CN107896142B - Method and device for executing modular exponentiation and computer readable storage medium - Google Patents
Publication number: CN107896142B
Authority: CN (China)
Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/003—Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/60—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
- G06F7/72—Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
- G06F7/727—Modulo N arithmetic, with N being either (2**n)-1,2**n or (2**n)+1, e.g. mod 3, mod 4 or mod 5
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/004—Countermeasures against attacks on cryptographic mechanisms for fault attacks
Abstract
The application discloses a method and a device for executing modular exponentiation and a computer-readable storage medium. The method comprises: obtaining a base g, an exponent d, a modulus q and a window w; expressing the exponent d in m-ary representation d = Σ_{i=0}^{l-1} d_i·m^i, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0; allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A; for i = 0 to l-2, cyclically assigning the product of the precomputed variable [formula missing] and the result variable A to [formula missing], and assigning A^m to the result variable A; assigning [formula missing] to the result variable A; and assigning the product of the result variable A and the base g to the result variable A. Because one modular squaring and one modular multiplication are performed in every step of the calculation, the method completely resists SPA attacks; by eliminating dummy operations from the whole modular exponentiation, it resists FA attacks; and by setting the window w, the calculation is faster.
Description
Technical Field
The present invention relates to, but not limited to, the field of information security technologies, and in particular, to a method and an apparatus for performing modular exponentiation, and a computer-readable storage medium.
Background
With the development of computer technology and the continuous advance of social informatization, information security is receiving more and more attention. When the RSA public key cryptographic algorithm, the SM9 identity-based cryptographic algorithm or other cryptographic algorithms are implemented on an embedded single-chip device, the modular exponentiation operation is used; it has the form m = g^d (mod q), where g is the base, d is the exponent, q is the modulus and m is the result of the computation. In these public key cryptosystems, the exponent d of some modular exponentiations must always be kept strictly secret: in the RSA system, when d is the private key, it must be kept strictly secret; in the SM9 signature algorithm, if an attacker can obtain the exponent of the modular exponentiation, the user's private key can be derived by combining it with the SM9 signature result.
Side-channel attacks and fault attacks (FA) are two representative attack methods proposed in recent years and pose a strong threat to chips. Simple Power Analysis (SPA), a kind of side-channel attack, is a technique in which an attacker derives secret information directly by observing the power consumption curve of an operation on secret data. The premise of power analysis attacks is that the power curve is related to the instructions executed by the device and to the values of the operands being processed, so that examining the power curve reveals the instructions being executed and the data in the registers. The basic principle of a fault attack is that the chip is made to produce transient logic errors during the execution of a cryptographic algorithm by means of error injection (such as clock glitches, laser irradiation, electromagnetic pulses and the like), and the attacker obtains secret data inside the chip by analysing correct and faulty encryption results. For example, if errors are injected during the SM9/SM2 encryption algorithm and the attacker can obtain the random numbers, the key of the true encrypted message can be deduced by combining the SM9/SM2 encryption results, and the true message is then obtained.
At present, the main idea of SPA-resistant modular exponentiation methods is to fix or randomize the program's execution path; typical methods are the binary algorithm with dummy (pseudo) operations, the Montgomery ladder, Joye's square-multiply ladder and Joye's modified binary method. Analysis shows that in the binary dummy-operation algorithm, the Montgomery ladder and Joye's square-multiply ladder, a modular multiplication and a modular squaring are required whether the key bit is 0 or 1; if an error is injected into the modular multiplication and that multiplication is a dummy operation, the result is still correct and the corresponding key bit is 0, otherwise it is 1. The existing binary dummy-operation algorithm, Montgomery ladder and Joye square-multiply ladder therefore cannot resist FA attacks. In Joye's modified binary method, the precomputation involves the lowest bit of the key, so information leakage exists, that is, Joye's modified binary method cannot completely resist SPA attacks. Furthermore, these modular exponentiation methods usually sacrifice efficiency and are therefore relatively slow.
Disclosure of Invention
In order to solve the above technical problems, the present invention provides a method and an apparatus for performing modular exponentiation, and a computer-readable storage medium, which can make the modular exponentiation fully resistant to SPA attacks and FA attacks and improve the computational efficiency of the algorithm.
In order to achieve the purpose of the invention, the technical scheme of the embodiment of the invention is realized as follows:
An embodiment of the invention provides a method for executing modular exponentiation, comprising the following steps:
obtaining a base g, an exponent d, a modulus q and a window w;
allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A;
for i = 0 to l-2, cyclically assigning the product of the precomputed variable [formula missing] and the result variable A to [formula missing], and assigning A^m to the result variable A;
assigning [formula missing] to the result variable A, where · is the multiplication sign and ∏ is the product operator;
and assigning the product of the result variable A and the base g to the result variable A.
Further, assigning [formula missing] to the result variable A specifically comprises:
assigning the precomputed variable R_m to a first intermediate variable B;
for i = m-1 down to 2, cyclically assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to the first intermediate variable B;
assigning the product of the precomputed variables R_1 and R_2 to R_1.
Further, assigning [formula missing] to the result variable A specifically comprises:
assigning the product of the result variable A and the precomputed variable R_1 to A;
detecting whether (d_{l-1}-1) >> (w-1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q, and if false, assigning the precomputed variable R_1 to the second intermediate variable Q;
for i = w-1 down to 1, cyclically assigning the square Q² of the second intermediate variable Q to Q and detecting whether (d_{l-1}-1) >> (i-1) is true; if true, assigning the product of the second intermediate variable Q and A to Q, and if false, assigning the product of the second intermediate variable Q and the precomputed variable R_1 to Q;
and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
An embodiment of the present invention further provides a computer-readable storage medium, on which a program for performing a modular exponentiation operation is stored, and when the program for performing a modular exponentiation operation is executed by a processor, the method for performing a modular exponentiation operation as described in any of the above steps is implemented.
The embodiment of the present invention further provides a device for performing modular exponentiation, which includes an obtaining unit, an encoding unit, and a calculating unit, wherein:
the obtaining unit is used for obtaining the base g, the exponent d, the modulus q and the window w, outputting the values of the exponent d and the window w to the encoding unit, and outputting the base g, the modulus q and the window w to the calculating unit;
the encoding unit is used for expressing the exponent d in m-ary representation d = Σ_{i=0}^{l-1} d_i·m^i, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, and outputting the values of d_i, l and m to the calculating unit;
the calculating unit is used for allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A; for i = 0 to l-2, cyclically assigning the product of the precomputed variable [formula missing] and the result variable A to [formula missing], and assigning A^m to the result variable A; assigning [formula missing] to the result variable A, where · is the multiplication sign and ∏ is the product operator; and assigning the product of the result variable A and the base g to the result variable A.
assigning the precomputed variable R_m to a first intermediate variable B;
for i = m-1 down to 2, cyclically assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to the first intermediate variable B;
assigning the product of the precomputed variables R_1 and R_2 to R_1;
assigning the product of the result variable A and the precomputed variable R_1 to A;
detecting whether (d_{l-1}-1) >> (w-1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q, and if false, assigning the precomputed variable R_1 to the second intermediate variable Q;
for i = w-1 down to 1, cyclically assigning the square Q² of the second intermediate variable Q to Q and detecting whether (d_{l-1}-1) >> (i-1) is true; if true, assigning the product of the second intermediate variable Q and A to Q, and if false, assigning the product of the second intermediate variable Q and the precomputed variable R_1 to Q;
and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
The technical scheme of the invention has the following beneficial effects:
According to the method and device for executing modular exponentiation and the computer-readable storage medium, one modular squaring and one modular multiplication are performed in every step of the calculation, so SPA attacks are completely resisted; by eliminating dummy (pseudo) operations from the whole modular exponentiation, FA resistance is achieved and security is higher; by setting the window w, the method has a higher calculation speed and is suitable for both software and hardware implementation.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart illustrating a method for performing modular exponentiation according to an embodiment of the present invention;
FIG. 2 is a block diagram of an apparatus for performing modular exponentiation according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments in the present application may be arbitrarily combined with each other without conflict.
The derivation of the modular exponentiation calculation is as follows:
Thus g^d = g·g^{d-1}, and g^{d-1} is calculated as follows:
1. Let A = g, R_j = 1.
2. For j = 0 to l-2 perform:
2.2 A = A^m
as shown in fig. 1, a method for performing modular exponentiation according to the present invention comprises the steps of:
step 101: obtaining a base g, an exponent d, a modulus q and a window w;
step 102: expressing the exponent d in m-ary representation d = Σ_{i=0}^{l-1} d_i·m^i, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, ≠ being the not-equal sign;
step 103: allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A;
step 104: for i = 0 to l-2, cyclically assigning the product of the precomputed variable [formula missing] and the result variable A to [formula missing], and assigning A^m to the result variable A, the step length of each loop being 1;
step 105: assigning [formula missing] to the result variable A, where · is the multiplication sign and ∏ is the product operator;
step 106: assigning the product of the result variable A and the base g to the result variable A.
Because step 105 is relatively complex and costly to implement, the invention optimizes its implementation: the [formula missing] of step 105 can be converted into [formula missing], which not only resists SPA attacks but also reduces the computational complexity.
The derivation process is as follows:
1. Let B = R_m.
2. For i = m-1 down to 2 perform:
2.1 R_i = R_i·R_{i+1}
2.2 B = B·R_i
3. R_1 = R_1·R_2 (by step 2, R_2 = R_m·R_{m-1}·…·R_2)
Further, in step 105, assigning [formula missing] to the result variable A specifically comprises:
step 1051) assigning the precomputed variable R_m to a first intermediate variable B;
step 1052) for i = m-1 down to 2, cyclically assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to the first intermediate variable B, the step length of each loop being 1;
step 1053) assigning the product of the precomputed variables R_1 and R_2 to R_1 (by step 1052, R_2 = R_m·R_{m-1}·…·R_2);
Since step 1054 is still complex to implement, its implementation is optimized again: the [formula missing] of step 1054 is converted into [formula missing].
The derivation process is as follows:
2. Calculate Q·B and assign the result to A.
10541) assigning the product of the result variable A and the precomputed variable R_1 to A;
10542) detecting whether (d_{l-1}-1) >> (w-1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q, and if false, assigning the precomputed variable R_1 to the second intermediate variable Q;
10543) for i = w-1 down to 1, cyclically assigning the square Q² of the second intermediate variable Q to Q and detecting whether (d_{l-1}-1) >> (i-1) is true; if true, assigning the product of the second intermediate variable Q and A to Q, and if false, assigning the product of the second intermediate variable Q and the precomputed variable R_1 to Q, the step length of each loop being 1;
10544) assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
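The procedure of steps 101 to 106, with the refinements of steps 1051 to 1053 and 10541 to 10544, as an added Python example (not the patent's own code). Two points the page leaves implicit are taken as assumptions: the loop of step 104 updates R_{d_i+1} (the page's index formula did not survive extraction), and the tests in steps 10542 and 10543 read bit (i-1) of d_{l-1}-1. The trace helper records only the kind of each modular operation, to show that the operation sequence is the same for every exponent of the same digit length.

```python
from typing import List, Optional, Tuple


def m_ary_digits(d: int, w: int) -> List[int]:
    """Step 102: little-endian base-m digits of d with m = 2**w.

    The top digit d_{l-1} is nonzero by construction, as the page requires.
    """
    if d <= 0 or w <= 0:
        raise ValueError("exponent and window must be positive")
    mask = (1 << w) - 1
    digits = []
    while d:
        digits.append(d & mask)
        d >>= w
    return digits


def modexp_regular(g: int, d: int, q: int, w: int,
                   trace: Optional[List[str]] = None) -> int:
    """g**d mod q following steps 101-106, 1051-1053 and 10541-10544.

    If `trace` is given, the kind of every modular operation ("mul" or "sqr")
    is appended to it; operand values are never recorded.
    """
    def mul(x: int, y: int, kind: str = "mul") -> int:
        if trace is not None:
            trace.append(kind)
        return (x * y) % q

    def pow_m(x: int) -> int:
        # A = A**m with m = 2**w is w modular squarings
        for _ in range(w):
            x = mul(x, x, "sqr")
        return x

    m = 1 << w
    digits = m_ary_digits(d, w)
    l = len(digits)

    # Step 103: R_1..R_m = 1 (index 0 is unused so indices match the page), A = g.
    R = [None] + [1] * m
    A = g % q

    # Step 104: every digit costs exactly one multiplication and one m-th power.
    # ASSUMPTION: digit d_i selects R_{d_i+1} (the page's index formula was lost
    # in extraction; this is the natural mapping of 0..m-1 onto R_1..R_m).
    for i in range(l - 1):
        R[digits[i] + 1] = mul(R[digits[i] + 1], A)
        A = pow_m(A)

    # Steps 1051-1053: fold the table so that B = prod_{k=2..m} R_k^(k-1) and
    # R_1 = prod_{k=1..m} R_k, which together replace the product of step 105.
    B = R[m]
    for i in range(m - 1, 1, -1):
        R[i] = mul(R[i], R[i + 1])
        B = mul(B, R[i])
    R[1] = mul(R[1], R[2])

    # Steps 10541-10544: Q = A^(d_{l-1}-1) * R_1^(m-1) by a regular
    # square-and-multiply over the w bits of e = d_{l-1}-1: every bit
    # multiplies by either A*R_1 or R_1, so no dummy operation is needed.
    # ASSUMPTION: the test "(d_{l-1}-1) >> (i-1)" is read as that single bit,
    # i.e. ((d_{l-1}-1) >> (i-1)) & 1.
    e = digits[-1] - 1                       # 0 <= e <= m-2
    A = mul(A, R[1])
    Q = A if (e >> (w - 1)) & 1 else R[1]
    for i in range(w - 1, 0, -1):
        Q = mul(Q, Q, "sqr")
        Q = mul(Q, A) if (e >> (i - 1)) & 1 else mul(Q, R[1])
    A = mul(B, Q)

    # Step 106: the steps above produced g^(d-1); one more multiplication gives g^d.
    return mul(A, g % q)


def op_sequence(d: int, w: int) -> Tuple[str, ...]:
    """Kinds of modular operations executed for exponent d and window w.

    The sequence depends only on w and on the digit length l of d, not on the
    digit values, which is the page's SPA argument. Base and modulus are
    constructed small values; they do not influence the sequence.
    """
    trace: List[str] = []
    modexp_regular(2, d, 97, w, trace)
    return tuple(trace)


if __name__ == "__main__":
    # Constructed sanity check against Python's built-in pow().
    print(modexp_regular(3, 0x1234567, 1000003, 4) == pow(3, 0x1234567, 1000003))
    # Two exponents with the same number of base-4 digits give identical traces.
    print(op_sequence(182, 2) == op_sequence(193, 2))
```

Which R_i is updated in step 104 and which operand is chosen in steps 10542 and 10543 still depend on the secret digit, so a constant-time implementation must also avoid secret-dependent memory addressing and use a constant-time select for those choices.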
The present invention also discloses a computer-readable storage medium having stored thereon a program for performing modular exponentiation, which when executed by a processor implements the steps of the method for performing modular exponentiation as described in any of the above.
As shown in fig. 2, an apparatus for performing modular exponentiation according to the present invention includes an obtaining unit 201, an encoding unit 202, and a calculating unit 203, wherein:
the acquiring unit 201 is configured to acquire a base number g, an exponent d, a modulus q, and a window w, output values of the exponent d and the window w to the encoding unit 202, and output the base number g, the modulus q, and the window w to the calculating unit 203;
the encoding unit 202 is configured to express the exponent d in m-ary representation d = Σ_{i=0}^{l-1} d_i·m^i, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, and to output the values of d_i, l and m to the calculating unit 203;
the calculating unit 203 is configured to allocate space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and to assign the base g to a result variable A; for i = 0 to l-2, to cyclically assign the product of the precomputed variable [formula missing] and the result variable A to [formula missing], and to assign A^m to the result variable A; to assign [formula missing] to the result variable A, where · is the multiplication sign and ∏ is the product operator; and to assign the product of the result variable A and the base g to the result variable A.
assigning the precomputed variable R_m to a first intermediate variable B;
for i = m-1 down to 2, cyclically assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to the first intermediate variable B;
assigning the product of the precomputed variables R_1 and R_2 to R_1;
assigning the product of the result variable A and the precomputed variable R_1 to A;
detecting whether (d_{l-1}-1) >> (w-1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q, and if false, assigning the precomputed variable R_1 to the second intermediate variable Q;
for i = w-1 down to 1, cyclically assigning the square Q² of the second intermediate variable Q to Q and detecting whether (d_{l-1}-1) >> (i-1) is true; if true, assigning the product of the second intermediate variable Q and A to Q, and if false, assigning the product of the second intermediate variable Q and the precomputed variable R_1 to Q;
and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
The SM9 algorithm involves operations such as bilinear pairings, scalar multiplication on elliptic curves (over the prime field and its degree-2 extension field) and modular exponentiation over the degree-12 extension field. The core idea of the invention's SPA resistance is that, when the modular exponentiation over the degree-12 extension field is implemented, the conditional branches (if-statements) in the modular exponentiation process are eliminated: in every step of the calculation one modular squaring and one modular multiplication are performed, so SPA attacks can be completely resisted. The core idea of its FA resistance is that, when the modular exponentiation over the degree-12 extension field is implemented, dummy operations are eliminated from the modular exponentiation process; since the whole operation contains no dummy operation, FA resistance is achieved, security is higher, and an attacker cannot deduce any single bit of the strictly secret exponent from the execution of the extension-field modular exponentiation. The invention overcomes the defect that the power consumption curve can be analysed for information related to the exponent during modular exponentiation, has stronger resistance to SPA and FA attacks, and, by setting the size of the window w, achieves a higher calculation speed, so it is suitable for both software and hardware implementation.
It will be understood by those skilled in the art that all or part of the steps of the above methods may be implemented by instructing the relevant hardware through a program, and the program may be stored in a computer readable storage medium, such as a read-only memory, a magnetic or optical disk, and the like. Alternatively, all or part of the steps of the foregoing embodiments may also be implemented by using one or more integrated circuits, and accordingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, and may also be implemented in the form of a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (3)
1. A method for performing modular exponentiation in a public key cryptosystem, comprising:
obtaining a base g, an exponent d, a modulus q and a window w;
expressing the exponent d in m-ary representation d = Σ_{i=0}^{l-1} d_i·m^i, where 0 ≤ d_i < m, m = 2^w, d_{l-1} ≠ 0, and l is the number of digits of the m-ary number converted from the exponent d;
allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A;
for i = 0 to l-2, cyclically assigning the product of the precomputed variable [formula missing] and the result variable A to [formula missing], and assigning A^m to the result variable A; assigning [formula missing] to the result variable A, where · is the multiplication sign and ∏ is the product operator;
assigning the product of the result variable A and the base g to the result variable A;
wherein assigning [formula missing] to the result variable A specifically comprises: assigning the precomputed variable R_m to a first intermediate variable B; for i = m-1 down to 2, cyclically assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to the first intermediate variable B; assigning the product of the precomputed variables R_1 and R_2 to R_1; assigning [formula missing] to the result variable A;
wherein assigning [formula missing] to the result variable A specifically comprises: assigning the product of the result variable A and the precomputed variable R_1 to A; detecting whether (d_{l-1}-1) >> (w-1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q, and if false, assigning the precomputed variable R_1 to the second intermediate variable Q; for i = w-1 down to 1, cyclically assigning the square Q² of the second intermediate variable Q to Q and detecting whether (d_{l-1}-1) >> (i-1) is true; if true, assigning the product of the second intermediate variable Q and A to Q, and if false, assigning the product of the second intermediate variable Q and the precomputed variable R_1 to Q; and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
2. A computer-readable storage medium having stored thereon a program for performing a modular exponentiation which, when executed by a processor, implements the steps of the method for performing a modular exponentiation as claimed in claim 1.
3. An apparatus for performing a modular exponentiation, comprising an obtaining unit, an encoding unit, and a calculating unit, wherein:
the obtaining unit is used for obtaining the base g, the exponent d, the modulus q and the window w, outputting the values of the exponent d and the window w to the encoding unit, and outputting the base g, the modulus q and the window w to the calculating unit;
the encoding unit is used for expressing the exponent d in m-ary representation d = Σ_{i=0}^{l-1} d_i·m^i, where 0 ≤ d_i < m, m = 2^w, d_{l-1} ≠ 0, and l is the number of digits of the m-ary number into which the exponent d is converted, and for outputting the values of d_i, l and m to the calculating unit;
the calculating unit is used for allocating space for the precomputed variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, …, m, and assigning the base g to a result variable A; for i = 0 to l-2, cyclically assigning the product of the precomputed variable [formula missing] and the result variable A to [formula missing], and assigning A^m to the result variable A; assigning [formula missing] to the result variable A, where · is the multiplication sign and ∏ is the product operator; and assigning the product of the result variable A and the base g to the result variable A;
assigning the precomputed variable R_m to a first intermediate variable B;
for i = m-1 down to 2, cyclically assigning the product of the precomputed variables R_i and R_{i+1} to R_i, and assigning the product of the first intermediate variable B and the precomputed variable R_i to the first intermediate variable B;
assigning the product of the precomputed variables R_1 and R_2 to R_1;
assigning the product of the result variable A and the precomputed variable R_1 to A;
detecting whether (d_{l-1}-1) >> (w-1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q, and if false, assigning the precomputed variable R_1 to the second intermediate variable Q;
for i = w-1 down to 1, cyclically assigning the square Q² of the second intermediate variable Q to Q and detecting whether (d_{l-1}-1) >> (i-1) is true; if true, assigning the product of the second intermediate variable Q and A to Q, and if false, assigning the product of the second intermediate variable Q and the precomputed variable R_1 to Q;
and assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710942868.7A CN107896142B (en) | 2017-10-11 | 2017-10-11 | Method and device for executing modular exponentiation and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107896142A CN107896142A (en) | 2018-04-10 |
CN107896142B true CN107896142B (en) | 2021-04-13 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |