CN106888088B - Elliptic curve cipher Fast implementation and its device - Google Patents

Publication number
CN106888088B
Authority
CN
China
Legal status
Expired - Fee Related
Application number
CN201710197758.2A
Other languages
Chinese (zh)
Other versions
CN106888088A (en)
Inventor
马传贵
豆允旗
魏福山
李延彬
葛爱军
张洁
徐艳艳
肖思煜
宋健
尹军
Current Assignee
PLA Information Engineering University
Original Assignee
PLA Information Engineering University
Application filed by PLA Information Engineering University
Priority to CN201710197758.2A
Publication of CN106888088A
Publication of CN106888088B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3026 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to polynomials generation, e.g. generation of irreducible polynomials
Abstract

The present invention relates to a fast implementation method for elliptic curve cryptography and a device therefor. The method comprises: choosing a Koblitz curve and its corresponding finite field, and determining the elliptic curve cryptography scalar k, the base point P and the number of device processing units r; computing the τ-adic NAF representation of the scalar k using the Frobenius endomorphism τ, and using $\tau^s$ to divide the τ-adic NAF representation of k into r segments of equal length; representing elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, and computing the multi-scalar multiplication kP for the divided scalar k; and outputting the result of the multi-scalar multiplication kP. The invention uses multi-scalar multiplication techniques to reduce the computational cost of point additions and of the endomorphism τ, and the dimension of the parallel algorithm can be chosen flexibly according to the number of device processing units r. The elliptic curve cryptography scheme thereby achieves higher computational efficiency, suits the requirements of wireless communication and resource-constrained devices, and effectively ensures end-to-end secure communication.

Description

Fast implementation method for elliptic curve cryptography and device therefor
Technical field
The invention belongs to the field of communication technology, and in particular relates to a fast implementation method for elliptic curve cryptography and a device therefor.
Background art
Elliptic curve cryptography (Elliptic Curve Cryptosystem, ECC) is a major research area of public key cryptography; its security rests on the difficulty of solving the discrete logarithm problem in the group of rational points of an elliptic curve. Compared with RSA, which is based on the difficulty of the large integer factorization problem, and with ElGamal-type public key schemes, which are based on the difficulty of the discrete logarithm problem in finite fields, ECC has a unique advantage: high security strength. At present no subexponential-time algorithm has been found for the discrete logarithm problem on general elliptic curves. Elliptic curve cryptosystems have received much attention since they were proposed and have gradually replaced RSA as the most important public-key cryptosystem. Because of its higher security strength relative to other cryptographic algorithms, elliptic curve cryptography has strong advantages in key length, storage space and processing speed. At the same security strength the key length of elliptic curve cryptography is far smaller than that of RSA: 160-bit ECC is equivalent in security strength to 1024-bit RSA. These advantages make elliptic curve cryptography particularly suitable for devices with limited storage and for wireless environments. Because it offers stronger security and higher implementation efficiency than other cryptographic algorithms, elliptic curve cryptography is widely used in fields such as mobile communication and secure e-commerce, and has been approved for standardization by commercial and international organizations. Many encryption schemes, signature schemes and protocols based on it have been accepted by authoritative standardization bodies such as ANSI, IEEE, ISO and NIST and included in international standards.
In elliptic curve cryptography the core operation is elliptic curve scalar multiplication, which is also the most resource-consuming and time-consuming operation in the whole scheme. Its speed determines the efficiency of an elliptic curve cryptography implementation, and accelerating scalar multiplication has always been a research focus of elliptic curve cryptography. Current research directions for improving the efficiency of scalar multiplication mainly include: directly improving the point addition and point doubling formulas, using sparse representations of the scalar, finding new curve forms with faster point addition and point doubling, and using efficiently computable endomorphisms. With the development and application of the Internet of Things and wireless sensor networks, higher requirements are placed on the efficiency of scalar multiplication algorithms.
Summary of the invention
The present invention provides a fast implementation method for elliptic curve cryptography and a device therefor, which further improve the efficiency of elliptic curve cryptographic algorithms and efficiently realize end-to-end secure communication and data transmission.
According to the design provided by the invention, a fast implementation method for elliptic curve cryptography comprises the following:
Step 1: choose a Koblitz curve and its corresponding finite field, and determine the elliptic curve cryptography scalar k, the base point P and the number of device processing units r;
Step 2: compute the τ-adic NAF representation of the scalar k using the Frobenius endomorphism τ, and use $\tau^s$ to divide the τ-adic NAF representation of k into r segments of equal length;
Step 3: represent elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, and compute the multi-scalar multiplication kP for the divided scalar k;
Step 4: output according to the result of the multi-scalar multiplication kP.
In the above, step 1 comprises: choosing a Koblitz curve $E_a: y^2 + xy = x^3 + ax^2 + 1$, $a \in \{0, 1\}$, and its corresponding finite field $F_{2^m}$, where m is a prime; randomly choosing an integer k in the interval [0, n] as the scalar, where, for the order of the elliptic curve $E_a$, n is a large prime and h is the cofactor; and selecting a point P as the base point, where the order of the point P is a large prime.
Preferably, step 2 comprises: given the Euclidean domain $Z[\tau] = \{a + b\tau \mid a, b \in Z\}$ and the norms $N(k) = k^2$, $N(\tau) = 2$, the τ-adic NAF representation of the scalar k has average length $2\log_2 k$; let $\delta = (\tau^m - 1)/(\tau - 1)$ and $\rho \equiv k \bmod \delta$; then for an arbitrary point, $kP = \rho P$, where the reduced τ-adic NAF representation of ρ has length at most $m + a + 3$; compute $\delta = (\tau^m - 1)/(\tau - 1)$ from the relation $\tau^2 - \mu\tau + 2 = 0$; compute the τ-adic NAF representation of the scalar k using the rounding algorithm Round in the ring Z[τ] and the division algorithm Division in the ring Z[τ]. Let
Then, using $\tau^s$, the τ-adic NAF representation is divided into r segments of equal length, namely:
where, if l/r is not an integer, zeros are appended at the most significant end.
Preferably, step 3 comprises: representing elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, the scalar multiplication kP being expressed as:
Let
Then $kP = k_1P + k_2\varphi(P) + \dots + k_r\varphi^{(r-1)}(P)$. Precompute $i_1P + i_2\varphi(P) + \dots + i_r\varphi^{r-1}(P)$, where $i_1, \dots, i_n \in \{0, \pm 1\}$; write k as $k_1 \| k_2 \| \dots \| k_r$, where each $k_i$ has bit length s and $k_{i,j}$ denotes the j-th bit of $k_i$. Assignment: $i = s - 1$. In an iterative loop, test whether i is greater than or equal to zero; if so, compute $R \leftarrow \tau R$, $R \leftarrow R + (k_{1,i}P + \dots + k_{r,i}\varphi^{r}(P))$, $i \leftarrow i - 1$, and return to the loop test; once i is less than zero, execute step 4.
In the above, computing the multi-scalar multiplication kP of the scalar k in step 3 further comprises: determining the dimension of the parallel scalar multiplication algorithm according to the number of device processing units r, and dividing the multi-scalar multiplication kP into r mutually independent parts, each device processing unit executing the same scalar multiplication computation in parallel.
Preferably, step 3 is specifically as follows: elements of the finite field are represented in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, the scalar multiplication kP being expressed as:
Let
Then $kP = k_1P + \varphi(k_2P) + \dots + \varphi^{(r-1)}(k_rP)$. Write k as $k_1 \| k_2 \| \dots \| k_r$, where each $k_i$ has bit length s and $k_{i,j}$ denotes the j-th bit of $k_i$. Each device processing unit executes the following in parallel: assignment: $i = s - 1$; in an iterative loop, test whether i is greater than or equal to zero; if so, compute $R_r \leftarrow \tau R_r$ and test whether $k_{r,i} \neq 0$; if it is, $R_r \leftarrow R_r + k_{r,i}P$, $i \leftarrow i - 1$, and return to the loop test; otherwise $i \leftarrow i - 1$ and return to the loop test; once i is less than zero, $R_r \leftarrow \varphi^{r-1}(R_r)$, $R \leftarrow R_1 + R_2 + \dots + R_r$, and step 4 is executed.
Preferably, representing elements of the finite field in a polynomial basis comprises the following: regarding $F_{2^m}$ as an m-dimensional vector space over $F_2$, there exists a basis $\{\alpha_0, \alpha_1, \dots, \alpha_{m-1}\}$ such that any element α of the field can be uniquely expressed as $\alpha = a_0\alpha_0 + a_1\alpha_1 + \dots + a_{m-1}\alpha_{m-1}$; if $f(x) \in F_2[x]$ is an irreducible polynomial of degree m and β is a root of f(x) in $F_{2^m}$, then $\{1, \beta, \beta^2, \dots, \beta^{m-1}\}$ is a polynomial basis and $\{\beta, \beta^2, \dots, \beta^{2^{m-1}}\}$ is a normal basis.
A fast implementation device for elliptic curve cryptography, comprising:
a parameter selection module, configured to choose an elliptic curve and its corresponding finite field and to determine the elliptic curve cryptography scalar, the base point and the number of device processing units;
a scalar encoding module, configured to compute the τ-adic NAF representation of the elliptic curve cryptography scalar according to the Frobenius endomorphism τ, and to divide that representation into segments of equal length using $\tau^s$;
a scalar multiplication computing module, configured to perform the multi-scalar multiplication computation on the equally divided scalar;
an output module, configured to output according to the result of the multi-scalar multiplication.
In the above device, the scalar multiplication computing module comprises:
a multi-scalar multiplication conversion unit, configured to represent elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, and to express the multi-scalar multiplication formula from the equally divided scalar;
a precomputation unit, configured to estimate in advance, from the multi-scalar multiplication expression, the cost of the point additions and $\tau^s$ operations, and to select the optimal multi-scalar multiplication dimension;
a loop computation unit, configured to compute the multi-scalar multiplication through an iterative loop.
In the above device, the scalar multiplication computing module comprises:
a multi-scalar multiplication conversion unit, configured to represent elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, to produce from the equally divided scalar the multi-scalar multiplication expression for parallel execution, and to distribute the multi-scalar multiplication computation across the mutually independent device processing units;
a loop computation unit, configured to compute the multi-scalar multiplication of each device processing unit in parallel through an iterative loop.
Beneficial effects of the invention:
The invention selects Koblitz curves, which have a special endomorphism structure, replaces point doubling with the Frobenius endomorphism τ, and combines this with the idea from the GLV method of converting a single scalar multiplication into a multi-scalar multiplication. It designs a fast scalar multiplication algorithm that uses multi-scalar multiplication techniques to reduce the computational cost of point additions and of the endomorphism τ. It further provides a parallel scalar multiplication algorithm whose dimension can be chosen flexibly according to the number of device processing units r. The elliptic curve cryptography scheme thereby achieves higher computational efficiency and suits the requirements of wireless communication and resource-constrained devices. The invention allows elliptic curve cryptography schemes to be implemented efficiently and effectively ensures end-to-end secure communication. Verification experiments show that, compared with the standard τ-and-add method, the fast scalar multiplication algorithm of the invention improves efficiency by more than 16% in its 2-dimensional implementation and by more than 22% in its 3-dimensional implementation; relative to the τ-and-add implementation, the parallel scalar multiplication algorithm of the invention achieves a speed-up of nearly r times, where r is the number of device processing units.
Brief description of the drawings:
Fig. 1 is a schematic diagram of the device of the invention;
Fig. 2 is a flow chart of the method of the invention;
Fig. 3 is a schematic diagram of the fast scalar multiplication algorithm of the invention;
Fig. 4 is a schematic diagram of the parallel scalar multiplication algorithm of the invention.
Detailed description of the embodiments:
The invention is described in further detail below with reference to the drawings and the technical solution, and its implementation is explained in detail through preferred embodiments; the implementation of the invention is not, however, limited to these.
Embodiment one: as shown in Fig. 1, a fast implementation device for elliptic curve cryptography comprises:
a parameter selection module, configured to choose an elliptic curve and its corresponding finite field and to determine the elliptic curve cryptography scalar, the base point and the number of device processing units;
a scalar encoding module, configured to compute the τ-adic NAF representation of the elliptic curve cryptography scalar according to the Frobenius endomorphism τ, and to divide that representation into segments of equal length using $\tau^s$;
a scalar multiplication computing module, configured to perform the multi-scalar multiplication computation on the equally divided scalar;
an output module, configured to output according to the result of the multi-scalar multiplication.
The invention replaces point doubling with the Frobenius endomorphism τ and combines this with the idea from the GLV method of converting a single scalar multiplication into a multi-scalar multiplication, effectively improving the efficiency of scalar multiplication.
Embodiment two is basically the same as embodiment one, the difference being that the scalar multiplication computing module comprises:
a multi-scalar multiplication conversion unit, configured to represent elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, and to express the multi-scalar multiplication formula from the equally divided scalar;
a precomputation unit, configured to estimate in advance, from the multi-scalar multiplication expression, the cost of the point additions and $\tau^s$ operations, and to select the optimal multi-scalar multiplication dimension;
a loop computation unit, configured to compute the multi-scalar multiplication through an iterative loop.
Multi-scalar multiplication reduces the computational cost of point additions and of the endomorphism τ and greatly improves the efficiency of scalar multiplication, so that the efficiency of the elliptic curve cryptographic algorithm is effectively improved.
Embodiment three is basically the same as embodiment one, the difference being that the scalar multiplication computing module comprises:
a multi-scalar multiplication conversion unit, configured to represent elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, to produce from the equally divided scalar the multi-scalar multiplication expression for parallel execution, and to distribute the multi-scalar multiplication computation across the mutually independent device processing units;
a loop computation unit, configured to compute the multi-scalar multiplication of each device processing unit in parallel through an iterative loop.
The dimension of the parallel multi-scalar multiplication is chosen flexibly according to the number of device processing units; every processing unit executes the same instructions, and the computation speed of the algorithm is effectively improved.
Embodiment three: referring to Figs. 1 and 2, a fast implementation method for elliptic curve cryptography comprises the following:
Step 1: choose a Koblitz curve and its corresponding finite field, and determine the elliptic curve cryptography scalar k, the base point P and the number of device processing units r;
Step 2: compute the τ-adic NAF representation of the scalar k using the Frobenius endomorphism τ, and use $\tau^s$ to divide the τ-adic NAF representation of k into r segments of equal length;
Step 3: represent elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, and compute the multi-scalar multiplication kP for the divided scalar k;
Step 4: output according to the result of the multi-scalar multiplication kP.
Multi-scalar multiplication techniques reduce the computational cost of point additions and of the endomorphism τ, so that the elliptic curve cryptography scheme achieves higher computational efficiency, suits the requirements of wireless communication and resource-constrained devices, and effectively ensures end-to-end secure communication.
Embodiment four: referring to Figs. 1 to 4, a fast implementation method for elliptic curve cryptography comprises the following:
One) Choose a Koblitz curve and its corresponding finite field, and determine the elliptic curve cryptography scalar k, the base point P and the number of device processing units r.
Choose a Koblitz curve $E_a: y^2 + xy = x^3 + ax^2 + 1$, $a \in \{0, 1\}$, and its corresponding finite field $F_{2^m}$, where m is a prime (m may be set to 163, 233, 283, 409 or 571); randomly choose an integer k in the interval [0, n] as the scalar, where, for the order of the elliptic curve $E_a$, n is a large prime and h is the cofactor; select a point P as the base point, where the order of the point P is a large prime, a large prime being a prime longer than 160 bits.
Two) Compute the τ-adic NAF representation of the scalar k using the Frobenius endomorphism τ, and use $\tau^s$ to divide the τ-adic NAF representation of k into r segments of equal length.
Given the Euclidean domain $Z[\tau] = \{a + b\tau \mid a, b \in Z\}$ and the norms $N(k) = k^2$, $N(\tau) = 2$, the τ-adic NAF representation of the scalar k has average length $2\log_2 k$; let $\delta = (\tau^m - 1)/(\tau - 1)$ and $\rho \equiv k \bmod \delta$; then for an arbitrary point, $kP = \rho P$, where the reduced τ-adic NAF representation of ρ has length at most $m + a + 3$; compute $\delta = (\tau^m - 1)/(\tau - 1)$ from the relation $\tau^2 - \mu\tau + 2 = 0$; compute the τ-adic NAF representation of the scalar k using the rounding algorithm Round in the ring Z[τ] and the division algorithm Division in the ring Z[τ]. Let
Then, using $\tau^s$, the τ-adic NAF representation is divided into r segments of equal length, namely:
where, if l/r is not an integer, zeros are appended at the most significant end.
Three) Represent elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, and compute the multi-scalar multiplication kP for the divided scalar k.
Elements of the finite field are represented in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, the scalar multiplication kP being expressed as:
Let
Then $kP = k_1P + k_2\varphi(P) + \dots + k_r\varphi^{(r-1)}(P)$. Precompute $i_1P + i_2\varphi(P) + \dots + i_r\varphi^{r-1}(P)$, where $i_1, \dots, i_n \in \{0, \pm 1\}$; write k as $k_1 \| k_2 \| \dots \| k_r$, where each $k_i$ has bit length s and $k_{i,j}$ denotes the j-th bit of $k_i$. Assignment: $i = s - 1$. In an iterative loop, test whether i is greater than or equal to zero; if so, compute $R \leftarrow \tau R$, $R \leftarrow R + (k_{1,i}P + \dots + k_{r,i}\varphi^{r}(P))$, $i \leftarrow i - 1$, and return to the loop test; once i is less than zero, output according to the result of the multi-scalar multiplication kP.
Further, this embodiment also provides a parallel implementation of scalar multiplication: the dimension of the parallel scalar multiplication algorithm is determined according to the number of device processing units r, the multi-scalar multiplication kP is divided into r mutually independent parts, and each device processing unit executes the same scalar multiplication computation in parallel. Specifically: elements of the finite field are represented in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, the scalar multiplication kP being expressed as:
Let
Then $kP = k_1P + \varphi(k_2P) + \dots + \varphi^{(r-1)}(k_rP)$. Write k as $k_1 \| k_2 \| \dots \| k_r$, where each $k_i$ has bit length s and $k_{i,j}$ denotes the j-th bit of $k_i$. Each device processing unit executes the following in parallel: assignment: $i = s - 1$; in an iterative loop, test whether i is greater than or equal to zero; if so, compute $R_r \leftarrow \tau R_r$ and test whether $k_{r,i} \neq 0$; if it is, $R_r \leftarrow R_r + k_{r,i}P$, $i \leftarrow i - 1$, and return to the loop test; otherwise $i \leftarrow i - 1$ and return to the loop test; once i is less than zero, $R_r \leftarrow \varphi^{r-1}(R_r)$, $R \leftarrow R_1 + R_2 + \dots + R_r$, and the output is then produced according to the result of the multi-scalar multiplication kP.
With reference to Figs. 3 and 4 of the embodiments of the invention, the algorithms involved in the technical solution are described clearly and completely below. For convenience, some of the parameters involved are explained first:
k denotes the scalar, P the base point and n the order of the point P; τ denotes the Frobenius endomorphism on the elliptic curve $E_a$; φ denotes the endomorphism $\tau^s$ on the elliptic curve $E_a$; a further symbol denotes the point at infinity on the elliptic curve $E_a$; r denotes the dimension of the multi-scalar multiplication.
One) Fig. 3 is the flow diagram of the fast scalar multiplication algorithm; the specific steps are as follows:
101. For $\lambda_0 + \lambda_1\tau$, find the element $q_0 + q_1\tau$ of the ring Z[τ] that is "nearest" to it, where $\lambda_0$ and $\lambda_1$ are rational numbers and $q_0$, $q_1$ are integers. The rounding algorithm is given in Algorithm 1.
102. Division in the ring Z[τ]: for $\alpha = a_0 + a_1\tau \in Z[\tau]$ and $\beta = b_0 + b_1\tau \in Z[\tau]$ with $\beta \neq 0$, use Algorithm 1 to compute the quotient $k = q_0 + q_1\tau \in Z[\tau]$ and the remainder $\rho = r_0 + r_1\tau \in Z[\tau]$ of α divided by β, satisfying $\alpha = k\beta + \rho$. The division algorithm is given in Algorithm 2.
103. Compute $\delta = (\tau^m - 1)/(\tau - 1)$, then use Algorithm 2 to obtain the τ-adic NAF representation of the scalar k, whose length l satisfies $l \le m + a + 3$. The τ-adic NAF representation algorithm is given in Algorithm 3.
104. Let
Then $\tau^s$ can be used to divide the above τ-adic NAF representation into r segments of equal length (if l/r is not an integer, it suffices to append zeros at the most significant end):
105. Elements of the finite field are represented in a polynomial basis, which gives efficient multiplication and squaring in the finite field. Regarding $F_{2^m}$ as an m-dimensional vector space over $F_2$, there exists a basis $\{\alpha_0, \alpha_1, \dots, \alpha_{m-1}\}$ such that any element α of the field can be uniquely expressed as $\alpha = a_0\alpha_0 + a_1\alpha_1 + \dots + a_{m-1}\alpha_{m-1}$. There are many possible choices of basis for $F_{2^m}$ over $F_2$; from the point of view of efficient implementation, polynomial bases and normal bases are usually considered. If $f(x) \in F_2[x]$ is an irreducible polynomial of degree m and β is a root of f(x) in $F_{2^m}$, then $\{1, \beta, \beta^2, \dots, \beta^{m-1}\}$ is a polynomial basis and $\{\beta, \beta^2, \dots, \beta^{2^{m-1}}\}$ is a normal basis. In a normal basis representation, squaring in $F_{2^m}$ can be realized by a cyclic right shift:
IfThen
However, field multiplication in a normal basis is slow. In a polynomial basis, squaring in $F_{2^m}$ is a linear operation and much faster than field multiplication. Normal bases suit hardware implementation; polynomial bases suit software implementation.
106. Points on the elliptic curve are represented in López-Dahab coordinates, which avoids inversions in the basic operations. In these coordinates the projective point (X:Y:Z) corresponds to the affine point $(X/Z, Y/Z^2)$; the cost of a point addition (ADD) is 13M+4S, the cost of a mixed addition (mADD) is 8M+5S, and the costs of a point doubling (DBL) and of the τ map are 3M+5S and 3S respectively, where M and S denote multiplication and squaring in the finite field $F_{2^m}$.
107. Using the segmented representation above, the scalar multiplication kP is expressed as
Let
Then the above can be written
$kP = k_1P + k_2\tau^s(P) + \dots + k_r\tau^{(r-1)s}(P)$.
Let $\varphi = \tau^s$; then $kP = k_1P + k_2\varphi(P) + \dots + k_r\varphi^{(r-1)}(P)$. This expression converts a single scalar multiplication into a multi-scalar multiplication;
108. Precompute $i_1P + i_2\varphi(P) + \dots + i_r\varphi^{r-1}(P)$, where $i_1, \dots, i_n \in \{0, \pm 1\}$. Using
the representation, write k as $k_1 \| k_2 \| \dots \| k_r$, where each $k_i$ has bit length s and $k_{i,j}$ denotes the j-th bit of $k_i$.
109. Assignment: $i = s - 1$.
110. Test whether i is greater than or equal to zero; if so, compute $R \leftarrow \tau R$,
$R \leftarrow R + (k_{1,i}P + \dots + k_{r,i}\varphi^{r}(P))$, $i \leftarrow i - 1$, and repeat this step; otherwise output R.
kP is computed using the simultaneous multi-scalar multiplication technique, which reduces the computational cost of point additions and of the endomorphism τ; the fast elliptic curve scalar multiplication is given in Algorithm 4.
The efficiency of Algorithm 4 is assessed below for specific curves. Consider two curves recommended by NIST: the Koblitz curves K-163 and K-233, defined over $F_{2^{163}}$ and $F_{2^{233}}$ respectively. The polynomial basis representation gives efficient field multiplication (M) and squaring (S) in $F_{2^m}$. Ignoring the overhead of field-level operations, let I denote an inversion in the field. When m = 163, I ≈ 8M; when m = 233, I ≈ 10M. In addition, the cost of computing the $2^s$-th power of an element is about 1/6 of the cost of s consecutive squarings.
To implement elliptic curve point operations over a binary field, López-Dahab coordinates are used here. In these coordinates the projective point (X:Y:Z) corresponds to the affine point $(X/Z, Y/Z^2)$, which avoids inversions. The cost of a point addition (ADD) is then 13M+4S, the cost of a mixed addition (mADD) is 8M+5S, and the costs of a point doubling (DBL) and of the τ map are 3M+5S and 3S respectively.
Since the τ-adic NAF representation of the scalar k has length about $m + a + 3$, the cost of the τ-and-add algorithm follows from that length. Algorithm 2 requires precomputation: if r = 2, precomputing $P \pm \varphi(P)$ requires 2 point additions and a $\tau^s$ operation. If r = 3, precomputing $P \pm \varphi(P)$, $P \pm \varphi^2(P)$, $P \pm \varphi(P) \pm \varphi^2(P)$ requires 6 point additions and 2 $\tau^s$ operations. The cost of Algorithm 2 is obtained from the density of the joint representation and the approximate cost of $\tau^s$ (the precomputation requires 2ADD + $\tau^s$). As r increases, the number of point additions in the main loop of Algorithm 2 decreases, but the amount of precomputation grows exponentially; for scalar multiplication of a random point, r = 3 is the optimal choice. Finally, the projective coordinates must be converted to affine coordinates, at a cost of 1I+2M+S. The table below gives the theoretical assessment of the efficiency of Algorithm 3 for different values of r. For m = 163, with r = 2 Algorithm 2 is 16.2% more efficient than the original τ-and-add algorithm; with r = 3 Algorithm 2 is 22.8% more efficient than the τ-and-add algorithm. For m = 233, the improvements over the τ-and-add algorithm are 16.7% and 25.1% respectively.
Table 1. Theoretical assessment of the efficiency of Algorithm 3

| m   | a | τ-and-add algorithm | Algorithm 2 (r=2) | Speed-up | Algorithm 2 (r=3) | Speed-up |
| 163 | 1 | 556.1M              | 465.8M            | 16.2%    | 429.1M            | 22.8%    |
| 233 | 0 | 760.6M              | 633.4M            | 16.7%    | 569.9M            | 25.1%    |
Two) Fig. 4 is the flow diagram of the parallel scalar multiplication algorithm of the embodiment of the invention; the detailed process is as follows:
201. As in steps 101 to 107, obtain $kP = k_1P + k_2\varphi(P) + \dots + k_r\varphi^{(r-1)}(P)$.
202. Rewrite the formula $kP = k_1P + k_2\varphi(P) + \dots + k_r\varphi^{(r-1)}(P)$ as
$kP = k_1P + k_2\varphi(P) + \dots + k_r\varphi^{(r-1)}(P) = k_1P + \varphi(k_2P) + \dots + \varphi^{(r-1)}(k_rP)$,
where r can be chosen flexibly according to the number of processors.
203. The computation of the scalar multiplication kP is divided into r mutually independent parts and needs no precomputation. The parallel scalar multiplication algorithm is given in Algorithm 5. If the device has r distinct processing units, Algorithm 3 is nearly r times faster than Algorithm 1.
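The decomposition of steps 101 to 110 and the parallel variant of steps 201 to 203, as an added Python example that is not code from the patent. It assumes a toy Koblitz curve over $F_{2^7}$ with reduction polynomial $x^7 + x + 1$, affine arithmetic in place of López-Dahab coordinates, and the τ-adic NAF of the integer k taken directly, without the reduction modulo δ; all function names are chosen here, and the digit recurrence in `tnaf` is the standard one for τ-adic NAFs, which may differ in detail from the patent's Algorithm 3.

```python
from itertools import product

M, POLY = 7, 0b10000011   # toy field F_2[x]/(x^7 + x + 1); assumption, real curves use m = 163, 233, ...
A = 1                     # curve E_a: y^2 + xy = x^3 + a*x^2 + 1
MU = 1 if A else -1       # Frobenius tau satisfies tau^2 - MU*tau + 2 = 0

def gf_mul(x, y):  # polynomial-basis multiplication in F_{2^M}
    r = 0
    while y:
        if y & 1:
            r ^= x
        x, y = (x << 1) ^ (POLY if x >> (M - 1) else 0), y >> 1
    return r

def gf_inv(x):  # inverse of a non-zero x, computed as x^(2^M - 2)
    r = 1
    for _ in range(M - 1):
        x = gf_mul(x, x)
        r = gf_mul(r, x)
    return r

def add(P, Q):  # affine point addition on E_a; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 != x2:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
        return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)
    if y1 != y2 or x1 == 0:          # Q = -P, or P has order 2
        return None
    lam = x1 ^ gf_mul(y1, gf_inv(x1))
    x3 = gf_mul(lam, lam) ^ lam ^ A
    return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))

def signed(d, P):  # d*P for a digit d in {0, 1, -1}; -(x, y) = (x, x + y)
    return None if d == 0 or P is None else P if d == 1 else (P[0], P[0] ^ P[1])

def frob(P, times=1):  # apply tau: (x, y) -> (x^2, y^2), `times` times
    for _ in range(times if P is not None else 0):
        P = (gf_mul(P[0], P[0]), gf_mul(P[1], P[1]))
    return P

def tnaf(k):  # tau-adic NAF digits of the integer k, least significant first
    r0, r1, digits = k, 0, []
    while r0 or r1:
        u = 2 - (r0 - 2 * r1) % 4 if r0 & 1 else 0
        digits.append(u)
        half = (r0 - u) // 2
        r0, r1 = r1 + MU * half, -half           # exact division by tau
    return digits

def split(digits, r):  # zero-pad at the top, cut into r segments of equal length s
    s = -(-len(digits) // r)
    padded = digits + [0] * (r * s - len(digits))
    return s, [padded[j * s:(j + 1) * s] for j in range(r)]

def multi_scalar_mul(k, P, r):  # kP = k_1 P + k_2 phi(P) + ... , phi = tau^s, one shared loop
    s, segs = split(tnaf(k), r)
    bases = [frob(P, j * s) for j in range(r)]   # P, phi(P), ..., phi^(r-1)(P)
    table = {}                                   # precomputed signed combinations of the bases
    for col in product((0, 1, -1), repeat=r):
        acc = None
        for d, B in zip(col, bases):
            acc = add(acc, signed(d, B))
        table[col] = acc
    R = None
    for i in range(s - 1, -1, -1):               # R <- tau R, then add the digit column
        R = add(frob(R), table[tuple(seg[i] for seg in segs)])
    return R

def parallel_scalar_mul(k, P, r):  # kP = k_1 P + phi(k_2 P) + ... ; lanes share no state
    s, segs = split(tnaf(k), r)
    total = None
    for j, seg in enumerate(segs):               # one lane per processing unit
        Rj = None
        for i in range(s - 1, -1, -1):
            Rj = add(frob(Rj), signed(seg[i], P))
        total = add(total, frob(Rj, j * s))      # apply phi^j, then accumulate
    return total

def double_and_add(k, P):  # reference result from plain binary double-and-add
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        R = add(R, P) if bit == "1" else R
    return R

def find_point():  # brute-force a point with x != 0 (constructed sample input)
    for x in range(1, 1 << M):
        rhs = gf_mul(gf_mul(x, x), x ^ A) ^ 1
        for y in range(1 << M):
            if (gf_mul(y, y) ^ gf_mul(x, y)) == rhs:
                return (x, y)

if __name__ == "__main__":
    P = find_point()
    print([multi_scalar_mul(1000003, P, r) == double_and_add(1000003, P) for r in (1, 2, 3)])
```

The lanes in `parallel_scalar_mul` run sequentially here; because they share no state, each can be dispatched to its own processing unit.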
In the invention, elements of the finite field are represented in a polynomial basis, which gives efficient multiplication and squaring in the finite field; points on the elliptic curve are represented in López-Dahab coordinates, which avoids inversions in the basic operations; the above expression converts a single scalar multiplication into a multi-scalar multiplication, and kP is computed using the simultaneous multi-scalar multiplication technique, which reduces the computational cost of point additions and of the endomorphism τ. Compared with the τ-and-add method, the 2-dimensional implementation of the algorithm improves efficiency by more than 16% and the 3-dimensional implementation by more than 22%. The parallel scalar multiplication algorithm can choose the dimension of the parallel algorithm flexibly according to the number of device processing units r, and every processing unit executes the same instructions; relative to the standard τ-and-add implementation, the algorithm achieves a speed-up of nearly r times, improving the efficiency of scalar multiplication and hence of the elliptic curve cryptographic algorithm.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. The above description of the disclosed embodiments enables those skilled in the art to implement or use the invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be realized in other embodiments without departing from the spirit or scope of the invention. The invention is therefore not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A fast implementation method for elliptic curve cryptography, characterized by comprising the following:
Step 1: choose a Koblitz curve and its corresponding finite field, and determine the elliptic curve cryptography scalar k, the base point P and the number r of device processing units;
Step 2: compute the τ-adic NAF representation of the scalar k using the Frobenius endomorphism τ, and use $\tau^s$ to divide the τ-adic NAF representation of the scalar k into r segments of equal length;
Step 3: with elements of the finite field represented in a polynomial basis and points on the elliptic curve represented in López-Dahab coordinates, compute the multi-scalar multiplication kP for the divided scalar k;
Step 4: output the result of the multi-scalar multiplication kP.
2. The fast implementation method for elliptic curve cryptography according to claim 1, characterized in that step 1 comprises the following: choose a Koblitz curve $E_a: y^2 + xy = x^3 + ax^2 + 1$, $a \in \{0, 1\}$, and its corresponding finite field, where m is prime; choose an integer k at random in the interval [0, n] as the scalar, where is the order of the elliptic curve $E_a$, n is a large prime and h is the cofactor; select an element as the base point, where the order of the point P is a large prime.
3. The fast implementation method for elliptic curve cryptography according to claim 2, characterized in that step 2 comprises the following: according to the Euclidean domain $\mathbb{Z}[\tau] = \{a + b\tau \mid a, b \in \mathbb{Z}\}$ and the norms $N(k) = k^2$, $N(\tau) = 2$, the τ-adic NAF representation of the scalar k has an average length of $2\log_2 k$; let $\delta = (\tau^m - 1)/(\tau - 1)$ and $\rho \equiv k \bmod \delta$; for an arbitrary point there is $kP = \rho P$, where the reduced τ-adic NAF representation of ρ has length at most $m + a + 3$; compute $\delta = (\tau^m - 1)/(\tau - 1)$ according to the relation $\tau^2 - \mu\tau + 2 = 0$; using the rounding algorithm Round in the ring $\mathbb{Z}[\tau]$ and the division algorithm Division in the ring $\mathbb{Z}[\tau]$, compute the τ-adic NAF representation of the scalar k; let; use $\tau^s$ to divide the τ-adic NAF representation into r segments of equal length, namely: where, if l/r is not an integer, several 0s must be padded at the most significant positions.
4. The fast implementation method for elliptic curve cryptography according to claim 3, characterized in that step 3 comprises the following: elements of the finite field are represented using a polynomial basis, points on the elliptic curve are represented in López-Dahab coordinates, and the scalar multiplication kP is expressed as:
Let
$\varphi = \tau^s$,
then $kP = k_1P + k_2\varphi(P) + \dots + k_r\varphi^{(r-1)}(P)$; precompute $i_1P + i_2\varphi(P) + \dots + i_r\varphi^{r-1}(P)$, where $i_1, \dots, i_n \in \{0, \pm 1\}$; write k as $k_1 \| k_2 \| \dots \| k_r$, where each $k_i$ has bit length s and $k_{i,j}$ denotes the j-th bit of $k_i$; assign $i = s - 1$, and in an iterative loop test whether i is greater than or equal to zero; if so, compute $R \leftarrow \tau R$, $R \leftarrow R + (k_{1,i}P + \dots + k_{r,i}\varphi^{r}(P))$, $i \leftarrow i - 1$, and return to the loop; once i is less than zero, execute step 4.
5. The fast implementation method for elliptic curve cryptography according to claim 3, characterized in that computing the multi-scalar multiplication kP of the scalar k in step 3 further comprises the following: determine the dimension of the parallel scalar multiplication algorithm according to the number r of device processing units, and divide the multi-scalar multiplication kP computation into r mutually independent parts, with each device processing unit executing the same scalar multiplication computation in parallel.
6. The fast implementation method for elliptic curve cryptography according to claim 5, characterized in that the specific content of step 3 is as follows: elements of the finite field are represented using a polynomial basis, points on the elliptic curve are represented in López-Dahab coordinates, and the scalar multiplication kP is expressed as:
Let
$\varphi = \tau^s$,
then $kP = k_1P + \varphi(k_2P) + \dots + \varphi^{(r-1)}(k_rP)$; write k as $k_1 \| k_2 \| \dots \| k_r$, where each $k_i$ has bit length s and $k_{i,j}$ denotes the j-th bit of $k_i$; each device processing unit computes in parallel as follows: assign $i = s - 1$, and in an iterative loop test whether i is greater than or equal to zero; if so, compute $R_r \leftarrow \tau R_r$ and test whether $k_{r,i} \neq 0$; if it is, then $R_r \leftarrow R_r + k_{r,i}P$, $i \leftarrow i - 1$, and return to the loop; otherwise, $i \leftarrow i - 1$ and return to the loop; once i is less than zero, $R_r \leftarrow \varphi^{r-1}(R_r)$, $R \leftarrow R_1 + R_2 + \dots + R_r$, and execute step 4.
7. The fast implementation method for elliptic curve cryptography according to either of claims 4 or 6, characterized in that representing elements of the finite field using a polynomial basis comprises the following: regard as an m-dimensional vector space over $\mathbb{F}_2$; then there is a basis $\{\alpha_0, \alpha_1, \dots, \alpha_{m-1}\}$ such that any α can be uniquely expressed as $\alpha = a_0\alpha_0 + a_1\alpha_1 + \dots + a_{m-1}\alpha_{m-1}$; if $f(x) \in \mathbb{F}_2[x]$ is an irreducible polynomial of degree m and β is a root of f(x) in, then $\{1, \beta, \beta^2, \dots, \beta^{m-1}\}$ is a polynomial basis, is a normal basis.
8. A fast implementation device for elliptic curve cryptography, characterized by comprising:
a parameter selection module, for choosing an elliptic curve and its corresponding finite field, and determining the elliptic curve cryptography scalar, the base point and the number of device processing units;
a scalar encoding module, for computing the τ-adic NAF representation of the elliptic curve cryptography scalar according to the Frobenius endomorphism τ, and using $\tau^s$ to divide the representation into segments of equal length;
a scalar multiplication computing module, for performing the multi-scalar multiplication computation on the scalar after the equal-length division;
an output module, for outputting the result of the multi-scalar multiplication.
9. The fast implementation device for elliptic curve cryptography according to claim 8, characterized in that the scalar multiplication computing module comprises:
a multi-scalar multiplication conversion unit, for representing elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, and expressing the multi-scalar multiplication formula according to the scalar after the equal-length division;
a precomputation unit, for precomputing, according to the multi-scalar multiplication formula, the cost of the point addition and $\tau^s$ operations, and choosing the optimal multi-scalar multiplication dimension;
a loop computation unit, for computing the multi-scalar multiplication by iterative loop.
10. The fast implementation device for elliptic curve cryptography according to claim 8, characterized in that the scalar multiplication computing module comprises:
a multi-scalar multiplication conversion unit, for representing elements of the finite field in a polynomial basis and points on the elliptic curve in López-Dahab coordinates, expressing the multi-scalar multiplication formula for parallel execution according to the scalar after the equal-length division, and dividing the multi-scalar multiplication computation among mutually independent device processing units;
a loop computation unit, for computing the multi-scalar multiplication of each device processing unit in parallel by iterative loop.
CN201710197758.2A 2017-03-29 2017-03-29 Elliptic curve cipher Fast implementation and its device Expired - Fee Related CN106888088B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710197758.2A CN106888088B (en) 2017-03-29 2017-03-29 Elliptic curve cipher Fast implementation and its device


Publications (2)

Publication Number Publication Date
CN106888088A CN106888088A (en) 2017-06-23
CN106888088B true CN106888088B (en) 2019-08-13

Family

ID=59181122

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710197758.2A Expired - Fee Related CN106888088B (en) 2017-03-29 2017-03-29 Elliptic curve cipher Fast implementation and its device

Country Status (1)

Country Link
CN (1) CN106888088B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107547201B (en) * 2017-09-28 2020-06-16 哈尔滨工程大学 Method for improving scalar multiplication calculation efficiency in elliptic curve cryptosystem
CN108337091A (en) * 2018-03-22 2018-07-27 北京中电华大电子设计有限责任公司 P times of point calculating method of specified point on a kind of SM9 elliptic curves line of torsion
CN110470414B (en) * 2019-08-20 2021-01-29 宏人仁医医疗器械设备(东莞)有限公司 Body temperature measurement system and correction method for body temperature measurement system
CN111756538B (en) * 2020-06-28 2023-10-13 哈尔滨理工大学 Method and device for realizing ECC scalar multiplier based on prime preprocessing
CN111897578A (en) * 2020-07-31 2020-11-06 中国科学院信息工程研究所 Parallel processing method and device for scalar multiplication on elliptic curve with characteristic of 2
CN112350827B (en) * 2020-09-29 2022-08-23 中国科学院信息工程研究所 Koblitz curve-based elliptic curve encryption and decryption method and system for acceleration scalar multiplication calculation
CN112887096B (en) * 2021-02-20 2022-04-12 山东区块链研究院 Prime order elliptic curve generation method and system for signature and key exchange
WO2023108422A1 (en) * 2021-12-14 2023-06-22 中国科学院深圳先进技术研究院 Efficient zero knowledge proof accelerator and method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6212279B1 (en) * 1998-06-26 2001-04-03 The United States Of America As Represented By The United States National Security Agency Method of elliptic curve cryptographic key exchange using reduced base tau expansion in non-adjacent form
CN100414492C (en) * 2005-11-04 2008-08-27 北京浦奥得数码技术有限公司 Elliptic curve cipher system and implementing method
CN104836808B (en) * 2015-05-12 2017-12-15 中国科学院软件研究所 Based on the SM2 signature algorithm security verification methods for improving difference fault analysis
CN106533661B (en) * 2016-10-25 2019-07-19 北京大学 The online generation method in cryptography currency address based on Conbined public or double key


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190813

Termination date: 20200329