CN102761411B - P element field SM2 elliptic curve key agreement system - Google Patents

P element field SM2 elliptic curve key agreement system

Info

Publication number: CN102761411B
Authority: CN (China)
Application number: CN201110107526.6A
Other languages: Chinese (zh)
Other versions: CN102761411A
Inventors: 徐树民, 屈善新, 刘振, 王绍麟, 田心, 刘建巍
Original assignee: Aisino Corp
Current assignee: Aisino Corp
Legal status: Active
Application filed by Aisino Corp; priority to CN201110107526.6A; publication of CN102761411A; application granted; publication of CN102761411B.
Abstract

The invention relates to a p element field SM2 elliptic curve key agreement system comprising an initiator subsystem and a responder subsystem. The initiator subsystem is composed of an initiator control center, which controls the working sequence and data calls of the other modules in the subsystem and judges whether key agreement succeeds, an initiator random number generation module for generating random numbers, an initiator point multiplication module for performing point multiplication, an initiator point addition module for performing point addition, and an initiator key derivation module implementing a key derivation function. The responder subsystem is composed of a responder control center, which controls the working sequence and data calls of the other modules in the subsystem and judges whether key agreement succeeds, a responder random number generation module for generating random numbers, a responder point multiplication module for performing point multiplication, a responder point addition module for performing point addition, and a responder key derivation module implementing a key derivation function. With the p element field SM2 elliptic curve key agreement system provided by the invention, the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm can be implemented in hardware.

Description

P-element domain SM2 elliptic curve key negotiation system
Technical Field
The invention relates to the technical field of information security, in particular to a p-element domain SM2 elliptic curve key negotiation system.
Background
With the development of communication technology and information processing technology, the security of information in transit has received increasing attention, and information processing technology is required to ensure that information is not intercepted, tampered with or forged during communication. Cryptographic techniques address this need well.
Since Diffie and Hellman put forward the concept of the public key cryptosystem in 1976, three well-known, secure and effective types of public key cryptosystem have appeared. The mathematical problems on which they rely are the Integer Factorization Problem (IFP), the Discrete Logarithm Problem (DLP) and the Elliptic Curve Discrete Logarithm Problem (ECDLP), and the corresponding algorithms are the RSA algorithm, the DSA digital signature algorithm and elliptic curve cryptography (ECC). All three rely on an NP-complete (Non-deterministic Polynomial-time Complete) problem of computational complexity theory to guarantee the security of the keys. Compared with the other two algorithms, ECC offers higher security, a smaller amount of computation, higher processing speed, a smaller key size at the same security level and lower bandwidth requirements, so ECC systems have the wider application prospect.
The SM2 elliptic curve public key cryptographic algorithm is an ECC algorithm issued by the State Cryptography Administration, and its key exchange protocol is an important algorithm: it is suitable for key exchange in commercial cryptographic applications and allows two communicating parties to calculate and obtain a shared session key, determined by both parties, through two or three message transmissions. However, what the national cryptographic authority has published for the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm is only the flow of the protocol, and no hardware device implementing the key exchange protocol is currently available, so it is difficult to put this excellent algorithm into application.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a p-element domain SM2 elliptic curve key negotiation system, which can realize a key exchange protocol in an SM2 elliptic curve public key cryptographic algorithm by using hardware.
The technical scheme for solving the technical problem is as follows: a p-element domain SM2 elliptic curve key agreement system, in which the elliptic curve has a base point G of order n and a cofactor h; the initiator hash value and the responder hash value are ZA and ZB respectively; the initiator public key and private key are PA and dA respectively, and the responder public key and private key are PB and dB respectively; and the length of the session key agreed by the initiator and the responder is klen. The system comprises an initiator subsystem and a responder subsystem; the initiator subsystem comprises an initiator control center, an initiator random number generation module, an initiator point multiplication module, an initiator point addition module and an initiator key derivation module; the responder subsystem comprises a responder control center, a responder random number generation module, a responder point multiplication module, a responder point addition module and a responder key derivation module; wherein,
the initiator control center is used for sending rA and G to the initiator point multiplication module as a set of point multiplication data; sending RA to the responder control center; calculating x10 = 2^w + (x1 & (2^w − 1)) and x20 = 2^w + (x2 & (2^w − 1)); calculating the scalar product x10·rA of x10 and rA, and calculating tA according to tA = (dA + x10·rA) mod n; judging whether RB is a point on the elliptic curve; sending x20 and RB to the initiator point multiplication module as a set of point multiplication data; calculating the scalar product h·tA of h and tA; sending PB and [x20]RB to the initiator point addition module as a set of point addition data; sending h·tA and (PB + [x20]RB) to the initiator point multiplication module as a set of point multiplication data; judging whether U is the point at infinity; sending the bit string Z formed by concatenating xU, yU, ZA and ZB to the initiator key derivation module; outputting the bit string KA returned by the initiator key derivation module as the initiator session key; and outputting a negotiation failure message when RB is judged not to be a point on the elliptic curve or U is judged to be the point at infinity;
the initiator random number generation module is used for sending the generated random number rA, between 1 and (n−1), to the initiator control center;
the initiator point multiplication module is used for performing rA-fold point multiplication on G to obtain the point RA with coordinates (x1, y1) and sending RA to the initiator control center; performing x20-fold point multiplication on RB and sending the obtained [x20]RB to the initiator control center; and performing (h·tA)-fold point multiplication on (PB + [x20]RB) and sending the obtained point U, with coordinates (xU, yU), to the initiator control center;
the initiator point addition module is used for performing point addition on PB and [x20]RB and sending the resulting (PB + [x20]RB) to the initiator control center;
the initiator key derivation module is used for performing the key derivation operation on the bit string Z and sending the obtained bit string KA, of length klen, to the initiator control center;
the responder control center is used for sending rB and G to the responder point multiplication module as a set of point multiplication data; calculating x10 = 2^w + (x1 & (2^w − 1)) and x20 = 2^w + (x2 & (2^w − 1)); calculating the scalar product x20·rB of x20 and rB, and calculating tB according to tB = (dB + x20·rB) mod n; judging whether RA is a point on the elliptic curve; sending x10 and RA to the responder point multiplication module as a set of point multiplication data; calculating the scalar product h·tB of h and tB; sending PA and [x10]RA to the responder point addition module as a set of point addition data; sending h·tB and (PA + [x10]RA) to the responder point multiplication module as a set of point multiplication data; judging whether V is the point at infinity; sending the bit string Z' formed by concatenating xV, yV, ZA and ZB to the responder key derivation module; outputting the bit string KB returned by the responder key derivation module as the responder session key; sending RB to the initiator control center; and outputting a negotiation failure message when RA is judged not to be a point on the elliptic curve or V is judged to be the point at infinity;
the responder random number generation module is used for sending the generated random number rB, between 1 and (n−1), to the responder control center;
the responder point multiplication module is used for performing rB-fold point multiplication on G to obtain the point RB with coordinates (x2, y2) and sending RB to the responder control center; performing x10-fold point multiplication on RA and sending the obtained [x10]RA to the responder control center; and performing (h·tB)-fold point multiplication on (PA + [x10]RA) and sending the obtained point V, with coordinates (xV, yV), to the responder control center;
the responder point addition module is used for performing point addition on PA and [x10]RA and sending the resulting (PA + [x10]RA) to the responder control center;
the responder key derivation module is used for performing the key derivation operation on the bit string Z' and sending the obtained bit string KB, of length klen, to the responder control center;
where w is the parameter defined by the key exchange protocol, & is the bitwise logical AND operator, and mod is the modulo operator.
The invention has the following beneficial effects. The initiator control center and the responder control center each schedule the working sequence of the corresponding random number generation module, point multiplication module, point addition module and key derivation module; the initiator and responder random number generation modules generate the random numbers rA and rB, respectively, at random between 1 and (n−1); the initiator and responder point multiplication modules perform point multiplication of a scalar and a point; the initiator and responder point addition modules perform the addition of two points; the initiator and responder key derivation modules perform key derivation on bit strings; and the two control centers each judge whether the negotiation succeeded. Key negotiation between the initiator and the responder is thereby realized: when the two parties negotiate successfully, the initiator and the responder obtain the same session key through their respective key derivation modules and use it to encrypt and decrypt the communication, and when the negotiation is unsuccessful, a negotiation failure message is output.
Therefore, the invention uses an initiator subsystem, composed of an initiator control center, an initiator random number generation module, an initiator point multiplication module, an initiator point addition module and an initiator key derivation module, and a responder subsystem, composed of a responder control center, a responder random number generation module, a responder point multiplication module, a responder point addition module and a responder key derivation module, to realize the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware.
Drawings
FIG. 1 is a flow diagram of a key exchange protocol in an SM2 elliptic curve public key cryptographic algorithm issued by the State crypto administration;
FIG. 2 is a block diagram of a p-element domain SM2 elliptic curve key agreement system provided by the present invention;
FIG. 3 is a hardware structure diagram of the initiator control center and the responder control center provided by the present invention for implementing scalar multiplication function;
FIG. 4 is a block diagram of a point multiplication module according to the present invention;
FIG. 5 is a block diagram of a point add module provided by the present invention;
FIG. 6 is a block diagram of a key derivation module provided by the present invention;
FIG. 7 is a block diagram of one embodiment of the present invention;
FIG. 8 is a block diagram of another embodiment of the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
Fig. 1 is a flow chart of the key exchange protocol in the SM2 elliptic curve public key cryptographic algorithm issued by the national cryptographic authority. Of the two communicating users involved in the key exchange protocol, the user who sends the first round of exchange information is called the initiator and the other user is called the responder; both parties hold a public/private key pair. In the invention the initiator is denoted by the symbol A and the responder by the symbol B, so the initiator public key and private key are denoted PA and dA, and the responder public key and private key are denoted PB and dB. As shown in Fig. 1, steps A-101 to A-107 are all performed by the initiator A, steps B-101 to B-106 are all performed by the responder B, and, when the corresponding condition is met, both the initiator A and the responder B can execute step 108.
As shown in FIG. 1, steps A-101 through A-107 are as follows:
Step A-101: confirm the data known to initiator A: the base point G of the elliptic curve and its order n, the cofactor h, the initiator hash value ZA, the responder hash value ZB, the initiator public key PA and initiator private key dA, the responder public key PB, the length klen of the session key agreed by the two parties, and the parameter w = ⌈(⌈log2 n⌉/2)⌉ − 1.
This step confirms the known data; the subsequent steps A-102 to A-107 all operate on the basis of the known data determined in this step.
The elliptic curves in the invention are all elliptic curves over a p-element finite field. Over a p-element finite field, the equation of the elliptic curve is y^2 = x^3 + ax + b, where p is a prime greater than 3, a and b are both values in the p-element field and satisfy (4a^3 + 27b^2) mod p ≠ 0, and mod is the modulo operator.
The elliptic curve described in the present invention has a base point, denoted G; G is a point on the elliptic curve with coordinates (xG, yG), and the order of G is n. In addition, the elliptic curve has a parameter called the cofactor, denoted h in the present invention.
The initiator hash value ZA is obtained by applying the cryptographic hash operation to the bit string formed by concatenating the distinguishing identifier of A, the parameters a, b, xG and yG of the elliptic curve equation and base point, and the abscissa xA and ordinate yA of PA; the responder hash value ZB is obtained by applying the cryptographic hash operation to the bit string formed by concatenating the distinguishing identifier of B, the parameters a, b, xG and yG, and the abscissa xB and ordinate yB of PB. Here, the concatenation operation appends one bit string after the last bit of the preceding bit string, and the cryptographic hash operation maps a bit string of arbitrary length to a bit string of fixed length; the output of that operation is called the hash value. The cryptographic hash operation is irreversible and its input and output correspond one to one, so the hash value obtained from it does not reveal information about the input value.
Before the key exchange protocol is executed, a and B need to agree on the length of the shared session key, which is denoted by klen in the present invention.
The operation ⌈X⌉, used when determining the parameter w, yields the smallest integer greater than or equal to X; for example, ⌈7.2⌉ = 8. Therefore ⌈log2 n⌉ is the smallest integer greater than or equal to log2 n, and ⌈(⌈log2 n⌉/2)⌉ is the smallest integer greater than or equal to (⌈log2 n⌉/2).
Step A-102: generate a random number rA between 1 and (n−1), obtain RA from RA = [rA]G = (x1, y1), and send RA to the responder.
The random number rA in this step is a positive integer and must not exceed (n−1).
In the formula RA = [rA]G = (x1, y1), G is the base point of the elliptic curve, rA is the random number, [rA]G is the point multiplication of G by rA, and the result RA is again a point, with coordinates (x1, y1).
Step A-103: calculate tA according to tA = (dA + x10·rA) mod n, where the parameter x10 is calculated from x10 = 2^w + (x1 & (2^w − 1)).
In this step, x10·rA is a scalar multiplication in the p-element finite field. In x10 = 2^w + (x1 & (2^w − 1)), & is the bitwise logical AND operator.
Step A-104: receive the RB sent in step B-106 and judge whether the coordinates of RB satisfy the elliptic curve equation of the invention, i.e. whether RB is a point on the elliptic curve; if so, execute step A-105, otherwise execute step 108.
This step is mainly a judgment step and is executed on the basis of step B-106.
Step A-105: obtain U from U = [h·tA](PB + [x20]RB) = (xU, yU), where x20 is calculated from x20 = 2^w + (x2 & (2^w − 1)).
In this step, h·tA is a scalar multiplication yielding a value in the p-element finite field; [x20]RB is the x20-fold point multiplication of RB, the result is then added to PB by point addition in the p-element finite field, and the result is again a point; thus [h·tA](PB + [x20]RB) is the (h·tA)-fold point multiplication of the point (PB + [x20]RB), and the result U is a new point on the elliptic curve with coordinates (xU, yU).
Step A-106: judge whether the U obtained in step A-105 is the point at infinity; if so, execute step 108, otherwise execute step A-107.
Here, the point at infinity is a special point of the elliptic curve over the p-element finite field. The operation performed in step A-105 is a point multiplication whose result may be the point at infinity, and after a successful negotiation A uses the coordinates of the point U to calculate the session key, where U cannot be the point at infinity; therefore this step must determine whether U is the point at infinity.
Step A-107: the negotiation is successful, and the session key KA is calculated from KA = KDF(xU ∥ yU ∥ ZA ∥ ZB, klen).
Negotiation success in this step has two layers of meaning. First, key confirmation from B to A is achieved, i.e. A has the assurance that B holds the session key. Second, because this step is executed after step A-104 has received the RB sent in step B-106, and step B-106 is reached only when B has judged that the negotiation from A to B succeeded (i.e. key confirmation from A to B is achieved and B has the assurance that A holds the session key), success in this step also means that both A and B have the assurance that the other party holds the session key; the negotiation between A and B required by the key exchange protocol is thus completely successful, and the session key need only be calculated to finish the negotiation process.
From a mathematical point of view, once the whole key exchange protocol reaches this step, the KA calculated here and the KB calculated in step B-106 are the same, so both A and B can encrypt data sent to the other party with the same session key and decrypt the encrypted data sent by the other party.
Here, xU ∥ yU ∥ ZA ∥ ZB is the bit string formed by concatenating the abscissa xU and ordinate yU of U, the initiator hash value ZA and the responder hash value ZB, and KDF(xU ∥ yU ∥ ZA ∥ ZB, klen) is the key derivation operation applied to this bit string, which produces a bit string of length klen; KDF denotes the key derivation function. Let the bit string xU ∥ yU ∥ ZA ∥ ZB be denoted Z, let ct be a 32-bit counter variable, and let v be the bit length of the hash value produced by the cryptographic hash operation used inside the key derivation; the key derivation operation then proceeds as follows:
(a) set the initial value of ct to 0x00000001 (hexadecimal);
(b) determine ⌈klen/v⌉, the smallest integer greater than or equal to klen/v, and for the loop variable i from 1 to ⌈klen/v⌉ perform steps (b1) and (b2) in a loop:
(b1) compute Ha_i = Hv(Z ∥ ct), where Hv(Z ∥ ct) is the cryptographic hash of the bit string formed by concatenating Z and ct, producing a hash value of v bits;
(b2) increment ct by 0x00000001;
(c) if klen/v is an integer, set Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉; otherwise set Ha!_⌈klen/v⌉ to the leftmost (klen − v·⌊klen/v⌋) bits of Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer less than or equal to klen/v;
(d) perform the concatenation KA = Ha_1 ∥ Ha_2 ∥ ... ∥ Ha_(⌈klen/v⌉−1) ∥ Ha!_⌈klen/v⌉ to obtain the session key KA.
Therefore, through steps (a) to (d), the session key KA is obtained by the key derivation operation. It can be seen that, apart from bit string concatenation, the core of the key derivation operation is a cryptographic hash operation applied in a loop. The purpose of step (c) is to determine the last bit string Ha!_⌈klen/v⌉ used in the concatenation of step (d), so that the length of KA matches the length klen agreed between A and B.
The steps B-101 to B-106 are as follows:
Step B-101: confirm the data known to responder B: the base point G of the elliptic curve and its order n, the cofactor h, the initiator hash value ZA, the responder hash value ZB, the responder public key PB and responder private key dB, the initiator public key PA, the session key length klen agreed by the two parties, and the parameter w = ⌈(⌈log2 n⌉/2)⌉ − 1.
This step is similar to step A-101 and confirms the known data; the subsequent steps B-102 to B-106 operate on the basis of the known data determined in this step.
Step B-102: generate a random number rB between 1 and (n−1), obtain RB from RB = [rB]G = (x2, y2), and calculate tB according to tB = (dB + x20·rB) mod n, where the parameter x20 is calculated from x20 = 2^w + (x2 & (2^w − 1)).
Similar to step A-102, [rB]G in this step is also a point multiplication of G, differing only in the multiplier: the point multiplication is rB-fold, and the result RB is again a point, with coordinates (x2, y2).
Similar to step A-103, x20·rB in this step is also a scalar multiplication in the p-element finite field.
Step B-103: receive the RA sent by A and judge whether the coordinates of RA satisfy the elliptic curve equation; if so, execute step B-104, otherwise execute step 108.
The RA received in this step is the point calculated by A in step A-102.
Step B-104: obtain V from V = [h·tB](PA + [x10]RA) = (xV, yV), where x10 is calculated from x10 = 2^w + (x1 & (2^w − 1)).
Similar to step A-105, h·tB in this step is a scalar multiplication yielding a value in the p-element finite field; [x10]RA is the x10-fold point multiplication of RA, the result is then added to PA by point addition in the p-element finite field, and the result is again a point; thus [h·tB](PA + [x10]RA) is the (h·tB)-fold point multiplication of the point (PA + [x10]RA), and the result V is a new point on the elliptic curve with coordinates (xV, yV).
Step B-105: judge whether the V obtained in step B-104 is the point at infinity; if so, execute step 108, otherwise execute step B-106.
Step B-106: the negotiation from A to B is successful; calculate KB from KB = KDF(xV ∥ yV ∥ ZA ∥ ZB, klen), and send RB to A.
In this step, success of the negotiation from A to B means that key confirmation from A to B is achieved, i.e. B has the assurance that A holds the session key, so KB can be calculated as the session key and the responder's negotiation process ends. The remainder of the key exchange protocol continues at step A-104, performed by the initiator A. If A also judges the negotiation successful, the negotiation process of the key exchange protocol succeeds completely and the initiator's session key KA is calculated in step A-107; mathematically, the KA obtained in step A-107 equals the KB obtained in this step, i.e. the initiator A and the responder B will use the same session key to encrypt and decrypt information in the subsequent communication.
In addition, step 108 is: the negotiation fails.
Here, whether step 108 is reached while A executes steps A-101 to A-107 or while B executes steps B-101 to B-106, the negotiation process of the entire key exchange protocol fails, and A and B must restart the negotiation process to obtain a session key shared by both parties.
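The two flows above (steps A-101 to A-107 and B-101 to B-106, including the key derivation steps (a) to (d)) carried out end to end in Python, as an added example that is not part of the patent text and not the inventors' hardware design. It assumes the SM2 recommended curve parameters from GB/T 32918 (transcribed here; the page itself lists no curve values), uses SHA-256 as a stand-in for the SM3 hash the standard specifies, and uses constructed user identifiers; the function names and the `ValueError` raised for step 108 are this example's own choices.

```python
import hashlib
import secrets

# SM2 recommended curve over F_p (GB/T 32918 values, transcribed; not listed on the page).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H = 1                                  # cofactor h
INF = None                             # the point at infinity
W = ((N.bit_length() + 1) // 2) - 1    # w = ceil(ceil(log2 n) / 2) - 1
HASH = hashlib.sha256                  # stand-in for SM3 (assumption of this example)

def i2b(v): return v.to_bytes(32, "big")   # 256-bit coordinate / parameter to bytes

def on_curve(pt):  # check of steps A-104 / B-103: finite point satisfying y^2 = x^3 + ax + b
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x**3 + A * x + B)) % P == 0

def point_add(p1, p2):  # affine point addition (the point addition module)
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                     # Q + (-Q) is the point at infinity
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):  # double-and-add [k]pt (the point multiplication module); not constant time
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def kdf(z, klen):  # key derivation steps (a)-(d); klen in bits, a multiple of 8 in this example
    assert klen % 8 == 0
    v = HASH().digest_size * 8
    ct, out = 1, b""                                     # (a) ct = 0x00000001
    for _ in range(-(-klen // v)):                       # (b) ceil(klen / v) rounds
        out += HASH(z + ct.to_bytes(4, "big")).digest()  # (b1) Ha_i = Hv(Z || ct)
        ct += 1                                          # (b2)
    return out[: klen // 8]                              # (c)+(d): leftmost klen bits

def x_bar(x):
    # x' = 2^w + (x & (2^w - 1)): the low w bits of x with bit w set
    return (1 << W) + (x & ((1 << W) - 1))

def z_value(ident, pub):
    # ZA / ZB: hash over the distinguishing ID, a, b, xG, yG and the public key
    # coordinates; the 2-byte ID bit-length prefix follows GB/T 32918.
    entl = (len(ident) * 8).to_bytes(2, "big")
    return HASH(entl + ident + i2b(A) + i2b(B) + i2b(G[0]) + i2b(G[1])
                + i2b(pub[0]) + i2b(pub[1])).digest()

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, point_mul(d, G)

def responder(db, pb, pa, RA, za, zb, klen):
    rb = secrets.randbelow(N - 1) + 1                    # B-102: rB in [1, n-1]
    RB = point_mul(rb, G)
    tb = (db + x_bar(RB[0]) * rb) % N
    if not on_curve(RA):                                 # B-103 -> step 108
        raise ValueError("negotiation failed: RA is not a point on the curve")
    V = point_mul(H * tb, point_add(pa, point_mul(x_bar(RA[0]), RA)))  # B-104
    if V is INF:                                         # B-105 -> step 108
        raise ValueError("negotiation failed: V is the point at infinity")
    return RB, kdf(i2b(V[0]) + i2b(V[1]) + za + zb, klen)  # B-106

def initiator_round2(da, ra, RA, pb, RB, za, zb, klen):
    ta = (da + x_bar(RA[0]) * ra) % N                    # A-103
    if not on_curve(RB):                                 # A-104 -> step 108
        raise ValueError("negotiation failed: RB is not a point on the curve")
    U = point_mul(H * ta, point_add(pb, point_mul(x_bar(RB[0]), RB)))  # A-105
    if U is INF:                                         # A-106 -> step 108
        raise ValueError("negotiation failed: U is the point at infinity")
    return kdf(i2b(U[0]) + i2b(U[1]) + za + zb, klen)    # A-107

def run_exchange(klen=128):
    (da, pa), (db, pb) = keygen(), keygen()
    za = z_value(b"initiator-id", pa)                    # constructed identifiers
    zb = z_value(b"responder-id", pb)
    ra = secrets.randbelow(N - 1) + 1                    # A-102: rA in [1, n-1]
    RA = point_mul(ra, G)                                # RA = [rA]G, sent to B
    RB, KB = responder(db, pb, pa, RA, za, zb, klen)
    KA = initiator_round2(da, ra, RA, pb, RB, za, zb, klen)
    return KA, KB
```

Running `run_exchange()` returns equal KA and KB for any klen that is a multiple of 8, which is the mathematical identity the text relies on in steps A-107 and B-106. Two points matter for a hardware implementation of the same flow: the double-and-add loop above leaks the scalar through its timing and power profile, so the point multiplication module of a real device needs a regular (branch-free) scalar multiplication for the secret multipliers rA, tA, rB and tB; and the `on_curve` check of steps A-104 / B-103 must run before the received point is handed to the multiplication module, since the key derivation only makes sense for a point that actually lies on the agreed curve.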
Fig. 2 is a structural diagram of the p-element domain SM2 elliptic curve key agreement system provided by the present invention. The elliptic curve has a base point G of order n and a cofactor h; the initiator hash value and the responder hash value are ZA and ZB respectively; the initiator public key and private key are PA and dA respectively, and the responder public key and private key are PB and dB respectively; and the length of the session key agreed by the initiator and the responder is klen. The key negotiation system implements in hardware the key exchange protocol of the p-element domain SM2 elliptic curve public key cryptographic algorithm: if the negotiation between the initiator and the responder succeeds, the initiator and the responder each generate the same session key, whose length is the agreed length klen.
As shown in Fig. 2, the system includes an initiator subsystem 212 and a responder subsystem 213. The initiator subsystem 212 includes an initiator control center 201, an initiator random number generation module 202, an initiator point multiplication module 205, an initiator point addition module 204 and an initiator key derivation module 203; the responder subsystem 213 includes a responder control center 206, a responder random number generation module 207, a responder point multiplication module 208, a responder point addition module 209 and a responder key derivation module 210. It can be seen that the modules of the initiator subsystem and the responder subsystem correspond to each other and can be implemented by the same hardware. In the system,
the initiator control center 201 is configured to send rA and G to the initiator point multiplication module 205 as a set of point multiplication data; send RA to the responder control center 206; calculate x10 = 2^w + (x1 & (2^w − 1)) and x20 = 2^w + (x2 & (2^w − 1)); calculate the scalar product x10·rA of x10 and rA, and calculate tA according to tA = (dA + x10·rA) mod n; judge whether RB is a point on the elliptic curve; send x20 and RB to the initiator point multiplication module 205 as a set of point multiplication data; calculate the scalar product h·tA of h and tA; send PB and [x20]RB to the initiator point addition module 204 as a set of point addition data; send h·tA and (PB + [x20]RB) to the initiator point multiplication module 205 as a set of point multiplication data; judge whether U is the point at infinity; send the bit string Z formed by concatenating xU, yU, ZA and ZB to the initiator key derivation module 203; output the bit string KA returned by the initiator key derivation module 203 as the initiator session key; and output a negotiation failure message when RB is judged not to be a point on the elliptic curve or U is judged to be the point at infinity;
the initiator random number generation module 202 is configured to send the generated random number rA between 1 and (n-1) to the initiator control center 201;
the initiator point multiplication module 205 is configured to perform rA-fold point multiplication on G to obtain the point RA with coordinates (x1, y1) and send RA to the initiator control center 201; perform x20-fold point multiplication on RB and send the obtained [x20]RB to the initiator control center 201; and perform (h·tA)-fold point multiplication on (PB + [x20]RB) and send the obtained point U, with coordinates (xU, yU), to the initiator control center 201;
the initiator adding module 204 is configured to perform a point addition operation on PB and [ x20] RB, and send the generated (PB + [ x20] RB) to the initiator control center 201;
the initiator key derivation module 203 is configured to perform key derivation operation on the bit string Z, and send the obtained bit string KA with the length of klen to the initiator control center 201;
the responder control center 206 is configured to: send rB and G to the responder multiple point operation module 208 as a set of multiple point operation data; calculate x10 and x20 according to x10 = 2^w + [x1 & (2^w − 1)] and x20 = 2^w + [x2 & (2^w − 1)] respectively; calculate the scalar product x20·rB of x20 and rB, and calculate tB according to tB = (dB + x20·rB) mod n; judge whether RA is a point on the elliptic curve; send x10 and RA to the responder multiple point operation module 208 as a set of multiple point operation data; calculate the scalar product h·tB of h and tB; send PA and [x10]RA to the responder point addition module 209 as a set of point addition operation data; send h·tB and (PA + [x10]RA) to the responder multiple point operation module 208 as a set of multiple point operation data; judge whether V is the point at infinity; send the bit string Z' formed by concatenating xV, yV, ZA and ZB to the responder key derivation module 210; output the bit string KB returned by the responder key derivation module 210 as the responder session key; send RB to the initiator control center 201; and output a negotiation failure message when RA is judged not to be a point on the elliptic curve or V is judged to be the point at infinity;
the responder random number generation module 207 is configured to send the generated random number rB between 1 and (n-1) to the responder control center 206;
the responder multiple point operation module 208 is configured to: perform the rB multiple point operation on G to obtain the point RB = [rB]G with coordinates (x2, y2), and send RB to the responder control center 206; perform the x10 multiple point operation on RA and send the obtained [x10]RA to the responder control center 206; perform the h·tB multiple point operation on (PA + [x10]RA) and send the obtained point V, whose coordinates are (xV, yV), to the responder control center 206;
the responder point addition module 209 is configured to perform a point addition operation on PA and [x10]RA, and send the resulting (PA + [x10]RA) to the responder control center 206;
the responder key derivation module 210 is configured to perform a key derivation operation on the bit string Z', and send the obtained bit string KB of length klen to the responder control center 206;
where w is the parameter, & is the bitwise logical AND operator, and mod is the modulo operator.
It should be noted that the operations performed on points in the present invention are operations performed on the coordinates of the points; for example, a point addition operation is an operation on the coordinates of two points, and a multiple point operation (scalar multiplication) is an operation on one scalar and the coordinates of one point. Therefore, the sending or receiving of a point by any module or sub-module mentioned in the present invention means the sending or receiving of the coordinates of that point.
The initiator control center and the responder control center are the control centers of their respective subsystems; each is responsible for arranging the working time sequence of the modules in its subsystem, transferring and operating on data among those modules, and sending data to the control center of the other subsystem. For example, the responder control center is responsible for determining whether V is the point at infinity; if V is the point at infinity, a negotiation failure message is output, which means that the negotiation between the initiator and the responder has failed.
Corresponding to the flowchart shown in fig. 1, steps A-101 to A-107 are implemented by the initiator subsystem, steps B-101 to B-106 are implemented by the responder subsystem, and step 108 is implemented by both parties. Steps A-101 and B-101 are implemented by the control center of the corresponding subsystem, that is, the known data in these two steps are input to or stored in the control center of the corresponding subsystem and are sent by the control center to the corresponding module for use in the calculation. The step of generating the random number rA between 1 and (n-1) in step A-101 is implemented by the initiator random number generation module; the step of obtaining RA = [rA]G = (x1, y1) is implemented by the initiator multiple point operation module; the step of sending RA to the responder and steps A-103, A-104 and A-106 are implemented by the initiator control center. In step A-105, the scalar multiplication of h and tA is implemented by the initiator control center, the multiple point operations on x20 and RB and on h·tA and (PB + [x20]RB) are implemented by the initiator multiple point operation module, and the point addition of PB and [x20]RB is implemented by the initiator point addition module. The step of determining that the negotiation has succeeded in step A-107 is implemented by the initiator control center, and the step of calculating the session key KA according to KA = KDF(xU || yU || ZA || ZB, klen) is implemented by the initiator key derivation module. Correspondingly, the modules of the responder subsystem implement steps B-101 to B-106; specifically: the step of generating the random number rB between 1 and (n-1) in step B-102 is implemented by the responder random number generation module; the step of obtaining RB = [rB]G = (x2, y2) is implemented by the responder multiple point operation module; the step of obtaining tB according to tB = (dB + x20·rB) mod n, the step of calculating x20 according to x20 = 2^w + [x2 & (2^w − 1)], and step B-103 are implemented by the responder control center. In step B-104, the scalar multiplication of h and tB is implemented by the responder control center, the multiple point operations on x10 and RA and on h·tB and (PA + [x10]RA) are implemented by the responder multiple point operation module, and the point addition of PA and [x10]RA is implemented by the responder point addition module. The steps of judging whether the negotiation has succeeded in steps B-105 and B-106 and the step of sending RB to the initiator A are implemented by the responder control center, and the step of calculating KB according to KB = KDF(xV || yV || ZA || ZB, klen) is implemented by the responder key derivation module. Step 108 is controlled by the initiator control center or the responder control center, depending on which party makes the determination.
Therefore, the initiator control center and the responder control center respectively arrange the working time sequence of the corresponding random number generation module, multiple point operation module, point addition module and key derivation module; the initiator random number generation module and the responder random number generation module respectively generate the random numbers rA and rB between 1 and (n-1); the initiator multiple point operation module and the responder multiple point operation module respectively carry out multiple point operations between scalars and points; the initiator point addition module and the responder point addition module respectively carry out point addition operations on two points; the initiator key derivation module and the responder key derivation module respectively carry out key derivation operations on bit strings; and the initiator control center and the responder control center respectively judge whether the negotiation has succeeded. Key negotiation between the initiator and the responder is thereby realized: when the two parties negotiate successfully, the initiator and the responder each obtain the same session key through the operation of the initiator key derivation module and the responder key derivation module, which can then be used to encrypt and decrypt the communication; when the negotiation fails, negotiation failure information is output.
Therefore, the invention can utilize an initiator subsystem and a responder subsystem, wherein the initiator subsystem is composed of an initiator control center, an initiator random number generation module, an initiator multiple point operation module, an initiator point addition module and an initiator key derivation module, and the responder subsystem is composed of a responder control center, a responder random number generation module, a responder multiple point operation module, a responder point addition module and a responder key derivation module, and the key exchange protocol in the SM2 elliptic curve public key cryptographic algorithm is realized by hardware.
Because the invention realizes the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware, it has a faster operation speed and higher security than a software implementation of the key exchange protocol.
As shown in fig. 2, the system further comprises a w generation module 211 for calculating the parameter w and sending it to the initiator control center 201 and the responder control center 206 respectively.
The initiator control center and the responder control center in the invention both have a scalar multiplication function, and this function can be realized by the same hardware structure. Fig. 3 is a hardware structure diagram for implementing the scalar multiplication function of the initiator control center and the responder control center provided by the present invention; this hardware structure is included in both the initiator control center and the responder control center. As shown in fig. 3, the hardware structure includes: a control sub-module 301, a domain conversion sub-module 302 and a Montgomery domain multiplication sub-module 303; wherein,
the control sub-module 301 is configured to: send the values of m and j in the finite field, which are to be multiplied, to the domain conversion sub-module 302; send the values of m and j in the Montgomery domain to the Montgomery domain multiplication sub-module 303; and send 1 and the product mj returned by the Montgomery domain multiplication sub-module 303 back to the Montgomery domain multiplication sub-module 303;
the domain conversion sub-module 302 is configured to convert the values of m and j in the finite domain into values in the montgomery domain, respectively, and return the values to the control sub-module 301;
the Montgomery domain multiplication sub-module 303 is configured to perform Montgomery domain multiplication on the values of m and j in the Montgomery domain and return the obtained product mj to the control sub-module 301; and to perform Montgomery domain multiplication on mj and 1, which yields the scalar product of the values of m and j in the finite field, and return that scalar product to the control sub-module 301.
Here m and j are the two scalars to be multiplied; they may be x10 and rA, or h and tA, multiplied by the initiator control center 201 in fig. 2, or x20 and rB, or h and tB, multiplied by the responder control center 206.
In the invention, the initiator control center and the responder control center convert two data of scalar multiplication operation from a finite field to a Montgomery field for operation, thereby greatly reducing the operation difficulty, improving the operation efficiency and being beneficial to further improving the operation speed of the key exchange protocol.
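The scalar multiplication path of fig. 3 in software, as an added illustration (this is not the patent's circuit and not code from the applicant): m and j are converted to the Montgomery domain, multiplied there, and the product is brought back by one more Montgomery multiplication by 1, exactly the sequence the control sub-module 301 drives. The modulus is assumed to be the SM2 group order n from GB/T 32918 (the reduction behind tA and tB); the radix R = 2^256 and the constants n' and R^2 mod n are derived from it.

```python
# Added example (not the patent's circuit): the fig. 3 data flow in software.
# Modulus: SM2 group order n (GB/T 32918). Any odd modulus works the same way.
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

K = N.bit_length()                      # 256: Montgomery radix R = 2^K, R > N, gcd(R, N) = 1
R = 1 << K
R_MASK = R - 1
N_PRIME = (-pow(N, -1, R)) & R_MASK     # N * N_PRIME == -1 (mod R)
R2_MOD_N = (R * R) % N                  # R^2 mod N, precomputed once (domain-entry constant)


def redc(t):
    """Montgomery reduction (REDC): returns t * R^-1 mod N for 0 <= t < N * R."""
    m = ((t & R_MASK) * N_PRIME) & R_MASK   # m such that t + m*N is divisible by R
    u = (t + m * N) >> K                    # exact division by R
    return u - N if u >= N else u           # one conditional subtraction suffices (u < 2N)


def mont_mul(a_m, b_m):
    """Montgomery domain multiplication sub-module 303: (aR)(bR)R^-1 = (ab)R mod N."""
    return redc(a_m * b_m)


def to_mont(x):
    """Domain conversion sub-module 302: x -> xR mod N, via one mont_mul with R^2 mod N."""
    return mont_mul(x % N, R2_MOD_N)


def scalar_product(m, j):
    """Control sub-module 301 sequence: convert m and j, multiply, then multiply the
    product mj by 1, which strips the factor R and yields m*j mod N."""
    m_m, j_m = to_mont(m), to_mont(j)
    mj_m = mont_mul(m_m, j_m)       # (m*j)*R mod N, still in the Montgomery domain
    return mont_mul(mj_m, 1)        # (m*j)*R * 1 * R^-1 = m*j mod N


def t_value(d, x_bar, r):
    """t = (d + x_bar * r) mod n, as formed for tA and tB in the control centers."""
    return (d + scalar_product(x_bar, r)) % N


if __name__ == "__main__":
    # Constructed sample operands (not values from the patent).
    m, j = 0x1234567890ABCDEF, N - 1
    print(hex(scalar_product(m, j)), scalar_product(m, j) == (m * j) % N)
```

The final multiplication by 1 is the point of the fig. 3 flow: in the Montgomery domain every operand carries a hidden factor R, and multiplying by the plain value 1 (which is not in Montgomery form) removes it without a separate conversion step.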
Of course, the control sub-module in fig. 3 may also serve as the control core of the initiator control center or the responder control center and complete the other control, operation and judgment functions of the control center in which it is located. For example, in addition to the scalar multiplication control function described for fig. 3, the control sub-module in the initiator control center may also be used to: send rA and G to the initiator multiple point operation module as a set of multiple point operation data; send RA to the control sub-module in the responder control center; calculate x10 and x20 according to x10 = 2^w + [x1 & (2^w − 1)] and x20 = 2^w + [x2 & (2^w − 1)] respectively; calculate tA according to tA = (dA + x10·rA) mod n; judge whether RB is a point on the elliptic curve; send x20 and RB to the initiator multiple point operation module as a set of multiple point operation data; send PB and [x20]RB to the initiator point addition module as a set of point addition operation data; send h·tA and (PB + [x20]RB) to the initiator multiple point operation module as a set of multiple point operation data; judge whether U is the point at infinity; send the bit string Z formed by concatenating xU, yU, ZA and ZB to the initiator key derivation module; output the bit string KA returned by the initiator key derivation module as the initiator session key; and output a negotiation failure message when RB is judged not to be a point on the elliptic curve or U is judged to be the point at infinity. For another example, in addition to the scalar multiplication control function described for fig. 3, the control sub-module in the responder control center may be used to: send rB and G to the responder multiple point operation module as a set of multiple point operation data; calculate x10 and x20 according to x10 = 2^w + [x1 & (2^w − 1)] and x20 = 2^w + [x2 & (2^w − 1)] respectively; calculate tB according to tB = (dB + x20·rB) mod n; judge whether RA is a point on the elliptic curve; send x10 and RA to the responder multiple point operation module as a set of multiple point operation data; send PA and [x10]RA to the responder point addition module as a set of point addition operation data; send h·tB and (PA + [x10]RA) to the responder multiple point operation module as a set of multiple point operation data; judge whether V is the point at infinity; send the bit string Z' formed by concatenating xV, yV, ZA and ZB to the responder key derivation module; output the bit string KB returned by the responder key derivation module as the responder session key; send RB to the control sub-module in the initiator control center; and output a negotiation failure message when RA is judged not to be a point on the elliptic curve or V is judged to be the point at infinity.
In the invention, the initiator multiple point operation module and the responder multiple point operation module both carry out the multiple point operation, and the operation is the same on both sides, so the two modules can be realized by the same hardware mechanism, which may be called a multiple point operation module. Fig. 4 is a structural diagram of the multiple point operation module provided by the present invention; the module can be used as the initiator multiple point operation module or the responder multiple point operation module.
As shown in fig. 4, the multiple point operation module includes: a multiple point operation control sub-module 401, a projective coordinate point doubling sub-module 404, a domain conversion sub-module 403, a Montgomery domain multiplication sub-module 405, a finite field inversion sub-module 402 and a projective coordinate point addition sub-module 406; wherein,
the multiple point operation control sub-module 401 is configured to: receive a set of multiple point operation data consisting of a value f and a point C; convert the coordinates (xc, yc) of C in the affine coordinate system into the coordinates (xc2, yc2, 1) of C in the projective coordinate system, and send xc2, yc2 and 1 to the domain conversion sub-module 403; send the returned (xc3, yc3, zc3) to the projective coordinate point addition sub-module 406, and use it as the initial value of the coordinates (xc1, yc1, zc1) of [f]C in the Montgomery domain, where [f]C is the result of the f multiple point operation on C; determine the binary bit length L of f; take the second-highest bit of the binary form of f as the initial current bit, and carry out (L−1) iterations, moving the current bit down by one position each time, from the second-highest bit to the lowest bit of the binary form of f; send zc1 from the result coordinates (xc1, yc1, zc1) of the (L−1) iterations to the Montgomery domain multiplication sub-module 405; send the value of zc1 in the finite field to the finite field inversion sub-module 402; send the value of zc1^-1 in the finite field to the domain conversion sub-module 403; send xc1 and yc1 from the result coordinates (xc1, yc1, zc1) of the (L−1) iterations together with the value of zc1^-1 in the Montgomery domain to the Montgomery domain multiplication sub-module 405; send 1 and the value of xc1 in the affine coordinate system returned by the Montgomery domain multiplication sub-module 405 to the Montgomery domain multiplication sub-module 405; send 1 and the value of yc1 in the affine coordinate system returned by the Montgomery domain multiplication sub-module 405 to the Montgomery domain multiplication sub-module 405; and output the coordinates (xc1, yc1) composed of the values of xc1 and yc1 in the finite field as the result [f]C of the operation. One iteration comprises: sending the current value of the coordinates (xc1, yc1, zc1) to the projective coordinate point doubling sub-module 404, and, when the current bit of f is binary 1, sending the output coordinates returned by the projective coordinate point doubling sub-module 404 to the projective coordinate point addition sub-module 406;
the domain conversion sub-module 403 is configured to convert the values xc2, yc2 and 1 in the finite field into the values xc3, yc3 and zc3 in the Montgomery domain respectively, and return them to the multiple point operation control sub-module 401; and to convert the value of zc1^-1 in the finite field into its value in the Montgomery domain and return it to the multiple point operation control sub-module 401;
the projective coordinate point doubling sub-module 404 is configured to perform a point doubling operation on the input coordinates, and return the result as output coordinates to the multiple point operation control sub-module 401;
the projective coordinate point addition sub-module 406 is configured to perform a point addition operation on the input coordinates and (xc3, yc3, zc3), and send the result to the multiple point operation control sub-module 401;
the Montgomery domain multiplication sub-module 405 is configured to: perform Montgomery domain multiplication on the value of zc1 in the Montgomery domain and 1, and send the obtained value of zc1 in the finite field to the multiple point operation control sub-module 401; perform Montgomery domain multiplication on the values of xc1 and zc1^-1 in the Montgomery domain, and on the values of yc1 and zc1^-1 in the Montgomery domain, and return the obtained values of xc1 and yc1 in the affine coordinate system to the multiple point operation control sub-module 401; and perform Montgomery domain multiplication on the value of xc1 in the affine coordinate system and 1, and on the value of yc1 in the affine coordinate system and 1, and return the obtained values of xc1 and yc1 in the finite field to the multiple point operation control sub-module 401;
the finite field inversion sub-module 402 is configured to perform an inversion operation on the value of zc1 in the finite field, and send the obtained value of zc1^-1 in the finite field to the multiple point operation control sub-module 401.
The value f and the point C in a set of multiple point operation data are received by the multiple point operation control sub-module from the control center of the subsystem in which it is located: from the initiator control center if it is located in the initiator subsystem, and from the responder control center if it is located in the responder subsystem. f and C are respectively the value and the point in each set of multiple point operation data; for example, f and C may be rA and G, or x20 and RB, or h·tA and (PB + [x20]RB), as sent to the initiator multiple point operation module by the initiator control center shown in fig. 2, or rB and G, or x10 and RA, or h·tB and (PA + [x10]RA), as sent to the responder multiple point operation module by the responder control center. Likewise, xc2, yc2, xc3, yc3, zc3, xc1, yc1, zc1 and zc1^-1 described above correspond one to one to the corresponding operation values in the functions of the initiator multiple point operation module 205 or the responder multiple point operation module 208 in fig. 2.
The multiple point operation module shown in fig. 4 provided by the present invention converts the data from the affine coordinate system to the projective coordinate system, and then from the finite field to the Montgomery domain, so that the corresponding calculation can be performed in the Montgomery domain; afterwards the data is converted from the projective coordinate system back to the affine coordinate system and from the Montgomery domain back to the finite field, and finally the result of the multiple point operation is output.
In the system shown in fig. 2, the initiator point addition module and the responder point addition module both implement the point addition function, and can therefore be implemented with the same hardware, which is called a point addition module. Fig. 5 is a structural diagram of the point addition module provided by the present invention; the module can be used as the initiator point addition module or the responder point addition module.
As shown in fig. 5, the point addition module includes: a point addition control sub-module 501, a domain conversion sub-module 502, a projective coordinate point addition sub-module 504, a Montgomery domain multiplication sub-module 503 and a finite field inversion sub-module 505; wherein,
the point addition control sub-module 501 is configured to: convert the coordinates (x11', y11') and (x12', y12') of the received points PP1 and PP2 to be added, given in the affine coordinate system, into the coordinates (x11', y11', 1) and (x12', y12', 1) in the projective coordinate system respectively, and send x11', y11', 1 and x12', y12', 1 to the domain conversion sub-module 502; send the coordinates (x111', y111', z111') composed of x111', y111', z111' and the coordinates (x121', y121', z121') composed of x121', y121', z121' to the projective coordinate point addition sub-module 504; send z131' from the coordinates (x131', y131', z131') returned by the projective coordinate point addition sub-module 504 to the Montgomery domain multiplication sub-module 503; send the value of z131' in the finite field returned by the Montgomery domain multiplication sub-module 503 to the finite field inversion sub-module 505; send the value of z131'^-1 in the finite field to the domain conversion sub-module 502; send x131' and y131' from the coordinates (x131', y131', z131') together with the value of z131'^-1 in the Montgomery domain to the Montgomery domain multiplication sub-module 503; send 1 and the value of x131' in the affine coordinate system returned by the Montgomery domain multiplication sub-module 503, and 1 and the value of y131' in the affine coordinate system returned by the Montgomery domain multiplication sub-module 503, to the Montgomery domain multiplication sub-module 503 respectively; and output the coordinates (x131', y131') composed of the values of x131' and y131' in the finite field returned by the Montgomery domain multiplication sub-module 503 as the result of the point addition of PP1 and PP2 in the affine coordinate system;
the domain conversion sub-module 502 is configured to convert the values of x11', y11', 1 and x12', y12', 1 in the finite field into the values x111', y111', z111' and x121', y121', z121' in the Montgomery domain respectively, and return them to the point addition control sub-module 501; and to convert the value of z131'^-1 in the finite field into the value of z131'^-1 in the Montgomery domain and return it to the point addition control sub-module 501;
the projective coordinate point addition sub-module 504 is configured to perform a point addition operation on the input coordinates (x111', y111', z111') and (x121', y121', z121'), and return the obtained coordinates (x131', y131', z131') to the point addition control sub-module 501;
the Montgomery domain multiplication sub-module 503 is configured to: perform Montgomery domain multiplication on the input z131' and 1, and send the obtained value of z131' in the finite field to the point addition control sub-module 501; perform Montgomery domain multiplication on the values of x131' and z131'^-1 in the Montgomery domain, and on the values of y131' and z131'^-1 in the Montgomery domain, respectively, and return the obtained values of x131' and y131' in the affine coordinate system to the point addition control sub-module 501; and perform Montgomery domain multiplication on the values of x131' and y131' in the affine coordinate system and 1 respectively, and return the obtained values of x131' and y131' in the finite field to the point addition control sub-module 501;
the finite field inversion sub-module 505 is configured to perform an inversion operation on the input value of z131' in the finite field, and send the obtained value of z131'^-1 in the finite field to the point addition control sub-module 501.
The points PP1 and PP2 are received by the point addition control sub-module from the control center of the subsystem in which it is located: from the initiator control center if it is located in the initiator subsystem, and from the responder control center if it is located in the responder subsystem.
The points PP1 and PP2 represent the data on which the initiator point addition control sub-module or the responder point addition control sub-module performs the point addition operation; for example, PP1 and PP2 may respectively represent the point addition operation data PB and [x20]RB sent by the initiator control center to the initiator point addition module, or the point addition operation data PA and [x10]RA sent by the responder control center to the responder point addition module.
The point addition module shown in fig. 5 provided by the present invention converts the coordinates of PP1 and PP2 from the affine coordinate system into the projective coordinate system, then from the finite field into the Montgomery domain to perform the corresponding calculation; after the calculation it converts the result from the projective coordinate system back to the affine coordinate system and from the Montgomery domain back to the finite field, and finally outputs the result.
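The multiple point operation module of fig. 4 and the point addition module of fig. 5 follow the same path: lift the affine input to projective coordinates (x, y, 1), compute with inversion-free projective formulas, then leave projective coordinates with a single inversion of z. The following Python is an added illustration of that path, not the patent's circuit and not code from the applicant; it assumes the SM2 curve parameters of GB/T 32918 and uses plain modular arithmetic in place of the Montgomery domain multiplier, which changes only the representation of field elements, not the sequence of operations. The doubling and addition formulas are the standard homogeneous-coordinate formulas for y^2 = x^3 + ax + b.

```python
# Added example (not the patent's circuit): fig. 4 / fig. 5 data flow in software.
# Curve constants are the SM2 parameters from GB/T 32918.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = (0, 1, 0)                        # projective point at infinity (z = 0)


def proj_double(pt):
    """Projective point doubling sub-module 404, curve y^2 = x^3 + Ax + B."""
    x, y, z = pt
    if z == 0 or y == 0:               # infinity, or a point of order 2
        return INF
    w = (A * z * z + 3 * x * x) % P
    s = y * z % P
    bb = x * y * s % P
    h = (w * w - 8 * bb) % P
    return (2 * h * s % P,
            (w * (4 * bb - h) - 8 * y * y * s * s) % P,
            8 * s * s * s % P)


def proj_add(p1, p2):
    """Projective point addition sub-module 406 / 504."""
    x1, y1, z1 = p1
    x2, y2, z2 = p2
    if z1 == 0:
        return p2
    if z2 == 0:
        return p1
    u = (y2 * z1 - y1 * z2) % P
    v = (x2 * z1 - x1 * z2) % P
    if v == 0:                         # same x: either the same point or inverses
        return proj_double(p1) if u == 0 else INF
    v2, v3 = v * v % P, v * v * v % P
    w = (u * u * z1 * z2 - v3 - 2 * v2 * x1 * z2) % P
    return (v * w % P,
            (u * (v2 * x1 * z2 - w) - v3 * y1 * z2) % P,
            v3 * z1 * z2 % P)


def to_affine(pt):
    """Leave projective coordinates: invert z once (inversion sub-module 402 / 505),
    then x*z^-1 and y*z^-1 (multiplier 405 / 503). None for the point at infinity."""
    x, y, z = pt
    if z == 0:
        return None
    z_inv = pow(z, P - 2, P)           # inversion in F_P (Fermat)
    return (x * z_inv % P, y * z_inv % P)


def multiple_point(f, c):
    """[f]C as the control sub-module 401 schedules it: start from C itself, then for
    each of the L-1 bits below the top bit of f: double, and add C when the bit is 1."""
    assert f >= 1
    c_proj = (c[0], c[1], 1)           # affine (xc, yc) -> projective (xc, yc, 1)
    acc = c_proj                       # initial value of (xc1, yc1, zc1)
    bits = bin(f)[2:]                  # L = len(bits)
    for bit in bits[1:]:               # L-1 iterations, second-highest bit downwards
        acc = proj_double(acc)
        if bit == "1":
            acc = proj_add(acc, c_proj)
    return to_affine(acc)


def point_add(pp1, pp2):
    """Fig. 5 module: PP1 + PP2 for affine points, via projective coordinates."""
    return to_affine(proj_add((pp1[0], pp1[1], 1), (pp2[0], pp2[1], 1)))


def on_curve(pt):
    """Affine on-curve check, used here to validate results and the constants."""
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


if __name__ == "__main__":
    print(multiple_point(2, G) == point_add(G, G), multiple_point(N, G) is None)
```

multiple_point(f, C) is the (L−1)-iteration loop of the control sub-module 401 starting from C itself, and point_add(PP1, PP2) is the fig. 5 sequence; both spend exactly one field inversion, at the exit from projective coordinates. Checking that [n]G is the point at infinity is a cheap way to validate the curve constants before anything else is built on them.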
In the invention, the initiator key derivation module and the responder key derivation module are both modules that realize the key derivation function, and they can likewise be realized by the same hardware structure, which is called a key derivation module. Fig. 6 is a structural diagram of the key derivation module provided by the present invention; the module can be used as the initiator key derivation module or the responder key derivation module.
As shown in fig. 6, the key derivation module includes: a key derivation control sub-module 601 and a cryptographic hash sub-module 602 whose output hash value has a length of v bits; wherein,
the key derivation control sub-module 601 is configured to: receive an input bit string ZZ; set the initial value of a 32-bit counter variable ct to 00000001 in hexadecimal representation; determine the smallest integer ⌈klen/v⌉ greater than or equal to klen/v; for a loop variable i incremented by 1 from 1 to ⌈klen/v⌉, perform ⌈klen/v⌉ cryptographic hash operations; when klen/v is an integer, let Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉; when klen/v is not an integer, let Ha!_⌈klen/v⌉ be the leftmost (klen − v·⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer less than or equal to klen/v; concatenate Ha_1, ..., Ha_(⌈klen/v⌉−1) and Ha!_⌈klen/v⌉ in order, and output the resulting bit string of klen bits as the result of the key derivation operation on ZZ. One cryptographic hash operation comprises: concatenating ZZ and the current value of ct into the bit string ZZ||ct; sending ZZ||ct to the cryptographic hash sub-module 602; assigning the v-bit hash value Hv(ZZ||ct) returned by the cryptographic hash sub-module 602 to Ha_i; and increasing the value of ct by 00000001 in hexadecimal;
the cryptographic hash sub-module 602 is configured to perform a cryptographic hash operation on the input bit string ZZ||ct, and return the v-bit hash value Hv(ZZ||ct) to the key derivation control sub-module 601.
Here, the bit string ZZ is received by the key derivation control submodule from the control center in the subsystem in which it is located, if it is located in the initiator subsystem, from the initiator control center, and if it is located in the responder subsystem, from the responder control center.
Bit string ZZ represents a bit string received by the initiator key derivation module or the responder key derivation module, e.g., ZZ may represent bit string Z sent by the initiator control center to the initiator key derivation module in fig. 2, or may represent bit string Z' sent by the responder control center to the responder key derivation module.
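To see how the module functions of fig. 2 and the key derivation module of fig. 6 fit together, here is the complete initiator and responder sequence in Python. It is an added illustration, not the patent's circuit, not code from the applicant, and not a conformance implementation of GB/T 32918: the curve constants are the published SM2 parameters, w is taken from the SM2 standard's definition w = ⌈(⌈log2 n⌉/2)⌉ − 1, the cofactor h is 1, SHA-256 stands in for the v = 256-bit hash sub-module 602 (SM3 in the standard), and the private keys, random numbers and identity hashes ZA, ZB are constructed sample values. Point arithmetic is done in affine coordinates for brevity.

```python
import hashlib

# Added illustration (not the patent's circuit): SM2 key agreement as the fig. 2
# control centers sequence it, with the fig. 6 KDF. Curve constants: GB/T 32918.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H_COF = 1                                # cofactor h of the SM2 curve
W = ((N.bit_length() + 1) // 2) - 1      # w = ceil(ceil(log2 n) / 2) - 1 = 127 (SM2 standard)
V = 256                                  # output length v of the hash sub-module (SHA-256 stand-in)


def add(p1, p2):
    """Affine point addition / doubling on y^2 = x^3 + Ax + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:           # Q + (-Q), or doubling a point of order 2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """[k]pt by MSB-first double-and-add: the multiple point operation modules 205 / 208."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def on_curve(pt):
    """The 'is RB / RA a point on the elliptic curve' check of the control centers."""
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


def kdf(zz, klen):
    """Key derivation control sub-module 601: Ha_i = Hv(ZZ || ct), ct = 1 .. ceil(klen/v)
    as a 32-bit big-endian counter; the last block keeps only its leftmost
    klen - v*floor(klen/v) bits, so exactly klen bits come out."""
    blocks = -(-klen // V)                                       # ceil(klen / v)
    out = b"".join(hashlib.sha256(zz + ct.to_bytes(4, "big")).digest()
                   for ct in range(1, blocks + 1))
    top = int.from_bytes(out, "big") >> (len(out) * 8 - klen)   # drop surplus low bits
    return top.to_bytes(-(-klen // 8), "big")                   # klen bits, right-aligned


def x_bar(x):
    """x10 / x20 of the control centers: 2^w + (x & (2^w - 1))."""
    return (1 << W) + (x & ((1 << W) - 1))


def derive(d_self, r_self, r_pt_self, r_pt_peer, pub_peer, za, zb, klen):
    """One control center's sequence. Initiator: t = tA, S = U; responder: t = tB, S = V.
    Returns the session key, or None when the peer's R is off the curve or S is infinity."""
    t = (d_self + x_bar(r_pt_self[0]) * r_self) % N            # e.g. (dA + x10*rA) mod n
    if not on_curve(r_pt_peer):
        return None
    s = mul(H_COF * t, add(pub_peer, mul(x_bar(r_pt_peer[0]), r_pt_peer)))   # [h*t](P + [x']R)
    if s is None:
        return None
    z = s[0].to_bytes(32, "big") + s[1].to_bytes(32, "big") + za + zb       # xS||yS||ZA||ZB
    return kdf(z, klen)


def demo(klen=128):
    """Both parties with constructed (non-secret, reproducible) keys; returns (KA, KB)."""
    dA, dB = 0x2B1C3D4E5F6A7B8C9DAEBFC0D1E2F30415263748, 0x7A6B5C4D3E2F1A0B9C8D7E6F5A4B3C2D1E0F1A2B
    rA, rB = 0x1111222233334444555566667777888899990000AAAA, 0x0F0E0D0C0B0A09080706050403020100FFEEDDCC
    za, zb = hashlib.sha256(b"ALICE").digest(), hashlib.sha256(b"BOB").digest()
    PA, PB = mul(dA, G), mul(dB, G)                   # long-term public keys
    RA, RB = mul(rA, G), mul(rB, G)                   # ephemeral points exchanged in the clear
    KB = derive(dB, rB, RB, RA, PA, za, zb, klen)     # responder: tB, V, KB
    KA = derive(dA, rA, RA, RB, PB, za, zb, klen)     # initiator: tA, U, KA
    return KA, KB


if __name__ == "__main__":
    ka, kb = demo()
    print(ka.hex(), ka == kb)
```

The two sides run the same derive() with their roles swapped, which is exactly why the patent can build both control centers from one hardware structure: the initiator reduces its own x1 for tA and the peer's x2 for the multiple point operation, the responder the other way round, and both land on [tA·tB]G before the KDF. The two rejection points (peer's R off the curve, U or V at infinity) are the negotiation-failure outputs of the control centers and must be checked before the coordinates are fed to the KDF.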
It can be seen that, in the system, the corresponding modules of the initiator subsystem and the responder subsystem may have the same structure: for example, the initiator random number generation module and the responder random number generation module may be random number generation modules of the same structure; the initiator multiple point operation module and the responder multiple point operation module may be multiple point operation modules of the same structure; the initiator point addition module and the responder point addition module may be point addition modules of the same structure; and the initiator key derivation module and the responder key derivation module may be key derivation modules of the same structure. The corresponding modules in the two subsystems can therefore be multiplexed, which saves hardware resources, improves the integration level of the system and reduces the chip area.
Fig. 7 is a block diagram of an embodiment of the present invention. As shown in fig. 7, the system includes an initiator control center 701, a responder control center 702, a random number generation module 704, a multiple point operation module 705, a point addition module 706 and a key derivation module 707. Compared with the structure of fig. 2, the initiator random number generation module and the responder random number generation module of fig. 2 are implemented by the same random number generation module 704 in fig. 7; the initiator multiple point operation module and the responder multiple point operation module are implemented by the same multiple point operation module 705 in fig. 7; the initiator point addition module and the responder point addition module are implemented by the same point addition module 706 in fig. 7; and the initiator key derivation module and the responder key derivation module are implemented by the same key derivation module 707 in fig. 7. In addition, on the basis of the system configuration shown in fig. 2, the system further includes an upper layer check module 703;
the initiator control center 701 is configured to send an initiator occupation signal to the upper check module 703;
the responder control center 702 is configured to send a responder occupation signal to the upper layer check module 703;
the upper layer check module 703 is configured to set, according to the initiator occupation signal, the working mode of the random number generation module 704, the point multiplication module 705, the point addition module 706 and the key derivation module 707 to the initiator mode, so that these modules respectively take on the functions of the initiator random number generation module, the initiator point multiplication module, the initiator point addition module and the initiator key derivation module of fig. 2, and to forward communication data between the initiator control center 701 and the random number generation module 704, the point multiplication module 705, the point addition module 706 and the key derivation module 707; and to set, according to the responder occupation signal, the working mode of the same four modules to the responder mode, so that they respectively take on the functions of the responder random number generation module, the responder point multiplication module, the responder point addition module and the responder key derivation module of fig. 2, and to forward communication data between the responder control center 702 and the random number generation module 704, the point multiplication module 705, the point addition module 706 and the key derivation module 707.
In addition, fig. 7 may further include a w generation module 708, which generates the parameter w and sends it to the initiator control center 701 and the responder control center 702.
Therefore, in the embodiment shown in fig. 7, an upper layer check module is added as a forwarding module through which the initiator control center and the responder control center exchange data with the other modules of their respective subsystems. The initiator control center and the responder control center need only control the working modes of the other modules through the upper layer check module in order to share the modules of the same structure in the two subsystems, which greatly reduces the number of modules and saves hardware resources.
Further, as can be seen from the structures of the modules shown in figs. 3, 4 and 5, the initiator control center, the responder control center, the point multiplication module and the point addition module of the embodiment of fig. 7 can in turn share submodules that have the same function. The block diagram of another embodiment of the present invention, shown in fig. 8, is obtained in this way.
The system of the embodiment of fig. 8 includes: a domain conversion submodule 810 and a Montgomery domain multiplication submodule 811, which are shared by the initiator control center, the responder control center, the point multiplication module and the point addition module of fig. 7; and a projective coordinate point addition submodule 812 and a finite field inversion submodule 813, which are shared by the point multiplication module and the point addition module;
the system further comprises a lower layer check module 808 for realizing the sharing of the domain conversion submodule 810, the Montgomery domain multiplication submodule 811, the projective coordinate point addition submodule 812 and the finite field inversion submodule 813;
the initiator control center of fig. 7 further includes an initiator control submodule 801; the responder control center further includes a responder control submodule 802; the point multiplication module further includes a point multiplication control submodule 805 and a projective coordinate point doubling submodule 809; the point addition module further includes a point addition control submodule 806; the random number generation module and the upper layer check module of fig. 7 are denoted by 804 and 803 respectively in fig. 8, and their functions are the same as in fig. 7.
The initiator control submodule of fig. 8 is configured to send an initiator control submodule occupation signal to the lower layer check module; to send the two finite field values to be multiplied (a scalar multiplication) to the domain conversion submodule; to send the two Montgomery domain values returned by the domain conversion submodule to the Montgomery domain multiplication submodule; and to send 1 together with the product returned by the Montgomery domain multiplication submodule back to the Montgomery domain multiplication submodule. In addition to this scalar multiplication function, the initiator control submodule also has the data operation, judgment and timing control functions of the initiator control center of fig. 2, for example: sending rA and G as a group of point multiplication data to the point multiplication control submodule; sending RA to the responder control submodule; calculating x10 and x20 according to x10 = 2^w + [x1 & (2^w - 1)] and x20 = 2^w + [x2 & (2^w - 1)]; calculating tA according to tA = (dA + x10·rA) mod n; judging whether RB is a point on the elliptic curve; sending x20 and RB as a group of point multiplication data to the point multiplication control submodule; sending PB and [x20]RB as a group of point addition data to the point addition control submodule; sending h·tA and (PB + [x20]RB) as a group of point multiplication data to the point multiplication control submodule; judging whether U is the point at infinity; sending the bit string Z formed by concatenating xU, yU, ZA and ZB to the key derivation module; outputting the bit string KA returned by the key derivation module as the initiator session key; and outputting a negotiation failure message when RB is judged not to be a point on the elliptic curve or U is the point at infinity. Thus the initiator control submodule, the domain conversion submodule and the Montgomery domain multiplication submodule, connected through the lower layer check module, form the initiator control center shown in fig. 3 and have the functions of the initiator control center shown in fig. 3.
The responder control submodule of fig. 8 is configured to send a responder control submodule occupation signal to the lower layer check module; to send the two finite field values to be multiplied (a scalar multiplication) to the domain conversion submodule; to send the two Montgomery domain values returned by the domain conversion submodule to the Montgomery domain multiplication submodule; and to send 1 together with the product returned by the Montgomery domain multiplication submodule back to the Montgomery domain multiplication submodule. In addition to this scalar multiplication function, the responder control submodule also has the data operation, judgment and timing control functions of the responder control center of fig. 2, for example: sending rB and G as a group of point multiplication data to the point multiplication control submodule; calculating x10 and x20 according to x10 = 2^w + [x1 & (2^w - 1)] and x20 = 2^w + [x2 & (2^w - 1)]; calculating tB according to tB = (dB + x20·rB) mod n; judging whether RA is a point on the elliptic curve; sending x10 and RA as a group of point multiplication data to the point multiplication control submodule; sending PA and [x10]RA as a group of point addition data to the point addition control submodule; sending h·tB and (PA + [x10]RA) as a group of point multiplication data to the point multiplication control submodule; judging whether V is the point at infinity; sending the bit string Z' formed by concatenating xV, yV, ZA and ZB to the key derivation module; outputting the bit string KB returned by the key derivation module as the responder session key; transmitting RB to the initiator control submodule; and outputting a negotiation failure message when RA is judged not to be a point on the elliptic curve or V is the point at infinity. Thus the responder control submodule, the domain conversion submodule and the Montgomery domain multiplication submodule, connected through the lower layer check module, form the responder control center shown in fig. 3 and have the functions of the responder control center shown in fig. 3.
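The scalar multiplication sequence of the initiator and responder control submodules (two finite field values into the domain conversion submodule, the two Montgomery domain values into the multiplier, then 1 together with the product back into the multiplier) is the usual way of working in the Montgomery domain: enter the domain, multiply there, and leave it by one more multiplication by 1. The following Python block is an added example of that sequence and is not the patent's hardware. It assumes the SM2 field prime p as published in the SM2 standard, a radix R = 2^256, the REDC form of the multiplier, and the function names used here; the patent's scalars such as x10·rA are reduced mod n rather than mod p, and the same routine works for any odd modulus.

```python
"""Montgomery-domain scalar multiplication sequenced as the fig. 8 control
submodule does it.  Added example, not the patent's hardware; the radix
R = 2^256 and the REDC form of the multiplier are assumptions."""

# p of the SM2 curve as published in the SM2 standard (2^256 - 2^224 - 2^96 + 2^64 - 1).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
K = 256                                # operand width of the assumed multiplier
R = 1 << K                             # Montgomery radix; coprime to the odd p
R2 = (R * R) % P                       # R^2 mod p, precomputed once for entering the domain
P_PRIME = (-pow(P, -1, R)) % R         # p' with p * p' = -1 (mod R)

def mont_reduce(t):
    """REDC: map 0 <= t < p*R to t * R^-1 mod p without a division by p."""
    m = ((t & (R - 1)) * P_PRIME) & (R - 1)     # low word times p', reduced mod R
    u = (t + m * P) >> K                        # t + m*p is divisible by R
    return u - P if u >= P else u               # u < 2p, so one conditional subtraction

def mont_mul(a, b):
    """Montgomery domain multiplication submodule: (a * b) * R^-1 mod p."""
    return mont_reduce(a * b)

def to_mont(x):
    """Domain conversion submodule: x -> x*R mod p, computed as MontMul(x, R^2)."""
    return mont_mul(x % P, R2)

def from_mont(x_m):
    """Leaving the domain is MontMul(x_m, 1) = x_m * R^-1 mod p: this is the
    '1 and the product' message the control submodule sends back to the multiplier."""
    return mont_mul(x_m, 1)

def scalar_mult_mod_p(m, j):
    """The control submodule's sequence: convert m and j, multiply, multiply by 1."""
    m_m, j_m = to_mont(m), to_mont(j)          # two finite field values -> Montgomery domain
    prod_m = mont_mul(m_m, j_m)                # represents m*j, still in the Montgomery domain
    return from_mont(prod_m)                   # back to the finite field: m*j mod p
```

The point to notice is the last line of scalar_mult_mod_p: the product of two Montgomery-domain values is itself a Montgomery-domain value, and it only becomes the ordinary finite field product after the extra multiplication by 1, which is why the control submodule's final message to the multiplier carries a 1.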
The point multiplication control submodule of fig. 8 is configured to send a point multiplication control submodule occupation signal to the lower layer check module; to receive a group of point multiplication data consisting of a scalar f and a point C, convert the coordinates (xc, yc) of C in the affine coordinate system into the coordinates (xc2, yc2, 1) of C in the projective coordinate system, and send xc2, yc2 and 1 to the domain conversion submodule; to send (xc3, yc3, zc3) to the projective coordinate point addition submodule as the initial value of the coordinates (xc1, yc1, zc1) of [f]C in the Montgomery domain, where [f]C is the result of the f-fold point multiplication of C; to determine the binary bit length L of f; to take the second-highest bit of the binary form of f as the initial current bit and perform (L-1) iterations, moving the current bit down by one position each time, from the second-highest bit to the lowest bit of f; to send zc1 of the result coordinates (xc1, yc1, zc1) of the (L-1) iterations to the Montgomery domain multiplication submodule; to send the value of zc1 in the finite field to the finite field inversion submodule; to send the value of zc1^-1 in the finite field to the domain conversion submodule; to send xc1 and yc1 of the result coordinates (xc1, yc1, zc1) of the (L-1) iterations together with the value of zc1^-1 in the Montgomery domain to the Montgomery domain multiplication submodule; to send 1 and the value of xc1 in the affine coordinate system returned by the Montgomery domain multiplication submodule to the Montgomery domain multiplication submodule; to send 1 and the value of yc1 in the affine coordinate system returned by the Montgomery domain multiplication submodule to the Montgomery domain multiplication submodule; and to output the coordinates (xc1, yc1) formed by the values of xc1 and yc1 in the finite field as the result [f]C. One iteration consists of: sending the current value of the coordinates (xc1, yc1, zc1) to the projective coordinate point doubling submodule, and, when the current bit of f is binary 1, sending the output coordinates returned by the projective coordinate point doubling submodule to the projective coordinate point addition submodule;
the projective coordinate point doubling submodule is configured to perform a point doubling operation on the input coordinates and return the result, as output coordinates, to the point multiplication control submodule;
Thus the point multiplication control submodule, the domain conversion submodule, the Montgomery domain multiplication submodule, the projective coordinate point doubling submodule, the projective coordinate point addition submodule and the finite field inversion submodule, connected through the lower layer check module, form the structure of the point multiplication module shown in fig. 4 and have the functions of the point multiplication module shown in fig. 4.
The point addition control submodule of fig. 8 is configured to send a point addition control submodule occupation signal to the lower layer check module; to convert the received coordinates (x11', y11') and (x12', y12') of the points PP1 and PP2 to be added, given in the affine coordinate system, into the coordinates (x11', y11', 1) and (x12', y12', 1) in the projective coordinate system, and send x11', y11', 1 and x12', y12', 1 to the domain conversion submodule; to send the coordinates (x111', y111', z111') and (x121', y121', z121') to the projective coordinate point addition submodule; to send z131' of the coordinates (x131', y131', z131') returned by the projective coordinate point addition submodule to the Montgomery domain multiplication submodule; to send the value of z131' in the finite field returned by the Montgomery domain multiplication submodule to the finite field inversion submodule; to send the value of z131'^-1 in the finite field to the domain conversion submodule; to send x131' and y131' of the coordinates (x131', y131', z131') together with the value of z131'^-1 in the Montgomery domain to the Montgomery domain multiplication submodule; to send 1 and the value of x131' in the affine coordinate system to the Montgomery domain multiplication submodule; to send 1 and the value of y131' in the affine coordinate system to the Montgomery domain multiplication submodule; and to output the coordinates (x131', y131') formed by the values of x131' and y131' in the finite field returned by the Montgomery domain multiplication submodule as the result of the point addition of PP1 and PP2 in the affine coordinate system. It can be seen that the point addition control submodule of fig. 8, together with the domain conversion submodule, the Montgomery domain multiplication submodule, the projective coordinate point addition submodule and the finite field inversion submodule, connected through the data forwarding of the lower layer check module, forms the structure of the point addition module shown in fig. 5 and has the functions of the point addition module shown in fig. 5.
The lower layer check module is configured to set, according to the initiator control submodule occupation signal, the working mode of the domain conversion submodule and the Montgomery domain multiplication submodule to the initiator control submodule occupation mode, and to forward communication data between the initiator control submodule and the domain conversion submodule and Montgomery domain multiplication submodule; to set, according to the responder control submodule occupation signal, the working mode of the domain conversion submodule and the Montgomery domain multiplication submodule to the responder control submodule occupation mode, and to forward communication data between the responder control submodule and the domain conversion submodule and Montgomery domain multiplication submodule; to set, according to the point multiplication control submodule occupation signal, the working mode of the domain conversion submodule, the Montgomery domain multiplication submodule, the projective coordinate point addition submodule and the finite field inversion submodule to the point multiplication control submodule occupation mode, and to forward communication data between the point multiplication control submodule and these four submodules; and to set, according to the point addition control submodule occupation signal, the working mode of the domain conversion submodule, the Montgomery domain multiplication submodule, the projective coordinate point addition submodule and the finite field inversion submodule to the point addition control submodule occupation mode, and to forward communication data between the point addition control submodule and these four submodules;
Therefore, in this embodiment a lower layer check module is further provided on the basis of fig. 7. It forwards communication data between the initiator control submodule, the responder control submodule, the point multiplication control submodule and the point addition control submodule on one side and the domain conversion submodule, the Montgomery domain multiplication submodule, the projective coordinate point addition submodule and the finite field inversion submodule on the other, and it controls the working modes of the latter four submodules, so that those four submodules are shared. Relative to the embodiment of fig. 7, hardware resources are thereby further saved and the chip area is further reduced.
The domain conversion submodule of fig. 8 is configured to: in the initiator control submodule occupation mode, convert the two finite field values sent by the initiator control submodule into their respective values in the Montgomery domain and return them to the initiator control submodule; in the responder control submodule occupation mode, convert the two finite field values sent by the responder control submodule into their respective values in the Montgomery domain and return them to the responder control submodule; in the point multiplication control submodule occupation mode, convert the finite field values xc2, yc2 and 1 into the Montgomery domain values xc3, yc3 and zc3 respectively and return them to the point multiplication control submodule, and convert the value of zc1^-1 in the finite field into its value in the Montgomery domain and return it to the point multiplication control submodule; and in the point addition control submodule occupation mode, convert the finite field values x11', y11', 1 and x12', y12', 1 into the Montgomery domain values x111', y111', z111' and x121', y121', z121' respectively and return them to the point addition control submodule, and convert the value of z131'^-1 in the finite field into its value in the Montgomery domain and return it to the point addition control submodule;
The Montgomery domain multiplication submodule of fig. 8 is configured to: in the initiator control submodule occupation mode, perform the Montgomery domain multiplication of the two Montgomery domain values sent by the initiator control submodule and return the product to the initiator control submodule, and perform the Montgomery domain multiplication of 1 and the product sent by the initiator control submodule and return the result to the initiator control submodule; in the responder control submodule occupation mode, perform the Montgomery domain multiplication of the two Montgomery domain values sent by the responder control submodule and return the product to the responder control submodule, and perform the Montgomery domain multiplication of 1 and the product sent by the responder control submodule and return the result to the responder control submodule; in the point multiplication control submodule occupation mode, perform the Montgomery domain multiplication of the Montgomery domain value of zc1 and 1 and send the resulting finite field value of zc1 to the point multiplication control submodule, perform the Montgomery domain multiplication of the Montgomery domain values of xc1 and zc1^-1 and of yc1 and zc1^-1 and return the resulting values of xc1 and yc1 in the affine coordinate system to the point multiplication control submodule, and perform the Montgomery domain multiplication of 1 and the value of xc1 in the affine coordinate system and of 1 and the value of yc1 in the affine coordinate system and return the resulting finite field values of xc1 and yc1 to the point multiplication control submodule; and in the point addition control submodule occupation mode, perform the Montgomery domain multiplication of the input z131' and 1 and send the resulting finite field value of z131' to the point addition control submodule, perform the Montgomery domain multiplication of the Montgomery domain values of x131' and z131'^-1 and of y131' and z131'^-1 and return the values of x131' and y131' in the affine coordinate system to the point addition control submodule, and perform the Montgomery domain multiplication of the value of x131' in the affine coordinate system and 1 and of the value of y131' in the affine coordinate system and 1 and return the finite field values of x131' and y131' to the point addition control submodule;
The projective coordinate point addition submodule of fig. 8 is configured to, in the point multiplication control submodule occupation mode, perform the point addition of the input coordinates and (xc3, yc3, zc3) and send the result to the point multiplication control submodule; and, in the point addition control submodule occupation mode, perform the point addition of the input coordinates (x111', y111', z111') and (x121', y121', z121') and return the resulting coordinates (x131', y131', z131') to the point addition control submodule;
The finite field inversion submodule of fig. 8 is configured to, in the point multiplication control submodule occupation mode, invert the finite field value of zc1 and send the resulting finite field value of zc1^-1 to the point multiplication control submodule; and, in the point addition control submodule occupation mode, invert the input finite field value of z131' and send the resulting finite field value of z131'^-1 to the point addition control submodule.
It can be seen that the domain conversion submodule, the Montgomery domain multiplication submodule, the projective coordinate point addition submodule and the finite field inversion submodule of fig. 8 work in the working modes set by the lower layer check module, and together complete the scalar multiplication, point addition and point multiplication operations.
In addition, the system embodiment shown in fig. 8 may further include a w generation module 814, configured to generate w and provide it to the initiator control submodule 801 and the responder control submodule 802.
The key derivation module 807 in fig. 8 may also have the structure shown in fig. 6.
It can be seen that the present invention has the following advantages:
(1) In the invention, the initiator control center and the responder control center each arrange the working timing of the corresponding random number generation module, point multiplication module, point addition module and key derivation module, so that the initiator random number generation module and the responder random number generation module generate the random numbers rA and rB between 1 and (n-1), the initiator point multiplication module and the responder point multiplication module perform the point multiplications of scalars and points, the initiator point addition module and the responder point addition module perform the point additions of two points, and the initiator key derivation module and the responder key derivation module perform the key derivation operations on bit strings. At the same time the initiator control center and the responder control center each judge whether the negotiation has succeeded, which realizes the key negotiation between the initiator and the responder: when the two parties negotiate successfully, the initiator and the responder obtain the same session key from the initiator key derivation module and the responder key derivation module respectively, with which their communication can be encrypted and decrypted; when the negotiation is unsuccessful, negotiation failure information is output.
Therefore, the invention realizes the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware, using an initiator subsystem composed of an initiator control center, an initiator random number generation module, an initiator point multiplication module, an initiator point addition module and an initiator key derivation module, and a responder subsystem composed of a responder control center, a responder random number generation module, a responder point multiplication module, a responder point addition module and a responder key derivation module.
(2) Because the invention realizes the key exchange protocol of the SM2 elliptic curve public key cryptographic algorithm in hardware, it has a faster operation speed and higher security than a software implementation of the key exchange protocol.
(3) In the invention, the initiator control center and the responder control center convert the two operands of a scalar multiplication from the finite field to the Montgomery domain before multiplying, which greatly reduces the difficulty of the operation, improves its efficiency and helps to further increase the speed of the key exchange protocol.
(4) In the point multiplication module and the point addition module of the invention, the data are first converted from the affine coordinate system to the projective coordinate system and then from the finite field to the Montgomery domain, so that the corresponding calculations are carried out in the Montgomery domain; the data are then converted from the projective coordinate system back to the affine coordinate system and from the Montgomery domain back to the finite field, and the result of the point operation is output.
(5) The invention shares the corresponding modules and submodules of the initiator subsystem and the responder subsystem, which greatly saves hardware resources, improves the integration level of the system and reduces the chip area.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (8)

1. A p-element field SM2 elliptic curve key agreement system, wherein the elliptic curve has a base point G of order n and a cofactor h; the initiator hash value and the responder hash value are ZA and ZB respectively; the initiator public key and private key are PA and dA respectively, and the responder public key and private key are PB and dB respectively; and the length of the session key agreed by the initiator and the responder is klen; characterized in that the system comprises an initiator subsystem and a responder subsystem; the initiator subsystem comprises an initiator control center, an initiator random number generation module, an initiator point multiplication module, an initiator point addition module and an initiator key derivation module; and the responder subsystem comprises a responder control center, a responder random number generation module, a responder point multiplication module, a responder point addition module and a responder key derivation module; wherein,
the initiator control center is configured to send rA and G as a group of point multiplication data to the initiator point multiplication module, wherein rA is a random number between 1 and (n-1) generated by the initiator random number generation module; to send RA to the responder control center, wherein RA is the point with coordinates (x1, y1) obtained by the initiator point multiplication module performing the rA-fold point multiplication of G; to calculate x10 and x20 according to x10 = 2^w + [x1 & (2^w - 1)] and x20 = 2^w + [x2 & (2^w - 1)]; to calculate the scalar product x10·rA of x10 and rA, and to calculate tA according to tA = (dA + x10·rA) mod n; to judge whether RB is a point on the elliptic curve, wherein RB is the point with coordinates (x2, y2) obtained by the responder point multiplication module performing the rB-fold point multiplication of G, and rB is a random number between 1 and (n-1) generated by the responder random number generation module; to send x20 and RB as a group of point multiplication data to the initiator point multiplication module; to calculate the scalar product h·tA of h and tA; to send PB and [x20]RB as a group of point addition data to the initiator point addition module; to send h·tA and (PB + [x20]RB) as a group of point multiplication data to the initiator point multiplication module; to judge whether U is the point at infinity, wherein U is the point obtained by the h·tA-fold point multiplication of (PB + [x20]RB) and has coordinates (xU, yU); to send the bit string Z formed by concatenating xU, yU, ZA and ZB to the initiator key derivation module; to output the bit string KA returned by the initiator key derivation module as the initiator session key; and to output a negotiation failure message when RB is judged not to be a point on the elliptic curve or U is the point at infinity;
the initiator random number generation module is used for sending the generated random number rA between 1 and (n-1) to the initiator control center;
the initiator point multiplication module is configured to perform the rA-fold point multiplication of G to obtain the point RA with coordinates (x1, y1) and send RA to the initiator control center; to perform the x20-fold point multiplication of RB and send the resulting [x20]RB to the initiator control center; and to perform the h·tA-fold point multiplication of (PB + [x20]RB) and send the resulting point U, with coordinates (xU, yU), to the initiator control center;
the initiator point adding module is used for performing point adding operation on PB and [ x20] RB and sending the generated (PB + [ x20] RB) to the initiator control center;
the initiator key derivation module is used for performing key derivation operation on the bit string Z and sending the obtained bit string KA with the length of klen to the initiator control center;
the responder control center is configured to send rB and G as a group of point multiplication data to the responder point multiplication module; to calculate x10 and x20 according to x10 = 2^w + [x1 & (2^w - 1)] and x20 = 2^w + [x2 & (2^w - 1)]; to calculate the scalar product x20·rB of x20 and rB, and to calculate tB according to tB = (dB + x20·rB) mod n; to judge whether RA is a point on the elliptic curve; to send x10 and RA as a group of point multiplication data to the responder point multiplication module; to calculate the scalar product h·tB of h and tB; to send PA and [x10]RA as a group of point addition data to the responder point addition module; to send h·tB and (PA + [x10]RA) as a group of point multiplication data to the responder point multiplication module; to judge whether V is the point at infinity, wherein V is the point obtained by the h·tB-fold point multiplication of (PA + [x10]RA) and has coordinates (xV, yV); to send the bit string Z' formed by concatenating xV, yV, ZA and ZB to the responder key derivation module; to output the bit string KB returned by the responder key derivation module as the responder session key; to transmit RB to the initiator control center; and to output a negotiation failure message when RA is judged not to be a point on the elliptic curve or V is the point at infinity;
the responder random number generation module is used for sending the generated random number rB between 1 and (n-1) to the responder control center;
the responder point multiplication module is used for performing the rB point multiplication operation on G to obtain a point RB with coordinates (x2, y2) and sending RB to the responder control center; performing the x10 point multiplication operation on RA and sending the obtained [x10]RA to the responder control center; and performing the h·tB point multiplication operation on (PA + [x10]RA) and sending the obtained point V, whose coordinates are (xV, yV), to the responder control center;
the responder point addition module is used for performing the point addition operation on PA and [x10]RA and sending the generated (PA + [x10]RA) to the responder control center;
the responder key derivation module is used for performing key derivation operation on the bit string Z' and sending the obtained bit string KB with the length of klen to the responder control center;
where w is a parameter, & is the bitwise logical AND operator, and mod is the modulo operator.
2. The system of claim 1, further comprising a w generation module configured to calculate the parameter w and to send the parameter w to the initiator control center and the responder control center respectively.
3. The system of claim 1, wherein the initiator control center and the responder control center each comprise: a control submodule, a domain conversion submodule and a Montgomery domain multiplication submodule; wherein,
the control submodule is used for sending the values of m and j in the finite field, which are to be subjected to scalar multiplication, to the domain conversion submodule; sending the values of m and j in the Montgomery domain to the Montgomery domain multiplication submodule; and sending 1 and the product mj returned by the Montgomery domain multiplication submodule to the Montgomery domain multiplication submodule;
the domain conversion submodule is used for respectively converting the values of m and j in the finite domain into values in the Montgomery domain and returning the values to the control submodule;
the Montgomery domain multiplication submodule is used for carrying out Montgomery domain multiplication on the values of m and j in the Montgomery domain and returning the obtained product mj to the control submodule; carrying out Montgomery domain multiplication on mj and 1 to obtain the scalar product of the values of m and j in the finite field; and returning the scalar product of the values of m and j in the finite field to the control submodule.
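The flow of claim 3, as an added Python example that is not the patent's code: two finite-field values are converted into the Montgomery domain, multiplied there, and the product is brought back by one further Montgomery multiplication by 1. The example assumes the SM2 recommended curve prime as p and a Montgomery radix of R = 2^256; both are this example's choices, not values stated on the page.

```python
# Added example, not the patent's code: the claim-3 flow of converting two
# finite-field values into the Montgomery domain, multiplying them there,
# and leaving the domain by a further Montgomery multiplication by 1.
# Assumptions of this example: p is the SM2 recommended curve prime and
# the Montgomery radix is R = 2^256.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
RBITS = 256
R = 1 << RBITS
R_MASK = R - 1
# p' with p * p' == -1 (mod R), precomputed once for the reduction step
P_INV_NEG = (-pow(P, -1, R)) % R
# R^2 mod p lets a value enter the domain with one Montgomery multiplication
R2 = (R * R) % P

def redc(t: int) -> int:
    """Montgomery reduction: returns t * R^-1 mod p for 0 <= t < p * R."""
    m = ((t & R_MASK) * P_INV_NEG) & R_MASK
    u = (t + m * P) >> RBITS
    return u - P if u >= P else u

def mont_mul(a_m: int, b_m: int) -> int:
    """Montgomery domain multiplication submodule: (aR)(bR)R^-1 = abR mod p."""
    return redc(a_m * b_m)

def to_mont(a: int) -> int:
    """Domain conversion submodule: finite-field a -> aR mod p."""
    return mont_mul(a % P, R2)

def from_mont(a_m: int) -> int:
    """Leaving the domain: multiplying aR by 1 yields aR * 1 * R^-1 = a."""
    return mont_mul(a_m, 1)

def field_mul_via_montgomery(m: int, j: int) -> int:
    """Control submodule flow of claim 3: convert m and j, multiply, convert back."""
    m_m, j_m = to_mont(m), to_mont(j)   # values of m and j in the Montgomery domain
    mj_m = mont_mul(m_m, j_m)           # product mj in the Montgomery domain
    return from_mont(mj_m)              # mj in the finite field
```

The multiply-by-1 step is what makes the hardware sharing of claims 3 and 8 cheap: the same multiplier that computes products inside the domain also performs the conversion out of it, so no separate reduction unit is needed.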
4. The system of claim 1, wherein the initiator point multiplication module and the responder point multiplication module each comprise: a point multiplication control submodule, a projective system point doubling submodule, a domain conversion submodule, a Montgomery domain multiplication submodule, a finite field inversion submodule and a projective system point addition submodule; wherein,
the point multiplication control submodule is used for receiving a group of point multiplication operation data consisting of a numerical value f and a point C, converting the coordinates (xc, yc) of the point C in the affine coordinate system into the coordinates (xc2, yc2, 1) of the point C in the projective coordinate system, and sending xc2, yc2 and 1 to the domain conversion submodule; sending (xc3, yc3, zc3) to the projective system point addition submodule as the initial value of the coordinates (xc1, yc1, zc1) of [f]C in the Montgomery domain, where [f]C is the result of the f-times point multiplication operation on C; determining the binary bit length L of f; taking the second highest bit of the binary form of f as the initial current bit, and carrying out (L-1) iterative operations from the second highest bit of the binary form of f down to the lowest bit, moving the current bit down by one bit each time; sending zc1 of the result coordinates (xc1, yc1, zc1) of the (L-1) iterative operations to the Montgomery domain multiplication submodule; sending the value of zc1 in the finite field to the finite field inversion submodule; sending the value of zc1^(-1) in the finite field to the domain conversion submodule; sending xc1 and yc1 of the result coordinates (xc1, yc1, zc1) of the (L-1) iterative operations, together with the value of zc1^(-1) in the Montgomery domain, to the Montgomery domain multiplication submodule; sending 1 and the value of xc1 in the affine coordinate system, and 1 and the value of yc1 in the affine coordinate system, respectively to the Montgomery domain multiplication submodule; and outputting the coordinates (xc1, yc1) composed of the values of xc1 and yc1 in the finite field as the operation result [f]C; wherein one iterative operation comprises: sending the current value of the coordinates (xc1, yc1, zc1) to the projective system point doubling submodule, and, in the case that the current bit of f is binary 1, sending the output coordinates returned by the projective system point doubling submodule to the projective system point addition submodule;
the domain conversion submodule is used for converting the values xc2, yc2 and 1 in the finite field into the values xc3, yc3 and zc3 in the Montgomery domain respectively and returning them to the point multiplication control submodule; and converting the value of zc1^(-1) in the finite field into its value in the Montgomery domain and returning it to the point multiplication control submodule;
the projective system point doubling submodule is used for carrying out the point doubling operation on the input coordinates and returning the operation result as the output coordinates to the point multiplication control submodule;
the projective system point addition submodule is used for performing the point addition operation on the input coordinates and (xc3, yc3, zc3) and sending the operation result to the point multiplication control submodule;
the Montgomery domain multiplication submodule is used for carrying out Montgomery domain multiplication on the value of zc1 in the Montgomery domain and 1, and sending the obtained value of zc1 in the finite field to the point multiplication control submodule; carrying out Montgomery domain multiplication on the values of xc1 and zc1^(-1) in the Montgomery domain, and on the values of yc1 and zc1^(-1) in the Montgomery domain, respectively, and returning the obtained values of xc1 and yc1 in the affine coordinate system to the point multiplication control submodule; and carrying out Montgomery domain multiplication on the values of xc1 and yc1 in the affine coordinate system and 1 respectively, and returning the obtained values of xc1 and yc1 in the finite field to the point multiplication control submodule;
the finite field inversion submodule is used for carrying out the inversion operation on the value of zc1 in the finite field and sending the obtained value of zc1^(-1) in the finite field to the point multiplication control submodule.
5. The system of claim 1, wherein the initiator point addition module and the responder point addition module each comprise: a point addition control submodule, a domain conversion submodule, a projective system point addition submodule, a Montgomery domain multiplication submodule and a finite field inversion submodule; wherein,
the point addition control submodule is used for converting the received coordinates (x11', y11') and (x12', y12') of the points PP1 and PP2 to be subjected to the point addition operation in the affine coordinate system into the coordinates (x11', y11', 1) and (x12', y12', 1) in the projective coordinate system respectively, and sending x11', y11', 1, x12', y12' and 1 to the domain conversion submodule; sending the coordinates (x111', y111', z111') composed of x111', y111' and z111' and the coordinates (x121', y121', z121') composed of x121', y121' and z121' to the projective system point addition submodule; sending z131' of the coordinates (x131', y131', z131') returned by the projective system point addition submodule to the Montgomery domain multiplication submodule; sending the value of z131' in the finite field returned by the Montgomery domain multiplication submodule to the finite field inversion submodule; sending the value of z131'^(-1) in the finite field to the domain conversion submodule; sending x131' and y131' of the coordinates (x131', y131', z131'), together with the value of z131'^(-1) in the Montgomery domain, to the Montgomery domain multiplication submodule; sending the value of x131' in the affine coordinate system and 1, and the value of y131' in the affine coordinate system and 1, respectively to the Montgomery domain multiplication submodule; and outputting the coordinates (x131', y131') formed by the values of x131' and y131' in the finite field returned by the Montgomery domain multiplication submodule as the result of the point addition operation on PP1 and PP2 in the affine coordinate system;
the domain conversion submodule is used for converting the values of x11', y11', 1, x12', y12' and 1 in the finite field into the values x111', y111', z111', x121', y121' and z121' in the Montgomery domain respectively and returning them to the point addition control submodule; and converting the value of z131'^(-1) in the finite field into the value of z131'^(-1) in the Montgomery domain and returning it to the point addition control submodule;
the projective system point addition submodule is used for performing the point addition operation on the input coordinates (x111', y111', z111') and (x121', y121', z121'), and returning the obtained coordinates (x131', y131', z131') to the point addition control submodule;
the Montgomery domain multiplication submodule is used for carrying out Montgomery domain multiplication on the input z131' and 1 and sending the obtained value of z131' in the finite field to the point addition control submodule; carrying out Montgomery domain multiplication on the values of x131' and z131'^(-1) in the Montgomery domain, and on the values of y131' and z131'^(-1) in the Montgomery domain, respectively, and returning the obtained values of x131' and y131' in the affine coordinate system to the point addition control submodule; and carrying out Montgomery domain multiplication on the values of x131' and y131' in the affine coordinate system and 1 respectively, and returning the obtained values of x131' and y131' in the finite field to the point addition control submodule;
the finite field inversion submodule is used for carrying out the inversion operation on the input value of z131' in the finite field and sending the obtained value of z131'^(-1) in the finite field to the point addition control submodule.
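The point multiplication schedule of claim 4 and the projective point addition of claim 5, as an added Python example that is not the patent's code: homogeneous projective coordinates (X:Y:Z) with x = X/Z and y = Y/Z, an accumulator initialised to C and then, for every bit of f below the most significant one, doubled and, when that bit is 1, added to C, followed by the single finite-field inversion of Z that returns the affine result. The field multiplications are plain modular arithmetic rather than Montgomery-domain operations, the SM2 curve constants are taken from the GB/T 32918 standard, and the small curve over F_97 is constructed so that the results can be checked by hand; all of these are this example's assumptions.

```python
# Added example, not the patent's code: [f]C in homogeneous projective
# coordinates (X:Y:Z with x = X/Z, y = Y/Z) using the claim-4 schedule
# (accumulator starts at C; for each bit of f below the top bit: double,
# and add C when the bit is 1), the claim-5 projective point addition, and
# a single inversion of Z to return to affine coordinates. Field
# multiplications are plain modular arithmetic here; the patent does them
# in the Montgomery domain.
from dataclasses import dataclass
from typing import Optional, Tuple

Affine = Optional[Tuple[int, int]]   # None is the point at infinity O
Proj = Tuple[int, int, int]          # (X, Y, Z); Z == 0 is O

@dataclass(frozen=True)
class Curve:
    p: int   # field prime
    a: int   # curve coefficient a
    b: int   # curve coefficient b

# SM2 recommended curve over F_p (GB/T 32918); SM2_N is the order of SM2_G.
SM2 = Curve(
    p=0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF,
    a=0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC,
    b=0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93)
SM2_N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
SM2_G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
         0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
# Constructed toy curve y^2 = x^3 + 2x + 3 over F_97; the point (3, 6) has order 5.
TOY = Curve(p=97, a=2, b=3)

def on_curve(cv: Curve, pt: Affine) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + cv.a * x + cv.b)) % cv.p == 0

def proj_double(cv: Curve, P: Proj) -> Proj:
    """Projective system point doubling submodule (claim 4)."""
    X1, Y1, Z1 = P
    p = cv.p
    if Z1 == 0 or Y1 == 0:           # 2*O = O, and 2*(x, 0) = O
        return (0, 1, 0)
    XX, ZZ = X1 * X1 % p, Z1 * Z1 % p
    w = (cv.a * ZZ + 3 * XX) % p
    s = 2 * Y1 * Z1 % p
    sss = s * s % p * s % p
    R = Y1 * s % p
    RR = R * R % p
    B = ((X1 + R) * (X1 + R) - XX - RR) % p
    h = (w * w - 2 * B) % p
    return (h * s % p, (w * (B - h) - 2 * RR) % p, sss)

def proj_add(cv: Curve, P: Proj, Q: Proj) -> Proj:
    """Projective system point addition submodule (claim 5)."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    p = cv.p
    if Z1 == 0:
        return Q
    if Z2 == 0:
        return P
    Y1Z2, X1Z2, Z1Z2 = Y1 * Z2 % p, X1 * Z2 % p, Z1 * Z2 % p
    u = (Y2 * Z1 - Y1Z2) % p
    v = (X2 * Z1 - X1Z2) % p
    if v == 0:                        # same x: either P == Q or P == -Q
        return proj_double(cv, P) if u == 0 else (0, 1, 0)
    vv = v * v % p
    vvv = vv * v % p
    R = vv * X1Z2 % p
    A = (u * u * Z1Z2 - vvv - 2 * R) % p
    return (v * A % p, (u * (R - A) - vvv * Y1Z2) % p, vvv * Z1Z2 % p)

def to_affine(cv: Curve, P: Proj) -> Affine:
    """One finite-field inversion of Z, then x = X*Z^-1 and y = Y*Z^-1."""
    X, Y, Z = P
    if Z == 0:
        return None
    z_inv = pow(Z, -1, cv.p)
    return (X * z_inv % cv.p, Y * z_inv % cv.p)

def scalar_mult(cv: Curve, f: int, C: Affine) -> Affine:
    """[f]C with the claim-4 schedule over the (L-1) bits below the top bit."""
    if f == 0 or C is None:
        return None
    C_proj = (C[0], C[1], 1)          # affine (xc, yc) -> projective (xc, yc, 1)
    acc = C_proj                      # initial value of [f]C is C itself
    for i in range(f.bit_length() - 2, -1, -1):
        acc = proj_double(cv, acc)
        if (f >> i) & 1:
            acc = proj_add(cv, acc, C_proj)
    return to_affine(cv, acc)

def group_law_holds(cv: Curve, a: int, b: int, C: Affine) -> bool:
    """Consistency check: [a]C + [b]C (via proj_add) equals [a+b]C."""
    Pa, Pb = scalar_mult(cv, a, C), scalar_mult(cv, b, C)
    total = to_affine(cv, proj_add(cv, (Pa[0], Pa[1], 1), (Pb[0], Pb[1], 1)))
    return total == scalar_mult(cv, a + b, C)
```

On the F_97 curve the multiples of (3, 6) can be checked by hand ([2]C = (80, 10), [3]C = (80, 87), [4]C = (3, 91), [5]C = O); on the SM2 curve the checks [n]G = O and [n-1]G = -G confirm the formulas and the curve constants together. Note that the add-when-bit-is-1 schedule leaks the bits of f through its timing and power profile, which is why a hardware point multiplier built this way needs a constant-time or regular schedule before it is used with a private scalar.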
6. The system of claim 1, wherein the initiator key derivation module and the responder key derivation module each comprise: a key derivation control submodule and a cryptographic hash submodule whose output hash value has a length of v bits; wherein,
the key derivation control submodule is used for receiving an input bit string ZZ; setting the initial value of a 32-bit counter variable ct to 00000001 in hexadecimal representation; determining ⌈klen/v⌉, the smallest integer greater than or equal to klen/v; increasing the loop variable i from 1 to ⌈klen/v⌉ in steps of 1 and executing the cryptographic hash operation ⌈klen/v⌉ times; in the case where klen/v is an integer, setting Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉; in the case where klen/v is not an integer, setting Ha!_⌈klen/v⌉ to the leftmost (klen - v·⌊klen/v⌋) bits of the bit string Ha_⌈klen/v⌉, where ⌊klen/v⌋ is the largest integer less than or equal to klen/v; concatenating Ha_1, ..., Ha_(⌈klen/v⌉-1) and Ha!_⌈klen/v⌉ in order, and outputting the obtained bit string of klen bits as the result of the key derivation operation on ZZ; wherein one cryptographic hash operation comprises: concatenating the current value of ct with ZZ into a bit string ZZ||ct; sending ZZ||ct to the cryptographic hash submodule; assigning the v-bit hash value Hv(ZZ||ct) returned by the cryptographic hash submodule to Ha_i; and increasing the value of ct by hexadecimal 00000001;
the cryptographic hash submodule is used for carrying out the cryptographic hash operation on the input bit string ZZ||ct and returning the v-bit hash value Hv(ZZ||ct) to the key derivation control submodule.
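The responder and initiator flows of claim 1 together with the key derivation of claim 6, as an added Python example that is not the patent's code. It assumes affine point arithmetic in place of the patent's projective and Montgomery-domain submodules, SHA-256 as the v-bit cryptographic hash (v = 256; the SM2 standard specifies SM3), w = ⌈⌈log2 n⌉/2⌉ - 1 as the SM2 standard defines it (the page does not reproduce the formula), the SM2 curve constants from GB/T 32918, and constructed identity strings ZA and ZB with fixed private and ephemeral scalars so that the run is repeatable. The on-curve checks on RA and RB and the point-at-infinity checks on U and V are the negotiation-failure conditions the claim describes.

```python
# Added example, not the patent's code: the key exchange of claim 1 run for
# both parties, with the key derivation function of claim 6. Assumptions:
# affine point arithmetic instead of the patent's projective/Montgomery
# modules, SHA-256 (v = 256) in place of the v-bit cryptographic hash (the
# SM2 standard uses SM3), w as defined in the SM2 standard, constructed
# identity strings ZA/ZB and fixed scalars so that the run is repeatable.
import hashlib
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None is the point at infinity O
# SM2 recommended curve over F_p (GB/T 32918); cofactor h = 1.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H = 1
W = (N.bit_length() + 1) // 2 - 1   # SM2: w = ceil(ceil(log2 n) / 2) - 1 = 127
V_BITS = 256                        # output length v of the hash used here

def on_curve(pt: Point) -> bool:
    """The 'is R a point on the elliptic curve' check of claim 1."""
    if pt is None:
        return False
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(p1: Point, p2: Point) -> Point:
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k: int, pt: Point) -> Point:
    """[k]pt by double-and-add over the bits of k (not constant-time)."""
    acc = None
    for i in range(k.bit_length() - 1, -1, -1):
        acc = point_add(acc, acc)
        if (k >> i) & 1:
            acc = point_add(acc, pt)
    return acc

def kdf_block(zz: bytes, ct: int) -> bytes:
    """One cryptographic hash operation of claim 6: H_v(ZZ || ct), ct as 32-bit big-endian."""
    return hashlib.sha256(zz + ct.to_bytes(4, "big")).digest()

def kdf(zz: bytes, klen: int) -> bytes:
    """Claim 6: ct starts at 0x00000001 and increments after each of the ceil(klen/v)
    hash operations; the last block Ha! keeps its leftmost klen - v*floor(klen/v) bits."""
    rounds = -(-klen // V_BITS)
    stream = b"".join(kdf_block(zz, ct) for ct in range(1, rounds + 1))
    keep = int.from_bytes(stream, "big") >> (rounds * V_BITS - klen)
    return keep.to_bytes((klen + 7) // 8, "big")

def x_bar(x: int) -> int:
    """x10 / x20 of claim 1: 2^w + (x & (2^w - 1))."""
    return (1 << W) + (x & ((1 << W) - 1))

def z_string(pt, ZA: bytes, ZB: bytes) -> bytes:
    """Z / Z' of claim 1: x || y || ZA || ZB with 32-byte coordinates."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big") + ZA + ZB

def responder(dB, PA, rB, RA, ZA, ZB, klen):
    """Responder control center of claim 1; returns (RB, KB), KB is None on failure."""
    RB = point_mul(rB, G)
    tB = (dB + x_bar(RB[0]) * rB) % N
    if not on_curve(RA):
        return RB, None
    V = point_mul(H * tB, point_add(PA, point_mul(x_bar(RA[0]), RA)))
    return RB, (None if V is None else kdf(z_string(V, ZA, ZB), klen))

def initiator(dA, PB, rA, RA, RB, ZA, ZB, klen):
    """Initiator control center of claim 1 once RB has arrived; returns KA or None."""
    tA = (dA + x_bar(RA[0]) * rA) % N
    if not on_curve(RB):
        return None
    U = point_mul(H * tA, point_add(PB, point_mul(x_bar(RB[0]), RB)))
    return None if U is None else kdf(z_string(U, ZA, ZB), klen)

def run_key_agreement(dA, dB, rA, rB, ZA, ZB, klen):
    """A sends RA = [rA]G, B answers with RB = [rB]G; both derive a klen-bit key."""
    PA, PB = point_mul(dA, G), point_mul(dB, G)
    RA = point_mul(rA, G)
    RB, KB = responder(dB, PA, rB, RA, ZA, ZB, klen)
    KA = initiator(dA, PB, rA, RA, RB, ZA, ZB, klen)
    return KA, KB
```

Both sides end at the same point because U = [h·tA·tB]G = V, and the identity strings ZA and ZB enter the KDF input, so a different identity pair yields a different key from the same curve points. The kdf returns the leftmost klen bits: klen = 200 with v = 256 exercises the truncated last block Ha!, while klen = 512 concatenates two hash outputs unchanged. A received R that is not on the curve is rejected before any scalar multiplication uses it, which is the check that keeps an invalid-curve input from influencing the derived key.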
7. The system of claim 1, further comprising: an upper layer check module;
the initiator random number generation module and the responder random number generation module are the same random number generation module; the initiator point multiplication module and the responder point multiplication module are the same point multiplication module; the initiator point addition module and the responder point addition module are the same point addition module; and the initiator key derivation module and the responder key derivation module are the same key derivation module;
the initiator control center is used for sending an initiator occupation signal to the upper-layer check module;
the responder control center is used for sending a responder occupation signal to the upper-layer check module;
the upper-layer check module is used for setting the working modes of the random number generation module, the point multiplication module, the point addition module and the key derivation module to the initiator mode according to the initiator occupation signal, so that each module has the functions of the initiator random number generation module, the initiator point multiplication module, the initiator point addition module and the initiator key derivation module respectively, and forwarding communication data between the initiator control center and the random number generation module, the point multiplication module, the point addition module and the key derivation module; and setting the working modes of the random number generation module, the point multiplication module, the point addition module and the key derivation module to the responder mode according to the responder occupation signal, so that each module has the functions of the responder random number generation module, the responder point multiplication module, the responder point addition module and the responder key derivation module respectively, and forwarding communication data between the responder control center and the random number generation module, the point multiplication module, the point addition module and the key derivation module.
8. The system of claim 7, further comprising a lower-layer check module;
wherein the initiator control center, the responder control center, the point multiplication module and the point addition module share a domain conversion submodule and a Montgomery domain multiplication submodule, and the point addition module and the point multiplication module share a projective system point addition submodule and a finite field inversion submodule;
the initiator control center further comprises: an initiator control submodule; the responder control center further comprises: a responder control submodule; the point multiplication module further comprises: a point multiplication control submodule and a projective system point doubling submodule; the point addition module further comprises: a point addition control submodule;
the initiator control submodule is used for sending an initiator control submodule occupation signal to the lower-layer check module; sending the values in the finite field of the two operands to be subjected to scalar multiplication to the domain conversion submodule; sending the two values in the Montgomery domain returned by the domain conversion submodule to the Montgomery domain multiplication submodule; and sending 1 and the product returned by the Montgomery domain multiplication submodule to the Montgomery domain multiplication submodule;
the responder control submodule is used for sending a responder control submodule occupation signal to the lower-layer check module; sending the values in the finite field of the two operands to be subjected to scalar multiplication to the domain conversion submodule; sending the two values in the Montgomery domain returned by the domain conversion submodule to the Montgomery domain multiplication submodule; and sending 1 and the product returned by the Montgomery domain multiplication submodule to the Montgomery domain multiplication submodule;
the point multiplication control submodule is used for sending a point multiplication control submodule occupation signal to the lower-layer check module; receiving a group of point multiplication operation data consisting of a numerical value f and a point C, converting the coordinates (xc, yc) of C in the affine coordinate system into the coordinates (xc2, yc2, 1) of C in the projective coordinate system, and sending xc2, yc2 and 1 to the domain conversion submodule; sending (xc3, yc3, zc3) to the projective system point addition submodule as the initial value of the coordinates (xc1, yc1, zc1) of [f]C in the Montgomery domain, where [f]C is the result of the f-times point multiplication operation on C; determining the binary bit length L of f; taking the second highest bit of the binary form of f as the initial current bit, and carrying out (L-1) iterative operations from the second highest bit of the binary form of f down to the lowest bit, moving the current bit down by one bit each time; sending zc1 of the result coordinates (xc1, yc1, zc1) of the (L-1) iterative operations to the Montgomery domain multiplication submodule; sending the value of zc1 in the finite field to the finite field inversion submodule; sending the value of zc1^(-1) in the finite field to the domain conversion submodule; sending xc1 and yc1 of the result coordinates (xc1, yc1, zc1) of the (L-1) iterative operations, together with the value of zc1^(-1) in the Montgomery domain, to the Montgomery domain multiplication submodule; sending 1 and the value of xc1 in the affine coordinate system, and 1 and the value of yc1 in the affine coordinate system, respectively to the Montgomery domain multiplication submodule; and outputting the coordinates (xc1, yc1) composed of the values of xc1 and yc1 in the finite field as the operation result [f]C; wherein one iterative operation comprises: sending the current value of the coordinates (xc1, yc1, zc1) to the projective system point doubling submodule, and, in the case that the current bit of f is binary 1, sending the output coordinates returned by the projective system point doubling submodule to the projective system point addition submodule;
the projective system point doubling submodule is used for carrying out the point doubling operation on the input coordinates and returning the operation result as the output coordinates to the point multiplication control submodule;
the point addition control submodule is used for sending a point addition control submodule occupation signal to the lower-layer check module; converting the received coordinates (x11', y11') and (x12', y12') of the points PP1 and PP2 to be subjected to the point addition operation in the affine coordinate system into the coordinates (x11', y11', 1) and (x12', y12', 1) in the projective coordinate system respectively, and sending x11', y11', 1, x12', y12' and 1 to the domain conversion submodule; sending the coordinates (x111', y111', z111') composed of x111', y111' and z111' and the coordinates (x121', y121', z121') composed of x121', y121' and z121' to the projective system point addition submodule; sending z131' of the coordinates (x131', y131', z131') returned by the projective system point addition submodule to the Montgomery domain multiplication submodule; sending the value of z131' in the finite field returned by the Montgomery domain multiplication submodule to the finite field inversion submodule; sending the value of z131'^(-1) in the finite field to the domain conversion submodule; sending x131' and y131' of the coordinates (x131', y131', z131'), together with the value of z131'^(-1) in the Montgomery domain, to the Montgomery domain multiplication submodule; sending the value of x131' in the affine coordinate system and 1, and the value of y131' in the affine coordinate system and 1, respectively to the Montgomery domain multiplication submodule; and outputting the coordinates (x131', y131') formed by the values of x131' and y131' in the finite field returned by the Montgomery domain multiplication submodule as the result of the point addition operation on PP1 and PP2 in the affine coordinate system;
the lower-layer check module is used for setting the working modes of the domain conversion submodule and the Montgomery domain multiplication submodule to the initiator control submodule occupation mode according to the initiator control submodule occupation signal, and forwarding communication data between the initiator control submodule and the domain conversion submodule and the Montgomery domain multiplication submodule; setting the working modes of the domain conversion submodule and the Montgomery domain multiplication submodule to the responder control submodule occupation mode according to the responder control submodule occupation signal, and forwarding communication data between the responder control submodule and the domain conversion submodule and the Montgomery domain multiplication submodule; setting the working modes of the domain conversion submodule, the Montgomery domain multiplication submodule, the projective system point addition submodule and the finite field inversion submodule to the point multiplication control submodule occupation mode according to the point multiplication control submodule occupation signal, and forwarding communication data between the point multiplication control submodule and the domain conversion submodule, the Montgomery domain multiplication submodule, the projective system point addition submodule and the finite field inversion submodule; and setting the working modes of the domain conversion submodule, the Montgomery domain multiplication submodule, the projective system point addition submodule and the finite field inversion submodule to the point addition control submodule occupation mode according to the point addition control submodule occupation signal, and forwarding communication data between the point addition control submodule and the domain conversion submodule, the Montgomery domain multiplication submodule, the projective system point addition submodule and the finite field inversion submodule;
the domain conversion submodule is used for, in the initiator control submodule occupation mode, converting the two finite field values sent by the initiator control submodule into values in the Montgomery domain respectively and returning them to the initiator control submodule; in the responder control submodule occupation mode, converting the two finite field values sent by the responder control submodule into values in the Montgomery domain respectively and returning them to the responder control submodule; in the point multiplication control submodule occupation mode, converting the values xc2, yc2 and 1 in the finite field into the values xc3, yc3 and zc3 in the Montgomery domain respectively and returning them to the point multiplication control submodule, and converting the value of zc1^(-1) in the finite field into its value in the Montgomery domain and returning it to the point multiplication control submodule; and in the point addition control submodule occupation mode, converting the values of x11', y11', 1, x12', y12' and 1 in the finite field into the values x111', y111', z111', x121', y121' and z121' in the Montgomery domain respectively and returning them to the point addition control submodule, and converting the value of z131'^(-1) in the finite field into the value of z131'^(-1) in the Montgomery domain and returning it to the point addition control submodule;
the Montgomery domain multiplication submodule is used for, in the initiator control submodule occupation mode, carrying out Montgomery domain multiplication on the two Montgomery domain values sent by the initiator control submodule and returning the obtained product to the initiator control submodule, and carrying out Montgomery domain multiplication on 1 and the product sent by the initiator control submodule and returning the operation result to the initiator control submodule; in the responder control submodule occupation mode, carrying out Montgomery domain multiplication on the two Montgomery domain values sent by the responder control submodule and returning the obtained product to the responder control submodule, and carrying out Montgomery domain multiplication on 1 and the product sent by the responder control submodule and returning the operation result to the responder control submodule; in the point multiplication control submodule occupation mode, carrying out Montgomery domain multiplication on the value of zc1 in the Montgomery domain and 1 and sending the obtained value of zc1 in the finite field to the point multiplication control submodule, carrying out Montgomery domain multiplication on the values of xc1 and zc1^(-1) in the Montgomery domain and on the values of yc1 and zc1^(-1) in the Montgomery domain respectively and returning the obtained values of xc1 and yc1 in the affine coordinate system to the point multiplication control submodule, and carrying out Montgomery domain multiplication on the values of xc1 and yc1 in the affine coordinate system and 1 respectively and returning the obtained values of xc1 and yc1 in the finite field to the point multiplication control submodule; and in the point addition control submodule occupation mode, carrying out Montgomery domain multiplication on the input z131' and 1 and sending the obtained value of z131' in the finite field to the point addition control submodule, carrying out Montgomery domain multiplication on the values of x131' and z131'^(-1) in the Montgomery domain and on the values of y131' and z131'^(-1) in the Montgomery domain respectively and returning the obtained values of x131' and y131' in the affine coordinate system to the point addition control submodule, and carrying out Montgomery domain multiplication on the values of x131' and y131' in the affine coordinate system and 1 respectively and returning the obtained values of x131' and y131' in the finite field to the point addition control submodule;
the projective system point addition submodule is used for, in the point multiplication control submodule occupation mode, performing the point addition operation on the input coordinates and (xc3, yc3, zc3) and sending the operation result to the point multiplication control submodule; and in the point addition control submodule occupation mode, performing the point addition operation on the input coordinates (x111', y111', z111') and (x121', y121', z121') and returning the obtained coordinates (x131', y131', z131') to the point addition control submodule;
the finite field inversion submodule is used for, in the point multiplication control submodule occupation mode, carrying out the inversion operation on the value of zc1 in the finite field and sending the obtained value of zc1^(-1) in the finite field to the point multiplication control submod­ule; and in the point addition control submodule occupation mode, carrying out the inversion operation on the input value of z131' in the finite field and sending the obtained value of z131'^(-1) in the finite field to the point addition control submodule.
CN201110107526.6A 2011-04-27 2011-04-27 P element field SM2 elliptic curve key agreement system Active CN102761411B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110107526.6A CN102761411B (en) 2011-04-27 2011-04-27 P element field SM2 elliptic curve key agreement system

Publications (2)

Publication Number Publication Date
CN102761411A CN102761411A (en) 2012-10-31
CN102761411B true CN102761411B (en) 2015-06-10

Family

ID=47055738

Country Status (1)

Country Link
CN (1) CN102761411B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104601322A (en) * 2013-10-31 2015-05-06 上海华虹集成电路有限责任公司 Montgomery step algorithm for ternary extension field in cryptographic chip
FR3024808B1 (en) * 2014-08-05 2016-07-29 Inside Secure ELLIPTICAL CURVED CRYPTOGRAPHY METHOD COMPRISING ERROR DETECTION
CN108270563A (en) * 2016-12-30 2018-07-10 航天信息股份有限公司 A kind of method for interchanging data and system based on SM2 Encryption Algorithm
CN113114462B (en) * 2021-03-31 2022-10-04 南京航空航天大学 Small-area scalar multiplication circuit applied to ECC (error correction code) safety hardware circuit

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101296072A (en) * 2007-04-29 2008-10-29 四川虹微技术有限公司 Sharing cryptographic key generation method of elliptic curve
CN101610153A (en) * 2008-06-20 2009-12-23 航天信息股份有限公司 Electronic signature authentication method based on ellipse curve signature algorithm

Also Published As

Publication number Publication date
CN102761411A (en) 2012-10-31

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant