CN111966324B - Implementation method and device for multi-elliptic curve scalar multiplier and storage medium - Google Patents

Implementation method and device for multi-elliptic curve scalar multiplier and storage medium Download PDF

Info

Publication number
CN111966324B
CN111966324B CN202010836415.8A CN202010836415A CN111966324B CN 111966324 B CN111966324 B CN 111966324B CN 202010836415 A CN202010836415 A CN 202010836415A CN 111966324 B CN111966324 B CN 111966324B
Authority
CN
China
Prior art keywords
point
calculation
scalar multiplication
coordinates
curve
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010836415.8A
Other languages
Chinese (zh)
Other versions
CN111966324A (en
Inventor
黄海
于斌
刘志伟
赵石磊
彭天彬
陶宏敬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin University of Science and Technology
Original Assignee
Harbin University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin University of Science and Technology filed Critical Harbin University of Science and Technology
Priority to CN202010836415.8A priority Critical patent/CN111966324B/en
Publication of CN111966324A publication Critical patent/CN111966324A/en
Application granted granted Critical
Publication of CN111966324B publication Critical patent/CN111966324B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/38Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation
    • G06F7/48Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation using non-contact-making devices, e.g. tube, solid state device; using unspecified devices
    • G06F7/52Multiplying; Dividing

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Complex Calculations (AREA)

Abstract

The invention provides a scalar multiplier implementation method, a device and a storage medium for multi-elliptic curves, which can be compatible with secp256r1 and Curve25519 elliptic curves at the same time, take independent consideration of a fixed base point G, call different point adding control and multiple point control according to curves and algorithms, use an operation unit to complete all scalar multiplication and module operation units to complete corresponding operation intermediate calculation results, occupy less hardware resources in a register file, and perform corresponding algorithm operation according to different Curve forms and function operation requirements, thereby reducing the hardware requirement area and improving the operation speed, and solving the problems that the scalar multiplier in the prior art cannot be compatible with multi-class curves, has lower operation speed and does not consider special cases in the aspect of algorithm commonality.

Description

Implementation method and device for multi-elliptic curve scalar multiplier and storage medium
Technical Field
The present invention relates to the field of cryptography, and in particular, to a method, an apparatus, and a storage medium for implementing a scalar multiplier for multiple elliptic curves.
Background
With the increasing computing power of computer processors, the security of traditional encryption algorithms is being increasingly tested, and more complex encryption algorithms are required to ensure the security of data. Elliptic curve cryptography is an asymmetric cryptography which has been active in recent years, and in the latest transmission layer security Protocol Version 1.3 (The Transport Layer Security (TLS) Protocol Version 1.3), various elliptic curves are used for data encryption, and the increasingly important role of elliptic curve cryptography is highlighted both in quantity and in actual frequency of use.
The performance of scalar multiplication is an important indicator for measuring the encryption performance of elliptic curves, and in order to achieve a faster encryption speed, it is necessary to complete scalar multiplication as quickly as possible. The main methods of scalar multiplication operation improvement in the prior art fall into three categories: an optimized scalar multiplication algorithm, a transformation coordinate system and an optimized modular operation algorithm.
The first type of optimization scalar multiplication algorithm is to change the operation process of scalar multiplication kG and reduce the total operation amount. Using earlier algorithms with left-to-right and right-to-left, for n-bit k values, n times of point addition and n/2 times of point addition need to be calculated, the point addition and the point addition of the left-to-right algorithm can be operated in parallel, but an additional modulo operation unit is needed; the k can be preprocessed relatively simply to realize a Non-adjacent-form (NAF) algorithm, and the number of times of point addition is further reduced to n/3 times; the m-bit segmentation processing can be performed on k, a window NAF method is realized, 2m point operation results in a window need to be calculated in pre-calculation, and the pre-calculation amount is large; the combo algorithm can be used to quickly complete scalar multiplication operations, but the pre-computation required is enormous; and Shamir algorithm suitable for multiple scalar multiplication, can finish the addition of two scalar multiplication with the time of one scalar multiplication; the multi-base chain algorithm can be adopted, and three times points and five times points are added to form a multi-base chain to accelerate scalar multiplication operation.
The second class of method transforms coordinate system algorithms are optimizing point-plus-point operations in scalar multiplication. The original curve equation uses a binary coordinate system, the point addition operation needs 1-time modulo inversion and 3-time modulo multiplication, the point multiplication operation needs 1-time modulo inversion and 4-time modulo multiplication, and the modulo inversion operation needs a large number of clock cycles. The point addition and multiplication operation formulas can be changed through the conversion of a coordinate system, the modulo inversion operation, such as affine coordinate system, is eliminated, the coordinates (X, Y) are converted into (X, Y, Z) according to the conversion formulas x=x/Z and y=y/Z, the point addition operation needs 14 times of modulo multiplication, and the multiplication operation needs 12 times of modulo multiplication; the jacobian coordinate system is commonly used, the conversion formula is x=x/Z2, y=y/Z3, 16 times of modular multiplication is needed to complete the point addition operation, and 10 times of modular multiplication is needed to complete the point multiplication operation. In addition, the modified Jacobian coordinate system, the mixed coordinate system and the like are transformed, the method is to make one transformation at the beginning, then eliminate the modulo inversion operation in the process of calculating the point addition and the point multiplication, and finally convert the calculation result into binary coordinates, and the whole scalar multiplication only uses one modulo inversion operation.
The third type of optimization method starts from basic modular operation, improves the speed of modular operation, and mainly comprises modular multiplication and modular inverse operation. The modular multiplication operation uses more Montgomery modular multiplication algorithm, and the final modular multiplication result is obtained by multiple iterative operation by decomposing the modular multiplication of multiple bits into the modular multiplication of 2m bits and utilizing the characteristic of binary system. The theoretical formula of the modular inversion operation generally adopts the small Fisher theorem, can also adopt a special modular inversion module to complete the modular inversion operation, can use the Montgomery modular inversion algorithm in cooperation with Montgomery modular multiplication, can complete the modular inversion operation without conversion, can also use a binary right-shift algorithm, calculates the modular inversion through multiple simple comparison and addition and subtraction, has small resource expenditure, and is mainly used for releasing modular multiplication units to achieve the purpose of parallelism by independently designing the modular inversion operation, and meanwhile, reduces the calculation cycle number.
The prior art has the following defects:
1. and cannot be compatible with multiple types of curves. Most of the existing scalar multipliers are only applicable to a single elliptic curve, or multiple domains (such as prime number domain and 2m domain), or multiple of the same class of curves, and cannot support multiple classes of curves. For example, to complete hardware encryption of TLS1.3 protocol, scalar multipliers of two types, weierstrass curve and Montgomery curve, are required.
2. The operation speed is slower. The conventional encryption is used for the Internet of things equipment, the required area is small, and meanwhile, the Montgomery modular multiplication algorithm and the like can divide the modular multiplication into a plurality of short bit wide multiplication iterative operations, so that the operation speed is reduced, and the operation speed cannot meet the requirement of the server side.
3. Algorithm versatility is over-taught. The special situation which is easy to meet in actual use is ignored, the signature and the verification signature are the main two functions of an elliptic curve, for signature operation, the scalar multiplication of the base point G is used, and the point of a fixed value is used, so that the special situation is often not considered independently in the algorithm of the prior art.
Disclosure of Invention
Based on the problems, the invention provides a realization method, a device and a storage medium for a multi-elliptic curve scalar multiplier, which are used for solving the problems that the scalar multiplier in the prior art cannot be compatible with multiple types of curves, has low operation speed and is not considered in special cases in the aspect of algorithm generality.
The embodiment of the invention discloses a realization method of a scalar multiplier for multiple elliptic curves, which is characterized by comprising the following steps:
the 16 point coordinates of the base point G of the secp256r1 Curve are pre-calculated and stored in a combpre-stored point coordinate part of a register file, and the characteristic value P1 of the secp256r1 Curve, the characteristic value P2 of the Curve25519 Curve and five times of the characteristic values 5P1 and 5P2 are stored in the register file together;
according to the elliptic curve form, 2P 1-4P 2 or 2P 2-4P 2 are calculated through a modular arithmetic unit, and if coordinates of a P point exist, the coordinates are stored into a register file together;
judging the form of an elliptic curve and the function operation requirement;
if the elliptic curve is in the form of secp256r1 and signature operation is to be carried out, calculating scalar multiplication mu G of the base point G, and carrying out operations of multiplying the point and adding 1 for each iteration by combining the coordinate loop iteration of the base point G of the precomputed secp256r1 curve, wherein the scalar multiplication operation is completed for 64 times by the loop iteration;
if the elliptic curve is in the form of secp256r1 and key exchange operation is required, calculating scalar multiplication lambda P of a general point P, performing double point and point addition operation, calculating coordinates of two points of 2P and 3P in advance, storing the coordinates into a Shamir precomputation point coordinate area of a register file, and performing loop iteration of two points of 2P and 3P of the general point P of the precomputed secp256r1 curve by combining the two points of coordinates of the 2P and 3P of the general point P, wherein each iteration performs double point and one point addition operation twice, and loop iteration is performed 128 times to complete scalar multiplication operation;
if the elliptic curve is in the form of secp256r1 and the signature verification operation is required to be carried out, calculating multi-scalar multiplication lambda P+mu G of a base point G and a general point P, carrying out 5 times of pre-calculation point coordinates of a double point and point addition operation loop, storing the pre-calculation point coordinates into a Shamir pre-calculation point coordinate area of a register file, and carrying out loop iteration of the pre-calculation point coordinates of 13 pre-calculation point of the secp256r1 curve by combining the pre-calculation point coordinates of the pre-calculation point, wherein each iteration carries out twice times of point addition and one time of point addition Z operation, and the loop iteration is carried out 128 times to complete scalar multiplication operation;
if the elliptic Curve is Curve25519 and key exchange operation is required, calculating scalar multiplication lambda P, performing step operation 255 times, performing cswap operation before and after each step operation, and exchanging two groups of coordinate points according to the condition of the marker bit;
and carrying out data post-processing according to the obtained scalar multiplication result, restoring the calculated ternary coordinates back to binary coordinates, completing scalar multiplication calculation and outputting a final result.
Further, the pre-calculation pre-calculates 16 point coordinates of the secp256r1 curve base point G, specifically:
pre-computing 16 coordinate points of {0000} g to {1111} g, wherein:
{0000} G calculation: (0X 2) 192 +0×2 128 +0×2 64 +0×2 0 )G;
{0001} G calculation: (0X 2) 192 +0×2 128 +0×2 64 +1×2 0 )G;
{0010} G calculation: (0X 2) 192 +0×2 128 +1×2 64 +0×2 0 )G;
{0011} G calculation: (0X 2) 192 +0×2 128 +1×2 64 +1×2 0 )G;
{0100} G calculation: (0X 2) 192 +1×2 128 +0×2 64 +0×2 0 )G;
{0101} G calculation: (0X 2) 192 +1×2 128 +0×2 64 +1×2 0 )G;
{0110} G calculation: (0X 2) 192 +1×2 128 +1×2 64 +0×2 0 )G;
{0111} G calculation: (0X 2) 192 +1×2 128 +1×2 64 +1×2 0 )G;
{1000} G calculation: (1X 2) 192 +0×2 128 +0×2 64 +0×2 0 )G;
{1001} G calculation: (1X 2) 192 +0×2 128 +0×2 64 +1×2 0 )G;
{1010} G calculation: (1X 2) 192 +0×2 128 +1×2 64 +0×2 0 )G;
{1011} G calculation: (1X 2) 192 +0×2 128 +1×2 64 +1×2 0 )G;
{1100} G calculation: (1X 2) 192 +1×2 128 +0×2 64 +0×2 0 )G;
{1101} G calculation: (1X 2) 192 +1×2 128 +0×2 64 +1×2 0 )G;
{1110} G calculation: (1X 2) 192 +1×2 128 +1×2 64 +0×2 0 )G;
{1111} G calculation: (1X 2) 192 +1×2 128 +1×2 64 +1×2 0 )G。
Further, the storing the characteristic value P1 of the secp256r1 Curve, the characteristic value P2 of the Curve25519 Curve, and the five times of the characteristic values 5P1 and 5P2 thereof in the register file together includes: the characteristic values P1 and P2 are fixed parameter values of the secp256r1 Curve and the Curve25519 Curve, respectively, and p1=2 224 (2 32 -1)+2 192 +2 96 -1,P2=2 255 –19。
Further, if the elliptic curve is in the form of secp256r1 and the signature operation is to be performed, calculating a scalar multiplication μg of the base point G, and performing operations of multiplying the base point G by the point and adding 1 once each time by combining the coordinate loop iteration of the base point G of the precomputed secp256r1 curve, where the scalar multiplication operation is completed 64 times by the loop iteration, specifically:
input 256-bit binary number μ= { μ 255 μ 254 μ 253 …μ 1 μ 0 Base point G of elliptic curve secp256r 1;
calculating a scalar multiplication q=μg;
constructing a comb algorithm pre-calculation table: pre-calculating {0000} G to {1111} G,16 pre-calculated coordinate points;
extracting comb algorithm coding coefficient alpha i ={μ i+192i+128i+64i };
Giving an initial value Q=0, which is an infinity point;
let i=63 to 0, and perform the following calculation in a cyclic manner;
Q=2Q;
Q=Q+α i G;
regarding the selection of the G coordinate point, the following method is adopted: in the ith cycle calculation, the four-bit values 192+i,128+i,64+i and i of mu in the mu G are selected to form a four-bit binary number, and a pre-calculation table of a comb algorithm is constructed: comparing {0000} to {1111} in {0000} G16 pre-calculated coordinate points, and selecting the pre-calculated point coordinates to participate in point addition operation if the comparison is the same;
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
Further, if the elliptic curve is in the form of secp256r1 and the signature verification operation is to be performed, calculating a multiple scalar multiplication λp+μg of the base point G and the general point P, specifically:
input 256-bit binary number λ= { λ 255 λ 254 λ 253 …λ 1 λ 0 },μ={μ 255 μ 254 μ 253 …μ 1 μ 0 -and any point P and base point G on elliptic curve secp256r 1;
calculating a scalar multiplication q=λp+μg;
constructing a pre-calculation table (00) P+ (00) G to (11) P+ (11) G, wherein (00) P+ (00) G, (01) P+ (00) G and (00) P+ (01) G do not need calculation;
let q=0, be the infinity point;
let i=127 to 0, the following calculation is performed in a loop:
Q=4Q;
Q=Q+{(λ 2i+1 λ 2i )P+(μ 2i+1 μ 2i )G};
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
Further, if the elliptic curve is in the form of secp256r1 and the key exchange operation is to be performed, a scalar multiplication λp of the general point P is calculated, specifically:
input 256-bit binary number λ= { λ 255 λ 254 λ 253 …λ 1 λ 0 -and any point P on elliptic curve secp256r 1;
calculating a scalar multiplication q=λp;
constructing precomputation tables (00) P to (11) P for 16 point coordinates, wherein (00) P does not need to be calculated;
let q=0, be the infinity point;
let i=127 to 0, the following calculation is performed in a loop:
Q=4Q;
Q=Q+{(λ 2i+1 λ 2i )P};
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
Further, if the elliptic Curve is Curve25519 and key exchange operation is to be performed, scalar multiplication λP is calculated, step operation is performed 255 times, cswap operation is performed before and after each step operation, and two groups of coordinate points are exchanged according to the flag bit condition, specifically:
input 255-bit binary number k= (k) 255 k 254 ……k 0 ) Point coordinates P 1 =(x 1 ,y 1 ) X of the abscissa of (2) 1
Calculating scalar multiplication result kP 1 =(x 2 ,y 2 ) X of the abscissa of (2) 2
Let X 1 =x 1 ;X 2 =x 1 ;Z 2 =0;X 3 =x 1 ;Z 3 =1; flag swap=0;
let i=254 to 0, the following calculation is cyclically performed:
swap=swap^k[i];
(X 2 ,X 3 )=cswap(swap,X 2 ,X 3 );
(Z 2 ,Z 3 )=cswap(swap,Z 2 ,Z 3 );
swap=k[i];
the step algorithm is adopted for calculation: (X) 2 ,Z 2 ,X 3 ,Z 3 )=Ladder step(X 1 ,X 2 ,Z 2 ,X 3 ,Z 3 );
(X 2 ,X 3 )=cswap(swap,X 2 ,X 3 );
(Z 2 ,Z 3 )=cswap(swap,Z 2 ,Z 3 );
Until the calculation is carried out until i=0, the operation is finished, and X is output 2 =X 2 /Z 2
And performing cswap operation before and after each step operation, and exchanging two groups of coordinate points according to the conditions of the swap flag bit, wherein the specific steps are as follows: when the swap flag bit is 1, exchanging two groups of coordinate points; when the swap flag bit is 0, no exchange is performed.
Further, the data post-processing is performed according to the obtained scalar multiplication result, the calculated ternary coordinates are restored back to binary coordinates, scalar multiplication calculation is completed, and a final result is output, specifically:
the method for converting the ternary coordinates (X, Y, Z) into the binary coordinates (X, Y) with common coordinates is as follows: x=x/Z 2 ,y=Y/Z 3
The embodiment of the invention also provides a realization device for the multi-elliptic curve scalar multiplier, which comprises:
the arithmetic unit is a 256-bit scalar multiplier;
the algorithm controller performs data operation exchange with the operation unit;
the register file performs data operation exchange with the operation unit.
Embodiments of the present invention also provide a computer readable storage medium storing one or more programs executable by one or more processors to implement a method of implementing a multi-elliptic curve scalar multiplier according to any of the preceding claims 1 to 8.
Compared with the prior art, the realization method, the device and the storage medium for the multi-elliptic curve scalar multiplier provided by the invention have the advantages that at least the following effects are realized: the realization method, the device and the storage medium for the multi-elliptic Curve scalar multiplier provided by the invention can be compatible with two elliptic curves of secp256r1 and Curve25519 at the same time, and solves the problem that most scalar multipliers in the prior art are only suitable for a single elliptic Curve, or a plurality of fields (such as prime number field and 2m field) or a plurality of similar curves and cannot be compatible with a plurality of types of elliptic curves; the method considers the fixed base point G independently, solves the technical problems that special situations are easy to be encountered when the actual use is easy to be ignored in the existing scalar multiplier realization method, signature and signature verification are the main two functions of an elliptic curve, and for signature operation, scalar multiplication on the base point G is used as the fixed base point, and the special situations are often not considered independently in the algorithm in the prior art; according to the method, different point adding control and multiple point control are called according to curves and algorithms, all scalar multiplication and modular operation units are used for completing corresponding operation intermediate calculation results, the occupied hardware resources in a register file are less, corresponding algorithm operation is carried out according to different curve forms and functional operation requirements, the hardware required area is reduced, the operation speed is improved, the technical problem that in the prior art, in an encryption application scene of equipment of the Internet of things, the required hardware area is smaller, meanwhile, the traditional scalar multiplication algorithm mostly adopts Montgomery modular multiplication algorithm, modular multiplication is divided into multiple short-bit wide multiplication iterative operation, the operation speed is reduced, and the operation speed cannot meet the requirements of the use of a server side is solved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an implementation method of a scalar multiplier for multiple elliptic curves according to an embodiment of the present invention;
fig. 2 is a block diagram of an implementation apparatus for a multi-elliptic curve scalar multiplier according to an embodiment of the present invention.
Detailed Description
In order to make the technical solution and advantages of the present invention more clear, the following describes in detail the implementation method, device and storage medium for a multi-elliptic curve scalar multiplier according to the embodiments of the present invention with reference to the accompanying drawings. It should be understood that the following description of the preferred embodiments is provided for the purpose of illustrating and explaining the invention, and is not intended to limit the invention. And embodiments and features of embodiments in this application may be combined with each other without conflict.
For more clear explanation of the technical scheme, the following explanation is made:
ellipses in TLS1.3 are of two types, one is a Weierstrass curve, satisfying the curve equation: y is 2 =x 3 +ax+b. Three curves of secp256r1, secp384r1 and secp521r1, which are proposed by the national institute of standards and technology (National Institute of Standards and Technology, NIST) are selected for TLS1.3, and belong to Weierstrass curves. Still another class of elliptic curves are Montgomery curves, whose equations are: y is 2 =x 3 +Ax 2 +x
Curve25519 Curve belongs to Montgomery Curve and was proposed by Bernstein in 2005 to be adopted by TLS 1.3.
The secp256r1 curve has 256 bits of operation data bits; curve25519 Curve has 255 bits of operation data.
The embodiment of the invention discloses a realization method of a scalar multiplier for multiple elliptic curves, which is characterized by comprising the following steps:
the 16 point coordinates of the base point G of the secp256r1 Curve are pre-calculated and stored in a combpre-stored point coordinate part of a register file, and the characteristic value P1 of the secp256r1 Curve, the characteristic value P2 of the Curve25519 Curve and five times of the characteristic values 5P1 and 5P2 are stored in the register file together;
according to the elliptic curve form, 2P 1-4P 2 or 2P 2-4P 2 are calculated through a modular arithmetic unit, and if coordinates of a P point exist, the coordinates are stored into a register file together;
judging the form of an elliptic curve and the function operation requirement;
if the elliptic curve is in the form of secp256r1 and signature operation is to be carried out, calculating scalar multiplication mu G of the base point G, and carrying out operations of multiplying the point and adding 1 for each iteration by combining the coordinate loop iteration of the base point G of the precomputed secp256r1 curve, wherein the scalar multiplication operation is completed for 64 times by the loop iteration;
if the elliptic curve is in the form of secp256r1 and key exchange operation is required, calculating scalar multiplication lambda P of a general point P, performing double point and point addition operation, calculating coordinates of two points of 2P and 3P in advance, storing the coordinates into a Shamir precomputation point coordinate area of a register file, and performing loop iteration of two points of 2P and 3P of the general point P of the precomputed secp256r1 curve by combining the two points of coordinates of the 2P and 3P of the general point P, wherein each iteration performs double point and one point addition operation twice, and loop iteration is performed 128 times to complete scalar multiplication operation;
if the elliptic curve is in the form of secp256r1 and the signature verification operation is required to be carried out, calculating multi-scalar multiplication lambda P+mu G of a base point G and a general point P, carrying out 5 times of pre-calculation point coordinates of a double point and point addition operation loop, storing the pre-calculation point coordinates into a Shamir pre-calculation point coordinate area of a register file, and carrying out loop iteration of the pre-calculation point coordinates of 13 pre-calculation point of the secp256r1 curve by combining the pre-calculation point coordinates of the pre-calculation point, wherein each iteration carries out twice times of point addition and one time of point addition Z operation, and the loop iteration is carried out 128 times to complete scalar multiplication operation;
if the elliptic Curve is Curve25519 and key exchange operation is required, calculating scalar multiplication lambda P, performing step operation 255 times, performing cswap operation before and after each step operation, and exchanging two groups of coordinate points according to the condition of the marker bit;
and carrying out data post-processing according to the obtained scalar multiplication result, restoring the calculated ternary coordinates back to binary coordinates, completing scalar multiplication calculation and outputting a final result.
Preferably, the pre-computing pre-computes 16 point coordinates of the base point G of the secp256r1 curve, specifically:
pre-computing 16 coordinate points of {0000} g to {1111} g, wherein:
{0000} G calculation: (0X 2) 192 +0×2 128 +0×2 64 +0×2 0 )G;
{0001} G calculation: (0X 2) 192 +0×2 128 +0×2 64 +1×2 0 )G;
{0010} G calculation: (0X 2) 192 +0×2 128 +1×2 64 +0×2 0 )G;
{0011} G calculation: (0X 2) 192 +0×2 128 +1×2 64 +1×2 0 )G;
{0100} G calculation: (0X 2) 192 +1×2 128 +0×2 64 +0×2 0 )G;
{0101} G calculation: (0X 2) 192 +1×2 128 +0×2 64 +1×2 0 )G;
{0110} G calculation: (0X 2) 192 +1×2 128 +1×2 64 +0×2 0 )G;
{0111} G calculation: (0X 2) 192 +1×2 128 +1×2 64 +1×2 0 )G;
{1000} G calculation: (1X 2) 192 +0×2 128 +0×2 64 +0×2 0 )G;
{1001} G calculation: (1X 2) 192 +0×2 128 +0×2 64 +1×2 0 )G;
{1010} G calculation: (1X 2) 192 +0×2 128 +1×2 64 +0×2 0 )G;
{1011} G calculation: (1X 2) 192 +0×2 128 +1×2 64 +1×2 0 )G;
{1100} G calculation: (1X 2) 192 +1×2 128 +0×2 64 +0×2 0 )G;
{1101} G calculation: (1X 2) 192 +1×2 128 +0×2 64 +1×2 0 )G;
{1110} G calculation: (1X 2) 192 +1×2 128 +1×2 64 +0×2 0 )G;
{1111} G calculation: (1X 2) 192 +1×2 128 +1×2 64 +1×2 0 )G。
Preferably, the characteristic value P1 of the secp256r1 Curve, the characteristic value P2 of the Curve25519 Curve and the five times characteristic values 5P1 and 5P2 thereof are stored in a registerIn a stack, comprising: the characteristic values P1 and P2 are fixed parameter values of the secp256r1 Curve and the Curve25519 Curve, respectively, and p1=2 224 (2 32 -1)+2 192 +2 96 -1,P2=2 255 –19。
Preferably, if the elliptic curve is in the form of secp256r1 and the signature operation is to be performed, calculating a scalar multiplication μg of the base point G, and performing operations of multiplying the base point G by the point and adding 1 once each time in combination with the coordinate loop iteration of the base point G of the precomputed secp256r1 curve, where the scalar multiplication operation is completed 64 times in the loop iteration, specifically:
input 256-bit binary number μ= { μ 255 μ 254 μ 253 …μ 1 μ 0 Base point G of elliptic curve secp256r 1;
calculating a scalar multiplication q=μg;
constructing a comb algorithm pre-calculation table: pre-calculating {0000} G to {1111} G,16 pre-calculated coordinate points;
extracting comb algorithm coding coefficient alpha i ={μ i+192i+128i+64i };
Giving an initial value Q=0, which is an infinity point;
let i=63 to 0, and perform the following calculation in a cyclic manner;
Q=2Q;
Q=Q+α i G;
regarding the selection of the G coordinate point, the following method is adopted: in the ith cycle calculation, the four-bit values 192+i,128+i,64+i and i of mu in the mu G are selected to form a four-bit binary number, and a pre-calculation table of a comb algorithm is constructed: comparing {0000} to {1111} in {0000} G16 pre-calculated coordinate points, and selecting the pre-calculated point coordinates to participate in point addition operation if the comparison is the same;
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
Preferably, if the elliptic curve is in the form of secp256r1 and the signature verification operation is to be performed, a multiple scalar multiplication λp+μg of the base point G and the general point P is calculated, specifically:
input 256-bit binary number λ={λ 255 λ 254 λ 253 …λ 1 λ 0 },μ={μ 255 μ 254 μ 253 …μ 1 μ 0 -and any point P and base point G on elliptic curve secp256r 1;
calculating a scalar multiplication q=λp+μg;
constructing a pre-calculation table (00) P+ (00) G to (11) P+ (11) G, wherein (00) P+ (00) G, (01) P+ (00) G and (00) P+ (01) G do not need calculation;
let q=0, be the infinity point;
let i=127 to 0, the following calculation is performed in a loop:
Q=4Q;
Q=Q+{(λ 2i+1 λ 2i )P+(μ 2i+1 μ 2i )G};
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
Preferably, if the elliptic curve is in the form of secp256r1 and the key exchange operation is to be performed, a scalar multiplication λp of the general point P is calculated, specifically:
input 256-bit binary number λ= { λ 255 λ 254 λ 253 …λ 1 λ 0 -and any point P on elliptic curve secp256r 1;
calculating a scalar multiplication q=λp;
constructing precomputation tables (00) P to (11) P for 16 point coordinates, wherein (00) P does not need to be calculated;
let q=0, be the infinity point;
let i=127 to 0, the following calculation is performed in a loop:
Q=4Q;
Q=Q+{(λ 2i+1 λ 2i )P};
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
Preferably, if the elliptic Curve is Curve25519 and key exchange operation is to be performed, scalar multiplication λP is calculated, step operation is performed 255 times, cswap operation is performed before and after each step operation, and two groups of coordinate points are exchanged according to the flag bit condition, specifically:
input 255-bit binary number k= (k) 255 k 254 ……k 0 ) Point coordinates P 1 =(x 1 ,y 1 ) X of the abscissa of (2) 1
Calculating scalar multiplication result kP 1 =(x 2 ,y 2 ) X of the abscissa of (2) 2
Let X 1 =x 1 ;X 2 =x 1 ;Z 2 =0;X 3 =x 1 ;Z 3 =1; flag swap=0;
let i=254 to 0, the following calculation is cyclically performed:
swap=swap^k[i];
(X 2 ,X 3 )=cswap(swap,X 2 ,X 3 );
(Z 2 ,Z 3 )=cswap(swap,Z 2 ,Z 3 );
swap=k[i];
the step algorithm is adopted for calculation: (X) 2 ,Z 2 ,X 3 ,Z 3 )=Ladder step(X 1 ,X 2 ,Z 2 ,X 3 ,Z 3 );
(X 2 ,X 3 )=cswap(swap,X 2 ,X 3 );
(Z 2 ,Z 3 )=cswap(swap,Z 2 ,Z 3 );
Until the calculation is carried out until i=0, the operation is finished, and X is output 2 =X 2 /Z 2
And performing cswap operation before and after each step operation, and exchanging two groups of coordinate points according to the conditions of the swap flag bit, wherein the specific steps are as follows: when the swap flag bit is 1, exchanging two groups of coordinate points; when the swap flag bit is 0, no exchange is performed.
Preferably, the data post-processing is performed according to the obtained scalar multiplication result, the calculated ternary coordinates are restored back to binary coordinates, scalar multiplication calculation is completed, and a final result is output, specifically:
three-dimensional coordinates (X, Y, Z) are converted into a binary coordinate systemThe method of the label (x, y) is as follows: x=x/Z 2 ,y=Y/Z 3
Preferably, the multiple point operation is specifically:
solving for ternary coordinates (X 3 ,Y 3 ,Z 3 )=2(X 1 ,Y 1 ,Z 1 ) The method comprises the steps of carrying out a first treatment on the surface of the Presetting an intermediate variable t 1 ,t 2 ,t 3 ,t 4 ,t 5 And the initial value is set as null;
step 1, performing modular multiplication operation Z 1 ·Z 1 And stores the operation result in the intermediate variable t 1 In (a) and (b);
step 2, performing modular multiplication operation Y 1 ·Y 1 And stores the operation result in the intermediate variable t 2 In which the modulo addition operation X is performed simultaneously 1 +t 1 And stores the operation result in the intermediate variable t 3 In the calculation of the modulo subtraction operation X 1 -t 1 And stores the operation result in the intermediate variable t 4 In (a) and (b);
step 3. For the intermediate variable t in step 2 3 And t 4 Carry out modular multiplication operation t 3 ·t 4 And updating the operation result to the intermediate variable t 1 In (a) and (b);
step 4, performing modular multiplication operation Y 1 ·Z 1 And updating the operation result to the intermediate variable t 3 In calculating the intermediate variable t 2 8 times the value of 8t 2 And updating the operation result to the intermediate variable t 4 In (a) and (b);
step 5, performing modular multiplication operation X1. T 4 And stores the operation result into an intermediate variable t 5 In calculating the intermediate variable t 1 3 times the value of 3t 1 And updating the operation result to the intermediate variable t 1 In (a) and (b);
step 6. For the intermediate variable t obtained in step 5 1 Carry out modular multiplication operation t 1 ·t 1 And updating the operation result to the intermediate variable t 3 Then the updated intermediate variable t is performed 3 Carry out modulo addition and subtraction operation t 3 +t 3 And store the operation result in Z 3 In (a) and (b);
step 7. For the medium obtained in step 2Inter-variable t 2 And obtaining intermediate variable t in step 4 4 Carry out modular multiplication operation t 2 ·t 4 And updating the operation result to the intermediate variable t 2 In which the modulo subtraction operation t is performed simultaneously 3 -t 5 And store the operation result in X 3 In (a) and (b); performing modular subtraction operation for 1.5t 5 -t 3 And updating the operation result to the intermediate variable t 4 In (a) and (b);
step 8. For the intermediate variable t obtained in step 5 1 And for the intermediate variable t obtained in step 7 4 Performing modular multiplication operation, and updating the operation result to an intermediate variable t 1 In (a) and (b);
step 9. For the intermediate variable t obtained in step 8 1 And for the intermediate variable t obtained in step 7 2 Performing a modulo subtraction operation t 1 -t 2 And store the operation result into Y 3 Is a kind of medium.
Preferably, the point-adding 1 operation is specifically:
solving for ternary coordinates (X 3 ,Y 3 ,Z 3 )=(X 1 ,Y 1 ,Z 1 )+(X 2 ,Y 2 1) a step of; presetting an intermediate variable t 1 ,t 2 ,t 3 ,t 4 And the initial value is set as null;
step 1, performing modular multiplication operation Z1.Z 1 And updating the operation result in the intermediate variable t 1 In (a) and (b);
step 2, performing modular multiplication operation Y 2 ·Z 1 And updating the operation result in the intermediate variable t 2 In (a) and (b);
step 3, updating the intermediate variable t obtained in the step 1 1 And X is 2 Carry out modular multiplication operation t 1 ·X 2 And updating the operation result in the intermediate variable t 3 In (a) and (b);
step 4, updating the intermediate variable t obtained in the step 1 1 And updating the obtained intermediate variable t in step 1 2 Carry out modular multiplication operation t 1 ·t 2 And updating the operation result in the intermediate variable t 1 In (a) and (b); for t obtained by updating in step 3 3 And X is 1 Performing a modulo subtraction operation t 3 -X 1 And updating the operation result in the intermediate variable t 2 In (a) and (b); for t obtained by updating in step 3 3 And X is 1 Carry out modulo addition operation t 3 +X 1 And updating the operation result in the intermediate variable t 3 In (a) and (b);
step 5, updating the intermediate variable t obtained in the step 2 2 Carry out modular multiplication operation t 2 ·t 2 And updating the operation result in the intermediate variable t 4 In (a) and (b); for the intermediate variable t updated and obtained in step 4 1 And Y is equal to 1 Performing a modulo subtraction operation t 1 -Y 1 And updating the operation result in the intermediate variable t 1 In (a) and (b);
step 6, updating the intermediate variable t obtained in the step 2 2 And Z is 1 Performing modular multiplication operation and storing the operation result into Z 3 In (a) and (b);
step 7, updating the intermediate variable t obtained in the step 2 2 And updating the obtained intermediate variable t in step 5 4 Performing modular multiplication operation t2 t 4 And updating the operation result in the intermediate variable t 2 In (a) and (b);
step 8, updating the intermediate variable t obtained in the step 2 3 And updating the obtained intermediate variable t in step 5 4 Performing modular multiplication operation t 3t 4 And updating the operation result in the intermediate variable t 3 In (a) and (b);
step 9. Update the intermediate variable t obtained in step 5 1 Performing modular multiplication operation t1 t 1 And updating the operation result in the intermediate variable t 5 In (a) and (b);
step 10. Update the intermediate variable t obtained in step 5 4 And X 1 Performing modular multiplication operation t4.t 1 And updating the operation result in the intermediate variable t 4 In (a) and (b); for the intermediate variable t updated and obtained in step 8 3 And updating the obtained intermediate variable t in step 9 5 Performing a modulo subtraction operation t 5 -t 3 And store the operation result in X 3 In (a) and (b);
step 11, updating the obtained intermediate variable t in step 7 2 And Y 1 Performing modular multiplication operation Y 1 ·t 2 And updating the operation result in the intermediate variable t 2 In (a) and (b); for the intermediate variable t updated and obtained in step 10 4 And X 3 Performing modular subtraction operation, and updating the operation result in an intermediate variable t 3 In (a) and (b);
step 12, updating the obtained intermediate variable t in step 5 1 And the intermediate variable t obtained by updating in step 11 3 Carry out modular multiplication operation t 3 ·t 1 And updating the operation result in the intermediate variable t 1 In (a) and (b);
step 13. Update the intermediate variable t obtained in step 12 1 And updating the obtained intermediate variable t in step 11 2 Performing modular subtraction operation and storing the operation result into Y 3 Is a kind of medium.
Preferably, the point-plus-Z operation is specifically:
solving for ternary coordinates (X 3 ,Y 3 ,Z 3 )=(X 1 ,Y 1 ,Z 1 )+(X 2 ,Y 2 ,Z 2 ) The method comprises the steps of carrying out a first treatment on the surface of the Presetting an intermediate variable t 1 ,t 2 ,t 3 ,t 4 ,t 5 ,t 6 And the initial value is set as null;
step 1, performing modular multiplication operation Z 1 ·Z 1 And updating the operation result in the intermediate variable t 1 In (a) and (b);
step 2, performing modular multiplication operation Z2.Z 1 And updating the operation result in the intermediate variable t 2 In (a) and (b);
step 3, updating the intermediate variable t obtained in the step 1 1 And X is 2 Carry out modular multiplication operation t 1 ·X 2 And updating the operation result to X 3 In (a) and (b);
step 4, updating the intermediate variable t obtained in the step 2 2 And X is 1 Carry out modular multiplication operation t 2 ·X 1 And updating the operation result in the intermediate variable t 3 In (a) and (b);
step 5, updating the intermediate variable t obtained in the step 1 1 And Z is 1 Carry out modular multiplication operation t 1 ·Z 1 And updating the operation result in the intermediate variable t 1 In (a) and (b); update in step 3Obtained X 3 And the intermediate variable t obtained by updating in step 4 3 Carry out modulo addition operation t 3 +X 3 And updating the operation result in the intermediate variable t 6 In (a) and (b); for the X obtained by updating in step 3 3 And the intermediate variable t obtained by updating in step 4 3 Performing a modulo subtraction operation X 3 -t 3 And updating the operation result in the intermediate variable t 4 In (a) and (b);
step 6. Updating the intermediate variable t obtained in step 5 4 Performing modular multiplication operation t4.t 4 And updating the operation result in the intermediate variable t 5 In (a) and (b);
step 7, updating the intermediate variable t obtained in the step 2 2 And Z 2 Carry out modular multiplication operation t 2 ·Z 2 And updating the operation result in the intermediate variable t 2 In (a) and (b);
step 8, updating the obtained intermediate variable t in the step 5 1 And Y 2 Carry out modular multiplication operation t 1 ·Y 2 And updating the operation result in the intermediate variable t 1 In (a) and (b);
step 9. Update the intermediate variable t obtained in step 7 2 And Y is equal to 1 Carry out modular multiplication operation t 2 ·Y 1 And updating the operation result in the intermediate variable t 2 In (a) and (b);
step 10. Update the intermediate variable t obtained in step 5 6 And updating the obtained intermediate variable t in step 6 5 Carry out modular multiplication operation t 5 ·t 6 And store the operation result into Y 3 In (a) and (b);
step 11, updating the obtained intermediate variable t in step 5 4 And updating the obtained intermediate variable t in step 6 5 Carry out modular multiplication operation t 4 ·t 5 And updating the operation result in the intermediate variable t 6 In (a) and (b); for the intermediate variable t updated and obtained in step 8 1 And updating the obtained intermediate variable t in step 9 2 Performing a modulo subtraction operation t 1 -t 2 And updating the operation result in the intermediate variable t 3 In (a) and (b); for the intermediate variable t updated and obtained in step 8 1 And updating the obtained intermediate variable t in step 9 2 Carry out modulo addition operation t 1 +t 2 And updating the operation result in the intermediate variable t 2 In (a) and (b);
step 12, updating the obtained intermediate variable t in step 11 3 Carry out modular multiplication operation t 3 ·t 3 And updating the operation result in the intermediate variable t 1 In (a) and (b);
step 13. Update the intermediate variable t obtained in step 11 2 And intermediate variable t 6 Step-wise performing modular multiplication t 2 ·t 6 And updating the operation result in the intermediate variable t 5 In (a) and (b); for the intermediate variable t updated and obtained in step 12 1 And Y is equal to 3 Performing a modulo subtraction operation and storing the result in X 3 In (a) and (b);
step 14. For Z 1 And Z 2 Performing modular multiplication operation Z 1 ·Z 2 And store the result in Z 3 In (a) and (b); for Y 3 And 2X in step 13 3 Performing a modulo subtraction operation Y 3 -2X 3 And updating the operation result in the intermediate variable t 6 In (a) and (b);
step 15. Update the intermediate variable t obtained in step 11 3 And the intermediate variable t obtained by updating in step 14 6 Performing modular multiplication operation t 3t 6 And update the result into Y 3 In (a) and (b);
step 16. Update the obtained Z in step 14 3 And the intermediate variable t obtained by updating in step 5 4 Performing modular multiplication operation Z3.t 4 The method comprises the steps of carrying out a first treatment on the surface of the For the Y obtained by updating in step 15 3 And the intermediate variable t obtained by updating in step 13 5 Performing a modulo subtraction operation Y 3 -t 5 And update the result into Y 3 In (a) and (b);
step 17. Update the Y obtained in step 16 3 Performing modulo addition operation to 0.5.Y 3 And update the result into Y 3 Is a kind of medium.
The embodiment of the invention also provides a realization device for the multi-elliptic curve scalar multiplier, which comprises:
the arithmetic unit is a 256-bit scalar multiplier;
the algorithm controller performs data operation exchange with the operation unit;
the register file performs data operation exchange with the operation unit.
Embodiments of the present invention also provide a computer readable storage medium storing one or more programs executable by one or more processors to implement a method of implementing a multi-elliptic curve scalar multiplier according to any of the preceding claims 1 to 8.
The realization method, the device and the storage medium for the multi-elliptic curve scalar multiplier provided by the invention have the following beneficial effects: the technical scheme of the invention can be compatible with two elliptic curves of secp256r1 and Curve25519 at the same time, and solves the problem that most scalar multipliers in the prior art are only suitable for a single elliptic Curve, or a plurality of domains (such as prime number domain and 2m domain) or a plurality of similar curves and cannot be compatible with a plurality of elliptic curves; the method considers the fixed base point G independently, solves the technical problems that special situations are easy to be encountered when the actual use is easy to be ignored in the existing scalar multiplier realization method, signature and signature verification are the main two functions of an elliptic curve, and for signature operation, scalar multiplication on the base point G is used as the fixed base point, and the special situations are often not considered independently in the algorithm in the prior art; according to the method, different point adding control and multiple point control are called according to curves and algorithms, all scalar multiplication and modular operation units are used for completing corresponding operation intermediate calculation results, the occupied hardware resources in a register file are less, corresponding algorithm operation is carried out according to different curve forms and functional operation requirements, the hardware required area is reduced, the operation speed is improved, the technical problem that in the prior art, in an encryption application scene of equipment of the Internet of things, the required hardware area is smaller, meanwhile, the traditional scalar multiplication algorithm mostly adopts Montgomery modular multiplication algorithm, modular multiplication is divided into multiple short-bit wide multiplication iterative operation, the operation speed is reduced, and the operation speed cannot meet the requirements of the use of a server side is solved.
From the foregoing description of embodiments, it will be apparent to those skilled in the art that embodiments of the present invention may be implemented in hardware, or may be implemented in a combination of software and a necessary general purpose hardware platform. Based on such understanding, the technical solution of the embodiments of the present invention may be embodied in the form of a software product, where the software product may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.), and includes several instructions for causing a computer device (may be a personal computer, a server, or a network device, etc.) to perform the method described in the embodiments of the present invention.
Those skilled in the art will appreciate that the drawing is merely a schematic representation of one preferred embodiment and that the modules or processes in the drawing are not necessarily required to practice the invention.
Those skilled in the art will appreciate that modules in an apparatus of an embodiment may be distributed in an apparatus of an embodiment as described in the embodiments, and that corresponding changes may be made in one or more apparatuses different from the present embodiment. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. A method for implementing a multi-elliptic curve-oriented scalar multiplier, comprising:
the 16 point coordinates of the base point G of the secp256r1 Curve are pre-calculated and stored in a combpre-stored point coordinate part of a register file, and the characteristic value P1 of the secp256r1 Curve, the characteristic value P2 of the Curve25519 Curve and five times of the characteristic values 5P1 and 5P2 are stored in the register file together;
judging the form of an elliptic curve and the function operation requirement;
if the elliptic curve is in the form of secp256r1 and signature operation is to be carried out, calculating scalar multiplication mu G of the base point G, and carrying out operations of multiplying the point and adding 1 for each iteration by combining the coordinate loop iteration of the base point G of the precomputed secp256r1 curve, wherein the scalar multiplication operation is completed for 64 times by the loop iteration;
if the elliptic curve is in the form of secp256r1 and key exchange operation is required, calculating scalar multiplication lambda P of a general point P, performing double point and point addition operation, calculating coordinates of two points of 2P and 3P in advance, storing the coordinates into a Shamir precomputation point coordinate area of a register file, and performing loop iteration of two points of 2P and 3P of the general point P of the precomputed secp256r1 curve by combining the two points of coordinates of the 2P and 3P of the general point P, wherein each iteration performs double point and one point addition operation twice, and loop iteration is performed 128 times to complete scalar multiplication operation;
if the elliptic curve is in the form of secp256r1 and the signature verification operation is required to be carried out, calculating multi-scalar multiplication lambda P+mu G of a base point G and a general point P, carrying out 5 times of pre-calculation point coordinates of a double point and point addition operation loop, storing the pre-calculation point coordinates into a Shamir pre-calculation point coordinate area of a register file, and carrying out loop iteration of the pre-calculation point coordinates of 13 pre-calculation point of the secp256r1 curve by combining the pre-calculation point coordinates of the pre-calculation point, wherein each iteration carries out twice times of point addition and one time of point addition Z operation, and the loop iteration is carried out 128 times to complete scalar multiplication operation;
if the elliptic Curve is Curve25519 and key exchange operation is required, calculating scalar multiplication lambda P, performing step operation 255 times, performing cswap operation before and after each step operation, and exchanging two groups of coordinate points according to the condition of the marker bit;
and carrying out data post-processing according to the obtained scalar multiplication result, restoring the calculated ternary coordinates back to binary coordinates, completing scalar multiplication calculation and outputting a final result.
2. The method according to claim 1, characterized in that the pre-calculation of 16 point coordinates of the secp256r1 curve base point G is:
pre-computing 16 coordinate points of {0000} g to {1111} g, wherein:
{0000} G calculation: (0X 2) 192 +0×2 128 +0×2 64 +0×2 0 )G;
{0001} G calculation: (0X 2) 192 +0×2 128 +0×2 64 +1×2 0 )G;
{0010} G calculation: (0X 2) 192 +0×2 128 +1×2 64 +0×2 0 )G;
{0011} G calculation: (0X 2) 192 +0×2 128 +1×2 64 +1×2 0 )G;
{0100} G calculation: (0X 2) 192 +1×2 128 +0×2 64 +0×2 0 )G;
{0101} G calculation: (0X 2) 192 +1×2 128 +0×2 64 +1×2 0 )G;
{0110} G calculation: (0X 2) 192 +1×2 128 +1×2 64 +0×2 0 )G;
{0111} G calculation: (0X 2) 192 +1×2 128 +1×2 64 +1×2 0 )G;
{1000} G calculation: (1X 2) 192 +0×2 128 +0×2 64 +0×2 0 )G;
{1001} G calculation: (1X 2) 192 +0×2 128 +0×2 64 +1×2 0 )G;
{1010} G calculation: (1X 2) 192 +0×2 128 +1×2 64 +0×2 0 )G;
{1011} G calculation: (1X 2) 192 +0×2 128 +1×2 64 +1×2 0 )G;
{1100} G calculation: (1X 2) 192 +1×2 128 +0×2 64 +0×2 0 )G;
{1101} G calculation: (1X 2) 192 +1×2 128 +0×2 64 +1×2 0 )G;
{1110} G calculation: (1X 2) 192 +1×2 128 +1×2 64 +0×2 0 )G;
{1111} G calculation: (1X 2) 192 +1×2 128 +1×2 64 +1×2 0 )G。
3. The method of claim 1, wherein storing the characteristic value P1 of the secp256r1 Curve, the characteristic value P2 of the Curve25519 Curve, and the five times characteristic values 5P1 and 5P2 thereof together in the register file comprises: the characteristic values P1 and P2 are fixed parameter values of the secp256r1 Curve and the Curve25519 Curve, respectively, and p1=2 224 (2 32 -1)+2 192 +2 96 -1,P2=2 255 –19。
4. The method according to claim 2, wherein if the elliptic curve is in the form of secp256r1 and the signature operation is to be performed, calculating a scalar multiplication μg of the base point G, and performing a double-point and a single-point plus 1 operation in combination with the coordinate loop iteration of the base point G of the precomputed secp256r1 curve, the loop iteration completing the scalar multiplication operation 64 times, specifically:
input 256-bit binary number μ= { μ 255 μ 254 μ 253 …μ 1 μ 0 Base point G of elliptic curve secp256r 1;
calculating a scalar multiplication q=μg;
constructing a comb algorithm pre-calculation table: pre-calculating {0000} G to {1111} G,16 pre-calculated coordinate points;
extracting comb algorithm coding coefficient alpha i ={μ i+192i+128i+64i };
Giving an initial value Q=0, which is an infinity point;
let i=63 to 0, and perform the following calculation in a cyclic manner;
Q=2Q;
Q=Q+α i G;
regarding the selection of the G coordinate point, the following method is adopted: in the ith cycle calculation, the four-bit values 192+i,128+i,64+i and i of mu in the mu G are selected to form a four-bit binary number, and a pre-calculation table of a comb algorithm is constructed: {0000} G to {1111} G16 pre-calculated coordinate points {0000} to {1111} are compared, and if the same, the pre-calculated point coordinates are selected to participate in point addition operation;
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
5. The method according to claim 1, wherein if the elliptic curve is in the form of secp256r1 and the signature verification operation is to be performed, a multiple scalar multiplication λp+μg of the base point G and the general point P is calculated, specifically:
input 256-bit binary number λ= { λ 255 λ 254 λ 253 …λ 1 λ 0 },μ={μ 255 μ 254 μ 253 …μ 1 μ 0 -and any point P and base point G on elliptic curve secp256r 1;
calculating a scalar multiplication q=λp+μg;
constructing a pre-calculation table (00) P+ (00) G to (11) P+ (11) G, wherein (00) P+ (00) G, (01) P+ (00) G and (00) P+ (01) G do not need calculation;
let q=0, be the infinity point;
let i=127 to 0, the following calculation is performed in a loop:
Q=4Q;
Q=Q+{(λ 2i+1 λ 2i )P+(μ 2i+1 μ 2i )G};
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
6. The method according to claim 1, wherein if the elliptic curve is in the form of secp256r1 and the key exchange operation is to be performed, calculating a scalar multiplication λp of the general point P is specifically:
input 256-bit binary number λ= { λ 255 λ 254 λ 253 …λ 1 λ 0 -and any point P on elliptic curve secp256r 1;
calculating a scalar multiplication q=λp;
constructing precomputation tables (00) P to (11) P for 16 point coordinates, wherein (00) P does not need to be calculated;
let q=0, be the infinity point;
let i=127 to 0, the following calculation is performed in a loop:
Q=4Q;
Q=Q+{(λ 2i+1 λ 2i )P};
and (3) until the calculation is carried out until i=0, ending the operation, and outputting a final scalar multiplication result Q.
7. The method of claim 1, wherein if the elliptic Curve is Curve25519 and the key exchange operation is to be performed, calculating scalar multiplication λP, performing step operation 255 times, performing cswap operation before and after each step operation, and exchanging two sets of coordinate points according to the flag bit condition, wherein the steps are as follows:
input 255-bit binary number k= (k) 255 k 254 ……k 0 ) Point coordinates P 1 =(x 1 ,y 1 ) X of the abscissa of (2) 1
Calculating scalar multiplication result kP 1 =(x 2 ,y 2 ) X of the abscissa of (2) 2
Let X 1 =x 1 ;X 2 =x 1 ;Z 2 =0;X 3 =x 1 ;Z 3 =1; flag swap=0;
let i=254 to 0, the following calculation is cyclically performed:
swap=swap^k[i];
(X 2 ,X 3 )=cswap(swap,X 2 ,X 3 );
(Z 2 ,Z 3 )=cswap(swap,Z 2 ,Z 3 );
swap=k[i];
the step algorithm is adopted for calculation: (X) 2 ,Z 2 ,X 3 ,Z 3 )=Ladder step(X 1 ,X 2 ,Z 2 ,X 3 ,Z 3 );
(X 2 ,X 3 )=cswap(swap,X 2 ,X 3 );
(Z 2 ,Z 3 )=cswap(swap,Z 2 ,Z 3 );
Until calculated to i=0, endOperation, output X 2 =X 2 /Z 2
And performing cswap operation before and after each step operation, and exchanging two groups of coordinate points according to the conditions of the swap flag bit, wherein the specific steps are as follows: when the swap flag bit is 1, exchanging two groups of coordinate points; when the swap flag bit is 0, no exchange is performed.
8. The method according to claim 1, wherein the data post-processing is performed according to the obtained scalar multiplication result, the calculated ternary coordinates are restored to binary coordinates, the scalar multiplication calculation is completed, and the final result is output, specifically:
the method for converting the ternary coordinates (X, Y, Z) into the binary coordinates (X, Y) with common coordinates is as follows: x=x/Z 2 ,y=Y/Z 3
9. A multi-elliptic curve-oriented scalar multiplier implementation apparatus, comprising: the arithmetic unit is a 256-bit scalar multiplier;
the algorithm controller performs data operation exchange with the operation unit;
the register file performs data operation exchange with the operation unit.
10. A computer readable storage medium storing one or more programs executable by one or more processors to implement the multi-elliptic curve scalar multiplier of any of claims 1-8.
CN202010836415.8A 2020-08-19 2020-08-19 Implementation method and device for multi-elliptic curve scalar multiplier and storage medium Active CN111966324B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010836415.8A CN111966324B (en) 2020-08-19 2020-08-19 Implementation method and device for multi-elliptic curve scalar multiplier and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010836415.8A CN111966324B (en) 2020-08-19 2020-08-19 Implementation method and device for multi-elliptic curve scalar multiplier and storage medium

