DE10101884A1 - Cryptography implementation based on inversion using elliptic curves, intended for use with processors having long number registers, but limited processing power, the algorithm used reducing processing time considerably - Google Patents

Abstract

The invention uses the extended, Euclidean algorithm for detecting an inverse in the prime number field. The method uses an algorithm such that in one processing step the results of two necessary operators are determined. To do this two numbers are successively stored in the long number registers of a computer processor. Further acceleration is obtained because typical processors store long numbers in an external register, so that by dropping half the operations half of the load cycles to the external arithmetic unit register are also dropped. An Independent claim is made for a smart card with a processor for carrying out the cryptography method.

Description

Field of the Invention

The invention relates to the field of cryptographic methods and devices, namely methods and devices that allow the implementation of a special Enable calculation, namely an inversion in the prime number field as z. B. at encryption using elliptic curves is required.

Background of the Invention

To encrypt and decrypt information of all kinds known various mathematical methods that the components of a z. B. from Numbers or letters assign existing information to numbers and from them Numbers calculate new numbers that, without knowing a key number, in short a key that does not preserve the original information.

These mathematical methods can be divided into

• - symmetrical procedures, in which the same key is used to decrypt is used as for encryption, and
• - Asymmetric procedures in which another decryption Key is used as for encryption.

Should encrypted information be in a different location than the location of the Encryption should be decrypted. B. information from one Computer system (transmitter) to another computer system (receiver) z. B. about the Internet must be transmitted, so with the symmetrical procedure Recipients also receive the key in some form. Because the danger If the key is intercepted during this transmission, apply to the Transmission of encrypted information using the asymmetric procedures as more secure.  

In a group of asymmetric methods also known as public key cryptography, the sender and receiver each calculate and exchange a private key G ^S or G ^E for themselves from a public key G, and then exchange a key G for encryption or decryption ^SE is used. Even if a third party would query both G ^S and G ^E , he would not be able to decipher the message encrypted with the key G ^SE due to the so-called "problem of the discrete logarithm".

Asymmetric encryption methods and devices for execution at least partial steps in the encryption and decryption using asymmetrical methods, in particular by means of elliptic curves, are from one A large number of publications are known, for example from the publications US 5,159,632, US 5,271,061, US 5,463,690, US 5,581,616, US 5,805,703, US 5,442,707, EP 0 892 520 A2, PCT / DE 99/00278 and PCT / US 99/12749, in which also the mathematical basics of elliptic curves and their application in the Cryptography is described and its total technical disclosure content hereby made fully part of this application by citation becomes.

The cited documents also highlight the advantages and disadvantages of encryption techniques based on elliptic curves compared to the currently most widespread type of asymmetric encryption technology, the the so-called RSA procedure. The RSA process is based on the problem of Factoring large numbers. Smart cards currently available use this Algorithm.

The essential operation in the RSA method is the potentiation of a number m in a number field Z _n , where n is a number resulting from the multiplication of two large prime numbers p and q, which as a binary number typically has a bit length of between 1024 and 2048 bits ( p and q usually have bit lengths between 512 and 1024 bits). Implementations of the RSA method on smart cards normally limit n to 1024 bits.

Unlike the RSA method, cryptographic methods are based on elliptic curve divisions in the prime number field necessary. Have enough resources is available, the execution of such divisions by means of appropriate Computer programs easily implemented.

Now there is the problem that in many applications, for example the aforementioned smart cards, the processors available for the Application of the RSA method are optimized, which means that so-called Long number registers are available that allow very long numbers to be handle that with these numbers but only a few arithmetic functions can be executed. Divisions in prime number fields are known by the Processors for smart cards and the like are not supported. It is possible that To increase computing power even with smart cards, but this increases the Chip area and increases costs.

The previous realizations of based on elliptic curves Encryption techniques essentially use the standard commands of the Processor and use the long number register only in a few places and are therefore not very efficient. All known implementations on processors from Smart cards (also called smart card ICs) and the like accelerate this Computing times by taking the underlying elliptic curve and / or the Define basic body. So it is not possible, for. B. with a smart card Perform operations for user groups with different parameter sets.

The object of the invention is therefore on the one hand, methods and devices specify that make it possible to use standard algorithms for cryptography elliptical curves on the processors of smart cards (also smart card ICs to implement efficiently with long-number crypto coprocessors.

Another object is to specify methods and devices in which Number body and elliptic curve are freely selectable and only when personalizing an appropriate storage medium, e.g. B. a smart card, e.g. B. in that EEPROM of the smart card can be read.  

Summary of the invention

Since a general division is divided by an inversion (1 / x) and a multiplication Have replaced, a generally applicable procedure for inversions in the Prime number field.

The invention proposes the use of the extended Euclidean algorithm Determination of an inverse in the prime number field before.

The inverse of an element q in Z _p (denoted by q ^-1 ) is a number, so that applies

qq ^-1 = 1 (mod p).

The background to the new solution is that cryptographic based elliptic curves manage with fewer bit numbers than RSA methods, so that the registers available in known smart card ICs are more than twice as long than actually needed for calculations on elliptic curves. The core of the The idea now is to add two numbers in a row in the long number registers to save.

For programming elliptic curve based Encryption algorithms (hereinafter referred to as ECC algorithms) Smart cards or other processors with limited performance is the Inversion of a number modulo a prime number necessary, otherwise more Buffer is usually required than on these processors Available.

This inversion is carried out using the extended Euclidean algorithm. For the input of two numbers a, b <0, the value d = ggT (a, b) (ggT = greatest common divisor) and two numbers x and y with d = x.a + y.b calculated.

The basic structure is as follows:

• a) Initialize A = a, B = b, x = 0, y = 1  
• b) As long as B <0
  • 1. i) Calculate q = A / B
  • 2. ii) Calculate r = A mod B
  • 3. iii) Change x and y
  • 4. iv) Recalculate A and B.

According to the recalculation of A and the calculation of x summarized by storing the two values in a register (which then necessarily has to be at least twice the length).

In principle, the algorithm looks like this:

Initialize X = P.2 ^{l + k} + B _P and Y = Q.2 ^{l + k} + B _Q

where X can be written in a long number register as follows: P (left-justified), followed by a number of free bits (length k), B _P (right-justified).

Accordingly, Q can be written in another long number register as follows: Q (left-justified), free (length k), B _Q (right-justified).

The actual algorithm then works with the values of X and Y, ie processes P and B _P or Q and B _Q simultaneously.

A sub-step now ensures that (in the case of processing X) P is set to the rest of the division of P / Q and (at the same time) the value in B _P is adjusted accordingly. If Y is processed, the same procedure is followed. These calculations are performed as long as P and Q are greater than zero. If one has reached zero, then B _P or B _{Q contains} the inverse sought.

For an efficient realization of the inversions with these methods in the substantially half as many registers twice as long. The number of memory bits therefore remains unchanged. This new process comes with one Long-term accumulator and without substantial support from a host processor, since only elementary commands for the long number register (add, shift, bit test and  a way to compare what can also be done by a bit test) are needed and the dividers with remainder (P and Q) are not buffered have to.

The procedure describes how a certain class of cryptographic Procedures on special microprocessors can be implemented efficiently. At The necessary computing time can thus be based on the same security requirements market processors significantly reduce compared to the known methods.

The algorithm is independent of the special parameters which the Underlying the calculation. So that it is z. B. on implementation Smart cards possible, these parameters only with the so-called personalization of the Play card (instead of already during the manufacture of the microprocessor to be determined).

On the SLE66CxxS smart card processor from Infineon, which serves as a reference, the creation of a digital signature takes approximately 500 milliseconds to one second when using the RSA algorithm. With the method used here based on elliptic curves, the necessary time amounts to 100 to 200 milliseconds with comparable security. This speed advantage results from two aspects of the process:
On the one hand, the algorithm described here makes it possible to obtain the results of two necessary operators in one calculation step; this definitely means acceleration.
In addition, there is a further acceleration due to the following fact: typically the arithmetic unit for the long number arithmetic (the so-called mathematical coprocessor) is outsourced in smart card processors and forms an arithmetic unit with a separate register set. A calculation therefore takes place in several steps:

• a) The registers of the coprocessor are loaded with the operands.
• b) The actual calculation is carried out on the coprocessor.  
• c) The main processor reads the results from the registers of the coprocessor.

Since the time required for steps a) and c) compared to the time for the actual Calculation in step b) is relatively large, so is another time advantage due to the given simultaneous calculation of more than one value.

The algorithm presented is an optimization in the event that the microprocessor Provides arithmetic routines for numbers with a bit length which is real is greater than twice the bit length of the numbers to be processed.

Brief description of the drawing

Fig. 1 shows a in the range of real numbers of two seemingly unrelated pieces existing elliptic curve and three points P, Q and R on this curve.

Description of preferred embodiments

For the programming of ECC algorithms on smart cards (or more generally on microprocessors with limited scope of performance), the inversion of a number modulo a prime number is normally necessary (since an alternative method of calculation requires more intermediate storage than is usually available on these processors). If you have a fast inversion available, the group law for points on elliptic curves is very simple, for the operation on the curve y ² = x ³ + ax + b:
P + O = O + P = P for all P ∈ E (Z _p ).
For P = (x, y) ∈ E (Z _p ) is (x, y) + (x, -y) = O. (The point (x, -y) is denoted by -P and is called the negative of P; note that -P is actually a point on the curve).
For P = (x ₁ , y ₁ ) ∈ E (Z _p ) and Q = (x ₂ , y ₂ ) ∈ E (Z _p ) with P ≠ -Q, P + Q = (x ₃ , y ₃ ) by
x ₃ = λ ² - x ₁ - x ₂
y ₃ = λ * (x ₁ - x ₃ ) - y ₁ ,
in which
λ = (y ₂ - y ₁ ) / (x ₂ - x ₁ ) if P is not equal to Q and
λ = (3.x ₁ ² + a) / (2.y ₁ ) if P is Q.

Figure 1 graphically illustrates these operations.

The inversion is carried out using the advanced Euclidean algorithm, in other words, a method which, for the input of 2 numbers a, b <0, has the value d = ggT (a, b) and 2 numbers x and y calculated with d = x.a + y.b.

For the application in the inversion this is used as follows: The first argument (a) is set to the prime number modulo which one wants to invert the second argument (b); Since the greatest common divisor of a prime number with any other number (smaller than this prime number) is always 1, one has the following identity:

1 = ggT (a, p) = xa + yp = xa (mod p)

where the last equality applies since yp mod p is identical to 0. This shows that x = a ^-1 mod p and that x is the inverse of a.

In this case, the exact algorithm is as follows (the first swapping of the roles of a & p only serves to avoid an additional step that would otherwise have been carried out):
Given a, p in Z with 0 <a <p, p is a prime number.
We are looking for x in Z, 0 <x <p with xa = 1 mod p.

• a) Initialize A = p, B = a, x ₁ = 1, x ₂ = 0
• b) As long as B <0:
  q = A / B
  r = A - qB
  x ₀ = x ₂ - qx ₁
  A = B
  B = r
  x ₂ = x ₁
  x ₁ = x ₀
• c) Set x = x ₀

The advantage of the new algorithm is that the recalculation of A and the Calculation of x can be summarized by combining the two values in one Registers are saved (which then necessarily at least double Length).

The advantage of this approach is to summarize the two calculations lies not only in the acceleration of the computing times. Rather, it is the case that Processors sometimes used register loading with operands Time costs as the actual arithmetic operation. Because this makes the simultaneous If a load cycle is not processed, the algorithm alone is clear more quickly.

The algorithm to be implemented looks in principle as follows:

Initialize T = A.2 ^{l + k} + x ₂ and U = B.2 ^{l + k} + x ₁

Below, the frames are the register length of the processor used clarify:

Representation of T

Representation of U

The algorithm then works with the values of T and U, i.e. processes A and B or x ₂ and x ₁ simultaneously. The subtraction V = T - qU then provides the results for r & x ₀ in one step.

As long as B <0:
q = A / B
V = T - qU (V = (r, x ₀ ))
T = U
U = V

If B ≦ 0: set x = x ₂ .

The quotient q is not really calculated in practice. Instead, the maximum possible multiples are successively subtracted (with a power of two). With the subtraction of X ₂ and the respective multiple of X ₁ , the sign bit propagates until the representation of A in the usual binary representation of the operands.

Because this wording makes the calculations much faster, one is able to completely independent of the program code on the card keep the curve parameters and can therefore only at a later Load the time (e.g. when personalizing the card) into the EEPROM.

Brief description of the Euclidean algorithm

The algorithm calculates the largest common divisor D = gcd (P, Q) (gcd = greatest common divisor = ggT = largest common divisor) of two elements _P and _Q and in the extended form also two elements A _P and B _Q

A _P .P + B _Q .Q = D (1)

The Euclidean algorithm is mainly required to calculate an inverse. Let P be a prime element, so the greatest common divisor is the 1 element, and B _Q is also searched for

B _Q .Q ∼ 1 mod P (2)

The general procedure of the algorithm is first described in a symmetrical form; the reason for this will be added. Two other elements A _Q and B _P are used; The following initializations take place at startup:

P '= P
Q '= Q
B _Q = A _Q = 1
A _P = B _P = 0 (3)

The algorithm consists of steps of the form

Part a: Determine four elements p _P , q _P , p _Q , q _Q with gcd (p _P .P '+ q _P .Q', p _Q .P '+ q _Q .Q') = D

Part b: Calculate new intermediate values
temp: = p _P .P '+ q _P .Q'
Q ': = p _Q .P' + q _Q .Q '
P ': = temp
temp: = p _Q .A _Q + q _Q .A _P
A _Q : = p _P .A _Q + q _P .A _P
A _P : = temp
temp: = p _Q .B _P + q _Q .B _Q
B _P : = p _P .B _P + q _P .B _Q
B _Q : = temp (4)

which ensures that the following equations are satisfied:

A _Q .P + B _P .Q = P '
A _P .P + B _Q .Q = Q '(5)

The symmetrical wording makes it clear (this is the reason for its use) how intermediate steps can be summarized. Applies:

D = gcd (P ', Q')
D = gcd (p _P .P '+ q _P .Q', p _Q .P '+ q _Q .Q')
P ": = p _P .P '+ q _P .Q'
Q ": = p _Q .P '+ q _Q .Q'
such as
D = gcd (p ' _P .P "+ q' _P .Q", p ' _Q .P "+ q' _Q .Q"
P ''': = p' _P .P "+ q ' _P .Q"
Q ''': = p' _Q .P "+ q ' _Q .Q" (6)

then the two steps can be summarized:

The calculation of the pre-factors can of course be summarized in the same way:
Be valid
P '= A _Q .P + B _P .Q
Q '= A _P .P + B _Q .Q
and will

A _{Q, g} : = p _{P, g} .A _Q + q _{P, g} .A _P
A _{P, g} : = p _{Q, g} .A _Q + q _{Q, g} .A _P
B _{P, g} : = p _{P, g} .B _P + Q _{P, g} .B _Q
B _{Q, g} : = p _{Q, g} .B _P + q _{Q, g} .B _Q (7)

also applies:
P '''= A _{Q, g} .P + B _{P, g} .Q
Q '''= A _{P, g} .P + B _{Q, g} .Q.

Obviously the factors (A for P and B for Q) do not influence each other and the steps for their calculation are always completely analogous to those of P 'and Q'. This means on the one hand that the inverse Q ^-1 mod P can be calculated independently of A and on the other hand that the steps for updating B _{P are} parallel to those of P '

P ' _new = p _P .P' + q _P .Q '
B _{P, new} = p _P .B _P + q _P .B _Q (8)

and the calculation of B _Q parallel to that of Q '

Q ' _new = p _Q .P' + q _Q .Q '
B _{Q, new} = p _Q .B _P + q _Q .B _Q (9)

is.

The algorithm ends because gcd (P, Q) = gcd (P ', Q') if P 'or / and Q' the value of the greatest common divisor of P and Q. In this case, either the two values P 'and Q' are the same, or one of them is 0; identify these cases the end of the algorithm.

If P is the prime element, only the values B _Q and B _{P are} included in the calculation of the inverses. The algorithm ends when one of the values, P 'or Q', is the 1 element.

The algorithm described can be further generalized; instead of multiplications (with p _P , p _Q , q _P , q _Q ), divisions are also possible.

Basic implementation of the Euclidean algorithm

The usual formulation of the Euclidean algorithm is based on division by remainder. In each sub-step, one of the following two operations is carried out:

P ' _new = P' + q _P .Q ', P' _new thus the rest of the above division and Q ' _new = Q'
or
p _P = q _Q = 1; q _P = 0

Q ' _new = Q' + p _Q .P ', Q' _new thus the rest of the above division and P ' _new = P',
where it is elementary to calculate that gcd (P ' _new , Q' _new ) = gcd (P ', Q').

The latter obviously also applies somewhat more generally:

gcd (a, b) = gcd (a + p.b, b) (10)

Of course, a real division with long numbers is not in the concrete implementation practicable, more efficient procedures are necessary. The exact implementation depends thereby on the concrete representation of the elements in the computer. With the usual Binary representation and a consistent order relation are enough Bits of P 'and Q' for (possibly approximate) determination of the factors p and q of the usual Euclidean algorithm. These (mostly "small") factors can be over summarize several steps before going with the full long number must multiply.

You can also do without real multiplications with long numbers and use only comparatively cheap shift operations (binary methods). This amount to implicitly performing divisions and multiplications.

Since a concrete representation of the number plays a role in each case, one of the two cases will be discussed below

• - prime arithmetic
• - polynomial arithmetic (characteristic 2 arithmetic)

based on.  

Efficient implementation of inversion in the prime number field with long number registers

If registers with more than twice the length of a long number are available, leave implement the binary method with low hardware requirements. An inversion for prime number arithmetic is described, the same technique works but also for characteristic 2. The implementation is algorithmically equivalent to usual advanced Euclidean algorithm.

The "advanced crypto" serves as a concrete model for the underlying hardware engine (ACE) "of the Sienens / Infineon" ALE66CX. . . "- Smartcard processor family.

Principles of the procedure

There are two registers N and Z with a fixed bit length 2.l + k, two binary-coded numbers P (= P ') and Q (= Q'), where P is a prime number and Q ≦ P (= only in the case of polynomial arithmetic) as well as two numbers B _P and B _Q , initialized with B _P = 0 and B _Q = 1, respectively. All numbers are represented with 1 bit and are optionally provided with leading zeros. In the implemented Euclidean algorithm, the division with remainder is not carried out directly, but through individual steps of the form

P = P - 2 ^s .Q (if P ≧ 2 ^s .Q), (11)

where s is counted down to 0. In the end (then P <Q) P is the rest of the division. At the start of the algorithm

Z = P.2 ^{l + k} + B _P
N = Q.2 ^{l + k} + B _Q (12)

set; since all numbers are represented with max 1 bits (of course the number of separating bits must be k <0), there is no (significant) influence between P and Q on the one hand and B _P and B _Q on the other. The current number of bits n of the representation of P is noted for the execution of the algorithm, and the same procedure is used with Q or m. A sub-step follows the following pattern:

After each step, Z and N swap roles; the whole thing repeats until the inverse of Q is determined. They are sufficient for the algorithm to run Basic arithmetic operations (+ and -, shift operations and the possibility of using the leading bit from Z to test).

A concrete implementation

For the concrete implementation, a representation of the numbers in two's complement is used provided that the leading (negative) bit must be able to be tested; the overflow of one Addition is recognized by the set negative bit.  

At the start of the algorithm the leading l <2 bits of Z are filled with P '= P, followed by k-many zero bits and then B _P. In the N register, Q '= Q is analogously stored in the first bits and B _Q in the last bits. Two counting variables m and n indicate the length of P and Q in bits, l <n ≧ m (as well as n <2) must apply. The starting position is as follows:

where 0.1 and the lower case letters p and q represent individual bits.

In a first step, the registers are adjusted:

the difference between n and m is essential. Specifically, this means that a subtraction (Z = Z - N) for P 'and B _{P has the} following meaning:

P '= P' - 2 ^nm Q '
B ' _P = B' _P - 2 ^nm B ' _Q (15)

It is assumed that n-m - 1 ≧ 0. Because in the algorithm except Shift operations only subtractions and additions are performed and that  Shift only the adjustment of P 'and Q' to the high bits of the register Z and N is used (no 0-bits are added, instead the bit length smaller), (15) are the only real arithmetic operations.

In the course of the substep, the leading bit from Z is shifted to 0 by operations of the form (15) and the Z register is shifted to the left by 1 bit; It is not known in advance whether the leading bit of Z is 1. Because of this, the subtraction is in the form

carried out; as long as the leading bit is set, Z <N is ensured. If the hardware offers a simple mechanism for size comparison, it makes more sense to work with an N shifted to the left. In this case it is a good idea

on. If you try the same thing without having the operation (Z <N) available, you can use the following code fragment:

This is equivalent to the first code fragment (where the leading bit of N = 0).

After subtraction, the leading bit is safely deleted, the contents of the registers now look like this:

where B _P borrows a 1 from P ', so the bits representation of P' in Z is that of P'-1.

In any case, the length of P '(leading 0 bits are not counted) is now at most n-1. Depending on the value in N (more precisely, if n-1 ≧ m):
shift_left Z, 1;
n = n-1;
what to

leads (the leading bit of Z can be 0), and the subtraction is repeated. On the other hand, if n = m, Z <N can still apply, so at the end of the substep:

carried out. If n = m at the very beginning, only the conclusion just described may be carried out. Overall, the following pseudocode results for the sub-step that does the essential work:
Substep

The other sub-steps, except for the conclusion, are unproblematic.

The overall process is then described by the following pseudocode:

For the still missing completion it is ensured under reasonable conditions that there are exactly 2 bits of Q 'in the N register, the first of which is 0, so Q' ≦ 1 must be. There are more than 2 bits in the Z register, the leading bit is also 0 and the following 1, in particular P '<1. Since it is known that 1 is the largest common divisor of P and Q, Q' = 1 be valid. Essentially, the pseudocode substep can therefore be carried out again in order to also bring P 'to 1. Now one of the numbers B _P or B _{Q is} positive, this is the inverse to Q mod P.

There are still a few things that require closer examination:  

correctness

First of all, it must be ensured that the algorithm has "reasonable" start values is fed. This means that P ≧ 2 is a prime number and Q ≧ 1 must be.

Since B _P borrows a 1 from P ', the bit representation of P', i.e. the first n bits of the Z register, is actually that of P'-1. However, the difference between P 'and Q' is greater than the largest common divisor, at least 2, until the conclusion. The sign of P'-Q 'or Q'-P' is not affected by this "error".

A second consequence of the "bit borrow" is the bit length of P '. If the correct value were a power of two (2 ^n-1 ), the actual bit representation is 2 ^n-1 -1, i.e. the bit length of the number is 1 shorter. If the number in Q 'is too small by 1, this only means that the for loop of partial step performs one loop pass (the first) more than necessary. If, after the subsequent exchange_Z_mit_N, the number in the Z register reduced by 1, the loop passage is "optimized away" in partial step.

As expected, the actual calculation is not falsified by the "borrow bit", since it is traced back to the register as a whole:

((P '- 1) .2 ^{l + k} + (2 ^{l + k} - (-B _P ))) - (Q'.2 ^{l + k} + B _Q )). 2 ^s = ((P' - Q '.2 ^s - 1) .2 ^{l + k} + (2 ^{l + k} - (-B _P ) - B _Q .2 ^s ))

(Q'.2 ^{l + k} + B _Q )) - ((P '- 1) .2 ^{l + k} + (2 ^{l + k} - (-B _P ))). 2 ^s = ((Q' - P '.2 ^s ) .2 ^{l + k} + (B _Q + (-B _P ) .2 ^s ))

where P ', Q', -B _P , B _Q ≧ 0.

Overall, it is therefore clear that the bit representation reduced by 1 does not have an incorrect effect on the Euclidean algorithm. It is also clear that B _Q and -B _{P are} always positive.

The last question (at least in principle) is whether one of the numbers B _P , B _{Q can be} longer than 1 bits (more precisely: greater than P). However, this danger does not exist for the Euclidean algorithm, cf. such as "Knuth Vol. 2, p. 343".

Instructions for efficient implementation

How the algorithm is implemented so that it runs as effectively as possible depends of course on the specific hardware used. Are loop constructs relative expensive, it makes sense to combine the for loop in partial steps, so that in each pass s (if large enough) by a constant value (approximately between 4 and 10) is reduced. This procedure is recommended for the "SLE66CX -" family.

Examples Problem with ECC algorithms

For simplicity's sake, an example is the creation of a so-called digital signature; there are also protocols for encrypting data. This ECDSA algorithm (see [ANSI], (IEEE]) for creating digital signatures works in the following way:
Legend:
Domain parameters:
q Prime number (<160 bit)
E: y ² = x ³ + ax + b elliptic curve over F _q
a coefficient of E (from F _q )
b coefficient of E (from F _q )
P = (x _G , y _G ): base point on the curve
x _G coefficient of G (from F _q )
y _G coefficient of G (from F _q )
n order of G
l order of E, is not used
h Co-factor (l = nh) is not used
Other elements:
k random number
m message
H hash function
H (m) hash value of the message
Key elements
d private key
Q = dP public key
Generate signatures:

• 1. Calculate e = H (m)
• 2. Generate a random number k with 1 <k <n-1
• 3. Calculate G = (x ₁ , y ₁ ) = kP
• 4. Set r = x ₁ mod n
• 5.Calculate s = k ^-1 (e + dr)
• 6. The signature for m is (r, s)

Check signatures:

• 1. Calculate e = H (m)
• 2. Calculate s ^-1 mod n
• 3. Calculate u ₁ = e ^s-1 mod n
• 4. Calculate u ₂ = r ^s-1 mod n
• 5.Calculate u ₁ P + u ₂ Q = (x ₁ , y ₁ )
• 6. Calculate t = x ₁ mod n
• 7. Signature is valid if t = r

Mathematical basics

With the help of the Euclidean algorithm, for two given numbers a and b calculate the greatest common factor d; the extended version also delivers Coefficients x and y, so that d is a linear combination of a and b lets, d. H. the following applies: d = xa + yb.

This can be used for the necessary inversion as follows: The inverse of an element q in Z _P (denoted by q ^-1 ) is a number, so that:
qq ^-1 = 1 (mod p)
ie qq ^-1 = np for an arbitrary n (is therefore an arbitrary multiple of p). If you now calculate (with the extended version of the algorithm) the PGD of q and p (and note that this is 1, since p is a prime number in our case), then you keep numbers a and b with
1 = d = aq + bp.

Since bp = 0 (mod p) applies by definition, we have aq = 1 (mod p) and the desired result is q ^-1 = a.

Adaptation of the extended Euclidean algorithm

In the extended Euclidean algorithm, two triplets of numbers (P, a, b) and (Q, c, d) are used, which switch roles after each step. A single step essentially consists of an arithmetic operation of the form
P = P - pQ
a = a - pc
b = b - pd
with a suitably determinable, relatively small number (a few bits) p. The fact that the triples swap roles means that in the next step
Q = Q - qP
c = c - qa
d = d - qb
is calculated. The Euclidean algorithm works in that the numbers p and q to be determined in each step can be chosen such that the long numbers P and Q become smaller with each double step. At the start of the algorithm, c and d are set to 1, a and b to 0, Q to the number to be inverted and P to the prime number, modulo which is inverted.

In general, the largest common divisor T of P and Calculated Q, the result is cP + bQ = T.  

In the case of an inversion with respect to a prime number one knows the ggT (T = 1) and that Inverse of Q is b or d; there is no need to calculate c and a. The successively too determining numbers p and q result from dividing with remainder of P by Q (p = P / Q + rest).

Adjustments for long number registers

Processors with long number registers have two problems when implementing the Euclidean algorithm:

• 1. Divisions with remainder, even those with small numbers, are not easily possible. Therefore, only a power of two for p can be determined in the division. In practice this means that P = P - pQ step by step, first P = P - x (n) 2 ^∧ nQ, then P = P - x (n-1) 2 ^∧ (nl) Q and finally P = P - x (0) 2Q (x (i) is always 0 or 1), where n is the difference in length of P and Q in bits; the division of P by Q is therefore carried out implicitly.
• 2. The grouping of calculation steps, here P = P - pQ and b = b - pd, is not easily possible, d. H. also a similar calculation with new ones Operands cannot be performed using commands for long number registers alone (at least not with the existing processors for smart cards). The Solution to determine p in the controlling host processor is always possible, but inefficient. The solution is that P and b, and Q and d, each together in one Registers are housed, each separated by a few bits. Becomes now the calculation P = P - pQ, for a power of two p, is carried out simultaneously also calculated b = b - pd. As a result, the calculation is sufficient, as described above of p or P = P - pQ to be carried out step by step; this is with little effort efficiently possible (e.g. on the SLE chips). One problem is that b and d are the numbers P and Q must not (significantly) influence. An analysis shows that p and q are always are positive, so d is always positive (and therefore unproblematic) and b is always negative. In the usual binary representation of the long numbers, this means that "b of P is a 1 borrows ", a fact that must be taken into account in the algorithm.

Specific implementation procedure

Determination of an inverse in the prime number field, ie
given:
a prime number P
a positive number Q less than P
a number D, so that DP = 1 mod P.

Initialization of the procedure

Let the number of bits in the binary representation of P be n.
Let the number of bits in the binary representation of Q be m (m <= n).
The number of separating 0 bits between P and b, or Q and d, is x (x <= 1).
The length of the long number register is at least 2n + x bits.
P and b are loaded into a long number register Z and Q and d into a long number register y and adjusted according to the separating x 0 bits:

Here b is initialized with 0 and d with 1 and it is possible that m = n, otherwise letters denote bits that can be 0 or 1; are the leading 0 bits optional.

Depending on the specific hardware architecture - at least the leading bit of P must be able to be tested - both registers are shifted in parallel to the left until the leading bit of the Z register is set (this is necessary for the implementation on CCP / ACE). The leading bit from P to Z is always set after initialization. Depending on the hardware implementation, it may not be possible to test the most physically significant bit of the Z register. In the following, "testing the most significant bit of the Z register" means the most significant bit of the Z register that can be tested. At the end of the initialization, the most significant bit of the Z register is the most significant bit of P and Z and Y are adjusted according to the separating x 0 bits:

Main loop of the process

• 1. Calculate the difference u of the leading zeros of y and Z (u equals "number of leading zeros of Y" minus "number of leading zeros of Z"). u is greater than or equal to 0.
  If 2 ^∧ uY <Z, set Z = Z-2 ^∧ uY
  Set u = u-1;
  if u is negative, end the loop, otherwise go to the line with Z = Z -. , ,
• 2. Set u = 0
  If the leading bit of Z is not set, shift Z left by 1, set n = n-1.
  Repeat the previous step if n <O and the leading bit of Z is not set.
• 3. Swap Y and Z as well as m and n.
• 4. If m = 0, end the main loop.

The concrete implementation using the example of the SLE66CxxS

This processor has a mathematical coprocessor with a length of 1120 bits (ACE, Advanced Crypto Engine) or 560 bit (CCP, Crypto Coprocessor) and fulfilled thus the necessary conditions for the implementation of the proposed Algorithm. It is the use of the maximum in standardization efforts provided parameter sizes possible (NIST, ANSI 512 bit).

For the use of the commonly used parameter sizes (160-256 bit) it is sufficient to operate the processor in the operating mode with the short register length.

application areas

• 1. Encrypt data: As the sender of a message, I would like it to be like this handle that only the intended recipient can read them. I'll take it with you  publicly known key and perform a mathematical transformation, which can be undone with knowledge of the secret key.
• 2. Digital signatures: As the sender of a message, I want the message to be like this indicate that the recipient can be convinced that this message really comes from me. Usually you create with the help of the secret Key additional information so that the recipient is safe by checking whether a certain relationship between the received message, this additional information and my public key consists.

The advantages of the algorithm stem from the fact that the register length of the processor used more than twice as long as the numbers to be processed are.

The algorithm described is also in this form in finite fields Characteristic 2 can be used.

Claims (10)

1. A method for performing an inversion in the prime number field, in particular in the case of encryption by means of elliptic curves, an inverse being to be determined, characterized in that the results of two necessary operators are obtained in one calculation step. 2. The method in particular according to claim 1 for performing an inversion in Prime number field, particularly when encrypting using elliptic curves, where an inverse is to be determined, characterized in that the expanded Euclidean algorithm used to determine the inverse in the prime number field becomes. 3. The method in particular according to claim 1 or 2 for performing an inversion in the prime number field, in particular when encrypting by means of elliptic curves using a microprocessor, the microprocessor being able to access at least two registers T and U, the register length of which is actually greater than twice the bit length the numbers to be calculated, the microprocessor having arithmetic routines for such numbers,
where a, p in Z with 0 <a <p, p is a prime number,
looking for x in Z, 0 <x <p with xa = 1 mod p,
characterized by the following steps:
Initialize A = p, B = a, x ₁ = 1, x ₂ = 0 and
T = A.2 ^{l + k} + x ₂ and U = B.2 ^{l + k} + x ₁
As long as B <0:
q = A / B
V = T - qU (V = (r, x ₀ ))
T = U
U = V
If B ≦ 0: set x = x ₂ 4. The method according to any one of claims 1 to 3, characterized in that the Prime number field and the parameters of the elliptic curve can be chosen freely.   5. Device, in particular smart card, for performing an inversion in Prime number field, especially in the case of encryption using elliptical Curves, an inverse to be determined, characterized in that the Device has a microprocessor which is designed such that in one Arithmetic step the results of two necessary operators can be obtained. 6. The device, in particular a smart card, in particular according to claim 5 Implementation of an inversion in the prime number field, particularly in the case of encryption by means of elliptic curves, whereby an inverse is to be determined, thereby characterized in that the microprocessor is provided with a memory in which Commands are stored which represent the extended Euclidean algorithm, by means of which the determination of the inverses in the prime number field is possible. 7. The device, in particular a smart card, in particular according to claim 5 or 6 for performing an inversion in the prime number field, in particular when encrypting by means of elliptic curves using a microprocessor, the microprocessor being able to access at least two registers T and U, the register length of which is really greater than twice the bit length of the numbers to be calculated, the microprocessor having arithmetic routines for such numbers,
where a, p in Z with 0 <a <p, p is a prime number,
looking for x in Z, 0 <x <p with xa = 1 mod p,
characterized in that the microprocessor has a memory for automatically performing the following steps:
Initialize A = p, B = a, x ₁ = 1, x ₂ = 0 and
T = A.2 ^{l + k} + x ₂ and U = B.2 ^{l + k} + x ₁
As long as B <0:
q = A / B
V = T - qU (V = (r, x ₀ ))
T = U
U = V
If B ≦ 0: set x = x ₂ 8. Device, in particular smart card, in particular according to one of the claims 5 to 7 for performing an inversion in the prime number field, in particular in the case of Encryption using elliptic curves using a microprocessor, characterized in that the prime number field and the parameters of the elliptical Curve only after manufacture of the device in a readable by the microprocessor Memory, in particular an EEPROM, have been read in, especially when Personalize the device. 9. Use of a method or a device according to one of the preceding claims in digital data transmission, in particular in the Generation of digital signatures for mobile radio, internet and other digital Transmission methods such as GSM, UMTS and DAB. 10. Machine readable memory containing those for automatic execution a method according to one of claims 1 to 4 required commands.