CN1831754A - Elliptic curve cipher system and implementing method - Google Patents

Elliptic curve cipher system and implementing method

Publication number: CN1831754A (granted as CN100414492C)
Authority: CN (China)
Application number: CN 200510115512 (priority application CNB2005101155123A)
Original language: Chinese (zh)
Legal status: Granted; Expired - Fee Related
Prior art keywords: module, montgomery, computing, elliptic curve, algorithm
Inventors: 范欣欣, 王育民, 詹阳, 姜正涛, 谭示崇, 田海博, 袁素春, 于松亮
Original assignee: BEIJING PUAODE DITIAL TECHNOLOGY Co Ltd
Current assignee: Sichuan Changhong Electric Co Ltd

Abstract

An elliptic curve cipher system comprises: a finite field arithmetic module that performs the operations of a large prime field using Montgomery arithmetic; a point addition and point doubling module that performs the group operations on the elliptic curve; a scalar multiplication module that implements the main operation of the elliptic curve cipher system; a DH key agreement module that completes key agreement by calling the scalar multiplication module; and a digital signature and verification module that completes signing and verification by calling the scalar multiplication module. A method of implementing the elliptic curve cipher system is also disclosed.

Description

Elliptic curve cipher system and implementation method
Technical field
The present invention relates to digital content protection systems for electronic equipment, and in particular to an elliptic curve cipher system and a method of implementing it.
Background technology
With the continuous development and application of information technology, the security of electronic information is becoming more and more important, and cryptography, as the core of information security, plays a very important role in it. Two milestones mark the development of cryptography: Shannon's 1949 paper on the mathematical theory of secret communication, and Diffie and Hellman's 1976 "New Directions in Cryptography". Shannon's theory turned cryptography into a science with a theoretical system of its own; "New Directions in Cryptography" proposed the idea of public key cryptography and opened its new era. Public key cryptography attracted wide attention as soon as it was proposed, and since 1976 a large number of public-key cryptosystems have been put forward. The security of all of these schemes rests on solving some hard mathematical problem; to date, three classes of hard problems are both reasonably secure and easy to implement:
1. Public-key cryptosystems based on the integer factorization problem (IFP), including the RSA and Rabin systems;
2. Public-key cryptosystems based on the discrete logarithm problem in a finite field (DLP), mainly the ElGamal family of encryption and signature schemes, the Diffie-Hellman key exchange scheme, the Schnorr signature scheme and the Nyberg-Rueppel signature scheme;
3. Public-key cryptosystems based on the elliptic curve discrete logarithm problem (ECDLP), mainly the elliptic curve Diffie-Hellman key exchange scheme, the elliptic curve MQV key exchange scheme and the elliptic curve digital signature algorithm.
The use of elliptic curves in cryptographic algorithms was proposed independently by Koblitz and Victor Miller in 1985, and elliptic curve systems have been a subject of cryptanalysis ever since. Today elliptic curve cryptosystems (ECC) are considered secure for both commercial and government use. According to current cryptanalytic knowledge, elliptic curve cryptosystems offer higher security than traditional cryptosystems: compared with the RSA and ElGamal encryption and signature algorithms and with the Diffie-Hellman key agreement algorithm, they use shorter keys and more efficient algorithms. These two advantages make elliptic curve cryptosystems more practical than traditional ones and suited to environments with limited memory and computing power, such as mobile phones and personal digital assistants. For the same reason they are also favoured in demanding systems such as secure networking devices, which perform public key computations frequently.
The main reason elliptic curve cryptosystems are more attractive than systems such as RSA and DSA is that their security rests on the discrete logarithm problem (ECDLP) in the group of points of an elliptic curve over a finite field. ECDLP is a harder problem than integer factorization; many cryptographers consider it to be of exponential difficulty, that is, the best known algorithm for solving the elliptic curve discrete logarithm problem takes fully exponential time. By contrast, the problems underlying other public key cryptosystems such as RSA and DSA, the integer factorization problem (IFP) and the discrete logarithm problem (DLP), admit subexponential-time algorithms. Compared with RSA, DSA and similar systems, an elliptic curve cryptosystem therefore has the following advantages:
1. Higher security
The security of a cryptographic algorithm is reflected by its resistance to attack. Table 1.1 compares the attack resistance of elliptic curve cryptosystems with that of several other public key algorithms. It shows that elliptic curve cryptosystems have an absolute advantage in attack resistance: a 160-bit elliptic curve cryptosystem provides security comparable to 1024-bit RSA or DSA, and a 210-bit elliptic curve cryptosystem has the same security as 2048-bit RSA or DSA.
Table 1.1 Comparison of the attack resistance of ECC and RSA/DSA
RSA/DSA key length (bit) | ECC key length (bit) | RSA:ECC key length ratio | Required workload (MIPS-years)
512   | 106 |  5:1 | 10^4
768   | 132 |  6:1 | 10^8
1024  | 160 |  7:1 | 10^11
2048  | 210 | 10:1 | 10^20
21000 | 600 | 35:1 | 10^78
Here one MIPS-year is the workload of a computer executing one million instructions per second running for one year.
2. Small amount of computation and fast processing
Although RSA can speed up its public key operations by choosing a small public exponent (such as 3), which makes its encryption and signature verification fast and comparable to those of an elliptic curve cryptosystem, elliptic curve cryptosystems are faster than RSA and DSA for the private key operations (decryption and signing). Table 1.2 compares the key generation, signing and verification speeds of elliptic curve cryptosystems with those of RSA and DSA.
Table 1.2 Comparison of the computing speed of ECC and RSA/DSA
Operation      | ECDSA GF(2^n) standard | ECDSA GF(2^n) improved | ECDSA GF(p) | RSA  | DSA
Key generation | 13.0                   | 11.7                   | 5.5         | 1s   | 22.7
Signature      | 13.3                   | 11.3                   | 6.3         | 43.3 | 23.6
Verification   | 68                     | 60                     | 26          | 0.65 | 28.3
Here the ECC algorithms use 191-bit keys and RSA/DSA use 1024-bit keys. As the required security strength increases, the speed advantage of ECC over RSA/DSA grows.
3. Small storage space
The key sizes and system parameters of an elliptic curve cryptosystem are much smaller than those of RSA/DSA, so the storage they occupy is much smaller. This is of particular importance for cryptographic algorithms used in IC cards and wireless environments.
4. Low bandwidth requirement
When long messages are encrypted and decrypted, the three classes of cryptosystem have the same bandwidth requirement, but for short messages the bandwidth requirement of an elliptic curve cryptosystem is much lower. This low bandwidth requirement gives elliptic curve cryptosystems broad application prospects in wireless networks.
From the advantages above it can be seen that, as computing power grows and longer keys are needed, elliptic curve cryptosystems attract more attention than other public key cryptosystems. The advantages brought by their higher per-bit security include higher speed, lower energy consumption, bandwidth savings and better storage efficiency, which are particularly important in applications constrained in bandwidth, processor capability or storage.
Summary of the invention
The object of the present invention is to provide an elliptic curve cipher system and an implementation method that supply the low-level modules on which higher-layer authentication protocols are built.
The elliptic curve cipher system provided to achieve this object comprises:
(1) A finite field arithmetic module, used to implement the operations of a large prime field using Montgomery arithmetic.
The finite field arithmetic module comprises a modular addition module, a modular subtraction module, a modular multiplication module, a modular squaring module, a modular reduction module and an inversion module.
The modular multiplication module is a CIOS-Montgomery multiplication algorithm module.
The modular squaring module is an SRCIL-Montgomery squaring algorithm module.
The inversion module is an exponentiation-based inversion algorithm module.
The elliptic curve cipher system of the present invention further comprises:
(2) A point addition and point doubling module, used to implement point addition and point doubling on the elliptic curve with Montgomery arithmetic, on the basis of the finite field arithmetic. It calls the finite field arithmetic module; its input parameters are elements of the Montgomery domain, so its results remain in the Montgomery domain.
The point addition and point doubling are the optimized point addition and point doubling algorithms.
(3) A scalar multiplication module, used to implement the main operation of the elliptic curve cipher system, scalar multiplication. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field.
The scalar multiplication uses the NAF random-point scalar multiplication algorithm.
(4) A DH key agreement module, which calls the scalar multiplication module to complete key agreement. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field.
(5) A digital signature and verification module, which calls the scalar multiplication module to complete the signing and verification of messages. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field.
The present invention also provides a method of implementing an elliptic curve cipher system, comprising the following steps:
(1) Using Montgomery arithmetic to implement the operations of the large prime field of the elliptic curve cipher system.
The operations comprise modular addition, modular subtraction, modular multiplication, modular squaring, modular reduction and inversion.
The modular multiplication is the CIOS-Montgomery multiplication algorithm.
The modular squaring is the SRCIL-Montgomery squaring algorithm.
The inversion is the exponentiation-based inversion algorithm.
The implementation method of the present invention further comprises the following steps:
(2) Using Montgomery arithmetic, on the basis of the finite field arithmetic, to implement point addition and point doubling on the elliptic curve. This step calls the finite field arithmetic module; its input parameters are elements of the Montgomery domain, so its results remain in the Montgomery domain.
The point addition and point doubling are the optimized point addition and point doubling algorithms.
(3) Scalar multiplication. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field.
The scalar multiplication uses the NAF random-point scalar multiplication algorithm.
(4) Calling the DH key agreement module, which completes key agreement through the scalar multiplication module. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field.
(5) Calling the digital signature and verification module, which completes the signing and verification of messages through the scalar multiplication module. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field.
The beneficial effects of the invention are as follows: the invention provides an elliptic curve cipher system and implementation method suited to hardware implementation. It uses Montgomery arithmetic for all operations in the large prime field, so that every arithmetic operation required by the elliptic curve cipher system (modular addition, modular subtraction, modular multiplication and inversion) can be carried out in the Montgomery domain without explicitly executing the costly modular reduction, which makes it suitable for both software and hardware implementation.
Description of drawings
Fig. 1 is a diagram of the hierarchical structure of the elliptic curve cipher system;
Fig. 2 shows the conversion relationship between elements of the prime field and elements of the Montgomery domain.
Embodiment
The elliptic curve cipher system and method of the present invention are described further below with reference to Figs. 1 and 2.
Definition of an elliptic curve:
An elliptic curve is the set of all points of the projective plane that satisfy the equation
$Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3$   [3-1]
such that every point of the curve is nonsingular (smooth).
Here equation [3-1] is the Weierstrass equation (Karl Theodor Wilhelm Weierstrass, 1815-1897), a homogeneous equation.
"Nonsingular" or "smooth" means, in mathematical terms, that at any point of the curve the partial derivatives $F_x(x, y, z)$, $F_y(x, y, z)$ and $F_z(x, y, z)$ are not all zero at the same time.
The elliptic curve has a point at infinity $O_\infty = (0 : 1 : 0)$, since this point satisfies equation [3-1].
Substituting $x = X/Z$ and $y = Y/Z$ into equation [3-1] gives
$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$   [3-2]
where $(x, y)$ are coordinates in the ordinary plane rectangular coordinate system.
That is, the smooth curve satisfying equation [3-2], together with the point at infinity $O_\infty$, forms the elliptic curve.
Such an elliptic curve is continuous and therefore unsuitable for encryption; the elliptic curves suitable for encryption are usually defined over a finite field.
A finite field is a field consisting of finitely many elements.
Given a finite field $F_p$, the field has only finitely many elements, namely the $p$ elements $0, 1, 2, \ldots, p-2, p-1$, where $p$ is a prime.
Addition in $F_p$, $(a + b)$, is defined by $a + b \equiv c \pmod p$; that is, $(a + b) \div p$ and $c \div p$ leave the same remainder.
Multiplication in $F_p$, $(a \times b)$, is defined by $a \times b \equiv c \pmod p$.
Division in $F_p$, $(a \div b)$, is defined by $a / b \equiv c \pmod p$, that is, $a \times b^{-1} \equiv c \pmod p$, where $b^{-1}$ is also an integer between 0 and $p-1$ and satisfies $b \times b^{-1} \equiv 1 \pmod p$.
The identity element of $F_p$ is 1 and its zero element is 0.
Not every elliptic curve over a finite field is suitable for encryption, however. The elliptic curves defined over a large prime field are suitable for encryption, and an elliptic curve over a large prime field can be transformed by an isomorphism from the general curve equation into the especially simple form $y^2 = x^3 + ax + b$, with curve parameters $a, b \in F_p$ satisfying $4a^3 + 27b^2 \not\equiv 0 \pmod p$.
Therefore all the points $(x, y)$ satisfying the equation below, together with the point at infinity $O_\infty$, form an elliptic curve defined over the large prime field $F_p$:
$y^2 = x^3 + ax + b \pmod p$
where $x$ and $y$ are integers between 0 and $p-1$; this elliptic curve is denoted $E_p(a, b)$.
A public key algorithm is always based on a hard mathematical problem. The RSA cryptosystem, for instance, is based on the fact that given two large primes $p$ and $q$ it is easy to multiply them to obtain $n$, whereas factoring $n$ is relatively hard.
Consider the following equation:
$K = kG$, where $K$ and $G$ are points on $E_p(a, b)$ and $k$ is an integer less than $n$ ($n$ being the order of $G$). It is easy to see that, given $k$ and $G$, computing $K$ by the addition rule is easy, but given $K$ and $G$, finding $k$ is quite hard.
This is the hard mathematical problem on which the elliptic curve cipher system is based. The point $G$ is called the base point, $k$ ($k < n$, $n$ the order of the base point $G$) is called the private key, and $K$ is called the public key.
The present invention uses Montgomery arithmetic to implement the various operations of the large prime field, and thereby realizes the elliptic curve cipher system and method.
Montgomery arithmetic, illustrated in Fig. 2, was proposed by Peter Montgomery. Its main operation is the Montgomery multiplication, which needs neither a costly division nor a quotient estimation technique, and so simplifies the modular reduction.
Mathematically, the Montgomery domain and the prime field GF(p) are isomorphic: every element of GF(p) has a unique corresponding element in the Montgomery domain. An element $a \in GF(p)$ is represented in the Montgomery domain as $a' = aR \bmod p$, where $R$ is called the Montgomery constant ($R$ must be greater than $p$). The Montgomery constant $R$ and the characteristic of the large prime field must be coprime, i.e. $\gcd(R, p) = 1$. $R$ is usually chosen as a power of 2, $R = 2^m$, where $m$ reflects the size of the hardware; $R = 2^{192}$ is preferred.
To perform prime field operations with Montgomery arithmetic, the operands must first be converted from the prime field into the Montgomery domain. The conversion can itself be done with the Montgomery multiplication: $a' = \mathrm{MonMul}(a, R^2) = aR^2/R \bmod p = aR \bmod p$.
When the system implements the Montgomery multiplication algorithm in hardware, this conversion needs no further operation and therefore no additional hardware resources. The Montgomery constant used in the conversion is $R = 2^m \bmod p$; precomputing $R^2$ has some cost, but it needs to be done only once for each modulus $p$.
Conversion from the Montgomery domain back to the prime field can also be done with the Montgomery multiplication: $a = \mathrm{MonMul}(a', 1) = a' \cdot 1/R \bmod p = aR \cdot 1/R \bmod p = a \bmod p$. $b$ is computed in the same way as $a$, so that $b = \mathrm{MonMul}(b', 1) = b' \cdot 1/R \bmod p = bR \cdot 1/R \bmod p = b \bmod p$. When a large number of arithmetic operations are performed in the Montgomery domain the cost of this conversion is negligible, since it is needed only once at the start and once at the end of the whole computation. In the present invention all operands are converted into the Montgomery domain when the elliptic curve cipher computation begins, all point operations on the elliptic curve are then completed in the Montgomery domain, and the final result is converted back into the large prime field.
In this way the invention uses the Montgomery representation of large integers to implement the modular arithmetic of the prime field efficiently. In the Montgomery domain no costly explicit modular reduction is needed, and every arithmetic operation required by the elliptic curve cipher system can be carried out in the Montgomery domain: modular addition, modular subtraction, modular multiplication, inversion, modular squaring and modular reduction.
Modular addition: $a + b \bmod p \leftrightarrow \mathrm{MonAdd}(a', b') = (a + b)R \bmod p = a' + b' \bmod p$
Modular multiplication: $ab \bmod p \leftrightarrow \mathrm{MonMul}(a', b') = (ab)R \bmod p = a'b'/R \bmod p$
Inversion: $a^{-1} \bmod p \leftrightarrow \mathrm{MonInv}(a') = a^{-1}R \bmod p = a'^{-1}R^2 \bmod p$
Modular subtraction: $a - b \bmod p \leftrightarrow \mathrm{MonSub}(a', b') = (a - b)R \bmod p = a' - b' \bmod p$
Modular squaring: $a^2 \bmod p \leftrightarrow \mathrm{MonSq}(a') = (a^2)R \bmod p = a'^2/R \bmod p$
Modular reduction: $r = cR^{-1} \bmod p$
Here MonMul denotes modular multiplication, MonAdd modular addition, MonInv inversion, MonSub modular subtraction and MonSq modular squaring.
The elliptic curve cipher system of the embodiment of the invention is described in detail below with reference to Fig. 1:
As shown in Fig. 1, the elliptic curve cipher system of this embodiment comprises:
A finite field arithmetic module, used to implement the addition, multiplication, squaring and inversion operations of the large prime field using Montgomery arithmetic.
The large prime field here is simply the general prime field $F_p$, with $p$ a prime greater than 2.
The finite field arithmetic module comprises a modular addition module, a modular subtraction module, a modular multiplication module, a modular squaring module, a modular reduction module and an inversion module.
The modular multiplication module is a CIOS-Montgomery multiplication algorithm module (Coarsely Integrated Operand Scanning); this algorithm occupies the fewest resources and is the fastest.
The principle of the CIOS-Montgomery multiplication algorithm is that it integrates the multiplication and reduction steps. Specifically, instead of computing the product of a and b and then reducing that product, it alternates multiplication and reduction within the outer loop. This is possible because the value m used by the reduction step in the i-th outer iteration depends only on the intermediate value s[i], which the multiplication loop of the i-th iteration has already computed.
The modular squaring module is an SRCIL-Montgomery squaring algorithm module (Squaring Reduction with Inner Loop); this algorithm is the fastest. The principle of the SRCIL-Montgomery squaring algorithm is that it removes the redundant part of the general Montgomery squaring algorithm and maximizes the parallelism available to the software. Its basic idea is to compute the products $a_i \times a_i$ in a separate loop, to remove the carry delay, and to eliminate the redundant part by changing the loop structure.
The inversion module is an exponentiation-based inversion algorithm module, which realizes inversion in the finite field by Fermat's little theorem, i.e. $b = a^{p-2} \pmod p$. It can reuse the Montgomery multiplier resources on the hardware circuit board, and on a board equipped with a Montgomery multiplier its execution time is about 70% of that of the binary extended Euclidean algorithm.
The elliptic curve cipher system of this embodiment further comprises:
A point addition and point doubling module, used to implement point addition and point doubling on the elliptic curve with Montgomery arithmetic, on the basis of the finite field arithmetic. It uses the optimized point addition and point doubling algorithms to realize the group operations and calls the finite field arithmetic module; its input parameters are elements of the Montgomery domain, so its results remain in the Montgomery domain.
A scalar multiplication module, used to implement the main operation of the elliptic curve cipher system, scalar multiplication. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field. The computation in the scalar multiplication module uses the NAF random-point scalar multiplication algorithm.
The principle of the NAF random-point scalar multiplication algorithm is that the scalar is first NAF-encoded: the NAF of the scalar $k$ is $k = \sum_{i=0}^{l} k_i 2^i$ with $k_i \in \{0, \pm 1\}$, where at least one of any two adjacent digits $k_i$ is 0. With this encoding the scalar multiplication can be computed efficiently: the expected running time of the NAF scalar multiplication algorithm is about $(m/3)A + mD$, where $m = \lceil \log_2 p \rceil$, $A$ denotes a point addition and $D$ denotes a point doubling.
A DH key agreement module, which calls the scalar multiplication module to complete key agreement. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field.
EC Diffie-Hellman key agreement derives a shared secret value from the private key of one party and the public key of the other party, where both parties use the same EC domain parameters. If both parties execute the protocol correctly, they obtain the same result. This algorithm can be called by various schemes to produce a shared secret key, provided the keys supplied as input are valid.
A digital signature and verification module, which calls the scalar multiplication module to complete the signing and verification of messages. Its input parameters are elements of the prime field; they are converted into the Montgomery domain before the computation, and the result is converted back into the prime field.
The Elliptic Curve Digital Signature Algorithm (ECDSA) is a digital signature and verification algorithm based on elliptic curves that resembles DSA (Digital Signature Algorithm). Unlike the discrete logarithm problem and the integer factorization problem, the elliptic curve discrete logarithm problem has no subexponential algorithm, and for this reason the per-bit strength of algorithms based on the elliptic curve discrete logarithm is substantially greater.
The main parameters of ECDSA comprise an elliptic curve $E$ defined over the finite field GF(p), whose number of GF(p)-rational points $\#E(GF(p))$ is divisible by a large prime $n$, and a base point $G \in E(GF(p))$. They are written $D = (p, a, b, G, n, h)$, together with the key pair $(d, Q)$ and the hash function $H$.
$D = (p, a, b, G, n, h)$, the hash function $H$ and $Q$ are public, while $d$ is kept secret.
In the elliptic curve cipher system of this embodiment, the basic operations of the underlying finite field must be realized first: addition, multiplication, squaring and inversion. Next, point addition and point doubling on the elliptic curve are realized on the basis of the finite field arithmetic library. Finally the main operation of the elliptic curve cipher system, scalar multiplication, is realized; key agreement is completed by calling the scalar multiplication module, and the signing and verification of messages are completed by calling the scalar multiplication module.
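As an added example (not the patent's code), the following Python implements the NAF scalar multiplication, EC Diffie-Hellman key agreement and ECDSA signing and verification described above over a curve of the form $y^2 = x^3 + ax + b$. It uses affine coordinates and ordinary modular arithmetic rather than the patent's Montgomery-domain modules; the NIST P-192 domain parameters, SHA-256 as the hash function $H$, and all function names are this example's own assumptions, and any key or nonce values supplied to it are constructed.

```python
import hashlib

# NIST P-192 domain parameters D = (p, a, b, G, n, h) with h = 1 (assumed test parameters,
# not values from the patent).
P = (1 << 192) - (1 << 64) - 1
A = P - 3
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831
INF = None   # the point at infinity O

def on_curve(pt):
    """y^2 = x^3 + ax + b (mod p); the point at infinity is on the curve by definition."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def point_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def point_add(p1, p2):
    """Affine point addition; point doubling is the case p1 == p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                # P + (-P) = O, and 2P = O when y = 0
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)         # chord slope (addition)
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def naf(k):
    """NAF digits of k, least significant first: each in {0, +1, -1}, no two adjacent nonzero."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k & 3)   # k = 1 (mod 4) gives +1, k = 3 (mod 4) gives -1; next digit is then 0
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits

def scalar_mult(k, pt):
    """Left-to-right NAF scalar multiplication: m doublings and about m/3 additions."""
    neg = point_neg(pt)
    q = INF
    for d in reversed(naf(k)):
        q = point_add(q, q)
        if d == 1:
            q = point_add(q, pt)
        elif d == -1:
            q = point_add(q, neg)
    return q

def ecdh_shared_secret(own_private, peer_public):
    """EC Diffie-Hellman: d_A * Q_B and d_B * Q_A are the same point; its x-coordinate is the secret."""
    shared = scalar_mult(own_private, peer_public)
    if shared is INF:
        raise ValueError("invalid peer public key")
    return shared[0]

def hash_to_int(msg):
    """Leftmost bitlen(n) bits of H(msg); H is SHA-256 here (the patent names no hash)."""
    h = hashlib.sha256(msg).digest()
    return int.from_bytes(h, "big") >> max(0, 8 * len(h) - N.bit_length())

def ecdsa_sign(d, msg, k):
    """ECDSA signature (r, s) under private key d; k is a caller-supplied secret nonce in [1, n-1]."""
    e = hash_to_int(msg)
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (e + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, retry with another nonce")
    return r, s

def ecdsa_verify(Q, msg, sig):
    """ECDSA verification under public key Q = dG."""
    r, s = sig
    if Q is INF or not on_curve(Q) or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    e = hash_to_int(msg)
    pt = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, Q))
    return pt is not INF and pt[0] % N == r
```

The NAF recoding can be checked by decoding the digits back to the scalar and confirming that no two adjacent digits are nonzero, and the curve parameters by confirming that nG is the point at infinity.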
The implementation method of the elliptic curve cipher system of the present invention is described in further detail below in conjunction with the system; it comprises the following steps:
(1) Using Montgomery arithmetic to implement the addition, multiplication, squaring and inversion operations of the large prime field.
The large prime field here is simply the general prime field $F_p$, with $p$ a prime greater than 2.
◆ Modular addition:
The modadd algorithm:
Input: integers $a, b \in [0, p-1]$, $a = (a_{t-1}, a_{t-2}, \ldots, a_1, a_0)$, $b = (b_{t-1}, b_{t-2}, \ldots, b_1, b_0)$.
Output: $c = a + b \bmod p$.
1. $c_0 \leftarrow \mathrm{Add}(a_0, b_0)$. // addition of the low 32-bit words
2. For $i$ from 1 to $t-1$ do: $c_i \leftarrow \mathrm{Add}(a_i, b_i) + \mathrm{carry}(a_{i-1}, b_{i-1})$. // 32-bit addition of the words of a and b with the carry from the previous word
3. If $c \ge p$ then $c \leftarrow c - p$. // if $\mathrm{carry}(a_{t-1}, b_{t-1}) \ne 0$, the last word addition produced a carry, so subtract p
4. Return $c$. // return the result
where $\mathrm{Add}(a_i, b_i) := (a_i + b_i) \bmod 2^{32}$ and $\mathrm{carry}(a_i, b_i) := \lfloor (a_i + b_i) / 2^{32} \rfloor$.
◆ Modular subtraction:
The modsub algorithm:
Subtraction is very similar to addition, except that it uses a borrow.
Input: integers $a, b \in [0, p-1]$, $a = (a_{t-1}, a_{t-2}, \ldots, a_1, a_0)$, $b = (b_{t-1}, b_{t-2}, \ldots, b_1, b_0)$.
Output: $c = a - b \bmod p$.
1. borrow $\leftarrow 0$. // initialize the borrow to 0
2. For $i$ from 0 to $t-1$ do: // 32-bit subtraction of the words of a and b
2.1. $c_i \leftarrow (a_i - b_i - \mathrm{borrow}) \bmod 2^{32}$ // the 32-bit subtraction result
2.2. If $a_i - b_i - \mathrm{borrow} \ge 0$ then borrow $\leftarrow 0$, otherwise borrow $\leftarrow 1$. // the borrow is 0 if the 32-bit subtraction result is non-negative, otherwise 1
3. If borrow $> 0$ then $c \leftarrow c + p$. // if a borrow remains at the end of the computation, add p
4. Return $c$. // return the result
Because modadd uses $a - b$ with $a \ge b$, which is a special case of modsub, it suffices to remove step 3 of the algorithm above for that use.
◆ Modular multiplication:
The Montgomery multiplication has several implementations; this embodiment adopts the most efficient one, the CIOS-Montgomery multiplication algorithm (Coarsely Integrated Operand Scanning), which occupies the fewest resources and is the fastest.
Input: integers $a, b \in [0, p-1]$, $a = (a_{t-1}, a_{t-2}, \ldots, a_1, a_0)$, $b = (b_{t-1}, b_{t-2}, \ldots, b_1, b_0)$.
Output: $c = abR^{-1} \bmod p$.
1. For $i$ from 0 to $t-1$ do: $s[i] \leftarrow 0$. // initialize the array that holds the result
   $s6 \leftarrow 0$, $s7 \leftarrow 0$ // initialize the temporary variables
2. For $i$ from 0 to $t-1$ do:
2.1. $C \leftarrow 0$. // initialize the carry
2.2. For $j$ from 0 to $t-1$ do: // 32-bit multiplication of the words of a and b
     compute $(C, S) = s[j] + a_j b_i + C$, // intermediate result of the 32-bit multiplication
     set $s[j] \leftarrow S$. // store the low 32-bit word; C carries into the next word
2.3. $(C, S) \leftarrow s6 + C$, $s6 \leftarrow S$, $s7 \leftarrow C$. // store the most significant words of the result
2.4. $C \leftarrow 0$, $m = s[0] \cdot p'[0] \bmod 2^{32}$, $(C, S) = s[0] + m \cdot p[0]$. // reduce the lowest 32 bits
2.5. For $j$ from 1 to $t-1$ do: // word-by-word reduction
     compute $(C, S) = s[j] + m \cdot p[j] + C$, // reduce the 32-bit intermediate result
     set $s[j-1] \leftarrow S$. // store the 32-bit word, shifted down by one word
2.6. $(C, S) \leftarrow s6 + C$, $s[t-1] \leftarrow S$, $s6 \leftarrow s7 + C$ // store the reduction result
3. If $s6 \ne 0$: // a carry remains
3.1. $C = 1$; // initialize the carry
3.2. For $i$ from 0 to $t-1$ do: // word-by-word carry correction
     compute $(C, S) = s[i] + \lnot p[i] + C$, // correct the carry (subtract p by adding its one's complement plus 1)
     set $s[i] \leftarrow S$. // store the 32-bit word
4. Return $(s_{t-1}, \ldots, s_1, s_0)$. // return the result
Here $C$ and $S$ are 32-bit words and $(C, S)$ is their concatenation, a 64-bit value;
$p'[0] = -p[0]^{-1} \bmod 2^{32}$, where $p[0]$ is the lowest 32 bits (least significant word) of the 192-bit prime $p$.
◆ Modular squaring:
Montgomery squaring also has several implementations; this embodiment adopts the SRCIL (Squaring Reduction with Inner Loop) Montgomery squaring algorithm, the fastest of them.
Input: integer a ∈ [0, p-1], a = (a_{t-1}, a_{t-2}, ..., a_1, a_0).
Output: c = a^2·R^{-1} mod p
1. For i from 0 to t-1 do: (s[2i+1], s[2i]) ← a_i·a_i  // the squared diagonal terms, one 64-bit product per word; s[2t] ← 0, prevcar ← 0
2. For i from 0 to t-1 do:  // reduce the result of step 1 and accumulate the cross products
2.1. C ← 0, m ← s[i]·p'[0] mod 2^32  // the reduction multiplier for this word
2.2. For j from 0 to i do:  // reduce word by word
     (C, s[i+j]) ← s[i+j] + m·p[j] + C  // 32-bit intermediate reduction
2.3. C1 ← 0, C2 ← 0  // initialise the carries
2.4. For j from i+1 to t-1 do:  // compute the cross products a_i·a_j and reduce them
2.4.1. sLong ← 2·C1 + C + s[i+j]  // 64-bit intermediate result
2.4.2. (C1, S) ← a_i·a_j  // the cross product
2.4.3. (C, s[i+j]) ← sLong + 2·S  // each cross product occurs twice in the square
2.4.4. (C2, s[i+j]) ← m·p[j] + s[i+j] + C2  // 32-bit reduction of the middle word
2.5. (prevcar, s[i+t]) ← C + 2·C1 + C2 + s[i+t] + prevcar  // store the highest 32 bits
3. s[2t] ← s[2t] + prevcar  // store the carry of the most significant word
4. For i from 0 to t-1 do: s[i] ← s[i+t]  // move the result down by t words
5. If s[2t] ≠ 0 then  // a carry remains: subtract p by adding its two's complement
5.1. C ← 1  // initialise the carry
5.2. For i from 0 to t-1 do:  // subtract p word by word
     (C, S) ← s[i] + ~p[i] + C  // s - p
     s[i] ← S  // store the low 32 bits
6. Return (s_{t-1}, ..., s_1, s_0)  // return the result
Here C, C1, C2 and S are 32-bit words, (C, S) is their concatenation, a 64-bit value; p'[0] = -p[0]^{-1} mod 2^32, where p[0] is the lowest 32 bits (the least significant word) of the 192-bit prime p. The remark made for the multiplication applies here as well: the result is only reduced when the top carry is set, and the conditional subtraction leaks through timing unless it is made branch-free.
◆ Montgomery modular reduction algorithm:
Input: c = (c_{2t-1}, ..., c_1, c_0)
Output: r = c·R^{-1} mod p.
1. prevcar ← 0; For i from 0 to t-1 do:  // reduction, one word at a time
1.1. C ← 0  // initialise the carry
1.2. m ← c_i·p'[0] mod 2^32  // the reduction multiplier for this word
1.3. For j from 0 to t-1 do:  // reduce word by word
     (C, S) ← c_{i+j} + m·p[j] + C  // 32-bit intermediate reduction
     c_{i+j} ← S  // the word for j = 0 becomes 0 by the choice of m
1.4. (prevcar, c_{i+t}) ← C + c_{i+t} + prevcar  // store the highest 32 bits
2. For i from 0 to t-1 do: c_i ← c_{i+t}  // move the result down by t words (the division by R)
3. If the final carry prevcar ≠ 0 then  // subtract p by adding its two's complement
3.1. C ← 1  // initialise the carry
3.2. For i from 0 to t-1 do:  // subtract p word by word
     (C, S) ← c_i + ~p[i] + C  // c - p
     r_i ← S  // store the low 32 bits
   Otherwise r_i ← c_i for i from 0 to t-1
4. Return (r_{t-1}, ..., r_1, r_0)  // return the result
◆ Montgomery inversion algorithm:
To reuse the Montgomery multiplier available on the hardware board, this embodiment implements inversion in the prime field through Fermat's little theorem, i.e. b = a^{p-2} (mod p). On a board with a Montgomery multiplier the execution time of this algorithm is about 70% of that of the binary extended Euclidean algorithm. A further property worth noting: the exponent p-2 is a fixed public value, so the sequence of squarings and multiplications does not depend on the secret a, which makes this inversion naturally constant-time, unlike the data-dependent branching of the binary Euclidean algorithm.
Input: integer a ∈ [1, p-1], a = (a_{t-1}, a_{t-2}, ..., a_1, a_0); the exponent e = p-2 = (e_{l-1}, ..., e_1, e_0) in binary (a = 0 has no inverse and must be rejected by the caller)
Output: b = a^{-1} mod p.
1. a ← a·R mod p  // transform a into the Montgomery domain
2. x ← 1·R mod p  // transform 1 into the Montgomery domain
3. For i from l-1 down to 0 do:  // modular exponentiation, most significant bit first
3.1. x ← MontMult(x, x)  // Montgomery squaring
3.2. If e_i = 1 then x ← MontMult(x, a)  // multiply when the current bit of p-2 is 1
4. Return b = MontMult(x, 1)  // transform the result back into the prime field
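The CIOS multiplication and the Fermat inversion above, as one added worked example in C (this is not the patent's code). It assumes the NIST P-192 prime, t = 6 words and R = 2^192 (so R^2 mod p = 2^128 + 2^65 + 1), derives p'[0] by Newton iteration instead of taking it as a constant, and makes the final subtraction of the multiplication branch-free; the inversion reuses the multiplier exactly as the text describes, exponentiating by the public constant p - 2. The names mont_pinv0, mont_mul, mont_inv, to_mont, from_mont and words_equal are the example's own.

```c
#include <stdint.h>
#include <stddef.h>

#define NW 6  /* 192-bit field: t = 6 words of 32 bits */

/* Assumed field for the demo: NIST P-192, p = 2^192 - 2^64 - 1, little-endian words. */
static const uint32_t P[NW] = {0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFEu,
                               0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu};
/* R^2 mod p for R = 2^192: (2^64 + 1)^2 = 2^128 + 2^65 + 1. */
static const uint32_t R2[NW] = {1u, 0u, 2u, 0u, 1u, 0u};
static const uint32_t ONE[NW] = {1u, 0u, 0u, 0u, 0u, 0u};

/* p'[0] = -p[0]^{-1} mod 2^32 by Newton iteration; p[0] must be odd. */
uint32_t mont_pinv0(uint32_t p0) {
    uint32_t inv = 1;                                  /* correct to 1 bit because p0 is odd */
    for (int i = 0; i < 5; i++) inv *= 2u - p0 * inv;  /* correct bits double: 1,2,4,8,16,32 */
    return 0u - inv;
}

/* CIOS Montgomery multiplication: c = a*b*R^{-1} mod p, fully reduced.
 * The final subtraction is computed unconditionally and selected with a mask,
 * so its timing does not depend on the operands. */
void mont_mul(uint32_t c[NW], const uint32_t a[NW], const uint32_t b[NW]) {
    uint32_t s[NW + 2] = {0};
    const uint32_t pinv0 = mont_pinv0(P[0]);
    for (size_t i = 0; i < NW; i++) {
        uint64_t acc = 0;
        for (size_t j = 0; j < NW; j++) {              /* s += a * b_i */
            acc += (uint64_t)s[j] + (uint64_t)a[j] * b[i];
            s[j] = (uint32_t)acc; acc >>= 32;
        }
        acc += s[NW]; s[NW] = (uint32_t)acc; s[NW + 1] = (uint32_t)(acc >> 32);
        uint32_t m = s[0] * pinv0;                     /* makes s + m*p divisible by 2^32 */
        acc = ((uint64_t)s[0] + (uint64_t)m * P[0]) >> 32;  /* low word vanishes; keep the carry */
        for (size_t j = 1; j < NW; j++) {              /* (s + m*p) / 2^32, stored one word down */
            acc += (uint64_t)s[j] + (uint64_t)m * P[j];
            s[j - 1] = (uint32_t)acc; acc >>= 32;
        }
        acc += s[NW]; s[NW - 1] = (uint32_t)acc; s[NW] = s[NW + 1] + (uint32_t)(acc >> 32);
    }
    /* Here s < 2p.  d = s - p; take d iff s >= p (top word set, or no borrow). */
    uint32_t d[NW]; uint64_t borrow = 0;
    for (size_t j = 0; j < NW; j++) {
        uint64_t diff = (uint64_t)s[j] - P[j] - borrow;
        d[j] = (uint32_t)diff; borrow = diff >> 63;
    }
    uint32_t mask = 0u - (s[NW] | (uint32_t)(borrow ^ 1u));
    for (size_t j = 0; j < NW; j++) c[j] = (d[j] & mask) | (s[j] & ~mask);
}

/* Fermat inversion in the Montgomery domain: given aR, returns a^{-1} R (a != 0).
 * The exponent p-2 is public, so the square-and-multiply schedule is input-independent. */
void mont_inv(uint32_t out[NW], const uint32_t aR[NW]) {
    uint32_t e[NW];                                    /* e = p - 2, word-wise with borrow */
    uint64_t borrow = 2;
    for (size_t i = 0; i < NW; i++) { uint64_t v = (uint64_t)P[i] - borrow; e[i] = (uint32_t)v; borrow = v >> 63; }
    uint32_t x[NW];
    mont_mul(x, ONE, R2);                              /* x = 1*R mod p */
    for (int i = 32 * NW - 1; i >= 0; i--) {
        mont_mul(x, x, x);
        if ((e[i / 32] >> (i % 32)) & 1u) mont_mul(x, x, aR);
    }
    for (size_t i = 0; i < NW; i++) out[i] = x[i];
}

/* Conversions into and out of the Montgomery domain. */
void to_mont(uint32_t out[NW], const uint32_t a[NW])    { mont_mul(out, a, R2); }
void from_mont(uint32_t out[NW], const uint32_t aR[NW]) { mont_mul(out, aR, ONE); }

int words_equal(const uint32_t x[NW], const uint32_t y[NW]) {
    uint32_t d = 0;
    for (size_t i = 0; i < NW; i++) d |= x[i] ^ y[i];
    return d == 0;
}
```

For P-192, p[0] = 0xFFFFFFFF gives p'[0] = 1, and 3 in the Montgomery domain is 3·(2^64 + 1); multiplying a value in Montgomery form by the plain constant 1 is exactly the conversion back that step 4 of the inversion uses.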
◆ Division:
Division in the prime field is the combination of a multiplication and an inversion; a person of ordinary skill in the art can implement the division of the present invention from the descriptions of multiplication and inversion in this embodiment, so it is not described in detail here.
(2) Point addition and point doubling on the elliptic curve are implemented with Montgomery arithmetic on top of the prime field arithmetic. This embodiment uses optimised point addition and point doubling algorithms for the group operation; they call the prime field arithmetic module, their input parameters are elements of the Montgomery domain, and their results therefore remain in the Montgomery domain.
For the group operation, this embodiment optimises the point addition and point doubling algorithms of the IEEE P1363 standard (reference: IEEE Std 1363-2000, Standard Specifications for Public-Key Cryptography, 2000, standards.ieee.org/catalog/oils/busarch.html) by using a different order of operations, so that the number of temporary variables the algorithms need is minimal. The optimised algorithms are as follows:
◆ Point addition (elliptic_add)
For the elliptic curve y^2 = x^3 + ax + b over GF(p), the point addition formula in Modified Jacobian coordinates is:
P = (X1, Y1, Z1, aZ1^4), Q = (X2, Y2, Z2, aZ2^4), and P + Q = (X3, Y3, Z3, aZ3^4)
where U1 = X1·Z2^2, U2 = X2·Z1^2, S1 = Y1·Z2^3, S2 = Y2·Z1^3, H = U2 - U1, T = S2 - S1,
X3 = -H^3 - 2·U1·H^2 + T^2, Y3 = -S1·H^3 + T·(U1·H^2 - X3), Z3 = Z1·Z2·H,
aZ3^4 = a·(Z3)^4.
The algorithm below is the mixed-coordinate case: Q_in is in Modified Jacobian coordinates and P is affine (Z2 = 1), so U1 = X and S1 = Y. It is as follows:
Input: p, a, b, Q_in = (X, Y, Z), P = (X2, Y2).
Output: Q_out = (X, Y, Z, aZ^4) = Q_in + P.
1. If P == O then  // P is the point at infinity
   aZ^4 ← a·Z^4 if necessary  // compute aZ^4 when it is needed
   return Q_out  // the sum is Q_in
2. If Z == 0 then  // Q_in is the point at infinity
   Q_out ← P  // the sum is P
   return Q_out
3. aZ^4 ← Z^2  // Z^2
4. T1 ← X2·aZ^4  // U2 = X2·Z^2
5. T1 ← T1 - X  // H = U2 - U1
6. aZ^4 ← Z·aZ^4  // Z^3
7. aZ^4 ← Y2·aZ^4  // S2 = Y2·Z^3
8. aZ^4 ← aZ^4 - Y  // T = S2 - S1
9. Z ← Z·T1  // Z3 = Z·H
10. If T1 == 0 then  // U2 = U1
    If aZ^4 == 0 then  // P = Q_in
       Q_out ← P  // initialise Q_out with P (Z = 1, aZ^4 = a)
       Double(Q_out)  // the result is 2P
       return Q_out
    Else  // P = -Q_in
       Z ← 0, aZ^4 ← 0  // the result is the point at infinity
       return Q_out
11. T2 ← T1^2  // H^2
12. T1 ← T1·T2  // H^3
13. Y ← T1·Y  // S1·H^3
14. T2 ← X·T2  // U1·H^2
15. X ← (aZ^4)^2  // T^2
16. X ← X - T1  // T^2 - H^3
17. X ← X - T2  // T^2 - U1·H^2 - H^3
18. X ← X - T2  // X3 = T^2 - 2·U1·H^2 - H^3
19. T2 ← T2 - X  // U1·H^2 - X3
20. T2 ← aZ^4·T2  // T·(U1·H^2 - X3)
21. Y ← T2 - Y  // Y3 = T·(U1·H^2 - X3) - S1·H^3
22. aZ^4 ← Z^2  // Z3^2
23. aZ^4 ← (aZ^4)^2  // Z3^4
24. If a == p-3 then  // a = -3
    aZ^4 ← 0 - 3·aZ^4  // -3·Z3^4
    Else
    aZ^4 ← a·aZ^4  // a·Z3^4
This algorithm needs 9 field multiplications, 5 field squarings and 2 temporary variables. The branches in steps 1, 2 and 10 are data-dependent; when the routine is driven by a scalar multiplication with a secret scalar, these exceptional cases are where timing and fault attacks are aimed, so they must be reached only through inputs the caller controls.
◆ Point doubling (elliptic_doubl)
For the elliptic curve y^2 = x^3 + ax + b over GF(p), the point doubling formula in Modified Jacobian coordinates is:
Q_in = (X1, Y1, Z1, aZ1^4), Q_out = 2·Q_in = (X3, Y3, Z3, aZ3^4)
where S = 4·X1·Y1^2, U = 8·Y1^4, M = 3·X1^2 + aZ1^4, T = M^2 - 2·S, X3 = T, Y3 = M·(S - T) - U, Z3 = 2·Y1·Z1, aZ3^4 = 2·U·(aZ1^4).
Its algorithm is as follows:
Input: p, a = p-3, b, Q_in = (X, Y, Z, aZ^4).
Output: Q_out = (X, Y, Z, aZ^4) = 2·Q_in.
1. If Z == 0 then return Q_out  // Q_in is the point at infinity; output it unchanged
2. T1 ← 2Y  // 2Y
3. Z ← T1·Z  // Z3 = 2·Y·Z
4. Y ← Y^2  // Y^2
5. T1 ← 2X  // 2X
6. T1 ← 2·T1  // 4X
7. T1 ← T1·Y  // S = 4·X·Y^2
8. T2 ← X^2  // X^2
9. X ← 2·T2  // 2X^2
10. T2 ← X + T2  // 3X^2
11. T2 ← T2 + aZ^4  // M = 3X^2 + aZ^4
12. X ← T2^2  // M^2
13. X ← X - T1  // M^2 - S
14. X ← X - T1  // X3 = T = M^2 - 2S
15. T1 ← T1 - X  // S - T
16. T2 ← T2·T1  // M·(S - T)
17. Y ← 2Y  // 2Y^2
18. Y ← Y^2  // 4Y^4
19. Y ← 2Y  // U = 8Y^4
20. T1 ← 2Y  // 2U
21. aZ^4 ← T1·aZ^4  // aZ3^4 = 2·U·(aZ^4)
22. Y ← T2 - Y  // Y3 = M·(S - T) - U
With the a = p-3 chosen in this embodiment, the algorithm above needs only 4 field multiplications and 4 field squarings.
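The two group operations above, as an added worked example in C (this is not the patent's code). It follows the operation order and the two temporaries of elliptic_add and elliptic_doubl, but on a constructed toy curve y^2 = x^3 - 3x + 7 over GF(1000003) with base point G = (2, 3), chosen so that the field layer fits in native 64-bit arithmetic instead of the Montgomery word arithmetic; the structures ptj and pta and the helper names are the example's own. The checks convert back to affine with a Fermat inversion, verify that results lie on the curve, and compare two computation paths (repeated mixed addition versus repeated doubling) for 4G; for this curve 2G = (249999, 125003), which follows by hand from λ = 3/2.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed toy curve for the demo (not from the patent): y^2 = x^3 - 3x + 7 over
 * GF(1000003), base point G = (2, 3).  p is small enough that products fit in 64 bits,
 * so the field layer is plain modular arithmetic instead of the patent's Montgomery words. */
static const uint64_t FP = 1000003ULL;
static const uint64_t CURVE_A = 1000000ULL;   /* a = p - 3 */
static const uint64_t CURVE_B = 7ULL;

static uint64_t fadd(uint64_t x, uint64_t y) { uint64_t s = x + y; return s >= FP ? s - FP : s; }
static uint64_t fsub(uint64_t x, uint64_t y) { return x >= y ? x - y : x + FP - y; }
static uint64_t fmul(uint64_t x, uint64_t y) { return (x * y) % FP; }
static uint64_t finv(uint64_t x) {            /* Fermat inversion x^(p-2), as the patent's inversion module */
    uint64_t r = 1, e = FP - 2;
    for (; e; e >>= 1, x = fmul(x, x)) if (e & 1) r = fmul(r, x);
    return r;
}

typedef struct { uint64_t X, Y, Z, aZ4; } ptj;   /* Modified Jacobian (X, Y, Z, aZ^4); Z == 0 is infinity */
typedef struct { uint64_t x, y; bool inf; } pta; /* affine point */

/* Doubling Q <- 2Q in the elliptic_doubl order: 4 multiplications, 4 squarings, 2 temporaries. */
void ec_double(ptj *Q) {
    uint64_t T1, T2;
    if (Q->Z == 0) return;
    T1 = fadd(Q->Y, Q->Y);  Q->Z = fmul(T1, Q->Z);                       /* Z3 = 2YZ */
    Q->Y = fmul(Q->Y, Q->Y);                                             /* Y^2 */
    T1 = fadd(Q->X, Q->X);  T1 = fadd(T1, T1);  T1 = fmul(T1, Q->Y);     /* S = 4XY^2 */
    T2 = fmul(Q->X, Q->X);  Q->X = fadd(T2, T2);  T2 = fadd(Q->X, T2);   /* 3X^2 */
    T2 = fadd(T2, Q->aZ4);                                               /* M = 3X^2 + aZ^4 */
    Q->X = fmul(T2, T2);  Q->X = fsub(Q->X, T1);  Q->X = fsub(Q->X, T1); /* X3 = M^2 - 2S */
    T1 = fsub(T1, Q->X);  T2 = fmul(T2, T1);                             /* M(S - T) */
    Q->Y = fadd(Q->Y, Q->Y);  Q->Y = fmul(Q->Y, Q->Y);  Q->Y = fadd(Q->Y, Q->Y); /* U = 8Y^4 */
    T1 = fadd(Q->Y, Q->Y);  Q->aZ4 = fmul(T1, Q->aZ4);                   /* aZ3^4 = 2U(aZ^4) */
    Q->Y = fsub(T2, Q->Y);                                               /* Y3 = M(S - T) - U */
}

/* Mixed addition Q <- Q + P with P affine, in the elliptic_add order (9 multiplications,
 * 5 squarings).  The exceptional cases follow steps 1, 2 and 10 of the text. */
void ec_add(ptj *Q, const pta *P) {
    uint64_t T1, T2;
    if (P->inf) return;                                                  /* Q + O = Q */
    if (Q->Z == 0) { Q->X = P->x; Q->Y = P->y; Q->Z = 1; Q->aZ4 = CURVE_A; return; } /* O + P = P */
    Q->aZ4 = fmul(Q->Z, Q->Z);                                           /* Z^2 */
    T1 = fmul(P->x, Q->aZ4);  T1 = fsub(T1, Q->X);                       /* H = X2 Z^2 - X */
    Q->aZ4 = fmul(Q->Z, Q->aZ4);  Q->aZ4 = fmul(P->y, Q->aZ4);           /* S2 = Y2 Z^3 */
    Q->aZ4 = fsub(Q->aZ4, Q->Y);                                         /* T = S2 - Y */
    Q->Z = fmul(Q->Z, T1);                                               /* Z3 = ZH */
    if (T1 == 0) {
        if (Q->aZ4 == 0) { Q->X = P->x; Q->Y = P->y; Q->Z = 1; Q->aZ4 = CURVE_A; ec_double(Q); } /* P == Q */
        else { Q->Z = 0; Q->aZ4 = 0; }                                   /* P == -Q: infinity */
        return;
    }
    T2 = fmul(T1, T1);  T1 = fmul(T1, T2);                               /* H^2, H^3 */
    Q->Y = fmul(T1, Q->Y);  T2 = fmul(Q->X, T2);                         /* S1 H^3, U1 H^2 */
    Q->X = fmul(Q->aZ4, Q->aZ4);                                         /* T^2 */
    Q->X = fsub(Q->X, T1);  Q->X = fsub(Q->X, T2);  Q->X = fsub(Q->X, T2); /* X3 */
    T2 = fsub(T2, Q->X);  T2 = fmul(Q->aZ4, T2);                         /* T(U1 H^2 - X3) */
    Q->Y = fsub(T2, Q->Y);                                               /* Y3 */
    Q->aZ4 = fmul(Q->Z, Q->Z);  Q->aZ4 = fmul(Q->aZ4, Q->aZ4);           /* Z3^4 */
    Q->aZ4 = fsub(0, fadd(Q->aZ4, fadd(Q->aZ4, Q->aZ4)));                /* a = p-3: -3 Z3^4 */
}

pta ec_to_affine(const ptj *Q) {
    pta A = {0, 0, true};
    if (Q->Z == 0) return A;
    uint64_t zi = finv(Q->Z), zi2 = fmul(zi, zi);
    A.x = fmul(Q->X, zi2);  A.y = fmul(Q->Y, fmul(zi2, zi));  A.inf = false;
    return A;
}

bool ec_on_curve(pta A) {
    if (A.inf) return true;
    uint64_t rhs = fadd(fadd(fmul(fmul(A.x, A.x), A.x), fmul(CURVE_A, A.x)), CURVE_B);
    return fmul(A.y, A.y) == rhs;
}

/* n*G by repeated mixed addition, starting from the point at infinity. */
pta ec_small_multiple(unsigned n) {
    pta G = {2, 3, false};
    ptj Q = {0, 0, 0, 0};
    for (unsigned i = 0; i < n; i++) ec_add(&Q, &G);
    return ec_to_affine(&Q);
}

/* 2^k * G by repeated doubling. */
pta ec_double_chain(unsigned k) {
    ptj Q = {2, 3, 1, CURVE_A};
    while (k--) ec_double(&Q);
    return ec_to_affine(&Q);
}
```

Because the second addition in ec_small_multiple(2) meets P == Q, it exercises the step-10 branch that hands over to the doubling routine; G + (-G) exercises the other branch and must return Z = 0.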
(3) The scalar multiplication, the main operation of the elliptic curve cryptosystem, is implemented as follows: its input parameters are elements of the prime field, they are converted into the Montgomery domain before the computation, and the result is transformed back into the prime field. The scalar multiplication module uses a random-point NAF scalar multiplication algorithm.
For the scalar multiplication algorithm, consider that a hardware implementation uses a finite state machine to encode the state of the scalar; to reduce the complexity of the state machine control logic and the storage space, this embodiment recodes the scalar in NAF and adopts the random-point scalar multiplication algorithm below, which needs no precomputation.
◆ Random-point scalar multiplication
The random-point scalar multiplication algorithm recodes the scalar in NAF (non-adjacent form); the algorithm is described as follows:
Input: integer k = Σ_{i=0}^{l-1} b_i·2^i, where b_i ∈ {0, 1} and b_l = b_{l+1} = 0; a point P on the elliptic curve
Output: the point Q = kP on the elliptic curve
/* recode the scalar in NAF (non-adjacent form), with digits k_i ∈ {0, ±1} */
1. α ← 0  // initialise the carry
2. For i from 0 to l do:  // NAF recoding
   [the update rule for β is given in Figure A20051011551200233 of the patent and is not reproduced on this page]
   k_i ← b_i + α - 2β  // compute the NAF digit and store it in k_i
   α ← β
/* compute the scalar multiple from the NAF representation of the scalar */
3. Q ← O; For i from l down to 0 do:  // scalar multiplication, most significant digit first
3.1. Q ← 2Q  // point doubling
3.2. If k_i ≠ 0 then:  // a point addition is needed when k_i is non-zero
     If k_i == 1 then Q ← Q + P  // add P when k_i = 1
     Else Q ← Q - P  // add -P when k_i = -1
4. Return(Q)  // return the scalar multiple
The branch on k_i makes the sequence of doublings and additions depend on the secret scalar, so this loop is exposed to simple timing and power analysis; an implementation handling secret scalars should use a regular (always-add) schedule or a constant-time ladder.
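The NAF recoding and the double-and-add loop above, as an added worked example in C (this is not the patent's code). The page does not reproduce the patent's figure for β, so the standard rule β = ⌊(b_i + b_{i+1} + α)/2⌋ is assumed; the group operations are passed in as function pointers so that the loop's control flow is the one that would drive elliptic_doubl and elliptic_add, and the self-check instantiates it with the integers under addition as a stand-in group, whose doubling, addition and negation obey the same algebra. All names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* On-the-fly NAF recoding of k, following the loop structure of the random-point
 * scalar multiplication.  The update rule for beta is the standard one,
 * beta = floor((b_i + b_{i+1} + alpha) / 2), assumed here because the page does not
 * reproduce the patent's figure.  Writes digits k_0..k_l into naf[] and returns l + 1. */
size_t naf_recode(int8_t naf[], size_t cap, uint64_t k) {
    size_t l = 0;
    while (l < 64 && (k >> l) != 0) l++;          /* k has l significant bits; b_l = b_{l+1} = 0 */
    if (l + 1 > cap) return 0;
    int alpha = 0;
    for (size_t i = 0; i <= l; i++) {
        int bi  = (i < 64) ? (int)((k >> i) & 1) : 0;
        int bi1 = (i + 1 < 64) ? (int)((k >> (i + 1)) & 1) : 0;
        int beta = (bi + bi1 + alpha) / 2;
        naf[i] = (int8_t)(bi + alpha - 2 * beta);  /* in {-1, 0, 1} */
        alpha = beta;
    }
    return l + 1;
}

/* The defining property of a NAF: no two adjacent non-zero digits. */
int naf_is_non_adjacent(const int8_t naf[], size_t n) {
    for (size_t i = 1; i < n; i++) if (naf[i] != 0 && naf[i - 1] != 0) return 0;
    return 1;
}

/* Re-evaluates sum k_i 2^i; must give back the original scalar. */
int64_t naf_value(const int8_t naf[], size_t n) {
    int64_t v = 0;
    for (size_t i = n; i-- > 0;) v = 2 * v + naf[i];
    return v;
}

/* The double-and-add loop with the group operations abstracted as callbacks, so the
 * same control flow drives elliptic_doubl / elliptic_add on a real curve. */
typedef struct {
    void (*dbl)(void *q);
    void (*add)(void *q, const void *p);
    void (*sub)(void *q, const void *p);
} group_ops;

void scalar_mul_naf(void *Q, const void *P, const int8_t naf[], size_t n, const group_ops *g) {
    for (size_t i = n; i-- > 0;) {
        g->dbl(Q);                                  /* Q <- 2Q */
        if (naf[i] == 1)       g->add(Q, P);        /* Q <- Q + P  (this branch leaks k_i) */
        else if (naf[i] == -1) g->sub(Q, P);        /* Q <- Q - P */
    }
}

/* Stand-in group for the self-check: the integers under addition. */
static void int_dbl(void *q) { *(int64_t *)q *= 2; }
static void int_add(void *q, const void *p) { *(int64_t *)q += *(const int64_t *)p; }
static void int_sub(void *q, const void *p) { *(int64_t *)q -= *(const int64_t *)p; }
const group_ops INT_GROUP = { int_dbl, int_add, int_sub };

/* k*P computed through the NAF loop in the stand-in group; the result must equal k*P exactly. */
int64_t int_scalar_mul(uint64_t k, int64_t P) {
    int8_t naf[66];
    size_t n = naf_recode(naf, sizeof naf, k);
    int64_t Q = 0;                                  /* the neutral element, as Q <- O */
    scalar_mul_naf(&Q, &P, naf, n, &INT_GROUP);
    return Q;
}
```

For k = 13 = 1101b the recoding yields the digits (1, 0, -1, 0, 1) from the top, i.e. 16 - 4 + 1, which is what the loop consumes: four doublings, one addition and one subtraction.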
(4) The DH key agreement module calls the scalar multiplication module to complete the key agreement. Its input parameters are elements of the prime field, they are converted into the Montgomery domain before the computation, and the result is transformed back into the prime field.
The DH key agreement algorithm:
EC Diffie-Hellman key agreement derives a shared secret value from one party's private key and the other party's public key, where both parties use the same EC domain parameters. If both parties execute the procedure correctly they obtain the same result. The algorithm can be called by schemes that need a shared secret key, provided the input keys are valid.
Input:
- EC domain parameters q, a, b, n and G, and the corresponding keys s and W' (s and W' must belong to the same domain parameters)
- the party's own private key s
- the other party's public key W'
Here the private key s, the domain parameters q, a, b, n and G, and the public key W' are valid, and all keys belong to the same domain parameters. "Valid" for W' means that it has been checked to be a point on the curve of order n; skipping this check exposes s to invalid-curve and small-subgroup attacks.
Output: the derived shared secret value z ∈ GF(q), or "error"
Operation. The shared secret value z is computed by the following steps:
1. Compute the elliptic curve point P = s·W'.
2. If P = O, output "error" and stop.
3. Set z = x_P, the x coordinate of P.
4. Output z as the shared secret key.
(5) The digital signature and verification module calls the scalar multiplication module to complete the signing and verification of messages. Its input parameters are elements of the prime field, they are converted into the Montgomery domain before the computation, and the result is transformed back into the prime field.
The elliptic curve digital signature and verification algorithm (ECDSA):
ECDSA (Elliptic Curve Digital Signature Algorithm) is a digital signature and verification algorithm based on elliptic curves, analogous to DSA (Digital Signature Algorithm). Unlike the discrete logarithm problem and the integer factorisation problem, the elliptic curve discrete logarithm problem has no known subexponential algorithm; this is why algorithms based on the elliptic curve discrete logarithm offer substantially more security per bit.
The main parameters of ECDSA are: an elliptic curve E defined over the finite field GF(p) whose number of GF(p)-rational points #E(GF(p)) is divisible by a large prime n, and a base point G ∈ E(GF(p)). They are written D = (p, a, b, G, n, h), the key pair (d, Q) with Q = dG, and the hash function H.
D = (p, a, b, G, n, h), the hash function H and Q are public; d is secret.
◆ Signature generation:
Signer A signs a message m with the parameters and the key pair above as follows:
1. Select at random or pseudorandomly an integer k ∈_R Z_n^*;
2. Compute kG = (x1, y1) and r = x1 mod n; if r = 0, return to step 1;
3. Compute k^{-1} mod n;
4. Compute e = H(m);
5. Compute s = k^{-1}(e + d·r) mod n; if s = 0, return to step 1.
(r, s) is A's signature on the message m.
The per-message k must be uniformly random, secret and never reused: two signatures with the same k, or a k with a few known or biased bits, reveal the private key d.
◆ Signature verification:
Verifier B checks that (r, s) is A's signature on the message m as follows:
1. Verify that r and s are integers in [1, n-1];
2. Compute e = H(m);
3. Compute w = s^{-1} mod n;
4. Compute u1 = e·w mod n and u2 = r·w mod n;
5. Compute X = u1·G + u2·Q = (x1, y1); if X = O, reject the signature; otherwise compute v = x1 mod n and accept the signature if and only if v = r.
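The signing equation, the verifier's u1 and u2, and the reason k must never repeat, as an added worked example in C (this is not the patent's code). The parameters are constructed: n is a small prime so that every value fits in 64 bits, and r is used directly as a stand-in for the x coordinate of kG reduced mod n, because signing, the scalar part of verification and the recovery of d from a reused k need only arithmetic mod n. All names are the example's own.

```c
#include <stdint.h>

/* Constructed demo parameters (not from the patent): the group order n is a small prime so
 * every value fits in 64 bits; r stands in for the x coordinate of kG mod n. */
static const uint64_t N = 1000003ULL;

static uint64_t mod_mul(uint64_t a, uint64_t b) { return (a % N) * (b % N) % N; }
static uint64_t mod_sub(uint64_t a, uint64_t b) { return (a % N + N - b % N) % N; }
static uint64_t mod_inv(uint64_t a) {            /* a^(n-2) mod n, valid because n is prime */
    uint64_t r = 1, e = N - 2;
    for (a %= N; e; e >>= 1, a = mod_mul(a, a)) if (e & 1) r = mod_mul(r, a);
    return r;
}

/* Step 5 of signature generation: s = k^{-1}(e + d r) mod n.  Returns 0 when the caller
 * must pick a fresh k, mirroring the "return to step 1" branches for r = 0 and s = 0. */
uint64_t ecdsa_s(uint64_t e, uint64_t d, uint64_t r, uint64_t k) {
    if (r % N == 0 || k % N == 0) return 0;
    return mod_mul(mod_inv(k), (e % N + mod_mul(d, r)) % N);
}

/* The scalar part of verification: u1 = e w, u2 = r w with w = s^{-1}.  The verifier then
 * forms u1 G + u2 Q = (e/s) G + (r/s) d G = ((e + d r)/s) G = k G, whose x coordinate
 * mod n must equal r; in the stand-in group this is the identity u1 + u2 d = k mod n. */
void ecdsa_u1_u2(uint64_t e, uint64_t r, uint64_t s, uint64_t *u1, uint64_t *u2) {
    uint64_t w = mod_inv(s);
    *u1 = mod_mul(e, w);
    *u2 = mod_mul(r, w);
}

/* Why k must never repeat: two signatures (r, s1) and (r, s2) on hashes e1 != e2 made with
 * the same k give k = (e1 - e2)/(s1 - s2) and then d = (s1 k - e1)/r, from public data only. */
uint64_t ecdsa_recover_d(uint64_t e1, uint64_t s1, uint64_t e2, uint64_t s2, uint64_t r) {
    uint64_t k = mod_mul(mod_sub(e1, e2), mod_inv(mod_sub(s1, s2)));
    return mod_mul(mod_sub(mod_mul(s1, k), e1), mod_inv(r));
}
```

The same identical r in both signatures is itself the tell-tale sign of a reused k, since r is the x coordinate of kG.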
The invention provides an elliptic curve cryptosystem and implementation method suited to hardware implementation. It uses Montgomery arithmetic for all computations in the large prime field, so that every arithmetic operation needed by the elliptic curve cryptosystem (modular addition and subtraction, modular multiplication, and inversion) can be carried out in the Montgomery domain without explicit, time-consuming modular reduction, which makes it suitable for both software and hardware implementation.
This embodiment is described in detail so that a person of ordinary skill in the art can understand the invention; such a person will recognise that other variations and modifications can be made without departing from the scope covered by the claims of the invention, and they all fall within the protection scope of the invention.

Claims (22)

1. An elliptic curve cryptosystem, characterised in that it includes a finite field arithmetic module for carrying out the operations in the large prime field with Montgomery arithmetic.
2. The elliptic curve cryptosystem of claim 1, characterised in that the finite field arithmetic module comprises a modular addition module, a modular subtraction module, a modular multiplication module, a modular squaring module, a modular reduction module and an inversion module.
3. The elliptic curve cryptosystem of claim 2, characterised in that the modular multiplication module is a CIOS-Montgomery multiplication algorithm module.
4. The elliptic curve cryptosystem of claim 3, characterised in that the modular squaring module is an SRCIL-Montgomery squaring algorithm module.
5. The elliptic curve cryptosystem of claim 4, characterised in that the inversion module is an exponentiation-based inversion algorithm module.
6. The elliptic curve cryptosystem of any one of claims 1 to 5, characterised in that it further comprises a point addition and point doubling algorithm module for carrying out point addition and point doubling on the elliptic curve with Montgomery arithmetic on top of the finite field arithmetic; it calls the finite field arithmetic module, its input parameters are elements of the Montgomery domain, and its results therefore remain in the Montgomery domain.
7. The elliptic curve cryptosystem of claim 6, characterised in that the point addition and point doubling are carried out with optimised point addition and point doubling algorithms.
8. The elliptic curve cryptosystem of claim 7, characterised in that it further comprises a scalar multiplication algorithm module for carrying out the main operation of the elliptic curve cryptosystem, the scalar multiplication; its input parameters are elements of the prime field, they are converted into the Montgomery domain before the computation, and the result is transformed back into the prime field.
9. The elliptic curve cryptosystem of claim 8, characterised in that the scalar multiplication uses a random-point NAF scalar multiplication algorithm.
10. The elliptic curve cryptosystem of claim 9, characterised in that it further comprises a DH key agreement algorithm module which calls the scalar multiplication algorithm module to complete the key agreement; its input parameters are elements of the prime field, they are converted into the Montgomery domain before the computation, and the result is transformed back into the prime field.
11. The elliptic curve cryptosystem of claim 10, characterised in that it further comprises a digital signature and verification module which calls the scalar multiplication algorithm module to complete the digital signature and verification of messages; its input parameters are elements of the prime field, they are converted into the Montgomery domain before the computation, and the result is transformed back into the prime field.
12. An implementation method of an elliptic curve cryptosystem, characterised in that it comprises the following step:
carrying out the operations in the large prime field of the elliptic curve cryptosystem with Montgomery arithmetic.
13. The implementation method of claim 12, characterised in that the operations comprise modular addition, modular subtraction, modular multiplication, modular squaring, modular reduction and inversion.
14. The implementation method of claim 13, characterised in that the modular multiplication is the CIOS-Montgomery multiplication algorithm.
15. The implementation method of claim 14, characterised in that the modular squaring is the SRCIL-Montgomery squaring algorithm.
16. The implementation method of claim 15, characterised in that the inversion is an exponentiation-based inversion algorithm.
17. The implementation method of any one of claims 12 to 16, characterised in that it further comprises the following step:
carrying out point addition and point doubling on the elliptic curve with Montgomery arithmetic on top of the finite field arithmetic, calling the finite field arithmetic module, with input parameters that are elements of the Montgomery domain, so that the results remain in the Montgomery domain.
18. The implementation method of claim 17, characterised in that the point addition and point doubling are carried out with optimised point addition and point doubling algorithms.
19. The implementation method of claim 18, characterised in that it further comprises the following step: the scalar multiplication, whose input parameters are elements of the prime field, converted into the Montgomery domain before the computation, with the result transformed back into the prime field.
20. The implementation method of claim 19, characterised in that the scalar multiplication uses a random-point NAF scalar multiplication algorithm.
21. The implementation method of claim 20, characterised in that it further comprises the following step:
calling the DH key agreement algorithm module, which completes the key agreement through the scalar multiplication algorithm module; its input parameters are elements of the prime field, they are converted into the Montgomery domain before the computation, and the result is transformed back into the prime field.
22. The implementation method of claim 21, characterised in that it further comprises the following step:
calling the digital signature and verification module, which completes the digital signature and verification of messages through the scalar multiplication algorithm module; its input parameters are elements of the prime field, they are converted into the Montgomery domain before the computation, and the result is transformed back into the prime field.
CNB2005101155123A 2005-11-04 2005-11-04 Elliptic curve cipher system and implementing method Expired - Fee Related CN100414492C (en)

Publications (2)

Publication Number Publication Date
CN1831754A true CN1831754A (en) 2006-09-13
CN100414492C CN100414492C (en) 2008-08-27

Family

ID=36994081

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1280726A (en) * 1997-12-05 2001-01-17 保密信息技术公司 Transformation methods for optimizing elliptic curve cryptographic computations
JP2001265218A (en) * 2000-03-23 2001-09-28 Nippon Telegr & Teleph Corp <Ntt> Method and device for calculation on elliptic curve, and recording medium with calculation program recorded thereon
JP2003216026A (en) * 2002-01-18 2003-07-30 Sony Corp Method and device for enciphering elliptic curve and computer program

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009026771A1 (en) * 2007-08-24 2009-03-05 Guan, Haiying The method for negotiating the key, encrypting and decrypting the information, signing and authenticating the information
CN101252431B (en) * 2007-09-06 2011-07-27 广州信睿网络科技有限公司 Realizing method of general-purpose digital signing scheme
CN102866878A (en) * 2007-12-28 2013-01-09 英特尔公司 A technique for accelerating characteristic 2 elliptic curve cryptography
CN102866878B (en) * 2007-12-28 2016-09-28 英特尔公司 The method accelerating the calculating to characteristic 2 elliptic curve cipher system
CN101971138A (en) * 2008-02-15 2011-02-09 汤姆森许可贸易公司 An apparatus and a method for calculating a multiple of a point on an elliptic curve
CN101971138B (en) * 2008-02-15 2014-08-20 汤姆森许可贸易公司 An apparatus and a method for calculating a multiple of a point on an elliptic curve
CN101547089B (en) * 2008-03-28 2012-07-25 上海爱信诺航芯电子科技有限公司 Method for realizing elliptic curve cryptosystem algorithm over prime field in integrated circuit
CN101378319B (en) * 2008-10-08 2011-07-06 东南大学 Authentication method for multicast communication source
CN101782845B (en) * 2009-01-20 2014-11-26 北京华大信安科技有限公司 High speed arithmetic device and method of elliptic curve code
CN101782845A (en) * 2009-01-20 2010-07-21 北京华大信安科技有限公司 High speed arithmetic device and method of elliptic curve code
CN101582170B (en) * 2009-06-09 2011-08-31 上海大学 Remote sensing image encryption method based on elliptic curve cryptosystem
CN102479171A (en) * 2010-11-25 2012-05-30 上海华虹集成电路有限责任公司 Method for realizing Eta bilinear pairings on supersingular curve in binary field
CN102761415A (en) * 2011-04-27 2012-10-31 航天信息股份有限公司 System for generating, verifying and mixing digital signatures of p-element domain SM2 elliptic curves
CN102761415B (en) * 2011-04-27 2015-04-08 航天信息股份有限公司 System for generating, verifying and mixing digital signatures of p-element domain SM2 elliptic curves
CN102790673B (en) * 2011-05-17 2017-05-10 上海华虹集成电路有限责任公司 Method for resisting error attacks applicable for ECC (Error Correction Code) algorithm
WO2013078970A1 (en) * 2011-11-30 2013-06-06 西安西电捷通无线网络通信股份有限公司 Key negotiation method and apparatus according to sm2 key exchange protocol
US9313026B2 (en) 2011-11-30 2016-04-12 China Iwncomm Co., Ltd. Key negotiation method and apparatus according to SM2 key exchange protocol
CN105337734A (en) * 2014-08-05 2016-02-17 英赛瑟库尔公司 Elliptic curve encryption method comprising error detection
CN105610583A (en) * 2014-11-04 2016-05-25 上海华虹集成电路有限责任公司 ECDSA method for resisting error curve attack
CN105610583B (en) * 2014-11-04 2018-10-26 上海华虹集成电路有限责任公司 ECDSA methods for resisting error curve attack
CN104468125A (en) * 2014-12-24 2015-03-25 江西倍康信息技术有限公司 Mobile Internet information communication encryption method based on GMB algorithm
CN106161022A (en) * 2015-03-31 2016-11-23 上海复旦微电子集团股份有限公司 Anti-attack method based on ECC crypto module and device
CN104917608B (en) * 2015-05-19 2018-04-20 清华大学 A kind of method of the anti-power consumption attack of key
CN104917608A (en) * 2015-05-19 2015-09-16 清华大学 Key anti-power attack method
CN106100844B (en) * 2016-05-24 2020-08-18 天津大学 Optimized automatic bilinear pairing encryption method and device based on point blinding method
CN106100844A (en) * 2016-05-24 2016-11-09 天津大学 Optimization automatic Bilinear map encryption method and the device of method is blinded based on point
CN108008932B (en) * 2016-10-28 2023-06-20 畅想科技有限公司 Division synthesis
CN108008932A (en) * 2016-10-28 2018-05-08 畅想科技有限公司 Division synthesizes
CN108512665B (en) * 2017-02-28 2023-06-16 黑莓有限公司 Generating elliptic curve points in elliptic curve cryptography
CN108512665A (en) * 2017-02-28 2018-09-07 塞尔蒂卡姆公司 Elliptic curve point is generated in elliptic curve cipher system
CN110663215A (en) * 2017-03-17 2020-01-07 皇家飞利浦有限公司 Elliptic curve point multiplication device and method in white-box scene
CN110663215B (en) * 2017-03-17 2024-03-08 皇家飞利浦有限公司 Elliptic curve point multiplication device and method in white-box scene
CN106888088A (en) * 2017-03-29 2017-06-23 中国人民解放军信息工程大学 Elliptic curve cipher Fast implementation and its device
CN111835517A (en) * 2020-06-29 2020-10-27 易兆微电子(杭州)股份有限公司 Double-domain elliptic curve point multiplication hardware accelerator
CN111835517B (en) * 2020-06-29 2023-12-22 易兆微电子(杭州)股份有限公司 Double-domain elliptic curve point multiplication hardware accelerator
CN113783702A (en) * 2021-09-28 2021-12-10 南京宁麒智能计算芯片研究院有限公司 Hardware implementation method and system for elliptic curve digital signature and signature verification
CN114879934A (en) * 2021-12-14 2022-08-09 中国科学院深圳先进技术研究院 Efficient zero-knowledge proof accelerator and method
CN114650135A (en) * 2022-04-01 2022-06-21 浙江大学 Software and hardware cooperative SM2 elliptic curve cryptographic algorithm implementation method
CN114650135B (en) * 2022-04-01 2024-01-02 浙江大学 Software and hardware cooperated SM2 elliptic curve cryptography algorithm implementation method

Also Published As

Publication number Publication date
CN100414492C (en) 2008-08-27

Similar Documents

Publication Publication Date Title
CN1831754A (en) Elliptic curve cipher system and implementing method
CN1148643C (en) Circuit and system for modulo exponentiation arithmetic and arithmetic method for performing modulo exponentiation arithmetic
CN1242587C (en) Method and apparatus for robust high-speed cryptosystem
CN1265280C (en) Extending the range of computational fields of integers
CN1345495A (en) Countermeasure procedures in electronic component implementing elliptical curve type public key encryption algorithm
CN1235446A (en) Elliptical curve converting device and device and system for use thereof
CN1734526A (en) Block encryption device using auxiliary conversion
CN1203431C (en) Encipher decipher devices and device for producing expanded key, method and recording medium therefor
CN1172474C (en) Public key cryptosystem method and apparatus
CN1841443A (en) Calculation method, calculation equipment and computer program
CN1124545C (en) High-speed cryptographic processing apparatus, cryptographic processing method, and storage medium
CN101061526A (en) Encryption computing device
CN1921382A (en) Encrypting-decrypting method based on AES algorithm and encrypting-decrypting device
CN1941699A (en) Cryptographic methods, host system, trusted platform module, and computer arrangement
CN1251715A (en) Cyclotomic polynomial construction of discrete logarithm cryptosystem over finite fields
CN1280726A (en) Transformation methods for optimizing elliptic curve cryptographic computations
CN1312630A (en) Encryption apparatus based on block encryption type, its method and decoding device and method thereof
CN1280755C (en) Information processing system, enciphering/deciphering system, system LSI and electronic apparatus
CN1871810A (en) Authentication system, and remotely distributed storage system
CN1922643A (en) Encryption system, encryption device, decryption device, program, and integrated circuit
CN1279781A (en) Apparatus for multiprecision integer arithmetic
CN1338166A (en) Public and private key cryptographic method
CN1267816C (en) Information security device, prime generating device and prime generating method
CN1605059A (en) Pipeline core in Montgomery multiplier
CN1269680A (en) Interleaving apparatus and method for interleaving data collection thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SICHUAN CHANGHONG ELECTRIC CO., LTD.

Free format text: FORMER OWNER: BEIJING POWER DIGITAL TECHLABS CO., LTD.

Effective date: 20100609

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100016 ROOM AE26-28, 2/F, BUILDING 51, NO.14, JIUXIANQIAO ROAD, CHAOYANG DISTRICT, BEIJING TO: 621000 NO.35, MIANXING EAST ROAD, MIANYANG CITY HIGH-TECH ZONE, SICHUAN PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20100609

Address after: 621000 No. 35, Mianxing East Road, Mianyang City High-Tech Zone, Sichuan Province

Patentee after: Sichuan Changhong Electrical Appliance Co., Ltd.

Address before: 100016 Room AE26-28, 2/F, Building 51, No. 14, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee before: Beijing Puaode Digital Technology Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080827

Termination date: 20201104