CN103078732A - Prime field elliptic curve crypto dot product accelerating circuit - Google Patents

Abstract

The invention relates to a prime field elliptic curve crypto dot product accelerating circuit, which is used for calculating a formula that Q is equal to k*P, wherein the k is times for calculating dot product; the P is a point on an elliptic curve, and the Q is the other point on the elliptic curve. The prime field elliptic curve crypto dot product accelerating circuit comprises an initialization register, a point addition operation module, a point subtraction operation module, a multiple point operation module, a shifting register, a comparator, an alternative selector and a result register, wherein the point addition operation module, the point subtraction operation module, the multiple point operation module and the shifting register are in parallel execution. According to the prime field elliptic curve crypto dot product accelerating circuit, the operation times for point addition and multiple point are controlled through carrying out right shift operation on NAF (k) and judging whether the NAF (k) is '0' or not, wherein the NAF (k) is a non-adjacent expression type numerical value of the k. When a value of the k is '0', the point addition operation can be stopped automatically, so that the operation time is saved. The accelerating circuit is more flexible than regular execution of 2m times of point operation, only a 2m-bit shifter and a corresponding control circuit are needed when an algorithm realizes point multiplication operation of any bit length, the resource demand is less, and the accelerating circuit is suitable to be realized in an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit).

Description

A kind of dot product accelerating circuit of prime field elliptic curve cryptography

Technical field

The invention provides a kind of dot product accelerating circuit hardware configuration of prime field elliptic curve encryption algorithm, belong to the hardware-accelerated field to complicated calculations.

Background technology

Elliptic curve cipher (ECC) is to be proposed by N.Koblitz and V.Miller in 1985.Elliptic curve cipher belongs to public-key cryptosystem, its fail safe is based upon on the difficulty of elliptic curves discrete logarithm problem (ECDLP), has the total index number time complexity and find the solution now the best algorithm of ECDLP, this means that for the safe coefficient that reaches expectation elliptic curve cipher can use the key shorter than rsa cryptosystem.Because the advantage that key is short so that ellipse curve encryption and decryption not only speed is fast, and can also save the energy, bandwidth and memory space.

Specific to the whole computational process of the cryptographic algorithm of elliptic curve, point multiplication operation is part the most consuming time.The art demands improving this a part of accelerating circuit hardware configuration urgently.

Summary of the invention

The present invention is directed to the problem of point multiplication operation inefficiency on traditional hardware or the software algorithm, a kind of dot product accelerating circuit structure is provided, can obviously improve the speed of point multiplication operation and can reduce hardware use resource.

The invention provides a kind of dot product accelerating circuit of prime field elliptic curve cryptography, be used for calculating Q=kP, wherein k is for calculating the number of times of dot product, the P point is a point on the elliptic curve, the Q point is another point on the elliptic curve, it is characterized in that: comprise that initialization register, point add operation module, point subtract computing module, point doubling module, shift register, comparator, alternative selector and result register, point add operation module, point subtract computing module, point doubling module and shift register executed in parallel;

Described initialization register, the initialized value of input input Q point, the initialized value of Q point are that the transverse and longitudinal coordinate all is zero, output receives respectively the point add operation module and point subtracts computing module;

Described point add operation module is used for calculating Q=Q+P, and input is received the output of initialization register, and output is received the alternative selector;

Described point subtracts computing module, is used for calculating Q=Q-P, and input is received the output of initialization register, and output is received the alternative selector;

Described point doubling module, P point coordinates on the input input elliptic curve, i.e. the P transverse and longitudinal coordinate of order, output is that the P point is through doubly putting P=2P value afterwards;

Described shift register, input value are random number k through the value NAF (k) after the NAF coding, and the result that NAF (k) is moved to right after two receives comparator and alternative selector by output;

Described alternative selector is used for low two k according to NAF (k) _[10]Select output, k _[10]=01 o'clock output point adds computing module and outputs results to result register, k _[10]=11 o'clock output points subtract computing module and output results to result register;

Described comparator, input value are the output and 0 of shift register, produce more afterwards control signal through output be linked into result register or point add operation module, point subtracts computing module, point doubling module and shift register;

Described result register, input are received the output of alternative selector, the transverse and longitudinal coordinate of ordering from output output Q under the control signal of comparator.

And, carry out flow process and adopt state machine to realize control.

Adopt in traditional binary system NAF calculation level multiplication algorithm to k, it is full serial that point adds with point doubling, along with the increase of bit wide m, and linear increase computing time.The present invention has provided a kind of complete parallel dot product circuit, has utilized the parallel computation feature of point add operation Q=Q+P, point doubling P=2P and NAF displacement, adopts complete parallel mode, has greatly improved the speed of service, and implementation procedure is simple simultaneously.The present invention has utilized the new NAF method for expressing of dot product number of times k, so that the minimizing of the number of the nonzero element in the binary representation of k, so the number of times that calculation level adds will reduce.Suppose the k of a m position, after the NAF coding, the average computation time that point adds is about mA/3 (the A representative point adds operation time).And by whether being the judgement of " 0 " to the right-shift operation of NAF (k) with to NAF (k), the operation times that comes the control point to add and doubly put.Point add operation will automatic stop when the value of k is " 0 ", has saved operation time.Accelerating circuit of the present invention is much more flexible than carrying out regularly 2m point operation, algorithm can be realized the arbitrarily long point multiplication operation in position simultaneously, only need shift unit and the corresponding control circuit of a 2m position on the circuit structure, resource requirement is few, is adapted at realizing among FPGA or the ASIC.

Description of drawings

Fig. 1 is the schematic diagram of embodiment of the invention point multiplication operation;

Fig. 2 is the state diagram of embodiment of the invention state machine control point multiplication;

Fig. 3 is the structure chart of embodiment of the invention dot product circuit.

Embodiment

Below in conjunction with accompanying drawing and embodiment the present invention is described in further detail:

General elliptic curve satisfies Weierstrass equation, y ²=x ³+ ax+b, and have: a, b ∈ Z _p, Z _pBe prime field, Δ=4a ³+ 27b ²≠ 0modp, p are prime number, behind initialization elliptic curve parameter a and the b, have determined the elliptic curve E among the present invention.

Prime field dot product representation is generally:

Q＝k·P

Wherein k is for calculating the number of times of dot product, and some P is that bit wide is the point of m on the elliptic curve.

The NAF method of the dot product number of times k that adopts in the tradition prime field Algorithm for Scalar Multiplication is:

Input a: positive integer k

Output: NAF (k)

1、i＝0；

2, when k 〉=1, repeated execution of steps 3 is to step 5;

If 3 k are odd numbers, then k _i← 2-(kmod4), k ← k-k _i(k _iRepresent correspondingly i position of k value, i adds since 0, and namely the lowest order from k begins assignment, by i in the step 5 add 1 at every turn, finally obtain NAF(k) the value of highest order);

4 otherwise, k _i← 0;

5、k←k/2,i←i+1；

6, return (k _I-1, k _I-2..., k ₁, k ₀), the binary numeral that namely obtains after the k value process NAF coding, the lowest order note is k ₀, the highest order note is k _I-1

The NAF method is that the k value of binary representation is carried out recompile, each has three kinds of situation ± 1 and 0 to k value behind the coding with binary representation, after the NAF coding, the number of nonzero element can reduce in the k value of binary representation, on this basis, the number of times that needs accordingly calculation level to add will reduce, thereby has reached the purpose that improves speed.

Utilize binary system NAF calculation level multiplication algorithm as follows:

Input a: positive integer k, P ∈ E (F _p) (P is a point on the elliptic curve).

Output: kP.

1, calculates NAF (k) with top NAF algorithm.

2、Q=0；

3, for i from m-1 to 0, repeated execution of steps 3.1 to 3.3

3.1Q=2Q。

If 3.2 k _i=1, Q=Q+P then.

If 3.3 k _i=-1, Q=Q-P then.

4, return (Q).

Calculated the algorithm of dot product by top binary system NAF and can find out that 3.1,3.2 and 3.3 these three steps are to be mutually related, and can only adopt the execution sequence of serial, have been subjected to very large restriction in speed.The present invention improves the algorithm that binary system NAF calculates dot product, and invocation point is added with point doubling can be carried out simultaneously, improves a lot in speed.Simultaneously, by the shifting function of k being controlled the judgement to the low level of k, hardware realizes having terseness.

As shown in Figure 1, dot product radix-2 algorithm of the present invention is as follows:

Input: k=(k _M-1, k ₂k ₁k ₀) ₂(subscript 2 represents binary representation), P is any point on the finite field (prime field or binary field).

Output: kP

Calculating process is as follows:

1, calculates NAF (k);

2、Q＝0；

3, in k ≠ 0 situation, repeated execution of steps 3.1 to 3,4;

If 3.1 k _[10]=01, Q=Q+P then;

If 3.2 k _[10]=11, Q=Q-P then;

3.3P=2P；

3.4k=k＞＞2, be about to k and move to right 2;

If 4 k=0, then execution in step 5;

5, return (Q).

The initial value of point Q is zero, in step 3, and the characteristics that walk abreast in the performance hardware circuit, the computing that the realization point adds under the control of state machine, point subtracts, doubly puts and be shifted finally equates to withdraw from step 3 by NAF (k) and null value, the result that output Q is ordered.So just finished point multiplication operation one time.

The dot product accelerating circuit structure that the embodiment of the invention provides comprises:

An initialization register, the initialized value of input input Q point, namely the Q transverse and longitudinal coordinate of order all is zero (q_x=0, q_y=0), output receives respectively the point add operation module and point subtracts computing module.

The point add operation module can be designed to specifically comprise that mould adds, mould subtracts, mould is taken advantage of and the contrary module of mould.For calculation level adds, formula is arranged:

$\left\{\begin{array}{c}{x}_3={\mathrm{\&lambda;}}^2-x_1-x_2\\ {\mathrm{<figure-callout\; id="3"\; label="y"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">y</figure-callout>}}_3=\mathrm{\&lambda;}(x_1-x_3)-{\mathrm{<figure-callout\; id="1"\; label="y"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">y</figure-callout>}}_1\end{array}\right.$ Wherein $\mathrm{\&lambda;}=\frac{y_2-y_1}{x_2-{\mathrm{<figure-callout\; id="1"\; label="x"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">x</figure-callout>}}_1}$

During implementation, point adds module can be according to this formula by calling to realize point add operation, wherein (x to the bottom modules ₃, y ₃) be the point (x to input ₁, y ₁), (x ₂, y ₂) the point add operation result.The input that the embodiment mid point adds module is received the output of initialization register, calculates Q=Q+P, and output is received the alternative selector.

Point subtracts computing module, can be designed to specifically comprise that mould adds, mould subtracts, mould is taken advantage of and the contrary module of mould.For calculation level subtracts, formula is arranged:

$\left\{\begin{array}{c}{x}_3={\mathrm{\&lambda;}}^2-x_1-x_2\\ {\mathrm{<figure-callout\; id="3"\; label="y"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">y</figure-callout>}}_3=\mathrm{\&lambda;}(x_1-x_3)-{\mathrm{<figure-callout\; id="1"\; label="y"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">y</figure-callout>}}_1\end{array}\right.$ Wherein $\mathrm{\&lambda;}=\frac{y_2-y_1}{x_2-{\mathrm{<figure-callout\; id="1"\; label="x"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">x</figure-callout>}}_1}$

During implementation, point subtracts module can be according to this formula by calling to realize a little subtracting computing, wherein (x to the bottom modules ₃, y ₃) be the point (x to input ₁, y ₁), (x ₂, y ₂) point subtract operation result.The input that the embodiment mid point subtracts module is received the output of initialization register, calculates Q=Q+P, and output is received the alternative selector.

The point doubling module can be designed to specifically comprise that mould adds, mould subtracts, mould is taken advantage of and the contrary module of mould.In order to calculate a times point, satisfy Weierstrass equation y based on elliptic curve ²=x ³+ ax+b has formula:

$\left\{\begin{array}{c}{x}_3={\mathrm{\&lambda;}}^2-2x_1\\ {\mathrm{<figure-callout\; id="3"\; label="y"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">y</figure-callout>}}_3=\mathrm{\&lambda;}(x_1-x_3)-{\mathrm{<figure-callout\; id="1"\; label="y"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">y</figure-callout>}}_1\end{array}\right.$ Wherein $\mathrm{\&lambda;}=\frac{3{x_1}^2+a}{{2\mathrm{<figure-callout\; id="1"\; label="y"\; filenames="HDA00002715727400021.png"\; state="\{\{state\}\}">y</figure-callout>}}_1}$

During implementation, point subtracts module can be according to this formula by calling to realize point doubling, wherein (x to the bottom modules ₃, y ₃) be the point (x to input ₁, y ₁) the point doubling result.The oval upper P point coordinates of times point module input input among the embodiment, it is the transverse and longitudinal coordinate that P is ordered, output is the P point through doubly putting the value after the P=2P, can be equipped with register, the value of output through behind the buffer memory during in next computing input point add computing module and point add operation module, point subtract module.

Shift register, input value are random number k through the value NAF (k) after non-adjacent expression type (NAF) coding, and the result that NAF (k) is moved to right after two receives comparator and alternative selector by output.Shift register adopts the shift unit of 2m position.

The alternative selector is used for low two k according to NAF (k) _[10]Select output, k _[10]=01 o'clock output point adds computing module and outputs results to result register, k _[10]=11 o'clock output points subtract computing module and output results to result register.

Comparator, input value are the output and 0 of shift register, produce more afterwards control signal and are linked into result register through output.If continue circulation, then can output a control signal to the point add operation module, point subtracts computing module, point doubling module and shift register, to continue computing.

Result register, input are received the output of alternative selector, under the control signal of comparator from output output data, i.e. the Q transverse and longitudinal coordinate of ordering.

The flow process of point multiplication operation can be realized by the state machine of Fig. 2 among Fig. 1, and this state machine can be realized at hardware platform, during implementation, the auxiliary operation of corresponding registers can be set.Referring to Fig. 2, the state of a control machine of prime field point multiplication operation process has 5 states among the present invention.At first, enter the S0 state after the system reset, storage k_NAF(random number k value is through the binary numeral after the NAF coding), the abscissa of the oval upper some P of p_x(), the ordinate of the oval upper some P of p_y(), the abscissa of another Q on the q_x(ellipse) ordinate of another Q and on the q_y(ellipse) m bit register k_NAF_dout_reg, p_x_reg, p_y_reg, q_x_reg and q_y_reg are designated as among 0, the figure! Rst_n/k_NAF_dout_reg=0, p_x_reg=0, p_y_reg=0, q_x_reg=0, q_y_reg=0.After enabling signal starts (load), state transition is to the S1 state, to calculate the enabling signal of k NAF at the S1 state and draw high (being designated as NAF_load=1 among the figure), until the enabling signal NAF_load that the result of k_NAF calculates when finishing k_NAF again drags down (NAF_load=0), and jump to the S2 state, at the S2 state, first m bit register q_x_reg and q_y_reg being arranged initial value is 0, the initial value of m bit register p_x_reg and p_y_reg is taken as the point (p_x on the ellipse, p_y), be designated as a some p_x on the p_x_reg=ellipse among the figure, a point p_y on the p_y_reg=ellipse, q_x_reg=0, q_y_reg=0.Jump to afterwards the S3 state, the S3 state point is added and doubly the enabling signal of point draw high simultaneously and (be designated as pa_load=1 among the figure, pd_load=1), if low two of m bit register k_NAF_dout_reg is to be designated as k[1 among the 01(figure] [0]=01), then execution point adds (Q=Q-P) simultaneously, times point (P=2P) and shifting function (k=k〉〉 2), if low two of m bit register k_NAF_dout_reg is 11, then execution point subtracts (Q=Q+(-P) simultaneously), times point (P=2P) and shifting function (k=k〉〉 2), if low two of m bit register k_NAF_dout_reg is 00, then simultaneously execution times point (P=2P) and shifting function (k=k〉〉 2).Jump to afterwards the S4 state, this state judges whether m bit register k_NAF_dout_reg equals 0, if (k=0) then jump to S5 state and export the result (q_dout_x=q_x_reg that Q is ordered, otherwise (k ≠ 0) jumps to the S3 state continues that execution point adds, the doubly operation of point and displacement q_dout_y_reg=q_y_reg).

The transverse and longitudinal coordinate of at first by initialization register Q being ordered among Fig. 3 all is initialized as zero, is designated as [m-1:0] q_x_reg=0, [m-1:0] q_y_reg=0, and the value of [m-1:0] expression m position, wherein everybody is labeled as m-1, m-2 ..., 0.The output of initialization register be connected respectively to a little add and put subtract computing module respectively execution point add Q=Q+P and point subtracts the operation of Q=Q – P, point adds the Q that is input as the m position of module and the P of m position (comprising [m-1:0] q_x_reg, [m-1:0] q_y_reg, [m-1:0] p_x_reg, [m-1:0] p_y_reg), the result can be designated as [m-1:0] q_dout_x=Q+P, [m-1:0] q_dout_y=Q+P.The input that point subtracts module is similarly the Q of m position and the P of m position, and the result can be designated as [m-1:0] q_dout_x=Q-P, [m-1:0] q_dout_y=Q+P.Point subtract module also available point add module and replace, to carry out before just replacing negative some P is processed, i.e. (p_x,-p_y)=(p_x, p-p_y), the transverse and longitudinal seat target value of bearing after a little processing is stored in respectively among register [m-1:0] p_x_temp and [m-1:0] p_y_temp of m position, and wherein p_x and p_y are the transverse and longitudinal coordinates that P is ordered, and p is exactly the prime number p of a m position; The input that this sampling point subtracts module comprises [m-1:0] q_x_reg, [m-1:0] q_y_reg, [m-1:0] p_x_temp, [m-1:0] p_y_temp.Point doubling be input as the coordinate that P orders (i.e. [m-1:0] p_x_reg, [m-1:0] p_y_reg) the P value after being output as more doubly, be that P=2P(is designated as [m-1:0] p_x_reg=2P, [m-1:0] p_y_reg=2P), the P value of this moment can be stored with a register p_temp, be used for adding next time or put and subtract computing, i.e. Q=Q+p_temp or Q=Q – p_temp.Also have the shift register of a 2m position to realize that shifting function to NAF (k) (the random number k value is through the binary numeral after the NAF coding) realizes that each time point adds or point subtracts and the doubly operation of point, wherein NAF (k) value is designated as [2m-1:0] k_NAF.Four steps among the figure in the empty wire frame representation frame can concurrent operation, and are said as the front, this invention given full play to dot product accelerating circuit hardware realize in parallel characteristics, only need to get final product by the calculating process that a state machine is controlled each module.Point adds the input that alternative selector (MUX) all received in output that module and point subtract module, by low two of NAF (k) (are designated as k _[10]) determine whether 01 or 11 (01 representative+1,11 representatives-1), if 01, then select (SEL) output Q=Q+P, otherwise output Q=Q – P.Then will compare through NAF (k) and null value after the displacement at every turn, export control signal according to the result: if both equate, then can jump out the step in the dotted line frame, directly export transverse and longitudinal coordinate [m-1:0] q_dout_x, [m-1:0] q_dout_y that Q is ordered, and leave in the result register.Otherwise, can continue to carry out the step in the dotted line frame, until both are equal, just can jump out this circulation.During implementation, can export whether Output rusults of control signal advise fate register by comparator, then can output a control signal to state machine if continue circulation, by the state machine control point add computing module, point subtracts computing module, point doubling module and shift register and continues computing.

Specific embodiment described herein only is to the explanation for example of the present invention's spirit.Those skilled in the art can make various modifications or replenish or adopt similar mode to substitute described specific embodiment, but can't depart from spirit of the present invention or surmount the defined scope of appended claims.

Claims (2)

1. the dot product accelerating circuit of a prime field elliptic curve cryptography, be used for calculating Q=kP, wherein k is for calculating the number of times of dot product, the P point is a point on the elliptic curve, the Q point is another point on the elliptic curve, it is characterized in that: comprise that initialization register, point add operation module, point subtract computing module, point doubling module, shift register, comparator, alternative selector and result register, point add operation module, point subtract computing module, point doubling module and shift register executed in parallel;

Described initialization register, the initialized value of input input Q point, the initialized value of Q point are that the transverse and longitudinal coordinate all is zero, output receives respectively the point add operation module and point subtracts computing module;

Described point add operation module is used for calculating Q=Q+P, and input is received the output of initialization register, and output is received the alternative selector;

Described point subtracts computing module, is used for calculating Q=Q-P, and input is received the output of initialization register, and output is received the alternative selector;

Described point doubling module, P point coordinates on the input input elliptic curve, i.e. the P transverse and longitudinal coordinate of order, output is that the P point is through doubly putting P=2P value afterwards;

Described shift register, input value are random number k through the value NAF (k) after the NAF coding, and the result that NAF (k) is moved to right after two receives comparator and alternative selector by output;

Described alternative selector is used for low two k according to NAF (k) _[10]Select output, k _[10]=01 o'clock output point adds computing module and outputs results to result register, k _[10]=11 o'clock output points subtract computing module and output results to result register;

Described comparator, input value are the output and 0 of shift register, produce more afterwards control signal through output be linked into result register or point add operation module, point subtracts computing module, point doubling module and shift register;

Described result register, input are received the output of alternative selector, the transverse and longitudinal coordinate of ordering from output output Q under the control signal of comparator.

2. the dot product accelerating circuit of prime field elliptic curve cryptography as claimed in claim 1 is characterized in that: carry out flow process and adopt state machine to realize control.

Images