CN108322308B - Hardware implementation system of digital signature algorithm for identity authentication - Google Patents

Hardware implementation system of digital signature algorithm for identity authentication Download PDF

Info

Publication number
CN108322308B
CN108322308B CN201711335280.1A CN201711335280A CN108322308B CN 108322308 B CN108322308 B CN 108322308B CN 201711335280 A CN201711335280 A CN 201711335280A CN 108322308 B CN108322308 B CN 108322308B
Authority
CN
China
Prior art keywords
module
control module
algorithm
operation control
storage space
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711335280.1A
Other languages
Chinese (zh)
Other versions
CN108322308A (en
Inventor
付彦淇
何全
鲁毅
王晓璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Jinhang Computing Technology Research Institute
Original Assignee
Tianjin Jinhang Computing Technology Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin Jinhang Computing Technology Research Institute filed Critical Tianjin Jinhang Computing Technology Research Institute
Priority to CN201711335280.1A priority Critical patent/CN108322308B/en
Publication of CN108322308A publication Critical patent/CN108322308A/en
Application granted granted Critical
Publication of CN108322308B publication Critical patent/CN108322308B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a hardware implementation system of a digital signature algorithm for identity authentication, which comprises a bus input interface, a bus output interface, an information input module, an algorithm auxiliary module, a hash operation module, an algorithm control module, a double-point operation control module, a modular exponentiation operation control module, a result checking module, a control register module, a state query module and a data storage space module, wherein the hash operation module is used for carrying out hash operation on a data storage space; the bus input interface is respectively connected with the information input module and the control register module; the information input module is connected with the algorithm auxiliary module; the algorithm auxiliary module is connected with the hash operation module; the hash operation module is connected with the algorithm control module; the algorithm control module is respectively connected with the multiple point operation control module and the modular exponentiation operation control module; the point doubling operation control module is connected with the modular exponentiation operation control module; the modular exponentiation operation control module is connected with the result checking module; the bus output interface is respectively connected with the result checking module and the state query module.

Description

Hardware implementation system of digital signature algorithm for identity authentication
Technical Field
The invention belongs to the field of information security, and particularly relates to a hardware implementation system of a digital signature algorithm for identity authentication.
Background
With the continuous popularization of internet application, the importance of information security is increasing day by day, and particularly, in aspects of mobile payment, internet banking, internet shopping, mobile phone mailboxes, mobile phone stock markets and the like in daily life, the security processing process of identity identification is involved, and the identity authentication technology becomes the core and the foundation of the information security field.
At present, a digital signature algorithm of a public key cryptosystem is widely applied to identity recognition in various fields as one of the most secure known identity authentication processing modes. In 12 months in 2010, the national cryptology authority issues 'SM 2 elliptic curve public key cryptographic algorithm' (hereinafter 'algorithm') with national independent intellectual property, and a set of complete digital signature algorithm is specified to meet the needs of identity authentication scenes in various cryptographic applications.
Disclosure of Invention
Aiming at the defects of the prior art, the invention aims to solve the technical problem of providing a hardware implementation system of a digital signature algorithm for identity authentication.
The invention provides a hardware realization system of digital signature algorithm for identity authentication, which is characterized in that the system comprises a bus input interface, a bus output interface, an information input module, an algorithm auxiliary module, a hash operation module, an algorithm control module, a double-point operation control module, a modular exponentiation operation control module, a result checking module, a control register module, a state query module and a data storage space module;
the bus input interface is respectively connected with the information input module and the control register module; the information input module is connected with the algorithm auxiliary module; the algorithm auxiliary module is connected with the hash operation module; the hash operation module is connected with the algorithm control module; the algorithm control module is respectively connected with the multiple point operation control module and the modular exponentiation operation control module; the multiple point operation control module is connected with the modular exponentiation operation control module; the modular exponentiation operation control module is connected with the result checking module; the bus output interface is respectively connected with the result checking module and the state query module; the data storage space module is respectively connected with the information input module, the algorithm auxiliary module, the hash operation module, the multiple point operation control module and the modular exponentiation operation control module.
Compared with the prior art, the invention has the beneficial effects that:
1. the system can complete the identity authentication function, meet the digital signature generation function and the digital signature verification function of the 'algorithm' standard, meet the application requirement of identity authentication and realize the identity information (the maximum is 2)631 bit) to carry out digital signature and verify signature information, and the system is more safe and faster in operation in a full hardware implementation mode than other software implementation modes;
2. the system integrates digital signature generation and digital signature verification algorithms in the algorithm specification, two independent algorithms in the algorithm specification are subjected to hardware logic sharing and scheduling flow integration, hardware logic is shared to the maximum extent, hardware consumption is effectively reduced, operation flows are unified, hardware resources and time consumption of the algorithms are saved, and implementation cost is reduced;
3. the system supports an AHB bus protocol and supports an SoC architecture of a security system. The standard AHB bus interface can enable the system to be used as a digital IP soft core form and flexibly integrated into various SoC chips or FPGA designs, and meanwhile, the system can support a security architecture system similar to a Trust Zone technology through an active reading and writing mechanism of sensitive data, so that the system has wide applicability.
4. The hardware structure of the invention meets the digital signature algorithm specifications of section 2.6 and section 2.7 in Algorithm. Identity information or signature information is processed according to a cryptographic hash function specified in section 2.5.4.2, a random number is generated according to a random number generator specified in section 2.5.4.3, a curve point is generated by using elliptic curve multiple point operation specified in section 1.A.3, modular inverse operation is completed by using exponential operation in section 1.B.1.1 and inverse operation in section 1.B.1.2, and an operation process is optimized by using Jacobian weighted projective coordinate system specified in section 1.A.2.2.3.2, so that the signature of the identity information and the authentication of the signature information are realized. The hardware structure optimizes the digital signature algorithm specifications of sections 2.6.1 and 2.7.1 in the algorithm, common sub-algorithms such as cryptographic hash operation, multiple point operation, exponential operation, inverse operation, coordinate system conversion operation and the like in the digital signature generation and digital signature verification algorithm are extracted as common logic, the calling flow of a state machine is optimized, two algorithms share one set of operation logic to the maximum extent, and hardware consumption is effectively reduced.
Drawings
FIG. 1 is a schematic block diagram illustrating the overall structural connection of one embodiment of a hardware implementation system of the digital signature algorithm for identity authentication of the present invention;
Detailed Description
Specific examples of the present invention are given below. The specific examples are only intended to illustrate the invention in further detail and do not limit the scope of protection of the claims of the present application.
The invention has provided a hardware used for digital signature algorithm of the identity authentication to realize the system (refer to fig. 1, system for short), characterized by that the system includes the bus input interface, bus output interface, information input module 1, algorithm auxiliary module 2, hash operation module 3, algorithm control module 4, double-point operation control module 5, modular exponentiation operation control module 6, result check module 7, control register module 8, state inquiry module 9 and data storage space module 10;
the bus input interface is respectively connected with the information input module 1 and the control register module 8; the information input module 1 is connected with the algorithm auxiliary module 2; the algorithm auxiliary module 2 is connected with the hash operation module 3; the hash operation module 3 is connected with the algorithm control module 4; the algorithm control module 4 is respectively connected with a multiple point operation control module 5 and a modular exponentiation operation control module 6; the multiple point operation control module 5 is connected with the modular exponentiation operation control module 6; the modular exponentiation control module 6 is connected with the result checking module 7; the bus output interface is respectively connected with the result checking module 7 and the state query module 9; the data storage space module 10 is respectively connected with the information input module 1, the algorithm auxiliary module 2, the hash operation module 3, the multiple point operation control module 5 and the modular exponentiation operation control module 6.
The information input module 1 actively acquires identity information in a signature generation algorithm or signature information in a signature verification algorithm through a bus input interface, and stores the acquired information into the data storage space module 10;
the algorithm auxiliary module 2 generates a random number in a signature generation algorithm and stores the generated random number in the data storage space module 10; carrying out boundary check of the signature information in a signature verification algorithm;
the hash operation module 3 performs expansion and hash operation on the information acquired by the information input module 1, and stores the operation result into the data storage space module 10;
the algorithm control module 4 is used for managing the scheduling of the multiple point operation control module 5, the modular exponentiation operation control module 6 and the result checking module 7, and realizing the maximum multiplexing operation logic of a signature generation algorithm and a signature verification algorithm;
the multiple point operation control module 5 realizes the multiple point operation according to the multiple point operation regulation in the algorithm and the regulation of a Jacobian coordinate system, the basic big number addition and the big number multiplication are realized by self-definition, and the basic operation control unit calls the operation and writes the cache data and the operation result into the data storage space;
the modular exponentiation control module 6 is implemented by using a Montgomery modular exponentiation calculation method (including four sub-algorithm operations of Montgomery advancing domain, Montgomery modular multiplication, Montgomery modular exponentiation and Montgomery receding domain) according to exponential operation and inverse operation in the finite field of the Algorithm, and writes the cached data and the operation result into the data storage space module 10;
the result checking module 7 checks whether the generated signature information is legal in the signature generation algorithm; checking whether the generated verification information is legal or not in a signature verification algorithm; and outputting the legal operation result to the bus.
The control register module 8 and the status query module 9 are responsible for command interaction with the outside. The status query module 9 may provide the real-time status of the system to the external system through the bus output interface.
The data storage space module 10 is an independent space inside the system and is not accessible from the outside.
The hardware implementation system of the digital signature algorithm for identity authentication of the invention has the working principle and the working process that:
signature generation algorithm process:
step 1, a control register module 8 receives a signature generation task configured by a bus input interface, and then starts signature generation operation;
step 2, the information input module 1 actively acquires the identity information to be signed through a bus input interface and stores the acquired information into the data storage space module 10;
step 3, the algorithm auxiliary module 2 generates a random number and stores the generated random number into the data storage space module 10;
step 4, the hash operation module 3 reads the identity information in the data storage space module 10, performs hash operation, and then stores the operation result in the data storage space module 10;
step 5, the algorithm control module 4 sequentially schedules according to the sequence of the multiple operation control module 5, the modular exponentiation control module 6, the result check module 7, the modular exponentiation control module 6 and the result check module 7; the point doubling operation control module 5 and the modular exponentiation operation control module 6 read the data stored in the data storage space module 10 in the steps 2-4 in the operation process and store the calculation result into the data storage space module 10; the result checking module 7 will check whether the generated signature information is legal, if so, the result data will be sent out through the bus output interface, otherwise, the algorithm control module 4 will be informed to start the recalculation from step 3.
Signature verification algorithm process:
step 1, a control register module 8 receives a signature verification task configured by a bus input interface and then starts signature verification operation;
step 2, the information input module 1 actively acquires the signature information to be verified through a bus input interface and stores the acquired information into the data storage space module 10;
step 3, the algorithm auxiliary module 2 reads the signature information in the data storage space module 10 and carries out boundary check on the signature information;
step 4, the hash operation module 3 reads the identity information in the data storage space module 10, performs hash operation, and then stores the operation result in the data storage space module 10;
step 5, the algorithm control module 4 sequentially schedules according to the order of the modular exponentiation control module 6, the result check module 7, the multiple point operation control module 5, the operation control module 6 and the result check module 7; the point doubling operation control module 5 and the modular exponentiation operation control module 6 read the data stored in the data storage space module 10 in the steps 2-4 in the operation process and store the calculation result into the data storage space module 10; the result checking module 7 checks whether the generated verification information is legal, if so, the signature verification result is sent out through the bus output interface, otherwise, a signature verification failure signal is sent out through the bus output interface.
Nothing in this specification is said to apply to the prior art.

Claims (2)

1.A hardware realization system of digital signature algorithm for identity authentication is characterized in that the system comprises a bus input interface, a bus output interface, an information input module, an algorithm auxiliary module, a hash operation module, an algorithm control module, a double-point operation control module, a modular exponentiation operation control module, a result check module, a control register module, a state query module and a data storage space module;
the bus input interface is respectively connected with the information input module and the control register module; the information input module is connected with the algorithm auxiliary module; the algorithm auxiliary module is connected with the hash operation module; the hash operation module is connected with the algorithm control module; the algorithm control module is respectively connected with the multiple point operation control module and the modular exponentiation operation control module; the multiple point operation control module is connected with the modular exponentiation operation control module; the modular exponentiation operation control module is connected with the result checking module; the bus output interface is respectively connected with the result checking module and the state query module; the data storage space module is respectively connected with the information input module, the algorithm auxiliary module, the hash operation module, the multiple point operation control module and the modular exponentiation operation control module.
The system performs a signature generation algorithm by the following steps:
step 1, a control register module receives a signature generation task configured by a bus input interface, and then starts signature generation operation;
step 2, the information input module actively acquires the identity information to be signed through a bus input interface and stores the acquired information into a data storage space module;
step 3, the algorithm auxiliary module generates random numbers and stores the generated random numbers into the data storage space module;
step 4, the hash operation module reads the identity information in the data storage space module, carries out hash operation and then stores the operation result in the data storage space module;
step 5, the algorithm control module carries out scheduling in sequence according to the order of the multiple operation control module, the modular exponentiation operation control module, the result checking module, the modular exponentiation operation control module and the result checking module; the point multiplication operation control module and the modular exponentiation operation control module read the data stored in the data storage space module in the step 2-4 in the operation process and store the calculation result into the data storage space module; and the result checking module checks whether the generated signature information is legal or not, if so, the result data is sent out through the bus output interface, and otherwise, the algorithm control module is informed to recalculate from the step 3.
2. The hardware-implemented system of digital signature algorithm for identity authentication as claimed in claim 1, wherein the process of the system to perform signature verification algorithm is:
step s1, the control register module receives the signature verification task configured by the bus input interface, and then starts the signature verification operation;
step s2, the information input module actively acquires the signature information to be verified through the bus input interface, and stores the acquired information into the data storage space module;
step s3, the algorithm auxiliary module reads the signature information in the data storage space module and carries out boundary check on the signature information;
step s4, the hash operation module reads the identity information in the data storage space module, and performs hash operation, and then stores the operation result in the data storage space module;
step s5, the algorithm control module carries out scheduling in sequence according to the order of the modular exponentiation operation control module, the result check module, the multiple point operation control module, the operation control module and the result check module; the point multiplication operation control module and the modular exponentiation operation control module read the data stored in the data storage space module in the steps s2-s4 in the operation process and store the calculation result in the data storage space module; the result checking module checks whether the generated verification information is legal, if so, the signature verification result is sent out through the bus output interface, otherwise, a signature verification failure signal is sent out through the bus output interface.
CN201711335280.1A 2017-12-14 2017-12-14 Hardware implementation system of digital signature algorithm for identity authentication Active CN108322308B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711335280.1A CN108322308B (en) 2017-12-14 2017-12-14 Hardware implementation system of digital signature algorithm for identity authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711335280.1A CN108322308B (en) 2017-12-14 2017-12-14 Hardware implementation system of digital signature algorithm for identity authentication

Publications (2)

Publication Number Publication Date
CN108322308A CN108322308A (en) 2018-07-24
CN108322308B true CN108322308B (en) 2021-01-12

Family

ID=62892486

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711335280.1A Active CN108322308B (en) 2017-12-14 2017-12-14 Hardware implementation system of digital signature algorithm for identity authentication

Country Status (1)

Country Link
CN (1) CN108322308B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113193962B (en) * 2021-04-30 2022-08-30 安徽师范大学 SM2 digital signature generation and verifier based on lightweight modular multiplication

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7685436B2 (en) * 2003-10-02 2010-03-23 Itt Manufacturing Enterprises, Inc. System and method for a secure I/O interface
CN102761413A (en) * 2011-04-27 2012-10-31 航天信息股份有限公司 Implementation system of p-element domain SM2 elliptic curve public key cryptographic algorithm
CN103049710A (en) * 2012-12-13 2013-04-17 国家广播电影电视总局广播科学研究院 Field-programmable gate array (FPGA) chip for SM2 digital signature verification algorithm
CN106549769A (en) * 2016-12-08 2017-03-29 广东工业大学 SM2 ellipse curve signatures system under a kind of prime field Fp

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102737270B (en) * 2011-04-15 2015-11-18 航天信息股份有限公司 A kind of bank intelligent card chip secure coprocessor based on domestic algorithm
US10042776B2 (en) * 2012-11-20 2018-08-07 Arm Limited Prefetching based upon return addresses
CN104202161B (en) * 2014-08-06 2018-05-04 广东电网公司电力科学研究院 A kind of SoC crypto chips
CN104503730A (en) * 2014-10-24 2015-04-08 山东华芯半导体有限公司 Instruction-based large-number point addition and point multiplication operation circuit and realization method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7685436B2 (en) * 2003-10-02 2010-03-23 Itt Manufacturing Enterprises, Inc. System and method for a secure I/O interface
CN102761413A (en) * 2011-04-27 2012-10-31 航天信息股份有限公司 Implementation system of p-element domain SM2 elliptic curve public key cryptographic algorithm
CN103049710A (en) * 2012-12-13 2013-04-17 国家广播电影电视总局广播科学研究院 Field-programmable gate array (FPGA) chip for SM2 digital signature verification algorithm
CN106549769A (en) * 2016-12-08 2017-03-29 广东工业大学 SM2 ellipse curve signatures system under a kind of prime field Fp

Also Published As

Publication number Publication date
CN108322308A (en) 2018-07-24

Similar Documents

Publication Publication Date Title
EP3591510B1 (en) Method and device for writing service data in block chain system
JP5969048B2 (en) System and method for key management of issuer security domain using global platform specification
CN110100422B (en) Data writing method and device based on block chain intelligent contract and storage medium
CN110689349B (en) Transaction hash value storage and searching method and device in blockchain
CN100454321C (en) USB device with data memory and intelligent secret key and control method thereof
CN109726598A (en) Embedded-type security encryption chip based on Cloud Server
CN108345806A (en) A kind of hardware encryption card and encryption method
CN108075882A (en) Cipher card and its encipher-decipher method
US11520905B2 (en) Smart data protection
CN102737270B (en) A kind of bank intelligent card chip secure coprocessor based on domestic algorithm
US20160062920A1 (en) Address-dependent key generation with a substitution-permutation network
US20210319117A1 (en) Secure asset management system
CN112100673A (en) Federal learning accelerator and RSA intersection calculation method for privacy calculation
CN109344664A (en) A kind of cipher card and its encryption method that based on FPGA data are carried out with algorithm process
CN112367155A (en) FPGA-based ZUC encryption system IP core construction method
CN104463020A (en) Method for protecting data integrity of memory
WO2022041902A1 (en) Data processing method and apparatus
CN108322308B (en) Hardware implementation system of digital signature algorithm for identity authentication
CN114417374A (en) Intelligent contract business card method, device, equipment and storage medium based on block chain
CN113572613A (en) Message protection system and message protection method
CN116166402B (en) Data security processing method, system, security chip and electronic equipment
CN110830428A (en) Block chain financial big data processing method and system
CN115348363A (en) Encryption/decryption chip, method, equipment and medium based on state cryptographic algorithm
CN105094746A (en) Method for achieving point addition/point doubling of elliptic curve cryptography
US20200382297A1 (en) Key registration transparency for secure messaging

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant