CN104917608A - Key anti-power attack method - Google Patents

Publication number: CN104917608A (application CN201510256515.2A; granted version CN104917608B)
Authority: CN (China)
Legal status: Granted (active)
Inventors: 乌力吉, 韩晓薇, 张向民, 王蓓蓓
Assignee (current and original): Tsinghua University
Original language: Chinese (zh)
Prior art keywords: variable, scalar multiplication, previous cycle, atomic block, point
Landscapes: Storage Device Security; Mobile Radio Communication Systems

Abstract

The invention discloses a method for protecting a key against power analysis attacks. A preset atomic block is used to carry out the point doubling and/or point addition operations of a scalar multiplication, where the preset atomic block consists of a modular multiplication, an addition and a subtraction. The method combines the idea of atomic algorithms with the characteristics of the public key algorithm to streamline the point addition and point doubling procedures; dedicated variables control the inner loop of the scalar multiplication, which is thereby converted into a loop over modular multiply-add-subtract atomic blocks. The computation required by the scalar multiplication is greatly reduced, the security of the key is preserved, and the speed of the public key algorithm is improved.

Description

Method for protecting a key against power analysis attacks
Technical field
The present invention relates to the field of information security, and specifically to a method for protecting a key against power analysis attacks.
Background
A power analysis attack is a side-channel attack that recovers a key from the power consumed by a device while it executes a cryptographic algorithm. As shown in Fig. 1, the power consumption of a cryptographic chip is closely tied to the instructions and data of the algorithm being run, and this is exactly what makes power analysis possible. Power analysis comprises two main classes: simple power analysis (SPA) and differential power analysis (DPA). In SPA, the attacker observes the power trace of an encryption and infers which operation was executed at each point in time, thereby extracting part or all of the key. In DPA, the attacker instead recovers the key by analysing the statistical relationship between power consumption and intermediate variables.
In 1985, N. Koblitz and V. Miller independently proposed elliptic curve cryptography (ECC). Compared with conventional public key algorithms, ECC offers high security, fast computation, small storage, low bandwidth, few parameters and short signatures, and it is particularly well suited to resource-constrained systems.
On 17 December 2010, to meet the needs of applications such as digital certificate systems, the State Cryptography Administration of China published the SM2 elliptic curve public key algorithm. At present SM2 is mostly deployed in smart card chips, and power analysis, which needs only a small key search space and has high analysis efficiency, is a serious threat to the security of those chips. As SM2 is rolled out in the domestic financial sector, improving the resistance of SM2 chip implementations to power analysis is of great significance to the security of China's financial industry.
Summary of the invention
To solve the above problem, the invention provides a method for protecting a key against power analysis attacks, the method comprising:
using a preset atomic block to carry out the point doubling and/or point addition operations in a scalar multiplication, where the preset atomic block consists of a modular multiplication, an addition and a subtraction.
According to one embodiment, the preset atomic block contains exactly one modular multiplication, one addition and one subtraction.
According to one embodiment, the preset atomic block is:
$$
\Gamma:\quad
\begin{cases}
R_{u^*_{p,0}} \leftarrow R_{u^*_{p,1}} \cdot R_{u^*_{p,2}} \\
R_{u^*_{p,3}} \leftarrow R_{u^*_{p,4}} + R_{u^*_{p,5}} \\
R_{u^*_{p,6}} \leftarrow R_{u^*_{p,7}} - R_{u^*_{p,8}}
\end{cases}
$$
where Γ is the preset atomic block, u*_{p,q} is the element in row p and column q of the register index matrix, and R denotes a register.
According to one embodiment,
when the point P of the scalar multiplication is a fixed point, the register index matrix of the preset atomic block has dimension 19 × 9;
when the point P of the scalar multiplication is not a fixed point, the register index matrix of the preset atomic block has dimension 24 × 9.
According to one embodiment, the scalar multiplication carried out during a key-dependent operation comprises the steps of:
computing the variable p of the current iteration from the variables a and p of the previous iteration;
computing the variable a of the current iteration from the bit b_i and the variable p of the current iteration;
executing the operations of the preset atomic block according to the variable p of the current iteration and the register index matrix;
computing the variable i of the next iteration from the variable i of the current iteration and the variable a;
checking whether the variable i of the next iteration is greater than or equal to 0; if so, repeating the above process, otherwise obtaining the result of the scalar multiplication from the output of the preset atomic blocks.
According to one embodiment, when the point P of the scalar multiplication is a fixed point, the variables p and a of the current iteration are computed according to the following expression:
where b_i denotes the value of bit i of the binary representation of the integer b.
According to one embodiment, when the point P of the scalar multiplication is not a fixed point, the variables p and a of the current iteration are computed according to the following expression:
where b_i denotes the value of bit i of the binary representation of the integer b.
According to one embodiment, when the point P of the scalar multiplication is not a fixed point, the scalar multiplication comprises:
computing the variable p of the current iteration from the variables a and p of the previous iteration;
computing the variable a of the current iteration from the bit b_i and the variable p of the current iteration;
while the variable j lies in a first preset range, repeatedly:
executing the operations of the preset atomic block according to the variable p of the current iteration and the register index matrix;
incrementing the variable j by 1 and entering the next inner iteration;
computing the variable i of the next iteration from the variable i of the current iteration and the variable a;
checking whether the variable i of the next iteration is greater than or equal to 0; if so, repeating the above process, otherwise obtaining the result of the scalar multiplication from the output of the preset atomic blocks.
According to one embodiment, when the point P of the scalar multiplication is not a fixed point, the variables p and a of the current iteration are computed according to the following expression:
where b_i denotes the value of bit i of the binary representation of the integer b.
According to one embodiment, when generating a digital signature the method computes the variable s of the signature according to the following expression:
s = [(1 + d_A)^{-1} · (k + r) − r] mod n
where d_A is the private key of user A, r is the public variable of the signature, k is a random number and n is the order of the base point.
According to one embodiment, if the generated s equals 0, a new random number is drawn and s is regenerated from it.
According to one embodiment, generating the variable r of the digital signature comprises:
concatenating the message M to be signed with the first hash value Z_A and applying the cryptographic hash function H_v to obtain the variable e;
computing the k-fold point [k]G of the base point G on the elliptic curve from the random number k;
generating the variable r of the digital signature from the variable e and the point [k]G.
The method of protecting a key against power analysis provided by the invention combines the concept of atomic algorithms with the specifics of SM2, streamlines the point addition and point doubling procedures, controls the inner loop of the scalar multiplication through a few dedicated variables, and thereby turns the scalar multiplication into a loop over modular multiply-add-subtract atomic blocks.
Compared with existing atomic algorithms, the method saves one negation per atomic block and reduces the register index matrix from 26 × 10 to 19 × 9 or 24 × 9. This greatly reduces the amount of computation required by the scalar multiplication, preserves the security of the key, and improves the speed of SM2.
At the same time, the expression the method uses to generate s no longer contains the vulnerable product r · d_A, which further improves the resistance of the key to power analysis. In addition, generating s requires only one inversion and one modular multiplication, one multiplication fewer than the original algorithm, so the method not only resists power analysis but also runs faster.
Other features and advantages of the invention will be set out in the following description, will in part become apparent from the description, or may be learned by practising the invention. The objects and other advantages of the invention are realised and obtained by the structures particularly pointed out in the description, the claims and the drawings.
Brief description of the drawings
To explain the embodiments of the invention or the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are introduced briefly below:
Fig. 1 is a schematic diagram of an existing power analysis attack on SM2;
Fig. 2 is the flow chart of the existing scalar multiplication;
Fig. 3 is the flow chart of the scalar multiplication according to one embodiment of the invention;
Fig. 4 is the flow chart of the scalar multiplication according to another embodiment of the invention;
Fig. 5 is the flow chart of generating the digital signature (r, s) according to one embodiment of the invention.
Detailed description
Embodiments of the invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve the technical problem and achieves its technical effect can be fully understood and carried out. It should be noted that, as long as they do not conflict, the embodiments of the invention and the features within them may be combined with one another, and the resulting technical solutions all fall within the scope of the invention.
Furthermore, many specific details are set forth in the following description for purposes of illustration, to provide a thorough understanding of the embodiments of the invention. It will be apparent to those skilled in the art, however, that the invention may be practised without these details or in the specific manner described here.
In addition, the steps shown in the flow charts of the drawings may be executed in a computer system, for example as a set of computer-executable instructions, and although a logical order is shown in the flow charts, in some cases the steps may be executed in an order different from that shown or described.
A public key algorithm such as SM2 usually includes digital signature generation, signature verification, public key encryption, public key decryption and key exchange, and all of these involve scalar multiplication, which is composed of repeated point doublings and point additions.
The principle of side-channel atomicity is to express the intermediate steps of the cryptographic algorithm (such as point addition and point doubling) as a common atomic structure, so that the algorithm repeatedly executes identical atomic instruction blocks and the power trace shows the same pattern throughout, thereby resisting SPA. Since atomic algorithms were first proposed, atomic structures of various shapes have followed; but the existing structures are all rather long and require many redundant operations.
To address these problems, this embodiment provides a new method for protecting a key against power analysis, in which the scalar multiplication is performed with a preset atomic block consisting of a modular multiplication, an addition and a subtraction. Preferably, each preset atomic block contains exactly one modular multiplication, one addition and one subtraction.
As shown in Fig. 2, the traditional scalar multiplication executes different instructions depending on b_i (the value of bit i of the binary representation of the integer b). Before the current bit b_i is examined, a point doubling is performed (P_0 ← 2P_0, i.e. 2P_0 is assigned to P_0), and only then is b_i tested.
If b_i is 0, the binary representation of b is simply shifted right by one position (i ← i − 1) and the next iteration begins. If b_i is not 0 (i.e. b_i is 1), a point addition is executed first and then the shift (i ← i − 1) is applied before the next iteration.
Thus the traditional scalar multiplication decides from b_i whether a point addition is executed, and since a doubling and an addition consume different amounts of power, an attacker can mount a simple power analysis (SPA) on the key: by observing the power trace the attacker reads off the sequence of doublings and additions and from it infers the user's private key.
An atomic algorithm expresses both the doubling and the addition as atomic blocks of the same form, so that the algorithm repeatedly executes identical atomic instruction blocks and the power trace shows the same pattern, thereby resisting SPA.
Several atomic algorithms of different structure have been proposed; a survey of them shows that their atomic structures are all quite long and need many redundant operations. The method of this embodiment uses a single optimised preset atomic block for both point doubling and point addition.
In this embodiment the variable a is introduced to control how i changes while the atomic blocks execute. Point addition and point doubling execute different numbers of preset atomic blocks, and whether an addition or a doubling is performed is determined by b_i; the embodiment therefore derives a from b_i. Specifically, when a equals 1, i is shifted right by one position and execution jumps to the next doubling; when a is not 1 (i.e. a equals 0), execution stays inside the current addition or doubling and continues with the next atomic block without jumping out. The variable p is introduced to select the row of the register index matrix, whose element u*_{p,q} is the entry in row p and column q.
Specifically, in this embodiment the preset atomic block Γ can be expressed as:
$$
\Gamma:\quad
\begin{cases}
R_{u^*_{p,0}} \leftarrow R_{u^*_{p,1}} \cdot R_{u^*_{p,2}} \\
R_{u^*_{p,3}} \leftarrow R_{u^*_{p,4}} + R_{u^*_{p,5}} \\
R_{u^*_{p,6}} \leftarrow R_{u^*_{p,7}} - R_{u^*_{p,8}}
\end{cases}
\qquad (1)
$$
where u*_{p,q} is the element in row p and column q of the register index matrix and R denotes a register. In expression (1), R_{u*_{p,0}} ← R_{u*_{p,1}} · R_{u*_{p,2}} means that the value of register R_{u*_{p,1}} is multiplied by the value of register R_{u*_{p,2}} and the product is written to register R_{u*_{p,0}}.
Fig. 3 shows the flow chart of the scalar multiplication in this embodiment.
As shown in Fig. 3, in step S301 the variable p of the current iteration is computed from the variables a and p of the previous iteration, and in step S302 the variable a of the current iteration is computed from the bit b_i and the variable p of the current iteration.
Specifically, in this embodiment, when the point P of the scalar multiplication is a fixed point, the variables p and a of the current iteration are computed according to the following expression:
where b_i denotes the value of bit i of the binary representation of the integer b.
In this embodiment the variable a takes the value 0 or 1, and ā denotes the negation of a: when a is 1, ā is 0, and when a is 0, ā is 1. The expression for p means that the variable p of the previous iteration is incremented by 1, the result is multiplied by the negation ā of the previous iteration's a, and the product is assigned to the variable p of the current iteration, i.e. p ← ā · (p + 1); p therefore restarts from 0 whenever a was 1.
In this embodiment, when the point P of the scalar multiplication is a fixed point, the register index matrix has dimension 19 × 9. Specifically, the register index matrix can be expressed as:
$$
\bigl(u^*_{p,q}\bigr)_{0 \le p \le 18,\; 0 \le q \le 8} =
\begin{pmatrix}
3 & 2 & 2 & 3 & 0 & 3 & 4 & 0 & 3 \\
3 & 3 & 4 & 4 & 3 & 3 & * & * & * \\
5 & 1 & 1 & 3 & 3 & 4 & * & * & * \\
4 & 3 & 3 & 5 & 5 & 5 & * & * & * \\
0 & 0 & 5 & 6 & 0 & 0 & * & * & * \\
2 & 1 & 2 & 0 & 6 & 6 & 0 & 4 & 0 \\
5 & 5 & 5 & 2 & 5 & 2 & 5 & 6 & 0 \\
3 & 3 & 5 & 5 & 5 & 5 & 1 & 3 & 5 \\
3 & 2 & 2 & * & * & * & * & * & * \\
4 & 2 & 3 & * & * & * & * & * & * \\
6 & 6 & 3 & * & * & * & * & * & * \\
7 & 7 & 4 & * & * & * & 6 & 6 & 0 \\
2 & 2 & 6 & * & * & * & * & * & * \\
5 & 6 & 6 & * & * & * & 7 & 7 & 1 \\
6 & 5 & 6 & * & * & * & * & * & * \\
4 & 7 & 7 & * & * & * & 4 & 4 & 6 \\
5 & 0 & 5 & 3 & 5 & 5 & 0 & 4 & 3 \\
1 & 1 & 6 & * & * & * & 5 & 5 & 0 \\
5 & 7 & 5 & * & * & * & 1 & 5 & 1
\end{pmatrix}
\qquad (4)
$$
In step S303, the operations of the preset atomic block are executed according to the variable p of the current iteration obtained in step S301 and the register index matrix (an entry * in the matrix marks an operand slot of a redundant operation). In step S304 the variable i of the next iteration is computed from the variable i of the current iteration and the variable a. Once the variable i of the next iteration is known, step S305 checks whether it is greater than or equal to 0. If so, the next iteration begins (the next iteration becomes the current one) and the flow returns to step S301; otherwise the loop is left and the register contents produced by the atomic blocks are taken as the result of the scalar multiplication.
In this embodiment, when computing the b-fold point of a fixed point P, the initial value of i is set to m − 2 (m being the number of bits in the binary representation of b) and the initial value of a is set to 1. To explain the principle and advantages of the method clearly, the computation of the double 2P of a fixed point P is described below as an example.
When computing 2P (i.e. b = 2) of the fixed point P, the initial value of i is 0 and the initial value of a is set to 1. Using the register index matrix above, the computation of 2P can be expressed as in Table 1:
Table 1
In Table 1, the operations that are not listed in each preset atomic block are redundant operations. As can be seen from Table 1, the double P'(X_2, Y_2, Z_2) of P(X_1, Y_1, Z_1) is obtained by executing 8 preset atomic blocks.
When the point addition of a fixed point P(X_1, Y_1, Z_1) and a point Q(X_2, Y_2, Z_2) is performed, the initial value of i is 0 and the initial value of a is set to 1. Using the register index matrix above, the computation of P + Q can be expressed as in Table 2:
Table 2
In Table 2, the operations that are not listed in each preset atomic block are redundant operations. As can be seen from Table 2, the sum of P(X_1, Y_1, Z_1) and Q is obtained by executing 11 preset atomic blocks.
It follows that in the method of this embodiment, whether a point addition or a point doubling is carried out during the scalar multiplication, the procedure is always the same: cycle through the operations of the preset atomic block as directed by the register index matrix. This not only lets the key-dependent computation resist power analysis effectively, it also shortens the atomic block relative to conventional atomic-block methods and reduces the number of atomic block iterations.
The preset atomic block of this embodiment has the modular multiply-add-subtract (MUL-ADD-SUB) structure. Because SM2 is defined over a specially chosen elliptic curve, this block simplifies the intermediate computations of doubling and addition. The block also allows the intermediate steps to be reordered and grouped, and dummy operations can be inserted, to raise the resistance of the cipher to power analysis further.
In this embodiment, when the point P of the scalar multiplication is not a fixed point, the variables p and a of the current iteration are computed according to the following expression:
In that case the register index matrix has dimension 24 × 9. Specifically, the register index matrix is:
$$
\bigl(u^*_{p,q}\bigr)_{0 \le p \le 23,\; 0 \le q \le 8} =
\begin{pmatrix}
3 & 2 & 2 & 3 & 0 & 3 & 4 & 0 & 3 \\
3 & 3 & 4 & 4 & 3 & 3 & * & * & * \\
5 & 1 & 1 & 3 & 3 & 4 & * & * & * \\
4 & 3 & 3 & 5 & 5 & 5 & * & * & * \\
0 & 0 & 5 & 6 & 0 & 0 & * & * & * \\
2 & 1 & 2 & 0 & 6 & 6 & 0 & 4 & 0 \\
5 & 5 & 5 & 2 & 2 & 2 & 5 & 6 & 0 \\
3 & 3 & 5 & 5 & 5 & 5 & 1 & 3 & 5 \\
3 & 2 & 2 & * & * & * & * & * & * \\
4 & 8 & 8 & * & * & * & * & * & * \\
5 & 3 & 6 & * & * & * & * & * & * \\
0 & 4 & 0 & * & * & * & 5 & 5 & 0 \\
3 & 3 & 2 & * & * & * & * & * & * \\
4 & 4 & 8 & * & * & * & * & * & * \\
2 & 2 & 8 & * & * & * & * & * & * \\
2 & 2 & 5 & * & * & * & * & * & * \\
6 & 5 & 5 & * & * & * & * & * & * \\
5 & 6 & 5 & * & * & * & * & * & * \\
6 & 0 & 6 & 8 & 6 & 5 & * & * & * \\
3 & 3 & 7 & 8 & 8 & 6 & * & * & * \\
4 & 4 & 1 & * & * & * & 3 & 3 & 4 \\
0 & 3 & 3 & * & * & * & 3 & 3 & 4 \\
5 & 5 & 4 & * & * & * & 6 & 6 & 0 \\
6 & 3 & 6 & * & * & * & 1 & 6 & 5
\end{pmatrix}
\qquad (7)
$$
When P is not a fixed point, a point doubling requires 8 atomic block executions and a point addition requires 16. Since 16 and 8 are both multiples of 8, one embodiment of the invention nests a for loop of period 8 inside the main loop of the scalar multiplication. The for loop is then treated as a new atomic block Γ', and the change of i is controlled through the variables p and a: one Γ' is executed when b_i is 0 and three Γ' when b_i is 1, i.e. a doubling executes Γ' once and a point addition executes Γ' twice. With the same security as the method above, this further reduces the number of times p, a and i are updated, and so further improves the efficiency of the public key operations built on scalar multiplication (signature generation, signature verification and so on).
Specifically, as shown in Fig. 4, when the point P of the doubling or addition is not a fixed point, step S401 first computes the variable p of the current iteration from the variables a (initial value 1) and p of the previous iteration, and step S402 computes the variable a of the current iteration from the bit b_i and the variable p of the current iteration.
In this embodiment the variables p and a of the current iteration are computed according to the following expression:
Then, in step S403, the operations of the preset atomic block are executed according to the variable p of the current iteration and the register index matrix. Here the preset atomic block is expressed as:
$$
\Gamma:\quad
\begin{cases}
R_{u^*_{p+j,0}} \leftarrow R_{u^*_{p+j,1}} \cdot R_{u^*_{p+j,2}} \\
R_{u^*_{p+j,3}} \leftarrow R_{u^*_{p+j,4}} + R_{u^*_{p+j,5}} \\
R_{u^*_{p+j,6}} \leftarrow R_{u^*_{p+j,7}} - R_{u^*_{p+j,8}}
\end{cases}
\qquad (10)
$$
In step S404 the variable j is incremented, j ← j + 1. In step S405 it is then checked whether the value of j lies in a first preset range; in this embodiment this means checking whether j ∈ [0, 7] holds. If j is in the range, the flow returns to step S403 for the next inner iteration; otherwise, in step S406, the variable i of the next iteration is computed from the variable i of the current iteration and the variable a.
In this embodiment the variable i of the next iteration is computed according to:
i ← i − a (11)
In step S407 it is then checked whether the variable i of the next iteration is greater than or equal to 0; if so, the next iteration repeats the above process, otherwise the result of the scalar multiplication is read from the registers filled in step S403.
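The two loops above, as an added example that is not the patent's code: the Python below drives one MUL-ADD-SUB atomic block from a register index matrix with the variables p, a and i as the flow charts describe. With group=1 it steps p one row at a time (the Fig. 3 loop); with group=8 it runs the eight-row inner loop over j (the Fig. 4 loop). Assumptions: MATRIX is my own 24-row schedule for Jacobian doubling (8 blocks) and general Jacobian addition (16 blocks) on a curve with a = −3, not the patent's 19 × 9 or 24 × 9 matrix; the update rules p ← ā · (p + step) and "a = 1 on the last block of the current bit" are my reading of the text, since the expressions themselves are not reproduced on this page; the curve constants are the published SM2 parameters; the affine double-and-add at the end is an independent reference used only to check the result. Python integer arithmetic is not constant-time, so the block demonstrates the uniform operation sequence and the block counts, not a leakage-free implementation.

```python
# Added example (not the patent's code).  SM2 curve constants, assumed from the
# published standard; MATRIX is my own register schedule, not the patent's.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

D = 7  # scratch register: a (D, D, D) slot is a redundant op kept for a uniform trace
# One row = one atomic block: R[c0]=R[c1]*R[c2]; R[c3]=R[c4]+R[c5]; R[c6]=R[c7]-R[c8] (mod P).
# Rows 0-7 double (R0,R1,R2); rows 8-23 add (R0,R1,R2)+(R8,R9,R10); Jacobian, a = -3.
MATRIX = [
    (3, 2, 2, 4, 0, 3, 3, 0, 3),    # R3=Z^2        R4=X+Z^2       R3=X-Z^2
    (3, 3, 4, 4, 3, 3, D, D, D),    # R3=X^2-Z^4    R4=2*R3
    (5, 1, 1, 3, 3, 4, D, D, D),    # R5=Y^2        R3=M=3(X^2-Z^4)
    (4, 3, 3, 5, 5, 5, D, D, D),    # R4=M^2        R5=2Y^2
    (0, 0, 5, 6, 0, 0, D, D, D),    # R0=2XY^2      R6=S=4XY^2
    (2, 1, 2, 0, 6, 6, 0, 4, 0),    # R2=YZ         R0=2S          R0=X3=M^2-2S
    (5, 5, 5, 2, 2, 2, 6, 6, 0),    # R5=4Y^4       R2=Z3=2YZ      R6=S-X3
    (3, 3, 6, 5, 5, 5, 1, 3, 5),    # R3=M(S-X3)    R5=8Y^4        R1=Y3
    (3, 10, 10, D, D, D, D, D, D),  # R3=Z2^2
    (4, 3, 10, D, D, D, D, D, D),   # R4=Z2^3
    (3, 3, 0, D, D, D, D, D, D),    # R3=U1=X1*Z2^2
    (4, 4, 1, D, D, D, D, D, D),    # R4=S1=Y1*Z2^3
    (5, 2, 2, D, D, D, D, D, D),    # R5=Z1^2
    (6, 5, 2, D, D, D, D, D, D),    # R6=Z1^3
    (5, 5, 8, D, D, D, 5, 5, 3),    # R5=U2=X2*Z1^2                R5=H=U2-U1
    (6, 6, 9, D, D, D, 6, 6, 4),    # R6=S2=Y2*Z1^3                R6=R=S2-S1
    (2, 2, 10, D, D, D, D, D, D),   # R2=Z1*Z2
    (2, 2, 5, D, D, D, D, D, D),    # R2=Z3=Z1*Z2*H
    (0, 5, 5, D, D, D, D, D, D),    # R0=H^2
    (1, 0, 5, D, D, D, D, D, D),    # R1=H^3
    (3, 3, 0, 0, 3, 3, D, D, D),    # R3=U1*H^2     R0=2*U1*H^2
    (5, 6, 6, 0, 0, 1, 0, 5, 0),    # R5=R^2        R0=R0+H^3      R0=X3=R^2-R0
    (1, 4, 1, D, D, D, 3, 3, 0),    # R1=S1*H^3                    R3=U1*H^2-X3
    (3, 6, 3, D, D, D, 1, 3, 1),    # R3=R*(U1H^2-X3)              R1=Y3
]
DBL_ROWS, ADD_ROWS = 8, 16

def atomic_block(reg, row):
    """Gamma: exactly one modular multiplication, one addition, one subtraction."""
    d0, s1, s2, d3, s4, s5, d6, s7, s8 = row
    reg[d0] = reg[s1] * reg[s2] % P
    reg[d3] = (reg[s4] + reg[s5]) % P
    reg[d6] = (reg[s7] - reg[s8]) % P

def scalar_mul(b, point, group=1):
    """Return ([b]point in affine, number of atomic blocks executed), b >= 1.
    group=1: one row per iteration (Fig. 3).  group=8: eight rows per p (Fig. 4)."""
    x, y = point
    reg = [x, y, 1, 0, 0, 0, 0, 0, x, y, 1]   # acc=(X,Y,Z)=P; R8..R10 = P with Z2=1
    bits = bin(b)[2:]
    m = len(bits)
    i, a, p, count = m - 2, 1, 0, 0            # the top bit is consumed by acc = P
    while i >= 0:
        b_i = int(bits[m - 1 - i])
        p = (1 - a) * (p + group)              # p <- not(a)*(p+step): row 0 after each bit
        a = int(p == DBL_ROWS - group + ADD_ROWS * b_i)  # 1 on the last block of this bit
        for j in range(group):
            atomic_block(reg, MATRIX[p + j])
        count += group
        i -= a                                 # i <- i - a
    return to_affine(reg[0], reg[1], reg[2]), count

def to_affine(X, Y, Z):
    zi = pow(Z, -1, P)
    return X * zi * zi % P, Y * zi * zi * zi % P

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def affine_add(p1, p2):
    """Independent reference: textbook affine group law (None = point at infinity)."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def affine_mul(b, point):
    acc = None
    for bit in bin(b)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, point)
    return acc

if __name__ == "__main__":
    k = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    pt, blocks = scalar_mul(k, G, group=8)
    print(blocks, "atomic blocks; matches reference:", pt == affine_mul(k, G) and on_curve(pt))
```

Both loop shapes return the same point and the same block count for a given scalar: 8 blocks for every zero bit and 24 for every one bit below the leading bit, which is the count the Γ' discussion gives (one Γ' for a doubling, two more for an addition). The schedule does not handle the exceptional cases of the addition formula (accumulator equal to ±Q, where H = 0), which do not arise for the scalars used in the check.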
As can be seen from foregoing description, Atomic arithmetic concept combines with the particularity of SM2 by the anti-power consumption attack method of key provided by the present invention, optimize an add operation and doubly point operation equiscalar take advantage of the flow process of operation, control the inner loop of scalar multiplication by introducing relevant variable, scalar multiplication is converted to the atomic block circulation that mould takes advantage of-Jia-be kept to a group.
Compare existing Atomic arithmetic, method provided by the present invention makes each atomic block operate and saves process of once negating, and register index matrix is optimized for 19 × 9 or 24 × 9 rank by 26 × 10 rank.So also just greatly save the operand required for scalar multiplication, not only ensure that the fail safe of key, also improve the arithmetic speed of SM2 algorithm.
In existing SM2 endorsement method, generate in the process of digital signature and need to calculate s according to following expression:
s=[(1+d A) -1·(k-r·d A)]mod n (12)
Wherein, d arepresent the private key of user A, r represents known variables, and k represents random number, and n represents the rank of basic point.
As can be seen from expression formula (12), in existing SM2 signature algorithm, when generating the s in digital signature (r, s), need to perform mould and take advantage of rd a.And large digital-to-analogue is taken advantage of and will be related to a large amount of intermediate data, assailant also just can release and known variables d according to known variables r is counter arelevant intermediate data, then just can determine private key d by the correlation analyzed between power consumption and intermediate data a, this is differential power attack DPA.
The essence that this method is attacked is attacked multiplier, and for preventing this attack, someone proposes a kind of safeguard procedures of known variables r being carried out to mask.Particularly, the method, when generating the s in digital signature (r, s), first gets random number rand, calculates the inverse rand' of random number rand under mould n subsequently.Calculate variable t again 1=rrand mod n, and then according to variable t 1calculate variable t 2=t 1d amod n, finally calculates t=t 2rand'mod n=rd amod n.
Because rand is random number, each mask is all random, therefore compared to original account form (i.e. t=rd amod n), the variable r originally determined successfully is covered.The energy ezpenditure so also coming in analog chip with regard to making assailant cannot set up suitable power consumption model, thus opposing is attacked.But this method needs extra generation random number rand, and increase is once inverted and twice mould is taken advantage of, and this needs to pay a high price on operating time and resource consumption.
This is to the above-mentioned problems in the prior art, and the method for the anti-power consumption attack of the key that the present embodiment provides is improved the process generating digital signature (r, s).Particularly, as shown in Figure 5, in the present embodiment, generate digital signature time, first in step S501 by signature information M and the first Hash Value Z asplicing, forms message namely have:
M ‾ = Z A | | M - - - ( 13 )
In step S502, combining cipher hash function H vgenerate variable e, namely have:
e = H v ( M ‾ ) - - - ( 14 )
In the present embodiment, in step S502, the data type conversion of the variable e also expression formula (14) obtained is integer.
In step S503, a random number generator is used to generate a random number k with k ∈ [1, n−1]. The k-fold point [k]G of the base point G on the elliptic curve is then determined from k. In this embodiment the preset atomic block is used to compute [k]G. In other embodiments of the invention any other reasonable method (for example an existing point-multiplication method) may be used to compute [k]G; the invention is not limited in this respect.
In step S503, after [k]G has been computed, its data type is also converted to an integer. Then, in step S504, the variable r of the signature is generated from the variable e and [k]G.
Specifically, in this embodiment the variable r of the signature is generated according to the following expression:
$$r = (e + x_1) \bmod n \qquad (15)$$
where x_1 is the x-coordinate of the k-fold point [k]G of the base point G.
In this embodiment, after r has been generated, step S505 also checks whether r = 0 or r + k = n. If either condition holds, the method returns to step S503 to generate a new random number k and regenerates r from the new k.
In step S506, s is generated from the variable r, the random number k and the private key d_A of user A. Although the existing masking method for generating s does hide r, it needs an extra random number together with an extra inversion and extra modular multiplications, so its running time is long and its resource consumption is excessive.
By analysing the existing way of generating s, this embodiment provides a new one. Specifically, when generating s, the existing expression s = [(1 + d_A)^{-1}·(k − r·d_A)] mod n is transformed so that the transformed expression no longer contains the attackable multiplier r·d_A. An attacker can therefore no longer mount a differential power attack against r·d_A.
Specifically, in this embodiment the multiplication is split into two factors: d_A is written as (1 + d_A − 1), the factorisation is continued using (1 + d_A)^{-1}·(1 + d_A) ≡ 1 to cancel that factor, and finally the terms sharing a common factor are merged. The result is a transformed expression, equivalent to the original one, that does not contain the multiplier r·d_A:
$$\begin{aligned}
s &= \left[(1+d_A)^{-1}\cdot(k - r\cdot d_A)\right] \bmod n \\
  &= \left[(1+d_A)^{-1}\cdot k - (1+d_A)^{-1}\cdot r\cdot d_A\right] \bmod n \\
  &= \left[(1+d_A)^{-1}\cdot k - (1+d_A)^{-1}\cdot r\cdot(1 + d_A - 1)\right] \bmod n \\
  &= \left[(1+d_A)^{-1}\cdot k - (1+d_A)^{-1}\cdot r\cdot(1+d_A) + (1+d_A)^{-1}\cdot r\right] \bmod n \\
  &= \left[(1+d_A)^{-1}\cdot k + (1+d_A)^{-1}\cdot r - r\right] \bmod n \\
  &= \left[(1+d_A)^{-1}\cdot(k + r) - r\right] \bmod n \qquad (16)
\end{aligned}$$
In this embodiment, step S507 also checks whether the generated s equals 0. If s = 0, the method returns to step S503 to regenerate the random number k and generates r and s with the new k. If s ≠ 0, step S508 converts the data types of r and s to strings, giving the signature (r, s) of the message M.
As the description above shows, the expression used to generate s in this embodiment no longer contains the attackable multiplier r·d_A, which further improves the key's resistance to power analysis. At the same time, generating s with the method of this embodiment requires only one inversion and one modular multiplication; compared with the original algorithm it saves one modular multiplication, so it not only achieves resistance to power analysis but also improves the running speed.
It should be understood that the disclosed embodiments of the invention are not limited to the processing steps disclosed herein, and extend to equivalents of these features as understood by those of ordinary skill in the art. It should also be understood that the terminology used herein is only for describing particular embodiments and is not intended to be limiting.
"An embodiment" or "embodiments" mentioned in the specification means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Therefore, the phrase "an embodiment" or "embodiments" appearing in various places of the specification does not necessarily refer to the same embodiment.
For convenience, multiple items and/or constituent units may be listed together in a common list. However, such a list should be interpreted as though each element in the list is individually identified as a separate and unique member. Therefore, unless indicated otherwise, no member of such a list should be construed as the de facto equivalent of any other member of the same list solely because they appear in a common list.
Although the above examples illustrate the principles of the invention in one or more applications, a person skilled in the art may make various modifications to the form, details of use and implementation without creative effort and without departing from the principles and spirit of the invention. The invention is therefore defined by the appended claims.

Claims (12)

1. A key anti-power-analysis method, characterized in that the method comprises:
using a preset atomic block to perform the point doubling and/or point addition operations in a scalar multiplication, wherein the preset atomic block comprises a modular multiplication, an addition and a subtraction.
2. The method of claim 1, characterized in that the preset atomic block comprises one modular multiplication, one addition and one subtraction.
3. The method of claim 1 or 2, characterized in that the preset atomic block is:
$$\Gamma:\quad R_{u_{p,0}} \leftarrow R_{u_{p,1}} \cdot R_{u_{p,2}};\qquad R_{u_{p,3}} \leftarrow R_{u_{p,4}} + R_{u_{p,5}};\qquad R_{u_{p,6}} \leftarrow R_{u_{p,7}} - R_{u_{p,8}}$$
where Γ is the preset atomic block, u_{p,q} denotes the element in row p and column q of the register index matrix, and R denotes a register.
4. The method of claim 3, characterized in that:
when the point P undergoing the scalar multiplication is a fixed point, the register index matrix of the preset atomic block has dimension 19 × 9;
when the point P undergoing the scalar multiplication is a non-fixed point, the register index matrix of the preset atomic block has dimension 24 × 9.
5. the method according to any one of Claims 1 to 4, is characterized in that, carries out, in the process of key related operations, comprising in the step of carrying out scalar multiplication operation:
According to variable a and the variable p of last circulation, calculate the variable p of previous cycle;
According to variable b iwith the variable p of previous cycle, calculate the variable a of previous cycle;
According to variable p and the register index matrix of previous cycle, perform the operation preset in atomic block;
Variable i of next circulation is calculated according to the variable i of previous cycle and variable a;
Judge whether next variable i circulated is more than or equal to 0, if so, then repeat above process, otherwise obtain scalar multiplication operating result according to the execution result of default atomic block.
6. method as claimed in claim 5, is characterized in that, in the process of carrying out scalar multiplication operation, when the some P carrying out scalar multiplication operation is fixing point, calculates variable p and the variable a of previous cycle according to following expression:
Wherein, b irepresent the value of i-th of the binary number corresponding to integer b.
7. the method as described in claim 5 or 6, is characterized in that, in the process of carrying out scalar multiplication operation, when the some P carrying out scalar multiplication operation is on-fixed point, calculates variable p and the variable a of previous cycle according to following expression:
Wherein, b irepresent the value of i-th of the binary number corresponding to integer b.
8. The method according to any one of claims 1 to 7, characterized in that, when the point P undergoing the scalar multiplication is a non-fixed point, the scalar multiplication comprises:
computing the variable p of the current cycle from the variable a and the variable p of the previous cycle;
computing the variable a of the current cycle from the variable b_i and the variable p of the current cycle;
while the variable j lies in a first preset range, repeatedly:
performing the operations in the preset atomic block according to the variable p of the current cycle and the register index matrix;
adding 1 to the variable j and entering the next iteration;
computing the variable i of the next cycle from the variable i and the variable a of the current cycle;
judging whether the variable i of the next cycle is greater than or equal to 0; if so, repeating the above process, otherwise obtaining the scalar multiplication result from the operation result of the preset atomic block.
9. The method of claim 8, characterized in that, in the course of the scalar multiplication, when the point P undergoing the scalar multiplication is a non-fixed point, the variable p and the variable a of the current cycle are computed according to the following expression:
where b_i denotes the value of the i-th bit of the binary representation of the integer b.
10. The method according to any one of claims 1 to 9, characterized in that, in the process of generating a digital signature, the method generates the variable s of the digital signature according to the following expression:
$$s = \left[(1 + d_A)^{-1}\cdot(k + r) - r\right] \bmod n$$
where d_A is the private key of user A, r denotes a known variable, k denotes a random number, and n denotes the order of the base point.
11. The method of claim 10, characterized in that, if the generated s equals 0, a new random number is generated and s is generated from the new random number.
12. The method of claim 10 or 11, characterized in that the step of generating the variable r of the digital signature comprises:
concatenating the message M to be signed with the first hash value Z_A and generating the variable e with the cryptographic hash function H_v;
determining the k-fold point of the base point G on the elliptic curve from the random number k;
generating the variable r of the digital signature from the variable e and the k-fold point of the base point G.
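The following is an added example, not code from the patent or its authors, covering both the signing procedure of steps S501 to S508 (with the transformed expression (16) for s) and the atomic scalar multiplication of claims 3 to 6 for the fixed-point case. It assumes the public sm2p256v1 curve constants, uses SHA-256 as a stand-in for SM3 (Python's hashlib has no portable SM3), and fills the 19 × 9 register index matrix with a schedule of this example's own: rows 0 to 7 double a Jacobian point in place, rows 8 to 18 add the fixed affine point, and each row is one block Γ of exactly one modular multiplication, one addition and one subtraction, with dummy registers absorbing the operations a row does not need. The loop variables p, a, i and b_i follow the structure of claim 5; the concrete update rules are this example's reading of it, since the patent's own expressions are not reproduced on this page.

```python
# Added example, not the patent's code. Assumptions: the row schedule is this example's own,
# SHA-256 stands in for SM3, and the curve constants are the public sm2p256v1 parameters.
import hashlib
import secrets

P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3                   # a = -3, so doubling can use M = 3(X - Z^2)(X + Z^2)
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

# Register index matrix: row p = (u_p,0 .. u_p,8) drives one atomic block Gamma:
#   R[u0] <- R[u1]*R[u2];  R[u3] <- R[u4]+R[u5];  R[u6] <- R[u7]-R[u8]   (all mod p)
# Rows 0-7 double (X1,Y1,Z1) in Jacobian coordinates in place; rows 8-18 add the affine
# point (X2,Y2). "D" is a dummy register, "O" holds zero: filler that keeps blocks identical.
ROWS = [
    ("T0","Z1","Z1", "T2","X1","T0", "T1","X1","T0"),  # Z^2, X+Z^2, X-Z^2
    ("T3","Y1","Y1", "T3","T3","T3", "D","D","D"),     # 2Y^2
    ("T1","T1","T2", "T2","T1","T1", "D","D","D"),     # (X-Z^2)(X+Z^2), doubled
    ("T4","X1","T3", "T1","T2","T1", "D","D","D"),     # 2XY^2, M = 3(X-Z^2)(X+Z^2)
    ("T2","T1","T1", "T4","T4","T4", "T2","T2","T4"),  # M^2, S = 4XY^2, M^2-S
    ("T3","T3","T3", "T3","T3","T3", "T2","T2","T4"),  # 8Y^4, X3 = M^2-2S
    ("T5","Y1","Z1", "Z1","T5","T5", "T4","T4","T2"),  # Z3 = 2YZ, S-X3
    ("T4","T1","T4", "X1","T2","O",  "Y1","T4","T3"),  # Y3 = M(S-X3)-8Y^4
    ("T0","Z1","Z1", "D","D","D",    "D","D","D"),     # Z1^2
    ("T1","T0","Z1", "D","D","D",    "D","D","D"),     # Z1^3
    ("T0","X2","T0", "D","D","D",    "T0","T0","X1"),  # U2 = X2*Z1^2, H = U2-X1
    ("T1","Y2","T1", "D","D","D",    "T1","T1","Y1"),  # S2 = Y2*Z1^3, R = S2-Y1
    ("T2","T0","T0", "D","D","D",    "D","D","D"),     # H^2
    ("T4","T1","T1", "D","D","D",    "D","D","D"),     # R^2
    ("T3","T0","T2", "D","D","D",    "T4","T4","T3"),  # H^3, R^2-H^3
    ("T2","X1","T2", "D","D","D",    "T4","T4","T2"),  # V = X1*H^2, R^2-H^3-V
    ("Z1","Z1","T0", "D","D","D",    "T4","T4","T2"),  # Z3 = Z1*H, X3 = R^2-H^3-2V
    ("T3","Y1","T3", "D","D","D",    "T2","T2","T4"),  # Y1*H^3, V-X3
    ("T2","T1","T2", "X1","T4","O",  "Y1","T2","T3"),  # Y3 = R(V-X3)-Y1*H^3
]
N_DBL, N_TOT = 8, len(ROWS)

def atomic_block(r, row):
    m, m1, m2, a, a1, a2, s, s1, s2 = row
    r[m] = r[m1] * r[m2] % P              # one modular multiplication
    r[a] = (r[a1] + r[a2]) % P            # one addition
    r[s] = (r[s1] - r[s2]) % P            # one subtraction

def scalar_mult(b, Q):
    """[b]Q for 1 <= b < n and affine Q, as a single loop of identical atomic blocks."""
    assert 1 <= b < N
    r = dict.fromkeys(("T0", "T1", "T2", "T3", "T4", "T5", "D", "O"), 0)
    r.update(X1=Q[0], Y1=Q[1], Z1=1, X2=Q[0], Y2=Q[1])
    i, p, a = b.bit_length() - 2, -1, 0   # the top bit is consumed by starting at R = Q
    while i >= 0:
        p = 0 if a else p + 1             # row pointer from (a, p) of the previous cycle
        bi = (b >> i) & 1                 # b_i: the i-th bit of the scalar
        a = int((p == N_DBL - 1 and bi == 0) or p == N_TOT - 1)  # last row for bit i?
        atomic_block(r, ROWS[p])
        i -= a                            # next i from (i, a)
    zi = pow(r["Z1"], -1, P)
    return (r["X1"] * zi * zi % P, r["Y1"] * zi * zi * zi % P)

def affine_add(P1, P2):
    """Plain affine addition for the verifier's sG + tP; None is the point at infinity."""
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def z_a(ident, pub):
    """Z_A = H(ENTL || ID || a || b || xG || yG || xA || yA), SHA-256 standing in for SM3."""
    entl = (len(ident) * 8).to_bytes(2, "big")
    words = b"".join(v.to_bytes(32, "big") for v in (A, B, G[0], G[1], pub[0], pub[1]))
    return hashlib.sha256(entl + ident + words).digest()

def hash_e(za, msg):                      # e = H_v(Z_A || M) as an integer (S501, S502)
    return int.from_bytes(hashlib.sha256(za + msg).digest(), "big")

def sign(d, za, msg, rng=secrets.randbelow):
    e = hash_e(za, msg)
    while True:
        k = rng(N - 1) + 1                # S503: k in [1, n-1]
        x1, _ = scalar_mult(k, G)         # [k]G through the atomic loop
        r = (e + x1) % N                  # S504, expression (15)
        if r == 0 or r + k == N:          # S505
            continue
        s = (pow(1 + d, -1, N) * (k + r) - r) % N   # S506, expression (16): no r*d_A product
        if s != 0:                        # S507
            return r, s

def verify(pub, za, msg, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or (r + s) % N == 0:
        return False
    R = affine_add(scalar_mult(s, G), scalar_mult((r + s) % N, pub))
    return R is not None and (hash_e(za, msg) + R[0]) % N == r
```

Two things are worth checking when reading the block. First, what the atomicity buys: every iteration of `scalar_mult` executes the same (mul, add, sub) pattern, so the trace shows only a run of identical blocks; what still depends on the scalar is the index arithmetic on p, a and i, which on real hardware has to be implemented without data-dependent branches or timing, and that is the part this software model does not protect. Second, what expression (16) buys: `sign` computes s with one inversion and one multiplication and never forms the product r·d_A that the masked prior-art method had to hide, but the nonce k and the scalar multiplication [k]G remain the other classical targets, which is why the patent pairs the transformed s with the atomic loop.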

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510256515.2A CN104917608B (en) 2015-05-19 2015-05-19 A kind of method of the anti-power consumption attack of key

Publications (2)

Publication Number Publication Date
CN104917608A true CN104917608A (en) 2015-09-16
CN104917608B CN104917608B (en) 2018-04-20

Family

ID=54086340

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510256515.2A Active CN104917608B (en) 2015-05-19 2015-05-19 A kind of method of the anti-power consumption attack of key

Country Status (1)

Country Link
CN (1) CN104917608B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106712949A (en) * 2015-11-12 2017-05-24 中国科学院声学研究所 Montgomery-based piecewise scalar multiplication calculation method
CN109214195A (en) * 2018-07-26 2019-01-15 广东工业大学 SM2 elliptic curve signature and verification hardware system and method resisting differential power analysis attacks
CN109600232A (en) * 2018-12-05 2019-04-09 北京智慧云测科技有限公司 Attack verification and protection method and device for the SM2 signature algorithm
CN110022210A (en) * 2019-03-28 2019-07-16 思力科(深圳)电子科技有限公司 Signature and verification method based on elliptic curve cryptography, signing end and verifying end
CN111211886A (en) * 2020-04-20 2020-05-29 成都信息工程大学 Energy analysis detection method for SM2 decryption algorithm
CN112131616A (en) * 2020-09-15 2020-12-25 郑州信大捷安信息技术股份有限公司 Mask operation method and device for SM2 algorithm
CN113225187A (en) * 2021-04-14 2021-08-06 中国人民解放军战略支援部队信息工程大学 Energy attack resisting compensation method and system for elliptic curve crypto chip

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010002486A1 (en) * 1998-01-02 2001-05-31 Cryptography Research, Inc. Leak-resistant cryptographic method and apparatus
CN1831754A (en) * 2005-11-04 2006-09-13 北京浦奥得数码技术有限公司 Elliptic curve cipher system and implementing method
CN101436929A (en) * 2008-12-18 2009-05-20 天津大学 Point operation method capable of resisting simple power attacks
CN101562522A (en) * 2009-05-06 2009-10-21 深圳先进技术研究院 Realization method of elliptic curve cryptosystem for preventing side-channel attack

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Benoît Chevallier-Mames et al.: "Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity", IEEE Transactions on Computers *
Xiaowei Han et al.: "Algorithm-Based Countermeasures against Power Analysis Attacks for Public-Key Cryptography SM2", Computational Intelligence and Security (CIS), 2014 Tenth International Conference on *
王宏 et al.: "基于边信道原子的椭圆曲线标量乘算法" (Elliptic curve scalar multiplication algorithm based on side-channel atomicity), 电子科技 *

Also Published As

Publication number Publication date
CN104917608B (en) 2018-04-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant