according to x10 = 2^w + [x1 & (2^w - 1)] and x20 = 2^w + [x2 & (2^w - 1)] respectively; calculating tA according to tA = (dA + x10·rA) mod n; judging whether RB is a point on the elliptic curve; sending x20 and RB to the point multiplication control submodule as a set of point multiplication data; sending PB and [x20]RB to the point addition control submodule as a set of point addition data; sending h·tA and (PB + [x20]RB) to the point multiplication control submodule as a set of point multiplication data; judging whether U is the point at infinity; sending the bit string Z formed by concatenating xU, yU, ZA and ZB to the key derivation module; outputting the bit string KA returned by the key derivation module as the initiator's session key; and outputting a negotiation failure when RB is not a point on the elliptic curve or U is the point at infinity. Thus the initiator control submodule, through the lower-layer selection module, together with the domain transform submodule and the Montgomery-domain multiplication submodule constitutes the initiator control centre shown in Fig. 3, and so also has the functions of the initiator control centre of Fig. 3.
The responder control submodule of Fig. 8 is used for: sending a responder-control-submodule occupancy request to the lower-layer selection module; sending the finite-field values of the two quantities whose scalar product is to be computed to the domain transform submodule; sending the two Montgomery-domain values returned by the domain transform submodule to the Montgomery-domain multiplication submodule; sending 1 and the product returned by the Montgomery-domain multiplication submodule to the Montgomery-domain multiplication submodule. Besides the scalar product computation mentioned here, the responder control submodule also has the data operation, judgement and module-sequencing functions of the responder control centre of Fig. 2, for example: sending rB and G to the point multiplication control submodule as a set of point multiplication data; calculating x10 and x20 according to x10 = 2^w + [x1 & (2^w - 1)] and x20 = 2^w + [x2 & (2^w - 1)] respectively; calculating tB according to tB = (dB + x20·rB) mod n; judging whether RA is a point on the elliptic curve; sending x10 and RA to the point multiplication control submodule as a set of point multiplication data; sending PA and [x10]RA to the point addition control submodule as a set of point addition data; sending h·tB and (PA + [x10]RA) to the point multiplication control submodule as a set of point multiplication data; judging whether V is the point at infinity; sending the bit string Z' formed by concatenating xV, yV, ZA and ZB to the key derivation module; outputting the bit string KB returned by the key derivation module as the responder's session key; sending RB to the initiator control submodule; and outputting a negotiation failure when RA is not a point on the elliptic curve or V is the point at infinity. In this way the responder control submodule, through the lower-layer selection module, together with the domain transform submodule and the Montgomery-domain multiplication submodule constitutes the responder control centre shown in Fig. 3, and so also has the functions of the responder control centre of Fig. 3.
The point multiplication control submodule of Fig. 8 is used for: sending a point-multiplication-control-submodule occupancy request to the lower-layer selection module; receiving a set of point multiplication data consisting of a number f and a point C, converting the coordinates (xc, yc) of C in the affine coordinate system to the coordinates (xc2, yc2, 1) of C in the projective coordinate system, and sending xc2, yc2, 1 to the domain transform submodule; sending (xc3, yc3, zc3) to the projective point addition submodule as the initial value of the Montgomery-domain coordinates (xc1, yc1, zc1) of [f]C, where [f]C is the result of the f-fold point multiplication of C; determining the binary bit length L of f; taking the second-highest bit of the binary representation of f as the initial current bit and moving down one bit at a time until the lowest bit, performing (L-1) iterations; sending zc1 from the result coordinates (xc1, yc1, zc1) of the (L-1)-th iteration to the Montgomery-domain multiplication submodule; sending the finite-field value of zc1 to the finite-field inversion submodule; sending the finite-field value of zc1^-1 to the domain transform submodule; sending xc1 and yc1 from the result coordinates (xc1, yc1, zc1) of the (L-1)-th iteration and the Montgomery-domain value of zc1^-1 to the Montgomery-domain multiplication submodule; sending 1 and the affine-coordinate value of xc1 returned by the Montgomery-domain multiplication submodule to the Montgomery-domain multiplication submodule; sending 1 and the affine-coordinate value of yc1 returned by the Montgomery-domain multiplication submodule to the Montgomery-domain multiplication submodule; and outputting the coordinates (xc1, yc1) formed by the finite-field values of xc1 and yc1 as the result of [f]C. One iteration comprises: sending the current value of the coordinates (xc1, yc1, zc1) to the projective-coordinate point doubling submodule, and, when the current bit of f is 1, sending the output coordinates returned by the projective-coordinate point doubling submodule to the projective point addition submodule;
The projective-coordinate point doubling submodule is used for doubling the input coordinates and returning the result to the point multiplication control submodule as output coordinates;
It can be seen that the point multiplication control submodule, through the lower-layer selection module, together with the domain transform submodule, Montgomery-domain multiplication submodule, projective-coordinate point doubling submodule, projective point addition submodule and finite-field inversion submodule constitutes the structure of the point multiplication module shown in Fig. 4, and so also has the functions of the point multiplication module of Fig. 4.
The point addition control submodule of Fig. 8 is used for: sending a point-addition-control-submodule occupancy request to the lower-layer selection module; converting the received affine coordinates (x11', y11') and (x12', y12') of the points PP1 and PP2 to be added into their projective coordinates (x11', y11', 1) and (x12', y12', 1) respectively, and sending x11', y11', 1 and x12', y12', 1 to the domain transform submodule; sending the coordinates (x111', y111', z111') and (x121', y121', z121') formed by x111', y111', z111' and x121', y121', z121' to the projective point addition submodule; sending z131' from the coordinates (x131', y131', z131') returned by the projective point addition submodule to the Montgomery-domain multiplication submodule; sending the finite-field value of z131' returned by the Montgomery-domain multiplication submodule to the finite-field inversion submodule; sending the finite-field value of z131'^-1 to the domain transform submodule; sending x131' and y131' from the coordinates (x131', y131', z131') and the Montgomery-domain value of z131'^-1 to the Montgomery-domain multiplication submodule; sending 1 and the affine-coordinate value of x131' to the Montgomery-domain multiplication submodule; sending 1 and the affine-coordinate value of y131' to the Montgomery-domain multiplication submodule; and outputting the coordinates (x131', y131') formed by the finite-field values of x131' and y131' returned by the Montgomery-domain multiplication submodule as the result of adding PP1 and PP2 in the affine coordinate system. It can be seen that the point addition control submodule of Fig. 8, through the data forwarding of the lower-layer selection module, together with the domain transform submodule, Montgomery-domain multiplication submodule, projective point addition submodule and finite-field inversion submodule constitutes the structure of the point addition module shown in Fig. 5, and so also has the functions of the point addition module of Fig. 5.
The lower-layer selection module is used for: according to an initiator-control-submodule occupancy request, setting the operating mode of the domain transform submodule and the Montgomery-domain multiplication submodule to "occupied by the initiator control submodule" and forwarding the communication data between the initiator control submodule and the domain transform submodule and Montgomery-domain multiplication submodule; according to a responder-control-submodule occupancy request, setting the operating mode of the domain transform submodule and the Montgomery-domain multiplication submodule to "occupied by the responder control submodule" and forwarding the communication data between the responder control submodule and the domain transform submodule and Montgomery-domain multiplication submodule; according to a point-multiplication-control-submodule occupancy request, setting the operating mode of the domain transform submodule, Montgomery-domain multiplication submodule, projective point addition submodule and finite-field inversion submodule to "occupied by the point multiplication control submodule" and forwarding the communication data between the point multiplication control submodule and those four submodules; and according to a point-addition-control-submodule occupancy request, setting the operating mode of the domain transform submodule, Montgomery-domain multiplication submodule, projective point addition submodule and finite-field inversion submodule to "occupied by the point addition control submodule" and forwarding the communication data between the point addition control submodule and those four submodules;
It can be seen that this embodiment, by further providing the lower-layer selection module on the basis of Fig. 7 to forward the communication data between the initiator control submodule, responder control submodule, point multiplication control submodule and point addition control submodule on one side and the domain transform submodule, Montgomery-domain multiplication submodule, projective point addition submodule and finite-field inversion submodule on the other, and to control the operating mode of the latter four submodules, achieves the multiplexing of the domain transform submodule, Montgomery-domain multiplication submodule, projective point addition submodule and finite-field inversion submodule; compared with the Fig. 7 embodiment this further saves hardware resources and reduces chip area.
The domain transform submodule of Fig. 8 is used for: in the mode "occupied by the initiator control submodule", converting the finite-field values of the two quantities sent by the initiator control submodule to their respective Montgomery-domain values and returning them to the initiator control submodule; in the mode "occupied by the responder control submodule", converting the finite-field values of the two quantities sent by the responder control submodule to their respective Montgomery-domain values and returning them to the responder control submodule; in the mode "occupied by the point multiplication control submodule", converting the finite-field values xc2, yc2, 1 to their respective Montgomery-domain values xc3, yc3, zc3 and returning them to the point multiplication control submodule, and converting the finite-field value of zc1^-1 to its Montgomery-domain value and returning it to the point multiplication control submodule; in the mode "occupied by the point addition control submodule", converting the finite-field values x11', y11', 1 and x12', y12', 1 to their respective Montgomery-domain values x111', y111', z111' and x121', y121', z121' and returning them to the point addition control submodule, and converting the finite-field value of z131'^-1 to its Montgomery-domain value and returning it to the point addition control submodule;
The Montgomery-domain multiplication submodule of Fig. 8 is used for: in the mode "occupied by the initiator control submodule", performing Montgomery-domain multiplication on the two Montgomery-domain values sent by the initiator control submodule and returning the resulting product to the initiator control submodule, and performing Montgomery-domain multiplication on 1 and the product sent by the initiator control submodule and returning the result to the initiator control submodule; in the mode "occupied by the responder control submodule", performing Montgomery-domain multiplication on the two Montgomery-domain values sent by the responder control submodule and returning the resulting product to the responder control submodule, and performing Montgomery-domain multiplication on 1 and the said product sent by the responder control submodule and returning the result to the responder control submodule; in the mode "occupied by the point multiplication control submodule", performing Montgomery-domain multiplication on the Montgomery-domain value of zc1 and 1 and sending the resulting finite-field value of zc1 to the point multiplication control submodule, performing Montgomery-domain multiplication on the Montgomery-domain values of xc1 and zc1^-1 and on the Montgomery-domain values of yc1 and zc1^-1 and returning the resulting affine-coordinate values of xc1 and yc1 to the point multiplication control submodule, and performing Montgomery-domain multiplication on 1 and the affine-coordinate value of xc1 and on the affine-coordinate value of yc1 and 1 and returning the resulting finite-field values of xc1 and yc1 to the point multiplication control submodule; in the mode "occupied by the point addition control submodule", performing Montgomery-domain multiplication on the input z131' and 1 and sending the resulting finite-field value of z131' to the point addition control submodule, performing Montgomery-domain multiplication on the Montgomery-domain values of x131' and z131'^-1 and on the Montgomery-domain values of y131' and z131'^-1 and returning the resulting affine-coordinate values of x131' and y131' to the point addition control submodule, and performing Montgomery-domain multiplication on the affine-coordinate value of x131' and 1 and on the affine-coordinate value of y131' and 1 and returning the resulting finite-field values of x131' and y131' to the point addition control submodule;
The projective point addition submodule of Fig. 8 is used for: in the mode "occupied by the point multiplication control submodule", performing point addition on the input coordinates and (xc3, yc3, zc3) and sending the result to the point multiplication control submodule; in the mode "occupied by the point addition control submodule", performing point addition on the input coordinates (x111', y111', z111') and (x121', y121', z121') and returning the resulting coordinates (x131', y131', z131') to the point addition control submodule;
The finite-field inversion submodule of Fig. 8 is used for: in the mode "occupied by the point multiplication control submodule", inverting the finite-field value of zc1 and sending the resulting finite-field value of zc1^-1 to the point multiplication control submodule; in the mode "occupied by the point addition control submodule", inverting the finite-field value of the input z131' and sending the resulting finite-field value of z131'^-1 to the point addition control submodule.
It can be seen that the domain transform submodule, Montgomery-domain multiplication submodule, projective point addition submodule and finite-field inversion submodule of Fig. 8 work in the operating mode set by the lower-layer selection module, and thereby complete the scalar product computation, the point addition operation and the point multiplication operation.
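The data path described above for Fig. 8 (the initiator and responder control submodule flow, the projective double-and-add of the point multiplication control submodule, the projective point addition, and the domain transform, Montgomery-domain multiplication and finite-field inversion submodules) can be followed end to end in software. The block below is an added example written for this page, not the patent's own code. Its assumptions are: the SM2 recommended curve parameters of GM/T 0003.5-2012 (cofactor h = 1, so w = 127), standard projective coordinates with x = X/Z and y = Y/Z, Python's `pow(x, -1, p)` as the finite-field inversion, SHA-256 standing in for SM3 inside the KDF (the key derivation module of Fig. 6 is not reproduced here), and constructed ZA/ZB identity hashes. Each function mirrors one submodule: `to_mont`/`from_mont` are the domain transform and the "multiply by 1" exit step, `mont_mul` is the Montgomery-domain multiplication submodule, `proj_double` and `proj_add` are the projective doubling and addition submodules, and `scalar_mul` runs the (L-1) iterations from the second-highest bit of f as the point multiplication control submodule does.

```python
import hashlib, secrets

# SM2 recommended curve (GM/T 0003.5-2012): y^2 = x^3 + ax + b over GF(p), cofactor h = 1.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H = 1
W = (N.bit_length() + 1) // 2 - 1   # w = ceil(ceil(log2 n) / 2) - 1 = 127
R_BITS, R_MASK = P.bit_length(), (1 << P.bit_length()) - 1   # Montgomery domain, R = 2^256
N_PRIME = (-pow(P, -1, 1 << R_BITS)) & R_MASK                # -p^-1 mod R
R2 = (1 << (2 * R_BITS)) % P                                 # R^2 mod p, used to enter the domain

def mont_mul(a, b):                 # Montgomery-domain multiplication submodule (REDC): a*b*R^-1 mod p
    t = a * b
    m = ((t & R_MASK) * N_PRIME) & R_MASK
    u = (t + m * P) >> R_BITS
    return u - P if u >= P else u
def to_mont(x):                     # domain transform submodule: finite field -> Montgomery domain (x*R)
    return mont_mul(x % P, R2)
def from_mont(xm):                  # the "multiply by 1" step: Montgomery domain -> finite field
    return mont_mul(xm, 1)
A_M, INF = to_mont(A), (0, 0, 0)    # a in the Montgomery domain; Z = 0 marks the point at infinity

def proj_double(pt):                # projective-coordinate point doubling submodule: 2*(X:Y:Z)
    X1, Y1, Z1 = pt
    if Z1 == 0 or Y1 == 0:
        return INF
    w = (mont_mul(A_M, mont_mul(Z1, Z1)) + 3 * mont_mul(X1, X1)) % P
    s = mont_mul(Y1, Z1)
    b = mont_mul(mont_mul(X1, Y1), s)
    h = (mont_mul(w, w) - 8 * b) % P
    ss = mont_mul(s, s)
    y3 = (mont_mul(w, (4 * b - h) % P) - 8 * mont_mul(mont_mul(Y1, Y1), ss)) % P
    return (2 * mont_mul(h, s) % P, y3, 8 * mont_mul(ss, s) % P)

def proj_add(p1, p2):               # projective point addition submodule: (X1:Y1:Z1) + (X2:Y2:Z2)
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    if Z1 == 0 or Z2 == 0:
        return p2 if Z1 == 0 else p1
    u = (mont_mul(Y2, Z1) - mont_mul(Y1, Z2)) % P
    v = (mont_mul(X2, Z1) - mont_mul(X1, Z2)) % P
    if v == 0:                      # same x: the points are equal (double) or inverses (infinity)
        return proj_double(p1) if u == 0 else INF
    vv, z1z2 = mont_mul(v, v), mont_mul(Z1, Z2)
    vvv, vvx1z2 = mont_mul(vv, v), mont_mul(vv, mont_mul(X1, Z2))
    a = (mont_mul(mont_mul(u, u), z1z2) - vvv - 2 * vvx1z2) % P
    y3 = (mont_mul(u, (vvx1z2 - a) % P) - mont_mul(vvv, mont_mul(Y1, Z2))) % P
    return (mont_mul(v, a), y3, mont_mul(vvv, z1z2))

def to_proj(pt):                    # affine (x, y) -> (X:Y:1), then into the Montgomery domain
    return (to_mont(pt[0]), to_mont(pt[1]), to_mont(1))
def to_affine(pt):                  # (X:Y:Z) -> (x, y) in the finite field; None at infinity
    X, Y, Z = pt
    if Z == 0:
        return None
    z_inv = to_mont(pow(from_mont(Z), -1, P))   # leave the domain, invert (finite-field inversion submodule), re-enter
    return (from_mont(mont_mul(X, z_inv)), from_mont(mont_mul(Y, z_inv)))
def scalar_mul(f, c):               # [f]C: L-1 double-and-add iterations from the second-highest bit of f
    if f == 0 or c is None:
        return None
    cp = acc = to_proj(c)           # (xc3, yc3, zc3) is the initial value of the accumulator
    for i in range(f.bit_length() - 2, -1, -1):
        acc = proj_double(acc)
        if (f >> i) & 1:
            acc = proj_add(acc, cp)
    return to_affine(acc)
def point_add(p1, p2):              # point addition module: affine in, affine out
    return to_affine(proj_add(to_proj(p1), to_proj(p2)))
def on_curve(pt):                   # "is the point on the elliptic curve?" check of the control centre
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0
def x_bar(x):                       # x10 = 2^w + [x1 & (2^w - 1)] from claim 1
    return (1 << W) + (x & ((1 << W) - 1))
def kdf(z, klen):                   # KDF: H(Z || ct), ct = 1, 2, ...; SHA-256 stands in for SM3 here (assumption)
    out, ct = b"", 1
    while len(out) * 8 < klen:
        out += hashlib.sha256(z + ct.to_bytes(4, "big")).digest()
        ct += 1
    return out[:(klen + 7) // 8]
def keygen():                       # (d, [d]G) for a long-term key; also used for the ephemeral (r, [r]G)
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mul(d, G)

def session_key(d, r, R_own, P_peer, R_peer, za, zb, klen):   # one side's control-centre flow (claim 1)
    if not on_curve(R_peer):                                  # peer's R must be a point on the curve
        return None                                           # None = "negotiation failure"
    t = (d + x_bar(R_own[0]) * r) % N                         # tA = (dA + x10*rA) mod n
    u = scalar_mul(H * t, point_add(P_peer, scalar_mul(x_bar(R_peer[0]), R_peer)))
    if u is None:                                             # U (or V) is the point at infinity
        return None
    return kdf(u[0].to_bytes(32, "big") + u[1].to_bytes(32, "big") + za + zb, klen)   # Z = xU||yU||ZA||ZB

def run_key_agreement(klen=128):    # both sides of one exchange; ZA/ZB are constructed stand-in identity hashes
    za, zb = hashlib.sha256(b"ZA:constructed").digest(), hashlib.sha256(b"ZB:constructed").digest()
    (dA, PA), (dB, PB), (rA, RA), (rB, RB) = keygen(), keygen(), keygen(), keygen()
    KA = session_key(dA, rA, RA, PB, RB, za, zb, klen)        # initiator: U = [h*tA](PB + [x20]RB)
    KB = session_key(dB, rB, RB, PA, RA, za, zb, klen)        # responder: V = [h*tB](PA + [x10]RA)
    return KA, KB
```

`run_key_agreement()` returns (KA, KB), which agree whenever both sides' checks pass, because U = [h·tA](PB + [x20]RB) and V = [h·tB](PA + [x10]RA) are the same point [h·tA·tB]G. `session_key` returns None for the two negotiation-failure cases the control centre checks (the peer's point is not on the curve, or U/V is the point at infinity); the on-curve check is what keeps an off-curve peer point from ever entering the scalar multiplication. Unlike a fixed-sequence hardware data path, this software loop branches on each bit of the scalar, so it illustrates the control flow rather than a side-channel-hardened implementation.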
In addition, the system embodiment of Fig. 8 may further include a w generation module 814 for generating w and supplying it to the initiator control submodule 801 and the responder control submodule 802.
The key derivation module 807 of Fig. 8 may also have the structure shown in Fig. 6.
It can be seen that the present invention has the following advantages:
(1) In the present invention, because the initiator control centre and the responder control centre can each arrange the working sequence of the corresponding random number generation module, point multiplication module, point addition module and key derivation module, the initiator random number generation module and the responder random number generation module separately generate the random numbers rA and rB between 1 and (n-1), the initiator point multiplication module and the responder point multiplication module separately perform the point multiplication of a scalar value and a point, the initiator point addition module and the responder point addition module separately perform the addition of two points, and the initiator key derivation module and the responder key derivation module separately perform the key derivation computation on a bit string; at the same time, the initiator control centre and the responder control centre each judge whether the negotiation has succeeded. Key agreement between the initiator and the responder is thus realized: when both sides negotiate successfully, the initiator and the responder obtain the same session key from the initiator key derivation module and the responder key derivation module respectively, and use it to encrypt and decrypt their communication; when the negotiation fails, negotiation failure information is output. Therefore, the present invention can form the initiator subsystem from the initiator control centre, initiator random number generation module, initiator point multiplication module, initiator point addition module and initiator key derivation module, and the responder subsystem from the responder control centre, responder random number generation module, responder point multiplication module, responder point addition module and responder key derivation module, and so realize the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware.
(2) Because the present invention can realize the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware, compared with a software implementation of this key exchange protocol the present invention computes faster and is also more secure.
(3) In the present invention, the initiator control centre and the responder control centre transform the two operands of the scalar product computation from the finite field into the Montgomery domain before multiplying, which greatly reduces the computational difficulty, improves operational efficiency and helps to further increase the speed of the key exchange protocol.
(4) The point multiplication module and the point addition module provided by the present invention first transform the data from the affine coordinate system to the projective coordinate system and then from the finite field into the Montgomery domain, so that the corresponding computation can be carried out in the Montgomery domain; after completion, the data are transformed from the projective coordinate system back to the affine coordinate system and from the Montgomery domain back to the finite field, and the result of the point multiplication is finally output. Compared with computing directly in the affine coordinate system, the efficiency with which the present invention performs point multiplication and point addition is greatly improved.
(5) The present invention multiplexes the corresponding modules and submodules of the initiator subsystem and the responder subsystem, which greatly saves hardware resources, improves the integration level of the system and reduces chip area.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (8)

1. A p-element field SM2 elliptic curve key agreement system, wherein the elliptic curve has a base point G and a cofactor h, and the order of G is n; the initiator's hash value and the responder's hash value are ZA and ZB respectively; the initiator's public key and private key are PA and dA respectively, and the responder's public key and private key are PB and dB respectively; the length of the session key agreed by the initiator and the responder is klen; characterized in that the system comprises an initiator subsystem and a responder subsystem; the initiator subsystem comprises: an initiator control centre, an initiator random number generation module, an initiator point multiplication module, an initiator point addition module and an initiator key derivation module; the responder subsystem comprises: a responder control centre, a responder random number generation module, a responder point multiplication module, a responder point addition module and a responder key derivation module; wherein,
The initiator control centre is used for: sending rA and G to the initiator point multiplication module as a set of point multiplication data, where rA is the random number between 1 and (n-1) generated by the initiator random number generation module; sending RA to the responder control centre, where RA is the point with coordinates (x1, y1) obtained by the initiator point multiplication module performing the rA-fold point multiplication of G; calculating x10 and x20 according to x10 = 2^w + [x1 & (2^w - 1)] and x20 = 2^w + [x2 & (2^w - 1)] respectively; calculating the scalar product x10·rA of x10 and rA, and calculating tA according to tA = (dA + x10·rA) mod n; judging whether RB is a point on the elliptic curve, where RB is the point with coordinates (x2, y2) obtained by the responder point multiplication module performing the rB-fold point multiplication of G, and rB is the random number between 1 and (n-1) generated by the responder random number generation module; sending x20 and RB to the initiator point multiplication module as a set of point multiplication data; calculating the scalar product h·tA of h and tA; sending PB and [x20]RB to the initiator point addition module as a set of point addition data; sending h·tA and (PB + [x20]RB) to the initiator point multiplication module as a set of point multiplication data; judging whether U is the point at infinity, where U is the result of the h·tA-fold point multiplication of the point (PB + [x20]RB) and has coordinates (xU, yU); sending the bit string Z formed by concatenating xU, yU, ZA and ZB to the initiator key derivation module; outputting the bit string KA returned by the initiator key derivation module as the initiator's session key; and outputting a negotiation failure when RB is not a point on the elliptic curve or U is the point at infinity;
The initiator random number generation module is used for sending the generated random number rA between 1 and (n-1) to the initiator control centre;
The initiator point multiplication module is used for: performing the rA-fold point multiplication of G to obtain the point RA with coordinates (x1, y1), and sending RA to the initiator control centre; performing the x20-fold point multiplication of RB and sending the resulting [x20]RB to the initiator control centre; and performing the h·tA-fold point multiplication of (PB + [x20]RB) and sending the resulting point U, whose coordinates are (xU, yU), to the initiator control centre;
The initiator point addition module is used for performing point addition on PB and [x20]RB and sending the generated (PB + [x20]RB) to the initiator control centre;
The initiator key derivation module is used for performing the key derivation computation on the bit string Z and sending the resulting bit string KA of length klen to the initiator control centre;
The responder control centre is used for: sending rB and G to the responder point multiplication module as a set of point multiplication data; calculating x10 and x20 according to x10 = 2^w + [x1 & (2^w - 1)] and x20 = 2^w + [x2 & (2^w - 1)] respectively; calculating the scalar product x20·rB of x20 and rB, and calculating tB according to tB = (dB + x20·rB) mod n; judging whether RA is a point on the elliptic curve; sending x10 and RA to the responder point multiplication module as a set of point multiplication data; calculating the scalar product h·tB of h and tB; sending PA and [x10]RA to the responder point addition module as a set of point addition data; sending h·tB and (PA + [x10]RA) to the responder point multiplication module as a set of point multiplication data; judging whether V is the point at infinity, where V is the point obtained by the h·tB-fold point multiplication of (PA + [x10]RA) and has coordinates (xV, yV); sending the bit string Z' formed by concatenating xV, yV, ZA and ZB to the responder key derivation module; outputting the bit string KB returned by the responder key derivation module as the responder's session key; sending RB to the initiator control centre; and outputting a negotiation failure when RA is not a point on the elliptic curve or V is the point at infinity;
The responder random number generation module is used for sending the generated random number rB between 1 and (n-1) to the responder control centre;
The responder point multiplication module is used for: performing the rB-fold point multiplication of G to obtain the point RB with coordinates (x2, y2), and sending RB to the responder control centre; performing the x10-fold point multiplication of RA and sending the resulting [x10]RA to the responder control centre; and performing the h·tB-fold point multiplication of (PA + [x10]RA) and sending the resulting point V, whose coordinates are (xV, yV), to the responder control centre;
The responder point addition module is used for performing point addition on PA and [x10]RA and sending the generated (PA + [x10]RA) to the responder control centre;
The responder key derivation module is used for performing the key derivation computation on the bit string Z' and sending the resulting bit string KB of length klen to the responder control centre;
wherein w is a parameter, & is the bitwise AND operator, and mod is the modulo operator.
2. The system according to claim 1, characterized in that the system further comprises a w generation module for calculating the parameter w and sending it to the initiator control centre and the responder control centre respectively.
3. The system according to claim 1, characterized in that the initiator control centre and the responder control centre each comprise: a control submodule, a domain transform submodule and a Montgomery-domain multiplication submodule; wherein,
The control submodule is used for: sending the finite-field values of the two quantities m and j whose scalar product is to be computed to the domain transform submodule; sending the Montgomery-domain values of m and j to the Montgomery-domain multiplication submodule; and sending 1 and the product mj returned by the Montgomery-domain multiplication submodule to the Montgomery-domain multiplication submodule;
The domain transform submodule is used for converting the finite-field values of m and j to their respective Montgomery-domain values and returning them to the control submodule;
The Montgomery-domain multiplication submodule is used for: performing Montgomery-domain multiplication on the Montgomery-domain values of m and j and returning the resulting product mj to the control submodule; performing Montgomery-domain multiplication on mj and 1 to obtain the finite-field value of the scalar product of m and j; and returning the finite-field value of the scalar product of m and j to the control submodule.
4. The system according to claim 1, characterized in that the initiator point multiplication module and the responder point multiplication module each comprise: a point multiplication control submodule, a projective-coordinate point doubling submodule, a domain transform submodule, a Montgomery-domain multiplication submodule, a finite-field inversion submodule and a projective point addition submodule; wherein,
The point multiplication control submodule is used for: receiving a set of point multiplication data consisting of a number f and a point C, converting the coordinates (xc, yc) of C in the affine coordinate system to the coordinates (xc2, yc2, 1) of C in the projective coordinate system, and sending xc2, yc2, 1 to said domain transform submodule; sending (xc3, yc3, zc3) to said projective point addition submodule as the initial value of the Montgomery-domain coordinates (xc1, yc1, zc1) of [f]C, where [f]C is the result of the f-fold point multiplication of C; determining the binary bit length L of f; taking the second-highest bit of the binary representation of f as the initial current bit and moving down one bit at a time from the second-highest bit of f until its lowest bit, performing (L-1) iterations; sending zc1 from the result coordinates (xc1, yc1, zc1) of the (L-1) iterations to said Montgomery-domain multiplication submodule; sending the finite-field value of zc1 to said finite-field inversion submodule; sending the finite-field value of zc1^-1 to said domain transform submodule; sending xc1 and yc1 from the result coordinates (xc1, yc1, zc1) of the (L-1) iterations and the Montgomery-domain value of zc1^-1 to said Montgomery-domain multiplication submodule; sending 1 and the affine-coordinate value of xc1, and 1 and the affine-coordinate value of yc1, to the Montgomery-domain multiplication submodule respectively; and outputting the coordinates (xc1, yc1) formed by the finite-field values of xc1 and yc1 as the result of [f]C; wherein one said iteration comprises: sending the current value of the coordinates (xc1, yc1, zc1) to said projective-coordinate point doubling submodule, and, when the current bit of f is 1, sending the output coordinates returned by said projective-coordinate point doubling submodule to said projective point addition submodule;
The domain transformation submodule is configured to: convert the finite-field values xc2, yc2, 1 into their respective Montgomery-domain values xc3, yc3, zc3 and return them to the scalar multiplication control submodule; convert the finite-field value of zc1^-1 into its Montgomery-domain value and return it to the scalar multiplication control submodule;
The projective-coordinate point doubling submodule is configured to perform point doubling on the input coordinates and return the result to the scalar multiplication control submodule as output coordinates;
The projective point addition submodule is configured to perform point addition on the input coordinates and (xc3, yc3, zc3) and send the result to the scalar multiplication control submodule;
The Montgomery-domain multiplication submodule is configured to: perform a Montgomery-domain multiplication of the Montgomery-domain value of zc1 by 1 and send the resulting finite-field value of zc1 to the scalar multiplication control submodule; perform Montgomery-domain multiplications of xc1 by the Montgomery-domain value of zc1^-1 and of yc1 by the Montgomery-domain value of zc1^-1, and return the resulting affine values of xc1 and yc1 to the scalar multiplication control submodule; perform Montgomery-domain multiplications of the affine values of xc1 and yc1 by 1, and return the resulting finite-field values of xc1 and yc1 to the scalar multiplication control submodule;
The finite-field inversion submodule is configured to perform an inversion of the finite-field value of zc1 and send the resulting finite-field value of zc1^-1 to the scalar multiplication control submodule.
5. The system according to claim 1, characterized in that the initiator point addition module and the responder point addition module each comprise: a point addition control submodule, a domain transformation submodule, a projective point addition submodule, a Montgomery-domain multiplication submodule and a finite-field inversion submodule; wherein,
The point addition control submodule is configured to: convert the received affine coordinates (x11', y11') and (x12', y12') of the points PP1 and PP2 to be added into their respective projective coordinates (x11', y11', 1) and (x12', y12', 1), and send x11', y11', 1 and x12', y12', 1 to the domain transformation submodule; send the coordinates (x111', y111', z111') formed from x111', y111', z111' and the coordinates (x121', y121', z121') formed from x121', y121', z121' to the projective point addition submodule; send z131' from the coordinates (x131', y131', z131') returned by the projective point addition submodule to the Montgomery-domain multiplication submodule; send the finite-field value of z131' returned by the Montgomery-domain multiplication submodule to the finite-field inversion submodule; send the finite-field value of z131'^-1 to the domain transformation submodule; send x131' and y131' from the coordinates (x131', y131', z131') together with the Montgomery-domain value of z131'^-1 to the Montgomery-domain multiplication submodule; send the affine value of x131' together with 1, and the affine value of y131' together with 1, to the Montgomery-domain multiplication submodule; output the coordinates (x131', y131') formed from the finite-field values of x131' and y131' returned by the Montgomery-domain multiplication submodule as the result of the point addition of PP1 and PP2 in affine coordinates;
The domain transformation submodule is configured to: convert the finite-field values x11', y11', 1 and x12', y12', 1 into their respective Montgomery-domain values x111', y111', z111' and x121', y121', z121', and return them to the point addition control submodule; convert the finite-field value of z131'^-1 into the Montgomery-domain value of z131'^-1 and return it to the point addition control submodule;
The projective point addition submodule is configured to perform point addition on the input coordinates (x111', y111', z111') and (x121', y121', z121') and return the resulting coordinates (x131', y131', z131') to the point addition control submodule;
The Montgomery-domain multiplication submodule is configured to: perform a Montgomery-domain multiplication of the input z131' by 1 and send the resulting finite-field value of z131' to the point addition control submodule; perform Montgomery-domain multiplications of x131' by the Montgomery-domain value of z131'^-1 and of y131' by the Montgomery-domain value of z131'^-1, and return the resulting affine values of x131' and y131' to the point addition control submodule; perform Montgomery-domain multiplications of the affine values of x131' and y131' by 1, and return the resulting finite-field values of x131' and y131' to the point addition control submodule;
The finite-field inversion submodule is configured to perform an inversion of the input finite-field value of z131' and send the resulting finite-field value of z131'^-1 to the point addition control submodule.
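As an added worked example (software written for this page, not the patent's hardware), the data flow of claims 4 and 5 over the SM2 recommended curve: finite-field values enter the Montgomery domain, scalar multiplication runs left-to-right from the second-highest bit of f with a projective doubling at every step and a projective addition of the start point on each 1 bit, and the exit path converts z back to a field value, inverts it, returns z^-1 to the Montgomery domain, multiplies x and y by it, and multiplies by 1 to leave the Montgomery domain. Homogeneous projective coordinates (x = X/Z, y = Y/Z) and R = 2^256 are assumptions; the claims fix neither. The point-at-infinity handling in proj_add is also an addition, so that [n]G and P + (-P) do not silently produce garbage.

```python
# Added example, not the patent's circuit: claims 4/5 data flow over the SM2 curve.
# Assumptions made here: homogeneous projective coordinates (x = X/Z, y = Y/Z), R = 2^256.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
# Montgomery constants: R2 = R^2 mod p (for entering the domain), NPRIME = -p^-1 mod R (REDC).
R_BITS = 256
R = 1 << R_BITS
R2 = (R * R) % P
NPRIME = (-pow(P, -1, R)) % R

def mont_mul(a, b):
    """Montgomery-domain multiplication submodule: a*b*R^-1 mod p by one REDC step."""
    t = a * b
    m = ((t & (R - 1)) * NPRIME) & (R - 1)
    u = (t + m * P) >> R_BITS
    return u - P if u >= P else u

def to_mont(x):
    return mont_mul(x % P, R2)        # domain transformation: field value -> Montgomery domain

def from_mont(xm):
    return mont_mul(xm, 1)            # multiplying by 1 leaves the Montgomery domain

A_M = to_mont(A)
INF = (0, to_mont(1), 0)              # point at infinity (0 : 1 : 0)

def proj_double(pt):
    """Projective-coordinate point doubling submodule; all values in the Montgomery domain."""
    X1, Y1, Z1 = pt
    if Z1 == 0 or Y1 == 0:
        return INF
    w = (mont_mul(A_M, mont_mul(Z1, Z1)) + 3 * mont_mul(X1, X1)) % P
    s = mont_mul(Y1, Z1)
    ss = mont_mul(s, s)
    b = mont_mul(mont_mul(X1, Y1), s)
    h = (mont_mul(w, w) - 8 * b) % P
    X3 = mont_mul(2 * h % P, s)
    Y3 = (mont_mul(w, (4 * b - h) % P) - 8 * mont_mul(mont_mul(Y1, Y1), ss)) % P
    Z3 = 8 * mont_mul(s, ss) % P
    return (X3, Y3, Z3)

def proj_add(p1, p2):
    """Projective point addition submodule; the v == 0 branch covers P + P and P + (-P)."""
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    if Z1 == 0:
        return p2
    if Z2 == 0:
        return p1
    y1z2, x1z2, z1z2 = mont_mul(Y1, Z2), mont_mul(X1, Z2), mont_mul(Z1, Z2)
    u = (mont_mul(Y2, Z1) - y1z2) % P
    v = (mont_mul(X2, Z1) - x1z2) % P
    if v == 0:
        return proj_double(p1) if u == 0 else INF
    vv = mont_mul(v, v)
    vvv = mont_mul(v, vv)
    r = mont_mul(vv, x1z2)
    a = (mont_mul(mont_mul(u, u), z1z2) - vvv - 2 * r) % P
    X3 = mont_mul(v, a)
    Y3 = (mont_mul(u, (r - a) % P) - mont_mul(vvv, y1z2)) % P
    Z3 = mont_mul(vvv, z1z2)
    return (X3, Y3, Z3)

def to_proj(pt):
    x, y = pt                         # affine (x, y) -> (x, y, 1) -> Montgomery domain
    return (to_mont(x), to_mont(y), to_mont(1))

def to_affine(pt):
    """Exit path of the claims: z -> field value -> z^-1 -> Montgomery domain -> x*z^-1, y*z^-1."""
    X, Y, Z = pt
    if Z == 0:
        return None
    z = from_mont(Z)
    zinv_m = to_mont(pow(z, P - 2, P))    # finite-field inversion submodule, then back into the domain
    return (from_mont(mont_mul(X, zinv_m)), from_mont(mont_mul(Y, zinv_m)))

def scalar_mult(f, C):
    """[f]C by left-to-right double-and-add from the second-highest bit of f (claim 4)."""
    if f <= 0:
        return None
    start = to_proj(C)
    acc = start                               # initial value of (xc1, yc1, zc1)
    for i in range(f.bit_length() - 2, -1, -1):   # the (L-1) iterations
        acc = proj_double(acc)
        if (f >> i) & 1:
            acc = proj_add(acc, start)
    return to_affine(acc)

def point_add(PP1, PP2):
    return to_affine(proj_add(to_proj(PP1), to_proj(PP2)))   # claim 5 through the same submodules

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0
```

Useful self-checks for an implementation like this: [n]G must be the point at infinity, [n-1]G must equal -G, and [a]G + [b]G must equal [a+b]G; together they exercise the v = 0 branch of the addition and the Montgomery-domain exit path.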
6. The system according to claim 1, characterized in that the initiator key derivation module and the responder key derivation module each comprise: a key derivation control submodule, and a cryptographic hash submodule whose output hash value has a length of v bits; wherein,
The key derivation control submodule is configured to: receive an input bit string ZZ; set the initial value of a 32-bit counter variable ct to 0x00000001; determine ⌈klen/v⌉, the smallest integer greater than or equal to klen/v; for the loop variable i running from 1 to ⌈klen/v⌉ in steps of 1, perform ⌈klen/v⌉ cryptographic hash operations; when klen/v is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉; when klen/v is not an integer, set Ha!_⌈klen/v⌉ to the leftmost bits of the bit string Ha_⌈klen/v⌉, counted from its highest-order bit, where ⌊klen/v⌋ denotes the largest integer less than or equal to klen/v; concatenate Ha_i for i from 1 to (⌈klen/v⌉ - 1) followed by Ha!_⌈klen/v⌉, in order, and output the resulting bit string of length klen bits as the result of the key derivation operation on ZZ; wherein one cryptographic hash operation comprises: concatenating the current value of ct to ZZ to form the bit string ZZ‖ct; sending ZZ‖ct to the cryptographic hash submodule; assigning the H_v(ZZ‖ct) returned by the cryptographic hash submodule to the v-bit Ha_i; incrementing ct by 0x00000001;
The cryptographic hash submodule is configured to perform a cryptographic hash operation on the input bit string ZZ‖ct and return the output v-bit hash value H_v(ZZ‖ct) to the key derivation control submodule.
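The key derivation of claim 6, as an added software example rather than the patent's circuit. The 32-bit counter, the ceiling and the truncation of the last block follow the claim; H_v is instantiated with SHA-256 (v = 256) because Python's hashlib does not always provide SM3, so any v-bit hash with the hashlib interface can be passed as hash_fn. When klen/v is not an integer the last block Ha_⌈klen/v⌉ is cut to its leftmost klen - v·⌊klen/v⌋ bits, which is exactly the count that makes the concatenation klen bits long. Restricting klen to multiples of 8 is a simplification of this byte-oriented example, not a property of the claim.

```python
import hashlib

# Added example, not the patent's circuit. H_v defaults to SHA-256 (v = 256) as a stand-in
# for the v-bit hash submodule; the claim itself does not fix the hash function used here.

def hash_block(zz: bytes, ct: int, hash_fn=hashlib.sha256) -> bytes:
    """Cryptographic hash submodule: H_v(ZZ || ct), ct encoded as a 32-bit big-endian counter."""
    return hash_fn(zz + (ct & 0xFFFFFFFF).to_bytes(4, "big")).digest()

def kdf(zz: bytes, klen: int, hash_fn=hashlib.sha256) -> bytes:
    """Key derivation control submodule: K = Ha_1 || ... || Ha_(ceil-1) || Ha!_ceil, klen bits."""
    if klen <= 0 or klen % 8:
        raise ValueError("this byte-oriented example needs klen to be a positive multiple of 8")
    v = hash_fn().digest_size * 8          # output length of the hash submodule, in bits
    rounds = -(-klen // v)                 # ceil(klen / v)
    ct = 0x00000001                        # initial counter value from the claim
    ha = bytearray()
    for _ in range(rounds):
        ha += hash_block(zz, ct, hash_fn)  # Ha_i = H_v(ZZ || ct)
        ct += 0x00000001
    # If klen/v is not an integer, Ha_ceil is cut to its leftmost klen - v*floor(klen/v)
    # bits; slicing the concatenation to klen bits does exactly that.
    return bytes(ha[: klen // 8])
```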
7. The system according to claim 1, characterized in that the system further comprises an upper-layer multiplexing module;
the initiator random number generation module and the responder random number generation module are one and the same random number generation module; the initiator scalar multiplication module and the responder scalar multiplication module are one and the same scalar multiplication module; the initiator point addition module and the responder point addition module are one and the same point addition module; the initiator key derivation module and the responder key derivation module are one and the same key derivation module;
The initiator control center is configured to send an initiator occupancy request to the upper-layer multiplexing module;
The responder control center is configured to send a responder occupancy request to the upper-layer multiplexing module;
The upper-layer multiplexing module is configured to: upon the initiator occupancy request, set the operating mode of the random number generation module, the scalar multiplication module, the point addition module and the key derivation module to initiator mode, so that these modules respectively assume the functions of the initiator random number generation module, the initiator scalar multiplication module, the initiator point addition module and the initiator key derivation module, and forward the communication data between the initiator control center and the random number generation module, the scalar multiplication module, the point addition module and the key derivation module; upon the responder occupancy request, set the operating mode of the random number generation module, the scalar multiplication module, the point addition module and the key derivation module to responder mode, so that these modules respectively assume the functions of the responder random number generation module, the responder scalar multiplication module, the responder point addition module and the responder key derivation module, and forward the communication data between the responder control center and the random number generation module, the scalar multiplication module, the point addition module and the key derivation module.
8. The system according to claim 7, characterized in that the system further comprises a lower-layer multiplexing module;
the system comprises: a domain transformation submodule and a Montgomery-domain multiplication submodule shared by the initiator control center, the responder control center, the scalar multiplication module and the point addition module; and a projective point addition submodule and a finite-field inversion submodule shared by the scalar multiplication module and the point addition module;
the initiator control center further comprises an initiator control submodule; the responder control center further comprises a responder control submodule; the scalar multiplication module further comprises a scalar multiplication control submodule and a projective-coordinate point doubling submodule; the point addition module further comprises a point addition control submodule;
The initiator control submodule is configured to: send an initiator control submodule occupancy request to the lower-layer multiplexing module; send the two finite-field values to be multiplied to the domain transformation submodule; send the two Montgomery-domain values returned by the domain transformation submodule to the Montgomery-domain multiplication submodule; send 1 together with the product returned by the Montgomery-domain multiplication submodule to the Montgomery-domain multiplication submodule;
The responder control submodule is configured to: send a responder control submodule occupancy request to the lower-layer multiplexing module; send the two finite-field values to be multiplied to the domain transformation submodule; send the two Montgomery-domain values returned by the domain transformation submodule to the Montgomery-domain multiplication submodule; send 1 together with the product returned by the Montgomery-domain multiplication submodule to the Montgomery-domain multiplication submodule;
The scalar multiplication control submodule is configured to: send a scalar multiplication control submodule occupancy request to the lower-layer multiplexing module; receive a set of scalar multiplication data consisting of a scalar f and a point C; convert the affine coordinates (xc, yc) of C into its projective coordinates (xc2, yc2, 1) and send xc2, yc2, 1 to the domain transformation submodule; send (xc3, yc3, zc3) to the projective point addition submodule and use it as the initial value of the Montgomery-domain coordinates (xc1, yc1, zc1) of [f]C, where [f]C denotes the result of the f-fold scalar multiplication of C; determine the binary bit length L of f; take the second-highest bit of the binary representation of f as the initial current bit and, moving down one bit at a time from that bit to the lowest bit of f, perform (L-1) iterations; send zc1 from the resulting coordinates (xc1, yc1, zc1) of the (L-1) iterations to the Montgomery-domain multiplication submodule; send the finite-field value of zc1 to the finite-field inversion submodule; send the finite-field value of zc1^-1 to the domain transformation submodule; send xc1 and yc1 from the resulting coordinates (xc1, yc1, zc1) together with the Montgomery-domain value of zc1^-1 to the Montgomery-domain multiplication submodule; send 1 together with the affine value of xc1, and 1 together with the affine value of yc1, to the Montgomery-domain multiplication submodule; output the coordinates (xc1, yc1) formed from the finite-field values of xc1 and yc1 as the result of [f]C; wherein one iteration comprises: sending the current value of the coordinates (xc1, yc1, zc1) to the projective-coordinate point doubling submodule and, when the current bit of f is a binary 1, sending the output coordinates returned by the projective-coordinate point doubling submodule to the projective point addition submodule;
The projective-coordinate point doubling submodule is configured to perform point doubling on the input coordinates and return the result to the scalar multiplication control submodule as output coordinates;
The point addition control submodule is configured to: send a point addition control submodule occupancy request to the lower-layer multiplexing module; convert the received affine coordinates (x11', y11') and (x12', y12') of the points PP1 and PP2 to be added into their respective projective coordinates (x11', y11', 1) and (x12', y12', 1), and send x11', y11', 1 and x12', y12', 1 to the domain transformation submodule; send the coordinates (x111', y111', z111') formed from x111', y111', z111' and the coordinates (x121', y121', z121') formed from x121', y121', z121' to the projective point addition submodule; send z131' from the coordinates (x131', y131', z131') returned by the projective point addition submodule to the Montgomery-domain multiplication submodule; send the finite-field value of z131' returned by the Montgomery-domain multiplication submodule to the finite-field inversion submodule; send the finite-field value of z131'^-1 to the domain transformation submodule; send x131' and y131' from the coordinates (x131', y131', z131') together with the Montgomery-domain value of z131'^-1 to the Montgomery-domain multiplication submodule; send the affine value of x131' together with 1, and the affine value of y131' together with 1, to the Montgomery-domain multiplication submodule; output the coordinates (x131', y131') formed from the finite-field values of x131' and y131' returned by the Montgomery-domain multiplication submodule as the result of the point addition of PP1 and PP2 in affine coordinates;
The lower-layer multiplexing module is configured to: upon the initiator control submodule occupancy request, set the operating mode of the domain transformation submodule and the Montgomery-domain multiplication submodule to occupied by the initiator control submodule, and forward the communication data between the initiator control submodule and the domain transformation submodule and Montgomery-domain multiplication submodule; upon the responder control submodule occupancy request, set the operating mode of the domain transformation submodule and the Montgomery-domain multiplication submodule to occupied by the responder control submodule, and forward the communication data between the responder control submodule and the domain transformation submodule and Montgomery-domain multiplication submodule; upon the scalar multiplication control submodule occupancy request, set the operating mode of the domain transformation submodule, the Montgomery-domain multiplication submodule, the projective point addition submodule and the finite-field inversion submodule to occupied by the scalar multiplication control submodule, and forward the communication data between the scalar multiplication control submodule and the domain transformation submodule, Montgomery-domain multiplication submodule, projective point addition submodule and finite-field inversion submodule; upon the point addition control submodule occupancy request, set the operating mode of the domain transformation submodule, the Montgomery-domain multiplication submodule, the projective point addition submodule and the finite-field inversion submodule to occupied by the point addition control submodule, and forward the communication data between the point addition control submodule and the domain transformation submodule, Montgomery-domain multiplication submodule, projective point addition submodule and finite-field inversion submodule;
The domain transformation submodule is configured to: when occupied by the initiator control submodule, convert the two finite-field values sent by the initiator control submodule into their respective Montgomery-domain values and return them to the initiator control submodule; when occupied by the responder control submodule, convert the two finite-field values sent by the responder control submodule into their respective Montgomery-domain values and return them to the responder control submodule; when occupied by the scalar multiplication control submodule, convert the finite-field values xc2, yc2, 1 into their respective Montgomery-domain values xc3, yc3, zc3 and return them to the scalar multiplication control submodule, and convert the finite-field value of zc1^-1 into its Montgomery-domain value and return it to the scalar multiplication control submodule; when occupied by the point addition control submodule, convert the finite-field values x11', y11', 1 and x12', y12', 1 into their respective Montgomery-domain values x111', y111', z111' and x121', y121', z121' and return them to the point addition control submodule, and convert the finite-field value of z131'^-1 into the Montgomery-domain value of z131'^-1 and return it to the point addition control submodule;
The Montgomery-domain multiplication submodule is configured to: when occupied by the initiator control submodule, perform a Montgomery-domain multiplication of the two Montgomery-domain values sent by the initiator control submodule and return the product to the initiator control submodule, then perform a Montgomery-domain multiplication of 1 and the product sent by the initiator control submodule and return the result to the initiator control submodule; when occupied by the responder control submodule, perform a Montgomery-domain multiplication of the two Montgomery-domain values sent by the responder control submodule and return the product to the responder control submodule, then perform a Montgomery-domain multiplication of 1 and the product sent by the responder control submodule and return the result to the responder control submodule; when occupied by the scalar multiplication control submodule, perform a Montgomery-domain multiplication of the Montgomery-domain value of zc1 by 1 and send the resulting finite-field value of zc1 to the scalar multiplication control submodule, perform Montgomery-domain multiplications of xc1 by the Montgomery-domain value of zc1^-1 and of yc1 by the Montgomery-domain value of zc1^-1 and return the resulting affine values of xc1 and yc1 to the scalar multiplication control submodule, and perform Montgomery-domain multiplications of the affine values of xc1 and yc1 by 1 and return the resulting finite-field values of xc1 and yc1 to the scalar multiplication control submodule; when occupied by the point addition control submodule, perform a Montgomery-domain multiplication of the input z131' by 1 and send the resulting finite-field value of z131' to the point addition control submodule, perform Montgomery-domain multiplications of x131' by the Montgomery-domain value of z131'^-1 and of y131' by the Montgomery-domain value of z131'^-1 and return the resulting affine values of x131' and y131' to the point addition control submodule, and perform Montgomery-domain multiplications of the affine values of x131' and y131' by 1 and return the resulting finite-field values of x131' and y131' to the point addition control submodule;
The projective point addition submodule is configured to: when occupied by the scalar multiplication control submodule, perform point addition on the input coordinates and (xc3, yc3, zc3) and send the result to the scalar multiplication control submodule; when occupied by the point addition control submodule, perform point addition on the input coordinates (x111', y111', z111') and (x121', y121', z121') and return the resulting coordinates (x131', y131', z131') to the point addition control submodule;
The finite-field inversion submodule is configured to: when occupied by the scalar multiplication control submodule, perform an inversion of the finite-field value of zc1 and send the resulting finite-field value of zc1^-1 to the scalar multiplication control submodule; when occupied by the point addition control submodule, perform an inversion of the input finite-field value of z131' and send the resulting finite-field value of z131'^-1 to the point addition control submodule.
Application CN201110107526.6A (priority date 2011-04-27, filing date 2011-04-27): P element field SM2 elliptic curve key agreement system. Status: Active. Granted publication: CN102761411B (en).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201110107526.6A (CN102761411B) | 2011-04-27 | 2011-04-27 | P element field SM2 elliptic curve key agreement system


Publications (2)

Publication Number | Publication Date
CN102761411A (en) | 2012-10-31
CN102761411B (en) | 2015-06-10

Family ID: 47055738


Country Status (1)

Country | Link
CN (1) | CN102761411B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN104601322A (en) * | 2013-10-31 | 2015-05-06 | 上海华虹集成电路有限责任公司 | Montgomery step algorithm for ternary extension field in cryptographic chip
FR3024808B1 (en) * | 2014-08-05 | 2016-07-29 | Inside Secure | Elliptic curve cryptography method comprising error detection
CN108270563A (en) * | 2016-12-30 | 2018-07-10 | 航天信息股份有限公司 | A kind of method for interchanging data and system based on SM2 Encryption Algorithm
CN113114462B (en) * | 2021-03-31 | 2022-10-04 | 南京航空航天大学 | Small-area scalar multiplication circuit applied to ECC (error correction code) safety hardware circuit

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101296072A (en) * | 2007-04-29 | 2008-10-29 | 四川虹微技术有限公司 | Sharing cryptographic key generation method of elliptic curve
CN101610153A (en) * | 2008-06-20 | 2009-12-23 | 航天信息股份有限公司 | Electronic signature authentication method based on ellipse curve signature algorithm


Also Published As

Publication number | Publication date
CN102761411A (en) | 2012-10-31

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant