CN113660087A - SM9 identification cryptographic algorithm hardware implementation system based on finite field - Google Patents

Info

Publication number: CN113660087A
Application number: CN202110763602.2A
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN113660087B (en)
Inventor: 陈华锋
Current assignee / original assignee: Zhejiang University of Media and Communications
Prior art keywords: module, algorithm, function, calculation, computation

Events
Application filed by Zhejiang University of Media and Communications
Priority to CN202110763602.2A
Publication of CN113660087A
Application granted
Publication of CN113660087B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073 Public key involving algebraic varieties involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds


Abstract

The invention belongs to the field of information security and discloses a finite-field-based SM9 identification cryptographic algorithm hardware implementation system comprising a register module, a data path module, a bottom-layer control module, a memory module, an auxiliary function module, a random number module and an algorithm function module. The bottom-layer operations of the system are designed modularly, provide multiple operation functions and flexible interfaces, and, besides supporting the SM9 upper-layer operations, can support the core operation steps of other public key cryptographic algorithms such as the SM2 national cryptographic algorithm and ECDSA. All operation steps of the system are realized in hardware; the total area is small while high operation performance is kept, and the performance is greatly improved compared with a software implementation.

Description

SM9 identification cryptographic algorithm hardware implementation system based on finite field
Technical Field
The invention belongs to the field of information security and particularly relates to an SM9 identification cryptographic algorithm hardware implementation system over a finite field.
Background
In 1984 the concept of identification (identity-based) cryptographic algorithms was first proposed. In an identification cryptosystem, a user's private key is computed by a key generation center from a master key and the user's identification, and the user's public key is uniquely determined by that identification, so the authenticity of the user's public key does not need to be guaranteed by a third party. The SM9 cryptographic algorithm is a public key cryptographic algorithm constructed from an elliptic curve pairing; its security rests on the bilinear property of the pairing. When the elliptic curve discrete logarithm problem and the discrete logarithm problem in the extension field are equally hard to solve, the pairing can be used to construct an identification cryptographic algorithm that offers both security and implementation efficiency.
As a public key cryptographic algorithm based on bilinear pairings, the SM9 identification cryptographic algorithm dispenses with certificate authentication by a third-party organization while keeping high security. However, because it involves computation over elliptic curves and finite fields, its computational complexity is high and its computation slow, which restricts the algorithm's application. Increasing the operation speed of the SM9 algorithm is therefore significant.
Disclosure of Invention
To solve these problems, the invention designs, in compliance with the SM9 cryptographic algorithm standard, an SM9 identification cryptographic algorithm hardware implementation system based on a finite field that realizes fast operation of the SM9 algorithm. The specific technical scheme of the system is as follows:
an SM9 identification cryptographic algorithm hardware implementation system based on a finite field comprises a register module, a data path module, a bottom-layer control module, a memory module, an auxiliary function module, a random number module and an algorithm function module;
the register module reads the user's configuration information and control information;
the data path module performs the various operations on the data taking part in the computation: it moves data between the registers and the memory and performs simple operations on the data, including writing data from the registers into the memory, reading data from the memory, and transferring the initial parameters, identification and plaintext data that the user writes into the registers to the memory through the data access module;
the memory module stores the various operation data, including initial parameters, intermediate values and results;
the bottom-layer control module calls the bottom-layer algorithm modules to complete the various finite field computations, elliptic curve computations and encryption operations;
the auxiliary function module realizes the cryptographic functions H1/H2 and the key derivation function KDF of the SM9 algorithm, the key derivation function generating the encryption and decryption keys in the SM9 algorithm;
the random number module generates the random numbers in [1, N-1] required by the algorithm;
the algorithm function module calls the remaining modules to realize the various algorithm functions of the SM9 algorithm.
Further, the specific functions of the register module are: the user writes control information and configuration information into the register module; the register module transfers the initial parameters, identification and plaintext data written by the user to the memory module and then starts the corresponding algorithm function according to the control information; if the operation succeeds, the register module reads the result from the memory module and returns it to the user; if the operation fails, the register module returns a computation-failure signal to the user.
Further, the data path module can move data between different addresses in the memory, including comparing two data items, concatenating two data items end to end, and shifting data.
Further, the bottom-layer algorithm modules comprise a bilinear pairing module, an SM3 operation module and an SM4 operation module. The bilinear pairing module provides finite field computation, elliptic curve computation and bilinear pairing computation; the SM3 operation module is a hardware implementation of the SM3 algorithm, a hash algorithm suitable for digital signature generation and verification and for generation and verification of message authentication codes in SM9 applications; the SM4 operation module is a hardware implementation of the SM4 algorithm, a block cipher algorithm used for public key encryption and decryption in the SM9 algorithm.
Furthermore, the bilinear pairing module comprises a prime field calculation module, a quadratic extension field operation module, a quartic extension field operation module, a twelfth-degree extension field operation module, a quadratic extension field elliptic curve operation module, a line function operation module, a final exponentiation module and a bilinear pairing computation state machine;
the prime field calculation module completes the modular operations and elliptic curve point operations in the prime field;
the quadratic extension field operation module realizes the operations in the quadratic extension field obtained by extending the prime field to degree two, namely modular addition, modular subtraction, modular multiplication, modular inversion and the Frobenius operation on quadratic extension field elements;
the quartic extension field operation module realizes the operations in the quartic extension field obtained by extending the prime field to degree four, namely modular addition, modular subtraction, modular multiplication, modular inversion and the Frobenius operation on quartic extension field elements;
the twelfth-degree extension field operation module realizes the operations in the twelfth-degree extension field obtained by extending the prime field to degree twelve, namely modular multiplication, modular inversion, modular exponentiation and the Frobenius operation on twelfth-degree extension field elements;
the quadratic extension field elliptic curve operation module realizes the operations on elliptic curve points over the quadratic extension field, namely coordinate system conversion, point addition, point multiplication and the Frobenius operation on such points; the coordinate system conversion refers to converting elliptic curve points over the quadratic extension field between the affine coordinate system and a projective coordinate system;
the line function operation module realizes the function g_{U,V}(Q) in the R-ate pairing computation, i.e. it computes the equation of the line through two elliptic curve points; g_{U,V}(Q) is computed according to the definition in the SM9 algorithm standard: if the two elliptic curve points are distinct and neither is the point at infinity, the result is the equation of the line through the two points; if the two points are the same point and not the point at infinity, the result is the equation of the tangent to the elliptic curve at that point; if one of the two points is the point at infinity, the result is the equation of the vertical line (perpendicular to the x axis) through the other point;
the final exponentiation module implements the last step of the R-ate pairing computation, i.e. f = f^((q^12 - 1)/R);
the bilinear pairing computation state machine controls and calls each module to complete the bilinear pairing computation.
Furthermore, the prime field calculation module comprises a modular addition/subtraction hardware module, a Montgomery modular multiplication hardware module, a modular inversion hardware module and a prime field elliptic curve calculation module. The modular addition/subtraction hardware module realizes modular addition, modular subtraction and modular reduction in the prime field; the Montgomery modular multiplication hardware module realizes modular multiplication in the prime field and is based on an optimized Montgomery modular multiplication algorithm; the modular inversion hardware module realizes modular inversion in the prime field; the prime field elliptic curve calculation module realizes point addition, point multiplication and point testing in the prime field.
Furthermore, the operation steps of the cryptographic functions H1/H2 and the key derivation function KDF in the auxiliary function module follow the steps in the SM9 algorithm standard; H1/H2 and KDF need to call a cryptographic hash function Hv(), which is realized by the SM3 operation module.
Further, the algorithm functions of the SM9 algorithm comprise digital signature generation, digital signature verification, the key exchange protocol, public key encryption and public key decryption; each algorithm function performs its computation according to the steps in the SM9 algorithm standard.
The SM9 identification cryptographic algorithm hardware implementation system based on the finite field has the following advantages:
1. the bottom layer operation of the system realizes modular design, has multiple operation functions and flexible interfaces, and can support the core operation steps of public key cryptographic algorithms such as SM2 national cryptographic algorithm, ECDSA and the like while supporting the realization of SM9 upper layer operation.
2. All the operation steps of the system are realized by hardware, the total area is small, high operation performance is kept, and the performance is greatly improved compared with the performance realized by software.
Drawings
Fig. 1 is a flow chart of the SM9 digital signature generation algorithm;
Fig. 2 is a flow chart of the SM9 digital signature verification algorithm;
Fig. 3 is a flow chart of the SM9 key exchange protocol;
Fig. 4 is a flow chart of the SM9 public key encryption algorithm;
Fig. 5 is a flow chart of the SM9 decryption algorithm;
Fig. 6 is an architecture diagram of the finite-field-based SM9 identification cryptographic algorithm hardware implementation system of the present invention;
Fig. 7 is an architecture diagram of the bilinear pairing module of the present invention.
Detailed Description
The invention is further elucidated with reference to specific embodiments. While following the SM9 identification cryptographic algorithm standard, the invention provides an SM9 identification cryptographic algorithm hardware implementation system over a finite field that realizes fast operation of the SM9 algorithm. The embodiment discloses the architecture of such a system. The embodiment of the hardware implementation system follows the national cryptographic SM9 algorithm standard and adopts the 256-bit BN curve and the R-ate pairing recommended by that standard.
Embodiments of the present invention are described below with reference to the accompanying drawings. The examples only explain the invention and do not limit its scope.
As shown in Fig. 6, the finite-field-based SM9 identification cryptographic algorithm hardware implementation system includes a register module, a data path module, a bottom-layer control module, a memory module, an auxiliary function module, a random number module and an algorithm function module.
The register module reads the user's configuration information and control information. The user writes control information, such as the selection of an algorithm function, and configuration information, such as the data to be computed, into the register module; the register module transfers the initial parameters, identification, plaintext data and so on written by the user to the memory module and starts the corresponding algorithm function according to the control information; if the operation succeeds, the register module reads the result from the memory module and returns it to the user; if the operation fails, the register module returns a computation-failure signal to the user.
The data path module performs the various operations on the data taking part in the computation: it moves data between the registers and the memory and performs simple operations on the data, including writing data from the registers into the memory, reading data from the memory, and transferring the initial parameters, identification, plaintext data and so on that the user writes into the registers to the memory through the data access module. The data path module can also move data between different addresses in the memory, including comparing two data items, concatenating two data items end to end, shifting data, and so on.
The memory module stores the various operation data, including initial parameters, intermediate values and results.
The bottom-layer control module calls the bottom-layer algorithm modules to complete the various finite field computations, elliptic curve computations and encryption operations. The bottom-layer algorithm modules comprise a bilinear pairing module, an SM3 operation module and an SM4 operation module. The bilinear pairing module is the core computation module of the SM9 algorithm and provides finite field computation, elliptic curve computation and bilinear pairing computation; the SM3 operation module is a hardware implementation of the SM3 algorithm, a hash algorithm suitable for digital signature generation and verification and for generation and verification of message authentication codes in SM9 applications; the SM4 operation module is a hardware implementation of the SM4 algorithm, a block cipher algorithm used for public key encryption and decryption in the SM9 algorithm.
The bilinear pairing module realizes finite field computation, elliptic curve computation and bilinear pairing computation and is the core computation module of the SM9 algorithm. The embodiment provides a hardware architecture for the bilinear pairing module, shown in Fig. 7: it comprises a prime field calculation module, a quadratic extension field operation module, a quartic extension field operation module, a twelfth-degree extension field operation module, a quadratic extension field elliptic curve operation module, a line function operation module, a final exponentiation module and a bilinear pairing computation state machine.
The prime field calculation module completes the modular operations in the prime field and the operations on elliptic curve points. It comprises a modular addition/subtraction hardware module, a Montgomery modular multiplication hardware module, a modular inversion hardware module and a prime field elliptic curve calculation module. The modular addition/subtraction hardware module realizes modular addition, modular subtraction and modular reduction in the prime field. The Montgomery modular multiplication hardware module realizes modular multiplication in the prime field; it is based on an optimized Montgomery modular multiplication algorithm and has high operation efficiency. The modular inversion hardware module realizes modular inversion in the prime field. The prime field elliptic curve calculation module realizes point addition, point multiplication and point testing in the prime field.
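As an added example (not code from the patent), a word-serial Montgomery modular multiplication in Python, in the operand-scanning form a 32-bit datapath would implement: each iteration consumes one word of the multiplier, folds in the multiple of p that cancels the low word, and shifts by one word, so the reduction never needs a trial division. Operands stay in Montgomery form across a chain of multiplications, which is what makes the technique attractive for the point multiplications and exponentiations the prime field module performs. The modulus 2^255 - 19 is a stand-in prime chosen for illustration; the page does not give the SM9 curve prime. The function and parameter names are the example's own.

```python
# Added example: word-serial Montgomery modular multiplication (operand-scanning form).
# The modulus below is a stand-in prime, NOT the SM9 BN-curve prime (the page gives no curve values).
W = 32                      # word size, as a 32-bit datapath would use
P_TEST = (1 << 255) - 19    # constructed stand-in odd modulus (255 bits, so R = 2^256 > p)

def mont_params(p: int, w: int = W):
    """Return (n_words, R, p_inv) with R = 2^(w*n) > p and p_inv = -p^{-1} mod 2^w."""
    n = (p.bit_length() + w - 1) // w
    R = 1 << (w * n)
    p_inv = (-pow(p, -1, 1 << w)) % (1 << w)    # p is odd, so it is invertible mod 2^w
    return n, R, p_inv

def mont_mul(a: int, b: int, p: int, w: int = W) -> int:
    """Compute a*b*R^{-1} mod p for 0 <= a, b < p, consuming one w-bit word of b per iteration."""
    n, _, p_inv = mont_params(p, w)
    mask = (1 << w) - 1
    t = 0
    for i in range(n):
        b_i = (b >> (w * i)) & mask
        t += a * b_i
        m = ((t & mask) * p_inv) & mask      # choose m so that t + m*p is divisible by 2^w
        t = (t + m * p) >> w                  # exact division: the low word is now zero
    # With a, b < p and R > p the loop result is below 2p; one conditional subtraction suffices.
    return t - p if t >= p else t

def to_mont(a: int, p: int, w: int = W) -> int:
    """Montgomery form a*R mod p (done once per operand, e.g. when loading curve parameters)."""
    _, R, _ = mont_params(p, w)
    return (a * R) % p

def from_mont(a_bar: int, p: int, w: int = W) -> int:
    """Leave Montgomery form: multiplying by 1 strips one factor of R."""
    return mont_mul(a_bar, 1, p, w)

def mont_pow(base: int, e: int, p: int, w: int = W) -> int:
    """Left-to-right square-and-multiply carried out entirely in Montgomery form."""
    _, R, _ = mont_params(p, w)
    acc = R % p                               # Montgomery form of 1
    b_bar = to_mont(base, p, w)
    for bit in bin(e)[2:]:
        acc = mont_mul(acc, acc, p, w)
        if bit == "1":
            acc = mont_mul(acc, b_bar, p, w)
    return from_mont(acc, p, w)

def mul_mod(a: int, b: int, p: int, w: int = W) -> int:
    """Plain modular product via one round trip through Montgomery form (for cross-checking)."""
    return from_mont(mont_mul(to_mont(a, p, w), to_mont(b, p, w), p, w), p, w)
```

The conversion into and out of Montgomery form costs a full reduction each, so a hardware module keeps all intermediate values in that form and converts only at the boundary, which is what mont_pow shows.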
The quadratic extension field operation module realizes the operations in the quadratic extension field obtained by extending the prime field to degree two: modular addition, modular subtraction, modular multiplication, modular inversion and the Frobenius operation on quadratic extension field elements.
The quartic extension field operation module realizes the operations in the quartic extension field obtained by extending the prime field to degree four: modular addition, modular subtraction, modular multiplication, modular inversion and the Frobenius operation on quartic extension field elements.
The twelfth-degree extension field operation module realizes the operations in the twelfth-degree extension field obtained by extending the prime field to degree twelve: modular multiplication, modular inversion, modular exponentiation and the Frobenius operation on twelfth-degree extension field elements.
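As an added example (not the patent's own code), the first level of the extension tower described in the three paragraphs above, written in Python: modular addition, subtraction, multiplication, inversion and the Frobenius map on F_{q^2} = F_q[u]/(u^2 - beta). The prime q = 1000037 and beta = -2 are constructed test parameters, not the SM9 BN-curve values (which the page does not give); q is chosen with q ≡ 5 (mod 8) so that -2 is a quadratic non-residue and the quotient ring is a field. The example also shows why a hardware module can list the Frobenius operation alongside the cheap operations: for a non-residue beta, raising to the q-th power is just conjugation, one negation instead of an exponentiation.

```python
# Added example: arithmetic in the quadratic extension F_{q^2} = F_q[u]/(u^2 - beta).
# Constructed parameters, NOT the SM9 BN-curve values: a small prime q with q ≡ 5 (mod 8),
# which makes beta = -2 a quadratic non-residue so that the quotient ring is a field.
Q_TEST = 1000037
BETA = Q_TEST - 2          # -2 mod q

def is_prime(n: int) -> bool:
    """Trial division; enough to validate the constructed modulus."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def is_nonresidue(b: int, q: int) -> bool:
    """Euler's criterion: b^((q-1)/2) == -1 (mod q) iff b is a non-square in F_q."""
    return pow(b, (q - 1) // 2, q) == q - 1

class Fq2:
    """Element a + b*u with u^2 = beta; only the operations the text names: add, sub, mul, inv, Frobenius."""
    __slots__ = ("a", "b")

    def __init__(self, a: int, b: int = 0):
        self.a, self.b = a % Q_TEST, b % Q_TEST

    def __eq__(self, other):
        return (self.a, self.b) == (other.a, other.b)

    def __repr__(self):
        return f"Fq2({self.a}, {self.b})"

    def __add__(self, o):
        return Fq2(self.a + o.a, self.b + o.b)

    def __sub__(self, o):
        return Fq2(self.a - o.a, self.b - o.b)

    def __mul__(self, o):
        # (a1 + b1 u)(a2 + b2 u) = a1 a2 + beta b1 b2 + (a1 b2 + a2 b1) u
        return Fq2(self.a * o.a + BETA * self.b * o.b, self.a * o.b + self.b * o.a)

    def inverse(self):
        # Norm N(x) = x * conj(x) = a^2 - beta b^2 lies in F_q, so x^{-1} = conj(x) / N(x):
        # one F_q inversion plus a few F_q multiplications.
        norm = (self.a * self.a - BETA * self.b * self.b) % Q_TEST
        if norm == 0:
            raise ZeroDivisionError("inverse of zero in F_q2")
        inv = pow(norm, -1, Q_TEST)
        return Fq2(self.a * inv, -self.b * inv)

    def frobenius(self):
        # x -> x^q. Since u^q = u * beta^((q-1)/2) = -u for a non-residue beta and a^q = a in F_q,
        # (a + b u)^q = a - b u: the Frobenius map is conjugation.
        return Fq2(self.a, -self.b)

    def pow(self, e: int):
        """Square-and-multiply; used here only to cross-check frobenius() against x^q."""
        acc, base = Fq2(1), self
        while e:
            if e & 1:
                acc = acc * base
            base = base * base
            e >>= 1
        return acc
```

The same pattern (norm-based inversion, Frobenius by a fixed cheap twist) is what lets the quartic and twelfth-degree modules be built on top of this one; the test below checks the conjugation claim directly against an honest exponentiation.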
The quadratic extension field elliptic curve operation module realizes the operations on elliptic curve points over the quadratic extension field: coordinate system conversion, point addition, point multiplication and the Frobenius operation on such points. The coordinate system conversion refers to converting elliptic curve points over the quadratic extension field between the affine coordinate system and a projective coordinate system.
The line function operation module realizes the function g_{U,V}(Q) in the R-ate pairing computation, i.e. it computes the equation of the line through two elliptic curve points. g_{U,V}(Q) is computed according to the definition in the SM9 algorithm standard: if the two elliptic curve points are distinct and neither is the point at infinity, the result is the equation of the line through the two points; if the two points are the same point and not the point at infinity, the result is the equation of the tangent to the elliptic curve at that point; if one of the two points is the point at infinity, the result is the equation of the vertical line (perpendicular to the x axis) through the other point.
The final exponentiation module implements the last step of the R-ate pairing computation, i.e. f = f^((q^12 - 1)/R).
The bilinear pairing computation state machine controls and calls each module to complete the bilinear pairing computation.
The bilinear pairing computation in this embodiment uses the R-ate pairing on the BN curve; the computation proceeds as follows:
π_q is the Frobenius endomorphism, π_q: E → E, π_q(x, y) = (x^q, y^q).
[Formula image BDA0003149956030000081 not extracted.]
Computation of the R-ate pairing:
Input: a point P in the prime field F_p, a point Q in the quadratic extension field F_{p^2}, a = 6t + 2.
Output: an element f of the twelfth-degree extension field F_{p^12}.
Step 1: write a in binary as [formula image BDA0003149956030000082 not extracted], with a_{L-1} = 1;
Step 2: set T = Q and f = 1;
Step 3: for i decreasing from L-2 to 0, perform:
a) compute f = f^2 · g_{T,T}(P), T = [2]T;
b) if a_i = 1, compute f = f · g_{T,Q}(P), T = T + Q;
Step 4: compute [formula image BDA0003149956030000083 not extracted];
Step 5: compute f = f · g_{T,Q1}(P), T = T + Q1;
Step 6: compute f = f · g_{T,-Q2}(P), T = T - Q2;
Step 7: compute [formula image BDA0003149956030000084 not extracted];
Step 8: output f.
The auxiliary function module realizes the cryptographic functions H_1/H_2 of the SM9 algorithm and the key derivation function KDF, which generates the encryption and decryption keys in the SM9 algorithm. The operation steps of H_1/H_2 and KDF follow the steps in the SM9 algorithm standard. H_1/H_2 and KDF need to call a cryptographic hash function H_v(); the SM9 algorithm standard specifies a cryptographic hash function H_v() approved by the national cryptographic administration, such as the SM3 cryptographic hash algorithm, which in this embodiment is implemented by the SM3 operation module.
The random number module generates the random numbers in [1, N-1] required by the algorithm.
The algorithm function module calls the remaining modules to realize the algorithm functions of the SM9 algorithm, which comprise digital signature generation, digital signature verification, the key exchange protocol, public key encryption and public key decryption. The algorithm functions follow the steps in the SM9 algorithm standard; the computation steps of each algorithm are as follows:
1) Digital signature generation algorithm, as shown in Fig. 1:
The message to be signed is a bit string M. To obtain the digital signature (h, S) of M, user A as the signer performs the following steps:
Step 1: invoke the bilinear pairing module to compute the element g = e(P_1, P_pub-s) of the group G_T;
Step 2: generate a random number r ∈ [1, N-1] with the random number module;
Step 3: compute the element w = g^r of G_T with the bilinear pairing module, and convert the data type of w into a bit string;
Step 4: compute the integer h = H_2(M || w, N) with the auxiliary function module, where H_2 is a cryptographic function of the SM9 algorithm;
Step 5: compute the integer l = (r - h) mod N with the prime field calculation module (a submodule of the bilinear pairing module); if l = 0, return to Step 2;
Step 6: compute the element S = [l]d_SA of G_1 with the prime field calculation module;
Step 7: convert h and S into byte strings; the signature of the message M is (h, S).
2) Digital signature verification algorithm, as shown in Fig. 2:
To verify a received message M' and its digital signature (h', S'), user B as the verifier performs the following steps:
Step 1: check whether h' ∈ [1, N-1]; if not, verification fails;
Step 2: convert the data type of S' into a point on the elliptic curve and check whether S' ∈ G_1; if not, verification fails;
Step 3: invoke the bilinear pairing module to compute the element g = e(P_1, P_pub-s) of G_T;
Step 4: compute the element t = g^{h'} of G_T;
Step 5: compute the integer h_1 = H_1(ID_A || hid, N) with the auxiliary function module, where H_1 is a cryptographic function of the SM9 algorithm;
Step 6: compute the element P = [h_1]P_2 + P_pub-s of G_2;
Step 7: invoke the bilinear pairing module to compute the element u = e(S', P) of G_T;
Step 8: compute the element w' of G_T and convert the data type of w' into a bit string;
Step 9: compute the integer h_2 = H_2(M' || w', N) with the auxiliary function module and check h_2 = h' with the data path module; if it holds, verification passes; otherwise verification fails.
3) Key exchange protocol, as shown in Fig. 3:
Users A and B negotiate key data of klen bits; user A is the initiator and user B the responder. To obtain the same key, A and B perform the following steps:
User A:
Step A1: compute the element Q_B = [H_1(ID_B || hid, N)]P_1 + P_pub-e of G_1;
Step A2: generate a random number r_A ∈ [1, N-1];
Step A3: compute the element R_A = [r_A]Q_B of G_1;
Step A4: send R_A to user B;
User B:
Step B1: compute the element Q_A = [H_1(ID_A || hid, N)]P_1 + P_pub-e of G_1;
Step B2: generate a random number r_B ∈ [1, N-1];
Step B3: compute the element R_B = [r_B]Q_A of G_1;
Step B4: verify whether R_A ∈ G_1 holds; if not, the negotiation fails; otherwise invoke the bilinear pairing module to compute the elements g_1 = e(R_A, de_B), g_2 = e(P_pub-e, P_2)^{r_B}, g_3 = g_1^{r_B} of G_T, and convert the data types of g_1, g_2, g_3 into bit strings;
Step B5: convert the data types of R_A and R_B into bit strings and compute SK_B = KDF(ID_A || ID_B || R_A || R_B || g_1 || g_2 || g_3, klen) with the auxiliary function module, where KDF is the key derivation function of the SM9 algorithm;
Step B6 (optional): invoke the SM3 operation module to compute S_B = Hash(0x82 || g_1 || Hash(g_2 || g_3 || ID_A || ID_B || R_A || R_B));
Step B7: send R_B and (optionally) S_B to user A;
User A:
Step A5: verify whether R_B ∈ G_1 holds; if not, the negotiation fails; otherwise invoke the bilinear pairing module to compute the elements g_1' = e(P_pub-e, P_2)^{r_A}, g_2' = e(R_B, de_A), g_3' = (g_2')^{r_A} of G_T, and convert the data types of g_1', g_2', g_3' into bit strings;
Step A6: convert the data types of R_A and R_B into bit strings; (optionally) invoke the SM3 operation module to compute S_1 = Hash(0x82 || g_1' || Hash(g_2' || g_3' || ID_A || ID_B || R_A || R_B)) and check S_1 = S_B with the data path module; if the equation does not hold, key confirmation from B to A fails;
Step A7: compute SK_A = KDF(ID_A || ID_B || R_A || R_B || g_1' || g_2' || g_3', klen) with the auxiliary function module;
Step A8 (optional): invoke the SM3 operation module to compute S_A = Hash(0x83 || g_1' || Hash(g_2' || g_3' || ID_A || ID_B || R_A || R_B)) and send S_A to user B.
User B:
Step B8 (optional): invoke the SM3 operation module to compute S_2 = Hash(0x83 || g_1 || Hash(g_2 || g_3 || ID_A || ID_B || R_A || R_B)) and check S_2 = S_A with the data path module; if the equation does not hold, key confirmation from A to B fails.
4) The public key encryption algorithm, as shown in Figure 4:
The message to be sent is a bit string M, mlen is the bit length of M, $K1\_len$ is the bit length of the key $K_1$ of the block cipher algorithm, and $K2\_len$ is the bit length of the key $K_2$ of the function $\mathrm{MAC}(K_2, Z)$.
To encrypt the plaintext M for user B, user A, as the encryptor, performs the following steps:
Step 1: compute the element $Q_B = [H_1(ID_B \| \mathrm{hid}, N)]P_1 + P_{pub\text{-}e}$ of group $G_1$;
Step 2: generate a random number $r \in [1, N-1]$;
Step 3: compute the element $C_1 = [r]Q_B$ of group $G_1$ and convert the data type of $C_1$ to a bit string;
Step 4: call the bilinear pairing module to compute the element $g = e(P_{pub\text{-}e}, P_2)$ of group $G_T$;
Step 5: compute the element $w = g^r$ of group $G_T$ and convert the data type of w to a bit string;
Step 6: compute according to the type of plaintext encryption method:
a) If the plaintext encryption method is a stream cipher based on the key derivation function:
1) compute the integer $klen = mlen + K2\_len$ and compute $K = \mathrm{KDF}(C_1 \| w \| ID_B, klen)$ through the auxiliary function module. Let $K_1$ be the leftmost mlen bits of K and $K_2$ the remaining $K2\_len$ bits; check through the data path module whether $K_1$ is an all-zero bit string, and if so return to Step 2;
2) compute $C_2 = M \oplus K_1$ through the data path module.
b) If the plaintext encryption method is a block cipher algorithm combined with the key derivation function:
1) compute the integer $klen = K1\_len + K2\_len$ and compute $K = \mathrm{KDF}(C_1 \| w \| ID_B, klen)$ through the auxiliary function module. Let $K_1$ be the leftmost $K1\_len$ bits of K and $K_2$ the remaining $K2\_len$ bits; check through the data path module whether $K_1$ is an all-zero bit string, and if so return to Step 2;
2) call the SM4 operation module to compute $C_2 = \mathrm{Enc}(K_1, M)$.
Step 7: call the SM3 operation module to compute $C_3 = \mathrm{MAC}(K_2, C_2)$;
Step 8: output the ciphertext $C = C_1 \| C_3 \| C_2$.
5) The decryption algorithm, as shown in Figure 5:
mlen is the bit length of $C_2$ in the ciphertext $C = C_1 \| C_3 \| C_2$, $K1\_len$ is the bit length of the key $K_1$ of the block cipher algorithm, and $K2\_len$ is the bit length of the key $K_2$ of the function $\mathrm{MAC}(K_2, Z)$.
To decrypt C, user B, as the decryptor, performs the following steps:
Step 1: extract the bit string $C_1$ from C, convert the data type of $C_1$ to a point on the elliptic curve, and verify whether $C_1 \in G_1$ holds; if not, report an error and exit;
Step 2: call the bilinear pairing module to compute the element $w' = e(C_1, de_B)$ of group $G_T$ and convert the data type of $w'$ to a bit string;
Step 3: compute according to the type of plaintext encryption method:
a) If the plaintext encryption method is a stream cipher based on the key derivation function:
1) compute the integer $klen = mlen + K2\_len$ and compute $K' = \mathrm{KDF}(C_1 \| w' \| ID_B, klen)$ through the auxiliary function module. Let $K_1'$ be the leftmost mlen bits of $K'$ and $K_2'$ the remaining $K2\_len$ bits; check through the data path module whether $K_1'$ is an all-zero bit string, and if so report an error and exit;
2) compute $M' = C_2 \oplus K_1'$ through the data path module.
b) If the plaintext encryption method is a block cipher algorithm combined with the key derivation function:
1) compute the integer $klen = K1\_len + K2\_len$ and compute $K' = \mathrm{KDF}(C_1 \| w' \| ID_B, klen)$ through the auxiliary function module. Let $K_1'$ be the leftmost $K1\_len$ bits of $K'$ and $K_2'$ the remaining $K2\_len$ bits; check through the data path module whether $K_1'$ is an all-zero bit string, and if so report an error and exit;
2) call the SM4 operation module to compute $M' = \mathrm{Dec}(K_1', C_2)$.
Step 4: call the SM3 operation module to compute $u = \mathrm{MAC}(K_2', C_2)$, extract the bit string $C_3$ from C, and check through the data path module whether $u = C_3$ holds; if not, report an error and exit;
Step 5: output the plaintext $M'$.
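The KDF, key-confirmation and ciphertext-envelope steps above (key exchange Steps B5 to B8 and A6 to A8; encryption Steps 6a to 8 and decryption Steps 3a to 5) as one added Python example. This is not the patent's code or the hardware's interface. SM3 is replaced by SHA-256 from the standard library (an assumption; both are 256-bit hashes), and the pairing and curve outputs g1, g2, g3, w, R_A, R_B and C1 are constructed opaque byte strings, since producing them needs the pairing module. The block keeps the two structural checks the text calls out: an all-zero K1 sends the encryptor back to Step 2, and the decryptor releases no plaintext until u = C3 holds.

```python
import hashlib
import hmac

HLEN = 32  # digest length in bytes: SM3 and the SHA-256 stand-in are both 256-bit


def Hv(data: bytes) -> bytes:
    # Assumption: SM3 is not in the Python standard library, so SHA-256 stands
    # in for the hash function the SM3 operation module provides in hardware.
    return hashlib.sha256(data).digest()


def KDF(Z: bytes, klen: int) -> bytes:
    """SM9 key derivation: concatenate Hv(Z || ct) for a 32-bit big-endian
    counter ct = 1, 2, ... and keep the leftmost klen bits."""
    out, ct = b"", 1
    while len(out) * 8 < klen:
        out += Hv(Z + ct.to_bytes(4, "big"))
        ct += 1
    out = out[:(klen + 7) // 8]
    if klen % 8:  # clear the surplus low bits of the last byte
        out = out[:-1] + bytes([out[-1] & ((0xFF << (8 - klen % 8)) & 0xFF)])
    return out


def MAC(K2: bytes, Z: bytes) -> bytes:
    """SM9 message authentication code: MAC(K2, Z) = Hv(Z || K2)."""
    return Hv(Z + K2)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Key exchange: Steps B5/B6/B8 and A6/A7/A8 ------------------------------

def session_key(ID_A, ID_B, R_A, R_B, g1, g2, g3, klen):
    """SK = KDF(ID_A || ID_B || R_A || R_B || g1 || g2 || g3, klen)."""
    return KDF(ID_A + ID_B + R_A + R_B + g1 + g2 + g3, klen)


def confirmation_tag(tag, ID_A, ID_B, R_A, R_B, g1, g2, g3):
    """S = Hash(tag || g1 || Hash(g2 || g3 || ID_A || ID_B || R_A || R_B)).
    tag 0x82 marks B's proof S_B (checked by A as S_1), 0x83 marks A's proof
    S_A (checked by B as S_2), so one direction can never pass for the other."""
    inner = Hv(g2 + g3 + ID_A + ID_B + R_A + R_B)
    return Hv(bytes([tag]) + g1 + inner)


def confirm(received: bytes, expected: bytes) -> bool:
    """Constant-time comparison for the S_1 = S_B and S_2 = S_A checks."""
    return hmac.compare_digest(received, expected)


# Public key encryption Steps 6a-8 and decryption Steps 3a-5 -------------

def encrypt_envelope(C1, w, ID_B, M, K2_len=256):
    """Stream-cipher mode.  Returns C = C1 || C3 || C2, or None when K1 is all
    zero, in which case the caller returns to Step 2 and picks a fresh r."""
    K = KDF(C1 + w + ID_B, len(M) * 8 + K2_len)
    K1, K2 = K[:len(M)], K[len(M):]
    if not any(K1):
        return None
    C2 = xor(M, K1)
    return C1 + MAC(K2, C2) + C2


def decrypt_envelope(C, C1_len, w_prime, ID_B, K2_len=256):
    """C1_len is the byte length of the encoded G1 point (the C1 in G1 check of
    Step 1 is the curve module's job, before w' = e(C1, de_B) is computed).
    Raises ValueError on failure; no plaintext is released unless u = C3."""
    C1, C3, C2 = C[:C1_len], C[C1_len:C1_len + HLEN], C[C1_len + HLEN:]
    Kp = KDF(C1 + w_prime + ID_B, len(C2) * 8 + K2_len)
    K1p, K2p = Kp[:len(C2)], Kp[len(C2):]
    if not any(K1p):
        raise ValueError("K1' is all zero")
    if not confirm(MAC(K2p, C2), C3):
        raise ValueError("u != C3: ciphertext rejected")
    return xor(C2, K1p)


if __name__ == "__main__":
    # Constructed sample values; in hardware they come from the curve and
    # pairing modules.  C1 mimics an uncompressed point encoding, w a G_T
    # element (12 base-field coordinates).
    ID_A, ID_B = b"Alice", b"Bob"
    C1 = b"\x04" + bytes(range(64))
    w = Hv(b"constructed g^r") * 12
    C = encrypt_envelope(C1, w, ID_B, b"Chinese IBS standard")
    print(decrypt_envelope(C, len(C1), w, ID_B))
```

The block-cipher variant (6b/3b) differs only in klen = K1_len + K2_len and in replacing the XOR with Enc/Dec under K1; the KDF split, the zero-key check and the MAC-before-plaintext order are identical.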
Selection of system parameters:
The system parameters of this embodiment follow the parameter selection rules in the General part of the standard GM/T 0044.1-2016 (SM9 identification cryptographic algorithm). The embodiment adopts the 256-bit BN curve recommended by the algorithm standard as the elliptic curve; the equation of the selected BN curve is:
$E: y^2 = x^3 + b$;
where x and y are the abscissa and ordinate of a curve point, and b is a nonzero constant parameter that may be chosen by the user. The embedding degree k of the curve is 12, and the order N of the curve is prime. The main parameters of the curve are the base field characteristic q, the curve order N and the trace tr of the Frobenius map, all of which are determined by a parameter t:
$q(t) = 36t^4 + 36t^3 + 24t^2 + 6t + 1$;
$N(t) = 36t^4 + 36t^3 + 18t^2 + 6t + 1$;
$tr(t) = 6t^2 + 1$;
Since the embedding degree k of the selected elliptic curve is 12, the bilinear pairing is computed in the twelfth-degree extension field. The invention builds the tower of extension fields in the way described in the SM9 algorithm standard:
$F_{q^2} = F_q[u]/(u^2 - \alpha)$: the base field is extended quadratically to the quadratic extension field, with reduction polynomial $x^2 - \alpha$, $\alpha = -2$;
$F_{q^4} = F_{q^2}[v]/(v^2 - u)$: the quadratic extension field is extended quadratically to the quartic extension field, with reduction polynomial $x^2 - u$, $u^2 = \alpha$;
$F_{q^{12}} = F_{q^4}[w]/(w^3 - v)$: the quartic extension field is extended cubically to the twelfth-degree extension field, with reduction polynomial $x^3 - v$, $v^2 = u$.
All numbers participating in SM9 computations must lie in the constructed finite field and its extension fields, and all points participating in computations must lie on the constructed BN curve. The generator $P_1$ of group $G_1$ and the generator $P_2$ of group $G_2$ are also required for the operations.
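An added Python example (not the patent's code) that derives the BN curve parameters q(t), N(t) and tr(t) from t as given above and checks the properties the description relies on: q and N prime, N equal to the point count q + 1 - tr, embedding degree 12, and alpha = -2 a quadratic non-residue modulo q, which is what makes x^2 - alpha irreducible and the first level of the tower a field. It also carries the quadratic extension arithmetic far enough to show why the Frobenius map on F_{q^2} is just a sign flip. The small case t = 1 (q = 103, N = 97) is worked through explicitly; SM9_T is the t of the standard's recommended 256-bit curve, quoted from the SM9 standard rather than from this page, so check it against the standard before relying on it.

```python
import random

SM9_T = 0x600000000058F98A  # t of the SM9 recommended BN curve (from the standard, not this page)
ALPHA = -2                  # F_{q^2} = F_q[u]/(u^2 - ALPHA), as in the tower above


def bn_params(t: int):
    """q(t), N(t) and tr(t) of a Barreto-Naehrig curve."""
    q = 36 * t**4 + 36 * t**3 + 24 * t**2 + 6 * t + 1
    N = 36 * t**4 + 36 * t**3 + 18 * t**2 + 6 * t + 1
    tr = 6 * t**2 + 1
    return q, N, tr


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with fixed small bases first, then seeded random witnesses."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(2021)  # reproducible witnesses
    for i in range(rounds):
        a = small[i] if i < len(small) else rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def embedding_degree(q: int, N: int, limit: int = 12):
    """Smallest k <= limit with N | q^k - 1: the pairing takes values in F_{q^k}."""
    for k in range(1, limit + 1):
        if pow(q, k, N) == 1:
            return k
    return None


def is_nonresidue(a: int, q: int) -> bool:
    """Euler criterion for prime q: a^((q-1)/2) = -1 iff a is a quadratic
    non-residue, i.e. x^2 - a is irreducible over F_q."""
    return pow(a % q, (q - 1) // 2, q) == q - 1


# Elements of F_{q^2} are pairs (a, b) standing for a + b*u with u^2 = ALPHA.
def fp2_mul(x, y, q):
    (a, b), (c, d) = x, y
    return ((a * c + ALPHA * b * d) % q, (a * d + b * c) % q)


def fp2_pow(x, e, q):
    r = (1, 0)
    while e:
        if e & 1:
            r = fp2_mul(r, x, q)
        x = fp2_mul(x, x, q)
        e >>= 1
    return r


def fp2_frobenius(x, q):
    """(a + b*u)^q = a - b*u, since u^q = u * ALPHA^((q-1)/2) = -u when ALPHA
    is a non-residue; the hardware Frobenius unit needs no exponentiation."""
    return (x[0] % q, (-x[1]) % q)


def check_curve(t: int) -> dict:
    q, N, tr = bn_params(t)
    return {
        "q_bits": q.bit_length(),
        "q_prime": is_probable_prime(q),
        "N_prime": is_probable_prime(N),
        "N_is_point_count": N == q + 1 - tr,
        "embedding_degree": embedding_degree(q, N),
        "alpha_nonresidue": is_nonresidue(ALPHA, q),
    }


if __name__ == "__main__":
    print(check_curve(1))      # q = 103, N = 97: a toy BN curve
    print(check_curve(SM9_T))  # the 256-bit curve of the standard
```

For t = 1 the curve already has all the structural properties of the real one (both field sizes prime, N = q + 1 - tr, embedding degree exactly 12, -2 a non-residue), which makes it a convenient size for checking a hardware model's field and tower arithmetic by hand before moving to 256-bit operands.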
This embodiment is implemented in Verilog HDL. The SM9 identification cryptographic algorithm hardware implementation system architecture of the invention realizes an SM9 algorithm hardware accelerator; tests show that the implemented algorithm functions and computation results conform to the SM9 algorithm standard and its published worked examples. Table 1 compares the computational efficiency of a software implementation of the SM9 algorithm with the measured computational efficiency of this embodiment.
Table 1: Comparison of computational efficiency between the SM9 software implementation and this embodiment
[Table 1 is an image in the original and is not reproduced here.]
According to the data in Table 1, the computation time the hardware implementation of the SM9 algorithm needs for the algorithm functions is only about 1/10 to 1/9 of that of the software implementation, a large improvement in computation speed over the software implementation.
It is to be understood that the present invention has been described with reference to certain embodiments, and that various changes in the features and embodiments, or equivalent substitutions may be made therein by those skilled in the art without departing from the spirit and scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from the essential scope thereof. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.

Claims (8)

1. An SM9 identification cryptographic algorithm hardware implementation system based on a finite field, comprising a register module, a data path module, a bottom layer control module, a memory module, an auxiliary function module, a random number module and an algorithm function module, characterized in that:
the register module is used for reading the configuration information and control information of a user;
the data path module is used for completing various operations on the data participating in computation, realizing transmission of data between the registers and the memory and performing simple operations on the data, including writing data from the registers into the memory and reading data from the memory, and transferring the initial parameters, identifications and plaintext data written by the user into the registers to the memory through the data access module;
the memory module is used for storing various kinds of operation data, including initial parameters, intermediate values and computation results;
the bottom layer control module is used for calling the bottom layer algorithm modules to complete various finite field computations, elliptic curve computations and cryptographic operations;
the auxiliary function module is used for realizing the cryptographic functions $H_1/H_2$ of the SM9 algorithm and the key derivation function KDF, which generates the encryption and decryption keys in the SM9 algorithm;
the random number module is used for generating the random numbers between 1 and N-1 required by the algorithm;
the algorithm function module is used for calling the remaining modules to realize the various algorithm functions of the SM9 algorithm.
2. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the specific functions of the register module include: the user writes control information and configuration information into the register module; the register module transfers the initial parameters, identifications and plaintext data written by the user to the memory module and then starts the corresponding algorithm function operation according to the control information; if the operation succeeds, the register module reads the computation result from the memory module and transfers it to the user; if the operation fails, the register module transfers a computation failure signal to the user.
3. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the data path module enables data to be moved between different addresses in the memory and supports comparing two data items, concatenating two data items end to end, and shifting data.
4. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the bottom layer algorithm modules comprise a bilinear pairing module, which contains the finite field computation, elliptic curve computation and bilinear pairing computation functions, an SM3 operation module and an SM4 operation module; the SM3 operation module is a hardware implementation of the SM3 algorithm, a hash algorithm used in SM9 applications for digital signature generation and verification and for generation and verification of message authentication codes; the SM4 operation module is a hardware implementation of the SM4 algorithm, a block cipher used for public key encryption and decryption in the SM9 algorithm.
5. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 4, wherein the bilinear pairing module comprises a prime field computation module, a quadratic extension field computation module, a quartic extension field computation module, a twelfth-degree extension field computation module, a quadratic-extension-field elliptic curve computation module, a line function computation module, a final exponentiation module and a bilinear pairing computation state machine;
the prime field computation module is used for completing the modular operations and elliptic curve point operations in the prime field;
the quadratic extension field computation module is used for realizing the operations in the quadratic extension field obtained by extending the prime field quadratically, including modular addition, modular subtraction, modular multiplication, modular inversion and the Frobenius operation on quadratic extension field elements;
the quartic extension field computation module is used for realizing the operations in the quartic extension field obtained by extending the prime field to degree four, including modular addition, modular subtraction, modular multiplication, modular inversion and the Frobenius operation on quartic extension field elements;
the twelfth-degree extension field computation module is used for realizing the operations in the twelfth-degree extension field obtained by extending the prime field to degree twelve, including modular multiplication, modular inversion, modular exponentiation and the Frobenius operation on twelfth-degree extension field elements;
the quadratic-extension-field elliptic curve computation module is used for realizing the elliptic curve operations over the quadratic extension field, including coordinate system conversion of quadratic extension field points, point addition, point multiplication and the Frobenius operation on such points; the coordinate conversion of quadratic extension field points refers to converting elliptic curve points over the quadratic extension field between the affine and projective coordinate systems;
the line function computation module is used for realizing the function $g_{U,V}(Q)$ in the R-ate pairing computation, that is, computing the equation of the line through two elliptic curve points; $g_{U,V}(Q)$ is computed as defined in the SM9 algorithm standard: if the two points are distinct and neither is the point at infinity, the result is the equation of the line through the two points; if the two points coincide and are not the point at infinity, the result is the equation of the tangent to the elliptic curve at that point; if one of the points is the point at infinity, the result is the equation of the vertical line (perpendicular to the x axis) through the other point;
the final exponentiation module is used for realizing the last step of the R-ate pairing computation, i.e. $f = f^{(q^{12}-1)/r}$;
and the bilinear pairing computation state machine is used for controlling and calling each module to complete the computation of the bilinear pairing.
6. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 4, wherein the prime field computation module comprises a modular addition/subtraction hardware module, a Montgomery modular multiplication hardware module, a modular inversion hardware module and a prime field elliptic curve computation module; the modular addition/subtraction hardware module is used for realizing modular addition, modular subtraction and modular reduction in prime field arithmetic; the Montgomery modular multiplication hardware module is used for realizing modular multiplication in the prime field and is based on an optimized Montgomery modular multiplication algorithm; the modular inversion hardware module is used for realizing modular inversion in the prime field; the prime field elliptic curve computation module is used for realizing point addition, point multiplication and point test operations in the prime field.
7. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the cryptographic functions $H_1/H_2$ and the key derivation function KDF of the auxiliary function module are implemented according to the steps in the SM9 algorithm standard; the cryptographic functions $H_1/H_2$ and the key derivation function KDF call the cryptographic hash function $H_v()$, which is realized by the SM3 operation module.
8. The finite field based SM9 identification cryptographic algorithm hardware implementation system of claim 1, wherein the algorithm functions of the SM9 algorithm comprise digital signature generation, digital signature verification, the key exchange protocol, public key encryption and public key decryption; the algorithm functions perform their computations according to the steps in the SM9 algorithm standard.
CN202110763602.2A 2021-07-06 2021-07-06 SM9 identification cipher algorithm hardware realization system based on finite field Active CN113660087B (en)


Publications (2)

Publication Number Publication Date
CN113660087A true CN113660087A (en) 2021-11-16
CN113660087B CN113660087B (en) 2023-09-26



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant