CN117353929A - Dot product computing device, digital signature device, and system on chip - Google Patents

Info

Publication number: CN117353929A
Authority: CN (China)
Prior art keywords: current, point, dot product, dot, pair
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210749273.0A
Other languages: Chinese (zh)
Inventors: 汪溯滢, 刘景景, 王晶
Current assignee: Pingtouge Shanghai Semiconductor Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Pingtouge Shanghai Semiconductor Co Ltd
Events: application filed by Pingtouge Shanghai Semiconductor Co Ltd; priority to CN202210749273.0A; publication of CN117353929A; current legal status: Pending

Classifications

    • H04L 9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving digital signatures (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 9/00 > H04L 9/32)
    • H04L 9/002: Countermeasures against attacks on cryptographic mechanisms (H > H04 > H04L > H04L 9/00)
    • H04L 9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds (H > H04 > H04L > H04L 9/00 > H04L 9/08 Key distribution or management > H04L 9/0861)
    • H04L 9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves (H > H04 > H04L > H04L 9/00 > H04L 9/30)

Abstract

The embodiment of the invention provides a dot product (elliptic-curve point multiplication) operation device, a digital signature device and a system-on-chip. The dot product operation device includes: a shifter for shifting a window of a first preset number of bits to a pair of current window positions in the random bit sequence; a double-point operator for performing a double-point operation based on the previous point multiplication result corresponding to a pair of previous window positions, to obtain a current double-point result; a point multiplication operator for performing a point multiplication operation based on the first random number, the second random number and the binary base point, to obtain a current point multiplication increment; and a point addition operator for acquiring the current double-point result from the double-point operator and executing a point addition operation based on the current double-point result and the current point multiplication increment, to obtain the current point multiplication result. If the current window position reaches the end window position of the random bit sequence, the point addition operator outputs the current point multiplication result as the point multiplication result of the random bit sequence. The scheme of the embodiment of the invention ensures the security of the point multiplication operation and improves its efficiency.

Description

Dot product computing device, digital signature device, and system on chip
Technical Field
The embodiment of the invention relates to the technical field of encryption, in particular to a dot product operation device, a digital signature device and a system on a chip.
Background
Elliptic curve cryptographic algorithms such as SM2 encryption and decryption, ECC signature and ECC encryption and decryption have the advantages of high security and high processing speed, and can be used for encryption and decryption of data such as messages, or for digital signature generation, so as to reduce the risk of information leakage or tampering.
The most basic processing flow in the elliptic curve-based cryptographic algorithm is: a point multiplication result (scalar multiplication result) between the key and a certain point on the elliptic curve is calculated. After the dot multiplication result is obtained, the subsequent signature generation operation is carried out on the data such as the message based on the dot multiplication result.
When calculating the point multiplication result, the existing digital signature scheme is vulnerable to side-channel attacks, so its security is poor; it is also time-consuming, so the digital signature efficiency is low.
Disclosure of Invention
In view of the above, an embodiment of the present invention provides a dot product computing device, a digital signature device and a system-on-chip to at least partially solve the above-mentioned problems.
According to a first aspect of an embodiment of the present invention, there is provided a dot product operation device including: a shifter for shifting a window of a first preset number of bits to a pair of current window positions in the random bit sequence, wherein the first current window position and the second current window position of the pair are separated by a second preset number of bits; a double-point operator for performing a double-point operation based on the previous point multiplication result corresponding to a pair of previous window positions, to obtain a current double-point result; a point multiplication operator, which obtains from the shifter a first random number corresponding to the first current window position of the pair and a second random number corresponding to the second current window position of the pair, and performs a point multiplication operation based on the first random number, the second random number and the binary base point, to obtain a current point multiplication increment; and a point addition operator for obtaining the current double-point result from the double-point operator and executing a point addition operation based on the current double-point result and the current point multiplication increment, to obtain the current point multiplication result corresponding to the pair of current window positions. If the pair of current window positions reaches the end window position of the random bit sequence, the point addition operator outputs the current point multiplication result as the point multiplication result of the random bit sequence.
In another implementation of the present invention, the dot product operation device further includes a register. The register stores the previous dot product, and if the pair of current window positions does not reach the end window position of the random bit sequence, the register updates the previous dot product based on the current dot product.
In another implementation of the present invention, if the pair of current window positions is the starting window position of the random bit sequence, a zero value is stored in the register as the previous dot product.
In another implementation of the present invention, the dot product operator calculates k_{d-1} as the first random number corresponding to the first current window position of the pair and k_{e-1} as the second random number corresponding to the second current window position of the pair, where the number of window positions is d = [t/w], t represents the length of the random bit sequence, w represents the first preset number of bits, and the second preset number of bits is e = [d/2].
In another implementation of the invention, the dot product operator calculates (k_{i+e} + 1)G + (k_i + 1)G as the current point multiplication increment, where 0 ≤ i ≤ e − 1 and G represents the binary base point.
In another implementation of the present invention, the shifter obtains an initial random number K and uses the shift compensation K − K_0 as the random bit sequence, where K_0 is the binary representation of 2^d − 1.
According to a second aspect of an embodiment of the present invention, there is provided a digital signature apparatus including: the dot multiplication operation device acquires a random bit sequence and outputs a dot multiplication result of the random bit sequence; and a signature computing device for computing a signature value of the dot product.
In another embodiment of the present invention, the signature operation device includes: a signature value operator for calculating a first signature value of the dot product; a clock signal generator generating a first clock signal and a second clock signal; wherein the signature value operator calculates a first verification value of a second signature value in response to the first clock signal, calculates a second verification value of the second signature value in response to the second clock signal, and outputs the first verification value or the second verification value as the second signature value when the first verification value is equal to the second verification value.
According to a third aspect of embodiments of the present invention, there is provided a system on a chip comprising a digital signature device according to the second aspect.
In the scheme of the embodiment of the invention, the dot product arithmetic unit calculates the dot product increment of the random number corresponding to the current window position, and compared with the dot product increment of executing the whole random bit sequence, the dot product arithmetic unit has higher similarity in the calculation process of the dot product result of each pair of window positions, thereby effectively avoiding side channel attack and further ensuring the safety of dot product operation. In addition, a pair of the current window positions are provided with a preset second preset bit number interval, so that the shift times of the pair of windows in the random bit sequence are reduced, and the dot product operation efficiency is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present invention, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1A is a schematic block diagram of a system-on-chip according to one example.
Fig. 1B is a schematic block diagram of an SM2 computing device provided on the system-on-chip of fig. 1A.
Fig. 1C is a flowchart illustrating steps of performing the SM2 digital signature method using the computing device of the embodiment of fig. 1B.
Fig. 2A is a schematic block diagram of a dot product computing device according to an embodiment of the present invention.
Fig. 2B is a schematic block diagram of a digital signature device to which the embodiment of fig. 2A is applicable.
Fig. 3A is a step flow diagram of a digital signature flow according to one example of the embodiment of fig. 2B.
Fig. 3B is a schematic diagram of a pair of window positions in the random bit sequence illustrated in fig. 3A.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood by those skilled in the art, the technical solutions in the embodiments of the present invention will be clearly and specifically described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments. All other embodiments, which are derived by a person skilled in the art based on the embodiments of the present invention, shall fall within the scope of protection of the embodiments of the present invention.
The implementation of the embodiments of the present invention will be further described below with reference to the accompanying drawings.
FIG. 1A is a schematic block diagram of a system-on-chip according to one example. The system on chip 1000 includes a memory 1210, a processing unit cluster 1220, and an arithmetic unit cluster 1100 connected by a bus. The processing unit cluster 1220 includes a plurality of processing units 222. The arithmetic unit cluster 1100 includes a plurality of arithmetic units 100. The processing unit 222 is a unit for performing conventional processing (data processing not performed based on the dot product operation result), and the processing unit 222 may take various forms such as a processor (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), and the like; the arithmetic unit 232 is mainly a dedicated arithmetic unit designed to promote the security of data processing based on the dot product arithmetic result in the present application.
Fig. 1B is a schematic block diagram of an SM2 computing device according to one example. As shown in the figure, the SM2 arithmetic device is implemented on an arithmetic unit 100, and includes an SM2 arithmetic control module 10, a dot product arithmetic control module 20, a binary domain arithmetic control module 30, a binary domain arithmetic module 40, and a key derivation module 50. The SM2 operation control module 10 receives the control signal from the main control module, performs SM2 encryption/decryption operation, schedules the bottom sub-module (the dot product operation control module 20, the SM2 Key derivation module 50) to generate an SM2 session Key through a series of control signals, and then encrypts the AES Key (Key) according to the SM2 session Key.
The SM2 Key derivation module 50 derives the session key required for further encryption from the dot product result calculated by the dot product operation control module 20 and sends the session key to the SM2 operation control module 10, which encrypts the AES key with it to generate the key block Ckey. The dot product operation control module 20, the binary domain operation control module 30 and the binary domain operation module 40 together realize the dot product operation on the elliptic curve. The dot product operation control module 20 performs data loading and output for the dot product operation, converts the coordinates of the elliptic curve base point P from the affine coordinate system to the projective coordinate system, and, by scanning each bit of K in turn, invokes the coordinate transformer 31, the point adder 32 and the double-point operator 33 to perform the corresponding finite-field operations and carry out the dot product operation in the projective coordinate system. The binary domain operation control module 30 first performs the coordinate transformation with the coordinate transformer 31 to reduce the number of inversions, then performs point addition and point doubling with the point adder 32 and the double-point operator 33, calling the underlying modulo adder 41, modulo multiply/square operator 43 and modulo inverse operator 42 for the modular addition, multiplication, inversion and squaring needed to complete the point addition and point doubling.
Specifically, the binary domain operation module 40 includes a modulo adder 41, a modulo multiply/square operator 43 and a modulo inverse operator 42. The modulo adder 41 simply performs a bitwise exclusive-or on its operands. The modulo multiply/square operator 43 uses a serial-parallel mixed binary-field modular multiplication algorithm: the multiplier is divided into several segments, and in each round one segment of the multiplier is multiplied by the multiplicand to obtain a partial product, which is fed into the next round of the multiplication. This serial-parallel modular multiplication algorithm gives a good balance between the area of the modular multiplication circuit and its speed. The modulo inverse operator 42 converts the modular inversion into modular multiplications and squarings by Fermat's little theorem, and schedules the modulo multiply/square operator 43 to realize the inversion.
Further, Fig. 1C illustrates an SM2 digital signature method according to one example. The SM2 digital signature method of Fig. 1C includes the following steps:
S110: Construct M̄ = Z || M, and continue to step S120.
S120: Calculate e_0 = Hv(M̄), convert e_0 to an integer, and continue to step S130.
S130: Generate a random number k with a random number generator, where 1 ≤ k ≤ n − 1, and continue to step S140.
S140: Calculate the elliptic curve point (x1, y1) = [k]G, and continue to step S150.
S150: Calculate r = (e_0 + x1) mod n and determine whether r = 0 or r + k = n; if so, return to step S130, otherwise execute step S160.
S160: Calculate s = ((1 + dA)^{-1} · (k − r·dA)) mod n and determine whether s = 0; if so, return to step S130, otherwise execute step S170.
S170: Convert the data types of r and s to byte strings, which form the digital signature of M.
Here M represents the message to be signed; dA represents the private key of the user; e_0 represents the output of the cryptographic hash function applied to M̄; G represents the elliptic curve base point; Hv() represents a cryptographic hash function with a message digest length of v bits; Z represents the distinguishing identifier of the user; and [k]G represents the k-fold multiple of the base point on the elliptic curve.
In the scheme of this example, the point adder 32 and the double-point operator 33 of Fig. 1B must perform the point addition and the point doubling respectively in order to calculate the elliptic curve point (x1, y1) = [k]G. The time and energy consumed by the point adder 32 and by the double-point operator 33 differ, which leaves the computation vulnerable to side-channel attacks such as SPA, DPA and FA, so that sensitive data is leaked.
Fig. 2A shows a dot product operation apparatus according to an embodiment of the present invention. The dot product operation device 200 of the present embodiment may correspond to the binary domain operation control module 30 of fig. 1B, and is physically implemented by analog and/or digital circuits (e.g., logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hardwired circuits, etc.), and may optionally be driven by firmware and/or software. For example, the circuitry may be implemented in one or more semiconductor chips, or on a substrate support such as a printed circuit board or the like.
The dot product operation device 200 of the present embodiment includes a shifter 210, a double dot operator 220, a dot product operator 230, and a dot adder operator 240.
Shifter 210 shifts in the random bit sequence to a pair of current window positions with a window width of a first preset number of bits, the first current window position of the pair of current window positions being spaced from the second current window position by a second preset number of bits.
For example, a first shift range, over which the first window position is shifted, is adjacent to a second shift range, over which the second window position is shifted, and together they constitute the random bit sequence. In various embodiments of the present invention, the first shift range occupies the high-order bits and the second shift range occupies the low-order bits.
Further, the length of the first shift range (i.e., the number of bits) may be the same as or different from the length of the second shift range. For example, the length of the first shift range differs from the length of the second shift range by no more than 1 bit. In one example, the predetermined inter-window number of bits may be the same as the number of bits of the first shift range. The preset number of bits may be odd or even.
Further, at a first window position in the pair of windows, the first window position is shifted from the high order to the low order in a first shift range, and the second window position is shifted from the high order to the low order in a second shift range.
More specifically, Fig. 3B shows a random bit sequence ABCDEFGHIJ, where A, B, C, D, E, F, G, H, I and J are each units of a predetermined number of bits, for example 5 bits. Illustratively, A represents 10101, and B, C, D, E, F, G, H, I and J may be the same as A or differ from one another. The first shift range is ABCDE and the second shift range is FGHIJ. In this example, for i = 0, 1, 2, 3, 4, k_{i+e} and k_i denote the second window position 2 and the first window position 1, respectively. The predetermined inter-window bit count between the second window position 2 and the first window position 1 is 5 × 5 = 25, with d = 10 and e = 5.
The double-point operator 220 performs a double-point operation based on a previous-point multiplication result corresponding to a pair of previous window positions, resulting in a current double-point result.
The dot product operator 230 acquires from the shifter a first random number corresponding to the first current window position of the pair and a second random number corresponding to the second current window position of the pair, and performs a point multiplication with the binary base point based on the first random number and the second random number, to obtain a current point multiplication increment. Specifically, the dot product operator 230 may call the double-point operator 220 and the point addition operator 240 to perform the point multiplication. The point multiplication increment may be determined with the Jacobian-coordinate point addition formula.
The dot adder 240 obtains the current multiple dot result from the multiple dot operator, and performs dot addition based on the current multiple dot result and the current dot multiplication increment, thereby obtaining a current dot multiplication result corresponding to the current window position.
If a pair of current window positions reaches an end window position of the random bit sequence, the dot-adding operator 240 outputs a current dot multiplication result as a dot multiplication result of the random bit sequence.
It should be understood that the dot product operator 230 may correspond to the dot product operation control module 20 illustrated in fig. 1B, and the double-dot operator 220 and the dot adder 240 may correspond to the double-dot operator 33 and the dot adder 32 illustrated in fig. 1B, respectively.
In the scheme of the embodiment of the invention, the dot product arithmetic unit calculates the dot product increment of the random number corresponding to the current window position, and compared with the dot product increment of executing the whole random bit sequence, the dot product arithmetic unit has higher similarity in the calculation process of the dot product result of each pair of window positions, thereby effectively avoiding side channel attack and further ensuring the safety of dot product operation. In addition, a pair of the current window positions are provided with a preset second preset bit number interval, so that the shift times of the pair of windows in the random bit sequence are reduced, and the dot product operation efficiency is improved.
In one example, the dot product operation device further includes a register. The register stores a previous dot product, and if a pair of current window positions does not reach an end window position of the random bit sequence, the register updates the previous dot product based on the current dot product.
Alternatively, if the pair of current window positions is the start window position of the random bit sequence, a zero value is stored in the register as the previous point multiplication result.
In other examples, the dot product operator calculates k_{d-1} as the first random number corresponding to the first current window position of the pair and k_{e-1} as the second random number corresponding to the second current window position of the pair, where the number of window positions is d = [t/w], t represents the length of the random bit sequence, w represents the first preset number of bits, and the second preset number of bits is e = [d/2].
In other examples, the dot product operator calculates (k_{i+e} + 1)G + (k_i + 1)G as the current point multiplication increment, where 0 ≤ i ≤ e − 1 and G represents the binary base point. Compared with k_{i+e}G + k_iG, the form (k_{i+e} + 1)G + (k_i + 1)G avoids the case where the first random number or the second random number is 0, which improves the reliability of the point multiplication of the embodiment, but it introduces a result increment into the point multiplication. Correspondingly, the shifter acquires the initial random number K and uses the shift compensation K − K_0 as the random bit sequence; that is, the initial random number K is compensated before the random bit sequence is formed, so that the effect of the result increment is cancelled and the point multiplication result stays correct.
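As an added check that is not part of the patent text, the compensation K_0 = 2^d − 1 can be derived for one-bit windows (w = 1, so d = t and e = d/2) under the assumption that, as in a comb arrangement, the high-half window k_{i+e} multiplies the precomputed point 2^e G while k_i multiplies G. Accumulating the increments of steps S307, S308 and S312 from i = e − 1 down to i = 0 gives

$$Q = \sum_{i=0}^{e-1} 2^{i}\Big[(k_{i+e}+1)\,2^{e}G + (k_i+1)\,G\Big]
  = \Big(\sum_{i=0}^{e-1} 2^{i+e}k_{i+e} + \sum_{i=0}^{e-1} 2^{i}k_i\Big)G + (2^{e}+1)\sum_{i=0}^{e-1} 2^{i}\,G
  = K\,G + (2^{e}+1)(2^{e}-1)\,G = (K + 2^{d} - 1)\,G = (K + K_0)\,G.$$

So running the loop on K − K_0 instead of K returns exactly K·G, which is why the all-ones value of d bits is subtracted before the comb is formed; the operation count of the loop is the same for every K because each window digit is 1 or 2, never 0.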
Fig. 2B shows a digital signature apparatus 300 to which the embodiment of fig. 2A is applied, and as shown, the digital signature apparatus 300 includes a dot product operation apparatus 200 and a signature operation apparatus 3000.
The dot product operation device 200 acquires a random bit sequence and outputs a dot product result of the random bit sequence. For example, the corresponding operations may be implemented using the scheme depicted in FIG. 2A.
The signature computing device 3000 calculates a signature value of the dot product. For example, based on the dot product result, the r value and the s value are determined. For other encryption algorithms, the corresponding signature value can be determined by the dot multiplication result, and signature processing is performed.
In other examples, the signature operation apparatus 3000 includes a signature value operator and a clock signal generator.
For SM2 signatures, the signature value operator calculates a first signature value r of the dot product.
The clock signal generator generates a first clock signal and a second clock signal. For example, the clock signal generator randomly generates the first clock signal and the second clock signal. In this case, the signature value operator calculates a first verification value s1 of the second signature value in response to the first clock signal, calculates a second verification value s2 of the second signature value in response to the second clock signal, and outputs the first verification value or the second verification value as the second signature value s when the first verification value s1 is equal to the second verification value s2, thereby improving the reliability of the signature value and thus the reliability of the signature process.
In addition, the embodiment of the invention also provides a system on a chip, which comprises the digital signature device 300.
An exemplary SM2 signature process is described below with reference to Figs. 3A and 3B. Fig. 3B is a schematic diagram of the first window position and the second window position in the random bit sequence of Fig. 3A. The digital signature process of Fig. 3A is performed by a digital signature device on a system on chip and includes the following steps:
S301: Construct M̄ = Z || M, and continue to step S302.
S302: Calculate e0 = Hv(M̄), convert e0 to an integer, and continue to step S303.
S303: Generate a t-bit random number k with a random number generator, where 1 ≤ k ≤ n − 1 and t represents the number of bits of the random bit sequence, and continue to step S304.
It should be understood that the steps S301 to S303 may be performed by using a random number generator in the dot product computing device, which is not described herein.
S304: Generate a 32-bit random number rand with the random number generator and set k = k + rand·n, then execute step S305. Steps S301 to S304 may be taken as an example of obtaining the initial random number k. This step may also be performed with a random number generator.
S305: Set k = k − 11...1, where 11...1 is a string of d ones in binary representation, then execute step S306. This step may be taken as an example of determining K − K_0, i.e. K_0 is the binary representation of 2^d − 1, with d = [t/w], w representing the preset number of bits and e = [d/2]. For example, the shifter obtains the initial random number K and uses the shift offset K − K_0 as the random bit sequence.
S306: Set k = comb(k), yielding k_{i+e} and k_i, and continue to step S307. That is, by shifting the first window position and the second window position within the first shift range and the second shift range, the respective first random numbers and second random numbers are obtained. Each k_i and k_{i+e} may serve as a first random number and a second random number respectively, the two corresponding to one pair of window positions. This step may be performed by the shifter, which outputs the first random number and the second random number to the double-point operator 220 and the point multiplication operator 230.
Specifically, fig. 3B shows a random bit sequence ABCDEFGHIJ, wherein A, B, C, D, E, F, G, H, I and J are each units of a predetermined number of bits, for example, 5 bits. Illustratively, A represents 10101, and B, C, D, E, F, G, H, I, and J may be the same as A or different from one another. The first shift range is ABCDE and the second shift range is FGHIJ. In this example, when i=0, 1, 2, 3, 4, k i+e And k i The second window position 2 and the first window position 1 are indicated, respectively. The predetermined inter-window bit number 5*5 =25, d=10, e=5 between the second window position 2 and the first window position 1.
S307: first calculating a start window position of the first window positionThe initial point multiplication result and the second initial point multiplication result of the start window position of the second window position continue to execute S308. Specifically, the dot multiplication operator 230 may be employed to invoke the double dot operator 220 and the dot addition operator 240 to calculate q1= (k) d-1 +1)G,Q2=(k e-1 +1) G, G is the binary base point of the elliptic curve.
S308: and performing point addition operation on the first initial point multiplication result and the second initial point multiplication result, and continuing to execute S309. Specifically, q=q1+q2, i.e., when i=e-1, q= (k i+e +1)G+(k i +1)G=(k d-1 +1)G+(k e-1 +1) G. It should be understood that (k) i +1) and (k) i+e +1) avoid k i And k i+e In the case of 0, the reliability of the dot product operation is improved, and accordingly, the initial random number is determined based on K-K0, so that the compatibility with the existing standard is ensured.
S309: if the check point Q is on the elliptic curve, if not, S310 is executed, and if yes, step S311 is executed.
S310: sensitive information in the digital signature process is cleared and errors are reported.
S311: whether i >0 is determined, if yes, S312 is performed, and if no, S313 is performed.
S312: i=i-1, and performs a double-point operation and a point addition operation. Specifically, q=2q may be calculated using the double-point operator 220, and then q=q+ (k) may be calculated using the point-adding operator 240 continuously i+e +1)G+(k i +1) G, and S310 is performed. It should be understood that this step S312 may be used as an example of obtaining the dot product increment of the next window position by performing the dot product operation based on the dot product of the current window position. For steps S311 and S312, without loss of generality, a pair of dot product results for the current window position is determined based on the initial dot product results for the current window position and the dot product result increment for the current window position until the current window position reaches the end window position of the first shift range and the end window position of the second shift range.
S313: output (x) 1 ,y 1 ) =q, and if the checkpoint is on the elliptic curve, ifIf yes, S314 is executed, and if no, S309 is executed.
It should be understood that the following steps S314 to S320 may be performed by the signature operation device 3000.
S314: based on the dot multiplication result Q of the random bit sequence, the first signature value r of the signature process is determined, and S315 is continued. Specifically, r= (e+x) is calculated 1 )mod n。
S315: whether r=0 or r+k=n is determined, and if yes, the process returns to step S303, and if no, S316 is executed.
S316: at a first time, a first verification value s1 of the second signature value is determined based on the first signature value. Specifically, calculateJudging whether s is 1 =0, if yes, return to step S303, and if no, execute S317. The first time may be a time indicated by the first clock signal.
S317: at a random time after the first time, a second verification value s2 of the second signature value is determined based on the first signature value. Specifically, calculateJudging whether s is 2 =0, if yes, return to step S303, and if no, execute S318. The random time after the second time may be a time indicated by the second clock signal.
S318: and judging whether the first verification value is equal to the second verification value, and if so, determining the first verification value or the second verification value as a second signature value. Specifically, judge s 1 And s 2 Whether or not they are equal, and if they are equal, S319 is performed; if not, S320 is performed.
S319: s=s1 or s=s2 is set, and a signature value (r, s) is output as a signature of M.
S320: s1 and S2 are deleted and S303 is continued.
It should be noted that, according to implementation requirements, each component/step described in the embodiments of the present invention may be split into more components/steps, or two or more components/steps or part of operations of the components/steps may be combined into new components/steps, so as to achieve the objects of the embodiments of the present invention.
The above-described methods according to embodiments of the present invention may be implemented in hardware, firmware, or as software or computer code storable in a recording medium such as a CD ROM, RAM, floppy disk, hard disk, or magneto-optical disk, or as computer code originally stored in a remote recording medium or a non-transitory machine-readable medium and to be stored in a local recording medium downloaded through a network, so that the methods described herein may be stored on such software processes on a recording medium using a general purpose computer, special purpose processor, or programmable or special purpose hardware such as an ASIC or FPGA. It is understood that a computer, processor, microprocessor controller, or programmable hardware includes a storage component (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code that, when accessed and executed by a computer, processor, or hardware, performs the methods described herein. Furthermore, when a general purpose computer accesses code for implementing the methods illustrated herein, execution of the code converts the general purpose computer into a special purpose computer for performing the methods illustrated herein.
Those of ordinary skill in the art will appreciate that the elements and method steps of the examples described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present invention.
The above embodiments are only for illustrating the embodiments of the present invention, but not for limiting the embodiments of the present invention, and various changes and modifications may be made by one skilled in the relevant art without departing from the spirit and scope of the embodiments of the present invention, so that all equivalent technical solutions also fall within the scope of the embodiments of the present invention, and the scope of the embodiments of the present invention should be defined by the claims.

Claims (9)

1. A dot product operation device comprising:
a shifter for shifting a window width of a first preset number of bits to a pair of current window positions in the random bit sequence, wherein the first current window position and the second current window position in the pair of current window positions are separated by a second preset number of bits;
a multiple point operator for performing multiple point operation based on previous point multiplication results corresponding to a pair of previous window positions to obtain a current multiple point result;
a dot product operator, which obtains from the shifter a first random number corresponding to the first current window position of the pair and a second random number corresponding to the second current window position of the pair, and performs a dot product operation based on the first random number, the second random number and a binary base point to obtain a current dot product increment;
a point adding arithmetic unit, which obtains the current multiple point result from the multiple point arithmetic unit and performs a point adding operation based on the current multiple point result and the current point multiplication increment to obtain a current point multiplication result corresponding to the pair of current window positions;
and if the pair of current window positions reach the ending window position of the random bit sequence, the point adding arithmetic unit outputs the current point multiplication result as the point multiplication result of the random bit sequence.
2. The apparatus of claim 1, wherein the apparatus further comprises:
a register storing the previous dot product,
wherein the register updates the previous dot product based on the current dot product if the pair of current window positions does not reach an end window position of the random bit sequence.
3. The apparatus of claim 2, wherein if the pair of current window positions is a starting window position of the random bit sequence, a zero value is stored in the register as the previous dot product.
4. The apparatus of claim 1, wherein the dot product operator calculates k_{d−1} as the first random number corresponding to the first current window position of the pair, and calculates k_{e−1} as the second random number corresponding to the second current window position of the pair,
wherein the number of window positions d = [t/w], t represents the length of the random bit sequence, w represents the first preset number of bits, and the second preset number of bits e = [d/2].
5. The apparatus of claim 4, wherein the dot product operator calculates (k_{i+e} + 1)G + (k_i + 1)G as the current point multiplication increment, wherein 0 ≤ i ≤ e − 1 and G represents the binary base point.
6. The apparatus of claim 5, wherein the shifter obtains an initial random number K and uses the shifted compensation K − K0 as the random bit sequence, K0 being the binary representation of 2^d − 1.
7. A digital signature device, comprising:
the dot multiplication operation device acquires a random bit sequence and outputs a dot multiplication result of the random bit sequence;
and a signature computing device for computing a signature value of the dot product.
8. The apparatus of claim 7, wherein the signature operation apparatus comprises:
a signature value operator for calculating a first signature value of the dot product;
a clock signal generator generating a first clock signal and a second clock signal;
wherein the signature value operator calculates a first verification value of a second signature value in response to the first clock signal, calculates a second verification value of the second signature value in response to the second clock signal, and outputs the first verification value or the second verification value as the second signature value when the first verification value is equal to the second verification value.
9. A system on a chip, comprising:
a digital signature device as claimed in claim 7 or 8.
CN202210749273.0A 2022-06-29 2022-06-29 Dot product computing device, digital signature device, and system on chip Pending CN117353929A (en)

Publications (1)

Publication Number Publication Date
CN117353929A true CN117353929A (en) 2024-01-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination