CN102521544B - Modular exponentiation method for preventing power attacks in central processing unit (CPU) - Google Patents

Publication number: CN102521544B
Authority: CN (China)
Prior art keywords: current, subdata, bit, default, cpu
Legal status: Active
Application number: CN201110442321.3A
Other languages: Chinese (zh)
Other versions: CN102521544A
Inventors: 陆舟, 于华章
Current assignee: Beijing Hongsi Electronic Technology Co ltd
Original assignee: Feitian Technologies Co Ltd
Events:
  • Application filed by Feitian Technologies Co Ltd
  • Priority to CN201110442321.3A
  • Publication of CN102521544A
  • Application granted
  • Publication of CN102521544B
  • Legal status: Active
  • Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Devices For Executing Special Programs (AREA)

Abstract

The invention discloses a modular exponentiation method for preventing power attacks in a central processing unit (CPU), and relates to the field of information security. The method comprises the following steps that: the CPU reads a preset overall bit length from a first register, and reads a preset group number from a second register; the CPU accesses a first memory area, reads a piece of subdata according to the preset group number and preset rules, and executes preset operation on the subdata which is currently read; after finishing the preset operation over all the subdata, the CPU obtains a preset group number of operation results; the CPU controls a coprocessor to execute modular exponentiation on the preset group number of operation results according to a preset sequence; the CPU sequentially updates all the subdata into corresponding modular exponentiation results; and the CPU controls the coprocessor to execute modular multiplication operation on the preset group number of pieces of updated subdata and to output operation results. Compared with the prior art, the invention can fulfill the aim of preventing simple power analysis (SPA) attacks, differential power analysis (DPA) attacks, refined power analysis (RPA) attacks and zero value power analysis (ZPA) attacks.

Description

Method for implementing modular exponentiation resistant to power analysis attacks in a CPU
Technical field
The present invention relates to the field of information security, and in particular to a method for implementing the modular exponentiation used for information encryption and decryption.
Background technology
To date, the public-key cryptosystems used on electronic devices fall mainly into two classes. The first class is based on large-integer factorization, for example the RSA and Rabin-Williams systems; the second class is based on the discrete logarithm in a cyclic group, for example the ElGamal system and the Digital Signature Algorithm (DSA). Most of these public-key cryptosystems need to compute the modular exponentiation x^E (mod n) over the integers, where x, E and n are integers, and in these cryptosystems the exponent E of some of the modular exponentiations must always be kept strictly secret.
The computing unit of a modern cryptographic device is an integrated circuit (IC) chip. A chip is built entirely from transistor gates, and its power consumption differs when the circuit carries out different program operations; this can be observed with an oscilloscope. Based on this, Kocher and others proposed power analysis attacks. Their premise is that the power consumption trace is correlated with the instructions the device executes and with the values of the operands being processed, so inspecting the power trace can expose the instructions being executed and the data held in registers. When a cryptographic device is performing a secret-key operation, an attacker may thus derive the secret key. Research shows that almost all public-key cryptosystems are potentially exposed to power analysis attacks, and the threat is especially severe for embedded devices such as smart cards that depend on an external power supply.
Summary of the invention
The object of the present invention is to provide a method for implementing modular exponentiation with stronger resistance to attack, in particular a method suited to embedded devices with limited computing resources such as smart cards.
The technical solution adopted by the present invention is as follows:
A method for implementing modular exponentiation resistant to power analysis attacks in a CPU, comprising:
Step S1: the CPU reads a preset total bit length from a first register and a preset group number from a second register;
Step S2: the CPU accesses a first memory area and, according to the preset group number and a preset rule, reads one subdata, the subdata being a part of the first data stored in the first memory area;
Step S3: the CPU performs a preset operation on the currently read subdata;
Step S4: after the CPU has performed the preset operation on all subdatas, it obtains a preset group number of operation results;
Step S5: the CPU controls the coprocessor to perform modular exponentiation on the preset group number of operation results in a preset order;
Step S6: the CPU updates each subdata in turn to the corresponding modular exponentiation result;
Step S7: the CPU controls the coprocessor to perform modular multiplication on the preset group number of updated subdatas and outputs the operation result.
Reading one subdata according to the preset rule in step S2 means either: the CPU divides the preset total bit length by the preset group number to obtain the bit length of an equal part, and reads one subdata of that bit length from the first data randomly or in a fixed order; or: the CPU, according to predefined unequal subdata bit lengths for the preset group number of subdatas, obtains from the first data, randomly or in a fixed order, one subdata whose bit length equals the corresponding subdata bit length.
When the preset operation in step S3 is performed on the currently read subdata bit by bit in order from the low bit to the high bit, steps S3 to S4 are specifically:
Step S3-1: the CPU initializes all intermediate variables stored in a third memory area, the current operand stored in a fourth memory area, and the bit index held in a third register;
Step S3-2: read a subdata according to the preset rule;
Step S3-3: according to the value of the bit pointed to by the current bit index, perform the preset operation on the currently read subdata to obtain one operation result;
Step S3-4: when a preset group number of subdatas have been read and a preset group number of operation results obtained, update the current operand and the current bit index;
Step S3-5: judge whether the current bit index exceeds the bit length of an equal part; if so, go to step S3-6, otherwise return to step S3-2;
Step S3-6: output the preset group number of operation results.
Further, the initialization in step S3-1 specifically sets the initial value of all intermediate variables stored in the third memory area to 1, sets the initial value of the current operand stored in the fourth memory area to the second data, and sets the initial value of the bit index held in the third register to 1.
The preset operation in step S3-3 specifically comprises the following steps:
Step A: judge whether the value of the bit pointed to by the current bit index is 1; if so, go to step B, otherwise go to step D;
Step B: perform modular multiplication of the intermediate variable corresponding to the currently read subdata by the current operand;
Step C: update the intermediate variable with the modular multiplication result; the preset operation is complete;
Step D: the intermediate variable is left unchanged; the preset operation is complete.
When the preset operation in step S3 is performed on the currently read subdata bit by bit in order from the high bit to the low bit, steps S3 to S4 are specifically:
Step S3-1: the CPU initializes the current operand and the bit index;
Step S3-2: read a subdata according to the preset rule;
Step S3-3: according to the value of the bit pointed to by the current bit index, perform the preset operation on the currently read subdata to obtain one operation result;
Step S3-4: update the current bit index;
Step S3-5: judge whether the value of the current bit index is less than zero; if so, go to step S3-6, otherwise return to step S3-2;
Step S3-6: output the preset group number of operation results.
Further, initializing the current operand in step S3-1 means that the CPU accesses a second memory area and assigns the second data stored there to the current operand; initializing the bit index means pointing the bit index held in the third register at the bit following the first non-zero bit, counted from the most significant bit, of the currently accessed equal part.
The preset operation in step S3-3 specifically comprises the following steps:
Step A: perform modular squaring of the current operand, with the preset modulus as modulus, and update the current operand with the result;
Step B: judge whether the value of the bit of the currently read subdata pointed to by the current bit index is 1; if so, go to step C, otherwise go to step D;
Step C: perform modular multiplication of the second data by the current operand with the preset modulus as modulus, and update the current operand with the result; the preset operation is complete;
Step D: the current operand is left unchanged; the preset operation is complete.
Steps S3 to S6 above may also be replaced by the following steps:
Step S3': the CPU performs preset processing on the currently read subdata;
Step S4': after the CPU has performed the preset processing on all subdatas, it obtains a preset group number of results;
Step S5': the CPU updates each subdata in turn to the corresponding result.
When the preset processing in step S3' is performed on the currently read subdata bit by bit in order from the low bit to the high bit, steps S3' to S4' are specifically:
Step S3'-1: the CPU initializes all intermediate variables stored in the third memory area, the current operand stored in the fourth memory area, and the bit index held in the third register;
Step S3'-2: read a subdata according to the preset rule;
Step S3'-3: perform the preset processing on the currently read subdata according to the value of the bit pointed to by the current bit index;
Step S3'-4: after the CPU has performed the preset processing on all subdatas, it obtains a preset group number of results.
The initialization in step S3'-1 specifically sets the initial value of all intermediate variables to 1, the initial value of the current operand to the second data, and the initial value of the bit index to 1, pointing at the 1st bit.
Steps S3'-2 and S3'-3 specifically comprise the following steps:
Step A1: read a subdata according to the preset rule;
Step A2: judge whether the value of the bit of the currently read subdata pointed to by the current bit index is 1; if so, go to step A3; otherwise the current intermediate variable is left unchanged and step A4 is executed;
Step A3: perform modular multiplication of the current intermediate variable corresponding to the current subdata in the third memory area by the current operand in the fourth memory area, and update the current intermediate variable with the result;
Step A4: perform modular squaring of the current operand and update the current operand with the result;
Step A5: update the current bit index;
Step A6: judge whether the value of the current bit index exceeds the bit length of the currently read subdata; if so, go to step A7, otherwise go to step A8;
Step A7: record the current intermediate variable as one result;
Step A8: judge whether the currently read subdata is the last (the preset-group-number-th) subdata; if so, go to step A10, otherwise go to step A9;
Step A9: read the next subdata and return to step A2;
Step A10: output the recorded preset group number of results.
When the preset processing in step S3' is performed on the currently read subdata bit by bit in order from the high bit to the low bit, steps S3' to S4' are specifically:
Step S3'-1: the CPU initializes the current operand and the current bit index;
Step S3'-2: read a subdata according to the preset rule;
Step S3'-3: according to the value of the bit pointed to by the bit index, perform the preset processing on the currently read subdata to obtain a preset group number of results.
The initialization in step S3'-1 specifically sets the initial value of the current operand to the second data and points the bit index at the bit following the first non-zero bit, counted from the most significant bit, of the currently accessed equal part.
Steps S3'-2 and S3'-3 specifically comprise the following steps:
Step A1: access and read a subdata according to the preset rule;
Step A2: perform modular squaring of the current operand with the preset modulus as modulus, and update the current operand with the result;
Step A3: judge whether the value of the bit of the currently read subdata pointed to by the current bit index is 1; if so, go to step A4; otherwise the current operand is left unchanged and step A5 is executed;
Step A4: perform modular multiplication of the second data by the current operand with the preset modulus as modulus, and update the current operand with the result;
Step A5: update the current bit index;
Step A6: judge whether the current bit index is less than zero; if so, go to step A7, otherwise go to step A8;
Step A7: record the current operand as one result;
Step A8: judge whether the currently read subdata is the last (the preset-group-number-th) subdata; if so, go to step A10, otherwise go to step A9;
Step A9: read the next subdata and return to step A2;
Step A10: output the recorded preset group number of results.
Updating the current bit index above may consist of shifting the bit index left by one or incrementing it by 1 so that it points at the next bit, or of shifting it right by one or decrementing it by 1 so that it points at the next bit.
The beneficial effect of the present invention is that, compared with the prior art, the modular exponentiation method of the present invention achieves resistance to SPA, DPA, RPA and ZPA attacks.
Brief description of the drawings
Fig. 1 is a flowchart of the method for implementing modular exponentiation proposed in embodiment one of the present invention;
Fig. 2 is a detailed flowchart of steps 103 and 104 in Fig. 1;
Fig. 3 is a schematic diagram of the preset operation in step 103-3 of Fig. 2;
Fig. 4 is a schematic diagram of the process in which step 105 of Fig. 1 performs modular exponentiation in the preset order;
Fig. 5 is a flowchart of the method for implementing modular exponentiation proposed in embodiment two of the present invention;
Fig. 6 is a detailed flowchart of step 103' in Fig. 5;
Fig. 7 is a detailed flowchart of steps 103'-2 to 103'-4 in Fig. 6;
Fig. 8 is a detailed flowchart of steps 103 and 104 of Fig. 1 according to embodiment three of the present invention;
Fig. 9 is a detailed flowchart of step A3 in Fig. 8;
Fig. 10 is a detailed flowchart of steps 103' and 104' of Fig. 5 according to embodiment three of the present invention;
Fig. 11 is a detailed flowchart of step B2 in Fig. 10.
Embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
To guarantee the security of a modular exponentiation whose exponent is a key or a security parameter, the present invention proposes a method for implementing modular exponentiation that processes the exponent of the modular exponentiation so that it is not easily attacked by an unauthorized party.
Embodiment one
This embodiment provides a method for implementing modular exponentiation resistant to power analysis attacks in a CPU, comprising the following steps, as shown in Fig. 1:
Step 101: the CPU reads the preset total bit length from the first register and the preset group number from the second register;
Specifically, the preset group number is an integer greater than or equal to 2, preferably equal to 2.
Step 102: the CPU accesses the first memory area, reads the first data stored there, and each time reads one subdata according to the preset group number and the preset rule, the subdata being a part of the first data;
This step is equivalent to dividing the first data stored in the first memory area into a preset group number of subdatas, so that the first memory area is logically divided into a preset group number of sub-areas;
Preferably, reading the first data stored in the first memory area according to the preset rule can specifically be: the CPU divides the preset total bit length by the preset group number to obtain the subdata bit length, and reads subdatas of that bit length from the first data randomly or in a fixed order.
The steps following step 102 in this embodiment are all described on the basis of this preferred preset rule.
Specifically, in this embodiment, binary substrings whose bit length equals the subdata bit length are cut from the first data in the first memory area in succession from the least significant bit towards the most significant bit; each binary substring is one subdata, and each subdata corresponds to one sub-area;
Further, if the bit length of the first data is less than the preset total bit length, the first data is padded with leading zeros at its most significant end until its bit length equals the preset total bit length. Correspondingly, when cutting starts from the most significant bit, the high bits of the sub-area corresponding to the first subdata cut out are zero-padded. For example, if the difference between the bit length of the first data and the preset bit length is 12, the first subdata cut out begins, counting from its most significant bit, with 12 zeros, and the bit that follows them, the 13th bit counted from the most significant position, is the most significant bit of the first data.
In this embodiment, the subdatas cut out starting from the most significant bit of the first data (whose bit length equals the preset total bit length) are defined in turn as the first subdata, the second subdata, ...; the number of subdatas cut out equals the preset group number.
Apart from the above preferred rule, reading the first data stored in the first memory area according to the preset rule may also be: obtaining from the first data, randomly or in a fixed order, subdatas whose bit lengths equal predefined unequal subdata bit lengths for the preset group number of subdatas, so that the bit length of the subdata read each time may differ.
Step 103: perform the preset operation on the currently read subdata;
Step 104: after the CPU has performed the preset operation on all subdatas, it obtains a preset group number of operation results;
Step 105: the CPU controls the coprocessor to perform modular exponentiation on the preset group number of operation results in the preset order;
Step 106: the CPU updates each subdata in turn to the corresponding modular exponentiation result;
Step 107: the CPU controls the coprocessor to perform modular multiplication on the preset group number of updated subdatas and outputs the operation result.
As shown in Fig. 2, step 103 above performs the preset operation on the currently read subdata bit by bit in order from the low bit to the high bit, specifically in the following steps:
Step 103-1: the CPU initializes all intermediate variables stored in the third memory area, the current operand stored in the fourth memory area, and the bit index held in the third register;
In this embodiment in particular, the third memory area stores a preset group number of intermediate variables. The CPU accesses the third memory area, and initializing all intermediate variables stored there specifically means setting the initial value of each intermediate variable to 1; the CPU accesses the second memory area and assigns the second data stored there to the current operand; the bit index stored in the third register is set to 1.
Further, the preset group number of intermediate variables correspond one to one with the preset group number of subdatas, and the bit index stored in the third register denotes the bit number within a subdata.
Step 103-2: the CPU accesses a sub-area according to the preset rule and reads its subdata;
Step 103-3: according to the value of the bit pointed to by the current bit index, perform the preset operation on the subdata stored in the currently accessed sub-area to obtain one operation result;
In this embodiment in particular, the preset rule is the predefined order in which the CPU accesses the sub-areas; for example, the CPU may be preset to access all sub-areas in a random manner, and specifically may access them in reverse order or at intervals.
As shown in Fig. 3, the preset operation specifically comprises the following steps:
Step 103-31: judge whether the value of the bit of the subdata stored in the sub-area pointed to by the current bit index is 1; if so, go to step 103-32, otherwise go to step 103-34;
Step 103-32: control the coprocessor to perform modular multiplication of the current intermediate variable corresponding to the subdata by the current operand;
Step 103-33: update the current intermediate variable with the modular multiplication result; the preset operation is complete;
Step 103-34: the current intermediate variable is left unchanged; the preset operation is complete.
For example: if the sub-area accessed by the CPU is the first sub-area, the current operand is the second data, the current bit index is 1 (pointing at the 1st bit), and the intermediate variable corresponding one to one with the first subdata in the first memory area has initial value 1, then the CPU judges whether the value of the 1st bit of the first subdata is 1; if so, it controls the coprocessor to multiply the current intermediate variable by the second data modulo the preset modulus and updates the current intermediate variable with the product; otherwise the current intermediate variable is unchanged.
Further, executing steps 103-2 and 103-3 performs one preset operation on every subdata at the bit position pointed to by the current bit index, the number of subdatas being the preset group number. The object chosen for each preset operation is the intermediate variable corresponding to the subdata stored in the sub-area that the CPU accesses according to the preset rule; precisely because the access order follows the preset rule, the security and attack resistance of the data operation are strengthened.
Step 103-4: update the current operand and the current bit index;
In this embodiment in particular, updating the current operand means that the CPU controls the coprocessor to perform modular squaring of the current operand, with the preset modulus as modulus, and updates the current operand with the result; updating the bit index means shifting the bit index left by one or incrementing it by 1 so that it points at the next bit.
Step 103-5: judge whether the current bit index exceeds the subdata bit length; if so, go to step 103-6, otherwise return to step 103-2;
Step 103-6: output the preset group number of operation results.
As shown in Fig. 4, the process in which the coprocessor performs modular exponentiation in the preset order in step 105 comprises the following steps:
Step 105-1: assign the currently read subdata to the operation variable, and set the initial value of the current bit index to 1;
Step 105-2: the CPU calculates the cycle count of each subdata;
Specifically, if the currently read subdata is the first subdata, the cycle count of the first subdata equals (the preset group number minus 1) multiplied by the subdata bit length; the cycle count of the second subdata equals (the preset group number minus 2) multiplied by the subdata bit length, and so on.
Step 105-3: judge whether the value of the bit of the intermediate variable pointed to by the current bit index is 1; if so, go to step 105-4, otherwise the current output value is unchanged and jump to step 105-5;
Step 105-4: perform a squaring of the current operation variable modulo the preset modulus and update the current operation variable with the result;
Step 105-5: increment the current bit index by 1;
Step 105-6: judge whether the value of the current bit index is greater than the cycle count of the current subdata; if so, proceed to the next step, otherwise return to step 105-3;
Step 105-7: output the current operation variable.
All subdatas are processed according to steps 105-1 to 105-7 above, and the preset group number of operation variables obtained are the modular exponentiation results.
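The flow of steps 101 to 107 for embodiment one (with the low-to-high pass of steps 103-1 to 103-6 and the recombination of steps 105-1 to 105-7), written out as an added Python example. This is not code from the patent or from its assignee: the function names, the list r standing in for the third memory area, the variable operand standing in for the fourth memory area, and the sample parameters (the textbook RSA toy modulus 3233 with exponent 2753) are my own choices. The preset rule is realised as a fresh random permutation of the sub-areas at every bit position, and step 105 is implemented as (group number minus i) times width modular squarings of the i-th result, which is my reading of the cycle count given in step 105-2.

```python
"""Exponent-splitting modular exponentiation following embodiment one.
Added example, not the patent's own code; names and sample values are mine."""
import random


def split_exponent(E, total_bits, groups):
    """Step 102: pad E with leading zeros to total_bits, then cut it into
    `groups` subdatas of equal width.  Returned most significant first, so
    list index i is 'the (i+1)-th subdata' in the text's numbering."""
    if total_bits % groups:
        raise ValueError("preset total bit length must be a multiple of the group number")
    if E.bit_length() > total_bits:
        raise ValueError("exponent is longer than the preset total bit length")
    w = total_bits // groups
    mask = (1 << w) - 1
    return [(E >> ((groups - 1 - i) * w)) & mask for i in range(groups)]


def partial_powers(x, chunks, width, n, rng):
    """Steps 103-1 to 103-6: one low-to-high pass over the bit index.
    At every bit position the sub-areas are visited in a fresh random order
    (the preset rule of 103-2); r[i] is multiplied by the current operand
    when the bit is set (103-31 to 103-34); once all sub-areas have been
    visited the operand is squared (103-4)."""
    k = len(chunks)
    r = [1] * k                        # 103-1: intermediate variables start at 1
    operand = x % n                    # 103-1: current operand = second data
    for bit in range(width):           # 103-5: stop once the index exceeds the width
        order = list(range(k))
        rng.shuffle(order)             # 103-2: preset rule = random access order
        for i in order:
            if (chunks[i] >> bit) & 1:                 # 103-31
                r[i] = (r[i] * operand) % n            # 103-32 / 103-33
            # else 103-34: r[i] is left unchanged
        operand = (operand * operand) % n              # 103-4: modular squaring
    return r                                           # 103-6


def shift_results(r, width, n):
    """Step 105: the i-th result (1-based, most significant first) is squared
    (groups - i) * width times, i.e. raised to 2^((groups - i) * width).
    This is my reading of the cycle count of step 105-2."""
    k = len(r)
    shifted = []
    for i, v in enumerate(r, start=1):
        for _ in range((k - i) * width):               # 105-4 repeated 'cycle count' times
            v = (v * v) % n
        shifted.append(v)                              # 105-7
    return shifted


def combine(shifted, n):
    """Step 107: modular multiplication of all updated subdatas."""
    result = 1
    for v in shifted:
        result = (result * v) % n
    return result


def modexp_split(x, E, n, total_bits, groups=2, seed=None):
    """Steps 101 to 107 end to end; returns x**E mod n."""
    rng = random.Random(seed)          # seeded only so a demo run is reproducible
    width = total_bits // groups       # step 102: subdata bit length
    chunks = split_exponent(E, total_bits, groups)
    r = partial_powers(x, chunks, width, n, rng)
    return combine(shift_results(r, width, n), n)


if __name__ == "__main__":
    # Constructed sample: the textbook RSA toy key n = 3233, d = 2753, where
    # the ciphertext 2790 decrypts to 65.
    n, d, c = 3233, 2753, 2790
    print(split_exponent(d, 16, 2))                    # [10, 193]: 10 * 2**8 + 193 == 2753
    print(modexp_split(c, d, n, total_bits=16, groups=2), pow(c, d, n))
```

Correctness of the recombination follows from E = sum over i of e_i * 2^((k - i) * w), so the product of the shifted partial powers is x^E. Python integers are not constant-time, so this shows the arithmetic structure of the method rather than a leakage-free implementation; in the device the countermeasure rests on the coprocessor's modular multiply and square plus the randomised access order of the sub-areas.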
Embodiment two
On the basis of embodiment one, this embodiment replaces steps 103 to 106 of the method for implementing modular exponentiation resistant to power analysis attacks in a CPU provided by embodiment one with steps 103' to 105'; the remaining steps are unchanged. Specifically, as shown in Fig. 5:
Step 103': perform preset processing on the currently read subdata to obtain one result;
Step 104': after the preset processing has been performed on all subdatas, the CPU obtains a preset group number of results;
Step 105': the CPU updates each subdata to its corresponding result;
As shown in Fig. 6, step 103' above performs the preset operation on all subdatas bit by bit in order from the low bit to the high bit, specifically in the following steps:
Step 103'-1: initialize all intermediate variables stored in the third memory area, the current operand stored in the fourth memory area, and the bit index held in the third register;
In this embodiment in particular, the CPU accesses the third memory area, and initializing all intermediate variables stored there specifically means setting their initial value to 1; the CPU accesses the second memory area and assigns the second data stored there to the current operand stored in the fourth memory area; the bit index stored in the third register is set to 1, pointing at the 1st bit.
Further, each subdata corresponds one to one with a bit index, and the bit index stored in the third register denotes the bit currently being processed of the subdata corresponding to the intermediate variable currently accessed in the third memory area.
Step 103'-2: the CPU accesses a sub-area according to the preset rule and reads its subdata;
Step 103'-3: according to the value of the bit pointed to by the current bit index, perform the preset processing on the subdata stored in the currently accessed sub-area to obtain one result;
Step 103'-4: after the CPU has performed the preset processing on all subdatas, it obtains a preset group number of results.
In this embodiment in particular, reading the first data stored in the first memory area according to the preset rule means that the CPU divides the preset total bit length by the preset group number to obtain the bit length of an equal part, and reads subdatas of that bit length from the first data randomly or in a fixed order.
As shown in Fig. 7, steps 103'-2 to 103'-4 specifically comprise the following steps:
Step 103'-21: access one sub-area according to the preset rule;
Step 103'-22: judge whether the value of the bit of the subdata stored in the currently accessed sub-area pointed to by the current bit index is 1; if so, go to step 103'-23, otherwise go to step 103'-24;
Step 103'-23: the CPU controls the coprocessor to perform modular multiplication of the current intermediate variable corresponding to the current subdata in the third memory area by the current operand in the fourth memory area, and updates the current intermediate variable with the result; then go to step 103'-25;
Step 103'-24: the current intermediate variable is left unchanged;
Step 103'-25: the CPU controls the coprocessor to perform modular squaring of the current operand and updates the current operand with the result;
Step 103'-26: update the current bit index;
In this embodiment in particular, if the initial value of the current bit index is 1, updating the current bit index means shifting its value left by one or incrementing it by 1 so that it points at the next bit.
Step 103'-27: judge whether the value of the current bit index exceeds the subdata bit length; if so, go to step 103'-28, otherwise go to step 103'-29;
Step 103'-28: record the current intermediate variable as one result;
Step 103'-29: judge whether the current subdata is the last subdata; if so, go to step 103'-31, otherwise go to step 103'-30;
Step 103'-30: access the next sub-area and return to step 103'-22;
Step 103'-31: output the recorded preset group number of results.
Embodiment three
The scheme of this embodiment applies to both embodiment one and embodiment two. Its idea is to transform step 104 of embodiment one and step 104' of embodiment two so that the predetermined operation is performed on every subdata bit by bit in order from the most significant bit to the least significant bit. Taking embodiments one and two as the basis, the idea of this embodiment is described as follows:
Referring to Figure 8, steps 103 and 104 of embodiment one specifically comprise the following steps:
Step A1: the CPU initializes the current operand and the bit index;
In this embodiment, initializing the current operand means that the CPU accesses the second memory block and assigns the second data stored there to the current operand; initializing the bit index means that the bit index stored in the third register is pointed to the bit following the first non-zero bit, counting from the most significant bit, of the currently accessed subdata.
Step A2: the CPU accesses a subpool according to the preset rule and reads the subdata;
Step A3: according to the value of the bit pointed to by the current bit index, perform the predetermined operation on the subdata stored in the currently accessed subpool and obtain one operation result;
In this embodiment, the preset rule is the preferred preset rule described in embodiment one.
As shown in Figure 9, the predetermined operation of step A3 further comprises the following steps:
Step A3-1: the CPU controls the coprocessor to perform a modular squaring of the current operand with the preset modulus and updates the current operand with the result;
Step A3-2: judge whether the bit pointed to by the current bit index in the subdata stored in the subpool is 1; if so, execute step A3-3, otherwise execute step A3-4;
Step A3-3: the CPU controls the coprocessor to perform a modular multiplication of the second data by the current operand with the preset modulus, and updates the current operand with the modular multiplication result; the predetermined operation is complete;
Step A3-4: the current operand is left unchanged; the predetermined operation is complete.
For example: if the subpool accessed by the CPU is the first subpool, the current operand is the second data and the current bit index is 127, the current operand is first squared modulo the preset modulus and updated with the result; it is then judged whether the second bit, counting from the most significant bit of the first subdata, is 1. If so, the CPU controls the coprocessor to multiply the current operand by the second data modulo the preset modulus and updates the current operand with the product; otherwise the current operand is unchanged.
Further, when the predetermined operation of step A3 is performed on all subdata according to the current bit index: since the number of subdata equals the preset packet count, the predetermined operation is carried out a preset-packet-count number of times, each time on the subdata stored in the subpool that the CPU selects according to the preset rule. Precisely because the access order is governed by the preset rule, the security and attack resistance of the computation are strengthened.
Step A4: update the current bit index;
In this embodiment, updating the current bit index means shifting it right by one bit, or subtracting 1 from it, so that it points to the next bit.
Step A5: judge whether the value of the current bit index is less than zero; if so, execute step A6, otherwise return to step A2;
Step A6: output the preset-packet-count number of operation results.
Referring to Figure 10, steps 103' and 104' of embodiment two specifically comprise the following steps:
Step B1: initialize the current operand and the current bit index;
In this embodiment, the CPU accesses the second memory block and assigns the second data stored there to the current operand, and points the bit index stored in the third register to the bit following the first non-zero bit, counting from the most significant bit, of the currently accessed subdata.
Step B2: the CPU accesses a subpool according to the preset rule and reads the subdata;
Step B3: according to the value of the bit pointed to by the bit index, perform the predetermined processing on the subdata stored in the currently accessed subpool and obtain one result;
Step B4: after the CPU has performed the predetermined processing on all subdata, obtain a preset-packet-count number of results.
In this embodiment, the preset rule is the same as the preset rule described in embodiment two.
As shown in Figure 11, the predetermined processing of step B3 is specifically the following steps:
Step B2-1: access one subpool according to the preset rule;
Step B2-2: the CPU controls the coprocessor to perform a modular squaring of the current operand with the preset modulus and updates the current operand with the result;
Step B2-3: judge whether the bit pointed to by the current bit index in the subdata stored in the currently accessed subpool is 1; if so, execute step B2-5, otherwise execute step B2-4;
Step B2-4: the current operand is left unchanged; then execute step B2-6;
Step B2-5: the CPU controls the coprocessor to perform a modular multiplication of the second data by the current operand with the preset modulus, and updates the current operand with the modular multiplication result;
Step B2-6: update the current bit index;
In this embodiment, updating the current bit index means shifting the bit index right by one bit, or subtracting 1 from it, so that it points to the next bit.
Step B2-7: judge whether the value of the current bit index is less than zero; if so, execute step B2-8, otherwise execute step B2-9;
Step B2-8: record the current operand as one result;
Step B2-9: judge whether the current subdata is the last subdata; if so, execute step B2-11, otherwise execute step B2-10;
Step B2-10: access the next subpool and return to step B2-2;
Step B2-11: output the preset-packet-count number of recorded results.
In the four embodiments above, the first data stored in the first memory block is divided into a preset-packet-count number of subdata, so that the first memory block is logically divided into a preset-packet-count number of subpools; the subdata in the subpools are then operated on separately, in random access order. In this way the object of the invention is achieved: an implementation of modular exponentiation that resists SPA, DPA, RPA and ZPA attacks.
According to the embodiments, the more parts the exponent of the modular exponentiation is divided into, the slower the computation becomes; optimal efficiency is therefore obtained by dividing the exponent into two parts, i.e. two subdata, and performing the predetermined operation or processing on each subdata bit by bit from the least significant bit to the most significant bit. Embodiment one describes this optimal scheme.
The above is only a preferred embodiment of the invention, and the scope of protection is not limited to it. For example, the unequal division of the first data mentioned in embodiment one likewise achieves the resistance to SPA, DPA, RPA and ZPA attacks that the invention provides. Any variation or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the invention falls within its scope of protection. The scope of protection is therefore defined by the claims.
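The two scan directions described above (the right-to-left scan of embodiment one, with one intermediate variable per subdata and a shared operand squared once per bit position, and the left-to-right scan of embodiment three) and the recombination of steps S5 to S7 can be checked against an ordinary modular exponentiation. The following Python is an added example written for this page, not code from the patent or from Feitian: the function names are ours, Python integers stand in for the coprocessor's modular multiplication and squaring, and `random.Random` stands in for whatever random source the device's preset rule draws its access order from (an assumption). It goes beyond the equal division of embodiment one by accepting a list of block widths, which also covers the unequal division of claim 2.

```python
import random


def split_exponent(e, widths):
    """Cut exponent e into blocks, least-significant block first.

    widths[j] is the bit length of block j.  Returns (value, offset, width)
    triples, offset being the bit position of the block's lowest bit.
    Equal widths give the equal division of claim 1 (total bit length
    divided by the packet count); unequal widths give the variant of claim 2.
    """
    if sum(widths) < e.bit_length():
        raise ValueError("blocks do not cover the exponent")
    blocks, offset = [], 0
    for w in widths:
        blocks.append(((e >> offset) & ((1 << w) - 1), offset, w))
        offset += w
    return blocks


def lsb_first_blocks(x, blocks, n, rng):
    """Right-to-left scan (embodiment one / claim 1).

    r[j] is the intermediate variable of block j (initially 1) and y the
    shared current operand (initially the base).  At every bit position i the
    blocks are visited in a fresh random order and r[j] is multiplied by y
    when bit i of block j is set; y is squared once per bit position, after
    all blocks have been visited (step S3-4).  On exit r[j] == x**e_j mod n.
    """
    k = len(blocks)
    r = [1] * k
    y = x % n
    for i in range(max(w for _, _, w in blocks)):
        order = list(range(k))
        rng.shuffle(order)                 # the preset rule: random access order
        for j in order:
            if (blocks[j][0] >> i) & 1:
                r[j] = (r[j] * y) % n
        y = (y * y) % n
    return r


def msb_first_blocks(x, blocks, n, rng):
    """Left-to-right scan (embodiment three / claim 4).

    Each block keeps its own accumulator a[j] and runs square-then-multiply
    from its top bit down.  Starting a[j] at 1 and scanning from the top bit
    of the widest block is equivalent to starting at the base just below the
    block's leading 1, as the text does, and also copes with an all-zero
    block.  Blocks are again visited in random order at every bit position.
    """
    k = len(blocks)
    a = [1] * k
    for i in reversed(range(max(w for _, _, w in blocks))):
        order = list(range(k))
        rng.shuffle(order)
        for j in order:
            a[j] = (a[j] * a[j]) % n
            if (blocks[j][0] >> i) & 1:
                a[j] = (a[j] * x) % n
    return a


def combine(parts, blocks, n):
    """Steps S5 to S7: raise block j's result to 2**offset_j (offset_j
    modular squarings), then multiply the shifted results together."""
    out = 1
    for part, (_, offset, _) in zip(parts, blocks):
        out = (out * pow(part, 1 << offset, n)) % n
    return out


def split_modexp(x, e, n, widths, msb_first=False, seed=None):
    """x**e mod n computed by the split-exponent method.

    seed only fixes this demonstration's access order; a device would take
    the order from its own random source (an assumption of this example).
    """
    rng = random.Random(seed)
    blocks = split_exponent(e, widths)
    scan = msb_first_blocks if msb_first else lsb_first_blocks
    return combine(scan(x, blocks, n, rng), blocks, n)


if __name__ == "__main__":
    # Constructed demonstration values, not taken from the patent.
    n = (1 << 64) - 59
    x = 0x0123456789ABCDEF
    e = 0xDEADBEEFCAFEBABE
    for widths in ([32, 32], [13, 51], [64], [16, 16, 16, 16]):
        for msb in (False, True):
            assert split_modexp(x, e, n, widths, msb) == pow(x, e, n)
    print("split-exponent results match pow(x, e, n)")
```

Both scans give the same answer whatever access order the rule produces, because the block accumulators never depend on each other; that independence is what allows the order to be permuted at every bit position. The multiply-or-skip decision on each exponent bit is still present inside every block, so the protection the text describes comes from randomizing which block's bit is being processed at a given moment, not from removing that decision.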

Claims (11)

1. A method for implementing modular exponentiation resistant to power attacks in a CPU, characterized by comprising:
Step S1: the CPU reads a preset total bit length from a first register and a preset packet count from a second register;
Step S2: the CPU accesses a first memory block and, according to the preset packet count and a preset rule, reads one subdata, the subdata being a part of first data stored in the first memory block;
Step S3: the CPU performs a predetermined operation on the currently read subdata;
Step S4: after the CPU has performed the predetermined operation on all subdata, a preset-packet-count number of operation results are obtained;
Step S5: the CPU controls a coprocessor to perform modular exponentiation on the preset-packet-count number of operation results in a preset order;
Step S6: the CPU sequentially updates all the subdata to the corresponding modular exponentiation results;
Step S7: the CPU controls the coprocessor to perform modular multiplication on the preset-packet-count number of updated subdata and outputs the operation result;
wherein performing the predetermined operation on the currently read subdata in step S3 specifically means performing the predetermined operation on the currently read subdata bit by bit in order from the least significant bit to the most significant bit;
and steps S3 to S4 are specifically:
Step S3-1: the CPU initializes all intermediate variables stored in a third memory block, the current operand stored in a fourth memory block, and the bit index stored in a third register;
Step S3-2: read one subdata according to the preset rule;
Step S3-3: according to the value of the bit pointed to by the current bit index, perform the predetermined operation on the currently read subdata and obtain one operation result;
Step S3-4: when a preset-packet-count number of subdata have been read and a preset-packet-count number of operation results obtained, update the current operand and the current bit index;
Step S3-5: judge whether the current bit index exceeds the equal-division bit length; if so, execute step S3-6, otherwise return to step S3-2;
Step S3-6: output the preset-packet-count number of operation results;
wherein reading one subdata according to the preset rule means that the CPU divides the preset total bit length by the preset packet count to obtain the equal-division bit length, and then reads one subdata of that bit length from the first data either in random order or in a fixed order; and the predetermined operation of step S3-3 is specifically the following steps:
Step A: judge whether the value of the bit pointed to by the current bit index is 1; if so, execute step B, otherwise execute step D;
Step B: perform a modular multiplication of the intermediate variable corresponding to the currently read subdata by the current operand;
Step C: update the intermediate variable with the modular multiplication result; the predetermined operation is complete;
Step D: the intermediate variable is left unchanged; the predetermined operation is complete.
2. The modular exponentiation method according to claim 1, characterized in that reading one subdata according to the preset rule in step S2 may also mean obtaining from the first data, either in random order or in a fixed order, one subdata whose bit length equals one of a preset-packet-count number of predefined, unequal subdata bit lengths.
3. The modular exponentiation method according to claim 1, characterized in that the initialization in step S3-1 specifically sets the initial value of all intermediate variables stored in the third memory block to 1, sets the initial value of the current operand stored in the fourth memory block to the second data, and sets the initial value of the bit index stored in the third register to 1.
4. The modular exponentiation method according to claim 1, characterized in that performing the predetermined operation on the currently read subdata in step S3 may also be performing the predetermined operation bit by bit in order from the most significant bit to the least significant bit;
correspondingly, steps S3 to S4 are specifically:
Step S3-1: the CPU initializes the current operand and the bit index;
Step S3-2: read subdata according to the preset rule;
Step S3-3: according to the value of the bit pointed to by the current bit index, perform the predetermined operation on the currently read subdata and obtain one operation result;
Step S3-4: update the current bit index;
Step S3-5: judge whether the value of the current bit index is less than zero; if so, execute step S3-6, otherwise return to step S3-2;
Step S3-6: output the preset-packet-count number of operation results;
correspondingly, the predetermined operation of step S3-3 is specifically the following steps:
Step A: perform a modular squaring of the current operand with the preset modulus and update the current operand with the result;
Step B: judge whether the bit pointed to by the current bit index in the currently read subdata is 1; if so, execute step C, otherwise execute step D;
Step C: perform a modular multiplication of the second data by the current operand with the preset modulus, and update the current operand with the modular multiplication result; the predetermined operation is complete;
Step D: the current operand is left unchanged; the predetermined operation is complete.
5. The modular exponentiation method according to claim 4, characterized in that initializing the current operand means that the CPU accesses the second memory block and assigns the second data stored there to the current operand, and initializing the bit index specifically means pointing the bit index stored in the third register to the bit following the first non-zero bit, counting from the most significant bit, of the currently accessed equal-division data.
6. The modular exponentiation method according to claim 1, characterized in that steps S3 to S6 are replaced by the following steps:
Step S3': the CPU performs predetermined processing on the currently read subdata;
Step S4': after the CPU has performed the predetermined processing on all subdata, a preset-packet-count number of results are obtained;
Step S5': the CPU sequentially updates all the subdata to the corresponding results;
wherein performing the predetermined processing on the currently read subdata in step S3' specifically means performing the predetermined operation on the currently read subdata bit by bit in order from the least significant bit to the most significant bit; correspondingly, steps S3' to S4' are specifically:
Step S3'-1: the CPU initializes all intermediate variables stored in the third memory block, the current operand stored in the fourth memory block, and the bit index stored in the third register;
Step S3'-2: read subdata according to the preset rule;
Step S3'-3: perform the predetermined processing on the currently read subdata according to the value of the bit pointed to by the current bit index;
Step S3'-4: after the CPU has performed the predetermined processing on all subdata, obtain a preset-packet-count number of results;
correspondingly, steps S3'-2 and S3'-3 are specifically the following steps:
Step A1: read one subdata according to the preset rule;
Step A2: judge whether the bit pointed to by the current bit index in the currently read subdata is 1; if so, execute step A3, otherwise leave the current intermediate variable unchanged and execute step A4;
Step A3: perform a modular multiplication of the current intermediate variable corresponding to the current subdata in the third memory block by the current operand in the fourth memory block, and update the current intermediate variable with the modular multiplication result;
Step A4: perform a modular squaring of the current operand and update the current operand with the result;
Step A5: update the current bit index;
Step A6: judge whether the value of the current bit index exceeds the bit length of the currently read subdata; if so, execute step A7, otherwise execute step A8;
Step A7: record the current intermediate variable as one result;
Step A8: judge whether the currently read subdata is the preset-packet-count-th subdata; if so, execute step A10, otherwise execute step A9;
Step A9: read the next subdata and return to step A2;
Step A10: output the preset-packet-count number of recorded results.
7. The modular exponentiation method according to claim 6, characterized in that the initialization specifically sets the initial value of all intermediate variables to 1, sets the initial value of the current operand to the second data, and sets the initial value of the bit index to 1, pointing to the first bit.
8. The modular exponentiation method according to claim 6, characterized in that performing the predetermined processing on the currently read subdata in step S3' may also be performing the predetermined operation on the currently read subdata bit by bit in order from the most significant bit to the least significant bit; correspondingly, steps S3' to S4' are specifically:
Step S3'-1: the CPU initializes the current operand and the current bit index;
Step S3'-2: read subdata according to the preset rule;
Step S3'-3: according to the value of the bit pointed to by the bit index, perform the predetermined processing on the currently read subdata and obtain a preset-packet-count number of results;
correspondingly, steps S3'-2 and S3'-3 are specifically the following steps:
Step A1: read one subdata according to the preset rule;
Step A2: perform a modular squaring of the current operand with the preset modulus and update the current operand with the result;
Step A3: judge whether the bit pointed to by the current bit index in the currently read subdata is 1; if so, execute step A4, otherwise leave the current operand unchanged and execute step A5;
Step A4: perform a modular multiplication of the second data by the current operand with the preset modulus, and update the current operand with the modular multiplication result;
Step A5: update the current bit index;
Step A6: judge whether the current bit index is less than zero; if so, execute step A7, otherwise execute step A8;
Step A7: record the current operand as one result;
Step A8: judge whether the currently read subdata is the preset-packet-count-th subdata; if so, execute step A10, otherwise execute step A9;
Step A9: read the next subdata and return to step A2;
Step A10: output the preset-packet-count number of recorded results.
9. The modular exponentiation method according to claim 8, characterized in that the initialization specifically sets the initial value of the current operand to the second data and points the bit index to the bit following the first non-zero bit, counting from the most significant bit, of the currently accessed equal-division data.
10. The modular exponentiation method according to claim 1, characterized in that updating the current bit index specifically means shifting the bit index left by one bit, or adding 1 to it, so that it points to the next bit.
11. The modular exponentiation method according to claim 4, characterized in that updating the current bit index specifically means shifting the bit index right by one bit, or subtracting 1 from it, so that it points to the next bit.
CN201110442321.3A, priority and filing date 2011-12-26, Modular exponentiation method for preventing power attacks in central processing unit (CPU), Active, CN102521544B (en)

Publications (2)
CN102521544A (en), published 2012-06-27
CN102521544B (en), granted 2014-09-10

Family ID: 46292455; country: CN (1 family member, the application above)

Cited by (2)
CN102929705B, priority 2012-10-31, published 2015-06-17, 飞天诚信科技股份有限公司 (Feitian Technologies Co., Ltd.), Method for quickly generating coordinate points in embedded system (cited by examiner)
CN103593628B, priority 2013-11-07, published 2016-06-01, 中国科学院信息工程研究所 (Institute of Information Engineering, Chinese Academy of Sciences), A logic compound register system and a method of resisting power analysis (cited by examiner)

Patent citations (2)
EP1639447A1, priority 1999-10-28, published 2006-03-29, CP8 Technologies, Security method for a cryptographic electronic assembly based on modular exponentiation against analytical attacks (cited by examiner)
CN1835207A, priority 2005-03-17, published 2006-09-20, 联想(北京)有限公司 (Lenovo (Beijing) Co., Ltd.), Method of preventing energy analysis attack to RSA algorithm (cited by examiner)

Family cites (1)
TW586086B, priority 2002-12-27, published 2004-05-01, Ind Tech Res Inst, Method and apparatus for protecting public key schemes from timing, power and fault attacks (cited by examiner)

Non-patent citations (2)
RAO Jin-tao, CHEN Yun, WU Zhen, CHEN Jun, XU Sen. 一种抗简单功耗分析攻击的模幂算法 (A modular exponentiation algorithm resistant to simple power analysis attacks). 成都信息工程学院学报 (Journal of Chengdu University of Information Technology), 2011, no. 2, full text (cited by examiner).
TONG Yuanman, DAI Kui, LU Hongyi, WANG Zhiying. 基于细粒度任务调度的防功耗分析模幂方法 (A power-analysis-resistant modular exponentiation method based on fine-grained task scheduling). 计算机工程 (Computer Engineering), 2006, no. 24, full text (cited by examiner).

Also published as
CN102521544A (en), 2012-06-27
Legal events
C06 / PB01: Publication
C10 / SE01: Entry into substantive examination
C14 / GR01: Grant of patent
TR01: Transfer of patent right, effective date of registration 2023-06-30
Patentee before: Feitian Technologies Co., Ltd., 17th floor, Block B, Huizhi Building, No. 9 Xueqing Road, Haidian District, Beijing 100085
Patentee after: Beijing Hongsi Electronic Technology Co., Ltd., Room 1505, Building B, Huizhi Building, No. 9 Xueqing Road, Haidian District, Beijing 100085