CN101464920A - Design method for automatic generation of two element field ECC coprocessor circuit - Google Patents

Abstract

The invention discloses a design method for automatically generating a binary field ECC coprocessor circuit, which belongs to the technical field of information security and integrated circuit design. The invention adopts the following technical scheme: firstly, determine domain parameter m, irreducible field polynomial f(x) and multiplier word length digit capacity; then set and input: A(x) is equal to Sigma <m-1> i is equal to 0 a i x<i>, B(x) is equal to Sigma <l-1> i is equal to 0 Bi (x)x<k multiply i> belonging to GF(2<m>), k is equal to 2, or k is equal to 4; output: C(x) is equal to A(x) multiply B(x)mod f(x); produce corresponding arithmetic unit ci by utilizing a iterative process; then, map the logic circuit of each ci arithmetical unit to the modular multiplication part of the corresponding leaf unit; and finally, set AUC instruction set, control the multiple selector in the data path, thereby achieving the read-write conversion and the field operation of data flow, and eventually obtaining an integrated binary field ECC coprocessor circuit. The invention has the advantages that corresponding coprocessor circuit can be generated flexibly under a condition that curve parameters are changed.

Description

A kind of method for designing of automatic generation two element field ECC coprocessor circuit

Technical field

The invention belongs to information security and integrated circuit (IC) design technical field, relate in particular to a kind of method for designing of automatic generation two element field ECC coprocessor circuit.

Background technology

Along with the communication technology and computer network rapid development with extensively popularize, the safety problem of information transmission and utilization has become and has related to national security, influences the significant problem of people's daily life.The notion of information security is being obtained because of people, and storage exchanges and enjoys in the process of information, can not be correctly or realize reliably and produce, and information security issue is also just because of the existence of this situation and existing.In the process of information transmission, how confidentiality, integrality, authenticity and the non-repudiation of guarantee information become the key issue of safeguarding national security and protecting people's number one.Cryptography then is the important subject that sensitive information is protected.Nowadays cryptographic application closely has been penetrated into fields of society, as the authentication to the computer user, data encryption, network security, e-bank or the like.

ECC (Elliptic Curve Cryptosystems: elliptic curve cryptosystem) be a kind of very important public key algorithm system.The security of elliptic curve encryption algorithm is based on the dyscalculia of the discrete logarithm problem on the elliptic curve group.The two element field elliptic curve is compared with other public key system system, under identical level of security, has short key length; And the domain operation under the two element field is simpler; Thereby elliptic curve cipher has safe and reliable, and encryption and decryption efficient height is easy to characteristics such as realization, can be applicable to data communication, and a plurality of fields such as ecommerce are to provide required security service; At storage space, unique application prospect is arranged in smart card that computing function and power are all limited and the embedded system.

According to the difference of two element field elliptic curve cipher system Galois field expression way, ECC hardware is realized being divided into two classes.The first kind is configurable ECC coprocessor, all elliptic curve cryptographies in this class coprocessor support region length certain limit; Second class is the fixing ECC coprocessor of parameter of curve, the elliptic curve cryptography that such processor support region length and parameter of curve are fixing.The characteristics of first kind coprocessor are that it can support the elliptic curve of different length of fields, and certain extendability and dirigibility are arranged; But the configurability of this class coprocessor has increased the scale of circuit, reduces operational performance; And length of field m is not any selection: generally be prime number.Therefore the effective rate of utilization of first kind coprocessor is not high.And the configurable characteristic of first kind coprocessor is very restricted.For the second class coprocessor, because parameter of curve (length of field, irreducible function etc.) is fixing, the Galois field computing hardware circuit in the coprocessor also can be optimized, and has reduced the area of circuit, improves system's operational performance and effective rate of utilization.But, need again artificial design circuit for the ECC coprocessor of different parameters of curve.

Summary of the invention

The objective of the invention is to, propose a kind of method for designing of automatic generation two element field ECC coprocessor circuit, solve under the situation that parameter of curve changes the redesign problem of ECC coprocessor.

Technical scheme of the present invention is, a kind of method for designing of automatic generation two element field ECC coprocessor circuit is characterized in that, described method for designing comprises the step that following order is carried out:

Step 1: field parameter m is set;

Step 2: irreducible territory polynomial f (x) is set;

Step 3: multiplier word length figure place is set;

Step 4:, set input according to field parameter m, irreducible territory polynomial f (x), multiplier word length figure place: $A\left(x\right)={\mathrm{\&Sigma;}}_{i=0}^{m-1}{a}_i{x}^i,$ $B\left(x\right)={\mathrm{\&Sigma;}}_{i=0}^{l-1}{B}_i\left(x\right)x^{k\&CenterDot;i}\&Element;\mathrm{GF}\left(2^m\right),$ K=2 or k=4; Output: C (x)=A (x) B (x) modf (x); Utilize iterative process, produce corresponding arithmetic element c _i

Step 5: with every c _iThe mould that the logical circuit of arithmetic element is mapped in the corresponding leaf unit is taken advantage of part;

Step 6: square result and the input a that determine each leaf unit _iLogical relation;

Step 7: the AUC instruction set is set, the MUX in the control data path, the read-write conversion and the domain operation of realization data stream finally obtain complete two element field ECC coprocessor circuit.

Described irreducible territory polynomial f (x) is trinomial or five formulas.

Described multiplier word length figure place is 2 or 4.

Described iterative process, performing step is:

(1) $C\left(x\right)\&LeftArrow;0;$

(2)for i＝l-1 down to 0

$C\left(x\right)\&LeftArrow;[(A\left(x\right)\&CenterDot;B_i\left(x\right))\&CirclePlus;(C\left(x\right)\&CenterDot;x^k)]\mathrm{mod}f\left(x\right)$

(3)Return C(x)

Described leaf unit determines that according to the word length figure place of the multiplier that is provided with if promptly multiplier word length figure place is 2, then the leaf unit adopts 2 bit parallel moulds to take advantage of device; If multiplier word length figure place is 4, then the leaf unit adopts 4 bit parallel moulds to take advantage of device.

Effect of the present invention is, the ECC parameter changes the array leaf number of unit that makes in the data path, and the line between inner structure and unit produces respective change.After parameter of curve is selected, can produce corresponding coprocessor circuit neatly.

Description of drawings

Fig. 1 is the system assumption diagram of ECC coprocessor inside.

Fig. 2 is an ECC coprocessor leaf cellular construction synoptic diagram.

Fig. 3 is C (x) operation result synoptic diagram.

Embodiment

Below in conjunction with accompanying drawing, preferred embodiment is elaborated.Should be emphasized that following explanation only is exemplary, rather than in order to limit the scope of the invention and to use.

Fig. 1 is the system assumption diagram of ECC coprocessor inside.Among Fig. 1, the architecture of ECC coprocessor inside is made up of three parts: master controller MC (its main part is MU), arithmetical unit controller AUC and data path (Datapath) 101.Master controller MC is the control module of coprocessor, at first controls MU, and MU controls AUC more then, realizes that by state machine scheduling AUC point adds, doubly point and scalar multiplication.AUC contains inside sub-state machine, and the mould in control data path realization feature 2 territories is taken advantage of the quadratic sum additive operation.Adder is the two element field totalizer, is used for finishing additive operation.Data path (Datapath) the 101st, the core of coprocessor, by with compositions such as door, not gate, XOR gate and d type flip flop.

AUC not only realizes the arithmetical operation of Galois field, also carries out the read write command of data, comprises the exchanges data instruction of the input and output instruction of data in data path (Datapath) 101 and its internal register etc.The instruction set and the cycle of operation of AUC see Table 1.Wherein ' row ' represents the computation period and the reading and writing data cycle of modular multiplication.

Instruction set	Cycle	Explanation
			Load	row	Sense data from RAM
MovA2C	row	Data are read into register C from register A
			MovC2A	row	Data are read into register A from register C
Sav	row	Data write RAM
			SavLoa	row	Data write RAM, simultaneously sense data from RAM
SavMov	row	Data write RAM while data and read in A from register C
			Addition	row	Additive operation C=A+B on feature 2 territories
Mult	row*8	Multiplying C=A*B on feature 2 territories
			Square
	1	Square operation C=A on feature 2 territories 2

Table 1. instruction and performance period

The coprocessor automatic generation method is applicable to that parameter is fixed and irreducible function is the elliptic curve cipher system of trinomial or five formulas.In the ECC coprocessor processor system structure of different length of field m, the computing of elliptic curve layer is all the same.Therefore, the state machine (MU and AUC) in the coprocessor is identical: MU carries out the domain operation of specified order by state machine scheduling AUC.No matter how length of field m changes, and the domain operation fixed order that MU carries out is constant.

The difference of the coprocessor maximum that length of field is different is embodied in the array leaf unit of data path (Datapath) 101.The inner structure of Fig. 1 video data path (Datapath) 101, it is made up of four parts: MUX MUXI, MUXII and MUXIII, registers group B, two element field totalizer Adder and an array leaf unit.Wherein MUX MUXI, MUXII and MUXIII, registers group B is identical at the coprocessor of different length of fields with two element field totalizer Adder; After length of field m determines, produce the array leaf unit of 16 row row row among Fig. 1

Because length of field m is different with irreducible function, causes the quadratic sum multiplication part in the leaf unit inequality.

Fig. 2 is an ECC coprocessor leaf cellular construction synoptic diagram.There are two kinds of structures the leaf unit, and among Fig. 2, (a) represented leaf unit adopts 2 bit parallel moulds to take advantage of device, and (b) represented leaf unit adopts 4 bit parallel moulds to take advantage of device.2 bit parallel moulds take advantage of the mould of device to take advantage of part 201 and 4 bit parallel moulds to take advantage of the mould of device to take advantage of part 202, and in Fig. 2, the with dashed lines collimation mark is shown respectively.Each leaf unit contains two register (A _iAnd C _{M ＇-i}) and be used to realize the combinational logic and the MUX of square operation and modular multiplication.Mult.Resi represents result of product, 0/Mult.Resm ＇-n, 0/c _M-1/ c _M-2, 0/c _M-3/ c _M-4Expression is calculated in the product process respectively, when the value of the coefficient of new variables C (x) more, old value with newly be worth between relation.

The calculation function of leaf unit is as follows:

(1) each register A _i, C _{M '-i}Can preserve the data of oneself;

(2) register A _iCan carry out to the right 16 bit shifts and deposit, be used to realize the input of data or the additive operation of two element field;

(3) register C _{M ＇-i}Can carry out left 16 bit shifts and deposit, be used to realize the output of data;

(4) can realize register A by two MUX outside the array leaf unit _iAnd C _{M ＇-i}Between exchanges data;

(5) register C _{M ＇-i}Also be used for storing GF (2 ^m) addition, quadratic sum modular multiplication result.

5 class MUX MUXI in the AUC instruction set control data path (Datapath), MUXII, MUXIII, MUXa and MUXc, (wherein, MUXI, MUXII, MUXIII sees Fig. 1, MUXa and MUXc see Fig. 2) realize the read-write conversion and the domain operation of data stream.Describe the data stream and AUC instruction set (table 1) principle of work of each leaf unit below in detail:

(1) Load instruction: the MUXII in the data path (Datapath) is strobed into the In port, and the MUXa of each leaf unit is strobed into a _I-16

(2) MovA2C instruction: the MUXa of each leaf unit is strobed into a _I-16, MUXc is strobed into c simultaneously _{M '-i-16}, and the MUXII in the data path (Datapath) and MUXIII are strobed into the output terminal of leaf array; MovC2A in like manner.

(3) Sav instruction: the MUXc of each leaf unit is strobed into c _{M '-i-16}, and the MUXIII in the data path (Datapath) is strobed into the output terminal of leaf array;

(4) SavLoa instruction: the MUXII in the data path (Datapath) is strobed into the In port, and the MUXa of each leaf unit is strobed into a _I-16Simultaneously, the MUXc of each leaf unit is strobed into c _{M '-i-16}, and the MUXIII in the data path (Datapath) is strobed into the output terminal of leaf array;

(5) SavMov instruction: the MUXII in the data path (Datapath) is strobed into the In port, and the MUXa of each leaf unit is strobed into a _I-16Simultaneously, the MUXII in the data path (Datapath) is strobed into the Out output terminal;

(6) Addition instruction: the MUXI in the data path (Datapath) is strobed into the In input port, and MUXII is strobed into the output terminal of leaf array, and MUXIII is strobed into the Adder output port; Simultaneously, the MUXa of each leaf unit is strobed into a _I-16, MUXc is strobed into c _{M '-i-16}

(7) Mult instruction: the quadratic sum modular multiplication in the coprocessor of different parameters of curve is all different.By territory m and irreducible function are set is variable, produces corresponding arithmetic element.This paper has used 2 or 4 Bit Parallel Multiplier, and algorithm is as follows:

Input: $A\left(x\right)={\mathrm{\&Sigma;}}_{i=0}^{m-1}{a}_i{x}^i,$ $B\left(x\right)={\mathrm{\&Sigma;}}_{i=0}^{l-1}{B}_i\left(x\right)x^{k\&CenterDot;i}\&Element;\mathrm{GF}\left(2^m\right),$ Irreducible function f (x), k=2 or k=4;

Output: C (x)=A (x) B (x) mod f (x);

1) $C\left(x\right)\&LeftArrow;0;$

2)for i＝l-1 down to 0

$C\left(x\right)\&LeftArrow;[(A\left(x\right)\&CenterDot;B_i\left(x\right))\&CirclePlus;(C\left(x\right)\&CenterDot;x^k)]\mathrm{mod}f\left(x\right)$

3)Return C(x)

The implementation method of circuit as shown in Figure 2, with irreducible trinomial f (x)=x ^m+ x ⁿ+ 1, and 2 bit parallel moulds to take advantage of device be example: input m, n had both generated the multiplication iterative process $C\left(x\right)\&LeftArrow;[(A\left(x\right)\&CenterDot;B_i\left(x\right))\&CirclePlus;(C\left(x\right)\&CenterDot;x^k)]\mathrm{mod}f\left(x\right)$ Circuit:

Fig. 3 is C (x) operation result synoptic diagram.By iterative process, draw the value of each coefficient among the C (x):

${\mathrm{<figure-callout\; id="0"\; label="c"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">c</figure-callout>}}_0=a_0{\mathrm{<figure-callout\; id="0"\; label="b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">b</figure-callout>}}_0\&CirclePlus;a_{m-1}{\mathrm{<figure-callout\; id="1"\; label="b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">b</figure-callout>}}_1\&CirclePlus;c_{m-2}$

${\mathrm{<figure-callout\; id="1"\; label="c"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">c</figure-callout>}}_1=a_1{\mathrm{<figure-callout\; id="0"\; label="b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">b</figure-callout>}}_0\&CirclePlus;a_0{\mathrm{<figure-callout\; id="1"\; label="b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">b</figure-callout>}}_1\&CirclePlus;c_{m-1}$

$c_n={\mathrm{<figure-callout\; id="0"\; label="a\; n\; b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">a</figure-callout>}}_n{b}_{}{}_0\&CirclePlus;a_{n-1}{\mathrm{<figure-callout\; id="1"\; label="b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">b</figure-callout>}}_1\&CirclePlus;c_{n-2}\&CirclePlus;a_{m-1}{\mathrm{<figure-callout\; id="1"\; label="b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">b</figure-callout>}}_1\&CirclePlus;c_{m-2}$

$c_{n+1}=a_{n+1}{\mathrm{<figure-callout\; id="0"\; label="b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">b</figure-callout>}}_0\&CirclePlus;a_{\mathrm{<figure-callout\; id="1"\; label="n\; b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">n</figure-callout>}}{b}_{}{}_1\&CirclePlus;c_{n-1}\&CirclePlus;c_{m-1}$

$c_i=a_{\mathrm{<figure-callout\; id="0"\; label="i\; b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">i</figure-callout>}}{b}_{}{}_0\&CirclePlus;a_{i-1}{\mathrm{<figure-callout\; id="1"\; label="b"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">b</figure-callout>}}_1\&CirclePlus;c_{i-2}(i\&NotEqual;n,n+1\mathrm{and}1<i<m)$

c _i＝0(i≥m)

With every c _iThe mould that is mapped in the respective leaves unit of logical circuit take advantage of part, i.e. 201 parts that indicate among Fig. 2.4 bit parallel moulds take advantage of device in like manner.

(8) Square instruction: the MUXa of each leaf unit is strobed into a _i, MUXc is strobed into the Square[i of square module] and port.

As parameter of curve (length of field m and irreducible function f (x)=x ^m+ x ⁿ+ 1) after fixing, the squarer after can being optimized, its square operation only need 1 clock period.GF (2 ^m) in square operation following characteristic is arranged: (ax+b) ²=ax ²+ b, and, B (x) x is arranged for B (x) arbitrarily ^mModf (x)=B (x) (x ⁿ+ 1).After m and n are fixing, the squaring cell Square[i among Fig. 2] determine by equation (3).If 2n-2＜m, the calculating in the equation (3) finishes; Otherwise equation (3) also need the about polynomial expression of continuation, up to a _iIn index all less than m, finally obtain the Square[i square as a result of leaf unit] and input a _iLogical relation.Order:

A (x)=a _M-1x ^M-1+ a _M-2x ^M-2+ ... + a ₁x ¹+ a ₀, S (x)=s _M-1x ^M-1+ s _M-2x ^M-2+ ... + s ₁x ¹+ s ₀, a _i, s _i∈ 0,1}, then

$S\left(x\right)=A^2\left(x\right)$

$=(a_{m-1}{x}^{2m-2}+a_{m-2}{x}^{2m-4}+a_{m-3}{x}^{2m-6}+\&CenterDot;\&CenterDot;\&CenterDot;+a_2{x}^4+a_1{x}^2+a_0)\mathrm{mod}f\left(x\right)$

$=\left[(a_{m-1}{x}^{m-2}+a_{m-2}{x}^{m-4}+a_{m-3}{x}^{m-6}+\&CenterDot;\&CenterDot;\&CenterDot;+a_{\frac{m+1}{2}}x)\right](x^n+1)\mathrm{mod}f\left(x\right)+{\mathrm{<figure-callout\; id="1"\; label="d"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">d</figure-callout>}}_1$

$=\left[(a_{m-1}{x}^{m+n-2}+a_{m-2}{x}^{m+n-4}+a_{m-3}{x}^{m+n-6}+\&CenterDot;\&CenterDot;\&CenterDot;+a_{\frac{m+1}{2}}{x}^{n+1})\right]\mathrm{mod}f\left(x\right)+{\mathrm{<figure-callout\; id="2"\; label="d"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">d</figure-callout>}}_2+{\mathrm{<figure-callout\; id="1"\; label="d"\; filenames="A200810239350E00141.png,A200810239350E00142.png"\; state="\{\{state\}\}">d</figure-callout>}}_1$

(3)

$+(a_{m-1}{x}^{m-2}+a_{m-2}{x}^{m-4}+a_{m-3}{x}^{m-6}+\&CenterDot;\&CenterDot;\&CenterDot;+a_{\frac{m+1}{2}}x)+(a_{\frac{m-1}{2}}{x}^{m-1}+a_{\frac{m-3}{2}}{x}^{m-3}+\&CenterDot;\&CenterDot;\&CenterDot;+a_1{x}^2+a_0)$

Below one section C code description square equation (3) realize the method for Verilog HDL automatically:

The above; only for the preferable embodiment of the present invention, but protection scope of the present invention is not limited thereto, and anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; the variation that can expect easily or replacement all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection domain of claim.

Claims (5)

1, a kind of method for designing of automatic generation two element field ECC coprocessor circuit is characterized in that, described method for designing comprises the step that following order is carried out:

Step 1: field parameter m is set;

Step 2: irreducible territory polynomial f (x) is set;

Step 3: multiplier word length figure place is set;

Step 4:, set input according to field parameter m, irreducible territory polynomial f (x), multiplier word length figure place: $A\left(x\right)={\mathrm{\&Sigma;}}_{i=0}^{m-1}{a}_i{x}^i,$ $B\left(x\right)={\mathrm{\&Sigma;}}_{i=0}^{l-1}{B}_i\left(x\right)x^{k\&CenterDot;i}\&Element;\mathrm{GF}\left(2^m\right),$ K=2 or k=4; Output: C (x)=A (x) B (x) modf (x); Utilize iterative process, produce corresponding arithmetic element c _i

Step 5: with every c _iThe mould that the logical circuit of arithmetic element is mapped in the corresponding leaf unit is taken advantage of part;

Step 6: square result and the input a that determine each leaf unit _iLogical relation;

Step 7: the AUC instruction set is set, the MUX in the control data path, the read-write conversion and the domain operation of realization data stream finally obtain complete two element field ECC coprocessor circuit.

2, the method for designing of a kind of automatic generation two element field ECC coprocessor circuit according to claim 1 is characterized in that, described irreducible territory polynomial f (x) is trinomial or five formulas.

3, the method for designing of a kind of automatic generation two element field ECC coprocessor circuit according to claim 1 is characterized in that, described multiplier word length figure place is 2 or 4.

4, the method for designing of a kind of automatic generation two element field ECC coprocessor circuit according to claim 1 is characterized in that, described iterative process, and performing step is:

(1) $C\left(x\right)\&LeftArrow;0;$

(2)for i＝l-1 down to 0

$C\left(x\right)\&LeftArrow;[(A\left(x\right)\&CenterDot;B_i\left(x\right))\&CirclePlus;(C\left(x\right)\&CenterDot;x^k)]\mathrm{mod}f\left(x\right)$

(3)Return C(x)

5, the method for designing of a kind of automatic generation two element field ECC coprocessor circuit according to claim 1, it is characterized in that described leaf unit is determined according to the word length figure place of the multiplier that is provided with, if promptly multiplier word length figure place is 2, then the leaf unit adopts 2 bit parallel moulds to take advantage of device; If multiplier word length figure place is 4, then the leaf unit adopts 4 bit parallel moulds to take advantage of device.

Images