CN103944714A - Scalar multiplication method and device for achieving DPA attack based on ECC - Google Patents


Info

Publication number: CN103944714A
Authority: CN (China)
Prior art keywords: modular, random number, scalar multiplication, ecc, algorithm
Legal status: Pending
Application number: CN201410179317.6A
Other languages: Chinese (zh)
Inventors: 胡建国, 黄晴晴, 李仕仁, 王德明, 谭宇泉
Current Assignee: Sun Yat Sen University; SYSU CMU Shunde International Joint Research Institute; National Sun Yat Sen University
Original Assignee: SYSU CMU Shunde International Joint Research Institute; National Sun Yat Sen University

Abstract

The invention discloses an ECC-based scalar multiplication method resistant to DPA attacks. In the method, a state controller controls parallel computation by a dual modular multiplier while, at the same time, a redundant computation is performed on a random number produced by a random number generator. The invention further discloses an encryption device based on the ECC algorithm, comprising the state controller, which controls the parallel computation of the dual modular multiplier and performs the redundant computation on the random number produced by the random number generator; the random number generator, which produces the random number; and the dual modular multiplier, which is controlled by the state controller to perform the modular multiplications. With this scalar multiplication method and device, the scalar multiplication operation gains resistance to DPA attacks and its speed is also improved.

Description

Method and device for implementing an ECC-based scalar multiplication algorithm resistant to DPA attacks
Technical field
The present invention relates to the technical field of elliptic curve cryptography (ECC), and in particular to a method and device for implementing an ECC-based scalar multiplication algorithm that resists differential power analysis (DPA) attacks.
Background technology
ECC is the public-key algorithm with the highest security per key bit, and because hardware implementations of ECC are much faster than software ones, it is used in many smart-card chips, reader chips and security chips. As the algorithm has come into wide use and new attack methods have appeared, the security of ECC has attracted growing attention. Many ways of attacking ECC exist; an effective one is the side-channel approach of analysing the power consumption produced during the hardware computation, that is, a power analysis attack.
Power analysis attacks mainly comprise simple power analysis (SPA) and differential power analysis (DPA). SPA exploits the fact that a device produces different power consumption under different operating steps: the power consumption of the targeted cryptographic operation is captured, yielding a power trace of the operation. The trace is analysed and, since different operations produce different power consumption patterns, the operations are parsed from it and the whole sequence of operations is recovered, completing the attack on the encryption or decryption. DPA differs from SPA in that it uses statistical methods: many power traces of the same operation are collected and combined, and the key is obtained by statistical analysis of them.
In ECC the most critical computation is scalar multiplication. Common scalar multiplication algorithms are the binary algorithm, the redundant binary coding algorithm and the Montgomery algorithm, together with variants of these three. The binary algorithm is the most basic one; it implements the definition of scalar multiplication directly, is very slow, and resists neither SPA nor DPA. The redundant binary coding algorithm improves on the binary algorithm by reducing the Hamming weight of the operand and hence the number of computations, which improves speed, but it is still slow and likewise resists neither SPA nor DPA. The Montgomery algorithm is currently the most efficient ECC scalar multiplication algorithm: when computing point doublings and point additions on the elliptic curve it uses only the x coordinates of the points and does not need the y coordinates, so it achieves higher speed while using less storage, and it resists SPA. Its shortcoming is that the Montgomery algorithm still cannot resist DPA.
Summary of the invention
To address the deficiencies of the above implementations, the present invention proposes a method and device for implementing an ECC scalar multiplication algorithm that resists DPA attacks. It improves on the original Montgomery algorithm: at the cost of a small amount of extra area, it uses a dual modular multiplier for parallel computation and adds a redundant operation step on a random number, so that it resists DPA while also computing faster.
The invention provides a method for implementing an ECC-based scalar multiplication algorithm resistant to DPA attacks, comprising the steps of:
a state controller controlling a dual modular multiplier to compute in parallel; and, at the same time, performing a redundant computation based on a random number produced by a random number generator.
The state controller also controls the modular addition, modular subtraction, modular squaring and modular inversion computations in the scalar multiplication algorithm.
Correspondingly, an embodiment of the invention also provides an encryption device implemented on the basis of the ECC algorithm, comprising:
a state controller, for controlling a dual modular multiplier to compute in parallel and, at the same time, performing a redundant computation based on a random number produced by a random number generator;
a random number generator, for producing the random number;
a dual modular multiplier, controlled by the state controller to perform modular multiplications.
The encryption device further comprises a register file for storing the variables used in the computation.
The encryption device further comprises a modular addition module, a modular subtraction module, a modular squaring module and a modular inversion module.
With the scalar multiplication implementation provided by the invention, which adopts a dual-modular-multiplier structure and at the same time introduces a random-number modular multiplication cycle, the scalar multiplication operation gains resistance to DPA attacks on the one hand and higher speed on the other.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for describing them are briefly introduced below. Clearly the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain further drawings from them without creative effort.
Fig. 1 is a structural diagram of the encryption device in an embodiment of the invention;
Fig. 2 is a flow chart of the method for implementing an ECC-based DPA-resistant scalar multiplication algorithm in an embodiment of the invention;
Fig. 3 is a flow chart of the scalar multiplication algorithm in an embodiment of the invention;
Fig. 4 is a flow chart of inserting the redundant modular multiplication cycle into an iteration of the scalar multiplication algorithm in an embodiment of the invention.
Embodiment
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the drawings. Clearly the described embodiments are only some, not all, embodiments of the invention. All other embodiments that a person of ordinary skill in the art obtains from them without creative effort fall within the scope of protection of the invention.
Fig. 1 shows the structure of the encryption device in an embodiment of the invention. It mainly comprises a state machine, a register file, modular multiplication unit A and modular multiplication unit B (which together form the dual modular multiplier), a modular squaring unit and a modular inversion unit. The state machine controls the whole computation; the register file stores the variables used during the computation; modular multiplication units A and B form the dual-multiplier structure that speeds up the computation; the modular squaring and modular inversion units perform some necessary operations. The invention mainly uses the state machine to control the whole computation flow: the state machine drives the two modular multipliers so that both are kept busy at almost every moment, allowing the scalar multiplication to be split into two parts computed simultaneously and greatly reducing computation time. The state machine also controls the modular addition/subtraction, modular squaring and modular inversion modules, so that together with the modular multiplications they complete the scalar multiplication. The random number produced by the random number generator is also fed to this module through an interface and, under the control of the state machine, a redundant computation on the random number is performed at a random position. This random number serves the redundant computation in the Montgomery algorithm, so that the power trace of the scalar multiplication module is no longer reproducible or analysable.
Fig. 2 shows the flow of the method for implementing an ECC-based DPA-resistant scalar multiplication algorithm in an embodiment of the invention, comprising the steps:
S201: the state controller controls the dual modular multiplier to compute in parallel;
S202: at the same time, the state controller performs a redundant computation based on the random number produced by the random number generator.
A dual-modular-multiplier structure is adopted and the algorithm is optimised so that the dual multiplier is busy most of the time, maximising resource utilisation. With this structure the speed can in theory be raised to twice the original. To achieve DPA resistance, however, a random number produced by a true random number generation module is introduced, and the dual modular multiplier performs a redundant computation on it. In the algorithm, one iteration of the Montgomery algorithm requires six modular multiplications; with the dual modular multiplier these are completed in three modular multiplication time cycles. So that an attacker cannot mount a DPA attack, the embodiment adds one redundant modular multiplication cycle, during which the dual modular multiplier is kept busy performing modular multiplications on the random number. Because the random number is introduced, the power trace of the hardware module is no longer reproducible, which achieves DPA resistance.
The concrete implementation of the loop is shown in Fig. 3: the state machine controls the input data in detail and completes the scalar multiplication. The Montgomery algorithm exploits the property that, during the loop iteration, the x coordinates of a point addition and a point doubling can be computed using only the x coordinates of the points, without their y coordinates. In the embodiment, the computation proceeds on the x coordinates of the points until the loop iteration has completed; then the y coordinate of the input point and the result of the iteration are used to compute the y coordinate of the output point, completing the computation. Let the input scalar be k, let k[i] denote bit i of the binary representation of k, and let its length be L. First the values [P, 2P] are computed as the initial values of the iteration; here the state machine calls the modular squaring unit to complete this step. Next, set i = L-2 and iterate until i is 0. Each iteration operates according to the value of k[i], computing either [2tP, (2t+1)P] or [(2t+1)P, (2t+2)P]. Each such computation comprises three modular multiplication cycles and one redundant modular multiplication cycle. The three modular multiplication cycles, denoted cycle A, cycle B and cycle C, perform the modular multiplications on the x coordinates. The redundant modular multiplication cycle performs modular multiplications on the random number generated by the random number generator, forming a computation whose power consumption intensity is similar to that of the other modular multiplication cycles, so as to achieve DPA resistance. After the (i-1) iterations, the state machine calls the modular inversion and modular multiplication units to compute the y coordinate of the point from the iteration result. The complete x and y coordinates are now obtained and the scalar multiplication is complete.
The invention randomises the position at which the redundant modular multiplication cycle occurs. Denote the modular multiplication cycles of the original algorithm as cycle A, cycle B and cycle C. The redundant cycle D can occur before A, between A and B, between B and C, or after C. Two random bits from the true random number output module are used to control at random the position at which this cycle appears, thereby randomising the position of the redundant modular multiplication cycle.
The concrete randomisation process is shown in Fig. 4. Within each scalar multiplication iteration, whether the key bit is 0 or 1, the same decision is made according to the flow chart of Fig. 4, and the redundant random-number modular multiplication cycle is inserted at a random position among the three modular multiplication cycles. What the attacker sees is therefore four modular multiplication cycles A, B, C, D whose power consumption is similar and cannot be told apart, so the position of the redundant cycle cannot be found. In a DPA attack the attacker can only analyse the whole power trace; but since one of the cycles performs a modular multiplication on a random number, the power consumption it generates is unpredictable, which protects against DPA in principle.
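The iteration described above (initial pair [P, 2P], a per-bit update to [2tP, (2t+1)P] or [(2t+1)P, (2t+2)P], three real cycles A, B, C and a redundant cycle D placed by two random bits) modelled in Python, as an added example that is not the patent's own code. It uses full affine coordinates on a constructed toy curve over F_97 rather than the x-only formulas, and random.SystemRandom as a stand-in for the hardware TRNG; the reference double-and-add exists only to check the ladder's result.

```python
"""Software model of the scheme described above: a Montgomery ladder whose
every iteration does the same work whatever the key bit, plus one redundant
modular multiplication cycle on random data inserted before A, between A
and B, between B and C, or after C, as chosen by two random bits.
Added example, not the patent's own code.  The toy curve y^2 = x^3 + 2x + 3
over F_97, its base point and the cycle labels A/B/C/D are constructed."""
import random

P_MOD = 97            # constructed toy field prime
A, B = 2, 3           # constructed curve coefficients
BASE = (1, 43)        # on the curve: 43^2 = 1849 = 19*97 + 6 = 1 + 2 + 3 (mod 97)
INF = None            # point at infinity


def point_add(p1, p2):
    """Affine group law on y^2 = x^3 + A*x + B mod P_MOD, including O and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:                        # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def naive_mul(k, pt):
    """Reference double-and-add, used only to check the ladder's result."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = point_add(acc, acc)
        if bit == "1":
            acc = point_add(acc, pt)
    return acc


def ladder_mul(k, pt, seed=None):
    """Montgomery ladder with the redundant cycle D.  Returns (k*pt, trace);
    trace lists the cycle order of each iteration, e.g. 'ADBC'.  The hardware
    uses a TRNG; random.SystemRandom stands in for it, and a seed may be given
    so that a run is reproducible when testing."""
    if k < 1:
        raise ValueError("scalar must be positive")
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    bits = bin(k)[2:]
    r0, r1 = pt, point_add(pt, pt)              # initial pair [P, 2P]
    trace = []
    for bit in bits[1:]:                        # i = L-2 down to 0
        if bit == "0":                          # -> [2tP, (2t+1)P]
            r1, r0 = point_add(r0, r1), point_add(r0, r0)
        else:                                   # -> [(2t+1)P, (2t+2)P]
            r0, r1 = point_add(r0, r1), point_add(r1, r1)
        cycles = ["A", "B", "C"]                # the three real mod-mul cycles
        slot = rng.getrandbits(2)               # two random bits pick D's slot
        # cycle D: a modular multiplication on random operands, result discarded
        _ = (rng.getrandbits(7) * rng.getrandbits(7)) % P_MOD
        cycles.insert(slot, "D")
        trace.append("".join(cycles))
    return r0, trace


def matches_reference(kmax, pt=BASE):
    """True if the ladder agrees with double-and-add for every 1 <= k <= kmax."""
    return all(ladder_mul(k, pt, seed=k)[0] == naive_mul(k, pt)
               for k in range(1, kmax + 1))


def redundant_slots_seen(k, runs, pt=BASE):
    """Positions (0..3) at which cycle D appeared over `runs` seeded runs."""
    return {t.index("D") for s in range(runs) for t in ladder_mul(k, pt, seed=s)[1]}
```

Every iteration's trace has exactly four cycles whatever the key bit, so only the operand of cycle D, not the control flow, differs between runs.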
A person of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The method and device for implementing an ECC-based DPA-resistant scalar multiplication algorithm provided by the embodiments of the invention have been described in detail above. Specific examples have been used to explain the principle and implementation of the invention; the above description of the embodiments is only intended to help understand the method of the invention and its core idea. At the same time, a person of ordinary skill in the art may, following the idea of the invention, make changes in the specific embodiments and the scope of application. In sum, this description should not be construed as limiting the invention.

Claims (5)

1. An ECC-based method for implementing a scalar multiplication algorithm resistant to DPA attacks, characterised in that the method comprises the steps of:
a state controller controlling a dual modular multiplier to compute in parallel; and, at the same time, performing a redundant computation based on a random number produced by a random number generator.
2. The ECC-based method for implementing a DPA-resistant scalar multiplication algorithm according to claim 1, characterised in that the state controller also controls the modular addition, modular subtraction, modular squaring or modular inversion computations in the scalar multiplication algorithm.
3. An encryption device, characterised in that the encryption device is implemented on the basis of the ECC algorithm and comprises:
a state controller, for controlling a dual modular multiplier to compute in parallel and, at the same time, performing a redundant computation based on a random number produced by a random number generator;
a random number generator, for producing the random number;
a dual modular multiplier, controlled by the state controller to perform modular multiplications.
4. The encryption device according to claim 3, characterised in that the encryption device further comprises a register file for storing the variables used in the computation.
5. The encryption device according to claim 4, characterised in that the encryption device further comprises a modular addition module, a modular subtraction module, a modular squaring module and a modular inversion module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410179317.6A CN103944714A (en) 2014-04-26 2014-04-26 Scalar multiplication method and device for achieving DPA attack based on ECC


Publications (1)

Publication Number Publication Date
CN103944714A true CN103944714A (en) 2014-07-23

Family

ID=51192214


Country Status (1)

Country Link
CN (1) CN103944714A (en)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李默然 et al.: "An improved Montgomery scalar multiplication algorithm resistant to DPA attacks", 《电子技术应用》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254059A (en) * 2016-07-26 2016-12-21 华为技术有限公司 A kind of operation method and safety chip
CN106254059B (en) * 2016-07-26 2020-03-20 华为技术有限公司 Operation method and security chip
US10601577B2 (en) 2016-07-26 2020-03-24 Huawei Technologies Co., Ltd. Operation method and security chip
CN112131616A (en) * 2020-09-15 2020-12-25 郑州信大捷安信息技术股份有限公司 Mask operation method and device for SM2 algorithm
CN112131616B (en) * 2020-09-15 2022-02-18 郑州信大捷安信息技术股份有限公司 Mask operation method and device for SM2 algorithm
CN112232523A (en) * 2020-12-08 2021-01-15 湖南航天捷诚电子装备有限责任公司 Domestic artificial intelligence computing equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: 528000 South Road, Foshan, Guangdong, Shunde

Applicant after: Internation combination research institute of Carnegie Mellon University of Shunde Zhongshan University

Applicant after: Sun Yat-sen University

Applicant after: Hu Jianguo

Address before: 510800 Guangdong province Guangzhou City Huadu District days Road No. 88

Applicant before: Hu Jianguo

Applicant before: Internation combination research institute of Carnegie Mellon University of Shunde Zhongshan University

Applicant before: Sun Yat-sen University

COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 510800 GUANGZHOU, GUANGDONG PROVINCE TO: 528000 FOSHAN, GUANGDONG PROVINCE

Free format text: CORRECT: APPLICANT; FROM: HU JIANGUO TO: SYSU-CMU SHUNDE INTERNATIONAL JOINT RESEARCH INSTITUTE

Free format text: CORRECT: APPLICANT; FROM: SYSU-CMU SHUNDE INTERNATIONAL JOINT RESEARCH INSTITUTE ZHONGSHAN UNIVERSITY TO: ZHONGSHAN UNIVERSITY HU JIANGUO

RJ01 Rejection of invention patent application after publication

Application publication date: 20140723