CN101572602A - Finite field inversion method based on hardware design and device thereof - Google Patents

Finite field inversion method based on hardware design and device thereof Download PDF

Info

Publication number
CN101572602A
CN101572602A CNA2008100669157A CN200810066915A CN101572602A CN 101572602 A CN101572602 A CN 101572602A CN A2008100669157 A CNA2008100669157 A CN A2008100669157A CN 200810066915 A CN200810066915 A CN 200810066915A CN 101572602 A CN101572602 A CN 101572602A
Authority
CN
China
Prior art keywords
value
variable
register
calculate
replaces
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008100669157A
Other languages
Chinese (zh)
Inventor
陈婧
蒋俊洁
王石
邓小铁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CNA2008100669157A priority Critical patent/CN101572602A/en
Publication of CN101572602A publication Critical patent/CN101572602A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Complex Calculations (AREA)

Abstract

The invention discloses a finite field inversion method based on hardware design, which is applicable to an elliptical curve encrypt system. The method comprises the following steps: using a monadic polynomial in a finite field GF(p<m>) as an input element a and defining an irreducible polynomial f(x), wherein a=am-1x<m-1>+am-2x<m-2)>+to +a1x+a0, f(x)x=<m>+fm-1x<m-1>x<m-1>+to +f(1)+f(0), ai and fi are respectively the coefficients of the input element a and the irreducible polynomial f(x); the input element a being repeatedly multiplied or divided by x<2> and adding the results, and outputting the multiplicative inverse a<-1> of the input element a. Correspondingly, the invention further provides a finite field GF(2<m>) inversion device based on the hardware design, therefore, the invention ensures rapider calculation speed, thereby greatly improving inversion operating efficiency. In addition, the working frequency of the inversion device is close to that of other operation devices in the encrypt system so as to fully improve the hardware source utilization rate of the inversion device.

