Embodiment
The elliptic curve cipher system and method of the present invention are further described below with reference to the accompanying Figures 1 and 2.
Definition of an elliptic curve:
First, an elliptic curve is the set of all points on the projective plane that satisfy the equation
Y^2 Z + a_1 X Y Z + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3 ---------- [3-1],
where every point on the curve is nonsingular, or smooth.
Here Y^2 Z + a_1 X Y Z + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3 is the Weierstrass equation (Karl Theodor Wilhelm Weierstrass, 1815-1897), which is a homogeneous equation.
In mathematics, "nonsingular" or "smooth" means that at any point on the curve the partial derivatives F_x(x, y, z), F_y(x, y, z), F_z(x, y, z) are not all zero at the same time.
The elliptic curve contains a point at infinity O∞ = (0 : 1 : 0), since this point satisfies equation [3-1]. Substituting x = X/Z, y = Y/Z into equation [3-1] gives:
y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 ------------------------- [3-2]
where (x, y) are coordinates in the ordinary rectangular coordinate system of the plane.
That is, the smooth curve satisfying equation [3-2], together with the point at infinity O∞, forms the elliptic curve.
An elliptic curve over the real numbers is continuous and is not suitable for encryption; therefore the elliptic curves suitable for encryption are usually defined over a Galois field.
A Galois field is a field consisting of a finite number of elements.
Given a Galois field F_p, this field has only finitely many elements: F_p contains only the p elements 0, 1, 2, ..., p-2, p-1 (p a prime number).
The addition rule (a + b) in F_p is defined by a + b ≡ c (mod p); that is, the remainder of (a + b) ÷ p equals the remainder of c ÷ p.
The multiplication rule (a * b) in F_p is a * b ≡ c (mod p).
The division rule (a ÷ b) in F_p is a / b ≡ c (mod p), i.e. a * b^{-1} ≡ c (mod p), where b^{-1} is also an integer between 0 and p-1 and satisfies b * b^{-1} ≡ 1 (mod p).
The identity element of F_p is 1 and the null (zero) element is 0.
However, not every elliptic curve over a Galois field is suitable for encryption; the curves suitable for encryption are those defined over a large prime field. An elliptic curve over a large prime field can be transformed by an isomorphism from the general curve equation into the particularly simple form y^2 = x^3 + ax + b, where the curve parameters a, b ∈ F_p satisfy 4a^3 + 27b^2 ≠ 0 (mod p).
Therefore the set of all points (x, y) satisfying the following equation, together with the point at infinity O∞, constitutes an elliptic curve defined over the large prime field F_p:
y^2 = x^3 + ax + b (mod p)
where x, y are integers between 0 and p-1. This elliptic curve is denoted E_p(a, b).
A public key algorithm is always based on a mathematically hard problem. For example, the RSA cryptosystem is based on the following: given two large prime numbers p and q, it is easy to multiply them to obtain n, but it is relatively hard to factor n.
Consider the following equation:
K = kG, where K and G are points on E_p(a, b) and k is an integer less than n (n is the order of the point G). It is not hard to see that, given k and G, computing K by the addition rule is easy, but given K and G, finding k is quite difficult.
This is the mathematically hard problem on which the elliptic curve cipher system is based. The point G is called the base point, k (k < n, n the order of the base point G) is called the private key, and K is called the public key.
The present invention uses Montgomery representation to realize the various operations in the large prime field, and thereby realizes the elliptic curve cipher system and method.
Montgomery representation, shown in Figure 2, was proposed by Peter Montgomery. Its main operation is the Montgomery multiplication, which needs neither time-consuming division nor a quotient-estimation technique, so it simplifies the modular reduction operation.
From the mathematical point of view, the Montgomery domain and the prime field GF(p) are isomorphic, and each element of GF(p) has a unique corresponding element in the Montgomery domain. An element a ∈ GF(p) is represented in the Montgomery domain as a' = aR mod p, where R is called the Montgomery constant (R must be greater than p). The Montgomery constant R and the large prime field must be coprime, i.e. gcd(R, p) = 1. R is usually chosen as a power of 2, R = 2^m, where m reflects the scale of the hardware; preferably R = 2^192.
To perform the prime field operations with Montgomery representation, the operands must first be transformed from the prime field into the Montgomery domain. The conversion can be done with the Montgomery multiplication itself: a' = MonMul(a, R^2) = aR^2/R mod p = aR mod p.
When the Montgomery multiplication algorithm is implemented in hardware, this conversion needs no further operation and therefore no additional hardware resources. The constant R^2 mod p used in the conversion (with R = 2^m) is obtained by precomputation, which has some cost but needs to be done only once for each modulus p.
The transformation from the Montgomery domain back into the prime field can also be done with the Montgomery multiplication: a = MonMul(a', 1) = a' * 1/R mod p = aR * 1/R mod p = a mod p; b is computed in the same way, i.e. b = MonMul(b', 1) = b' * 1/R mod p = bR * 1/R mod p = b mod p. When a large number of arithmetic operations are performed in the Montgomery domain, the cost of this conversion is negligible, because it is needed only once at the beginning and once at the end of all the operations. In the elliptic curve cipher system of the present invention, all operands are transformed into the Montgomery domain when the computation begins, all point operations on the elliptic curve are then completed in the Montgomery domain, and the final result is transformed back into the large prime field.
In this way, the present invention uses the Montgomery representation of big integers to realize modular arithmetic in the prime field efficiently, without explicitly performing the time-consuming modular reduction in the Montgomery domain. All arithmetic operations required to realize the elliptic curve cipher system can be performed in the Montgomery domain: modular addition, modular subtraction, modular multiplication, inversion, modular squaring and modular reduction.
Modular addition: a + b mod p corresponds to MonAdd(a', b') = (a + b) R mod p = a' + b' mod p
Modular multiplication: ab mod p corresponds to MonMul(a', b') = (ab) R mod p = a' b' / R mod p
Inversion: a^{-1} mod p corresponds to MonInv(a') = a^{-1} R mod p = a'^{-1} R^2 mod p
Modular subtraction: a - b mod p corresponds to MonSub(a', b') = (a - b) R mod p = a' - b' mod p
Modular squaring: a^2 mod p corresponds to MonSq(a') = (a^2) R mod p = a'^2 / R mod p
Modular reduction: r = c R^{-1} mod p
Here MonMul denotes the modular multiplication, MonAdd the modular addition, MonInv the inversion, MonSub the modular subtraction and MonSq the modular squaring.
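The following is an added example, not code from the patent: it carries out the conversion into and out of the Montgomery domain and the operation identities listed above with Python big integers, so that the isomorphism can be checked directly. The modulus is assumed to be the NIST P-192 prime (the text only says p is a 192-bit prime) and R = 2^192 as the text prefers; mon_mul here is the big-integer reference x * y * R^{-1} mod p rather than a word-level multiplier.

```python
# Added example: Montgomery-domain conversion and the MonAdd/MonSub/MonMul/
# MonSq/MonInv identities, checked with Python big integers.
# Assumption: p is the NIST P-192 prime and R = 2^192.

P = (1 << 192) - (1 << 64) - 1          # assumed modulus (NIST P-192 prime)
R = 1 << 192                            # Montgomery constant, R > p, gcd(R, p) = 1
R_INV = pow(R, -1, P)                   # R^{-1} mod p (Python 3.8+)
R2 = (R * R) % P                        # precomputed once per modulus: R^2 mod p


def mon_mul(x, y, p=P):
    """MonMul(x, y) = x * y * R^{-1} mod p (big-integer reference)."""
    return (x * y * R_INV) % p


def to_mont(a, p=P):
    """a' = MonMul(a, R^2) = a R mod p."""
    return mon_mul(a, R2, p)


def from_mont(a_m, p=P):
    """a = MonMul(a', 1) = a' R^{-1} mod p."""
    return mon_mul(a_m, 1, p)


def mon_add(a_m, b_m, p=P):
    return (a_m + b_m) % p          # (a + b) R mod p


def mon_sub(a_m, b_m, p=P):
    return (a_m - b_m) % p          # (a - b) R mod p


def mon_sq(a_m, p=P):
    return mon_mul(a_m, a_m, p)     # a^2 R mod p


def mon_inv(a_m, p=P):
    """MonInv(a') = a'^{-1} R^2 mod p = a^{-1} R mod p (Fermat inverse)."""
    return (pow(a_m, p - 2, p) * R2) % p


def check_identities(a, b, p=P):
    """True when every Montgomery-domain result maps back to the plain
    modular result, which is what the isomorphism promises."""
    a_m, b_m = to_mont(a, p), to_mont(b, p)
    checks = [
        from_mont(a_m, p) == a % p,
        from_mont(mon_add(a_m, b_m, p), p) == (a + b) % p,
        from_mont(mon_sub(a_m, b_m, p), p) == (a - b) % p,
        from_mont(mon_mul(a_m, b_m, p), p) == (a * b) % p,
        from_mont(mon_sq(a_m, p), p) == (a * a) % p,
        from_mont(mon_inv(a_m, p), p) == pow(a, -1, p),
    ]
    return all(checks)
```

Only R^2 mod p is precomputed; every conversion and every operation is a call to the same multiplier, which is the property the text relies on to avoid extra hardware for the conversion.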
The elliptic curve cipher system of the embodiment of the invention is described in detail below with reference to Fig. 1.
As shown in Fig. 1, the elliptic curve cipher system of the present embodiment comprises:
A Galois field algorithm module, used to realize the addition, multiplication, squaring and inversion operations in the large prime field with Montgomery representation.
The large prime field here means the general prime field F_p, where p is a prime number greater than 2.
The Galois field algorithm module comprises a modular addition module, a modular subtraction module, a modular multiplication module, a modular squaring module, a modular reduction module and an inversion module.
The modular multiplication module is a CIOS-Montgomery multiplication algorithm module (Coarsely Integrated Operand Scanning); this algorithm module occupies the least resources and is the fastest.
The principle of the CIOS-Montgomery multiplication algorithm is that it integrates the multiplication and reduction steps. Specifically, the algorithm does not first compute the product of a and b and then reduce the product; instead, multiplication and reduction alternate within the outer loop. This is possible because the value m used in the reduction step of the i-th outer iteration depends only on the value s[i], which has already been computed in the i-th multiplication iteration.
The modular squaring module is an SRCIL-Montgomery squaring algorithm module (Squaring Reduction with Inner Loop); this algorithm is the fastest. The principle of the SRCIL-Montgomery squaring algorithm is that it removes the redundant part of the general Montgomery squaring algorithm and maximizes the parallelism of the algorithm in software. Its basic idea is to compute the terms a_i * a_i in a separate loop, to remove the carry delay, and to remove the redundant part by changing the loop structure.
The inversion module is an exponentiation inversion algorithm module, which realizes the inversion in the Galois field by Fermat's little theorem, i.e. b = a^{p-2} (mod p). It can reuse the Montgomery multiplier resources on the hardware circuit board, and on a hardware circuit board that has a Montgomery multiplier the execution time of this algorithm module is about 70% of that of the binary extended Euclidean algorithm.
The elliptic curve cipher system of the present embodiment further comprises:
A point addition and point doubling algorithm module, used to realize the point addition and point doubling operations on the elliptic curve, which are built on the Galois field algorithms with Montgomery representation. It adopts optimized point addition and point doubling algorithms to realize the group operations and calls the Galois field algorithm module; its input parameters are elements of the Montgomery domain, so the results of the operations are also in the Montgomery domain.
A scalar multiplication algorithm module, used to realize the main operation of the elliptic curve cipher system: the scalar multiplication. Its input parameters are elements of the prime field, which are converted into the Montgomery domain before the operation, and the result is transformed back into the prime field. The operation in the scalar multiplication module adopts the NAF random point scalar multiplication algorithm.
The principle of the NAF random point scalar multiplication algorithm is that the scalar is first NAF-encoded, i.e. the scalar k is expressed in non-adjacent form with digits k_i ∈ {0, ±1}, where at least one of any two adjacent digits k_i is 0. With this encoding the scalar multiplication can be computed efficiently: the expected running time of the NAF scalar multiplication algorithm is about (m/3) A + m D, where m = [log_2 p], A denotes a point addition and D denotes a point doubling.
A DH key agreement algorithm module, used to call the scalar multiplication algorithm module to complete the key agreement. Its input parameters are elements of the prime field, which are converted into the Montgomery domain before the operation, and the result is transformed back into the prime field.
The EC-Diffie-Hellman key agreement derives a shared secret value from the private key of one party and the public key of another party, where both parties use the same EC domain parameters. If both parties execute this procedure correctly, they obtain the same result. This algorithm can be called by schemes that need to produce a shared secret key, provided that the input keys are valid.
A digital signature and verification module, used to call the scalar multiplication algorithm module to complete the digital signing and verification of a message. Its input parameters are elements of the prime field, which are converted into the Montgomery domain before the operation, and the result is transformed back into the prime field.
The Elliptic Curve Digital Signature Algorithm (ECDSA) is a digital signature and verification algorithm based on elliptic curves that is similar to DSA (Digital Signature Algorithm). Unlike the discrete logarithm problem and the integer factorization problem, the elliptic curve discrete logarithm problem has no subexponential algorithm, and for this reason the strength per bit of algorithms based on the elliptic curve discrete logarithm is substantially greater.
The main parameters of ECDSA include: an elliptic curve E defined over the finite field GF(p), such that the number #E(GF(p)) of GF(p)-rational points on E is divisible by a large prime n, and a base point G ∈ E(GF(p)). These may be written as D = (p, a, b, G, n, h), the key pair (d, Q), and a hash function H.
Of these, D = (p, a, b, G, n, h), the hash function H and Q are public, and d is kept secret.
In the elliptic curve cipher system of the present embodiment, the basic operations in the underlying Galois field must be realized first, including addition, multiplication, squaring and inversion; second, the point addition and point doubling operations on the elliptic curve are realized on the basis of the Galois field algorithm library; finally the main operation of the elliptic curve cipher system, the scalar multiplication, is realized. The key agreement is completed by calling the scalar multiplication algorithm module, and the digital signing and verification of messages is completed by calling the scalar multiplication algorithm module.
The implementation method of the elliptic curve cipher system of the present invention is described in further detail below in conjunction with the elliptic curve cipher system of the invention. It comprises the following steps:
(1) Realizing the addition, multiplication, squaring and inversion operations in the large prime field with Montgomery representation.
The large prime field here means the general prime field F_p, where p is a prime number greater than 2.
◆ Modular addition:
The modadd algorithm:
Input: integers a, b ∈ [0, p-1], a = (a_{t-1}, a_{t-2}, ..., a_1, a_0), b = (b_{t-1}, b_{t-2}, ..., b_1, b_0).
Output: c = a + b mod p.
1. c_0 ← Add(a_0, b_0), // addition of the low 32 bits
2. For i from 1 to t-1 do: c_i ← Add(a_i, b_i) + carry(a_{i-1}, b_{i-1}). // 32-bit addition of a and b word by word, bringing in the carry
3. If c ≥ p then c ← c − p. // if carry(a_{t-1}, b_{t-1}) ≠ 0, the final result has a carry out, and p is subtracted
4. Return(c). // return the result
Here Add(a_i, b_i) := (a_i + b_i) mod 2^32 and carry(a_i, b_i) := (a_i + b_i) / 2^32.
◆ Modular subtraction:
The modsub algorithm:
The subtraction operation is very similar to the addition operation; the difference is that it uses a borrow.
Input: integers a, b ∈ [0, p-1], a = (a_{t-1}, a_{t-2}, ..., a_1, a_0), b = (b_{t-1}, b_{t-2}, ..., b_1, b_0).
Output: c = a − b mod p.
1. borrow ← 0. // initialize the borrow to 0
2. For i from 0 to t-1 do: // 32-bit subtraction of a and b word by word, bringing in the borrow
2.1. c_i ← (a_i − b_i − borrow) mod 2^32 // the 32-bit subtraction result
2.2. If a_i − b_i − borrow ≥ 0 then borrow ← 0, otherwise borrow ← 1. // the borrow is 0 if the 32-bit subtraction result is non-negative, otherwise 1
3. If borrow > 0 then c ← c + p. // if a borrow remains at the end, add p
4. Return(c). // return the result
The subtraction a − b used in modadd (where a ≥ b) is a special case of modsub; it is obtained simply by removing step 3 of the above algorithm.
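The modadd and modsub algorithms above, written out on 32-bit limbs as an added example (not the patent's own code), so that the carry and borrow handling is explicit. The modulus is a constructed small one, the 61-bit Mersenne prime 2^61 − 1 held in t = 2 limbs rather than the text's 192-bit prime, so that the results can be checked by hand; the trial subtraction in modadd is exactly "modsub without step 3", as the text remarks.

```python
# Added example: word-level modadd / modsub on 32-bit limbs.
# Constructed parameters: p = 2^61 - 1 in t = 2 limbs (not the text's 192-bit p).

W = 32
MASK = (1 << W) - 1


def to_limbs(x, t):
    """Little-endian 32-bit limbs (x_0, ..., x_{t-1}) of an integer x < 2^(32 t)."""
    return [(x >> (W * i)) & MASK for i in range(t)]


def from_limbs(limbs):
    return sum(l << (W * i) for i, l in enumerate(limbs))


def limb_sub(a, b, t):
    """c = a - b on t limbs; returns (c, borrow), borrow = 1 when a < b."""
    c, borrow = [0] * t, 0
    for i in range(t):
        d = a[i] - b[i] - borrow           # steps 2.1 / 2.2 of modsub
        c[i] = d & MASK                    # (a_i - b_i - borrow) mod 2^32
        borrow = 1 if d < 0 else 0         # borrow out of this word
    return c, borrow


def limb_add(a, b, t):
    """c = a + b on t limbs; returns (c, carry) with the carry chained."""
    c, carry = [0] * t, 0
    for i in range(t):
        s = a[i] + b[i] + carry            # Add(a_i, b_i) plus the incoming carry
        c[i] = s & MASK
        carry = s >> W                     # carry(a_i, b_i)
    return c, carry


def modadd(a, b, p, t):
    """c = a + b mod p for limb vectors a, b in [0, p-1]."""
    c, carry = limb_add(a, b, t)
    # Step 3: if the sum overflowed t words, or c >= p, subtract p once.
    # The comparison is done by a trial subtraction (modsub without step 3).
    d, borrow = limb_sub(c, p, t)
    if carry or not borrow:
        return d
    return c


def modsub(a, b, p, t):
    """c = a - b mod p for limb vectors a, b in [0, p-1]."""
    c, borrow = limb_sub(a, b, t)
    if borrow:                             # step 3: a < b, so add p back
        c, _ = limb_add(c, p, t)
    return c


# Constructed parameters: p = 2^61 - 1 in two 32-bit limbs.
T = 2
P = (1 << 61) - 1
P_LIMBS = to_limbs(P, T)


def demo_add(x, y):
    return from_limbs(modadd(to_limbs(x, T), to_limbs(y, T), P_LIMBS, T))


def demo_sub(x, y):
    return from_limbs(modsub(to_limbs(x, T), to_limbs(y, T), P_LIMBS, T))
```

Note that both final corrections branch on the data: a hardware or constant-time software version performs the trial subtraction or addition unconditionally and then selects the result with a mask, so that timing does not depend on the operands.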
◆ Modular multiplication:
The Montgomery multiplication has several implementations; the present embodiment adopts the most efficient one, the CIOS-Montgomery multiplication algorithm (Coarsely Integrated Operand Scanning), which occupies the least resources and is the fastest.
Input: integers a, b ∈ [0, p-1], a = (a_{t-1}, a_{t-2}, ..., a_1, a_0), b = (b_{t-1}, b_{t-2}, ..., b_1, b_0).
Output: c = a b R^{-1} mod p
1. For i from 0 to t-1 do: s[i] ← 0. // initialize the result array
   s6 ← 0, s7 ← 0 // initialize the temporary variables (the two extra words s[t], s[t+1] for t = 6)
2. For i from 0 to t-1 do:
2.1. C ← 0. // initialize the temporary variable
2.2. For j from 0 to t-1 do: // 32-bit multiplications of a and b
     compute (C, S) = s[j] + a_j b_i + C, // intermediate result of the 32-bit multiplication
     set s[j] ← S. // store the 32-bit word
2.3. (C, S) ← s6 + C, s6 ← S, s7 ← C. // store the most significant words of the result
2.4. C ← 0, m = s[0] * p'[0] mod 2^32, (C, S) = s[0] + m * p[0]. // reduce the lowest 32 bits
2.5. For j from 1 to t-1 do: // reduction word by word
     compute (C, S) = s[j] + m * p[j] + C, // 32-bit intermediate reduction result
     set s[j-1] ← S. // store the 32-bit word
2.6. (C, S) ← s6 + C, s[t-1] ← S, s6 ← s7 + C // store the reduction result
3. If s6 != 0 // there is a carry
3.1. C = 1; // initialize the temporary variable
3.2. For i from 0 to t-1 do: // carry correction word by word
     compute (C, S) = s[i] + ~p[i] + C, // carry correction
     set s[i] ← S. // store the 32-bit word
4. Return((s_{t-1}, ..., s_1, s_0)) // return the result
Here C and S are 32-bit words, and (C, S) is the concatenation of C and S, i.e. 64 bits;
p'[0] = −p[0]^{-1} mod 2^32, where p[0] is the lowest 32 bits (lowest word) of the 192-bit prime p.
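The CIOS algorithm above on 32-bit limbs, as an added example that is not the patent's own code. The inner multiply loop and the reduction loop are interleaved per outer iteration exactly as in steps 2.2 to 2.6. The modulus is the constructed prime p = 2^61 − 1 in t = 2 limbs with R = 2^64, chosen because R mod p = 8 and R^2 mod p = 64 can be verified by hand (the text's target is a 192-bit p with R = 2^192); the final correction does a full comparison with p so that the output is canonical.

```python
# Added example: CIOS Montgomery multiplication on 32-bit limbs.
# Constructed parameters: p = 2^61 - 1, t = 2, R = 2^64.

W = 32
MASK = (1 << W) - 1


def to_limbs(x, t):
    return [(x >> (W * i)) & MASK for i in range(t)]


def from_limbs(limbs):
    return sum(l << (W * i) for i, l in enumerate(limbs))


def mont_setup(p, t):
    """Return (limbs of p, p'[0]) with p'[0] = -p[0]^{-1} mod 2^32."""
    pl = to_limbs(p, t)
    p0_inv = pow(pl[0], -1, 1 << W)          # p is odd, so p[0] is invertible
    return pl, (-p0_inv) & MASK


def cios_mont_mul(a, b, pl, p0_prime, t):
    """c = a * b * R^{-1} mod p with R = 2^(32 t); a, b, c are limb lists."""
    s = [0] * (t + 2)                         # s[0..t-1] plus s[t], s[t+1] (s6, s7 above)
    for i in range(t):
        # Step 2.2: multiply-accumulate row i of the schoolbook product.
        C = 0
        for j in range(t):
            cs = s[j] + a[j] * b[i] + C       # (C, S) = s[j] + a_j b_i + C
            s[j], C = cs & MASK, cs >> W
        cs = s[t] + C                         # step 2.3
        s[t], s[t + 1] = cs & MASK, cs >> W
        # Step 2.4: m makes the low word vanish, so the row can be shifted down.
        m = (s[0] * p0_prime) & MASK
        cs = s[0] + m * pl[0]
        C = cs >> W                           # low word is now 0 and is dropped
        for j in range(1, t):                 # step 2.5: reduce word by word
            cs = s[j] + m * pl[j] + C
            s[j - 1], C = cs & MASK, cs >> W
        cs = s[t] + C                         # step 2.6
        s[t - 1], C = cs & MASK, cs >> W
        s[t], s[t + 1] = s[t + 1] + C, 0
    # Final correction: the result is below 2p; subtract p once when the carry
    # word s[t] is set or the low words are >= p (full compare for a canonical output).
    val = from_limbs(s[:t]) + (s[t] << (W * t))
    p = from_limbs(pl)
    if val >= p:
        val -= p
    return to_limbs(val, t)


# Constructed parameters: p = 2^61 - 1, t = 2, R = 2^64.
T = 2
P = (1 << 61) - 1
PL, P0_PRIME = mont_setup(P, T)


def mon_mul(x, y):
    """Integer wrapper: x * y * 2^{-64} mod p."""
    return from_limbs(cios_mont_mul(to_limbs(x, T), to_limbs(y, T), PL, P0_PRIME, T))


def reference(x, y):
    """Big-integer check of the same quantity."""
    return (x * y * pow(1 << (W * T), -1, P)) % P
```

With these parameters p[0] = 2^32 − 1, so p'[0] = 1, and MonMul(5, 64) = 5 * R mod p = 40 is the conversion of 5 into the domain, while MonMul(40, 1) = 5 converts it back.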
◆ Modular squaring:
The Montgomery squaring also has several implementations; the present embodiment adopts the most efficient one, the SRCIL-Montgomery squaring algorithm (Squaring Reduction with Inner Loop), which is the fastest.
Input: integer a ∈ [0, p-1], a = (a_{t-1}, a_{t-2}, ..., a_1, a_0).
Output: c = a^2 R^{-1} mod p
1. For i from 0 to t-1 do: (s[2i+1], s[2i]) ← a_i * a_i // compute the i-th squared word
2. For i from 0 to t-1 do: // reduce the result of step 1
2.1. m = s[i] * p'[0] mod 2^32 // compute the reduction value of each word
2.2. For j from 0 to i do: // reduction word by word
     (C, s[i+j]) = s[i+j] + m * p[j] + C; // 32-bit intermediate reduction result
2.3. C_1 = 0; C_2 = 0; // initialize the temporary variables
2.4. For j from i+1 to t-1 do: // compute the products a_i a_j and reduce
2.4.1. s_long = 2 * C_1 + C + s[i+j] // store the intermediate result
2.4.2. (C_1, S) = a_i * a_j // compute the product a_i a_j
2.4.3. (C, s[i+j]) = s_long + 2 * S; // add in the carry of the lower word
2.4.4. (C_2, s[i+j]) = m * p[j] + s[i+j] + C_2. // reduce the 32-bit intermediate word
2.5. (prevcar, s[i+t]) = C + 2 * C_1 + C_2 + s[i+t] + prevcar; // store the highest 32 bits
3. s[2t] = s[2t] + prevcar; // store the carry of the most significant word
4. For i from 0 to t-1 do: s[i] ← s[i+t] // move the result to the low t words
5. If s[2t] != 0 // if the carry is not 0
5.1. C = 1; // initialize the temporary variable
5.2. For i from 0 to t-1 do: // carry correction word by word
     compute (C, S) = s[i] + ~p[i] + C; // carry correction
     set s[i] ← S. // store the 32-bit word
6. Return((s_{t-1}, ..., s_1, s_0)) // return the result
Here C, C_1, C_2 and S are 32-bit words, and (C, S) is the concatenation of C and S, i.e. 64 bits; p'[0] = −p[0]^{-1} mod 2^32, where p[0] is the lowest 32 bits (lowest word) of the 192-bit prime p.
◆ Montgomery modular reduction algorithm:
Input: c = (c_{2t-1}, ..., c_1, c_0)
Output: r = c R^{-1} mod p.
1. For i from 0 to t-1 do: // reduction
1.1. C = 0; // initialize the temporary variable
1.2. m = c_i * p'[0]; // compute the reduction value of each word
1.3. For j from 0 to t-1 do: // reduction word by word
     compute (C, S) = c_{i+j} + m * p[j] + C; // 32-bit intermediate reduction result
1.4. (prevcar, s[i+t]) = C + s[i+t] + prevcar; // store the highest 32 bits
2. For i from 0 to t-1 do: c[i] ← c[i+t] // move the result to the low t words
3. If the final carry ≠ 0 // if the carry is not 0
3.1. C = 1; // initialize the temporary variable
3.2. For i from 0 to t-1 do: // carry correction word by word
     compute (C, S) = c[i] + ~p[i] + C; // carry correction
     set r[i] ← S // store the 32-bit word
4. Return((r_{t-1}, ..., r_1, r_0)) // return the result
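The separated Montgomery reduction above as an added example (not the patent's own code): it takes a 2t-limb value c, for instance a full double-width product, and returns c R^{-1} mod p, with the carry out of word i+t deferred in prevcar as in step 1.4. The parameters are the constructed p = 2^61 − 1 in t = 2 limbs with R = 2^64, so that the reduction of 40 gives 5 (40 * 2^{-64} ≡ 5 mod p) and can be checked by hand.

```python
# Added example: word-level Montgomery reduction of a 2t-limb input.
# Constructed parameters: p = 2^61 - 1, t = 2, R = 2^64.

W = 32
MASK = (1 << W) - 1


def to_limbs(x, t):
    return [(x >> (W * i)) & MASK for i in range(t)]


def from_limbs(limbs):
    return sum(l << (W * i) for i, l in enumerate(limbs))


def mont_reduce(c, pl, p0_prime, t):
    """r = c R^{-1} mod p for c given as 2t limbs with c < p * R."""
    s = list(c) + [0]                        # s[0..2t-1] plus a carry word s[2t]
    prevcar = 0
    for i in range(t):
        C = 0
        m = (s[i] * p0_prime) & MASK         # step 1.2: chosen so that word i becomes 0
        for j in range(t):                   # step 1.3: add m * p shifted by i words
            cs = s[i + j] + m * pl[j] + C
            s[i + j], C = cs & MASK, cs >> W
        cs = s[i + t] + C + prevcar          # step 1.4: carry into the high half,
        s[i + t], prevcar = cs & MASK, cs >> W   # deferring its own carry to the next word
    s[2 * t] += prevcar                      # final carry above the top word
    r = s[t:2 * t]                           # step 2: the low t words are now zero
    # Step 3: subtract p once if a carry is left (or the result is >= p).
    val = from_limbs(r) + (s[2 * t] << (W * t))
    p = from_limbs(pl)
    if val >= p:
        val -= p
    return to_limbs(val, t)


T = 2
P = (1 << 61) - 1
PL = to_limbs(P, T)
P0_PRIME = (-pow(PL[0], -1, 1 << W)) & MASK   # p'[0] = -p[0]^{-1} mod 2^32


def reduce_int(c):
    """Reduce an integer c < p * 2^64 presented as 2t limbs."""
    return from_limbs(mont_reduce(to_limbs(c, 2 * T), PL, P0_PRIME, T))


def reference(c):
    return (c * pow(1 << (W * T), -1, P)) % P
```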
◆ Montgomery inversion algorithm:
To reuse the Montgomery multiplier resources on the hardware circuit board, the present embodiment realizes the inversion in the Galois field by Fermat's little theorem, i.e. b = a^{p-2} (mod p). On a hardware circuit board with a Montgomery multiplier, the execution time of this algorithm is about 70% of that of the binary extended Euclidean algorithm.
Input: integer a ∈ [0, p-1], a = (a_{t-1}, a_{t-2}, ..., a_1, a_0)
Output: b = a^{-1} mod p.
1. a = aR mod p; // transform a into the Montgomery domain
2. x = 1R mod p; // transform 1 into the Montgomery domain
3. For i from j-1 down to 0 do: // compute the modular exponentiation over the j bits e_i of p-2
3.1. x = MontMult(x, x); // modular squaring
3.2. If e_i = 1 then x = MontMult(x, a); // if the current bit of p-2 is 1, perform a modular multiplication
4. Return b = MontMult(x, 1). // transform the result back into the prime field
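The inversion algorithm above as an added example (not the patent's own code): a left-to-right square-and-multiply over the bits of e = p − 2, carried out entirely in the Montgomery domain so that only the multiplier is needed, with the result converted back by MontMult(x, 1). MontMult is the big-integer reference x * y * R^{-1} mod p; the prime is assumed to be the NIST P-192 prime with R = 2^192 (the text only fixes the bit length).

```python
# Added example: Fermat inversion as a Montgomery-domain exponent ladder.
# Assumption: p is the NIST P-192 prime and R = 2^192.

P = (1 << 192) - (1 << 64) - 1
R = 1 << 192
R_INV = pow(R, -1, P)
R2 = (R * R) % P


def mont_mult(x, y, p=P):
    """Big-integer reference for MontMult: x * y * R^{-1} mod p."""
    return (x * y * R_INV) % p


def mont_inverse(a, p=P):
    """b = a^{-1} mod p computed as a^{p-2}, steps 1-4 of the algorithm above."""
    if a % p == 0:
        raise ZeroDivisionError("0 has no inverse mod p")
    a_m = mont_mult(a, R2, p)          # step 1: a' = a R mod p
    x = R % p                          # step 2: 1 R mod p, the domain's 1
    e = p - 2
    for i in range(e.bit_length() - 1, -1, -1):   # step 3: bits e_{j-1} .. e_0
        x = mont_mult(x, x, p)         # 3.1: Montgomery squaring
        if (e >> i) & 1:               # 3.2: multiply when the bit of p-2 is 1
            x = mont_mult(x, a_m, p)
    return mont_mult(x, 1, p)          # step 4: back to the prime field


def check_inverse(a, p=P):
    """True when a * mont_inverse(a) == 1 (mod p)."""
    return (a * mont_inverse(a, p)) % p == 1
```

Because the exponent p − 2 is public and fixed, the sequence of squarings and multiplications does not depend on a, which is one reason this ladder is preferred over the extended Euclidean algorithm on hardware that already has a Montgomery multiplier.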
◆ Division:
Division in the Galois field is the combination of a multiplication and an inversion. Those of ordinary skill in the art can realize the division operation of the present invention from the descriptions of the multiplication and the inversion in the present embodiment, so it is not described in detail here.
(2) Realizing the point addition and point doubling operations on the elliptic curve, built on the Galois field algorithms with Montgomery representation. The present embodiment adopts optimized point addition and point doubling algorithms to realize the group operations and calls the Galois field algorithm module; the input parameters are elements of the Montgomery domain, so the results are also in the Montgomery domain.
For the group operations, the present embodiment optimizes the point addition and point doubling algorithms of the IEEE P1363 standard (reference: IEEE Std 1363-2000: Standard Specifications for Public-Key Cryptography, 2000, standards.ieee.org/catalog/oils/busarch.html), using an order of operations different from that of the IEEE P1363 standard so that the algorithms need the fewest temporary variables. The optimized algorithms are as follows:
◆ Point addition (elliptic_add)
The Modified-Jacobian coordinate form of the point addition formula for the elliptic curve y^2 = x^3 + ax + b over GF(p) is given by the following, where
H = U_2 − U_1, T = S_2 − S_1, X_3 = −H^3 − 2 U_1 H^2 + T^2, Y_3 = −S_1 H^3 + T(U_1 H^2 − X_3), Z_3 = Z_1 Z_2 H,
The algorithm is as follows:
Input: p, a, b, Q_in = (X, Y, Z), P = (X_2, Y_2).
Output: Q_out = (X, Y, Z, aZ^4) = Q_in + P.
1. If (P == O) // check whether the point P is the point at infinity
   aZ4 = a * Z^4 if necessary // compute the value aZ^4 when needed
   Return Q_out // return the point addition result
2. If (Z == 0) // check whether the point Q_in is the point at infinity
   Q_out = P // the addition result is P
   Return Q_out // return the point addition result
3. aZ4 = Z^2 // compute Z^2
4. T1 = X_2 * aZ4 // compute U_2 = X_2 Z^2
5. T1 = T1 − X // compute H = U_2 − U_1
6. aZ4 = Z * aZ4 // compute Z^3
7. aZ4 = Y_2 * aZ4 // compute S_2 = Y_2 Z^3
8. aZ4 = aZ4 − Y // compute T = S_2 − S_1
9. Z = Z * T1 // compute Z_3 = Z H
10. If (T1 == 0) // if U_2 = U_1
    If (aZ4 == 0) // if P = Q_in
        Q_out = P // initialize Q_out
        Double(Q_out) // the result is then 2P
        Return Q_out // return the point addition result
    Else // then P = −Q_in
        Z = 0 // the result is the point at infinity
        aZ4 = 0 // the result is the point at infinity
        Return Q_out // return the point addition result
11. T2 = T1^2 // compute H^2
12. T1 = T1 * T2 // compute H^3
13. Y = T1 * Y // compute S_1 H^3
14. T2 = X * T2 // compute U_1 H^2
15. X = (aZ4)^2 // compute T^2
16. X = X − T1 // compute T^2 − H^3
17. X = X − T2 // compute T^2 − U_1 H^2 − H^3
18. X = X − T2 // compute X_3 = T^2 − 2 U_1 H^2 − H^3
19. T2 = T2 − X // compute U_1 H^2 − X_3
20. T2 = aZ4 * T2 // compute T(U_1 H^2 − X_3)
21. Y = T2 − Y // compute Y_3 = T(U_1 H^2 − X_3) − S_1 H^3
22. aZ4 = Z^2 // compute Z^2
23. aZ4 = (aZ4)^2 // compute Z^4
24. If (a == p−3) // if a = p−3
        aZ4 = 0 − 3 aZ4 // compute −3 Z^4
    else
        aZ4 = a * aZ4 // compute a Z^4
This algorithm needs 9 field multiplications, 5 field squarings and 2 temporary variables.
◆ Point doubling (elliptic_doubl)
The Modified-Jacobian coordinate form of the point doubling formula for the elliptic curve y^2 = x^3 + ax + b over GF(p) is given by the following, where:
T = M^2 − 2S, X_3 = T, Y_3 = M(S − T) − U, Z_3 = 2 Y_1 Z_1,
The algorithm is as follows:
Input: p, a = −3, b, Q_in = (X, Y, Z, aZ^4).
Output: Q_out = (X, Y, Z, aZ^4) = 2 Q_in.
1. If (Z == 0) return Q_out // Q_in is the point at infinity; output the result
2. T1 = 2Y // compute 2Y
3. Z = T1 * Z // compute Z_3 = 2YZ
4. Y = Y^2 // compute Y^2
5. T1 = 2X // compute 2X
6. T1 = 2T1 // compute 4X
7. T1 = T1 * Y // compute S = 4XY^2
8. T2 = X^2 // compute X^2
9. X = 2T2 // compute 2X^2
10. T2 = X + T2 // compute 3X^2
11. T2 = T2 + aZ4 // compute M = 3X^2 + aZ^4
12. X = T2^2 // compute M^2
13. X = X − T1 // compute M^2 − S
14. X = X − T1 // compute X_3 = T = M^2 − 2S
15. T1 = T1 − X // compute S − T
16. T2 = T2 * T1 // compute M(S − T)
17. Y = 2Y // compute 2Y^2
18. Y = Y^2 // compute 4Y^4
19. Y = 2Y // compute U = 8Y^4
20. T1 = 2Y // compute 2U
21. aZ4 = T1 * aZ4 // compute 2U(aZ^4)
22. Y = T2 − Y // compute Y_3 = M(S − T) − U
With a = p − 3 as chosen in the present embodiment, the above algorithm needs only 4 field multiplications and 4 field squarings.
(3) Realizing the main operation of the elliptic curve cipher system: the scalar multiplication. Its input parameters are elements of the prime field, which are converted into the Montgomery domain before the operation, and the result is transformed back into the prime field. The operation in the scalar multiplication module adopts the NAF random point scalar multiplication algorithm.
For the scalar multiplication algorithm, since the hardware uses a finite state machine to encode the state of the scalar when realizing the scalar multiplication, the present embodiment NAF-encodes the scalar in order to reduce the complexity of the finite state machine control logic and the storage space, and adopts the random point scalar multiplication algorithm below, which needs no precomputation.
◆ Random point scalar multiplication
The random point scalar multiplication algorithm NAF-encodes (non-adjacent form) the scalar; the algorithm is described as follows:
Input: an integer k with binary digits b_i ∈ {0, 1}, where b_l = b_{l+1} = 0, and a point P on the elliptic curve
Output: a point Q on the elliptic curve, Q = kP
/* NAF (non-adjacent form) encoding of the scalar, with digits k_i ∈ {0, ±1} */
1. α ← 0 // initialize the temporary variable
2. For i from 0 to l do: // NAF (non-adjacent form) encoding
   k_i ← b_i + α − 2β, // compute the NAF digit and store it in k_i
   α ← β,
/* compute the scalar multiplication from the NAF representation of the scalar */
3. For i from l down to 0 do: // compute the scalar multiplication
3.1. Q ← 2Q // point doubling
3.2. If k_i ≠ 0 then: // a point addition is needed when k_i is nonzero
     If k_i == 1, then Q ← Q + P; // Q + P is performed when k_i = 1
     Else Q ← Q − P // Q + (−P) is performed when k_i = −1
Return(Q) // return the scalar multiplication result
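The following is an added example, not the patent's own code, serving both step (2) and step (3): the Modified-Jacobian point addition (mixed with an affine P) and point doubling in the form given above, and the NAF random point scalar multiplication built on them. A point is (X, Y, Z, aZ^4) or None for the point at infinity; plain mod-p integers are used instead of Montgomery-domain values for readability. The NAF carry β, whose definition is missing from the text as extracted, is taken as ⌊(b_i + b_{i+1} + α)/2⌋, the standard form (an assumption). The curve y^2 = x^3 + x + 1 over F_23 with base point (3, 10) is a constructed toy curve so that the multiples can be checked by hand.

```python
# Added example: Modified-Jacobian add/double and NAF scalar multiplication.
# Constructed toy curve y^2 = x^3 + x + 1 over F_23; point = (X, Y, Z, aZ^4) or None.

def mj_double(Q, a, p):
    """2Q in Modified-Jacobian coordinates (elliptic_doubl above)."""
    if Q is None:
        return None
    X, Y, Z, aZ4 = Q
    Z3 = 2 * Y * Z % p                # Z_3 = 2YZ
    Y2 = Y * Y % p
    S = 4 * X * Y2 % p                # S = 4XY^2
    M = (3 * X * X + aZ4) % p         # M = 3X^2 + aZ^4
    T = (M * M - 2 * S) % p           # X_3 = T = M^2 - 2S
    U = 8 * Y2 * Y2 % p               # U = 8Y^4
    Y3 = (M * (S - T) - U) % p        # Y_3 = M(S - T) - U
    return (T, Y3, Z3, 2 * U * aZ4 % p)   # a Z_3^4 = 2U * aZ^4


def mj_add_affine(Q, P, a, p):
    """Q + P with Q Modified-Jacobian and P = (x2, y2) affine (elliptic_add above)."""
    if P is None:
        return Q
    x2, y2 = P
    if Q is None:
        return (x2, y2, 1, a % p)
    X, Y, Z, _ = Q
    Z2 = Z * Z % p
    H = (x2 * Z2 - X) % p             # H = U_2 - U_1, with U_1 = X
    T = (y2 * Z2 * Z - Y) % p         # T = S_2 - S_1, with S_1 = Y
    if H == 0:
        return mj_double(Q, a, p) if T == 0 else None   # P == Q, or P == -Q
    H2 = H * H % p
    H3 = H2 * H % p
    Z3 = Z * H % p                    # Z_3 = Z H
    X3 = (T * T - H3 - 2 * X * H2) % p
    Y3 = (T * (X * H2 - X3) - Y * H3) % p
    Z3sq = Z3 * Z3 % p
    return (X3, Y3, Z3, a * Z3sq * Z3sq % p)


def to_affine(Q, p):
    if Q is None:
        return None
    X, Y, Z, _ = Q
    zi = pow(Z, p - 2, p)             # Fermat inverse, as the text does
    return (X * zi * zi % p, Y * zi * zi * zi % p)


def naf(k):
    """NAF digits k_0..k_l of k >= 0 (least significant first), each in {0, 1, -1}."""
    bits = [(k >> i) & 1 for i in range(k.bit_length() + 2)]   # b_l = b_{l+1} = 0
    digits, alpha = [], 0
    for i in range(len(bits) - 1):
        beta = (bits[i] + bits[i + 1] + alpha) // 2     # assumed carry rule
        digits.append(bits[i] + alpha - 2 * beta)       # k_i = b_i + alpha - 2 beta
        alpha = beta
    return digits


def naf_scalar_mult(k, P, a, p):
    """Q = kP by double-and-add/subtract over the NAF digits, returned affine."""
    neg_P = (P[0], (-P[1]) % p)
    Q = None
    for d in reversed(naf(k)):        # step 3: from digit l down to 0
        Q = mj_double(Q, a, p)        # 3.1
        if d == 1:                    # 3.2
            Q = mj_add_affine(Q, P, a, p)
        elif d == -1:
            Q = mj_add_affine(Q, neg_P, a, p)
    return to_affine(Q, p)


# Constructed toy curve: y^2 = x^3 + x + 1 over F_23, base point (3, 10).
TOY_P, TOY_A, TOY_G = 23, 1, (3, 10)
```

On this curve 2G = (7, 12), 3G = (19, 5), 4G = (17, 3), 5G = (9, 16) and 7G = (11, 3); the NAF of 3 is (1, 0, −1) and the NAF of 7 is (1, 0, 0, −1), so both exercise the Q − P branch.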
(4) Calling the scalar multiplication algorithm module to complete the key agreement. Its input parameters are elements of the prime field, which are converted into the Montgomery domain before the operation, and the result is transformed back into the prime field.
The DH key agreement algorithm:
The EC-Diffie-Hellman key agreement derives a shared secret value from the private key of one party and the public key of another party, where both parties use the same EC domain parameters. If both parties execute this procedure correctly, they obtain the same result. This algorithm can be called by schemes that need to produce a shared secret key, provided that the input keys are valid.
Input:
--- the EC domain parameters q, a, b, n and G, and the corresponding keys s and W' (the domain parameters must be the same for s and W')
--- the party's own private key s
--- the other party's public key W'
where the private key s, the EC domain parameters q, a, b, r and G, and the public key W' are valid, and all keys are associated with the same domain parameters.
Output: the derived shared secret value z ∈ GF(q), or "error"
Operation: the shared secret value z must be computed according to the following steps:
1. Compute the elliptic curve point P = s W'.
2. If P = O, output "error" and stop.
3. Let z = x_P, i.e. the x coordinate of P.
4. Output z as the shared secret key.
(5) Calling the scalar multiplication algorithm module to complete the digital signing and verification of a message. Its input parameters are elements of the prime field, which are converted into the Montgomery domain before the operation, and the result is transformed back into the prime field.
Elliptic curve digital signature and verification algorithm (ECDSA):
ECDSA (Elliptic Curve Digital Signature Algorithm) is a digital signature and verification algorithm based on elliptic curves that is similar to DSA (Digital Signature Algorithm). Unlike the discrete logarithm problem and the integer factorization problem, the elliptic curve discrete logarithm problem has no subexponential algorithm, and for this reason the strength per bit of algorithms based on the elliptic curve discrete logarithm is substantially greater.
The main parameters of ECDSA include: an elliptic curve E defined over the finite field GF(p), such that the number #E(GF(p)) of GF(p)-rational points on E is divisible by a large prime n, and a base point G ∈ E(GF(p)). We write these as D = (p, a, b, G, n, h), the key pair (d, Q), and a hash function H.
Of these, D = (p, a, b, G, n, h), the hash function H and Q are public, and d is kept secret.
◆ Signature generation:
Using the parameters above and the public/private key pair, the signer A signs a message m as follows:
1. Randomly or pseudorandomly select an integer k;
2. Compute kG = (x_1, y_1) and r = x_1 mod n; if r = 0 then return to step 1;
3. Compute k^{-1} mod n;
4. Compute e = H(m);
5. Compute s = k^{-1}(e + dr) mod n; if s = 0 then return to step 1.
Then (r, s) is A's signature on the message m.
◆ Signature verification:
The verifier B checks that (r, s) is A's signature on the message m as follows:
1. Verify that r and s are integers in [1, n−1];
2. Compute e = H(m);
3. Compute w = s^{-1} mod n;
4. Compute u_1 = ew mod n and u_2 = rw mod n;
5. Compute X = u_1 G + u_2 Q = (x_1, y_1); if X = O, reject the signature; otherwise compute v = x_1 mod n and accept the signature if and only if v = r.
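The following is an added example, not the patent's own code, serving both step (4) and step (5): the EC-Diffie-Hellman derivation and ECDSA signing and verification as described above, on NIST P-192 with compact affine point arithmetic and plain mod-p integers instead of the Montgomery domain. The curve constants are the published P-192 values (an assumption: the text does not name its curve, only that a = p − 3 and p is 192 bits), and e = H(m) is SHA-256 truncated to the bit length of n, the usual convention.

```python
# Added example: ECDH shared secret and ECDSA sign/verify on NIST P-192.
# Assumption: P-192 domain parameters; affine arithmetic, no Montgomery domain.

import hashlib
import secrets

P = (1 << 192) - (1 << 64) - 1
A = P - 3                                        # a = p - 3, as in the text
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831   # order of G


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(P1, P2):
    """Affine point addition; None is the point at infinity O."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                          # P2 == -P1
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P   # doubling slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """kP by plain left-to-right double-and-add."""
    Q = None
    for bit in bin(k)[2:]:
        Q = ec_add(Q, Q)
        if bit == "1":
            Q = ec_add(Q, pt)
    return Q


def ecdh_shared(s, W_other):
    """Steps 1-4 of the key agreement: z = x coordinate of s W', or None for 'error'."""
    Pt = scalar_mult(s, W_other)
    return None if Pt is None else Pt[0]


def hash_to_int(m):
    e = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return e >> (256 - N.bit_length())          # keep the leftmost 192 bits


def ecdsa_sign(d, m):
    """(r, s) on message m under private key d, following signing steps 1-5."""
    e = hash_to_int(m)
    while True:
        k = secrets.randbelow(N - 1) + 1         # step 1: fresh k in [1, n-1]
        r = scalar_mult(k, G)[0] % N             # step 2
        if r == 0:
            continue
        s = pow(k, N - 2, N) * (e + d * r) % N   # steps 3-5
        if s != 0:
            return (r, s)


def ecdsa_verify(Q, m, sig):
    """Verification steps 1-5; True when (r, s) is a valid signature under Q."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):          # step 1
        return False
    e = hash_to_int(m)                           # step 2
    w = pow(s, N - 2, N)                         # step 3
    u1, u2 = e * w % N, r * w % N                # step 4
    X = ec_add(scalar_mult(u1, G), scalar_mult(u2, Q))   # step 5
    return X is not None and X[0] % N == r


def keypair():
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)
```

The per-signature k must be fresh and uniformly random in [1, n−1] for every signature, since s = k^{-1}(e + dr) lets anyone recover d from two signatures that share a k; in the hardware setting of the text this is the one input the signing module cannot derive from the domain parameters and must obtain from a proper random source.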
The invention provides an elliptic curve cipher system and implementation method suitable for hardware implementation. It uses Montgomery representation to realize the various operations in the large prime field, so that all arithmetic operations required to realize the elliptic curve cipher system (modular addition, modular subtraction, modular multiplication and inversion) can be performed in the Montgomery domain without explicitly performing the time-consuming modular reduction, which makes it suitable for both software and hardware implementation.
The present embodiment is a detailed description of the invention provided so that those of ordinary skill in the art may understand it; however, those of ordinary skill in the art will appreciate that other variations and modifications can be made without departing from the scope covered by the claims of the invention, and all such variations fall within the scope of protection of the invention.