CN108964914A - The SM2 dot product framework of preventing side-channel attack - Google Patents
- Publication number: CN108964914A (application CN201710348996.9A)
- Authority: CN (China)
- Legal status: Granted
- Classifications:
- H04L9/002: Countermeasures against attacks on cryptographic mechanisms
- H04L9/3066: Public key cryptography involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
Abstract
The invention discloses an SM2 point multiplication architecture that resists side-channel attacks. The scheme modifies the NAF(k) scalar multiplication algorithm by adding redundant operations, so that the algorithm resists simple power analysis; it randomizes the base point coordinates, so that a different base point representation takes part in every computation, which resists differential power analysis; and it adds a point validation module, which gives the architecture its defence against fault analysis attacks.
Description
Technical field
The present invention relates to the field of applied cryptography, and in particular to an SM2 point multiplication architecture that resists side-channel attacks.
Background technique
The SM2 algorithm is an elliptic curve public key cryptographic algorithm with independent intellectual property rights, published by the State Cryptography Administration of China in December 2010. With the continuing development of cryptographic and computing technology, the currently used 1024-bit public key algorithm RSA faces serious threats. A longer key, such as 2048 bits, can of course be used, but in a hardware implementation this causes area and power consumption to grow exponentially. Compared with RSA, SM2 needs a shorter key for the same security strength and is simpler to implement in hardware. The short key length gives SM2 designs and implementations advantages such as low bandwidth requirements, small storage space and high operating speed. In China, SM2 is used to replace RSA. The SM2 cryptosystem is secure in theory, but during implementation a cryptanalysis technique that has emerged in recent years must be taken into account: side-channel attacks. A side-channel attack exploits the information that a cryptosystem leaks, correctly or incorrectly, while it executes.
A field programmable gate array (FPGA) offers powerful design tools that shorten the development cycle, provides abundant on-chip resources, processes data in parallel, makes pipelined structures easy to implement, improves design flexibility, is convenient to upgrade and reduces design cost. Because of these advantages, implementing the SM2 point multiplication architecture on a fast, highly parallel FPGA chip has become a trend.
Traditional SM2 point multiplication architectures aim at a fast implementation and do not take side-channel attacks into account. At the top level of the point multiplication, the left-to-right binary method or the sliding-window NAF algorithm is usually used to compute the scalar product. Both algorithms, however, contain obvious conditional branches, and simple power analysis can recover the secret integer k from them. This makes it easy for an attacker to forge signatures, negotiate keys, decrypt ciphertext and carry out a series of similar operations.
The paper "Ultra High-speed SM2 ASIC Implementation" by Zhao et al. [1] proposes an SM2 point multiplication architecture based on a full-precision multiplier, using a two-level pipeline to increase the speed of the point multiplication. The scheme, however, focuses only on a fast implementation of the architecture and has no protection against any side-channel attack. Using SPA, an attacker can observe the power trace of the point multiplication kP, distinguish point additions from point doublings, and thus learn whether a point addition is executed in each iteration, from which the attacker deduces whether the NAF(k) digit of that iteration is 0. Likewise, an attacker can attack the architecture with DPA and FAA and obtain information about the key k by analysis.
The paper "Ultra high-performance ASIC implementation of SM2 with power-analysis resistance" by Zhang Dan et al. [2] proposes a point multiplication architecture based on the Montgomery ladder; it modifies the Montgomery ladder scalar multiplication algorithm to resist simple power analysis, and adds random periods to the algorithm to resist differential power analysis. However, the improved Montgomery ladder scalar multiplication uses register value swap operations, and the paper "On Power-Analysis Resistant Hardware Implementations of ECC-Based Cryptosystems" [3] proposes an attack on register value swap operations, so the published scheme cannot resist SPA. Moreover, the published architecture does not consider another major class of side-channel attack: fault analysis attacks (FAA). An attacker can inject faults into the processor running the architecture, obtain erroneous outputs, and analyse those erroneous outputs to obtain information about the key k.
In short, current papers and designs all focus on the high-speed computation of the SM2 point multiplication architecture and lack defences against side-channel attacks. If side-channel attacks are not thoroughly prevented, the designed cryptographic chip may be attacked successfully, and the design loses its practical meaning. Achieving comprehensive and efficient resistance to side-channel attacks while preserving the high-speed computation of the SM2 point multiplication architecture has become a trend, and it also gives the implementation of the SM2 point multiplication architecture more practical meaning.
Summary of the invention
The object of the present invention is to provide an SM2 point multiplication architecture that resists side-channel attacks, runs at high speed and resists side-channel attacks comprehensively.
The object of the present invention is achieved through the following technical solution:
An SM2 point multiplication architecture that resists side-channel attacks, comprising: a ROM module, a main control module, a NAF point multiplication module, a point validation module, a coordinate system conversion module and an output module; wherein:
The main control module controls and coordinates the data transfer between the NAF point multiplication module, the ROM module, the point validation module and the coordinate system conversion module, and controls the output module to output the result;
The ROM module stores a counter value, M groups of randomized base point coordinates and the SM2 elliptic curve parameters. Each time the NAF point multiplication module reads one randomized base point coordinate, the counter value is incremented by 1, and the next point multiplication reads the base point coordinate of the group indexed by the counter;
The NAF point multiplication module reads the successfully validated randomized base point coordinate from the ROM module and the key from the data bus, and performs the point multiplication on these two inputs in Jacobian coordinates;
The point validation module verifies whether the randomized base point coordinate in the ROM module and the point multiplication result of the NAF point multiplication module lie on the SM2 elliptic curve;
The coordinate system conversion module converts the point multiplication result from Jacobian coordinates to affine coordinates when the validation of the NAF point multiplication module's result succeeds;
The output module outputs an error flag when the validation of the randomized base point coordinate in the ROM module, or of the point multiplication result, fails; outputs a correct flag when the validation of the randomized base point coordinate in the ROM module succeeds; and outputs the conversion result of the coordinate system conversion module when the validation of the point multiplication result succeeds.
The point validation module includes:
A first point validation module which, after receiving the enable signal sent by the main control module, reads the randomized base point coordinate (X, Y, Z) and the SM2 elliptic curve parameter b from the ROM module, validates the randomized base point coordinate and judges whether the point lies on the SM2 elliptic curve; the judgment formula is
Y² + 3XZ² = X³ + bZ⁶;
If the equation does not hold, the randomized base point coordinate or the parameter b is considered to have been tampered with; the point validation module outputs result signal 0 when its ready signal is 1, and the operation terminates;
If the equation holds, the randomized base point coordinate and the parameter b are considered correct; the point validation module outputs result signal 1 when its ready signal is 1, indicating successful validation.
The NAF point multiplication module reads the successfully validated randomized base point coordinate (Xi, Yi, Zi) and the key k, and outputs the point multiplication result kP = (Xo, Yo, Zo) in Jacobian coordinates;
The NAF point multiplication module includes a point addition module and a point doubling module. The point addition module adds the base point P, in affine coordinates, to the point Q in Jacobian coordinates; the point doubling module computes 2Q in Jacobian coordinates. The point multiplication result kP = (Xo, Yo, Zo) is computed by calling the point addition module and the point doubling module iteratively.
The point multiplication proceeds as follows:
Compute the number N of leading zeros of Z = 3k with a leading-zero algorithm, and assign the base point coordinate (Xi, Yi, Zi) to the point Q; start the loop:
Call the point doubling module to compute Q = 2Q; if N = 258, output Q = kP directly; otherwise go to the next step;
Judgment 1: Z[257-N] = 1 and k[255-N] = 0. If judgment 1 holds, perform a point addition Q = Q + P with the point addition module, set N = N + 1 and return to the start of the loop;
If judgment 1 does not hold, Judgment 2: Z[257-N] = 0 and k[255-N] = 1. If judgment 2 holds, perform a point addition Q = Q - P with the point addition module, set N = N + 1 and return to the start of the loop;
If judgment 2 does not hold, perform the redundant point addition T = Q + P, set N = N + 1 and return to the start of the loop.
The point validation module further includes:
A second point validation module which validates the point multiplication result kP = (Xo, Yo, Zo) of the NAF point multiplication module and judges whether the point lies on the SM2 elliptic curve; the judgment formula is as follows: …, in which b is the SM2 elliptic curve parameter;
If the equation does not hold, the point multiplication of the NAF point multiplication module is considered erroneous; the point validation module outputs result signal 0 when its ready signal is 1, and the operation terminates;
If the equation holds, the point multiplication of the NAF point multiplication module is considered correct; the point validation module outputs result signal 1 when its ready signal is 1, indicating successful validation.
Converting the point multiplication result from Jacobian coordinates to affine coordinates includes:
Reading the successfully validated point multiplication result kP = (Xo, Yo, Zo) of the NAF point multiplication module;
Calling the modular multiplication algorithm to compute …, where p is the prime defining the SM2 elliptic curve and mod denotes the modulo operation;
Calling the modular multiplication algorithm to compute …, while calling the modular inversion algorithm to compute …;
Calling the modular inversion algorithm to compute …;
Calling the modular multiplication algorithm to compute … separately;
Outputting the converted coordinates x, y in affine coordinates.
Outputting the error flag by the output module includes: the output module drives Ready high and sets the outputs x_o[255:0] and y_o[255:0] entirely to zero.
As can be seen from the technical solution provided by the invention, the NAF(k) scalar multiplication algorithm is modified by adding redundant operations, so that the algorithm resists simple power analysis; the base point coordinates are randomized, so that a different base point representation takes part in every computation, which resists differential power analysis; and a point validation module is added, which gives the architecture its defence against fault analysis attacks. The main advantages of the scheme are:
1) There is a corresponding countermeasure for almost every existing type of side-channel attack, truly achieving comprehensive resistance to side-channel attacks.
2) Compared with a traditional implementation, no additional resources are occupied. The redundant operations and the point validation module are both realized by calling existing modules through the pipeline.
3) Scalability is high: the scheme provides a standard interface, which is convenient to call when implementing the SM2 public key cryptosystem.
4) The operating speed is high: the scheme uses a two-stage pipeline in which multiplication, modular reduction and modular addition/subtraction execute in parallel, and it chooses to compute the point multiplication result in Jacobian coordinates so that the very time-consuming modular inversion is called as rarely as possible: a single modular inversion is called only when converting from Jacobian to affine coordinates.
Detailed description of the invention
In order to explain the technical solution of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the structural diagram of the SM2 point multiplication architecture resisting side-channel attacks provided in an embodiment of the present invention;
Fig. 2 is the work flow diagram of the SM2 point multiplication architecture provided in an embodiment of the present invention;
Fig. 3 is the state machine diagram of the SM2 point multiplication architecture provided in an embodiment of the present invention;
Fig. 4 is the work flow diagram of the NAF point multiplication module provided in an embodiment of the present invention;
Fig. 5 is the work flow diagram of the point validation module provided in an embodiment of the present invention;
Fig. 6 is the work flow diagram of the coordinate system conversion module provided in an embodiment of the present invention.
Specific embodiment
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the present invention.
The embodiment of the present invention takes comprehensive resistance of the SM2 algorithm to side-channel attacks as its starting point. It adopts a set of measures against simple power analysis (SPA), differential power analysis (DPA) and fault analysis attacks (FAA), and optimizes the algorithm and circuit design of the point multiplication at both the finite field layer and the elliptic curve operation layer, thereby proposing an SM2 point multiplication architecture that runs at high speed and comprehensively resists side-channel attacks.
As shown in Figure 1, the SM2 point multiplication architecture resisting side-channel attacks provided in an embodiment of the present invention comprises: a ROM module, a main control module, a NAF point multiplication module, a point validation module, a coordinate system conversion module and an output module; wherein:
The main control module controls and coordinates the data transfer between the NAF point multiplication module, the ROM module, the point validation module and the coordinate system conversion module, and controls the output module to output the result;
The ROM module stores a counter value, M groups of randomized base point coordinates and the SM2 elliptic curve parameters. Each time the NAF point multiplication module reads one randomized base point coordinate, the counter value is incremented by 1, and the next point multiplication reads the base point coordinate of the group indexed by the counter;
The NAF point multiplication module reads the successfully validated randomized base point coordinate from the ROM module and the key from the data bus, and performs the point multiplication on these two inputs in Jacobian coordinates;
The point validation module verifies whether the randomized base point coordinate in the ROM module and the point multiplication result of the NAF point multiplication module lie on the SM2 elliptic curve;
The coordinate system conversion module converts the point multiplication result from Jacobian coordinates to affine coordinates when the validation of the NAF point multiplication module's result succeeds;
The output module outputs an error flag when the validation of the randomized base point coordinate in the ROM module, or of the point multiplication result, fails; outputs a correct flag when the validation of the randomized base point coordinate in the ROM module succeeds; and outputs the conversion result of the coordinate system conversion module when the validation of the point multiplication result succeeds.
The workflow of the SM2 point multiplication architecture provided in an embodiment of the present invention is shown in Figure 2; the specific steps are as follows:
Step 1, initialization: the system is given a reset signal Rst, which resets all modules other than the ROM module.
Step 2: the main control module sends an enable signal to the point validation module. After receiving it, the first point validation module within the point validation module reads the randomized base point coordinate (X, Y, Z) and the SM2 elliptic curve parameter b from the ROM module, validates the randomized base point coordinate and judges whether the point lies on the SM2 elliptic curve. If the validation fails, the error flag is output; if it succeeds, the flow proceeds to the next step.
Step 3: the NAF point multiplication module reads the enable signal from the point validation module, reads the key k from the data bus, reads the successfully validated randomized base point coordinate from the ROM module and starts the point multiplication. When the computation completes, the point multiplication module's ready signal outputs 1 and is sent to the point validation module, notifying it to validate the result.
Step 4: the second point validation module within the point validation module verifies, in the same way as in step 2, whether the point multiplication result is correct. If the validation fails, the error flag is output; if it succeeds, the correct flag is output and the flow proceeds to the next step.
Step 5: the coordinate system conversion module reads the point multiplication result (a point in Jacobian coordinates) from the NAF point multiplication module and converts it from Jacobian coordinates to affine coordinates.
Step 6: the output module outputs, on the one hand, the error flag or correct flag from the point validation module and, on the other hand, the coordinate conversion result of the coordinate system conversion module.
Correspondingly, the state machine of the whole SM2 point multiplication architecture is shown in Figure 3 and has six states in total. The operations required in each state are as follows:
S0: the system is idle; the registers in the system are reset and the system waits for the enable signal, on whose arrival it enters the operating state S1;
S1: the main purpose of this state is to check whether the randomized base point coordinate stored in ROM lies on the elliptic curve. The randomized base point coordinate and the parameter b are substituted into the elliptic curve equation Y² + 3XZ² = X³ + bZ⁶, and the computed values of the two sides are compared for equality. If the check passes, the state machine enters S2; otherwise it outputs the validation error indication and returns to S0;
S2: the system runs the NAF algorithm and computes the point multiplication result; after the computation it outputs the naf_ready signal and enters state S3, which checks the computed result;
S3: this state checks the point multiplication result; if the check passes, it enters the coordinate conversion state S4, otherwise it outputs the indication of an erroneous result and returns to S0;
S4: this state completes the coordinate conversion using the modular inversion; after the conversion it outputs the Tran_ready signal and enters S5, which outputs the final result;
S5: the computed result is output and held. The system waits for the Rst signal, then jumps to S0 to prepare for the next computation.
To make the scheme easier to understand, the specific working processes of the important modules above are described further below.
1. ROM module.
It stores the counter value, M groups of randomized base point coordinates and the SM2 elliptic curve parameters. Each time the NAF point multiplication module reads one randomized base point coordinate, the counter value is incremented by 1, and the next point multiplication reads the base point coordinate of group (counter + 1); the counter value has period S. Because the base point coordinate values taking part in the computation differ within one counter period, an adversary cannot obtain power traces of point multiplications performed with identical base point coordinates, and therefore cannot carry out differential power analysis.
2. NAF point multiplication module.
The NAF point multiplication module reads the successfully validated randomized base point coordinate (Xi, Yi, Zi) and the key k, and outputs the point multiplication result kP = (Xo, Yo, Zo) in Jacobian coordinates.
The NAF point multiplication module includes a point addition module and a point doubling module. The point addition module adds the base point P, in affine coordinates, to the point Q in Jacobian coordinates; the point doubling module computes 2Q in Jacobian coordinates. The point multiplication result kP = (Xo, Yo, Zo) is computed by calling the point addition module and the point doubling module iteratively.
The specific computation flow is shown in Figure 4:
Read the successfully validated randomized base point coordinate (Xi, Yi, Zi) (point P in Figure 4) and the key k.
Compute the number N of leading zeros of Z = 3k with a leading-zero algorithm, and assign the base point coordinate (Xi, Yi, Zi) to the point Q; start the loop:
Call the point doubling module to compute Q = 2Q; if N = 258, output Q = kP directly; otherwise go to the next step;
Judgment 1: Z[257-N] = 1 and k[255-N] = 0. If judgment 1 holds, perform a point addition Q = Q + P with the point addition module, set N = N + 1 and return to the start of the loop;
If judgment 1 does not hold, Judgment 2: Z[257-N] = 0 and k[255-N] = 1. If judgment 2 holds, perform a point addition Q = Q - P with the point addition module, set N = N + 1 and return to the start of the loop;
If judgment 2 does not hold, perform the redundant point addition T = Q + P, set N = N + 1 and return to the start of the loop.
The point multiplication above differs from the usual NAF scalar multiplication algorithm: the usual algorithm performs only a point doubling, with no point addition, in iterations where NAF(k) = 0. This makes the iterations with NAF(k) = 0 visible on the power trace, so an attacker can observe the power consumption profile of the point multiplication, derive the positions where NAF(k) = 0, and thus obtain information about the key k by simple power analysis. This scheme adds a redundant point addition when NAF(k) = 0. The input of the redundant addition is still the point doubling result of the current iteration, but its output does not enter the loop. In this way the point multiplication is still computed correctly, and the power trace of that iteration is indistinguishable from that of the other iterations, which resists simple power analysis.
3. Point validation module.
Its validation principle is as follows: the randomized base point coordinate read from the ROM module, or the coordinate computed by the NAF point multiplication module, is checked for lying on the SM2 elliptic curve. The check tests whether the coordinate satisfies the equation Y² - aXZ² = X³ + bZ⁶, where a and b are the SM2 elliptic curve parameters; since a = -3 mod p, where p is the prime defining the SM2 elliptic curve, the equation can be rewritten as Y² + 3XZ² = X³ + bZ⁶. The module reads the point coordinate in Jacobian coordinates and the elliptic curve parameters, and computes the values of the two sides of the equation separately. If the two values are equal, the result output is high and the check is considered passed; if they differ, the result output is low and the check is considered failed. The validation module provides the point multiplication architecture with protection against fault injection analysis: if an attacker changes the randomized base point coordinate or the SM2 elliptic curve parameters stored in ROM by means such as electromagnetic or laser injection, the computation is moved onto another, weak elliptic curve, and part of the key can be derived from the erroneous output. The point validation module gives this scheme its defence against fault injection analysis: if the randomized base point coordinate or the computed point multiplication result is not on the SM2 elliptic curve, the system reports an error, terminates the operation and notifies the output module to set its outputs to zero.
In the specific implementation, as shown in Figure 1, it mainly includes a first point validation module and a second point validation module. The working processes of the two modules are similar, as shown in Figure 5; the difference is their input data (the coordinate of the point Q to be validated differs). Specifically:
The first point validation module, after receiving the enable signal sent by the main control module, reads the randomized base point coordinate (X, Y, Z) and the SM2 elliptic curve parameter b from the ROM module, validates the randomized base point coordinate and judges whether the point lies on the SM2 elliptic curve; the judgment formula is
Y² + 3XZ² = X³ + bZ⁶;
If the equation does not hold, the randomized base point coordinate or the parameter b is considered to have been tampered with; the point validation module outputs result signal 0 when its ready signal is 1, and the operation terminates;
If the equation holds, the randomized base point coordinate and the parameter b are considered correct; the point validation module outputs result signal 1 when its ready signal is 1, indicating successful validation.
The second point validation module validates the point multiplication result kP = (Xo, Yo, Zo) of the NAF point multiplication module and judges whether the point lies on the SM2 elliptic curve; the judgment formula is as follows: …, in which b is the SM2 elliptic curve parameter;
If the equation does not hold, the point multiplication of the NAF point multiplication module is considered erroneous; the point validation module outputs result signal 0 when its ready signal is 1, and the operation terminates;
If the equation holds, the point multiplication of the NAF point multiplication module is considered correct; the point validation module outputs result signal 1 when its ready signal is 1, indicating successful validation.
4. Coordinate system conversion module.
The module calls the finite field layer modular multiplication algorithm and modular inversion algorithm to convert the point coordinate in Jacobian coordinates into the point coordinate in affine coordinates. The conversion process is shown in Figure 6 and comprises the following steps:
Reading the successfully validated point multiplication result kP = (Xo, Yo, Zo) of the NAF point multiplication module;
Calling the modular multiplication algorithm to compute …, where p is the prime defining the SM2 elliptic curve and mod denotes the modulo operation;
Calling the modular multiplication algorithm to compute …, while calling the modular inversion algorithm to compute …;
Calling the modular inversion algorithm to compute …;
Calling the modular multiplication algorithm to compute … separately;
Outputting the converted coordinates x, y in affine coordinates.
5. Output module.
This module outputs the point multiplication result. If the verification module reports an error, Ready is set to 1 (output high level) and the outputs x_o[255:0] and y_o[255:0] are all set to 0; if the verification module reports success, Ready is set to 1 and the affine coordinates output by the coordinate system conversion module are output.
The above scheme of the embodiment of the present invention modifies the NAF(k) scalar multiplication algorithm by adding redundant operations to it, so that the algorithm resists simple power analysis attacks; by randomizing the base point coordinates, so that a different base point coordinate takes part in each computation, it resists differential power analysis attacks; and by adding point verification modules, the architecture's defence against fault analysis attacks is completed. The main advantages of the scheme are as follows:
1) It provides a corresponding countermeasure for almost every existing type of side-channel attack, truly achieving comprehensive resistance to side-channel attacks.
2) Compared with a conventional implementation, it does not increase resource usage: the redundant operations and the point verification modules are both realised by calling existing modules through the pipeline.
3) High scalability: the scheme provides a standard interface, so it can be called conveniently when implementing the SM2 public-key cryptosystem.
4) High speed: the scheme uses a two-stage pipeline, executes multiplication, modular reduction and modular addition/subtraction in parallel, and computes the point multiplication result in the Jacobian coordinate system so that the very time-consuming modular inversion is called off-line; a modular inversion is called only once, when converting from the Jacobian coordinate system to the affine coordinate system.
The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that can easily be thought of by anyone skilled in the art within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.
Claims (7)
1. An SM2 point multiplication architecture resistant to side-channel attacks, characterized by comprising: a ROM module, a main control module, a NAF point multiplication module, a point verification module, a coordinate system conversion module and an output module; wherein:
the main control module is used to control and coordinate data transmission among the NAF point multiplication module, the ROM module, the point verification module and the coordinate system conversion module, and to control the output module to output the result;
the ROM module is used to store a counter value, M groups of randomized base point coordinates and the SM2 elliptic curve parameters; each time the NAF point multiplication module reads a randomized base point coordinate, the counter value is incremented by 1, and the next point multiplication operation reads the base point coordinate of the group indicated by the counter;
the NAF point multiplication module is used to read the successfully verified randomized base point coordinate from the ROM module and the key from the data bus, and to perform the point multiplication operation on the two data read in the Jacobian coordinate system;
the point verification module is used to verify whether the randomized base point coordinate in the ROM module and the point multiplication result of the NAF point multiplication module lie on the SM2 elliptic curve;
the coordinate system conversion module is used to convert the point multiplication result from the Jacobian coordinate system to the affine coordinate system when the point multiplication result of the NAF point multiplication module is verified successfully;
the output module is used to output an error mark when the point verification module fails to verify the randomized base point coordinate in the ROM module or the point multiplication result; to output a correct mark when the randomized base point coordinate in the ROM module is verified successfully; and to output the conversion result of the coordinate system conversion module when the point verification module verifies the point multiplication result successfully.
2. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, characterized in that the point verification module comprises:
a first verification module, which, after receiving the enable signal sent by the main control module, reads the randomized base point coordinate (X, Y, Z) and the SM2 elliptic curve parameter b from the ROM module and verifies the randomized base point coordinate, judging whether the point lies on the SM2 elliptic curve; the judgment formula is as follows:
$Y^2 + 3XZ^2 = X^3 + bZ^6$;
if the equation does not hold, the randomized base point coordinates or the parameter b are considered to have been tampered with; when the ready signal of the point verification module is 1, its result signal outputs 0 and the operation is terminated;
if the equation holds, the randomized base point coordinates and the parameter b are considered to have been verified correctly; when the ready signal of the point verification module outputs 1, the result signal is 1, indicating that verification succeeded.
3. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, characterized in that the NAF point multiplication module reads the successfully verified randomized base point coordinate (Xi, Yi, Zi) and the key k, and outputs the point multiplication result kP(Xo, Yo, Zo) in the Jacobian coordinate system;
the NAF point multiplication module comprises a point addition module and a point doubling module; the point addition module performs the operation of adding the base point P in the affine coordinate system to a point Q in the Jacobian coordinate system; the point doubling module performs the operation 2*Q in the Jacobian coordinate system; the point multiplication result kP(Xo, Yo, Zo) is computed by recursively calling the point addition module and the point doubling module.
4. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 3, characterized in that the point multiplication operation is specifically as follows:
the number of leading zeros of 3k is computed with the leading-zero algorithm and denoted N, and the base point coordinate (Xi, Yi, Zi) is assigned to the point Q; the loop then starts:
the point doubling module is called to compute Q = 2Q; if N = 258, Q = kP is output directly; otherwise, proceed to the next step, judgment 1: Z[257-N] = 1 and k[255-N] = 0; if judgment 1 holds, the point addition module performs one addition Q = Q + P, N = N + 1, and control returns to the start of the loop;
if judgment 1 does not hold, judgment 2 is evaluated: Z[257-N] = 0 and k[255-N] = 1; if judgment 2 holds, the point addition module performs one addition Q = Q - P, N = N + 1, and control returns to the start of the loop;
if judgment 2 does not hold, a redundant point addition T = Q + P is performed, N = N + 1, and control returns to the start of the loop.
5. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, 3 or 4, characterized in that the point verification module comprises:
a second point verification module, which verifies the point multiplication result kP(Xo, Yo, Zo) of the NAF point multiplication module, judging whether the point lies on the SM2 elliptic curve; the judgment formula is as follows: [formula missing]
in the above formula, b is the SM2 elliptic curve parameter;
if the equation does not hold, the point multiplication operation of the NAF point multiplication module is considered to be in error; when the ready signal of the point verification module is 1, its result signal outputs 0 and the operation is terminated;
if the equation holds, the point multiplication operation of the NAF point multiplication module is considered correct; when the ready signal of the point verification module outputs 1, the result signal is 1, indicating that verification succeeded.
6. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, characterized in that converting the point multiplication result from the Jacobian coordinate system to the affine coordinate system comprises:
reading the point multiplication result kP(Xo, Yo, Zo) of the NAF point multiplication module that was verified successfully;
calling the modular multiplication algorithm to compute [formula missing], where p is the prime defining the SM2 elliptic curve and mod denotes the modular reduction operation;
calling the modular multiplication algorithm to compute [formula missing] and, at the same time, calling the modular inversion algorithm to compute [formula missing];
calling the modular inversion algorithm to compute [formula missing];
calling the modular multiplication algorithm to compute [formula missing] separately;
outputting the converted coordinates x, y in the affine coordinate system.
7. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, characterized in that the output module outputting the error mark comprises: the Ready signal of the output module outputs a high level, and the outputs x_o[255:0] and y_o[255:0] are all set to zero.
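As an added example that is not part of the patent text, the following Python model implements the protected point multiplication that the description and claims 2 to 7 specify: base-point randomization (DPA), the 3k/k NAF loop with a redundant addition in the no-digit branch (SPA), both on-curve checks (fault attacks) and the single-inversion conversion to affine coordinates. It assumes the standard SM2 curve parameters, general Jacobian addition (the randomized base point has Z different from 1), the standard Jacobian curve equation Y^2 = X^3 + aXZ^4 + bZ^6 with a = -3 (claim 2 prints Z^2 on the a-term), and the usual bit indexing of 3k rather than the page's 258-bit register indices; all function names are my own.

```python
# Added example, not the patent's code: software model of the protected SM2 point multiplication
import secrets
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF   # SM2 prime
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93   # SM2 b (a = -3)
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123   # group order
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0, 1)  # Jacobian G

def on_curve(X, Y, Z):
    # point check (claims 2 and 5): Jacobian form of y^2 = x^3 - 3x + b, x = X/Z^2, y = Y/Z^3
    return (Y * Y - X**3 + 3 * X * pow(Z, 4, P) - B * pow(Z, 6, P)) % P == 0

def randomize(X, Y, Z, lam=None):
    # (lam^2 X, lam^3 Y, lam Z) is the same point with fresh operands (DPA countermeasure)
    lam = lam or secrets.randbelow(P - 1) + 1
    return lam * lam * X % P, pow(lam, 3, P) * Y % P, lam * Z % P

def dbl(Q):                              # point doubling module, Jacobian, a = -3
    X, Y, Z = Q
    S, M = 4 * X * Y * Y % P, 3 * (X * X - pow(Z, 4, P)) % P
    X3 = (M * M - 2 * S) % P
    return X3, (M * (S - X3) - 8 * pow(Y, 4, P)) % P, 2 * Y * Z % P

def add(Q, R):                           # point addition module, both operands Jacobian
    (X1, Y1, Z1), (X2, Y2, Z2) = Q, R
    if Z1 == 0: return R                 # Q is the point at infinity
    U1, U2 = X1 * Z2 * Z2 % P, X2 * Z1 * Z1 % P
    S1, S2 = Y1 * pow(Z2, 3, P) % P, Y2 * pow(Z1, 3, P) % P
    H, r = (U2 - U1) % P, (S2 - S1) % P
    if H == 0: return dbl(Q) if r == 0 else (1, 1, 0)   # Q == R or Q == -R
    X3 = (r * r - H**3 - 2 * U1 * H * H) % P
    return X3, (r * (U1 * H * H - X3) - S1 * H**3) % P, H * Z1 * Z2 % P

def naf_mul(k, Pt):
    # NAF recoding via h = 3k (digit i is h_i - k_i); the branch with no digit still
    # performs a redundant addition, so every iteration costs D + A (SPA countermeasure)
    h, Q, negP = 3 * k, Pt, (Pt[0], (-Pt[1]) % P, Pt[2])
    for i in range(h.bit_length() - 2, 0, -1):
        Q = dbl(Q)
        hi, ki = (h >> i) & 1, (k >> i) & 1
        if hi == 1 and ki == 0:
            Q = add(Q, Pt)
        elif hi == 0 and ki == 1:
            Q = add(Q, negP)
        else:
            add(Q, Pt)                   # redundant T = Q + P, result discarded
    return Q

def to_affine(Q):                        # coordinate conversion (claim 6): one inversion only
    X, Y, Z = Q
    zi = pow(Z, P - 2, P)
    return X * zi * zi % P, Y * pow(zi, 3, P) % P

def protected_mul(k, base=G):
    # output module: None stands for the error mark (x_o, y_o all zero)
    Pr = randomize(*base)
    if not on_curve(*Pr): return None    # first check: base point or b tampered
    Q = naf_mul(k, Pr)
    if not on_curve(*Q): return None     # second check: faulted result
    return to_affine(Q)
```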
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710348996.9A CN108964914B (en) | 2017-05-17 | 2017-05-17 | SM2 point multiplication architecture for resisting side channel attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108964914A true CN108964914A (en) | 2018-12-07 |
CN108964914B CN108964914B (en) | 2020-08-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||