Description

A kind of method and device of inverting based on the finite field of hardware designs
Technical field
The present invention relates to the elliptic curve cipher technology, relate in particular to a kind of method and device of inverting based on the finite field of hardware designs in the elliptic curve cryptography system of being applied to.
Background technology
Elliptic Curve Cryptography (Elliptic Curve Cryptography, ECC) be to propose by VictorMiller and Neal Koblitz in 1985, its advantage is: it provides and the equal fail safe of other cryptographic systems, has less keys sizes simultaneously, so be a kind of public key system that higher bit intensity can be provided at present known all public-key cryptosystems.Less keys sizes means the minimizing of memory needs and the minimizing of computing time, the Secure Application system that is particularly useful for low-power consumption and high-speed encryption, for example application of smart card, personal computer memory card or types such as other any hand-hold types or portable set.The public key encryption algorithm standard P 1363 that IEEE (Institute of Electrical and Electronics Engineers, IEEE) has formulated just is based on the ECC algorithm.Password educational circles generally believes that it will substitute RSA Algorithm, becomes general public key algorithm, has become very promising research direction at present, and how to realize efficiently that the ECC basic operation also becomes one of research focus.
Elliptic Curve Cryptography is mainly studied two class elliptic curves, GF (p) and GF (p m).Therefore the basic algebraic operation that needs to carry out in the cipher processor refers to finite field gf (p) and GF (p m) on element addition, subtraction, multiplication and inversion operation.Wherein the inversion algorithms of element is promptly calculated b=a -1Mod f is an expense maximum in the involved basic operation.
General element inversion algorithms is according to Fermat (Fermat) theorem, regards inversion algorithms the combination of element multiplication as, and is as follows:
a ( x ) - 1 = a ( x ) 2 m - 2 mod f ( x )
Like this, the common need 2 of inverting M-1Square (perhaps multiplication) computing in-1 territory, so this algorithm operation quantity is very big, efficient is very low, the very little simple application of only suitable base field.
Another element method of inverting commonly used is to realize according to Extended Euclid algorithm.Its basic thought is to calculate the contrary of finite field by iterating, and a and f (x) respectively multiply by repeatedly or divided by x and addition, do same conversion with 1 and 0 simultaneously.Like this, when becoming 1,1, a just becomes the contrary of a.This algorithm is finished finite field gf (p one time m) on inversion operation need 2m cycle, efficient is higher.But growing along with cryptographic applications, electronic installation in some high speed low consumption, for example in the application of smart card, personal computer memory card or other any hand-hold types or portable set etc., this type of algorithm has still limited the disposal ability and the power consumption of whole system.
In summary, the existing finite field that is applied in the elliptic curve cryptography system scheme of inverting on reality is used, obviously exists inconvenience and defective, so be necessary to be improved.
Summary of the invention
At above-mentioned defective, the object of the present invention is to provide a kind of method and device of inverting based on the finite field of hardware designs, it can reduce execution cycle, and then improves inversion operation efficient greatly.
To achieve these goals, the invention provides a kind of method of inverting based on the finite field of hardware designs, be applied to the elliptic curve cryptography system, described method comprises that step is as follows:
A, with finite field gf (p m) interior monobasic prime polynomial a is as input element a, and define irreducible function f (x), wherein an a=a M-1x M-1+ a M-2x M-2+ ...+a 1X+a 0, f (x)=x m+ f M-1x M-1+ ...+f 1X+f 0, a iAnd f iBe respectively the coefficient of input element a and irreducible function f (x), m is a positive integer, and x belongs to the independent variable of f (x);
B, described input element a and irreducible function f (x) multiply by or repeatedly divided by x 2And addition, after m circulation, export the multiplicative inverse a of this input element a -1
The method that finite field is inverted according to the present invention, described step B further comprises:
Variable of a polynomial S, R, U, V are initialized as f, a, 1 and 0 respectively, and δ is initialized as 0 with variable; The highest two groups of coefficient r according to described variable S and R mr M-1, s ms M-1Value, calculate intermediate variable q and e; Then according to control signal r m, r M-1δ 0, δ 1, e and i calculate described four variable S, R, U, V, it finishes calculating in a clock cycle, in the next clock cycle value of four variable S, R, U, V is upgraded, and after circulating for m time, exports the multiplicative inverse a of this input element a -1
The method that finite field is inverted according to the present invention, described step B further comprises:
B1, variable S, R, U, V and δ are initialized as f, a, 1 and 0 respectively; Intermediate variable q, e, temp1 and temp2 are initialized as 0 respectively;
B2, to the scope of i from 0 to m-1, carry out following steps:
B3, calculating intermediate variable q=s mAnd e=s M-1-s mr M-1, s wherein mAnd s M-1Be respectively highest order coefficient and time high potential coefficient of variable S, r M-1It then is the inferior high potential coefficient of variable R;
B4, calculating intermediate variable T=S-s mR;
B5, calculating intermediate variable W=V-s mU;
If the highest order coefficient r of B6 variable R mCorrespond to GF (p) element 1, carry out following steps:
If minimum two of B7 variable δ is all to be 0, and the element 0 of the corresponding GF of the value of variable e (p), then carry out following substep B7a~B7h:
B7a) value of usefulness R replaces the value of temp1;
B7b) calculate x 2T replaces the result value of R;
B7c) value of usefulness temp1 replaces the value of S;
B7d) value of usefulness U replaces the value of temp2;
B7e) calculate xW mod f, the result is replaced the value of W;
B7f) iteron step B7e, the value of usefulness W replaces the value of U;
B7g) value of usefulness temp2 replaces the value of V;
B7h) replace δ with δ+2;
If minimum two of B8 variable δ is all to be 0, and the element 1 of the corresponding GF of the value of variable e (p), then carry out following substep B8a~B8f:
B8a) calculate xR-x 2ET replaces the result value of temp1;
B8b) calculate xT, the result is replaced the value of R;
B8c) value of usefulness temp1 replaces the value of S;
B8d) calculate U-e (xW mod f), the result is replaced the value of temp2;
B8e) value of usefulness W replaces the value of U;
B8f) value of usefulness temp2 replaces the value of V;
If lowest order and the inferior low level of B9 variable δ are respectively 1 and 0, then carry out following substep B9a~B9f:
B9a) value of usefulness R replaces the value of temp1;
B9b) calculate x 2T-x (eR) replaces the result value of R;
B9c) value of usefulness temp1 replaces the value of S;
B9d) calculate U/x mod f, the result is replaced the value of temp2;
B9e) calculate x (W-e-temp2) mod f, the result is replaced the value of U;
B9f) value of usefulness temp2 replaces the value of V;
If lowest order and the inferior low level of B10 variable δ are respectively 1 and 1, then carry out following substep B10a~B10e:
B10a) calculate x 2T-x (eR) replaces the result value of S;
B10b) calculate U/x mod f, the result is replaced the value of temp1;
B10c) calculate W-etemp1, the result is replaced the value of V;
B10d) iteron step B10b replaces the value of temp1 the value of U;
B10e) replace δ with δ-2;
If the highest order coefficient r of B11 variable R mWith inferior high potential coefficient r M-1The element 0 of all corresponding GF (p), carry out following substep B11a~B11d:
B11a) calculate x 2R replaces the result value of R;
B11b) calculate xU mod f, the result is replaced the value of U;
B11c) iteron step B11b;
B11d) replace δ with δ+2;
If the highest order coefficient r of B12 variable R mWith inferior high potential coefficient r M-1The element 0 and 1 of the corresponding GF of difference (p), carry out following substep B12a~B12d:
B12a) calculate xR, the result is replaced the value of R;
B12b) calculate xT, the result is replaced the value of S;
B12c) calculate xU mod f, the result is replaced the value of temp1;
B12d) calculate V-qtemp1, the result is replaced the value of V;
The counting i of B13, cycle counter increases by one, as i during less than m-1, returns step B2;
B14, counting m time, when promptly i equals m-1, finite field gf (p m) inversion operation finish, output valve is the multiplicative inverse a of input element a -1
The method that finite field is inverted according to the present invention, the coefficient a of described input element a and irreducible function f (x) iAnd f i, the scope of i from 0 to m-1 belonged to finite field gf (p).
The method that finite field is inverted according to the present invention, described method realizes finite field gf (2 by the hardware device of inverting m) element is inverted, and the operating frequency of other arithmetic units is close in the operating frequency of the described device of inverting and the elliptic curve cryptography system.
The method that finite field is inverted according to the present invention, described finite field gf (2 m) go up the step-by-step XOR that certain element plus-minus is vector; Certain element be multiply by or be about to this vector divided by x move to left or move to right one, zero padding; Certain element delivery f (x) is about to this element and f (x) step-by-step XOR delivery, to guarantee that the result is still at finite field gf (2 m) in.
The method that finite field is inverted according to the present invention, described variable U multiply by x or during divided by x at every turn, if highest order is 1, need with f ( x ) = x m + &Sigma; 0 m - 1 f i x i Step-by-step XOR delivery is to carry out stipulations, to guarantee that the result is still at finite field gf (2 m) in.
The present invention also provides a kind of device of inverting based on the finite field of hardware designs, is applied to the elliptic curve cryptography system, and described finite field is GF (2 m), and this device comprises:
Register R, S, U, V and δ, described register R, S, U, V are respectively applied for storage variable of a polynomial R, S, U and V, and described δ register is used for the value of record variable δ, and the displacement situation of the variation of variable δ reflection U register, during initialization, with finite field gf (2 m) interior monobasic prime polynomial a inserts described R register as input element a, define an irreducible function f (x) simultaneously and insert described source register, and described U register is set to 1, described V register and δ register are set to 0;
RS computational logic module is used to upgrade variable R and S;
UV computational logic module is used for more new variables U and V;
Control logic module is used for the highest two groups of coefficient r according to described source register and R register mr M-1, s ms M-1Value, calculate intermediate variable q and e, then according to control signal r m, r M-1, δ 0, δ 1, e and i control the work of described RS computational logic module and UV computational logic module;
Described RS computational logic module and UV computational logic module are finished calculating in a clock cycle, in the next clock cycle updating value of four variable S, R, U, V is re-entered register S, R, U, V, the counter of loop control simultaneously i upgrades, after m circulation, export the multiplicative inverse a of this input element a -1
The device that finite field is inverted according to the present invention, described RS computational logic module and UV computational logic module adopt hardware to realize basic operation respectively,
Described RS computational logic module is made up of m+1 identical and arranged side by side RS computational logic unit, described each RS computational logic unit concurrent working, after in a clock cycle, finishing computing updating value is imported R register and source register, wait for that again next round calculating is carried out in the control logic instruction of described control logic module;
Described UV computational logic module is made up of m identical and arranged side by side UV computational logic unit, described each UV computational logic unit concurrent working, after in a clock cycle, finishing computing updating value is imported U register and V register, wait for that again next round calculating is carried out in the control logic instruction of described control logic module.
The device that finite field is inverted according to the present invention, the memory space of described R register and source register is the m+1 bit, and the memory space of described U register and V register is the m bit; Described R register and source register interact, and described U register and V register interact, and these two groups of operation registers are synchronous.
The present invention is with finite field gf (p m) or GF (2 m) interior monobasic prime polynomial a is as input element a, and defines an irreducible function f (x), again with described input element a and irreducible function f (x) multiply by repeatedly or divided by x 2And addition, after m circulation, export the multiplicative inverse a of this input element a -1Whereby, the present invention finishes an inversion operation and only needs m clock cycle, is half of an existing Extended Euclid algorithm required 2m clock cycle, has guaranteed computational speed faster, thereby has improved inversion operation efficient greatly.In addition, the operating frequency of other arithmetic units is close in the operating frequency of the device of inverting of the present invention and the elliptic curve cryptography system, with the invert hardware resource utilization of device of abundant raising, and then improves the calculated performance of whole system.
Description of drawings
Fig. 1 is the application block diagram of device in the elliptic curve cryptography system that finite field of the present invention is inverted;
Fig. 2 is the hardware example fig. of the finite field of the present invention device of inverting;
Fig. 3 is the hardware example fig. of the RS computational logic unit of the finite field of the present invention device of inverting;
Fig. 4 A is the hardware example fig. of the UV computational logic unit of the finite field of the present invention device of inverting;
Fig. 4 B is the hardware example fig. of XMOD module and D_XMOD module in the UV computational logic of the present invention unit;
Fig. 5 the present invention is based on the method flow diagram that the finite field of hardware designs is inverted;
Fig. 6 is the method flow instance graph that the preferred finite field of the present invention is inverted.
Embodiment
In order to make purpose of the present invention, technical scheme and advantage clearer,, the present invention is further elaborated below in conjunction with drawings and Examples.Should be appreciated that specific embodiment described herein only in order to explanation the present invention, and be not used in qualification the present invention.
Basic thought of the present invention is: with finite field gf (p m) or GF (2 m) interior monobasic prime polynomial a is as input element a, and defines an irreducible function f (x), again with described input element a and irreducible function f (x) multiply by repeatedly or divided by x 2And addition, after m circulation, export the multiplicative inverse a of this input element a -1Whereby, the present invention can reduce execution cycle, and then improves inversion operation efficient greatly.
Fig. 1 shows the application of device in the elliptic curve cryptography system that finite field of the present invention is inverted, requirement according to elliptic curve encryption algorithm, elliptic curve cryptography system 100 is carried out modularized design, each module is independently finished function separately, carry out mutual exchanges data according to control signal between the module, realize encryption function.Described elliptic curve cryptography system 100 mainly comprises control interface 10, arithmetic control unit 20, two-port RAM 30, adder 40, multiplier 50, squaring device 60 and the device 70 of inverting, wherein:
Control interface 10 is the major control devices in the encryption system 100, has controlled inner with outside being connected, and transfer instruction is in encryption system 100 inner other assemblies.
Arithmetic control unit 20 is used to manage and organize the running of each bottom module, and described bottom module comprises: adder 40, multiplier 50, squaring device 60 and the device 70 of inverting.
Two-port RAM 30 is responsible for the transmission and the storage of data.
Adder 40, multiplier 50, squaring device 60 and 70 in the device of inverting are realized finite field gf (p respectively m) lining addition, multiplication, square and basic operation such as invert.
Realize that an elliptic curve cryptography system 100 mainly contains two kinds of implementations, promptly software is realized and the hardware realization.Adopt software to realize that the required development time is short, but its enciphering rate is slow, has hindered the practicality of elliptic curve cryptography.Adopt hardware to realize the speed more superior than software method then is provided, be more suitable in the application that enciphering rate is had requirement.The invention belongs to hardware implementations, it is applied to the elliptic curve cryptography system 100 of hardware implementation mode.
At present LSD (Least Significant DigitFirst, lowest order is preferential) or MSD (Most Significant Digit First, the MSD) algorithms of adopting of multiplier 50 in the encryption system 100 more.Adopt the maximum operating frequency of the hardware module that this algorithm realizes to be lower than to adopt the maximum operating frequency of the device 70 of inverting that Extended Euclid algorithm realizes.Therefore, though the device 70 of inverting that Extended Euclid algorithm is realized can reach very high operating frequency separately, but still be subject to the overall work frequency of elliptic curve cryptography system 100, in each clock cycle, the device 70 of inverting has the most of the time to be in idle state.The device 70 of inverting that algorithm of the present invention is realized, the operating frequency of its operating frequency and other computing hardware modules is close, with the abundant raising hardware resource utilization of device 70 of inverting, and then improves the calculated performance of whole encryption system 100.
Fig. 2 is the invert hardware example fig. of device of finite field of the present invention, and for convenience of description, this example is a finite field gf (2 m) go up the hardware implementation mode that element is inverted.According to finite field gf (2 m) operation rule: its element is m-1 rank multinomials, and the binary vector of available m position is represented.Here, finite field gf (2 m) go up the step-by-step XOR that certain element plus-minus is vector; Certain element be multiply by or be about to this vector divided by x move to left or move to right one, zero padding; Certain element delivery f (x) is about to this element and f (x) step-by-step XOR delivery, to guarantee that the result is still at finite field gf (2 m) in.And finite field gf (p m) to go up the hardware implementation mode that element inverts similar with it, only need operand is replaced with GF (p m) on element, adopt the basic operation rule on the GF (p) simultaneously, in the application in detail, GF (p will be described in detail m) go up the hardware implement device that element is inverted.
The device 70 that finite field of the present invention is inverted is applied in as shown in Figure 1 the elliptic curve cryptography system 100, it mainly comprises: R register 71, source register 72, U register 73, V register 74, δ register 75, RS computational logic module 76, UV computational logic module 77 and control logic module 78, wherein:
R register 71 and source register 72 are interactional one group of register R[r mR 0] and S[s mS 0], both memory spaces are the m+1 bit, are respectively applied for storage variable of a polynomial R and S.U register 73 and V register 74 are interactional one group of register U[u M-1U 0] and V[v M-1V 0], both memory spaces are the m bit, are respectively applied for storage variable of a polynomial U and V.And these two groups of operation registers are synchronous, and are written into the once updating value of circulation at the rising edge of each clock cycle.
δ register 75 is used for the value of record variable δ, and the displacement situation of the variation of δ reflection U register 73, when U on duty with x 2, δ register 75 adds 2 of countings at this moment; When the U value divided by x 2, δ register 75 subtracts 2 of countings at this moment.
During initialization, with finite field gf (2 m) interior monobasic prime polynomial a inserts described R register 71 as input element a, define an irreducible function f (x) simultaneously and insert described source register 72, and described U register 73 is set to 1, and described V register 74 and δ register 75 are set to 0, and calculating process begins then.
a=a m-1x m-1+a m-2x m-2+...+a 1x+a 0
f(x)=x m+f m-1x m-1+...+f 1x+f 0
A wherein iAnd f iBe respectively the coefficient of input element a and irreducible function f (x), m is a positive integer, and x belongs to the independent variable of f (x).
RS computational logic module 76 is used to upgrade variable R and S.
UV computational logic module 77 is used for more new variables U and V.
Control logic module 78 is used for the highest two groups of coefficient r according to described R register 71 and source register 72 mr M-1, s ms M-1Value, calculate two intermediate variable q and e, wherein q=s mAnd e=s M-1-s mr M-1, then according to six control signal r m, r M-1, δ 0, δ 1, e and i control the work of described RS computational logic module 76 and UV computational logic module 77.
RS computational logic module 76 is carried out different additions, subtraction, modulo operation with UV computational logic module 77 according to the index signal of control logic module 78.RS computational logic module 76 of the present invention and UV computational logic module 77 are finished calculating in a clock cycle, in the next clock cycle updating value of four variable S, R, U, V is re-entered R register 71, source register 72, U register 73, V register 74, the counter of loop control simultaneously i upgrades, after m circulation, output valve is input element a at finite field gf (2 m) interior multiplicative inverse a -1
Particularly, described RS computational logic module 76 adopts hardware to realize basic operation respectively with UV computational logic module 77:
RS computational logic module 76 is made up of m+1 identical and arranged side by side RS computational logic unit, described each RS computational logic unit concurrent working, after in a clock cycle, finishing computing updating value is imported R register 71 and source register 72, wait for that again next round calculating is carried out in the control logic instruction of described control logic module 78.
UV computational logic module 77 is made up of m identical and arranged side by side UV computational logic unit, described each UV computational logic unit concurrent working, after in a clock cycle, finishing computing updating value is imported U register 73 and V register 74, wait for that again next round calculating is carried out in the control logic instruction of described control logic module 78.Wherein the UV computational logic is complicated: wherein variable U multiply by x at every turn or the stipulations computing must be arranged divided by x, if promptly highest order is 1, needs and f step-by-step order XOR delivery, guarantees that the result is still at finite field gf (2 m) in.
The hardware example fig. of the RS computational logic unit of the device that Fig. 3 inverts for finite field of the present invention, RS computational logic module 76 can be formed in m+1 identical and arranged side by side RS computational logic unit.RS computational logic unit is used to upgrade the coefficient of multinomial R and S, and selector control signal has r m, r M-1, δ 0, δ 1, e and i.The low level of this several Control signal is represented the highest order coefficient r of R register 71 respectively mBe 0, the inferior high potential coefficient r of R register 71 M-1Be 0, the value of δ register 75 is not 1 but 0, the value of δ register 75 less than 2 and variable e equal 0, represent that R register 71 and source register 72 are initialized as a when the low level of i in addition iAnd f i, described a iAnd f iIt is the coefficient of input element a and irreducible function f (x).Signal q and e are the elements of finite field gf (2) the inside, can be by equation q=s mAnd e=s M-1-s mr M-1Obtain.The subscript of variable is to a certain position that should variable, output r in the RS computational logic unit oAnd s oThe variable R of input and the i position of variable S when then distinguishing corresponding next round and calculating.
It should be noted that because certain variable multiply by x 2Adopt hardware to realize being about to 2 zero paddings that move to left of this variable, then when i less than 2 the time, (i-1 i-2) will be less than 0, and these input data are 0 at this moment for the part subscript.These RS computational logic unit concurrent workings are imported the R register 71 and the source register 72 of corresponding positions with updating value finish computing in a clock cycle after, and the control logic instruction of waiting for control logic module 78 is again carried out next round and calculated.
The hardware example fig. of the UV computational logic unit of the device that Fig. 4 A inverts for finite field of the present invention, UV computational logic module 77 can be formed in m identical and arranged side by side UV computational logic unit.Compare with RS computational logic unit, UV computational logic unit is more complicated, because described variable U multiply by x or during divided by x at every turn, and xU for example, xW and divide operations U/x if the highest order coefficient is 1, need and an irreducible polynomial f ( x ) = x m + &Sigma; 0 m - 1 f i x i Step-by-step XOR delivery is to carry out stipulations, to guarantee that the result is still at finite field gf (2 m) in.
Sign has the modular unit of XMOD to realize that certain variable multiply by or divided by the operation of delivery stipulations behind the x among Fig. 4 A, and sign has the modular unit of D_XMOD to realize then that certain variable repeats to multiply by for twice or divided by the operation of delivery stipulations behind the x.Control signal MultU=(r wherein m=1) ﹠amp; (δ 1=1) ﹠amp; (δ 0=1): when MultU was high level, these two modules then realized division function, i.e. two gray cell among Fig. 4 A.
The XMOD module of described UV computational logic unit and the specific implementation of D_XMOD module are shown in Fig. 4 B, and the selector of being with * number among Fig. 4 B is by e and δ 1Control simultaneously, the output signal or the u of selection input XMOD module iAs e=1 and δ 1, select output u at=0 o'clock iThe time, be with * number holding wire then to import the output signal of XMOD module; Otherwise work as δ 1=1 and during e=0, select the output signal of input XMOD module, be with * number holding wire then to export u iThese UV computational logic unit concurrent workings are imported U register 73 and V register 74 with updating value finish computing in a clock cycle after, and the control logic instruction of waiting for control logic module 78 is again carried out next round and calculated.
The present invention significantly reduces execution cycle from improving the utilance angle of hardware resource, half time of implementation of the Extended Euclid algorithm that only need use always, has guaranteed to realize more rapidly calculating.
Simultaneously, the present invention has improved the convenience of exploitation.The invention provides the IPC (Intelligence Property Core, intelligence nuclear) that can directly apply to Hardware Design, be included in and carry out the comprehensive code of hardware RTL of the present invention in the system design.Using the present invention only needs application-specific is created Interface Matching, greatly reduces the difficulty of system design and has reduced the design time-consuming.Help the user to improve the efficient and the correctness of system design, quickened the research and development process of system product when improving the quality of products again.
Fig. 5 shows the finite field gf (p that the present invention is based on hardware designs m) method flow of inverting, preferably finite field gf (2 m) method of inverting, being applied to the elliptic curve cryptography system, can realize by Fig. 1 or the device 70 of inverting shown in Figure 2, comprise that mainly step has:
Step S501 is with finite field gf (p m) interior monobasic prime polynomial a is as input element a, and define an irreducible function f (x), wherein
a=a m-1x m-1+a m-2x m-2+...+a 1x+a 0
f(x)=x m+f m-1x m-1+...+f 1x+f 0
a iAnd f iBe respectively the coefficient of input element a and irreducible function f (x), m is a positive integer, and x belongs to the independent variable of f (x).
Step S502, described input element a and irreducible function f (x) multiply by or repeatedly divided by x 2And addition, after m circulation, export the multiplicative inverse a of this input element a -1This step comprises again:
1) variable of a polynomial S, R, U, V are initialized as f, a, 1 and 0 respectively, δ is initialized as 0 with variable.Particularly, input element a is inserted described R register 71, irreducible function f (x) is inserted described source register 72, and described U register 73 is set to 1, described V register 74 and δ register 75 are set to 0, and calculating process begins then.
2) according to the highest two groups of coefficient r of described variable S and R mr M-1, s ms M-1Value, calculate intermediate variable q and e.Particularly, control logic module 78 is according to the highest two groups of coefficient r of described R register 71 and source register 72 mr M-1, s ms M-1Value, calculate two intermediate variable q and e, wherein q=s mAnd e=s M-1-s mr M-1
3) then according to control signal r m, r M-1, δ 0, δ 1, e and i calculate described four variable S, R, U, V, it finishes calculating in a clock cycle, in the next clock cycle value of four variable S, R, U, V is upgraded.Particularly, RS computational logic module 76 and UV computational logic module 77 are according to six control signal r of control logic module 78 m, r M-1, δ 0, δ 1, e and i hold computing, RS computational logic module 76 and UV computational logic module 77 are finished calculating in a clock cycle, in the next clock cycle updating value of four variable S, R, U, V is re-entered R register 71, source register 72, U register 73, V register 74, the counter of loop control simultaneously i upgrades.
4) after m circulation, output valve is this input element a at finite field gf (p m) multiplicative inverse a -1
Fig. 6 is the method flow instance graph that the preferred finite field of the present invention is inverted, and is applied to elliptic curve cryptography system 100, can be realized by Fig. 1 or the device 70 of inverting shown in Figure 2, and is this at finite field gf (p m) on the computing carried out be achieved as follows computing:
a -1=a?mod?f(x),a∈GF(p m)
Described method is a finite field gf (p m) a first prime polynomial a as input element a, and define an irreducible function f (x), in the method implementation procedure, these two elements are understood becomes polynomial set:
F (x)=x m+ f M-1x M-1+ ...+f 1X+f 0And
a=a m-1x m-1+a m-2x m-2+...+a 1x+a 0
The coefficient a of described input element a and irreducible function f (x) iAnd f i, from 0 to m-1 scope, be the element of finite field gf (p) concerning i, so the basic operation that the following stated is inverted in the method is the basic operation that GF (p) goes up element.
Finite field gf (p of the present invention m) on the method for inverting, can comprise following steps:
1) variable of a polynomial S, R, U, V and δ are initialized as f, a, 1 and 0 respectively; Intermediate variable q, e, temp1 and temp2 are initialized as 0 respectively;
2) to the scope of i from 0 to m-1, carry out following steps: specifically be control signal r according to control logic module 78 m, r M-1, δ 0, δ 1, e and i control described RS computational logic module 76 and UV computational logic module 77 is carried out following steps:
3) calculate intermediate variable q=s mAnd e=s M-1-s mr M-1, s wherein mAnd s M-1Be respectively highest order coefficient and time high potential coefficient of variable S, r M-1It then is the inferior high potential coefficient of variable R;
4) calculate intermediate variable T=S-s mR;
5) calculate intermediate variable W=V-s mU;
6) if the highest order coefficient r of variable R mCorrespond to the element 1 of GF (p), carry out following steps:
7) if minimum two of variable δ are to be 0, and the element 0 of the corresponding GF of the value of variable e (p), then carry out following substep 7a~7h (step S6):
7a) value of usefulness R replaces the value of temp1;
7b) calculate x 2T replaces the result value of R;
7c) value of usefulness temp1 replaces the value of S;
7d) value of usefulness U replaces the value of temp2;
7e) calculate xW mod f, the result is replaced the value of W;
7f) iteron step B7e, the value of usefulness W replaces the value of U;
7g) value of usefulness temp2 replaces the value of V;
7h) replace δ with δ+2;
8) if minimum two of variable δ are to be 0, and the element 1 of the corresponding GF of the value of variable e (p), then carry out following substep 8a~8f (step S5):
8a) calculate xR-x 2ET replaces the result value of temp1;
8b) calculate xT, the result is replaced the value of R;
8c) value of usefulness temp1 replaces the value of S;
8d) calculate U-e (xW mod f), the result is replaced the value of temp2;
8e) value of usefulness W replaces the value of U;
8f) value of usefulness temp2 replaces the value of V;
9) if the lowest order of variable δ and time low level are respectively 1 and 0, then carry out following substep 9a~9f (step S2):
9a) value of usefulness R replaces the value of temp1;
9b) calculate x 2T-x (eR) replaces the result value of R;
9c) value of usefulness temp1 replaces the value of S;
9d) calculate U/x mod f, the result is replaced the value of temp2;
9e) calculate x (W-etemp2) mod f, the result is replaced the value of U;
9f) value of usefulness temp2 replaces the value of V.
10) if the lowest order of variable δ and time low level are respectively 1 and 1, then carry out following substep 10a~10e (step S1):
10a) calculate x 2T-x (eR) replaces the result value of S;
10b) calculate U/x mod f, the result is replaced the value of temp1;
10c) calculate W-etemp1, the result is replaced the value of V;
10d) iteron step B10b replaces the value of temp1 the value of U;
10e) replace δ with δ-2.
11) if the highest order coefficient r of variable R mWith inferior high potential coefficient r M-1The element 0 of all corresponding GF (p), carry out following substep 11a~11d (step S4):
11a) calculate x 2R replaces the result value of R;
11b) calculate xU mod f, the result is replaced the value of U;
11c) iteron step B11b;
11d) replace δ with δ+2.
12) if the highest order r of variable R mCoefficient and time high potential coefficient r M-1The element 0 and 1 of the corresponding GF of difference (p), carry out following substep 12a~12d (step S3):
12a) calculate xR, the result is replaced the value of R;
12b) calculate xT, the result is replaced the value of S;
12c) calculate xU mod f, the result is replaced the value of temp1;
12d) calculate V-qtemp1, the result is replaced the value of V;
13) the counting i of cycle counter increases by one, as i during less than m-1, returns step B2;
14) counting is m time, when promptly i equals m-1, and finite field gf (p m) inversion operation finish, output valve is the multiplicative inverse a of input element a -1
The present invention also has following characteristics:
1) the required clock cycle of computing is constant at every turn, promptly can not design in the large scale system application and the control difficulty thereby help being reduced in along with the input data variation.
2) required hardware area and finite field gf (p m) p and the m of definition be proportional, promptly do not change with input data or f variation.
3) have quite high configurability,, can be applicable to the elliptic curve cryptography system that irreducible function f changes as increasing m bit register number.
In summary, the present invention is with finite field gf (p m) or GF (2 m) interior monobasic prime polynomial a is as input element a, and defines an irreducible function f (x), again with described input element a and irreducible function f (x) multiply by repeatedly or divided by x 2And addition, after m circulation, export the multiplicative inverse a of this input element a -1Whereby, the present invention finishes an inversion operation and only needs m clock cycle, is half of an existing Extended Euclid algorithm required 2m clock cycle, has guaranteed computational speed faster, thereby has improved inversion operation efficient greatly.In addition, the operating frequency of other arithmetic units is close in the operating frequency of the device of inverting of the present invention and the elliptic curve cryptography system, with the invert hardware resource utilization of device of abundant raising, and then improves the calculated performance of whole system.
Certainly; the present invention also can have other various embodiments; under the situation that does not deviate from spirit of the present invention and essence thereof; those of ordinary skill in the art work as can make various corresponding changes and distortion according to the present invention, but these corresponding changes and distortion all should belong to the protection range of the appended claim of the present invention.

Claims (10)

1, a kind of method of inverting based on the finite field of hardware designs is applied to the elliptic curve cryptography system, it is characterized in that, described method comprises that step is as follows:
A, with finite field gf (p m) interior monobasic prime polynomial a is as input element a, and define irreducible function f (x), wherein an a=a M-1x M-1+ a M-2x M-2+ ...+a 1X+a 0, f (x)=x m+ f M-1x M-1+ ...+f 1X+f 0, a iAnd f iBe respectively the coefficient of input element a and irreducible function f (x), m is a positive integer, and x belongs to the independent variable of f (x);
B, described input element a and irreducible function f (x) multiply by or repeatedly divided by x 2And addition, after m circulation, export the multiplicative inverse a of this input element a -1
2, method according to claim 1 is characterized in that, described step B further comprises:
Variable of a polynomial S, R, U, V are initialized as f, a, 1 and 0 respectively, and δ is initialized as 0 with variable; The highest two groups of coefficient r according to described variable S and R mr M-1, s ms M-1Value, calculate intermediate variable q and e; Then according to control signal r m, r M-1, δ 0, δ 1, e and i calculate described four variable S, R, U, V, it finishes calculating in a clock cycle, in the next clock cycle value of four variable S, R, U, V is upgraded, and after circulating for m time, exports the multiplicative inverse a of this input element a -1
3, method according to claim 2 is characterized in that, described step B further comprises:
B1, variable S, R, U, V and δ are initialized as f, a, 1 and 0 respectively; Intermediate variable q, e, temp1 and temp2 are initialized as 0 respectively;
B2, to the scope of i from 0 to m-1, carry out following steps:
B3, calculating intermediate variable q=s mAnd e=s M-1-s mr M-1, s wherein mAnd s M-1Be respectively highest order coefficient and time high potential coefficient of variable S, r M-1It then is the inferior high potential coefficient of variable R;
B4, calculating intermediate variable T=S-s mR;
B5, calculating intermediate variable W=V-s mU;
If the highest order coefficient r of B6 variable R mCorrespond to GF (p) element 1, carry out following steps:
If minimum two of B7 variable δ is all to be 0, and the element 0 of the corresponding GF of the value of variable e (p), then carry out following substep B7a~B7h:
B7a) value of usefulness R replaces the value of temp1;
B7b) calculate x 2T replaces the result value of R;
B7c) value of usefulness temp1 replaces the value of S;
B7d) value of usefulness U replaces the value of temp2;
B7e) calculate xW mod f, the result is replaced the value of W;
B7f) iteron step B7e, the value of usefulness W replaces the value of U;
B7g) value of usefulness temp2 replaces the value of V;
B7h) replace δ with δ+2;
If minimum two of B8 variable δ is all to be 0, and the element 1 of the corresponding GF of the value of variable e (p), then carry out following substep B8a~B8f:
B8a) calculate xR-x 2ET replaces the result value of temp1;
B8b) calculate xT, the result is replaced the value of R;
B8c) value of usefulness temp1 replaces the value of S;
B8d) calculate U-e (xW mod f), the result is replaced the value of temp2;
B8e) value of usefulness W replaces the value of U;
B8f) value of usefulness temp2 replaces the value of V;
If lowest order and the inferior low level of B9 variable δ are respectively 1 and 0, then carry out following substep B9a~B9f:
B9a) value of usefulness R replaces the value of temp1;
B9b) calculate x 2T-x (eR) replaces the result value of R;
B9c) value of usefulness temp1 replaces the value of S;
B9d) calculate U/x mod f, the result is replaced the value of temp2;
B9e) calculate x (W-etemp2) mod f, the result is replaced the value of U;
B9f) value of usefulness temp2 replaces the value of V;
If lowest order and the inferior low level of B10 variable δ are respectively 1 and 1, then carry out following substep B10a~B10e:
B10a) calculate x 2T-x (eR) replaces the result value of S;
B10b) calculate U/x mod f, the result is replaced the value of temp1;
B10c) calculate W-etemp1, the result is replaced the value of V;
B10d) iteron step B10b replaces the value of temp1 the value of U;
B10e) replace δ with δ-2;
If the highest order coefficient r of B11 variable R mWith inferior high potential coefficient r M-1The element 0 of all corresponding GF (p), carry out following substep B11a~B11d:
B11a) calculate x 2R replaces the result value of R;
B11b) calculate xU mod f, the result is replaced the value of U;
B11c) iteron step B11b;
B11d) replace δ with δ+2;
If the highest order coefficient r of B12 variable R mWith inferior high potential coefficient r M-1The element 0 and 1 of the corresponding GF of difference (p), carry out following substep B12a~B12d:
B12a) calculate xR, the result is replaced the value of R;
B12b) calculate xT, the result is replaced the value of S;
B12c) calculate xU mod f, the result is replaced the value of temp1;
B12d) calculate V-qtemp1, the result is replaced the value of V;
The counting i of B13, cycle counter increases by one, as i during less than m-1, returns step B2;
B14, counting m time, when promptly i equals m-1, finite field gf (p m) inversion operation finish, output valve is the multiplicative inverse a of input element a -1
4, method according to claim 3 is characterized in that, the coefficient a of described input element a and irreducible function f (x) iAnd f i, the scope of i from 0 to m-1 belonged to finite field gf (p).
5, method according to claim 3 is characterized in that, described method realizes finite field gf (2 by the hardware device of inverting m) element is inverted, and the operating frequency of other arithmetic units is close in the operating frequency of the described device of inverting and the elliptic curve cryptography system.
6, method according to claim 5 is characterized in that, described finite field gf (2 m) go up the step-by-step XOR that certain element plus-minus is vector; Certain element be multiply by or be about to this vector divided by x move to left or move to right one, zero padding; Certain element delivery f (x) is about to this element and f (x) step-by-step XOR delivery, to guarantee that the result is still at finite field gf (2 m) in.
7, method according to claim 6 is characterized in that, described variable U multiply by x or during divided by x at every turn, if highest order is 1, need with f ( x ) = x m + &Sigma; 0 m - 1 f i x i Step-by-step XOR delivery is to carry out stipulations, to guarantee that the result is still at finite field gf (2 m) in.
8, a kind of realization is applied to the elliptic curve cryptography system as claim 1~7 device that the finite field of method is inverted as described in each, it is characterized in that described finite field is GF (2 m), and this device comprises:
Register R, S, U, V and δ, described register R, S, U, V are respectively applied for storage variable of a polynomial R, S, U and V, and described δ register is used for the value of record variable δ, and the displacement situation of the variation of variable δ reflection U register, during initialization, with finite field gf (2 m) interior monobasic prime polynomial a inserts described R register as input element a, define an irreducible function f (x) simultaneously and insert described source register, and described U register is set to 1, described V register and δ register are set to 0;
RS computational logic module is used to upgrade variable R and S;
UV computational logic module is used for more new variables U and V;
Control logic module is used for the highest two groups of coefficient r according to described source register and R register mr M-1, s ms M-1Value, calculate intermediate variable q and e, then according to control signal r m, r M-1, δ 0, δ 1, e and i control the work of described RS computational logic module and UV computational logic module;
Described RS computational logic module and UV computational logic module are finished calculating in a clock cycle, in the next clock cycle updating value of four variable S, R, U, V is re-entered register S, R, U, V, the counter of loop control simultaneously i upgrades, after m circulation, export the multiplicative inverse a of this input element a -1
9, device according to claim 8 is characterized in that, described RS computational logic module and UV computational logic module adopt hardware to realize basic operation respectively,
Described RS computational logic module is made up of m+1 identical and arranged side by side RS computational logic unit, described each RS computational logic unit concurrent working, after in a clock cycle, finishing computing updating value is imported R register and source register, wait for that again next round calculating is carried out in the control logic instruction of described control logic module;
Described UV computational logic module is made up of m identical and arranged side by side UV computational logic unit, described each UV computational logic unit concurrent working, after in a clock cycle, finishing computing updating value is imported U register and V register, wait for that again next round calculating is carried out in the control logic instruction of described control logic module.
10, device according to claim 8 is characterized in that, the memory space of described R register and source register is the m+1 bit, and the memory space of described U register and V register is the m bit; Described R register and source register interact, and described U register and V register interact, and these two groups of operation registers are synchronous.
CNA2008100669157A 2008-04-28 2008-04-28 Finite field inversion method based on hardware design and device thereof Pending CN101572602A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008100669157A CN101572602A (en) 2008-04-28 2008-04-28 Finite field inversion method based on hardware design and device thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100669157A CN101572602A (en) 2008-04-28 2008-04-28 Finite field inversion method based on hardware design and device thereof

Publications (1)

Publication Number Publication Date
CN101572602A true CN101572602A (en) 2009-11-04

Family

ID=41231844

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100669157A Pending CN101572602A (en) 2008-04-28 2008-04-28 Finite field inversion method based on hardware design and device thereof

Country Status (1)

Country Link
CN (1) CN101572602A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102713921A (en) * 2010-01-13 2012-10-03 微软公司 Determination of pairings on a curve using aggregated inversions
CN102902510A (en) * 2012-08-03 2013-01-30 华南理工大学 Galois field inversion device
CN105068784A (en) * 2015-07-16 2015-11-18 清华大学 Montgomery modular multiplication based Tate pairing algorithm and hardware structure therefor
CN105204820A (en) * 2014-06-26 2015-12-30 英特尔公司 Instructions and logic to provide general purpose gf(256) simd cryptographic arithmetic functionality
CN107797790A (en) * 2017-11-03 2018-03-13 深圳职业技术学院 A kind of finite field inverter based on a full irreducible function
CN107885486A (en) * 2017-12-04 2018-04-06 深圳职业技术学院 A kind of compound finite field inversions device based on search tree
CN108008934A (en) * 2017-12-04 2018-05-08 深圳职业技术学院 A kind of compound finite field inversions device based on look-up table
CN108390761A (en) * 2018-02-09 2018-08-10 北京万协通信息技术有限公司 A kind of hardware implementation method that dual domain mould is inverse
CN112286490A (en) * 2020-11-11 2021-01-29 南京大学 Hardware architecture and method for loop iteration multiply-add operation

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102713921A (en) * 2010-01-13 2012-10-03 微软公司 Determination of pairings on a curve using aggregated inversions
CN102902510A (en) * 2012-08-03 2013-01-30 华南理工大学 Galois field inversion device
CN102902510B (en) * 2012-08-03 2016-04-13 华南理工大学 A kind of finite field inverter
US9389835B2 (en) 2012-08-03 2016-07-12 South China University Of Technology Finite field inverter
CN105204820B (en) * 2014-06-26 2019-02-22 英特尔公司 For providing general GF(256) instruction and logic of SIMD encrypted mathematical function
CN105204820A (en) * 2014-06-26 2015-12-30 英特尔公司 Instructions and logic to provide general purpose gf(256) simd cryptographic arithmetic functionality
CN105068784A (en) * 2015-07-16 2015-11-18 清华大学 Montgomery modular multiplication based Tate pairing algorithm and hardware structure therefor
CN105068784B (en) * 2015-07-16 2018-02-16 清华大学 Realize the circuit based on the Tate of montgomery modulo multiplication to algorithm
CN107797790A (en) * 2017-11-03 2018-03-13 深圳职业技术学院 A kind of finite field inverter based on a full irreducible function
CN107797790B (en) * 2017-11-03 2021-07-09 深圳职业技术学院 Finite field inverter based on all-one irreducible polynomial
CN107885486A (en) * 2017-12-04 2018-04-06 深圳职业技术学院 A kind of compound finite field inversions device based on search tree
CN108008934A (en) * 2017-12-04 2018-05-08 深圳职业技术学院 A kind of compound finite field inversions device based on look-up table
CN107885486B (en) * 2017-12-04 2021-09-07 深圳职业技术学院 Composite finite field inversion device based on search tree
CN108390761A (en) * 2018-02-09 2018-08-10 北京万协通信息技术有限公司 A kind of hardware implementation method that dual domain mould is inverse
CN108390761B (en) * 2018-02-09 2021-03-05 北京万协通信息技术有限公司 Hardware implementation method of dual-domain modular inversion
CN112286490A (en) * 2020-11-11 2021-01-29 南京大学 Hardware architecture and method for loop iteration multiply-add operation
CN112286490B (en) * 2020-11-11 2024-04-02 南京大学 Hardware architecture and method for loop iteration multiply-add operation

Similar Documents

Publication Publication Date Title
CN101572602A (en) Finite field inversion method based on hardware design and device thereof
Naehrig et al. New software speed records for cryptographic pairings
Agnew et al. An implementation of elliptic curve cryptosystems over F/sub 2/155
Shantz From Euclid's GCD to Montgomery multiplication to the great divide
Afreen et al. A review on elliptic curve cryptography for embedded systems
Naehrig et al. Dual isogenies and their application to public-key compression for isogeny-based cryptography
Granger et al. Hardware and software normal basis arithmetic for pairing-based cryptography in characteristic three
CN103942031B (en) Elliptic domain curve operations method
Kumar Elliptic curve cryptography for constrained devices
CN106888088A (en) Elliptic curve cipher Fast implementation and its device
Goodman et al. An energy efficient reconfigurable public-key cryptography processor architecture
CN100527073C (en) High efficiency modular multiplication method and device
CN101842824A (en) Pairing calculation device, pairing calculation method, and recording medium on which pairing calculation program is recorded
Abdulrahman et al. New regular radix-8 scheme for elliptic curve scalar multiplication without pre-computation
Orlando Efficient elliptic curve processor architectures for field programmable logic
Gutub et al. Serial vs. parallel elliptic curve crypto processor designs
WO2024100108A1 (en) Devices and processes for generating public keys and for generating and verifying signatures
Vollala et al. Efficient modular exponential algorithms compatible with hardware implementation of public‐key cryptography
Chatterjee et al. Software Implementation of Curve based Cryptography for Constrained Devices
Stogbauer Efficient Algorithms for pairing-based cryptosystems
Kim et al. LFSR multipliers over GF (2m) defined by all-one polynomial
Ma et al. Fast implementation for modular inversion and scalar multiplication in the elliptic curve cryptography
Koziel Low-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves
Realpe-Muñoz et al. High-performance elliptic curve cryptoprocessors over GF (2^ m) GF (2 m) on Koblitz curves
Byrne et al. Versatile processor for GF (pm) arithmetic for use in cryptographic applications

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20091104