Method and device for implementing a DPA-resistant scalar multiplication algorithm based on ECC
Technical field
The present invention relates to the technical field of elliptic curve cryptography (ECC), and in particular to a method and a device for implementing, on the basis of ECC, a scalar multiplication algorithm that resists DPA attacks.
Background technology
ECC is the asymmetric cryptographic algorithm with the highest security per key bit, and because a hardware implementation of ECC is much faster than a software one, it is used in many smart card chips, reader chips and security chips. As the algorithm has come into wide use, and as new attack methods have appeared, the security of ECC has received more and more attention. There are many ways of attacking the ECC algorithm; one effective method is a side-channel attack that analyzes the power consumption produced while the hardware is computing, that is, a power analysis attack.
Power analysis attacks mainly comprise simple power analysis (SPA) and differential power analysis (DPA). SPA exploits the fact that a device draws different amounts of power during different operating steps: the power consumption generated by the cryptographic operation under attack is captured, giving a power trace of the operation. The trace is then analyzed, and the distinct power patterns produced by different operations are used to identify each operation, so that the whole sequence of operating steps is recovered and the attack on the encryption or decryption is completed. DPA differs from SPA in that it uses statistical methods: many power traces of the same operation are collected, and these traces are combined and subjected to statistical analysis to recover the key.
In the ECC algorithm the most critical operation is the scalar multiplication. Common scalar multiplication algorithms are the binary scalar multiplication algorithm, the redundant binary encoding algorithm and the Montgomery algorithm, together with variants of these three. The binary scalar multiplication algorithm is the most primitive one: it implements the definition of scalar multiplication directly, runs very slowly, and resists neither SPA nor DPA. The redundant binary encoding algorithm improves on the binary algorithm by reducing the Hamming weight of the operand and hence the number of calculations; its speed is better but still slow, and it likewise resists neither SPA nor DPA. The Montgomery algorithm is at present the most efficient implementation of ECC scalar multiplication. It exploits the property that, when computing the point doubling and point addition on the elliptic curve, only the x coordinate of a point is needed and the y coordinate is not, so that it achieves a higher computing speed while occupying less storage, and it is resistant to SPA attacks. Its shortcoming is that the Montgomery algorithm still cannot resist DPA attacks.
Summary of the invention
In view of the shortcomings of the above implementation algorithms, the present invention proposes a method and a device for implementing, on the basis of ECC, a scalar multiplication algorithm that resists DPA attacks. It improves on the original Montgomery algorithm: at the cost of a small increase in area, it uses a dual modular multiplier for parallel computation and at the same time adds a redundant operation step on a random number, so that it resists DPA attacks while also improving the computing speed.
The invention provides a method for implementing a DPA-resistant scalar multiplication algorithm based on ECC, the method comprising the following steps:
A state controller controls the dual modular multiplier to perform parallel computation, and at the same time performs a redundant computation based on a random number produced by a random number generator.
The state controller also controls the modular addition, modular subtraction, modular squaring and modular inversion computations in the scalar multiplication algorithm.
Accordingly, an embodiment of the present invention also provides an encryption device implemented on the basis of the ECC algorithm, comprising:
a state controller, for controlling the dual modular multiplier to perform parallel computation, and at the same time performing a redundant computation based on a random number produced by the random number generator;
a random number generator, for producing random numbers;
a dual modular multiplier, for performing modular multiplications under the control of the state controller.
The encryption device further comprises a register group for storing the variables used in the computation.
The encryption device further comprises a modular addition module, a modular subtraction module, a modular squaring module and a modular inversion module.
Through the scalar multiplication implementation method provided by the present invention, which adopts the dual modular multiplier structure and at the same time introduces a random-number modular multiplication cycle, the scalar multiplication operation on the one hand gains the ability to resist DPA attacks and on the other hand achieves a higher computing speed.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic structural diagram of the encryption device in an embodiment of the present invention;
Fig. 2 is a flow chart of the method for implementing a DPA-resistant scalar multiplication algorithm based on ECC in an embodiment of the present invention;
Fig. 3 is a flow chart of the implementation of the scalar multiplication algorithm in an embodiment of the present invention;
Fig. 4 is a flow chart of the insertion of the redundant modular multiplication cycle into an iteration cycle of the scalar multiplication algorithm in an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention and not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 shows the schematic structure of the encryption device in an embodiment of the present invention. The encryption device mainly comprises a state machine, a register group, modular multiplication unit A and modular multiplication unit B (unit A and unit B together form the dual modular multiplier), a modular squaring unit and a modular inversion unit. The state machine controls the whole computation; the register group stores the variables used during the computation; and modular multiplication units A and B form the dual modular multiplier structure that accelerates the computation. The modular squaring unit and the modular inversion unit perform the remaining necessary operations. The present invention mainly uses the state machine to control the whole computation flow: the state machine drives the two modular multipliers so that both remain busy at almost every moment, allowing the scalar multiplication to be split into two parts that execute simultaneously, which greatly reduces the computation time. The state machine also controls the modular addition/subtraction, modular squaring and modular inversion modules so that, together with the modular multiplication, they jointly complete the scalar multiplication. The random number produced by the random number generator is also fed to this module through an interface and, under the control of the state machine, a redundant computation on the random number is performed at random. This random number is used for the redundant computation in the Montgomery algorithm, so that the power trace of the scalar multiplication module is neither reproducible nor analyzable.
Fig. 2 shows the flow of the method for implementing a DPA-resistant scalar multiplication algorithm based on ECC in an embodiment of the present invention, comprising the following steps:
S201: the state controller controls the dual modular multiplier to perform parallel operations;
S202: at the same time, the state controller performs a redundant computation based on the random number produced by the random number generator.
The dual modular multiplier structure is adopted and the algorithm is optimized at the same time, so that the dual modular multiplier is busy most of the time and resource utilization is maximized. Because the implementation uses a dual modular multiplier, the speed can in theory be doubled. To achieve DPA resistance, however, a random number produced by a true random number generator module is introduced, and the dual modular multiplier performs a redundant computation on it. In the algorithm implementation, one iteration cycle of the Montgomery algorithm requires six modular multiplications; with the dual modular multiplier these are completed in three modular multiplication time cycles. So that an attacker cannot mount a DPA attack, the embodiment of the present invention adds one redundant modular multiplication cycle, during which the dual modular multiplier remains busy performing a modular multiplication on the random number. Because a random number is introduced, the power trace of this hardware module is no longer reproducible, and the effect of resisting DPA is achieved.
The implementation flow is shown in Fig. 3: the state machine controls the input data step by step and completes the scalar multiplication. The Montgomery algorithm exploits the property that, during the loop iteration, computing the x coordinate of the point addition and the point doubling requires only the x coordinates of the points and not the y coordinates. In the embodiment of the present invention the computation proceeds on the x coordinate of the point, and only after all loop iterations have completed are the y coordinate of the input point and the result of the iteration used to compute the y coordinate of the output point, which completes the calculation. Let the input scalar be k, let k[i] denote the i-th bit of the binary representation of k, and let its length be L. First the value of [P, 2P] is computed as the initial value of the iteration; at this step the state machine calls the modular squaring unit to complete the calculation. Next let i = L-2, and iterate the loop until i is 0. Each iteration operates according to the value of k[i] and computes either [2tP, (2t+1)P] or [(2t+1)P, (2t+2)P]. Each such computation comprises three modular multiplication cycles and one redundant modular multiplication cycle. The three modular multiplication cycles, denoted cycle A, cycle B and cycle C, perform the modular multiplications on the x coordinates. The redundant modular multiplication cycle performs a modular multiplication on the random number generated by the random number generator, forming a computation whose power consumption resembles that of the other modular multiplication cycles, so as to achieve DPA resistance. After the (i-1)th iteration, the state machine calls the modular inversion unit and the modular multiplication units to compute, from the iteration result, the y coordinate of the point. The complete x coordinate and y coordinate are now available and the scalar multiplication is complete.
The present invention randomizes the position at which the random redundant modular multiplication cycle occurs. Denote the modular multiplication cycles of the original algorithm as cycle A, cycle B and cycle C. The position at which this modular multiplication cycle D occurs can be before A, between A and B, between B and C, or after C. Two random bits from the true random number output module are introduced to control at random the position at which this modular multiplication cycle appears, thereby randomizing the position of the redundant modular multiplication cycle.
The concrete randomization process is shown in Fig. 4. Within each scalar multiplication iteration cycle, regardless of whether the key bit is 0 or 1, the same decision is made according to the flow chart of Fig. 4, and the redundant random-number modular multiplication cycle is inserted at a random position among the three modular multiplication cycles. Thus what the attacker observes is four modular multiplication cycles A, B, C and D whose power consumption is alike and cannot be told apart, so the position of the redundant cycle cannot be found. When mounting a DPA attack, the attacker can only analyze the power trace as a whole; but because one of the modular multiplication cycles performs a modular multiplication on a random number, the power consumption generated by the computation is unpredictable. DPA attacks are thereby resisted in principle.
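The following is an added worked model, not code from the patent, of the iteration structure described above (six modular multiplications packed into cycles A, B and C on a dual multiplier, a redundant random-number cycle D whose slot is chosen by two random bits, and the final y coordinate recovery from the iteration result and the input point's y). It assumes a Montgomery-form curve y^2 = x^3 + A*x^2 + x over GF(P) with constructed toy parameters P = 103, A = 5 and base point (2, 66), none of which come from the patent; the functions dual_mulmod, ladder_step, scalar_mult, iteration_schedules and the TRACE log are all hypothetical names introduced here. A plain affine double-and-add reference is included only to cross-check the ladder.

```python
"""Toy model of the hardened ladder iteration (constructed example).
Curve y^2 = x^3 + A*x^2 + x over GF(P) with toy parameters P = 103, A = 5
(chosen for readability, not a standardized curve).  The two multiplier units
of Fig. 1 are modelled by dual_mulmod(), which logs a label per cycle so that
the A/B/C/D schedule of every iteration can be inspected."""
import secrets

P = 103                                  # toy prime, P % 4 == 3
A = 5                                    # A^2 != 4: curve is non-singular
A24 = (A + 2) * pow(4, P - 2, P) % P     # (A + 2)/4, used by x-only doubling
TRACE = []                               # dual-multiplier cycle labels, in order

def dual_mulmod(label, a, b, c, d):
    """One cycle of the dual multiplier: unit A computes a*b, unit B computes c*d."""
    TRACE.append(label)
    return a * b % P, c * d % P

def sqr(a):            # modular squaring unit
    return a * a % P

def inv(a):            # modular inversion unit (Fermat)
    return pow(a, P - 2, P)

def ladder_step(x0, z0, x1, z1, xd, slot):
    """Return (2*R0, R0 + R1) in X/Z form, given xd = x(R1 - R0).
    The six multiplications form cycles A, B, C; the redundant cycle D multiplies
    fresh random numbers and discards the result.  slot (0..3) places D before A,
    between A and B, between B and C, or after C."""
    def redundant():
        r = [secrets.randbelow(P) for _ in range(4)]
        dual_mulmod("D", r[0], r[1], r[2], r[3])      # result intentionally unused
    t0, t1 = (x0 + z0) % P, (x0 - z0) % P
    t2, t3 = (x1 + z1) % P, (x1 - z1) % P
    s0, s1 = sqr(t0), sqr(t1)                         # squaring unit, not traced
    if slot == 0:
        redundant()
    u0, u1 = dual_mulmod("A", t1, t2, t0, t3)         # cross terms of the addition
    if slot == 1:
        redundant()
    e = (s0 - s1) % P                                 # 4*X0*Z0
    xdbl, w = dual_mulmod("B", s0, s1, A24, e)        # X(2R0) and A24*e
    if slot == 2:
        redundant()
    v0, v1 = (u0 + u1) % P, (u0 - u1) % P
    zdbl, zadd = dual_mulmod("C", e, (s1 + w) % P, xd, sqr(v1))
    if slot == 3:
        redundant()
    return xdbl, zdbl, sqr(v0), zadd

def scalar_mult(k, xp, yp, rng=None):
    """x-only ladder for k*P with y recovered at the end; None means infinity.
    rng() models the two random bits that pick the slot of the redundant cycle."""
    rng = rng or (lambda: secrets.randbelow(4))
    TRACE.clear()
    if k == 0:
        return None
    bits = bin(k)[2:]                                 # bits[0] is k[L-1] == 1
    x0, z0 = xp, 1                                    # R0 = P
    s0, s1 = sqr((xp + 1) % P), sqr((xp - 1) % P)     # R1 = 2P (initial doubling)
    x1, z1 = s0 * s1 % P, (s0 - s1) * (s1 + A24 * (s0 - s1)) % P
    for b in bits[1:]:                                # i = L-2 down to 0
        if b == "0":                                  # -> [2tP, (2t+1)P]
            x0, z0, x1, z1 = ladder_step(x0, z0, x1, z1, xp, rng())
        else:                                         # -> [(2t+1)P, (2t+2)P]
            x1, z1, x0, z0 = ladder_step(x1, z1, x0, z0, xp, rng())
    if z0 == 0:
        return None
    x2 = x0 * inv(z0) % P
    if x2 == xp:                                      # k*P is P or -P
        return (xp, yp) if z1 != 0 else (xp, (-yp) % P)
    x3 = x1 * inv(z1) % P                             # x of (k+1)P
    f = lambda x: (x * x * x + A * x * x + x) % P     # y^2 as a function of x
    num = (f(x2) + f(xp) - (x3 + A + xp + x2) * sqr((x2 - xp) % P)) % P
    return x2, num * inv(2 * yp % P) % P              # from (y2 - yp)^2 = (x3+A+xp+x2)(x2-xp)^2

def iteration_schedules():
    """Split TRACE into the four-cycle schedule of each ladder iteration."""
    return [TRACE[i:i + 4] for i in range(0, len(TRACE), 4)]

# Plain affine double-and-add (no hardening), used only to cross-check the ladder.
def affine_add(p1, p2):
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                               # P + (-P)
        lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1 % P) % P
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P) % P
    x3 = (lam * lam - A - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def reference_mult(k, pt):
    acc = None
    for b in bin(k)[2:]:
        acc = affine_add(acc, acc)
        if b == "1":
            acc = affine_add(acc, pt)
    return acc

BASE = (2, 66)     # constructed base point: 66^2 = 4356 = 42*103 + 30 = 8 + 20 + 2
```

Calling scalar_mult(k, *BASE) returns the affine point k*P and leaves in TRACE one four-entry schedule per iteration; with the default rng the position of D varies from iteration to iteration, while the fixed A, B, C order and the constant four-cycle length are the same for a 0 bit and a 1 bit, which is the shape the text relies on. The branch on the key bit is kept for readability; the hardware described above performs identical cycles in both cases.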
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be completed by hardware under the instruction of a program, which may be stored in a computer-readable storage medium; the storage medium may comprise a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk or the like.
The method and device for implementing a DPA-resistant scalar multiplication algorithm based on ECC provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principle and the mode of implementation of the present invention, and the description of the above embodiments serves only to help understand the method of the present invention and its core idea. Meanwhile, those of ordinary skill in the art, following the idea of the present invention, will make changes in the specific embodiments and the scope of application. In summary, this description should not be construed as limiting the present invention.