Publications (2)

Publication Number Publication Date
CN111966324A CN111966324A (en) 2020-11-20
CN111966324B true CN111966324B (en) 2024-01-30

Family

ID=73388511

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010836415.8A Active CN111966324B (en) 2020-08-19 2020-08-19 Implementation method and device for multi-elliptic curve scalar multiplier and storage medium

Country Status (1)

Country Link
CN (1) CN111966324B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113691543A (en) * 2021-08-25 2021-11-23 苏州国芯科技股份有限公司 Data encryption method and device based on elliptic curve, computer equipment and medium
CN114879934B (en) * 2021-12-14 2023-01-10 中国科学院深圳先进技术研究院 Efficient zero-knowledge proof accelerator and method
CN114527956B (en) * 2022-01-25 2024-05-10 北京航空航天大学 Calculation method for non-fixed point scalar multiplication in SM2 algorithm for resisting SPA attack
CN115276994A (en) * 2022-04-22 2022-11-01 北京智芯微电子科技有限公司 Encrypted data processing method and device, electronic equipment and storage medium
CN115129297B (en) * 2022-08-30 2022-12-13 北京象帝先计算技术有限公司 Multi-point multiplication operation system, method, graphic processor, electronic device and equipment
CN116820394B (en) * 2023-08-29 2023-11-03 无锡沐创集成电路设计有限公司 Scalar multiplication circuit oriented to elliptic curve encryption algorithm
CN117972761B (en) * 2024-04-01 2024-08-06 杭州金智塔科技有限公司 Data processing method and device based on SM2 cryptographic algorithm

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005015526A1 (en) * 2003-08-06 2005-02-17 Fujitsu Limited Elliptic curve encrypting device, elliptic curve encryp-ting method, elliptic curve encrypting program andcomputer-readable recording medium recording that program
CN105094746A (en) * 2014-05-07 2015-11-25 北京万协通信息技术有限公司 Method for achieving point addition/point doubling of elliptic curve cryptography
CN108875416A (en) * 2018-06-22 2018-11-23 北京智芯微电子科技有限公司 Elliptic curve multi point arithmetic method and apparatus
CN109117677A (en) * 2018-09-21 2019-01-01 阿里巴巴集团控股有限公司 A kind of circuit for elliptic curve multi point arithmetic

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7856101B2 (en) * 2007-02-07 2010-12-21 King Fahd University Of Petroleum And Minerals Method for elliptic curve scalar multiplication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005015526A1 (en) * 2003-08-06 2005-02-17 Fujitsu Limited Elliptic curve encrypting device, elliptic curve encryp-ting method, elliptic curve encrypting program andcomputer-readable recording medium recording that program
CN105094746A (en) * 2014-05-07 2015-11-25 北京万协通信息技术有限公司 Method for achieving point addition/point doubling of elliptic curve cryptography
CN108875416A (en) * 2018-06-22 2018-11-23 北京智芯微电子科技有限公司 Elliptic curve multi point arithmetic method and apparatus
CN109117677A (en) * 2018-09-21 2019-01-01 阿里巴巴集团控股有限公司 A kind of circuit for elliptic curve multi point arithmetic

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
低面积复杂度AES低熵掩码方案的研究;姜久兴等;通信学报;第40卷(第5期);201-210 *
抗SPA 攻击的椭圆曲线NAF 标量乘实现算法;王敏等;通信学报;第33卷(第Z1期);228-232 *

Also Published As

Publication number Publication date
CN111966324A (en) 2020-11-20

Similar Documents

Publication Publication Date Title
CN111966324B (en) Implementation method and device for multi-elliptic curve scalar multiplier and storage medium
CN113628094B (en) High-throughput SM2 digital signature computing system and method based on GPU
CN112070222B (en) Processing device, accelerator and method for federal learning
CN114021734B (en) Parameter calculation device, system and method for federal learning and privacy calculation
CN109145616B (en) SM2 encryption, signature and key exchange implementation method and system based on efficient modular multiplication
CN101782845A (en) High speed arithmetic device and method of elliptic curve code
CN108875416B (en) Elliptic curve multiple point operation method and device
CN113794572A (en) Hardware implementation system and method for high-performance elliptic curve digital signature and signature verification
CN113010142A (en) Novel pulse node type scalar dot multiplication dual-domain implementation system and method
CN114527956A (en) Computing method for non-fixed point scalar multiplication in SPA attack resistant SM2 cryptographic algorithm
CN111984226B (en) Cube root solving device and solving method based on hyperbolic CORDIC
CN113467754A (en) Lattice encryption modular multiplication operation method and framework based on decomposition reduction
Liu et al. Efficient digit-serial KA-based multiplier over binary extension fields using block recombination approach
CN111079934B (en) Number theory transformation unit and method applied to error learning encryption algorithm on ring domain
Lee et al. Area-efficient subquadratic space-complexity digit-serial multiplier for type-II optimal normal basis of $ GF (2^{m}) $ using symmetric TMVP and block recombination techniques
CN116225369A (en) SM2 algorithm scalar multiplication operation optimization method and system
CN106126193A (en) Elliptic curve point based on Zynq adds arithmetic accelerator and accelerated method
CN114594925A (en) Efficient modular multiplication circuit suitable for SM2 encryption operation and operation method thereof
CN111756538B (en) Method and device for realizing ECC scalar multiplier based on prime preprocessing
CN106712949A (en) Montgomery-based piecewise scalar multiplication calculation method
CN106911475A (en) The implementation method and its circuit structure of a kind of Tate pairings
CN116820394B (en) Scalar multiplication circuit oriented to elliptic curve encryption algorithm
US11954487B2 (en) Techniques, devices, and instruction set architecture for efficient modular division and inversion
Ors et al. Hardware implementation of an elliptic curve processor over GF (p) with montgomery modular multiplier
CN114531241B (en) Data encryption method and device, electronic equipment using data encryption method and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant