CN107896142B - Method and device for executing modular exponentiation and computer readable storage medium - Google Patents


Info

Publication number
CN107896142B
Authority
CN
China
Prior art keywords
variable
assigning
result
product
precomputed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710942868.7A
Other languages
Chinese (zh)
Other versions
CN107896142A (en)
Inventor
雷翻翻
李峰
刘利飞
雷黎丽
倪洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Datang Microelectronics Technology Co Ltd
Original Assignee
Datang Microelectronics Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Datang Microelectronics Technology Co Ltd
Priority to CN201710942868.7A
Publication of CN107896142A
Application granted
Publication of CN107896142B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F 7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F 7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers, using residue arithmetic
    • G06F 7/727 Modulo N arithmetic, with N being either (2**n)-1, 2**n or (2**n)+1, e.g. mod 3, mod 4 or mod 5
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/004 Countermeasures against attacks on cryptographic mechanisms for fault attacks

Abstract

The application discloses a method and a device for performing modular exponentiation, and a computer-readable storage medium. The method obtains a base g, an exponent d, a modulus q and a window w, and expresses the exponent d in m-ary representation:
[equation image DDA0001431018580000011]
where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0. Space is allocated for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and the base g is assigned to a result variable A. For i = 0 to l-2, in a loop, the product of the precomputed variable
[equation image DDA0001431018580000012]
and the result variable A is assigned to
[equation image DDA0001431018580000013]
and A^m is assigned to the result variable A. Then
[equation image DDA0001431018580000014]
is assigned to the result variable A, and finally the product of the result variable A and the base g is assigned to the result variable A. Because each step of the calculation performs the modular squaring and the modular multiplication exactly once, the method fully resists SPA attacks; because no dummy operation appears anywhere in the modular exponentiation, it resists FA attacks; and the window w makes the computation faster.

Description

Method and device for executing modular exponentiation and computer readable storage medium
Technical Field
The present invention relates to, but not limited to, the field of information security technologies, and in particular, to a method and an apparatus for performing modular exponentiation, and a computer-readable storage medium.
Background
With the development of computer technology and the growing informatization of society, information security receives more and more attention. When the RSA public-key algorithm, the SM9 identity-based cryptographic algorithm or other cryptographic algorithms are implemented on an embedded single-chip device, a modular exponentiation of the form m = g^d (mod q) is used, where g is the base, d is the exponent, q is the modulus and m is the result of the computation. In these public-key cryptosystems the exponent d of some modular exponentiations must always be kept strictly secret: in RSA, d is the private key and must be kept strictly secret; in the SM9 signature algorithm, an attacker who learns the exponent of the modular exponentiation can derive the user's private key by combining it with the SM9 signature result.
Side-channel attacks and fault attacks (FA) are two representative attack methods proposed in recent years and pose a serious threat to chips. Simple power analysis (SPA), a form of side-channel attack, is a technique in which the attacker derives secret information directly by observing the power-consumption trace of an operation on secret data. The premise of power analysis is that the power trace is related both to the instructions the device executes and to the values of the operands being processed, so that examining the trace reveals the instructions executed and the data in the registers. The basic principle of a fault attack is that error injection (clock glitches, laser irradiation, electromagnetic pulses and the like) makes the chip produce a transient logic error while it executes the cryptographic algorithm; the attacker then obtains secret data from inside the chip by analyzing correct and faulty results. For example, if errors are injected during SM9/SM2 encryption and the attacker can obtain the random number, the key that actually encrypts the message can be deduced by combining it with the SM9/SM2 encryption output, and the true message is recovered.
At present, the main idea of SPA-resistant modular exponentiation is to fix or randomize the program's execution path; typical methods are the binary square-and-multiply-always (dummy-operation) method, the Montgomery ladder, Joye's square-multiply ladder and Joye's modified binary method. Analysis shows that the square-and-multiply-always method, the Montgomery ladder and Joye's square-multiply ladder all perform a modular multiplication and a modular squaring regardless of whether the key bit is 0 or 1. If an error is injected into the modular multiplication and that multiplication is a dummy operation, the result stays correct and the corresponding key bit is 0; otherwise the result is wrong and the bit is 1. These three methods therefore cannot resist FA. In Joye's modified binary method the precomputation involves the lowest bit of the key, so information leaks and that method cannot fully resist SPA. Moreover, these methods usually pay for their protection with efficiency and are relatively slow.
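The fault-attack argument of the preceding paragraph, as an added example that is not part of the patent: a square-and-multiply-always exponentiation whose multiplication on a 0 bit is a dummy, a constructed fault model that corrupts the product of one chosen multiplication, and the bit-by-bit recovery that compares the faulty output with the correct one. The function names, the 61-bit Mersenne modulus, the base and the secret exponent are this example's own choices; the attacker is assumed to know the exponent length, as it would from the key size.

```python
# Added example (not the patent's code): the fault attack of the Background section,
# simulated on the binary square-and-multiply-always method.  Every bit costs one
# squaring and one multiplication; on a 0 bit the product is computed and discarded.
# Fault model (constructed): the product of one chosen multiplication is corrupted.

def square_and_multiply_always(g, d, q, fault_bit=None):
    """Left-to-right binary exponentiation with a dummy multiply on 0 bits.

    fault_bit selects the bit position (0 = most significant) whose multiplication
    returns a corrupted product; None runs the device fault-free.
    """
    A = 1
    for pos, bit in enumerate(bin(d)[2:]):
        A = (A * A) % q             # modular squaring, always performed
        T = (A * g) % q             # modular multiplication, always performed
        if pos == fault_bit:
            T ^= 1                  # transient error injected into this product
        A = T if bit == "1" else A  # bit 0: T is discarded, so the fault leaves no trace
    return A


def recover_exponent(n_bits, run_device):
    """Safe-error attack.  run_device(fault_bit) returns the device output with a
    fault in the multiplication of that bit position (None = no fault).  A faulty
    run whose output is still correct hit a dummy multiplication, i.e. a 0 bit."""
    correct = run_device(None)
    bits = ["0" if run_device(pos) == correct else "1" for pos in range(n_bits)]
    return int("".join(bits), 2)


# Constructed toy parameters: a 61-bit Mersenne prime modulus and a 24-bit secret.
Q = (1 << 61) - 1
G = 123456789
SECRET_D = 0xB5A3D7


def demo():
    """Runs the attack against the toy device; returns (succeeded, recovered exponent)."""
    device = lambda fault_bit: square_and_multiply_always(G, SECRET_D, Q, fault_bit)
    recovered = recover_exponent(SECRET_D.bit_length(), device)
    return recovered == SECRET_D, recovered
```

The attacker needs only the device's outputs, one fault-free and one per exponent bit, never a power trace; with the modulus chosen here a corrupted product on a 1 bit always changes the final result, so the comparison is exact. The countermeasure of this patent removes precisely the discarded multiplication that the comparison detects.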
Disclosure of Invention
In order to solve the above technical problems, the present invention provides a method and an apparatus for performing modular exponentiation, and a computer-readable storage medium, which can make the modular exponentiation fully resistant to SPA attacks and FA attacks and improve the computational efficiency of the algorithm.
In order to achieve the purpose of the invention, the technical scheme of the embodiment of the invention is realized as follows:
An embodiment of the invention provides a method for performing modular exponentiation, comprising the following steps:
obtaining a base g, an exponent d, a modulus q and a window w;
expressing the exponent d in m-ary representation:
[equation image GDA0002770466440000021]
where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0;
allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A;
for i = 0 to l-2, in a loop, assigning the product of the precomputed variable
[equation image GDA0002770466440000022]
and the result variable A to
[equation image GDA0002770466440000023]
and assigning A^m to the result variable A;
assigning
[equation image GDA0002770466440000024]
to the result variable A, where · is the multiplication sign and Π is the product operator;
and assigning the product of the result variable A and the base g to the result variable A.
Further, assigning
[equation image GDA0002770466440000025]
to the result variable A specifically comprises:
assigning the precomputed variable R_m to a first intermediate variable B;
for i = m-1 down to 2, in a loop, assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to B;
assigning the product of the precomputed variables R_1 and R_2 to R_1;
and assigning
[equation image GDA0002770466440000031]
to the result variable A.
Further, assigning
[equation image GDA0002770466440000032]
to the result variable A specifically comprises:
assigning the product of the result variable A and the precomputed variable R_1 to A;
testing bit (w-1) of (d_{l-1} - 1), i.e. (d_{l-1} - 1) >> (w-1), where >> is the right-shift operator: if it is 1, assigning the result variable A to a second intermediate variable Q; if it is 0, assigning the precomputed variable R_1 to Q;
for i = w-1 down to 1, in a loop, assigning the square Q^2 of the second intermediate variable Q to Q, then testing bit (i-1) of (d_{l-1} - 1), i.e. ((d_{l-1} - 1) >> (i-1)) & 1: if it is 1, assigning the product of Q and A to Q; if it is 0, assigning the product of Q and R_1 to Q;
and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
An embodiment of the present invention further provides a computer-readable storage medium, on which a program for performing a modular exponentiation operation is stored, and when the program for performing a modular exponentiation operation is executed by a processor, the method for performing a modular exponentiation operation as described in any of the above steps is implemented.
An embodiment of the invention further provides a device for performing modular exponentiation, comprising an obtaining unit, an encoding unit and a calculating unit, wherein:
the obtaining unit is configured to obtain the base g, the exponent d, the modulus q and the window w, output the values of the exponent d and the window w to the encoding unit, and output the base g, the modulus q and the window w to the calculating unit;
the encoding unit is configured to express the exponent d in m-ary representation:
[equation image GDA0002770466440000033]
where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, and to output the values of d_i, l and m to the calculating unit;
the calculating unit is configured to allocate space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assign the base g to a result variable A; for i = 0 to l-2, in a loop, assign the product of the precomputed variable
[equation image GDA0002770466440000034]
and the result variable A to
[equation image GDA0002770466440000035]
and assign A^m to the result variable A; assign
[equation image GDA0002770466440000036]
to the result variable A, where · is the multiplication sign and Π is the product operator; and assign the product of the result variable A and the base g to the result variable A.
Further, the calculating unit assigning
[equation image GDA0002770466440000041]
to the result variable A comprises:
assigning the precomputed variable R_m to a first intermediate variable B;
for i = m-1 down to 2, in a loop, assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to B;
assigning the product of the precomputed variables R_1 and R_2 to R_1;
and assigning
[equation image GDA0002770466440000042]
to the result variable A.
Further, the calculating unit assigning
[equation image GDA0002770466440000043]
to the result variable A comprises:
assigning the product of the result variable A and the precomputed variable R_1 to A;
testing bit (w-1) of (d_{l-1} - 1), i.e. (d_{l-1} - 1) >> (w-1), where >> is the right-shift operator: if it is 1, assigning the result variable A to a second intermediate variable Q; if it is 0, assigning the precomputed variable R_1 to Q;
for i = w-1 down to 1, in a loop, assigning the square Q^2 of the second intermediate variable Q to Q, then testing bit (i-1) of (d_{l-1} - 1), i.e. ((d_{l-1} - 1) >> (i-1)) & 1: if it is 1, assigning the product of Q and A to Q; if it is 0, assigning the product of Q and R_1 to Q;
and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
The technical scheme of the invention has the following beneficial effects:
With the method and device for performing modular exponentiation and the computer-readable storage medium described above, each step of the calculation performs the modular squaring and the modular multiplication exactly once, so SPA attacks are fully resisted; no dummy operation appears anywhere in the modular exponentiation, so FA attacks are resisted and security is higher; and the window w gives a higher computation speed, making the method suitable for both software and hardware implementation.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart illustrating a method for performing modular exponentiation according to an embodiment of the present invention;
FIG. 2 is a block diagram of an apparatus for performing modular exponentiation according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
The derivation of the modular exponentiation calculation is as follows:
d is first rewritten in m-ary form, i.e.
[equation image GDA0002770466440000051]
with 0 ≤ d_i < m and d_{l-1} ≠ 0.
[equation image GDA0002770466440000052]
Thus d can be written as
[equation image GDA0002770466440000053]
where
[equation image GDA0002770466440000054]
Hence g^d = g · g^{d-1}, and g^{d-1} is calculated as follows:
[equation image GDA0002770466440000055]
where
[equation image GDA0002770466440000056]
is calculated by the following steps;
[equation image GDA0002770466440000057]
and
[equation image GDA0002770466440000058]
are obtained as follows:
1. Let A = g and R_j = 1.
2. For j = 0 to l-2, perform
2.1 [equation image GDA0002770466440000061]
2.2 A = A^m
This gives:
[equation image GDA0002770466440000062]
As shown in FIG. 1, a method for performing modular exponentiation according to the invention comprises the following steps:
Step 101: obtaining a base g, an exponent d, a modulus q and a window w;
Step 102: expressing the exponent d in m-ary representation:
[equation image GDA0002770466440000063]
where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, ≠ being the "not equal" sign;
Step 103: allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A;
Step 104: for i = 0 to l-2, in a loop with step size 1, assigning the product of the precomputed variable
[equation image GDA0002770466440000064]
and the result variable A to
[equation image GDA0002770466440000065]
and assigning A^m to the result variable A;
Step 105: assigning
[equation image GDA0002770466440000066]
to the result variable A, where · is the multiplication sign and Π is the product operator;
Step 106: assigning the product of the result variable A and the base g to the result variable A.
Because step 105 is relatively complex and costly to implement, the invention optimizes its implementation: in step 105,
[equation image GDA0002770466440000067]
can be converted into
[equation image GDA0002770466440000068]
which not only resists SPA attacks but also reduces the computational complexity.
The derivation is as follows:
[equation image GDA0002770466440000069]
[equation image GDA0002770466440000071]
The following steps 1 to 3 calculate
[equation image GDA0002770466440000072]
and R_m · R_{m-1} · … · R_2 · R_1:
1. Let B = R_m.
2. For i = m-1 down to 2, perform
2.1 R_i = R_i · R_{i+1}
2.2 B = B · R_i
3. R_1 = R_1 · R_2 (by step 2, R_2 = R_m · R_{m-1} · … · R_2)
where
[equation image GDA0002770466440000073]
and R_1 = R_m · R_{m-1} · … · R_1, from which
[equation image GDA0002770466440000074]
Further, in step 105, assigning
[equation image GDA0002770466440000075]
to the result variable A specifically comprises:
Step 1051) assigning the precomputed variable R_m to a first intermediate variable B;
Step 1052) for i = m-1 down to 2, in a loop with step size 1, assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to B;
Step 1053) assigning the product of the precomputed variables R_1 and R_2 to R_1 (by step 1052, R_2 = R_m · R_{m-1} · … · R_2);
Step 1054) assigning
[equation image GDA0002770466440000076]
to the result variable A.
Since step 1054 is still complex to implement, its implementation is optimized again: in step 1054,
[equation image GDA0002770466440000077]
is converted into
[equation image GDA0002770466440000078]
[equation image GDA0002770466440000081]
The derivation is as follows:
1. Calculate
[equation image GDA0002770466440000082]
as follows, and assign the result to Q:
[equation image GDA0002770466440000083]
2. Calculate Q · B and assign the result to A.
Further, step 1054, assigning
[equation image GDA0002770466440000084]
to the result variable A, specifically comprises:
10541) assigning the product of the result variable A and the precomputed variable R_1 to A;
10542) testing bit (w-1) of (d_{l-1} - 1), i.e. (d_{l-1} - 1) >> (w-1), where >> is the right-shift operator: if it is 1, assigning the result variable A to a second intermediate variable Q; if it is 0, assigning the precomputed variable R_1 to Q;
10543) for i = w-1 down to 1, in a loop with step size 1, assigning the square Q^2 of the second intermediate variable Q to Q, then testing bit (i-1) of (d_{l-1} - 1), i.e. ((d_{l-1} - 1) >> (i-1)) & 1: if it is 1, assigning the product of Q and A to Q; if it is 0, assigning the product of Q and R_1 to Q;
10544) assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
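The complete procedure of steps 101 to 106 with the refinements of steps 1051 to 1054 and 10541 to 10544, as an added example in Python that is not the patent's own code. The page's equation images are not reproduced here, so the index of the precomputed variable updated in step 104 is this example's reconstruction: it takes R_{d_i+1}, the variable that collects the positions whose digit is d_i, which is the only choice under which steps 1051 to 1054 and the final multiplication by g yield g^d, and the code checks its result against Python's pow(). Computing A^m as w modular squarings, the ModOps helper with its operation log and single-operation fault, and the toy parameters are likewise this example's own choices. The selection between A and R_1 in steps 10542 and 10543 is written as a conditional expression for readability; a deployed implementation would use a constant-time select, since the page states that the conditional branch is eliminated but does not show how.

```python
# Added example (not the patent's code): steps 101-106 with the step 105 refinements
# 1051-1054 and 10541-10544 on Python integers, plus two checks of the page's claims.
# Reconstruction note: the page's equation images are not reproduced, so the index of
# the precomputed variable updated in step 104 is taken to be d_i + 1 (R_{d_i + 1}
# collects the positions whose digit is d_i); modexp() is checked against pow().
# A^m is computed as w modular squarings (an implementation choice of this example).

class ModOps:
    """Modular multiply/square modulo q with an op log and an optional constructed
    fault that corrupts the result of exactly one op (the one with index fault_at)."""

    def __init__(self, q, fault_at=None):
        self.q, self.fault_at, self.n, self.trace = q, fault_at, 0, []

    def _done(self, r, kind):
        self.trace.append(kind)
        if self.n == self.fault_at:
            r ^= 1                          # transient error in this single op
        self.n += 1
        return r

    def mul(self, x, y):
        return self._done((x * y) % self.q, "M")

    def sqr(self, x):
        return self._done((x * x) % self.q, "S")


def m_ary_digits(d, w):
    """Step 102: digits d_0 .. d_{l-1} of d >= 1 in base m = 2^w, with d_{l-1} != 0."""
    assert d >= 1
    digits = []
    while d:
        digits.append(d & ((1 << w) - 1))
        d >>= w
    return digits


def modexp_window(g, d, w, ops):
    """Steps 101-106; returns g^d mod ops.q and logs every op in ops.trace."""
    m = 1 << w
    digits = m_ary_digits(d, w)
    l = len(digits)
    R = [None] + [1] * m                    # step 103: R_1 .. R_m = 1 (R[0] unused)
    A = g % ops.q
    for i in range(l - 1):                  # step 104: i = 0 .. l-2
        R[digits[i] + 1] = ops.mul(R[digits[i] + 1], A)   # R_{d_i+1} *= A (see note)
        for _ in range(w):                  # A = A^m
            A = ops.sqr(A)
    B = R[m]                                # step 1051
    for i in range(m - 1, 1, -1):           # step 1052: i = m-1 .. 2
        R[i] = ops.mul(R[i], R[i + 1])      # R_i = R_m * ... * R_i
        B = ops.mul(B, R[i])                # B = prod_j R_j^(j-1)
    R[1] = ops.mul(R[1], R[2])              # step 1053: R_1 = R_m * ... * R_1
    A = ops.mul(A, R[1])                    # step 10541
    e = digits[-1] - 1                      # 0 <= e < m: top digit minus one
    Q = A if (e >> (w - 1)) & 1 else R[1]   # step 10542
    for i in range(w - 1, 0, -1):           # step 10543: ladder over the bits of e
        Q = ops.sqr(Q)
        Q = ops.mul(Q, A if (e >> (i - 1)) & 1 else R[1])   # constant-time select in practice
    A = ops.mul(B, Q)                       # step 10544
    return ops.mul(A, g % ops.q)            # step 106


def modexp(g, d, q, w):
    return modexp_window(g, d, w, ModOps(q))


def op_trace(g, d, q, w):
    """Sequence of modular squarings (S) and multiplications (M).  The page's SPA
    argument is that it depends only on the m-ary length l of d and on w."""
    ops = ModOps(q)
    modexp_window(g, d, w, ops)
    return "".join(ops.trace)


def dead_ops(g, d, q, w):
    """Indices of ops whose single-op corruption leaves the output unchanged, i.e.
    operations a safe-error fault attack would classify as not contributing."""
    ops = ModOps(q)
    good = modexp_window(g, d, w, ops)
    return [k for k in range(ops.n)
            if modexp_window(g, d, w, ModOps(q, fault_at=k)) == good]
```

modexp() agrees with pow() for w = 1 to 4, and op_trace() is identical for two exponents of the same m-ary length, which is the SPA property the page claims. dead_ops() is empty for exponents whose top digit d_{l-1} is greater than 1. When d_{l-1} = 1, which is always the case for w = 1, e = d_{l-1} - 1 is 0, the ladder of step 10543 selects R_1 at every step, and neither the A produced by the last A^m of step 104 nor the product A·R_1 of step 10541 reaches the output, so the example reports those operations as dead. That is an observation from running this example, not a statement the page makes; a practitioner would check the top-digit handling of a deployed implementation separately.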
The present invention also discloses a computer-readable storage medium having stored thereon a program for performing modular exponentiation, which when executed by a processor implements the steps of the method for performing modular exponentiation as described in any of the above.
As shown in FIG. 2, a device for performing modular exponentiation according to the invention comprises an obtaining unit 201, an encoding unit 202 and a calculating unit 203, wherein:
the obtaining unit 201 is configured to obtain a base g, an exponent d, a modulus q and a window w, output the values of the exponent d and the window w to the encoding unit 202, and output the base g, the modulus q and the window w to the calculating unit 203;
the encoding unit 202 is configured to express the exponent d in m-ary representation:
[equation image GDA0002770466440000091]
where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, and to output the values of d_i, l and m to the calculating unit 203;
the calculating unit 203 is configured to allocate space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assign the base g to a result variable A; for i = 0 to l-2, in a loop, assign the product of the precomputed variable
[equation image GDA0002770466440000092]
and the result variable A to
[equation image GDA0002770466440000093]
and assign A^m to the result variable A; assign
[equation image GDA0002770466440000094]
to the result variable A, where · is the multiplication sign and Π is the product operator; and assign the product of the result variable A and the base g to the result variable A.
Further, the calculating unit 203 assigning
[equation image GDA0002770466440000095]
to the result variable A comprises:
assigning the precomputed variable R_m to a first intermediate variable B;
for i = m-1 down to 2, in a loop, assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to B;
assigning the product of the precomputed variables R_1 and R_2 to R_1;
and assigning
[equation image GDA0002770466440000096]
to the result variable A.
Further, the calculating unit 203 assigning
[equation image GDA0002770466440000097]
to the result variable A comprises:
assigning the product of the result variable A and the precomputed variable R_1 to A;
testing bit (w-1) of (d_{l-1} - 1), i.e. (d_{l-1} - 1) >> (w-1), where >> is the right-shift operator: if it is 1, assigning the result variable A to a second intermediate variable Q; if it is 0, assigning the precomputed variable R_1 to Q;
for i = w-1 down to 1, in a loop, assigning the square Q^2 of the second intermediate variable Q to Q, then testing bit (i-1) of (d_{l-1} - 1), i.e. ((d_{l-1} - 1) >> (i-1)) & 1: if it is 1, assigning the product of Q and A to Q; if it is 0, assigning the product of Q and R_1 to Q;
and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
The SM9 algorithm involves bilinear pairings, scalar multiplication on elliptic curves (over the prime field and its quadratic extension), modular exponentiation over the 12th-degree extension field, and similar operations. The core idea of the SPA resistance of the invention is that, when modular exponentiation is implemented over the 12th-degree extension field, the conditional branch (the "if") in the modular exponentiation is eliminated:
[equation image GDA0002770466440000101]
It can be seen that in each calculation step the modular squaring and the modular multiplication are each performed once, so SPA attacks can be fully resisted. The core idea of the FA resistance is that, when modular exponentiation is implemented over the 12th-degree extension field, the dummy operations of the modular exponentiation are eliminated, so that the whole modular exponentiation contains no dummy operation; FA attacks are thus resisted, security is higher, and an attacker cannot deduce any single bit of an exponent that must be kept strictly secret from the execution of the extension-field modular exponentiation. The invention overcomes the weakness that the power trace of a modular exponentiation can be analyzed for information about the exponent, has stronger resistance to SPA and FA attacks, and, by choosing the size of the window w, achieves a higher computation speed, so that it is suitable for both software and hardware implementation.
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, and the program may be stored in a computer readable storage medium, such as a read-only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (3)

1. A method for performing modular exponentiation in a public-key cryptosystem, comprising:
obtaining a base g, an exponent d, a modulus q and a window w;
expressing the exponent d in m-ary representation:
[equation image FDA0002770466430000011]
where 0 ≤ d_i < m, m = 2^w, d_{l-1} ≠ 0, and l is the number of digits of the m-ary number into which the exponent d is converted;
allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A;
for i = 0 to l-2, in a loop, assigning the product of the precomputed variable
[equation image FDA0002770466430000012]
and the result variable A to
[equation image FDA0002770466430000013]
and assigning A^m to the result variable A; assigning
[equation image FDA0002770466430000018]
to the result variable A, where · is the multiplication sign and Π is the product operator;
assigning the product of the result variable A and the base g to the result variable A;
wherein assigning
[equation image FDA0002770466430000015]
to the result variable A specifically comprises: assigning the precomputed variable R_m to a first intermediate variable B; for i = m-1 down to 2, in a loop, assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to B; assigning the product of the precomputed variables R_1 and R_2 to R_1; and assigning
[equation image FDA0002770466430000016]
to the result variable A;
and wherein assigning
[equation image FDA0002770466430000017]
to the result variable A specifically comprises: assigning the product of the result variable A and the precomputed variable R_1 to A; testing bit (w-1) of (d_{l-1} - 1), i.e. (d_{l-1} - 1) >> (w-1), where >> is the right-shift operator: if it is 1, assigning the result variable A to a second intermediate variable Q, and if it is 0, assigning the precomputed variable R_1 to Q; for i = w-1 down to 1, in a loop, assigning the square Q^2 of the second intermediate variable Q to Q, then testing bit (i-1) of (d_{l-1} - 1), i.e. ((d_{l-1} - 1) >> (i-1)) & 1: if it is 1, assigning the product of Q and A to Q, and if it is 0, assigning the product of Q and R_1 to Q; and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
2. A computer-readable storage medium having stored thereon a program for performing modular exponentiation which, when executed by a processor, implements the steps of the method for performing modular exponentiation as claimed in claim 1.
3. An apparatus for performing a modular exponentiation, comprising an obtaining unit, an encoding unit, and a calculating unit, wherein:
the acquisition unit is used for acquiring the base number g, the exponent d, the modulus q and the window w, outputting the values of the exponent d and the window w to the coding unit, and outputting the base number g, the modulus q and the window w to the calculation unit;
an encoding unit for expressing the exponent d in m-ary representation:
Figure FDA0002770466430000021
wherein d is not less than 0i<m,m=2w,dl-1Not equal to 0, 1 is the number of digits of the m-ary number into which the exponent d is convertediThe values of l and m are output to a computing unit;
the calculating unit is used for allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m; assigning the base g to a result variable A; for i = 0 to l-2, the precomputed variable
Figure FDA0002770466430000022
has its product with the result variable A cyclically assigned to
Figure FDA0002770466430000023
and A^m is cyclically assigned to the result variable A; the expression
Figure FDA0002770466430000024
is assigned to the result variable A, where · is the product operator; and the product of the result variable A and the base g is assigned to the result variable A;
the calculating unit assigning
Figure FDA0002770466430000025
to the result variable A includes:
assigning the precomputed variable R_m to a first intermediate variable B;
for i = m-1 down to 2, cyclically assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and cyclically assigning the product of the first intermediate variable B and the precomputed variable R_i to the first intermediate variable B;
assigning the product of the precomputed variables R_1 and R_2 to R_1;
assigning
Figure FDA0002770466430000026
to the result variable A;
the calculating unit assigning
Figure FDA0002770466430000027
to the result variable A includes:
assigning the product of the result variable A and the precomputed variable R_1 to A;
detecting whether (d_{l-1} - 1) >> (w-1) is true, where >> is the shift-right operator; if true, assigning the result variable A to a second intermediate variable Q; if false, assigning the precomputed variable R_1 to the second intermediate variable Q;
for i = w-1 down to 1, cyclically assigning the square Q^2 of the second intermediate variable Q to Q, and detecting whether (d_{l-1} - 1) >> (i-1) is true; if true, assigning the product of the second intermediate variable Q and A to the second intermediate variable Q; if false, assigning the product of the second intermediate variable Q and the precomputed variable R_1 to the second intermediate variable Q;
and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
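The claims above describe one regular 2^w-ary right-to-left ladder in full. The Python below is an added worked example written from that description; it is not the patent's or the assignee's code. It assumes the claim's test "(d_{l-1} - 1) >> (i-1)" is a test of that single bit (the usual bit extraction in a left-to-right square-and-multiply over the top digit), computes A^m as w modular squarings, and adds a `trace` parameter that the claims do not have: it records every modular multiplication and squaring so a reviewer can check that the operation sequence depends only on the digit count l and the window w, not on the digit values, and that the digit-0 accumulator R_1 = g^(1 + m + … + m^(l-2)) is folded into the final result rather than discarded as a dummy.

```python
"""Regular 2^w-ary right-to-left modular exponentiation, reconstructed from the
claims of CN107896142B (added example, not the patent's own code).

Reading of the claims used here:
  * d = sum d_i * m^i with m = 2^w, 0 <= d_i < m and top digit d_{l-1} != 0.
  * Accumulators R_1..R_m start at 1. Digit d_i multiplies R_{d_i+1} by
    A = g^(m^i), so a zero digit performs a real multiplication as well.
  * After recombination R_1 holds g^(1 + m + ... + m^(l-2)); it is multiplied
    in wherever a plain square-and-multiply would skip a step, so the
    sequence of operations does not depend on the exponent bits.
  * Assumption: "(d_{l-1} - 1) >> (i - 1)" in the claim means a test of that
    single bit of the top digit.
"""


def m_ary_digits(d, w):
    """Return [d_0, ..., d_{l-1}] of d in base m = 2^w, least significant first."""
    if d <= 0:
        raise ValueError("exponent must be positive so that d_{l-1} != 0")
    m = 1 << w
    digits = []
    while d:
        digits.append(d % m)
        d //= m
    return digits


def regular_mary_modexp(g, d, q, w, trace=None):
    """Compute g^d mod q with the regular m-ary ladder of the claims.

    `trace`, if given, receives one label per modular multiplication ("mul")
    or squaring ("sqr") so the operation sequence can be inspected."""
    def mul(x, y):
        if trace is not None:
            trace.append("mul")
        return x * y % q

    def sqr(x):
        if trace is not None:
            trace.append("sqr")
        return x * x % q

    m = 1 << w
    digits = m_ary_digits(d, w)
    l = len(digits)

    # Precomputed variables R_1..R_m = 1 (index 0 unused); result variable A = g.
    R = [1] * (m + 1)
    A = g % q

    # Right-to-left pass over d_0..d_{l-2}: one multiplication into R_{d_i+1}
    # and one m-th power (w squarings) per digit, whatever the digit value.
    for i in range(l - 1):
        R[digits[i] + 1] = mul(R[digits[i] + 1], A)
        for _ in range(w):
            A = sqr(A)

    # Recombination: B = prod_{j=2..m} R_j^(j-1), then R_1 = prod_{j=1..m} R_j.
    B = R[m]
    for i in range(m - 1, 1, -1):
        R[i] = mul(R[i], R[i + 1])
        B = mul(B, R[i])
    R[1] = mul(R[1], R[2])

    # Top digit: A = g^(m^(l-1)) * R_1, then a fixed w-step square-and-multiply
    # over e = d_{l-1} - 1 in which a zero bit multiplies by R_1 instead of A.
    A = mul(A, R[1])
    e = digits[l - 1] - 1
    Q = A if (e >> (w - 1)) & 1 else R[1]
    for i in range(w - 1, 0, -1):
        Q = sqr(Q)
        Q = mul(Q, A) if (e >> (i - 1)) & 1 else mul(Q, R[1])

    # Q = g^(d_{l-1} * m^(l-1) - 1), so B * Q = g^(d-1); one more multiply by g gives g^d.
    A = mul(B, Q)
    return mul(A, g % q)


def operation_trace(d, w, q=101, g=2):
    """Tuple of mul/sqr labels for exponent d; it depends only on l and w."""
    trace = []
    regular_mary_modexp(g, d, q, w, trace)
    return tuple(trace)


if __name__ == "__main__":
    # Constructed check values: a small prime modulus keeps the arithmetic easy to follow.
    for w in (1, 2, 3):
        for d in range(1, 300):
            assert regular_mary_modexp(3, d, 1009, w) == pow(3, d, 1009)
    print("matches pow() for every tested exponent")
    # 13 = (3,1) and 9 = (2,1) in base 4: same digit count, identical operation sequence.
    print(operation_trace(13, 2) == operation_trace(9, 2))
```

The `__main__` block cross-checks the ladder against Python's built-in `pow` and compares the operation traces of two exponents with the same number of base-4 digits; any digit-dependent branch that dropped or added an operation would show up there as a differing trace.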
CN201710942868.7A 2017-10-11 2017-10-11 Method and device for executing modular exponentiation and computer readable storage medium Active CN107896142B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710942868.7A CN107896142B (en) 2017-10-11 2017-10-11 Method and device for executing modular exponentiation and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710942868.7A CN107896142B (en) 2017-10-11 2017-10-11 Method and device for executing modular exponentiation and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN107896142A CN107896142A (en) 2018-04-10
CN107896142B true CN107896142B (en) 2021-04-13

Family

ID=61803232

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710942868.7A Active CN107896142B (en) 2017-10-11 2017-10-11 Method and device for executing modular exponentiation and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN107896142B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112332970A (en) * 2019-08-05 2021-02-05 上海复旦微电子集团股份有限公司 Side channel analysis method, device, medium and equipment for attacking SM9 signature algorithm
CN112769557B (en) * 2020-12-30 2022-10-18 北京宏思电子技术有限责任公司 Implementation method and device for accelerating SM9 bilinear pairing operation in embedded system
CN112769552B (en) * 2020-12-30 2022-08-23 北京宏思电子技术有限责任公司 Method and device for accelerating linear pair operation in embedded system
CN112769553B (en) * 2020-12-30 2022-08-19 北京宏思电子技术有限责任公司 Implementation method and device for accelerating SM9 bilinear pairing operation in embedded system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1259617C (en) * 2003-09-09 2006-06-14 大唐微电子技术有限公司 Montgomery analog multiplication algorithm and its analog multiplication and analog power operation circuit
WO2010105900A1 (en) * 2009-03-16 2010-09-23 Thomson Licensing Exponentiation method resistant against side-channel and safe-error attacks
EP2535804A1 (en) * 2011-06-17 2012-12-19 Thomson Licensing Fault-resistant exponentiation algorithm
CN103246494A (en) * 2013-05-27 2013-08-14 上海爱信诺航芯电子科技有限公司 Safety modular exponentiation method for resisting energy analysis and fault attack

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Highly Regular m-Ary Powering Ladders; Marc Joye et al.; Springer; 2009-08-14; full text *
Regular 2w-ary right-to-left exponentiation algorithm with very efficient DPA and FA countermeasures; Yoo-Jin Baek; Springer; 2010-09-24; pp. 363-370 *

Also Published As

Publication number Publication date
CN107896142A (en) 2018-04-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant