CN113660087B - SM9 identification cipher algorithm hardware realization system based on finite field - Google Patents


Info

Publication number: CN113660087B (granted patent); earlier publication CN113660087A
Application number: CN202110763602.2A
Authority: CN (China)
Language: Chinese (zh)
Inventor: 陈华锋
Assignee (original and current): Zhejiang University of Media and Communications
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: module, algorithm, domain, calculation, function


Classifications

    • H04L9/3073: Electricity > Electric communication technique > Transmission of digital information, e.g. telegraphic communication > Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > Public key (encryption algorithm computationally infeasible to invert, or user's encryption keys not requiring secrecy) > involving algebraic varieties, e.g. elliptic or hyper-elliptic curves > involving pairings, e.g. identity-based encryption [IBE], bilinear mappings or bilinear pairings such as the Weil or Tate pairing
    • H04L9/0869: Electricity > Electric communication technique > Transmission of digital information, e.g. telegraphic communication > Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > Key distribution or management, e.g. generation, sharing or updating of cryptographic keys or passwords > Generation of secret information including derivation or calculation of cryptographic keys or passwords > involving random numbers or seeds

Abstract

The application belongs to the field of information security and discloses a hardware implementation system for the SM9 identity-based cryptographic algorithm over finite fields. The system comprises a register module, a data path module, a bottom-layer control module, a memory module, an auxiliary function module, a random number module and an algorithm function module. The low-level arithmetic is designed modularly, offers multiple operations with flexible interfaces and, besides supporting the upper-layer SM9 operations, can support the core operation steps of the SM2 algorithm, ECDSA and other public-key algorithms. Every operation step is implemented in hardware; the total area is small while high throughput is maintained, and performance is greatly improved over a software implementation.

Description

SM9 identification cipher algorithm hardware realization system based on finite field
Technical Field
The application belongs to the field of information security and in particular relates to a hardware implementation system for the SM9 identity-based cryptographic algorithm over finite fields.
Background
The concept of identity-based cryptography was first proposed in 1984. In an identity-based scheme the user's private key is computed by a key generation center (KGC) from a master key and the user's identity, and the user's public key is uniquely determined by that identity, so the authenticity of the public key need not be vouched for by a third party. (The KGC can therefore derive every user's private key and must be trusted accordingly; this is inherent to the approach.) The Chinese national cryptographic standard SM9 is a public-key algorithm built on elliptic-curve pairings. Its security rests on the bilinearity of the pairing: as long as the elliptic-curve discrete logarithm problem and the discrete logarithm problem in the extension field are sufficiently hard, pairings allow an identity-based algorithm that is both secure and efficient to implement.
As a pairing-based public-key algorithm, SM9 dispenses with third-party certificate authentication while providing high security. However, it involves elliptic-curve and finite-field arithmetic, so its computational complexity is high and its computation slow, which restricts its application. Increasing the operating speed of SM9 is therefore important.
Disclosure of Invention
To solve these problems, the application designs a finite-field-based hardware implementation system for the SM9 identity-based cryptographic algorithm that follows the national SM9 standard and achieves fast SM9 computation. The specific technical scheme is as follows:
the hardware implementation system comprises a register module, a data path module, a bottom-layer control module, a memory module, an auxiliary function module, a random number module and an algorithm function module;
the register module reads the user's configuration and control information;
the data path module performs the operations on the data taking part in a computation: it moves data between the registers and the memory (writing data from the registers into the memory and reading it back) and performs simple operations on that data; the initial parameters, identities and plaintext written into the registers by the user are transferred to the memory through the data path module;
the memory module stores all operation data, including the initial parameters, intermediate values and results;
the bottom-layer control module invokes the bottom-layer algorithm modules to complete the finite-field computations, elliptic-curve computations and encryption operations;
the auxiliary function module implements the cryptographic functions H1/H2 and the key derivation function KDF of the SM9 algorithm, the KDF producing the encryption and decryption keys;
the random number module generates the random numbers in [1, N-1] that the algorithms require, N being the order of the groups G1, G2 and GT;
the algorithm function module invokes the other modules to realize the individual algorithm functions of SM9.
Further, the register module works as follows: the user writes the control and configuration information into the register module; the register module transfers the initial parameters, identities and plaintext written by the user to the memory module and then starts the algorithm function selected by the control information; if the operation succeeds, the register module reads the result from the memory module and returns it to the user; if it fails, the register module returns a computation-failure signal to the user.
Further, the data path module can move data between different addresses in the memory, compare two data items, concatenate two data items end to end, and shift data.
Further, the bottom-layer algorithm modules comprise a bilinear pairing module, an SM3 module and an SM4 module. The bilinear pairing module provides finite-field computation, elliptic-curve computation and pairing computation. The SM3 module is a hardware implementation of the SM3 hash algorithm, used in SM9 for digital signature generation and verification and for generating and verifying message authentication codes. The SM4 module is a hardware implementation of the SM4 block cipher, used as the block-cipher option in SM9 public-key encryption and decryption.
Further, the bilinear pairing module comprises a prime-field computation module, a quadratic extension field (F_{p^2}) operation module, a quartic extension field (F_{p^4}) operation module, a twelfth-degree extension field (F_{p^12}) operation module, an F_{p^2} elliptic-curve operation module, a line function module, a final exponentiation module and a pairing computation state machine;
the prime-field computation module performs modular arithmetic in F_p and elliptic-curve point operations over F_p;
the F_{p^2} operation module implements the operations in the quadratic extension of the prime field: modular addition, subtraction, multiplication, inversion and the Frobenius map on F_{p^2} elements;
the F_{p^4} operation module implements the operations in the quartic extension of the prime field: modular addition, subtraction, multiplication, inversion and the Frobenius map on F_{p^4} elements;
the F_{p^12} operation module implements the operations in the twelfth-degree extension of the prime field: modular multiplication, inversion, exponentiation and the Frobenius map on F_{p^12} elements;
the F_{p^2} elliptic-curve operation module implements the curve operations over the quadratic extension: conversion of F_{p^2} points between affine and projective coordinates, point addition, point multiplication and the Frobenius map on F_{p^2} points;
the line function module evaluates the function $g_{U,V}(Q)$ of the R-ate pairing, i.e. the equation of the line determined by two curve points, following the definition in the SM9 standard: if $U$ and $V$ are distinct and neither is the point at infinity, the result is the line through both; if $U = V$ and it is not the point at infinity, the result is the tangent to the curve at that point; if one of the two is the point at infinity, the result is the vertical line (parallel to the y-axis) through the other point;
the final exponentiation module performs the last step of the R-ate pairing, the final exponentiation of the Miller loop output;
the pairing computation state machine controls and sequences the modules above to complete the pairing.
Further, the prime-field computation module comprises a modular addition/subtraction hardware module, a Montgomery modular multiplication hardware module, a modular inversion hardware module and a prime-field elliptic-curve module. The addition/subtraction module implements modular addition, modular subtraction and modular reduction in F_p; the Montgomery module implements modular multiplication in F_p using an optimized Montgomery multiplication algorithm; the inversion module implements modular inversion in F_p; the prime-field elliptic-curve module implements point addition, point multiplication and point validation (checking that a point lies on the curve) over F_p.
Further, the steps of the cryptographic functions H1/H2 and of the key derivation function KDF in the auxiliary function module follow the SM9 standard; H1/H2 and the KDF call the cryptographic hash function Hv(), which is provided by the SM3 module.
Further, the algorithm functions of SM9 are digital signature generation, digital signature verification, the key exchange protocol, public-key encryption and public-key decryption; each is computed according to the steps of the SM9 standard.
The finite-field-based SM9 hardware implementation system has the following advantages:
1. The low-level arithmetic is modular, offers multiple operations with flexible interfaces and, besides supporting the upper-layer SM9 operations, can support the core operation steps of SM2, ECDSA and other public-key algorithms.
2. Every operation step is implemented in hardware; the total area is small while high throughput is maintained, and performance is greatly improved over a software implementation.
Drawings
FIG. 1 is a flow chart of the SM9 digital signature generation algorithm;
FIG. 2 is a flow chart of the SM9 digital signature verification algorithm;
FIG. 3 is a flow chart of the SM9 key exchange protocol;
FIG. 4 is a flow chart of the SM9 public-key encryption algorithm;
FIG. 5 is a flow chart of the SM9 decryption algorithm;
FIG. 6 is a block diagram of the finite-field-based SM9 hardware implementation system;
FIG. 7 is the architecture of the bilinear pairing module of the application.
Detailed Description
The application is further explained with reference to a specific embodiment. It provides a finite-field-based hardware implementation system for the SM9 identity-based cryptographic algorithm that follows the national SM9 standard and achieves fast SM9 computation. The embodiment shows the architecture of such a system; it follows the SM9 standard and adopts the 256-bit BN curve and the R-ate pairing recommended by the standard.
The embodiment is described below with reference to the drawings. It is, of course, only illustrative of the application and is not intended to limit its scope.
As shown in FIG. 6, the finite-field-based SM9 hardware implementation system comprises a register module, a data path module, a bottom-layer control module, a memory module, an auxiliary function module, a random number module and an algorithm function module.
The register module reads the user's configuration and control information. The user writes control information, such as the choice of algorithm function, and configuration information, such as the data to be processed, into the register module; the register module transfers the initial parameters, identities, plaintext and other data written by the user to the memory module and then starts the selected algorithm function. If the operation succeeds, the register module reads the result from the memory module and returns it to the user; if it fails, the register module returns a computation-failure signal to the user.
The data path module performs the operations on the data taking part in a computation: it moves data between the registers and the memory (writing data from the registers into the memory and reading it back) and performs simple operations on it; the initial parameters, identities, plaintext and other data the user writes into the registers reach the memory through the data path module. The data path module can also move data between different memory addresses, compare two data items, concatenate two data items end to end, shift data, and so on.
The memory module stores all operation data, including the initial parameters, intermediate values and results.
The bottom-layer control module invokes the bottom-layer algorithm modules to complete the finite-field computations, elliptic-curve computations and encryption operations. The bottom-layer algorithm modules are the bilinear pairing module, the SM3 module and the SM4 module. The bilinear pairing module is the core computation module of SM9 and covers finite-field computation, elliptic-curve computation and pairing computation; the SM3 module is a hardware implementation of the SM3 hash algorithm, used in SM9 for digital signature generation and verification and for generating and verifying message authentication codes; the SM4 module is a hardware implementation of the SM4 block cipher, used as the block-cipher option in SM9 public-key encryption and decryption.
The bilinear pairing module implements the finite-field, elliptic-curve and pairing computations and is the core computation module of SM9. The embodiment gives the hardware architecture of this module shown in FIG. 7: it comprises a prime-field computation module, an F_{p^2} operation module, an F_{p^4} operation module, an F_{p^12} operation module, an F_{p^2} elliptic-curve operation module, a line function module, a final exponentiation module and a pairing computation state machine.
The prime-field computation module performs modular arithmetic in F_p and elliptic-curve point operations over F_p. It comprises a modular addition/subtraction hardware module, a Montgomery modular multiplication hardware module, a modular inversion hardware module and a prime-field elliptic-curve module. The addition/subtraction module implements modular addition, modular subtraction and modular reduction in F_p. The Montgomery module implements modular multiplication in F_p with an optimized Montgomery multiplication algorithm and has high throughput. The inversion module implements modular inversion in F_p. The prime-field elliptic-curve module implements point addition, point multiplication and point validation (checking that a point lies on the curve) over F_p.
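To make the prime-field module concrete, here is an added example (Python, written for this page; it is not the patent's RTL): a word-serial Montgomery multiplier for the SM9 prime field, with p and N derived from the BN parameter t by the BN formulas, modular inversion built on the multiplier alone, and the check that explains why the F_{p^2} module can use the SM9 standard's tower F_p[u]/(u^2 + 2). The value t = 0x600000000058F98A is the one listed in the SM9 parameter set; the 64-bit word width, the 4-word datapath model and the function names are assumptions for illustration.

```python
"""Added illustration (not the patent's RTL): a word-serial Montgomery multiplier for
the SM9 prime field, with p and N derived from the BN parameter t, inversion built
from the multiplier alone, and the quadratic-residue check behind the F_{p^2} tower.
Assumptions: t is the value of the SM9 parameter set; 64-bit words model a
four-word, 256-bit datapath."""

T_BN = 0x600000000058F98A                                      # SM9 BN parameter t
P = 36 * T_BN**4 + 36 * T_BN**3 + 24 * T_BN**2 + 6 * T_BN + 1  # prime field order p
N = 36 * T_BN**4 + 36 * T_BN**3 + 18 * T_BN**2 + 6 * T_BN + 1  # order N of G1, G2, GT
WORD = 64
WORDS = (P.bit_length() + WORD - 1) // WORD                    # 4 words
MASK = (1 << WORD) - 1
R_MONT = 1 << (WORD * WORDS)                                   # Montgomery radix R = 2^256
R2 = R_MONT * R_MONT % P                                       # R^2 mod p, precomputed once
N0_INV = (-pow(P, -1, 1 << WORD)) % (1 << WORD)                # -p^{-1} mod 2^64 (p is odd)

def to_words(x): return [(x >> (WORD * i)) & MASK for i in range(WORDS)]
def from_words(ws): return sum(w << (WORD * i) for i, w in enumerate(ws))

def mont_mul(a, b):
    """CIOS Montgomery product a*b*R^{-1} mod p for 0 <= a, b < p. Each pass of the
    outer loop is one multiply-accumulate row followed by one reduction row, the
    shape a hardware module pipelines; the result needs at most one subtraction of p."""
    aw, bw, pw = to_words(a), to_words(b), to_words(P)
    t = [0] * (WORDS + 2)
    for i in range(WORDS):
        carry = 0
        for j in range(WORDS):                                 # t += a * b[i]
            acc = t[j] + aw[j] * bw[i] + carry
            t[j], carry = acc & MASK, acc >> WORD
        acc = t[WORDS] + carry
        t[WORDS], t[WORDS + 1] = acc & MASK, acc >> WORD
        m = (t[0] * N0_INV) & MASK                             # t + m*p is divisible by 2^64
        carry = (t[0] + m * pw[0]) >> WORD                     # low word becomes 0, dropped
        for j in range(1, WORDS):                              # t = (t + m*p) >> 64
            acc = t[j] + m * pw[j] + carry
            t[j - 1], carry = acc & MASK, acc >> WORD
        acc = t[WORDS] + carry
        t[WORDS - 1], carry = acc & MASK, acc >> WORD
        t[WORDS] = t[WORDS + 1] + carry
    r = from_words(t[:WORDS + 1])
    return r - P if r >= P else r

def to_mont(x): return mont_mul(x % P, R2)      # x -> x*R mod p (once, at the boundary)
def from_mont(xm): return mont_mul(xm, 1)       # x*R -> x

def field_mul(a, b):
    """Ordinary product a*b mod p computed through the Montgomery domain."""
    return from_mont(mont_mul(to_mont(a), to_mont(b)))

def mont_pow(xm, e):
    """Left-to-right square-and-multiply in Montgomery form, using only the multiplier."""
    acc = to_mont(1)
    for bit in bin(e)[2:]:
        acc = mont_mul(acc, acc)
        if bit == "1": acc = mont_mul(acc, xm)
    return acc

def field_inv(a):
    """a^{-1} mod p by Fermat (a^(p-2)), so the inversion needs no extra datapath."""
    if a % P == 0: raise ZeroDivisionError("0 has no inverse in F_p")
    return from_mont(mont_pow(to_mont(a), P - 2))

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; used to confirm that p and N derived from t are prime."""
    if n < 2: return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2; s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def minus_two_is_nonresidue():
    """Euler's criterion: (-2)^((p-1)/2) = -1 mod p. The SM9 tower F_{p^2} = F_p[u]/(u^2 + 2)
    is a field only because -2 has no square root in F_p."""
    return pow(P - 2, (P - 1) // 2, P) == P - 1
```

The final conditional subtraction in mont_mul is data-dependent; a hardware or constant-time implementation performs the subtraction unconditionally and selects the result with a mask, because the branch shows up in timing and power traces. The 4x4 word loops are the point where a 256-bit datapath fixes its word width and pipelining; moving to 128-bit words halves the row count at the cost of a wider multiplier.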
The F_{p^2} operation module implements the operations in the quadratic extension of the prime field: modular addition, subtraction, multiplication, inversion and the Frobenius map on F_{p^2} elements.
The F_{p^4} operation module implements the operations in the quartic extension of the prime field: modular addition, subtraction, multiplication, inversion and the Frobenius map on F_{p^4} elements.
The F_{p^12} operation module implements the operations in the twelfth-degree extension of the prime field: modular multiplication, inversion, exponentiation and the Frobenius map on F_{p^12} elements.
The F_{p^2} elliptic-curve operation module implements the curve operations over the quadratic extension: conversion of F_{p^2} points between affine and projective coordinates, point addition, point multiplication and the Frobenius map on F_{p^2} points.
The line function module evaluates the function $g_{U,V}(Q)$ of the R-ate pairing, i.e. the equation of the line determined by two curve points, following the definition in the SM9 standard: if $U$ and $V$ are distinct and neither is the point at infinity, the result is the line through both; if $U = V$ and it is not the point at infinity, the result is the tangent to the curve at that point; if one of the two is the point at infinity, the result is the vertical line (parallel to the y-axis) through the other point.
The final exponentiation module performs the last step of the R-ate pairing, the final exponentiation of the Miller loop output.
The pairing computation state machine controls and sequences the modules above to complete the pairing.
The pairing in this embodiment is the R-ate pairing on the BN curve, computed as follows.
Let $\pi_q$ denote the Frobenius endomorphism $\pi_q : E \to E$, $\pi_q(x, y) = (x^q, y^q)$, and $\pi_{q^2} : E \to E$, $\pi_{q^2}(x, y) = (x^{q^2}, y^{q^2})$ its square.
Computation of the R-ate pair:
Input: a point $P$ over the prime field $F_p$, a point $Q$ over the quadratic extension $F_{p^2}$, and the loop parameter $a = 6t + 2$.
Output: an element $f$ of the twelfth-degree extension $F_{p^{12}}$.
Step 1: write $a$ in binary as $a = (a_{L-1} a_{L-2} \cdots a_0)_2$ with $a_{L-1} = 1$;
Step 2: set $T = Q$, $f = 1$;
Step 3: for $i$ from $L-2$ down to $0$:
a) compute $f = f^2 \cdot g_{T,T}(P)$, $T = [2]T$;
b) if $a_i = 1$, compute $f = f \cdot g_{T,Q}(P)$, $T = T + Q$;
Step 4: compute $Q_1 = \pi_q(Q)$, $Q_2 = \pi_{q^2}(Q)$;
Step 5: compute $f = f \cdot g_{T,Q_1}(P)$, $T = T + Q_1$;
Step 6: compute $f = f \cdot g_{T,-Q_2}(P)$, $T = T - Q_2$;
Step 7: apply the final exponentiation to $f$ (the final exponentiation module);
Step 8: output $f$.
The auxiliary function module implements the cryptographic functions $H_1/H_2$ and the key derivation function KDF of SM9; the KDF produces the encryption and decryption keys. The steps of $H_1/H_2$ and of the KDF follow the SM9 standard. $H_1/H_2$ and the KDF call the cryptographic hash function $H_v()$; the standard requires a hash function approved by the national cryptographic administration, for instance SM3, which in this embodiment is provided by the SM3 module.
The random number module generates the random numbers in $[1, N-1]$ that the algorithms require.
The algorithm function module invokes the other modules to realize the algorithm functions of SM9: digital signature generation, digital signature verification, the key exchange protocol, public-key encryption and public-key decryption. Each follows the steps of the SM9 standard, as follows:
1) Digital signature generation, as shown in FIG. 1.
The message to be signed is a bit string $M$. To obtain the digital signature $(h, S)$ on $M$, user A, the signer, performs the following steps ($P_1$ is the generator of $G_1$, $P_{pub\text{-}s}$ the signature master public key and $d_{SA}$ A's signing private key):
Step 1: invoke the bilinear pairing module to compute the element $g = e(P_1, P_{pub\text{-}s})$ of the group $G_T$;
Step 2: generate a random number $r \in [1, N-1]$ with the random number module;
Step 3: compute the element $w = g^r$ of $G_T$ with the pairing module and convert $w$ to a bit string;
Step 4: compute the integer $h = H_2(M \| w, N)$ with the auxiliary function module, $H_2$ being a cryptographic function of SM9;
Step 5: compute the integer $l = (r - h) \bmod N$ with the prime-field computation module (a submodule of the pairing module); if $l = 0$, return to Step 2;
Step 6: compute the element $S = [l]d_{SA}$ of $G_1$ with the prime-field computation module;
Step 7: convert $h$ and $S$ to byte strings; the signature on $M$ is $(h, S)$.
2) Digital signature verification, as shown in FIG. 2.
To verify a received message $M'$ and its digital signature $(h', S')$, user B, the verifier, performs the following steps:
Step 1: check whether $h' \in [1, N-1]$; if not, verification fails;
Step 2: convert $S'$ to a point on the elliptic curve and check whether $S' \in G_1$; if not, verification fails;
Step 3: invoke the pairing module to compute $g = e(P_1, P_{pub\text{-}s}) \in G_T$;
Step 4: compute $t = g^{h'} \in G_T$;
Step 5: compute the integer $h_1 = H_1(ID_A \| hid, N)$ with the auxiliary function module, $H_1$ being a cryptographic function of SM9;
Step 6: compute the element $P = [h_1]P_2 + P_{pub\text{-}s}$ of $G_2$;
Step 7: invoke the pairing module to compute $u = e(S', P) \in G_T$;
Step 8: compute $w' = u \cdot t \in G_T$ and convert $w'$ to a bit string;
Step 9: compute the integer $h_2 = H_2(M' \| w', N)$ with the auxiliary function module and check $h_2 = h'$ with the data path module; if they are equal, verification passes, otherwise it fails.
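The following added example (Python, written for this page; not the patent's code and not the SM9 reference implementation) ties together the three cases of the line function $g_{U,V}(Q)$, the Miller loop of Step 3 of the R-ate procedure with its final exponentiation, and the signature generation and verification steps just listed. A BN-curve pairing over $F_{p^{12}}$ would take far more than a page, so it substitutes a deliberately tiny supersingular curve $y^2 = x^3 + x$ over $F_p$ with $p = 20011$ (embedding degree 2, the Tate pairing with a distortion map, subgroup order 5003 in the role of $N$), a symmetric pairing with $P_1 = P_2$, SHA-256 in place of the SM3-based $H_1/H_2$, a fixed KGC master key and a caller-supplied $r$. All of these are constructed assumptions; the control flow of sign and verify follows the numbered steps.

```python
"""Added illustration; not the patent's RTL nor the SM9 reference code. Runs the
Miller loop of Step 3 with the three line-function cases, a final exponentiation,
and the SM9 signature generation/verification steps on a deliberately tiny
supersingular curve y^2 = x^3 + x over F_p, p = 3 mod 4 (embedding degree 2).
Constructed toy parameters; SHA-256 stands in for the SM3-based H1/H2, the KGC
master key KS is a fixed constant, and the signer's r is passed in."""
import hashlib

P_MOD = 20011                  # prime, 20011 % 4 == 3, so #E(F_p) = p + 1 = 20012
R_ORD = 5003                   # prime subgroup order (plays the role of N); 4 * 5003 == p + 1
COFACTOR = (P_MOD + 1) // R_ORD
HID = b"\x01"                  # private-key generating function identifier (one byte)

# F_{p^2} = F_p[i]/(i^2 + 1), a field because -1 is a non-residue; (a, b) means a + b*i.
def f2_sub(x, y): return ((x[0] - y[0]) % P_MOD, (x[1] - y[1]) % P_MOD)
def f2_mul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % P_MOD, (x[0]*y[1] + x[1]*y[0]) % P_MOD)
def f2_pow(x, e):
    acc = (1, 0)
    for bit in bin(e)[2:]:
        acc = f2_mul(acc, acc)
        if bit == "1": acc = f2_mul(acc, x)
    return acc

# E(F_p) in affine coordinates; None is the point at infinity.
def is_vertical(U, V): return U[0] == V[0] and (U[1] + V[1]) % P_MOD == 0
def slope(U, V):               # tangent (U == V) or chord slope; never the vertical case
    if U == V: return (3*U[0]*U[0] + 1) * pow(2*U[1], -1, P_MOD) % P_MOD
    return (V[1] - U[1]) * pow(V[0] - U[0], -1, P_MOD) % P_MOD
def ec_add(U, V):
    if U is None: return V
    if V is None: return U
    if is_vertical(U, V): return None
    lam = slope(U, V); x3 = (lam*lam - U[0] - V[0]) % P_MOD
    return (x3, (lam*(U[0] - x3) - U[1]) % P_MOD)
def ec_mul(k, Pt):
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1": acc = ec_add(acc, Pt)
    return acc
def on_curve(Pt): return Pt is not None and (Pt[1]**2 - Pt[0]**3 - Pt[0]) % P_MOD == 0

def line(U, V, Q):
    """g_{U,V}(Q) with the three cases the page lists; Q has F_{p^2} coordinates."""
    xq, yq = Q
    if U is None and V is None: return (1, 0)
    if U is None or V is None:                       # one point at infinity: vertical line
        return f2_sub(xq, ((V if U is None else U)[0], 0))
    if is_vertical(U, V):                            # U = -V: vertical line as well
        return f2_sub(xq, (U[0], 0))
    lam = slope(U, V)                                # chord through U, V or tangent at U
    return f2_sub(f2_mul((lam, 0), f2_sub(xq, (U[0], 0))), f2_sub(yq, (U[1], 0)))

def distort(Q): return (((-Q[0]) % P_MOD, 0), (0, Q[1]))   # (x, y) -> (-x, i*y)

def pairing(P1, P2):
    """Reduced Tate pairing e(P1, P2) = f_{r,P1}(phi(P2))^((p^2-1)/r). The loop is
    Step 3 of the R-ate procedure; vertical-line factors lie in F_p and vanish under
    the final exponentiation, so no denominators are tracked."""
    Q, f, T = distort(P2), (1, 0), P1
    for bit in bin(R_ORD)[3:]:                       # bits a_{L-2} .. a_0
        f = f2_mul(f2_mul(f, f), line(T, T, Q)); T = ec_add(T, T)
        if bit == "1":
            f = f2_mul(f, line(T, P1, Q)); T = ec_add(T, P1)
    assert T is None                                 # [r]P1 = O
    return f2_pow(f, (P_MOD * P_MOD - 1) // R_ORD)   # final exponentiation

def generator():               # first point of order R_ORD found by scanning x
    for x in range(1, P_MOD):
        rhs = (x**3 + x) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) != 1: continue      # not a square
        G = ec_mul(COFACTOR, (x, pow(rhs, (P_MOD + 1) // 4, P_MOD)))
        if G is not None: return G

def h_int(tag, *parts):        # stand-in for H1 (tag 1) / H2 (tag 2): value in [1, N-1]
    d = hashlib.sha256(bytes([tag]) + b"".join(parts)).digest()
    return int.from_bytes(d, "big") % (R_ORD - 1) + 1
def enc_gt(w): return w[0].to_bytes(2, "big") + w[1].to_bytes(2, "big")   # G_T -> bytes

G1 = G2 = generator()          # symmetric toy pairing: P1 = P2 = G
KS = 77                        # KGC signature master private key (fixed for the demo)
PPUB_S = ec_mul(KS, G2)        # P_pub-s = [ks]P2

def user_key(ident):           # d_A = [ks / (H1(ID || hid) + ks)] P1
    t1 = (h_int(1, ident, HID) + KS) % R_ORD
    if t1 == 0: raise ValueError("H1(ID) + ks = 0 mod N: KGC must regenerate ks")
    return ec_mul(KS * pow(t1, -1, R_ORD) % R_ORD, G1)

def sign(d_a, msg, r):
    g = pairing(G1, PPUB_S)                          # Step 1
    w = f2_pow(g, r)                                 # Step 3 (Step 2's r is supplied)
    h = h_int(2, msg, enc_gt(w))                     # Step 4
    l = (r - h) % R_ORD                              # Step 5
    if l == 0: return None                           # caller retries with a fresh r
    return h, ec_mul(l, d_a)                         # Steps 6-7: (h, S)

def verify(ident, msg, sig):
    h, S = sig
    if not 1 <= h <= R_ORD - 1: return False         # Step 1
    if not on_curve(S) or ec_mul(R_ORD, S) is not None: return False   # Step 2: S in G1
    t = f2_pow(pairing(G1, PPUB_S), h)               # Steps 3-4
    Pp = ec_add(ec_mul(h_int(1, ident, HID), G2), PPUB_S)              # Steps 5-6
    w2 = f2_mul(pairing(S, Pp), t)                   # Steps 7-8
    return h_int(2, msg, enc_gt(w2)) == h            # Step 9
```

The toy parameters give no security at all (a discrete logarithm in a 5003-element group is a table lookup); what carries over is the sequencing. Step 2's subgroup check (on the curve and $[N]S = O$) is what keeps a forged $S'$ from reaching the pairing, the retry on $l = 0$ is real, and $r$ must come from the random number module and never be reused: two signatures made with the same $r$ give $S_1 - S_2 = [h_2 - h_1]d_{SA}$, from which $d_{SA}$ follows directly.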
3) Key exchange protocol, as shown in FIG. 3.
Users A and B negotiate key data of $klen$ bits; A is the initiator and B the responder. For both to obtain the same key, the following steps are performed ($P_{pub\text{-}e}$ is the encryption master public key, $de_A$ and $de_B$ the users' encryption private keys and $hid$ the private-key generating function identifier):
User A:
Step A1: compute $Q_B = [H_1(ID_B \| hid, N)]P_1 + P_{pub\text{-}e} \in G_1$;
Step A2: generate a random number $r_A \in [1, N-1]$;
Step A3: compute $R_A = [r_A]Q_B \in G_1$;
Step A4: send $R_A$ to user B;
User B:
Step B1: compute $Q_A = [H_1(ID_A \| hid, N)]P_1 + P_{pub\text{-}e} \in G_1$;
Step B2: generate a random number $r_B \in [1, N-1]$;
Step B3: compute $R_B = [r_B]Q_A \in G_1$;
Step B4: verify $R_A \in G_1$; if not, the negotiation fails; otherwise invoke the pairing module to compute $g_1 = e(R_A, de_B)$, $g_2 = e(P_{pub\text{-}e}, P_2)^{r_B}$ and $g_3 = g_1^{r_B}$ in $G_T$ and convert $g_1, g_2, g_3$ to bit strings;
Step B5: convert $R_A$ and $R_B$ to bit strings and compute $SK_B = KDF(ID_A \| ID_B \| R_A \| R_B \| g_1 \| g_2 \| g_3, klen)$ with the auxiliary function module, KDF being the key derivation function of SM9;
Step B6 (optional): invoke the SM3 module to compute $S_B = Hash(0x82 \| g_1 \| Hash(g_2 \| g_3 \| ID_A \| ID_B \| R_A \| R_B))$;
Step B7: send $R_B$ and, optionally, $S_B$ to user A;
User A:
Step A5: verify $R_B \in G_1$; if not, the negotiation fails; otherwise invoke the pairing module to compute $g_1' = e(P_{pub\text{-}e}, P_2)^{r_A}$, $g_2' = e(R_B, de_A)$ and $g_3' = (g_2')^{r_A}$ and convert $g_1', g_2', g_3'$ to bit strings;
Step A6: convert $R_A$ and $R_B$ to bit strings; optionally invoke the SM3 module to compute $S_1 = Hash(0x82 \| g_1' \| Hash(g_2' \| g_3' \| ID_A \| ID_B \| R_A \| R_B))$ and check $S_1 = S_B$ with the data path module; if the equation does not hold, key confirmation from B to A fails;
Step A7: compute $SK_A = KDF(ID_A \| ID_B \| R_A \| R_B \| g_1' \| g_2' \| g_3', klen)$ with the auxiliary function module;
Step A8 (optional): invoke the SM3 module to compute $S_A = Hash(0x83 \| g_1' \| Hash(g_2' \| g_3' \| ID_A \| ID_B \| R_A \| R_B))$ and send $S_A$ to user B;
User B:
Step B8 (optional): invoke the SM3 module to compute $S_2 = Hash(0x83 \| g_1 \| Hash(g_2 \| g_3 \| ID_A \| ID_B \| R_A \| R_B))$ and check $S_2 = S_A$ with the data path module; if the equation does not hold, key confirmation from A to B fails.
4) Public-key encryption, as shown in FIG. 4.
The message to be sent is a bit string $M$; $mlen$ is the bit length of $M$, $K_1\_len$ the bit length of the key $K_1$ of the block cipher, and $K_2\_len$ the bit length of the key $K_2$ of the function $MAC(K_2, Z)$.
To encrypt the plaintext $M$ for user B, user A, the encryptor, performs the following steps:
Step 1: compute $Q_B = [H_1(ID_B \| hid, N)]P_1 + P_{pub\text{-}e} \in G_1$;
Step 2: generate a random number $r \in [1, N-1]$;
Step 3: compute $C_1 = [r]Q_B \in G_1$ and convert $C_1$ to a bit string;
Step 4: invoke the pairing module to compute $g = e(P_{pub\text{-}e}, P_2) \in G_T$;
Step 5: compute $w = g^r \in G_T$ and convert $w$ to a bit string;
Step 6: compute according to the chosen plaintext encryption method:
a) if the plaintext is encrypted with a stream cipher based on the key derivation function:
1) compute the integer $klen = mlen + K_2\_len$ and $K = KDF(C_1 \| w \| ID_B, klen)$ with the auxiliary function module; let $K_1$ be the leftmost $mlen$ bits of $K$ and $K_2$ the remaining $K_2\_len$ bits; check with the data path module whether $K_1$ is the all-zero bit string, and if so return to Step 2;
2) compute $C_2 = M \oplus K_1$ with the data path module;
b) if the plaintext is encrypted with a block cipher combined with the key derivation function:
1) compute the integer $klen = K_1\_len + K_2\_len$ and $K = KDF(C_1 \| w \| ID_B, klen)$ with the auxiliary function module; let $K_1$ be the leftmost $K_1\_len$ bits of $K$ and $K_2$ the remaining $K_2\_len$ bits; check with the data path module whether $K_1$ is the all-zero bit string, and if so return to Step 2;
2) invoke the SM4 module to compute $C_2 = Enc(K_1, M)$;
Step 7: invoke the SM3 module to compute $C_3 = MAC(K_2, C_2)$;
Step 8: output the ciphertext $C = C_1 \| C_3 \| C_2$.
5) The decryption algorithm, as shown in figure 5:
mlen is the bit length of C_2 in the ciphertext C = C_1||C_3||C_2, K1_len is the bit length of the key K_1 in the block cipher algorithm, and K2_len is the bit length of the key K_2 in the function MAC(K_2, Z).
In order to decrypt C, user B as the decryptor performs the following operation steps:
Step 1: extract the bit string C_1 from C, convert C_1 into a point on the elliptic curve and verify C_1 ∈ G_1; if this does not hold, report an error and exit;
Step 2: compute the element w' = e(C_1, de_B) of group G_T through the bilinear pairing module and convert the data type of w' into a bit string;
Step 3: compute according to the type of plaintext encryption:
a) If the plaintext encryption method is a sequence cipher (stream cipher) algorithm based on the key derivation function:
1) compute the integer klen = mlen + K2_len, and compute K' = KDF(C_1||w'||ID_B, klen) through the auxiliary function module. Let K_1' be the leftmost mlen bits of K' and K_2' the remaining K2_len bits; judge through the data path module whether K_1' is an all-zero bit string, and if so report an error and exit;
2) compute M' = C_2 ⊕ K_1' through the data path module.
b) If the plaintext encryption method is a block cipher algorithm combined with the key derivation function:
1) compute the integer klen = K1_len + K2_len, and compute K' = KDF(C_1||w'||ID_B, klen) through the auxiliary function module. Let K_1' be the leftmost K1_len bits of K' and K_2' the remaining K2_len bits; judge through the data path module whether K_1' is an all-zero bit string, and if so report an error and exit;
2) invoke the SM4 operation module to compute M' = Dec(K_1', C_2).
Step 4: invoke the SM3 operation module to compute u = MAC(K_2', C_2), extract the bit string C_3 from C, and judge through the data path module whether u = C_3 holds; if it does not hold, report an error and exit;
Step 5: output the plaintext M'.
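As an added example (not code from the patent) covering the sequence-cipher branch of both procedures above (encryption steps 6a to 8 and decryption steps 3a to 5), the following Python implements KDF, MAC, the all-zero K_1 check and the C_3 verification over the layout C = C_1||C_3||C_2. C_1, w and w' are taken as caller-supplied byte strings because computing them needs the pairing module; Hv uses SM3 where hashlib provides it and otherwise SHA-256 as a labelled stand-in, so the outputs are not SM9 test vectors.

```python
# Added example, not code from the patent: the key-derivation half of the
# encryption (steps 6a, 7, 8) and decryption (steps 3a, 4, 5) procedures above
# in the sequence-cipher mode, including the two checks the text requires.
# C1 and w/w' are byte strings supplied by the caller because producing them
# needs the pairing module; every such value used here is constructed.
import hashlib

def Hv(data: bytes) -> bytes:
    """Cryptographic hash Hv. The design uses SM3; hashlib offers it only on
    some OpenSSL builds, so SHA-256 (also 256-bit) is the labelled stand-in."""
    try:
        return hashlib.new("sm3", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()

def KDF(Z: bytes, klen: int) -> bytes:
    """SM9 KDF: Hv(Z || ct) for ct = 1, 2, ..., keeping the leftmost klen bits
    (klen is a multiple of 8 here, so truncation is at a byte boundary)."""
    out, ct = b"", 1
    while len(out) * 8 < klen:
        out += Hv(Z + ct.to_bytes(4, "big"))
        ct += 1
    return out[:klen // 8]

def MAC(K2: bytes, Z: bytes) -> bytes:
    """SM9 message authentication code: MAC(K2, Z) = Hv(Z || K2)."""
    return Hv(Z + K2)

K2_LEN = 256      # K2_len: bit length of the MAC key K2
C3_LEN = 32       # byte length of C3 = MAC(K2, C2), one Hv output

def encrypt_stream(C1: bytes, w: bytes, ID_B: bytes, M: bytes):
    """Returns C = C1 || C3 || C2, or None when K1 is all zero; in that case
    the text returns to step 2 for a fresh r, which changes C1 and w too."""
    mlen = len(M) * 8
    K = KDF(C1 + w + ID_B, mlen + K2_LEN)
    K1, K2 = K[:len(M)], K[len(M):]
    if not any(K1):   # an all-zero keystream would output M in the clear
        return None
    C2 = bytes(m ^ k for m, k in zip(M, K1))
    C3 = MAC(K2, C2)
    return C1 + C3 + C2

def decrypt_stream(C: bytes, c1_len: int, w_prime: bytes, ID_B: bytes):
    """Returns M', or None wherever the text says 'report an error and exit'.
    w' = e(C1, de_B) is supplied by the caller (the pairing module's result)."""
    C1, C3, C2 = C[:c1_len], C[c1_len:c1_len + C3_LEN], C[c1_len + C3_LEN:]
    K = KDF(C1 + w_prime + ID_B, len(C2) * 8 + K2_LEN)
    K1, K2 = K[:len(C2)], K[len(C2):]
    if not any(K1):
        return None
    M = bytes(c ^ k for c, k in zip(C2, K1))
    if MAC(K2, C2) != C3:   # integrity check before any plaintext is released
        return None
    return M
```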
(3) System parameter selection:
The selection of system parameters in this embodiment follows the system parameter selection rules in the standard GM/T 0044.1-2016 (SM9 identification cryptographic algorithm, general rules). The embodiment adopts the 256-bit BN curve recommended by the algorithm standard as the elliptic curve; the curve equation of the selected BN curve is:
E: y^2 = x^3 + b;
where x and y are the abscissa and ordinate of a point on the curve, and b is a nonzero constant parameter that may be chosen freely. The embedding degree of the curve is k = 12, and the order N of the curve is also a prime. The main parameters of the curve, the base field characteristic q, the curve order N and the trace tr of the Frobenius map, are determined by the parameter t:
q(t) = 36t^4 + 36t^3 + 24t^2 + 6t + 1;
N(t) = 36t^4 + 36t^3 + 18t^2 + 6t + 1;
tr(t) = 6t^2 + 1;
Since the embedding degree of the selected elliptic curve is k = 12, the bilinear pairing operation is computed in the twelfth-degree extension field. The application builds the finite field as a tower of extensions following the method described in the SM9 algorithm standard, as follows:
the base field is extended by a quadratic extension into the quadratic extension field, with reduction polynomial x^2 - α, α = -2;
the quadratic extension field is extended by a quadratic extension into the quartic extension field, with reduction polynomial x^2 - u, u^2 = α;
the quartic extension field is extended by a cubic extension into the twelfth-degree extension field, with reduction polynomial x^3 - v, v^2 = u.
All numbers involved in the SM9 computation must lie in the constructed finite field and its extension fields, and all points involved must lie on the constructed BN curve. The operation also requires the generator P_1 of group G_1 and the generator P_2 of group G_2 to be given.
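As an added example (not code from the patent), the following Python computes q, N and tr from t with the formulas above, implements the three-level tower with exactly the reduction polynomials listed, and checks that the reduction relations hold and that a nonzero element satisfies x^(q^12 - 1) = 1, the field property the final exponentiation relies on. The value of t is assumed from the SM9 standard (GM/T 0044), not taken from this page; the function and tuple layouts are the example's own.

```python
# Added example, not code from the patent: the BN parameterisation q(t), N(t),
# tr(t) given above, and the Fp -> Fp2 -> Fp4 -> Fp12 tower with the stated
# reduction polynomials (u^2 = alpha = -2, v^2 = u, w^3 = v). The value of t
# is the one published for the SM9 256-bit BN curve (assumption: taken from
# the SM9 standard, not from this page); field elements are plain tuples.
T = 0x600000000058F98A
ALPHA = -2

def bn_params(t):
    """q, N, tr exactly as the page defines them; q + 1 - tr == N for any t."""
    q = 36 * t**4 + 36 * t**3 + 24 * t**2 + 6 * t + 1
    n = 36 * t**4 + 36 * t**3 + 18 * t**2 + 6 * t + 1
    tr = 6 * t**2 + 1
    return q, n, tr

def probably_prime(n, bases=(2, 3, 5, 7)):
    """Fermat test with a few bases: a quick sanity check, not a proof."""
    return all(pow(a, n - 1, n) == 1 for a in bases)

Q, N, TR = bn_params(T)

# Fp2 = Fp[u]/(u^2 - alpha): (a0, a1) stands for a0 + a1*u
def fp2_add(a, b):
    return ((a[0] + b[0]) % Q, (a[1] + b[1]) % Q)

def fp2_mul(a, b):
    return ((a[0] * b[0] + ALPHA * a[1] * b[1]) % Q, (a[0] * b[1] + a[1] * b[0]) % Q)

def fp2_mul_u(a):  # u*(a0 + a1*u) = alpha*a1 + a0*u
    return ((ALPHA * a[1]) % Q, a[0])

# Fp4 = Fp2[v]/(v^2 - u): (c0, c1) stands for c0 + c1*v
def fp4_add(a, b):
    return (fp2_add(a[0], b[0]), fp2_add(a[1], b[1]))

def fp4_mul(a, b):
    return (fp2_add(fp2_mul(a[0], b[0]), fp2_mul_u(fp2_mul(a[1], b[1]))),
            fp2_add(fp2_mul(a[0], b[1]), fp2_mul(a[1], b[0])))

def fp4_mul_v(a):  # v*(c0 + c1*v) = u*c1 + c0*v
    return (fp2_mul_u(a[1]), a[0])

# Fp12 = Fp4[w]/(w^3 - v): (d0, d1, d2) stands for d0 + d1*w + d2*w^2
def fp12_mul(a, b):
    a0, a1, a2 = a
    b0, b1, b2 = b
    c0 = fp4_add(fp4_mul(a0, b0), fp4_mul_v(fp4_add(fp4_mul(a1, b2), fp4_mul(a2, b1))))
    c1 = fp4_add(fp4_add(fp4_mul(a0, b1), fp4_mul(a1, b0)), fp4_mul_v(fp4_mul(a2, b2)))
    c2 = fp4_add(fp4_add(fp4_mul(a0, b2), fp4_mul(a1, b1)), fp4_mul(a2, b0))
    return (c0, c1, c2)

FP2_ZERO, FP2_ONE = (0, 0), (1, 0)
FP4_ZERO, FP4_ONE = (FP2_ZERO, FP2_ZERO), (FP2_ONE, FP2_ZERO)
FP12_ONE = (FP4_ONE, FP4_ZERO, FP4_ZERO)
U12 = (((0, 1), FP2_ZERO), FP4_ZERO, FP4_ZERO)  # u as an element of Fp12
V12 = ((FP2_ZERO, FP2_ONE), FP4_ZERO, FP4_ZERO)  # v as an element of Fp12
W12 = (FP4_ZERO, FP4_ONE, FP4_ZERO)              # w as an element of Fp12

def fp12_pow(a, e):
    """Left-to-right square-and-multiply, as a modular exponentiation unit does."""
    r = FP12_ONE
    for bit in bin(e)[2:]:
        r = fp12_mul(r, r)
        if bit == "1":
            r = fp12_mul(r, a)
    return r

def tower_relations_hold():
    """The three reduction polynomials in force: u^2 = alpha, v^2 = u, w^3 = v."""
    alpha12 = (((ALPHA % Q, 0), FP2_ZERO), FP4_ZERO, FP4_ZERO)
    return (fp12_mul(U12, U12) == alpha12
            and fp12_mul(V12, V12) == U12
            and fp12_mul(fp12_mul(W12, W12), W12) == V12)
```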
This embodiment is realized in Verilog HDL. For the SM9 identification cryptographic algorithm hardware accelerator built on the SM9 algorithm hardware implementation system architecture, the implemented algorithm functions and the operation results obtained in testing agree with the SM9 algorithm standard and the calculation examples it provides. A comparison of the computational efficiency of a software implementation of the SM9 algorithm with that measured for this embodiment is shown in Table 1.
Table 1: comparison of computational efficiency between an SM9 software implementation and the implementation of this embodiment
As the data in Table 1 show, the computation time required by the SM9 algorithm hardware implementation scheme provided by the application for the algorithm functions is only about 1/10 to 1/9 of that of the software implementation scheme, a large improvement in computation speed over the software implementation.
It will be understood that the application has been described in terms of several embodiments, and that various changes and equivalents may be made to these features and embodiments by those skilled in the art without departing from the spirit and scope of the application. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the application without departing from the essential scope thereof. Therefore, it is intended that the application not be limited to the particular embodiment disclosed, but that the application will include all embodiments falling within the scope of the appended claims.

Claims (5)

1. A finite-field-based SM9 identification cryptographic algorithm hardware implementation system, comprising a register module, a data path module, a bottom-layer control module, a memory module, an auxiliary function module, a random number module and an algorithm function module, characterized in that:
the register module is used for reading configuration information and control information of a user;
the data path module is used for completing the various operations on the data participating in the computation, realizing the transfer of data between the registers and the memory and performing simple operations on the data, including writing data from the registers into the memory and reading data out of the memory, wherein the initial parameters, identifiers and plaintext data written into the registers by the user are transferred to the memory through the data path module;
the memory module is used for storing various operation data, including initial parameters, calculated intermediate values and calculation results;
the bottom layer control module is used for calling an algorithm module of the bottom layer to finish various finite field calculation, elliptic curve calculation and encryption operations;
the algorithm modules of the bottom layer comprise a bilinear pairing module, an SM3 operation module and an SM4 operation module, wherein the bilinear pairing module comprises the functions of finite field calculation, elliptic curve calculation and bilinear pairing calculation; the SM3 operation module is the SM3 algorithm function module realized in hardware, the SM3 algorithm being a hash algorithm used for digital signature generation and verification and for generation and verification of message authentication codes in SM9 algorithm applications; the SM4 operation module is the SM4 algorithm function module realized in hardware, the SM4 algorithm being a block cipher algorithm used for public key encryption and decryption in the SM9 algorithm;
the bilinear pairing module comprises a prime field calculation module, a quadratic extension field operation module, a quartic extension field operation module, a twelfth-degree extension field operation module, a quadratic extension field elliptic curve operation module, a line function operation module, a final exponentiation module and a bilinear pairing calculation state machine;
the prime field calculation module is used for completing the modular operations in the prime field and the operations on elliptic curve points;
the prime field calculation module comprises a modular addition and subtraction hardware module, a Montgomery modular multiplication hardware module, a modular inversion hardware module and a prime field elliptic curve calculation module; the modular addition and subtraction hardware module implements the modular addition, modular subtraction and modular reduction operations of prime field arithmetic; the Montgomery modular multiplication hardware module implements modular multiplication in the prime field and is based on an optimized Montgomery modular multiplication algorithm; the modular inversion hardware module implements modular inversion in the prime field; the prime field elliptic curve calculation module implements point addition, point multiplication and point verification in the prime field;
the quadratic extension field operation module implements the operations in the quadratic extension field obtained by a quadratic extension of the prime field, comprising modular addition, modular subtraction, modular multiplication, modular inversion and the Frobenius operation on quadratic extension field elements; the quartic extension field operation module implements the operations in the quartic extension field obtained by a quartic extension of the prime field, comprising modular addition, modular subtraction, modular multiplication, modular inversion and the Frobenius operation on quartic extension field elements; the twelfth-degree extension field operation module implements the operations in the twelfth-degree extension field obtained by a twelfth-degree extension of the prime field, comprising modular multiplication, modular inversion, modular exponentiation and the Frobenius operation on twelfth-degree extension field elements;
the quadratic extension field elliptic curve operation module implements the elliptic curve operations over the quadratic extension field, comprising coordinate system conversion of quadratic extension field points, point addition and point multiplication of quadratic extension field points, and the Frobenius operation on quadratic extension field points; the coordinate conversion of quadratic extension field points refers to converting elliptic curve points over the quadratic extension field between the affine coordinate system and the projective coordinate system;
the line function operation module implements the evaluation of the function g_{U,V}(Q) in the R-ate pairing computation, i.e. the computation of the line equation through two elliptic curve points; the computation flow of g_{U,V}(Q) follows the definition in the SM9 algorithm standard: if the two elliptic curve points are distinct and neither is the point at infinity, the result is the equation of the straight line through the two points; if the two elliptic curve points are the same point and not the point at infinity, the result is the equation of the tangent to the elliptic curve at that point; if one of the elliptic curve points is the point at infinity, the result is the equation of the vertical line (perpendicular to the x-axis) through the other point;
the final exponentiation module implements the last step of the R-ate pairing computation, namely
the bilinear pairing calculation state machine controls and invokes each module to complete the computation of the bilinear pairing;
the auxiliary function module implements the cryptographic functions H_1/H_2 and the key derivation function KDF of the SM9 algorithm, the key derivation function being used to generate the encryption and decryption keys in the SM9 algorithm;
the random number module is used for generating random numbers between 1 and (N-1) required by an algorithm;
the algorithm function module is used for calling other modules to realize various algorithm functions in the SM9 algorithm.
2. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the specific functions of the register module include: the user writes the control information and the configuration information into a register module, the register module transmits the initial parameters, the identifiers and the plaintext data written by the user to a memory module, and then corresponding algorithm function operation is started according to the control information; if the operation is successful, the register module reads out the calculation result from the memory module and transmits the calculation result to a user; if the operation fails, the register module transmits a calculation failure signal to a user.
3. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the data path module enables data handling operations between different addresses in memory, including comparing two data, head-to-tail stitching of two data, and shifting of data.
4. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the operation steps of the cryptographic functions H_1/H_2 and the key derivation function KDF of the auxiliary function module are implemented according to the steps in the SM9 algorithm standard; the cryptographic functions H_1/H_2 and the key derivation function KDF call the cryptographic hash function Hv(), and the cryptographic hash function Hv() is realized by the SM3 operation module.
5. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the algorithm functions of the SM9 algorithm include: digital signature generation, digital signature verification, key exchange protocol, public key encryption and public key decryption; the algorithm function performs the calculation according to steps in the SM9 algorithm standard.
CN202110763602.2A 2021-07-06 2021-07-06 SM9 identification cipher algorithm hardware realization system based on finite field Active CN113660087B (en)

Publications (2)

Publication Number Publication Date
CN113660087A CN113660087A (en) 2021-11-16
CN113660087B true CN113660087B (en) 2023-09-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant