CN108964914A - The SM2 dot product framework of preventing side-channel attack - Google Patents


Info

Publication number
CN108964914A
Authority
CN
China
Prior art keywords
module
point
dot product
coordinate
naf
Prior art date
Legal status
Granted
Application number
CN201710348996.9A
Other languages
Chinese (zh)
Other versions
CN108964914B (en)
Inventor
胡红钢
刘石刚
汪仔业
Current Assignee
University of Science and Technology of China USTC
Original Assignee
University of Science and Technology of China USTC
Application filed by University of Science and Technology of China USTC
Priority to CN201710348996.9A
Publication of CN108964914A
Application granted
Publication of CN108964914B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves

Abstract

The invention discloses an SM2 point multiplication (scalar multiplication) architecture resistant to side-channel attacks. The scheme modifies the NAF(k) scalar multiplication algorithm by adding redundant operations, so that the algorithm resists simple power analysis; it randomizes the base point coordinates so that a different base point coordinate takes part in every computation, which resists differential power analysis; and it adds a point verification module, which gives the architecture its defence against fault analysis attacks.

Description

SM2 point multiplication architecture resistant to side-channel attacks
Technical field
The present invention relates to the field of applied cryptography, and in particular to an SM2 point multiplication architecture resistant to side-channel attacks.
Background technique
The SM2 algorithm is the elliptic curve public-key cryptographic algorithm with independent intellectual property rights that the State Cryptography Administration of China published in December 2010. With the continuing development of cryptographic and computing technology, the 1024-bit RSA public-key algorithm now in use faces serious threats. A longer key such as 2048 bits can of course be used, but the effect on a hardware implementation is an exponential growth in area and power consumption. Compared with RSA, SM2 needs a shorter key to reach the same security strength and is simpler to implement in hardware. The short key length gives SM2 designs and implementations advantages such as low bandwidth requirements, small storage space and high operating speed. In China, SM2 is being used to replace RSA. The SM2 cryptosystem is theoretically secure, but its implementation must take into account a class of cryptanalysis that has emerged in recent years: side-channel attacks. A side-channel attack mainly exploits the information a cryptosystem leaks, through correct or faulty behaviour, while it executes.
A field programmable gate array (FPGA) comes with powerful design tools that shorten the development cycle; it provides abundant on-chip resources, supports parallel data processing, makes pipelined structures easy to build, increases design flexibility, is easy to upgrade and lowers design cost. Because of these advantages, implementing the SM2 point multiplication architecture on FPGA chips, which are fast and highly parallel, has become a trend.
Traditional SM2 point multiplication architectures target fast implementation and do not take side-channel attacks into account. At the top level of the point multiplication, either the left-to-right binary method or the sliding-window NAF algorithm is usually used to compute the point multiplication. Both algorithms, however, contain obvious conditional jumps, so simple power analysis can recover the secret integer k, which makes it easy for an attacker to forge signatures, obtain the negotiated key, decrypt ciphertexts and carry out a series of similar operations.
The paper "Ultra High-speed SM2 ASIC Implementation" [1] by Zhao Zhenda et al. proposes an SM2 point multiplication architecture based on a full-precision multiplier, with a two-stage pipeline to raise the point multiplication speed. But that scheme only focuses on a fast implementation of the architecture and takes no protective measures against any side-channel attack. By SPA, an attacker observing the power trace of the point multiplication kP can distinguish point additions from point doublings, and thus learn whether a point addition is performed in each iteration and deduce whether the NAF(k) digit of that iteration is 0. Likewise, an attacker can attack the point multiplication architecture with DPA and FAA and obtain information about the key k by analysis.
The paper "Ultra high-performance ASIC implementation of SM2 with Power-analysis resistance" [2] by Zhang Dan et al. proposes a point multiplication architecture based on the Montgomery ladder: the Montgomery ladder scalar multiplication algorithm is modified to resist simple power analysis, and random cycles are inserted into the algorithm to resist differential power analysis. But the improved Montgomery ladder scalar multiplication uses a register value swap operation, and the paper "On Power-Analysis Resistant Hardware Implementations of ECC-Based Cryptosystems" [3] presents an attack on register value swap operations, so the published scheme cannot resist SPA. Moreover, the published architecture does not consider another major class of side-channel attack, fault analysis attacks (FAA): an attacker can inject faults into the processor running the architecture, obtain faulty outputs, and analyze those faulty outputs to obtain information about the key k.
In short, current papers and designs all focus on the high-speed computation of the SM2 point multiplication architecture and lack defences against side-channel attacks. Without thorough prevention of side-channel attacks, a cryptographic chip designed this way may be attacked successfully, and the design then loses its practical value. Taking the high-speed computation of the SM2 point multiplication architecture into account while achieving comprehensive and efficient resistance to side-channel attacks has become a trend, and it also gives the implementation of the SM2 point multiplication architecture more practical significance.
Summary of the invention
The object of the present invention is to provide an SM2 point multiplication architecture resistant to side-channel attacks, which runs at high speed and resists side-channel attacks comprehensively.
The object of the present invention is achieved through the following technical solution:
An SM2 point multiplication architecture resistant to side-channel attacks, comprising: a ROM module, a main control module, a NAF point multiplication module, a point verification module, a coordinate system conversion module and an output module; wherein:
The main control module controls and coordinates the data transfer among the NAF point multiplication module, the ROM module, the point verification module and the coordinate system conversion module, and controls the output module to output the result;
The ROM module stores a counter value, M groups of randomized base point coordinates and the SM2 elliptic curve parameters; each time the NAF point multiplication module reads one randomized base point coordinate, the counter value is incremented by 1, and the next point multiplication reads the group of base point coordinates selected by the counter;
The NAF point multiplication module reads the successfully verified randomized base point coordinates from the ROM module and the key from the data bus, and performs the point multiplication of these two inputs in the Jacobian coordinate system;
The point verification module verifies whether the randomized base point coordinates in the ROM module and the point multiplication result of the NAF point multiplication module lie on the SM2 elliptic curve;
The coordinate system conversion module converts the point multiplication result from the Jacobian coordinate system to the affine coordinate system when the point multiplication result of the NAF point multiplication module has been verified successfully;
The output module outputs an error flag when the verification of the randomized base point coordinates in the ROM module or of the point multiplication result fails in the point verification module; outputs a correct flag when the randomized base point coordinates in the ROM module are verified successfully; and outputs the conversion result of the coordinate system conversion module when the point multiplication result is verified successfully.
The point verification module includes:
A first point verification module which, after receiving the enable signal sent by the main control module, reads the randomized base point coordinates (X, Y, Z) and the SM2 elliptic curve parameter b from the ROM module and verifies the randomized base point coordinates once, judging whether the point lies on the SM2 elliptic curve by the following criterion:
$Y^2 + 3XZ^2 = X^3 + bZ^6$
If the equation does not hold, the randomized base point coordinates or the parameter b are considered to have been tampered with; the point verification module outputs result signal 0 when its ready signal is 1, and the operation terminates;
If the equation holds, the randomized base point coordinates and the parameter b are considered verified correct; the point verification module outputs result signal 1 when its ready signal is 1, indicating successful verification.
The NAF point multiplication module reads the successfully verified randomized base point coordinates $(X_i, Y_i, Z_i)$ and the key k, and outputs the point multiplication result $kP = (X_o, Y_o, Z_o)$ in the Jacobian coordinate system;
The NAF point multiplication module includes a point addition module and a point doubling module. The point addition module adds a point Q in the Jacobian coordinate system to the base point P in the affine coordinate system; the point doubling module computes 2Q in the Jacobian coordinate system; the point multiplication result $kP = (X_o, Y_o, Z_o)$ is obtained by repeated calls to the point addition module and the point doubling module.
The point multiplication proceeds as follows:
Compute N, the number of leading zeros of Z = 3k, with a leading-zero algorithm, and assign the base point coordinates $(X_i, Y_i, Z_i)$ to the point Q; then start the loop:
Call the point doubling module to compute Q = 2Q; if N = 258, output Q = kP directly; otherwise go to the next step and evaluate condition 1: Z[257-N] = 1 and k[255-N] = 0. If condition 1 holds, perform the point addition Q = Q + P with the point addition module, set N = N + 1 and return to the start of the loop;
If condition 1 does not hold, evaluate condition 2: Z[257-N] = 0 and k[255-N] = 1. If condition 2 holds, perform the point addition Q = Q - P with the point addition module, set N = N + 1 and return to the start of the loop;
If condition 2 does not hold, perform the redundant point addition T = Q + P, set N = N + 1 and return to the start of the loop.
The point verification module further includes:
A second point verification module which verifies the point multiplication result $kP = (X_o, Y_o, Z_o)$ of the NAF point multiplication module, judging whether the point lies on the SM2 elliptic curve by the same criterion as the first point verification module, applied to $(X_o, Y_o, Z_o)$:
$Y_o^2 + 3X_oZ_o^2 = X_o^3 + bZ_o^6$
In the above formula, b is the SM2 elliptic curve parameter;
If the equation does not hold, the point multiplication of the NAF point multiplication module is considered wrong; the point verification module outputs result signal 0 when its ready signal is 1, and the operation terminates;
If the equation holds, the point multiplication of the NAF point multiplication module is considered correct; the point verification module outputs result signal 1 when its ready signal is 1, indicating successful verification.
Converting the point multiplication result from the Jacobian coordinate system to the affine coordinate system includes:
Reading the successfully verified point multiplication result $kP = (X_o, Y_o, Z_o)$ of the NAF point multiplication module;
Calling the modular multiplication algorithm to compute …, where p is the prime number defining the SM2 elliptic curve and mod denotes the modulo operation;
Calling the modular multiplication algorithm to compute … and, at the same time, calling the modular inversion algorithm to compute …;
Calling the modular inversion algorithm to compute …;
Calling the modular multiplication algorithm to compute … separately;
Outputting the converted coordinates x, y in the affine coordinate system.
The output module outputs the error flag as follows: the Ready output of the output module goes high, and the outputs x_o[255:0] and y_o[255:0] are all set to zero.
As can be seen from the technical solution provided by the invention above, the NAF(k) scalar multiplication algorithm is modified by adding redundant operations, which enables it to resist simple power analysis; the base point coordinates are randomized so that a different base point coordinate takes part in every computation, which resists differential power analysis; and a point verification module is added, which completes the architecture's defence against fault analysis attacks. The main advantages of the scheme are:
1) There is a corresponding preventive measure for nearly every existing type of side-channel attack, truly achieving comprehensive resistance to side-channel attacks.
2) Compared with a traditional implementation, no additional resources are occupied: the redundant operations and the point verification module are both realized by calling existing modules through the pipeline.
3) Scalability is high: the architecture provides a standard interface, which makes it convenient to call when implementing the SM2 public-key cryptosystem.
4) The operating speed is fast: the architecture uses a two-stage pipeline, executes modular multiplication, modular reduction and modular addition/subtraction in parallel, and computes the point multiplication in the Jacobian coordinate system so that the very time-consuming modular inversion is kept out of the main computation; a single modular inversion is called only when transforming from the Jacobian coordinate system to the affine coordinate system.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a diagram of the SM2 point multiplication architecture resistant to side-channel attacks provided by an embodiment of the present invention;
Fig. 2 is the workflow diagram of the SM2 point multiplication architecture provided by an embodiment of the present invention;
Fig. 3 is the state machine diagram of the SM2 point multiplication architecture provided by an embodiment of the present invention;
Fig. 4 is the workflow diagram of the NAF point multiplication module provided by an embodiment of the present invention;
Fig. 5 is the workflow diagram of the point verification module provided by an embodiment of the present invention;
Fig. 6 is the workflow diagram of the coordinate system conversion module provided by an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
The embodiment of the present invention starts from comprehensive resistance of the SM2 algorithm to side-channel attacks. It adopts a set of measures against simple power analysis (SPA), differential power analysis (DPA) and fault analysis attacks (FAA), and optimizes the algorithms and circuit design of the point multiplication at both the finite field layer and the elliptic curve operation layer, so as to propose an SM2 point multiplication architecture that runs at high speed and resists side-channel attacks comprehensively.
As shown in Fig. 1, the SM2 point multiplication architecture resistant to side-channel attacks provided by the embodiment of the present invention is characterized in that it comprises: a ROM module, a main control module, a NAF point multiplication module, a point verification module, a coordinate system conversion module and an output module; wherein:
The main control module controls and coordinates the data transfer among the NAF point multiplication module, the ROM module, the point verification module and the coordinate system conversion module, and controls the output module to output the result;
The ROM module stores a counter value, M groups of randomized base point coordinates and the SM2 elliptic curve parameters; each time the NAF point multiplication module reads one randomized base point coordinate, the counter value is incremented by 1, and the next point multiplication reads the group of base point coordinates selected by the counter;
The NAF point multiplication module reads the successfully verified randomized base point coordinates from the ROM module and the key from the data bus, and performs the point multiplication of these two inputs in the Jacobian coordinate system;
The point verification module verifies whether the randomized base point coordinates in the ROM module and the point multiplication result of the NAF point multiplication module lie on the SM2 elliptic curve;
The coordinate system conversion module converts the point multiplication result from the Jacobian coordinate system to the affine coordinate system when the point multiplication result of the NAF point multiplication module has been verified successfully;
The output module outputs an error flag when the verification of the randomized base point coordinates in the ROM module or of the point multiplication result fails in the point verification module; outputs a correct flag when the randomized base point coordinates in the ROM module are verified successfully; and outputs the conversion result of the coordinate system conversion module when the point multiplication result is verified successfully.
The workflow of the SM2 point multiplication architecture provided by the embodiment of the present invention is shown in Fig. 2; the specific steps are as follows:
Step 1, initialization. A reset signal Rst is applied to the system, resetting all modules other than the ROM module.
Step 2, the main control module sends an enable signal to the point verification module. After receiving the enable signal sent by the main control module, the first point verification module in the point verification module reads the randomized base point coordinates (X, Y, Z) and the SM2 elliptic curve parameter b from the ROM module and verifies the randomized base point coordinates once, judging whether the point lies on the SM2 elliptic curve. If the verification fails, an error flag is output; if it succeeds, the flow moves to the next step.
Step 3, the NAF point multiplication module reads the enable signal from the point verification module, reads the key k from the data bus, reads the successfully verified randomized base point coordinates from the ROM module and starts the point multiplication. When the computation is complete, the ready signal of the point multiplication module goes to 1 and is output to the point verification module, notifying it to verify.
Step 4, the second point verification module in the point verification module verifies, in the same way as in step 2, whether the point multiplication result is correct. If the verification fails, an error flag is output; if it succeeds, a correct flag is output and the flow moves to the next step.
Step 5, the coordinate system conversion module reads the point multiplication result (a point in the Jacobian coordinate system) from the NAF point multiplication module and transforms the coordinates from the Jacobian coordinate system to the affine coordinate system.
Step 6, the output module, on the one hand, outputs the error flag and the correct flag produced by the point verification module; on the other hand, it outputs the coordinate transformation result of the coordinate system conversion module.
Correspondingly, the state machine of the whole SM2 point multiplication architecture is shown in Fig. 3 and has six states in total. The operations performed in each state are as follows:
S0: the system is idle in this state; the registers in the system are reset, and the system waits for the enable signal to arrive before entering the running state S1;
S1: the main purpose of this state is to check whether the randomized base point coordinates stored in the ROM lie on the elliptic curve. The randomized base point coordinates and the parameter b are substituted into the elliptic curve equation $Y^2 + 3XZ^2 = X^3 + bZ^6$ and the computed values of the two sides of the equation are checked for equality. If the check passes, the S2 state is entered; otherwise a verification error indication is output and the machine returns to the S0 state;
S2: in this state the system runs the NAF algorithm to compute the point multiplication result; after the computation the naf_ready signal is output and the machine enters the S3 state, which checks the computed result;
S3: this state completes the check of the point multiplication result; if the check passes, the coordinate conversion state S4 is entered, otherwise an indication of a wrong computation result is output and the machine returns to the S0 state;
S4: this state completes the coordinate conversion using the modular inversion operation. After the conversion the tran_ready signal is output and the machine enters the S5 state, which outputs the final result.
S5: in this state the computed result is output and held. The system waits for the Rst signal, then jumps to the S0 state to prepare for the next computation.
For ease of understanding, the specific working process of the important modules above is described further below.
1. ROM module.
It stores a counter value, M groups of randomized base point coordinates and the SM2 elliptic curve parameters. Each time the NAF point multiplication module reads one randomized base point coordinate, the counter value is incremented by 1, and the next point multiplication reads group (counter + 1) of base point coordinates; the counter has period S. Because the base point coordinate values that take part in the operation are all different within one counter period, an adversary cannot obtain power traces of point multiplications that use the same base point coordinates, and therefore cannot carry out differential power analysis.
2. NAF point multiplication module.
The NAF point multiplication module reads the successfully verified randomized base point coordinates $(X_i, Y_i, Z_i)$ and the key k, and outputs the point multiplication result $kP = (X_o, Y_o, Z_o)$ in the Jacobian coordinate system.
The NAF point multiplication module includes a point addition module and a point doubling module. The point addition module adds a point Q in the Jacobian coordinate system to the base point P in the affine coordinate system; the point doubling module computes 2Q in the Jacobian coordinate system; the point multiplication result $kP = (X_o, Y_o, Z_o)$ is obtained by repeated calls to the point addition module and the point doubling module. The specific computation flow is shown in Fig. 4:
Read the successfully verified randomized base point coordinates $(X_i, Y_i, Z_i)$ (the point P in Fig. 4) and the key k.
Compute N, the number of leading zeros of Z = 3k, with a leading-zero algorithm, and assign the base point coordinates $(X_i, Y_i, Z_i)$ to the point Q; then start the loop:
Call the point doubling module to compute Q = 2Q; if N = 258, output Q = kP directly; otherwise go to the next step and evaluate condition 1: Z[257-N] = 1 and k[255-N] = 0. If condition 1 holds, perform the point addition Q = Q + P with the point addition module, set N = N + 1 and return to the start of the loop;
If condition 1 does not hold, evaluate condition 2: Z[257-N] = 0 and k[255-N] = 1. If condition 2 holds, perform the point addition Q = Q - P with the point addition module, set N = N + 1 and return to the start of the loop;
If condition 2 does not hold, perform the redundant point addition T = Q + P, set N = N + 1 and return to the start of the loop.
The point multiplication above differs from the usual NAF scalar multiplication algorithm: the usual algorithm performs only a point doubling in an iteration with NAF(k) = 0, with no point addition. That iteration then stands out on the power trace, so an attacker can read the positions of NAF(k) = 0 from the power profile of the point multiplication and obtain information about the key k by simple power analysis. This scheme adds a redundant point addition in the NAF(k) = 0 iteration; the input of that addition is still the point doubling result of the current iteration, but its output does not enter the loop. The point multiplication is thus still computed correctly, while the iteration is indistinguishable on the power trace from the other iterations, which resists simple power analysis.
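The scalar multiplication schedule above, as an added example that is not part of the patent: a Python model of the 3k/k signed-digit loop with the redundant point addition, instrumented to log the doubling/addition sequence of every round so that the simple power analysis argument can be checked against a plain double-and-add. It uses affine coordinates rather than the Jacobian mixed addition of the patent, the public SM2 curve parameters, and its own bit-index bookkeeping (Python iterates the bit positions of h = 3k directly instead of the 258-bit register and leading-zero count N of the hardware); the "D"/"A" log is an abstraction of what a power trace would show, not a measurement.

```python
# Added example, not the patent's code: 3k/k signed-digit scalar multiplication
# with a redundant point addition in every round whose digit is 0, so that each
# round executes exactly one doubling and one addition. Affine coordinates are
# used for brevity (the patent works in Jacobian coordinates with mixed
# addition). Curve: SM2 with its public parameters (GB/T 32918).

P_MOD = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P_MOD - 3
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N_ORDER = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def _group_add(p1, p2):
    """Affine group law, handling the infinity, doubling and inverse cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def add(p1, p2, log):
    log.append("A")  # what an SPA trace would show as a point addition
    return _group_add(p1, p2)


def double(pt, log):
    log.append("D")  # ... and as a point doubling
    return _group_add(pt, pt)


def scalar_mul_reference(k, pt):
    """Left-to-right double-and-add. Returns (kP, rounds); each round's log is
    "D" or "DA" depending on the bit of k, which is exactly what SPA reads."""
    q, rounds = INF, []
    for bit in bin(k)[2:]:
        log = []
        q = double(q, log)
        if bit == "1":
            q = add(q, pt, log)
        rounds.append("".join(log))
    return q, rounds


def scalar_mul_signed_digit(k, pt):
    """Signed-digit multiplication with h = 3k. For i from the top bit of h
    down to bit 1 the digit d_i = h_i - k_i lies in {-1, 0, 1} and
    sum(d_i * 2^(i-1)) == k (because h_0 == k_0), so after one doubling per
    round P is added (d_i = 1), subtracted (d_i = -1), or added into a
    throw-away register T (d_i = 0). Every round therefore logs "DA"."""
    h = 3 * k
    q, rounds = INF, []
    for i in range(h.bit_length() - 1, 0, -1):
        log = []
        q = double(q, log)
        h_i, k_i = (h >> i) & 1, (k >> i) & 1
        if h_i == 1 and k_i == 0:
            q = add(q, pt, log)
        elif h_i == 0 and k_i == 1:
            q = add(q, neg(pt), log)
        else:
            _t = add(q, pt, log)  # redundant addition; result is not fed back
        rounds.append("".join(log))
    return q, rounds


if __name__ == "__main__":
    k = 0xB1C2D3E4
    ref, ref_rounds = scalar_mul_reference(k, G)
    sd, sd_rounds = scalar_mul_signed_digit(k, G)
    print(ref == sd, set(ref_rounds), set(sd_rounds))
```

Running the block prints True followed by the two sets of per-round logs: the reference method produces both "D" and "DA" rounds, so the bits of k are readable from the sequence, while every round of the signed-digit method is "DA". The throw-away register T is the only thing that hides the digit, so in an implementation the redundant addition must really be executed and not optimized away; the patent achieves this by routing it through the same pipeline modules as the real additions.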
3. Point verification module.
Its verification principle is as follows: the randomized base point coordinates read from the ROM module, or the coordinates computed by the NAF point multiplication module, are checked for lying on the SM2 elliptic curve. The check is whether the coordinates satisfy the equation $Y^2 - aXZ^2 = X^3 + bZ^6$, where a and b are the SM2 elliptic curve parameters; since $a = -3 \bmod p$, where p is the prime number defining the SM2 elliptic curve, the equation above can be rewritten as $Y^2 + 3XZ^2 = X^3 + bZ^6$. The module reads the point coordinates in the Jacobian coordinate system and the elliptic curve parameters and computes the value of each side of the equation separately. If the two values are equal, the result output is high level and the check is considered passed; if they differ, the result output is low level and the check is considered failed. This verification module gives the point multiplication architecture a protective measure against fault injection analysis: if an attacker alters the randomized base point coordinates or the SM2 elliptic curve parameters stored in the ROM by electromagnetic, laser or other means, the computation is moved onto another, weak elliptic curve, and part of the key can be derived from the wrong output. The point verification module gives this scheme its defence against fault injection analysis: if the randomized base point coordinates or the computed point multiplication result are not on the SM2 elliptic curve, the system reports an error, terminates the operation and notifies the output module to set its outputs to zero.
In the specific implementation, as shown in Fig. 1, it mainly includes a first point verification module and a second point verification module. The working process of the two modules is similar, as shown in Fig. 5; the difference lies in the input data (the coordinates of the point Q to be verified differ). Specifically:
The first point verification module, after receiving the enable signal sent by the main control module, reads the randomized base point coordinates (X, Y, Z) and the SM2 elliptic curve parameter b from the ROM module and verifies the randomized base point coordinates once, judging whether the point lies on the SM2 elliptic curve by the following criterion:
$Y^2 + 3XZ^2 = X^3 + bZ^6$
If the equation does not hold, the randomized base point coordinates or the parameter b are considered to have been tampered with; the point verification module outputs result signal 0 when its ready signal is 1, and the operation terminates;
If the equation holds, the randomized base point coordinates and the parameter b are considered verified correct; the point verification module outputs result signal 1 when its ready signal is 1, indicating successful verification.
The second point verification module verifies the point multiplication result $kP = (X_o, Y_o, Z_o)$ of the NAF point multiplication module, judging whether the point lies on the SM2 elliptic curve by the same criterion, applied to $(X_o, Y_o, Z_o)$:
$Y_o^2 + 3X_oZ_o^2 = X_o^3 + bZ_o^6$
In the above formula, b is the SM2 elliptic curve parameter;
If the equation does not hold, the point multiplication of the NAF point multiplication module is considered wrong; the point verification module outputs result signal 0 when its ready signal is 1, and the operation terminates;
If the equation holds, the point multiplication of the NAF point multiplication module is considered correct; the point verification module outputs result signal 1 when its ready signal is 1, indicating successful verification.
4. Coordinate system conversion module.
This module calls the modular multiplication and modular inversion algorithms of the finite-field layer to convert point coordinates in the Jacobian coordinate system into point coordinates in the affine coordinate system. The conversion process is shown in Figure 6 and comprises the following steps:
Converting the point multiplication result from the Jacobian coordinate system to the affine coordinate system comprises:
reading the successfully verified point multiplication result kP(Xo, Yo, Zo) of the NAF point multiplication module;
calling the modular multiplication algorithm, where p is the prime that defines the SM2 elliptic curve and mod denotes the modular reduction operation, to compute
calling the modular multiplication algorithm and, at the same time, the modular inversion algorithm to compute
calling the modular inversion algorithm to compute
calling the modular multiplication algorithm to compute, separately,
outputting the converted affine coordinates x and y.
5. Output module.
This module completes the output of the point multiplication result. If the verification module reports an error, Ready is set to 1 (output high) and the outputs x_o[255:0] and y_o[255:0] are all set to zero; if the verification module reports success, Ready is set to 1 and the affine coordinates produced by the coordinate system conversion module are output.
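The checks described above, as an added worked example rather than code from the patent: the Jacobian on-curve test of the point verification modules, the Jacobian-to-affine conversion of the coordinate system conversion module, and the output module's zeroing of a result that fails verification. It uses the public SM2 curve parameters (GB/T 32918). The randomizer `lam`, the single-bit faults and all function names are this example's own assumptions, and the conversion is written with the standard formulas x = X/Z², y = Y/Z³ (one modular inverse, then modular multiplications) as its reading of the step list above.

```python
# Added example, not the patent's code: Jacobian on-curve verification, the
# Jacobian -> affine conversion and the output gating, over the SM2 curve.
# Curve constants are the public SM2 parameters; lam and the injected faults
# are constructed test inputs; function names are this example's own.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3  # a = -3 mod p, which lets the check use 3XZ^4 instead of -aXZ^4
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0


def randomize_base_point(x, y, lam):
    """Jacobian representative (lam^2 x, lam^3 y, lam) of the affine point (x, y).
    Each of the M entries in the patent's ROM table is such a representative
    for a different lam, so every scalar multiplication starts from different
    coordinate words; lam here is a constructed input, not a random draw."""
    if not 0 < lam < P:
        raise ValueError("lam must be a non-zero field element")
    l2 = lam * lam % P
    return (x * l2 % P, y * l2 * lam % P, lam)


def on_curve_jacobian(X, Y, Z, b=B):
    """Y^2 + 3 X Z^4 == X^3 + b Z^6 (mod p): y^2 = x^3 - 3x + b with x = X/Z^2,
    y = Y/Z^3 and denominators cleared. No inversion is needed, so the check
    runs on the modular multiplier before and after the scalar multiplication.
    The point at infinity (Z == 0) is rejected."""
    if Z % P == 0:
        return False
    z2 = Z * Z % P
    z4 = z2 * z2 % P
    lhs = (Y * Y + 3 * X * z4) % P
    rhs = (X * X * X + b * z4 * z2) % P
    return lhs == rhs


def jacobian_to_affine(X, Y, Z):
    """x = X / Z^2, y = Y / Z^3 (mod p); pow(Z, -1, P) is the single modular
    inversion, the expensive operation reserved for this final step."""
    z_inv = pow(Z, -1, P)
    z2_inv = z_inv * z_inv % P
    return (X * z2_inv % P, Y * z2_inv * z_inv % P)


def output_module(X, Y, Z, b=B):
    """Mirrors the output module: Ready is always raised; after a failed
    verification both coordinates are forced to zero instead of releasing a
    result computed on a tampered curve, which a fault attacker could solve
    for key bits."""
    if not on_curve_jacobian(X, Y, Z, b):
        return (1, 0, 0)
    x, y = jacobian_to_affine(X, Y, Z)
    return (1, x, y)


if __name__ == "__main__":
    lam = 0x1234567890ABCDEF  # constructed randomizer
    X, Y, Z = randomize_base_point(GX, GY, lam)
    print(output_module(X, Y, Z) == (1, GX, GY))   # True: round trip to G
    print(output_module(X ^ 1, Y, Z))              # (1, 0, 0): one flipped X bit
    print(output_module(X, Y, Z, b=B ^ 1))         # (1, 0, 0): tampered parameter b
```

Flipping one bit of the stored X, or of the curve parameter b, is the fault model the description gives for a laser or EM attack on the ROM; either moves the point off the curve and the output module returns (1, 0, 0) rather than a coordinate pair computed on a weaker curve. Because the check costs only modular multiplications, it can share the same pipeline as the scalar multiplication.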
The above scheme of the embodiment of the present invention modifies the NAF(k) scalar multiplication algorithm by adding redundant operations, so that the algorithm resists simple power analysis; it randomizes the base point coordinates so that a different base point representation takes part in every computation, which resists differential power analysis; and it adds point verification modules so that the architecture defends against fault analysis attacks. The main advantages of the scheme are:
1) Each of the side-channel attack classes considered (simple power analysis, differential power analysis and fault analysis) has a dedicated countermeasure, so the architecture resists side-channel attacks across the board rather than against a single attack type.
2) Compared with a conventional implementation, no additional resources are occupied: the redundant operation and the point verification modules are both realized by calling existing modules through the pipeline.
3) High scalability: the architecture provides a standard interface for use when implementing the SM2 public-key cryptosystem.
4) High operating speed: the architecture uses a two-stage pipeline in which modular multiplication, modular reduction and modular addition/subtraction run in parallel, and the very time-consuming modular inversion is kept out of the scalar multiplication loop, which is computed entirely in Jacobian coordinates; modular inversion is called only when converting the result from the Jacobian coordinate system to the affine coordinate system.
The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention should be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims (7)

1. An SM2 point multiplication architecture resistant to side-channel attacks, characterized by comprising: a ROM module, a main control module, a NAF point multiplication module, a point verification module, a coordinate system conversion module and an output module; wherein:
the main control module controls and coordinates data transfer between the NAF point multiplication module, the ROM module, the point verification module and the coordinate system conversion module, and controls the output module's output of the result;
the ROM module stores a counter value, M groups of randomized base point coordinates and the SM2 elliptic curve parameters; each time the NAF point multiplication module reads a randomized base point coordinate the counter value is incremented by 1, so that the next point multiplication reads the base point coordinates of the group selected by the counter;
the NAF point multiplication module reads the successfully verified randomized base point coordinates from the ROM module and the key from the data bus, and performs the point multiplication in the Jacobian coordinate system on the two values read;
the point verification module checks whether the randomized base point coordinates in the ROM module and the point multiplication result of the NAF point multiplication module lie on the SM2 elliptic curve;
the coordinate system conversion module, when the point multiplication result of the NAF point multiplication module is verified successfully, converts the result from the Jacobian coordinate system to the affine coordinate system;
the output module outputs an error flag when verification of the randomized base point coordinates in the ROM module or of the point multiplication result fails in the point verification module; outputs a correct flag when the randomized base point coordinates in the ROM module are verified successfully; and outputs the conversion result of the coordinate system conversion module when the point multiplication result is verified successfully by the point verification module.
2. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, characterized in that the point verification module comprises:
a first point verification module which, after receiving the enable signal sent by the main control module, reads the randomized base point coordinates (X, Y, Z) and the SM2 elliptic curve parameter b from the ROM module and verifies the randomized base point, judging whether the point lies on the SM2 curve with the formula:
Y² + 3XZ⁴ = X³ + bZ⁶
if the equation does not hold, the randomized base point coordinates or the parameter b are regarded as tampered with; when the ready signal of the point verification module is 1, its result signal is 0 and the operation is terminated;
if the equation holds, the randomized base point coordinates and the parameter b are regarded as correct; when the point verification module outputs ready = 1, its result signal is 1, indicating that verification succeeded.
3. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, characterized in that the NAF point multiplication module reads the successfully verified randomized base point coordinates (Xi, Yi, Zi) and the key k, and outputs the point multiplication result kP(Xo, Yo, Zo) in the Jacobian coordinate system;
the NAF point multiplication module comprises a point addition module and a point doubling module; the point addition module performs the addition, in the Jacobian coordinate system, of a point Q and the base point P given in the affine coordinate system; the point doubling module performs the operation 2*Q in the Jacobian coordinate system; the point multiplication result kP(Xo, Yo, Zo) is obtained by recursively calling the point addition module and the point doubling module.
4. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 3, characterized in that the point multiplication is specifically as follows:
the number N of leading zeros of 3k is computed with a leading-zero algorithm, and the base point coordinates (Xi, Yi, Zi) are assigned to the point Q; the loop then begins:
the point doubling module is called once to compute Q = 2Q; if N = 258, Q = kP is output directly; otherwise decision 1 is made next: Z[257−N] = 1 and k[255−N] = 0 (Z here denoting the 258-bit value 3k, not the Z coordinate); if decision 1 holds, one point addition Q = Q + P is performed with the point addition module, N = N + 1, and the loop restarts;
if decision 1 does not hold, decision 2 is made: Z[257−N] = 0 and k[255−N] = 1; if decision 2 holds, one point addition Q = Q − P is performed with the point addition module, N = N + 1, and the loop restarts;
if decision 2 does not hold, a redundant point addition T = Q + P is performed, N = N + 1, and the loop restarts.
5. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, 3 or 4, characterized in that the point verification module comprises:
a second point verification module which verifies the point multiplication result kP(Xo, Yo, Zo) of the NAF point multiplication module, judging whether the point lies on the SM2 curve with the formula:
Yo² + 3XoZo⁴ = Xo³ + bZo⁶
where b is the SM2 elliptic curve parameter;
if the equation does not hold, the point multiplication of the NAF point multiplication module is regarded as erroneous; when the ready signal of the point verification module is 1, its result signal is 0 and the operation is terminated;
if the equation holds, the point multiplication of the NAF point multiplication module is regarded as correct; when the point verification module outputs ready = 1, its result signal is 1, indicating that verification succeeded.
6. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, characterized in that converting the point multiplication result from the Jacobian coordinate system to the affine coordinate system comprises:
reading the successfully verified point multiplication result kP(Xo, Yo, Zo) of the NAF point multiplication module;
calling the modular multiplication algorithm, where p is the prime that defines the SM2 elliptic curve and mod denotes the modular reduction operation, to compute
calling the modular multiplication algorithm and, at the same time, the modular inversion algorithm to compute
calling the modular inversion algorithm to compute
calling the modular multiplication algorithm to compute, separately,
outputting the converted affine coordinates x and y.
7. The SM2 point multiplication architecture resistant to side-channel attacks according to claim 1, characterized in that the output module's output of the error flag comprises: the Ready output of the output module going high, and the outputs x_o[255:0] and y_o[255:0] all being set to zero.
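The point multiplication rule of claim 4 applied to a randomized base point (claims 1 and 3), as an added worked example and not the patent's own design: the scalar is scanned through h = 3k, every iteration performs exactly one doubling and one point addition, and a redundant addition fills the positions where the signed digit is zero, so the sequence of curve operations does not depend on k. It uses the public SM2 curve parameters; the Jacobian addition and doubling formulas, the randomizer, the scalars and the function names are this example's assumptions. The claim's bookkeeping with a leading-zero count N over 258-bit registers is replaced by a direct scan of h from its second-highest bit down to bit 1; the digit rule (h_i = 1, k_i = 0: add P; h_i = 0, k_i = 1: subtract P; otherwise a discarded addition) is the same one the claim states.

```python
# Added example, not the patent's code: the claim-4 scalar multiplication rule
# (exactly one doubling and one point addition per scanned bit, a dummy
# addition when the signed digit is zero) on a randomized Jacobian base point
# over SM2, checked against plain double-and-add. Curve constants are the
# public SM2 values; lam, the scalars and all function names are assumptions.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
INF = (1, 1, 0)  # point at infinity in Jacobian coordinates (Z == 0)

def jac_double(Q):
    """2Q in Jacobian coordinates, a = -3 formulas (EFD dbl-2001-b)."""
    X1, Y1, Z1 = Q
    if Z1 == 0 or Y1 == 0:
        return INF
    delta, gamma = Z1 * Z1 % P, Y1 * Y1 % P
    beta = X1 * gamma % P
    alpha = 3 * (X1 - delta) * (X1 + delta) % P
    X3 = (alpha * alpha - 8 * beta) % P
    Z3 = ((Y1 + Z1) ** 2 - gamma - delta) % P
    Y3 = (alpha * (4 * beta - X3) - 8 * gamma * gamma) % P
    return (X3, Y3, Z3)

def jac_add(Q, R):
    """Q + R in Jacobian coordinates (EFD add-1998-cmo-2); the special cases
    are handled so the dummy addition can be fed any operands."""
    X1, Y1, Z1 = Q
    X2, Y2, Z2 = R
    if Z1 == 0:
        return R
    if Z2 == 0:
        return Q
    Z1Z1, Z2Z2 = Z1 * Z1 % P, Z2 * Z2 % P
    U1, U2 = X1 * Z2Z2 % P, X2 * Z1Z1 % P
    S1, S2 = Y1 * Z2 * Z2Z2 % P, Y2 * Z1 * Z1Z1 % P
    if U1 == U2:
        return jac_double(Q) if S1 == S2 else INF
    H, r = (U2 - U1) % P, (S2 - S1) % P
    HH = H * H % P
    HHH = HH * H % P
    V = U1 * HH % P
    X3 = (r * r - HHH - 2 * V) % P
    Y3 = (r * (V - X3) - S1 * HHH) % P
    return (X3, Y3, Z1 * Z2 * H % P)

def to_affine(Q):
    """x = X / Z^2, y = Y / Z^3: the only place a modular inverse is needed."""
    X, Y, Z = Q
    zi = pow(Z, -1, P)
    return (X * zi * zi % P, Y * zi * zi * zi % P)

def randomized_base_point(lam):
    """Jacobian representative (lam^2 Gx, lam^3 Gy, lam) of G, i.e. one of the
    M randomized base point entries held by the ROM module."""
    l2 = lam * lam % P
    return (GX * l2 % P, GY * l2 * lam % P, lam)

def scalar_mult_regular(k, Pj):
    """kP by the claim-4 rule. With h = 3k, scan i from the second-highest
    bit of h down to bit 1: Q = 2Q, then
      h_i = 1, k_i = 0 -> Q = Q + P      h_i = 0, k_i = 1 -> Q = Q - P
      otherwise        -> T = Q + P, T discarded (redundant addition)
    Returns (kP, doublings, real_adds, dummy_adds); doublings always equals
    real_adds + dummy_adds whatever the key, which is the SPA countermeasure."""
    h = 3 * k
    if h == 0:
        return (INF, 0, 0, 0)
    Q, negP = Pj, (Pj[0], (-Pj[1]) % P, Pj[2])
    doublings = real = dummy = 0
    for i in range(h.bit_length() - 2, 0, -1):
        Q = jac_double(Q)
        doublings += 1
        hi, ki = (h >> i) & 1, (k >> i) & 1
        if hi == 1 and ki == 0:
            Q, real = jac_add(Q, Pj), real + 1
        elif hi == 0 and ki == 1:
            Q, real = jac_add(Q, negP), real + 1
        else:
            _T, dummy = jac_add(Q, Pj), dummy + 1  # computed, never stored in Q
    return (Q, doublings, real, dummy)

def scalar_mult_reference(k, Pj):
    """Plain double-and-add, for checking only; its add-or-skip pattern leaks k."""
    Q = INF
    for i in range(k.bit_length() - 1, -1, -1):
        Q = jac_double(Q)
        if (k >> i) & 1:
            Q = jac_add(Q, Pj)
    return Q

if __name__ == "__main__":
    Pj = randomized_base_point(0x0F1E2D3C4B5A6978)  # constructed randomizer
    k = 0x6A0B3F3F1A24D9CC9E5E1AE6F0B9C2F1D3A4B5C6D7E8F90A1B2C3D4E5F607182
    Q, d, r, dm = scalar_mult_regular(k, Pj)
    print(to_affine(Q) == to_affine(scalar_mult_reference(k, Pj)), d == r + dm)
```

The operation counts returned by scalar_mult_regular make the SPA property visible: for every scalar the number of doublings equals the number of real plus dummy additions, so a power trace shows the same double-add rhythm regardless of the key. In hardware the claim obtains this by routing the redundant addition through the real point addition module; a software port must additionally make sure the discarded result T is consumed so the compiler cannot optimize the dummy addition away, which would reintroduce the leak.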

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710348996.9A CN108964914B (en) 2017-05-17 2017-05-17 SM2 point multiplication architecture for resisting side channel attack

Publications (2)

Publication Number Publication Date
CN108964914A true CN108964914A (en) 2018-12-07
CN108964914B CN108964914B (en) 2020-08-25

Family

ID=64461883

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710348996.9A Active CN108964914B (en) 2017-05-17 2017-05-17 SM2 point multiplication architecture for resisting side channel attack

Country Status (1)

Country Link
CN (1) CN108964914B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080205638A1 (en) * 2007-02-07 2008-08-28 Al-Gahtani Theeb A Method for elliptic curve scalar multiplication
CN103631660A (en) * 2013-09-23 2014-03-12 中国科学院数据与通信保护研究教育中心 Method and device for distributing storage resources in GPU in big integer calculating process

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
余荣威, 陈建华, 张四兰, 夏静波 et al.: "抗侧信道攻击的椭圆曲线点乘算法设计" (Design of an elliptic curve point multiplication algorithm resistant to side-channel attacks), 《计算机工程与应用》 (Computer Engineering and Applications) *
张振宾: "国密SM4和SM2算法功耗攻击关键技术研究与实现" (Research and implementation of key techniques for power analysis attacks on the national SM4 and SM2 algorithms), CNKI China Master's Theses Full-text Database, Information Science and Technology *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111416717A (en) * 2019-01-07 2020-07-14 中安网脉(北京)技术股份有限公司 Parallel multi-path hardware implementation method for SM2 algorithm
CN111416717B (en) * 2019-01-07 2023-01-03 中安网脉(北京)技术股份有限公司 SM2 algorithm parallel multi-path hardware implementation method
CN112019320A (en) * 2019-05-30 2020-12-01 中国科学技术大学 Energy track extraction method and system in side channel analysis
CN112019320B (en) * 2019-05-30 2022-04-19 中国科学技术大学 Energy track extraction method and system in side channel analysis
CN110611559A (en) * 2019-08-21 2019-12-24 广东工业大学 Side channel attack resistant SM2 dot product architecture based on algorithm layer and operation method thereof
CN110611559B (en) * 2019-08-21 2023-08-22 广东工业大学 SM2 point multiplication architecture for resisting side channel attack based on algorithm layer and operation method thereof
CN110798305A (en) * 2019-09-24 2020-02-14 瓦戈科技有限公司 Fault analysis defense method, electronic equipment and readable storage medium
CN110798305B (en) * 2019-09-24 2023-05-30 瓦戈科技有限公司 Fault analysis defense method, electronic equipment and readable storage medium
CN111211886A (en) * 2020-04-20 2020-05-29 成都信息工程大学 Energy analysis detection method for SM2 decryption algorithm
CN111211886B (en) * 2020-04-20 2020-07-14 成都信息工程大学 Energy analysis detection method for SM2 decryption algorithm
CN112134704A (en) * 2020-09-21 2020-12-25 中国电子科技网络信息安全有限公司 Sm2 performance optimization implementing method
CN114879934A (en) * 2021-12-14 2022-08-09 中国科学院深圳先进技术研究院 Efficient zero-knowledge proof accelerator and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant