KR100451570B1 - Method and apparatus for implementing elliptic curve cryptosystem resisting against simple power attacks - Google Patents

Abstract

The present invention relates to a method for implementing an elliptic curve encryption algorithm that withstands simple power attacks (SPA), wherein the first multiplex operator, the first multiplex operator, and the first multiplicand operator perform a multiplex operation every time the number of key values increases. A method for implementing an elliptic curve encryption algorithm for inputting an output value of the second sum operator into the first sum operator only when a second sum operator and a sum value of the key value are 1; Outputs as a second multiple operator, multiplying the first multiple operator and multiplying the second multiple operator and the first total operator to output the second multiple operator in parallel. We implemented an elliptic curve encryption algorithm that resists SP.

Description

METHOD AND APPARATUS FOR IMPLEMENTING ELLIPTIC CURVE CRYPTOSYSTEM RESISTING AGAINST SIMPLE POWER ATTACKS}

The present invention relates to a method and apparatus for implementing an elliptic curve encryption algorithm, and to a method and apparatus for implementing an elliptic curve encryption algorithm to withstand Simple Power Attacks (SPA).

With the development of information and communication network, various information is exchanged through network. When a sender wants to deliver a valuable message through an e-mail or electronic document delivery system, the sender needs to check whether the right recipient has received the right information, and from the recipient's point of view, the message creator is the right sender. Mechanism is needed.

The encryption and decryption technology of the information is transmitted by encrypting the information using the key value, and the receiver extracts the original information by decrypting the key value to find the original information even if a third party intercepts the content. It cannot be.

Encryption and decryption methods include symmetric key and asymmetric key. The encryption based on the symmetric key is the same key Ke when encrypted and key Ke when decrypted. That is, Ke = Kd.

Symmetric key cryptography has the advantage of high speed in encryption and decryption, but has the disadvantage of difficulty in key management and distribution. Since each sender and receiver must have different keys, the number of keys to be managed increases, and since the sender and receiver must have the same key, it is difficult to distribute the keys because they are likely to be exposed in the process of delivering the keys.

However, with the rapid development of the network environment, efficient key management and distribution schemes are required for anonymous and secure communication. There is a need for an efficient encryption technique that enables secure communication with a large number of parties with a small number of keys and can also be used for digital signatures. The encryption technique that appeared in such a background is the public key method.

Public key cryptography uses public and private keys to perform authentication, signing, and encryption. It is also called asymmetric cipher because the encryption key and the decryption key are different. In this case, the public key is disclosed to others, and it is also called a secret key because only the private key is kept by itself. That is, Kd! = Ke.

Public-key cryptography uses secret and public keys. Only the owner knows the private key, and the public key is public. Since public key is a public key that anyone can know, it is not a problem in terms of disclosure, but if a third party forges or tamperes with a public key in the middle, it cannot be known. There is a problem that can be suffered.

The public key infrastructure (PKI) has emerged to ensure that the public key is not tampered with. The public key infrastructure exposes certificates that link the public key with its owner. Since the certificate is signed by a trusted certificate authority, non-trusted persons cannot change the contents of the content, and if changed, the signature value can be used to find out the forgery / falsification of the certificate.

On the other hand, the public key scheme described above has a simpler key management compared to a symmetric key, but has a problem of slowing down processing speed due to an increase in complexity of an algorithm, and a burden increases when a message size increases. The most widely used algorithm for the public key method is RSA (Rivest, Shamir, Adleman).

However, it has been pointed out that the RSA requires a large amount of computation for encryption and decryption as well as a slow processing speed. In short, building a public key cryptosystem using RSA in an e-commerce environment entails a massive upscaling of hardware such as central processing units (CPUs) and memory. Furthermore, when a mobile appliance is to be used under a public key infrastructure (PKI), in which an individual will acquire one public key, processing capacity and speed improvement are inevitable.

A new public key scheme has been proposed, which is an elliptic curve encryption method using the elliptic curve principle.

The Elliptic Curve Cryptosystem (hereinafter referred to as an 'ECC System') is a public key cryptography system that is widely used in communication systems using mobile communication devices, smart cards, electronic money, small computers, and the like. The ECC system is more efficient in terms of bandwidth and computation time than other public key cryptographic standards such as RSA, and provides the same level of stability as other cryptographic standards while providing the same key value used for encryption and decryption. It offers the advantage of smaller size.

The ECC system, as is well known to those skilled in the art, operates on a set of points on an elliptic curve, such as addition, doubling, subtraction, scalar multiplication, and the like. A public key cryptosystem that defines and implements. In other words, the ECC system is a cryptographic system based on a discrete algebra problem in a set of elliptic curves defined on finite fields. The concept of such an ECC system is shown in FIG.

Referring to FIG. 1, an elliptic curve and a point operation are defined. Addition is the operation of P and Q and is denoted by "P + Q". A multiple means P + P and is usually labeled "2P". Subtraction is an addition operation of P and Q = (x ₂ , -y ₂ ), denoted by "PQ". Scalar multiplication "nP" means n P additions, ie P + P + ... + P. The operation of nP can be obtained by repeatedly adding, multiplying, and subtracting, which is implemented in a manner similar to the binary method used in the implementation of modular power. For example, when 33P is obtained, (100001) _{2 in} which 33 is expressed in binary not using P is added 32 times. In other words, if (100001) ₂ P = 2 (2 (2 (2 (2P)))) + P, 33P can be obtained by 5 multiples and 1 addition. Various definitions exist for the elliptic curve, but are typically defined as follows. Elliptic curve is polynomial Is the solution set and infinite origin (0). Operations on such elliptic curves are typically expressed as shown in Table 1 below. Expression as shown in Table 1 below is well known to those skilled in the art, so a detailed description thereof will be omitted.

As can be seen from Table 1, operations on x ₁ , y ₁ , x ₂ , y _2, and the like are modular addition, subtraction, multiplication, and division. ECC in connection with the present invention uses an elliptic curve on Galois field GF (2 ⁿ ) of size 2 ⁿ , as shown in Table 2 below. Typically such finite bodies are called extension galois fields. Therefore, the x + y or xy operation is a simple exclusive OR (XOR: eXclusive OR) operation. Therefore, in ECC using the Galoache concept, multiplication operations (x × y) and inverse operations (x- ¹ ) become important operations.

2 is a block diagram of a general ECC system to which the present invention is applied.

Referring to FIG. 2, the ECC system includes an input / output (Chip IO Block) 70, a controller (Control Logic Block) 60, a square operation (Squaring Logic Block) 20, and an addition / multiply / subtraction operator (Addition / Doubling / Subtraction Logic Block 20) and a multiplier logic block 10. Such an ECC system is usually implemented with one chip.

The multiplier 10 inputs n bits s and t to perform a multiplication operation on the finite field GF (2 ⁿ ), and obtains n bits s * t according to the multiplication operation result. The square operator 20 performs a square operation on n-bit z on the finite field GF (2 ⁿ ) and obtains z ² according to the square operation result. The square operator 20 may be implemented in conjunction with the multiplier 10 or may be implemented separately from the multiplier 10. The Inversion Logic Block 30 inputs g to perform inverse operation on the finite field GF ( ²ⁿ ), and outputs g ⁻¹ according to the result of the inverse operation. In this case, the inverse operator 30 may perform an inverse operation using the multiplier 10 and the square operator 20, or perform an inverse operation by independently implementing the inverse operator 30. The add / multiply / subtractor 40 inputs P ₁ and P ₂ to perform addition, multiplication, and subtraction on finite field GF (2 ⁿ ), and outputs P ₃ according to the result of the operation. In this case, the addition / multiply / subtractor 40 performs an operation using the inverse operator 30, the multiplier 10, and the square operator 20. The scalar multiplication operator 50 inputs ⁿ to perform a scalar multiplication operation on the finite field GF (2 ⁿ ), and outputs kP according to the operation result. In this case, the scalar multiplication operator 50 performs a scalar multiplication operation by repeatedly using the addition / multiply / subtraction operator 40. The controller 60 interprets instructions (addition, doubling, subtraction, scalar multiplication) stored in an internal control register of the chip input / output 70 to control operations of each block. The chip input / output unit 70 receives an address adder and data from the outside of the chip, transfers n, P ₁ , P ₂ , and a required for the calculation to the corresponding block, and receives the calculation result P ₃ . Output as data. In addition, the chip input / output 70 stores instructions in an internal control register and transmits the instructions to the controller 60.

The scalar multiplication operation in the operation logic can be obtained simply by a plurality of multiple operations and addition operations as described above. Typically, the method may be implemented by the right-to-left binary method, such as <Algorithm 1> below, on the contrary, the left-to-right binary method that calculates from the top of k Can also be implemented.

Algorithm 1

INPUT: P∈E _{a, b} , k = (k _n-1 , k _n-2 ,…, k ₁ , k ₀ ) is an integer

OUTPUT: kP

1.Q ₁ ← O, R ₁ ← P

2.for i from 0 to n-1

2.1. if (k _i ! = 0) Q ₂ ← Q ₁ + R ₁

2.2. R ₁ ← R ₁ + R ₁

3. return Q ₁

On the other hand, step 2.1 of <Algorithm 1> is vulnerable to Simple Power Attacks (SPA) since the calculation is performed only when k _i is 1. That is, when the addition operation of step 2.1 is performed, power consumption is greater than when the operation is not performed, and thus the k value may be determined by externally detecting the difference in power consumption. Therefore, there is a disadvantage of having a vulnerability to security.

In order to solve the security vulnerability of <Algorithm 1>, the following <Algorithm 2> method of performing the addition operation regardless of the value of k _i has been proposed.

Algorithm 2

INPUT: P∈E _{a, b} , k = (k _n-1 , k _n-2 ,…, k ₁ , k ₀ ) is an integer

OUTPUT: kP

1.Q ₁ ← O, Q ₂ ← O, R ₁ ← P

2.for i from 0 to n-1

2.1. Q ₂ ← Q ₁ + R ₁

2.2. R ₁ ← R ₁ + R ₁

2.3.

3. return Q ₁

According to the above <Algorithm 2>, a temporary buffer called Q ₂ is provided so that the addition operation is always performed regardless of the k _i value. Therefore, the key value k is not exposed to the SPA intrusion by the outside.

In addition, in step 2.3, in order to implement the same operation effectively without using the conditional operator implemented in Algorithm 1, it may be implemented as in Step 2.3 of Algorithm 2.

[Algorithm 2>, on the other hand, can prevent the SPA as described above, but the calculation time is long due to calculating for all k _i values that step 2.1 was calculated only when k _i = 1 in <Algorithm 1>. I lost.

More specifically, if the integer value k is any number, then in normal ascending binary operation, the number of operations is If the number of operations is expressed using NAF (Non-Adjacent Form), an efficient scalar multiplication method, which is applied to a general elliptic curve without performing line calculation to be. However, the algorithms that withstand SPA described above Therefore, as n increases, the number of operations becomes significantly larger than those of the above two methods, and thus, the operation time also becomes significantly longer.

Accordingly, it is an object of the present invention to provide a method and apparatus for implementing a scalar multiplication operation method in an elliptic curve encryption algorithm that can improve computation speed and withstand simple power attacks (SPA).

The present invention for achieving the above object, the first multiplex operator (R ₂ ) and the first multiplexer (R ₂ ) to perform a multiply operation every time the number of digits of the key value increases during the scalar multiplication operation in the elliptic curve encryption algorithm ₂₎ and the first summing operator (second summing operator (Q ₂₎ and the spot value of the key value 20 001 when the first sum of the output of the second summing operator (Q ₂₎ for summing the outputs Q ₁₎ In a method for implementing an elliptic curve encryption algorithm input by an operator Q ₁ , the first multiple operator R ₂ is output as a second multiple operator R ₁ , and the first multiple operator R ₂ is output. Multiplying the second multiplexing operator R ₁ with the first summation operator Q ₁ and outputting it to the second summation operator Q ₂ in parallel.

The first summation operator is configured to input the mth summation operator by setting the value obtained by adding 1 to the value '0' or '1' of the predetermined position of the key value as the m value.

On the other hand, the multiplication operation of the first fold operator, characterized in that it proceeds to include any one or more operations selected from the inverse transform operation, square operation and multiplication operation, the sum operation of the second fold operator and the first summing operator The process is characterized by including an inverse transform operation, a square operation and a multiplication operation.

In addition, the second fold operator used in the summing operation of the second fold operator and the first summing operator uses the value output from the first fold operator generated in the multiplication operation of the previous digit operation of the key value. It features.

The present invention for achieving the above object, according to the scalar multiple calculation unit in the elliptic curve cryptographic algorithms, the first of the first register for storage of multiple operators (R _2), wherein the first multiple operators (R ₂₎ A second register for storing the output from the second multiplex operator R ₁ , a third register for storing the first sum operator Q ₁ , and for storing the second sum operator Q ₂ . A multiplier operator that receives a fourth register, a first multiplier operator R ₂ output from the first register, and multiplies the second multiplier operator R ₁ and the first sum operator Q ₁ . from the summing arithmetic unit for summing operation by the second summer output to the operator (Q _2), said scalar first summing operator (Q ₁₎ and said second summing operator (Q ₂₎ in accordance with the position values of the key values in a multiple operation optionally, the first selection of output to the first summation operator (Q ₁₎ In that it comprises the features.

A second selector may be further added to an input terminal of the first register to set an initial value of the first multiplex operator R ₂ .

The multiplier operator may include one or more logic selected from inverse transform logic, square logic, and multiplication logic, and the summing operator includes one or more logic selected from inverse transform logic, square logic, and multiplication logic. It features.

In addition, the inverse transform logic, the square logic, and the multiplication logic of the multiple operator are reusable in the sum operator.

The present invention for achieving the above object is, in the scalar multiple arithmetic unit in the elliptic curve encryption algorithm, the first register for storing the x-coordinate value and the y-coordinate value of the first multiple operator R ₂ , respectively; 2 registers, a third register and a fourth register for storing the x and y coordinate values of the second multiplex operator R ₁ , and the x and y coordinate values of the first sum operator Q _1, respectively. A fifth register and a sixth register for storing the data, a seventh register and an eighth register for storing the x- and y-coordinate values of the second sum operator Q ₂ , respectively; A controller for receiving the input values and outputting values used in each process of the scalar multiple operation, an inverse transform calculator for receiving and inversely transforming the respective operators selected and output from the controller, and the controller And a multiplication operator for receiving and multiplying the operators output from the inverse transform operator, and receiving the values of the fifth and eighth registers from the fifth and sixth registers according to the position values of the key values. And a selector for selecting and outputting a value and an input value from the seventh register and the eighth register.

1 is a diagram illustrating a concept of an elliptic curve encryption method according to the prior art.

2 is a view of implementing an elliptic curve encryption algorithm according to the prior art.

3 is a block diagram of a scalar multiple operation of an elliptic curve encryption algorithm according to an embodiment of the present invention.

4 is a block diagram embodying and implementing an elliptic curve encryption algorithm according to an embodiment of the present invention.

DETAILED DESCRIPTION A detailed description of preferred embodiments of the present invention will now be described with reference to the accompanying drawings. It should be noted that reference numerals and like elements among the drawings are denoted by the same reference numerals and symbols as much as possible even though they are shown in different drawings. In the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted.

In the present invention, the following <Algorithm 3> is implemented to improve the speed of the above-described <Algorithm 2>.

Algorithm 3

INPUT: P∈E _{a, b} , k = (k _n-1 , k _n-2 ,…, k ₁ , k ₀ ) is an integer

OUTPUT: kP

1.Q ₁ ← O, Q ₂ ← O, R ₁ ← O, R ₂ ← P

2.for i from 1 to n

2.1. R ₁ ← R ₂

2.2. R ₂ ← R ₂ + R ₂

2.3. Q ₂ ← Q ₁ + R ₁

2.4.

3. return Q ₁

Algorithm 3 proposed in the present invention sets the parameter R ₁ in addition to R ₂ performing doubling, thereby simultaneously performing the doubling and addition operations. can do. Therefore, even if the addition operation is performed on all k _i values, it is possible to make it faster than the calculation speed of the conventional <Algorithm 2>.

That is, in Algorithm 2 of the prior art, a sum operation of a next digit is performed after the multiplication operation is performed, but in Algorithm 3, the previous multiplication operation result value is R ₁ even during the multiplication operation. In addition, since the summation operation is simultaneously performed using the R ₁ value, the entire calculation speed can be increased.

3 is a diagram of hardware implementation of the <Algorithm 3> according to the embodiment of the present invention.

Referring to FIG. 3, an apparatus for implementing an elliptic curve encryption algorithm according to an embodiment of the present invention includes a plurality of selectors 100 and 150, a plurality of registers 110, 130, 140, 160, and 180, And a multiplier operator 120 and a sum operator 170. The selectors 100 and 150 may be implemented as multiplexers.

The multiple computing unit 120 is receiving the first multiple operators (R ₂₎ carried out once for every index i, the draining operation for draining the first operator (R _2). Therefore, the output value of the multiple operator 120 is input to the first registers R ₂ and 110 via the first selector 100. The first selector 100 is a device for setting the initial value of the first drain (R ₂ ). That is, a P value is output as an initial output value of the first selector, and then a value received from the multiplier operator 120 is output to the first register 110 at every index i.

In addition, the R ₂ value stored in the first register 110 is input to the second registers R ₁ and 130 added according to the present invention and used for the summation calculation process. That is, the R ₁ value output from the second registers R ₁ and 130 is input to the sum calculator 170. The summing arithmetic unit 170 is the second register (R _1, 130), the R ₁ value and a third register for receiving with a Q ₁ stored in the (Q _1, 160) output from the computed sum of the two input values.

Meanwhile, the sum operation value output from the sum operator 170 is stored in the fourth registers Q ₂ and 140, and the stored value is input to the second selector 150.

The second selector 150 determines whether the value of k _i-1 is '1' or '0' for each index i and outputs the result to the third registers Q ₁ and 160.

If the result of the determination k _i-1 is '1', the Q ₂ value received from the fourth register 140 is output. When k _i-1 is '0', the third register is output. Outputs the Q ₁ value received from (160). That is, when the value of k _i-1 is '0', there is no change in the Q ₁ value, thereby satisfying the algorithm of the present invention.

The reason why the second selector 150 determines the previous value of the index i currently being performed is different from that of the conventional algorithm, since the doubling is performed first. This is because the shift operation is continuously performed by the index value.

In addition, it is preferable to further include a fifth register 180 to store the k value, output a k _i-1 value for each operation unit, and input the k _i-1 value to the second selector 150.

Finally, when each operation for all index i values is finished, the value stored in Q ₁ is outputted, and the output value is kP.

Meanwhile, as described above, the doubling and addition operations include a plurality of inverse transform operations, a square operation, and a plurality of multiplication operations.

Hereinafter, the algorithm implementation shown in FIG. 3 will be described in more detail with reference to FIG. 4.

4 is a detailed hardware diagram of an elliptic curve algorithm including internal operations of multiplication and summation operations.

First, R ₂ = (R _{2, x} , R _{2, y} ), R ₁ = (R _{1, x} , R _{1, y} ), Q ₁ = (Q _{1, x} , Q _{1, y} ), Q ₂ = Assume (Q _{2, x} , Q _{2, y} ).

Referring to FIG. 4, the apparatus for implementing an elliptic curve encryption algorithm according to an embodiment of the present invention as a detailed implementation diagram of FIG. 3 includes a plurality of selectors 202, 203, 216, and 217, and a plurality of registers 201,. 204 through 213, a plurality of controllers 214 and 219, an inverse transform operator 215, and a multiplication operator 218.

The registers 201, 204 to 213 are k, g, a, Q _{1, x} , Q _{1, y} , R _{1, x} , R _{1, y} , R _2, as the respective parameters used in the operation of the present invention _. Stores the values _x , R _{2, y} , Q _{2, x} , Q _{2, y,} and so on.

In addition, the inverse transform operator 215 and the multiplication operator 218 perform an inverse transform operation and a multiplication operation, which are detailed calculation procedures that are performed in the multiplication and summation operations according to the present invention. Since the multiplying and summing operations are performed simultaneously in a pipelined manner, even if the inverse transform operator 215 and the multiplication operator 218 are provided one by one, they can be commonly used in the two operations. That is, when the inverse operator 215 is used in the multiplication operation, a multiplication operator 218 is used in the addition operation, and when the inverse operator 215 is used in the addition operation, the multiplication operator 218 is used in the multiplication operation. It is possible to use). The detailed procedure of the above operation will be described later.

On the other hand, the first controller 214 and the second controller 219 controls the sum operation and the multiplication operation procedure so that each parameter can be calculated according to the predetermined procedure of the algorithm described above. For example, when the drainage operation process starts R _2, by storing the _x wherein R _2, received from the register 210, which outputs a _x in the inverse computing unit 215, in the inverse computing unit 215 To be calculated. While the operation is being performed, the first controller 214 may store the parameters from the registers 206 to 209 storing Q _{1, x} , Q _{1, y} , R _{1, x} , R _{1, y} . These signals are received and output to the fourth selector 217, and finally the Q _{2, x} and Q _{2, y} values are calculated by the multiplication operator 218.

In addition, the first selector 202 and the second selector 203 receive a k _i-1 value for each index i from the register 201 storing the k value, and apply the k _i-1 value to the input k _i-1 value. Therefore, Q _{1, x} and Q _{1, y} and Q _{2, x} and Q _{2, y} are selected and output as Q _{1, x} and Q _{1, y ,} respectively.

Hereinafter, a detailed execution procedure of an elliptic curve encryption algorithm with improved speed according to the present invention by the hardware configuration described above with reference to FIGS. 3 and 4 will be described with reference to <Algorithm 3> and <Table 3>.

Detailed Procedure for Algorithm 3

[When T = 1]

Step 1: Calculate (substep 2.2), (using Inversion (215)),

Step 2: , Value of each , Store in (step 2.1)

Step 3: Calculate and store in λ. (substep 2.2), (using Multiplication (218)),

Start the calculation of (detailed steps in step 2.3).

Step 4: To calculate temporary storage ( ) (In detail in step 2.2), ( Is used in step 2.3 but not until step 4)

Continue with the calculation of (detailed steps in step 2.3).

Step 5: To calculate temporary storage ( ) (In detail in step 2.2)

Complete the calculation of (detailed steps in step 2.3).

Step 6: , Value of each , Store in (final final step in step 2.2)

[When T> 1]

Step 1: Begin the calculation of. (details in step 2.2)

Calculate and store in λ (Detailed Step in Step 2.3)

Step 2: Continue counting. (details in step 2.2)

By calculating Save in (Step 2.3)

Step 3: Complete the calculation. (details in step 2.2)

By calculating (In step 2.3)

Step 4: by k _i-1 value , The value of , Save to or don't save (step 2.4)

Step 5: , Value of each , Store in (step 2.1)

Step 6: Calculate and store in λ. (details in step 2.2)

Start the calculation of (detailed steps in step 2.3).

Step 7: To calculate temporary storage ( ) (In detail in step 2.2), ( In step 4 The value is stored or discarded and can be used as temporary storage here.)

Continue with the calculation of (detailed steps in step 2.3).

Step 8: To calculate temporary storage ( ) (In detail in step 2.2), ( In step 4 The value is stored or discarded and can be used as temporary storage here.)

Complete the calculation of (detailed steps in step 2.3).

Step 9: , Value of each , Store in (final final step in step 2.2)

<Comparison of speed between the prior art and the present invention>

In the following, the implementation of the improved elliptic curve encryption algorithm according to an embodiment of the present invention and the performance of the algorithm according to the prior art are compared by the following Tables 4 and 5.

Table 4 below shows a calculation step for Algorithm 2 according to the prior art.

i Cycle Addition (Q ₂ ← Q ₁ + R ₁ ) Q ₂ change Doubling (R ₁ ← 2R ₁ ) Change in R ₁ i = 0 1c Inv 2c 3c 4c 5c Mult Inv 6c Sq Update x value of Q ₂ 7c Mult Update the y value of Q ₂ 8c 9c Mult 10c Sq Update x value of R ₁ i = 1 11c Inv Mult Update y value of R ₁ 12c 13c 14c 15c Mult Inv 16c Sq Update x value of Q ₂ 17c Mult Update the y value of Q ₂ 18c 19c Mult 20c Sq Update x value of R ₁

Referring to Table 4, when f (x) is an n-bit polynomial, the inverse transform operation is performed using an approximation Montgomery Inverse algorithm or an approximate Inverse algorithm. It takes at least 4c cycles (160bits) to 6.2c cycles (256bits). The results are published in the articles "Architectures for Unified Field Inversion with Applications in Elliptic Curve Cryptography", E. Savas and C. K. Koc, The 9th IEEE International Conference on Electronics, Circuits and Systems-ICECS 2002.

In this case, multiplication is calculated in cycle c when the serial calculation is performed using a double-and-add algorithm. Therefore, referring to Table 4, when inversion is being performed in the doubling portion, multiplication required in addition may be performed three times. Thus, three multiplication operations can be reduced in the full scalar multiplication algorithm. However, addition Since R ₁ is used in the process of, doubling At least a square operation must be completed during the detailed operation of to perform the inversion, which is a detailed operation of the next step addition operation.

Therefore, the calculation time for each index i for k _i takes 10c cycles. As a result, the total operation time for the n-bit key is 10 nc.

Meanwhile, referring to Table 5 below, 8nc is calculated by calculating the calculation time according to the algorithm of the present invention.

i Cycle Doubling (R ₂ ← R ₂ + R ₂ ) Change in R ₂ Addition (Q ₂ ← Q ₁ + R ₁ ) Q ₂ change i = 0 1c Inv 2c 3c 4c R ₁ ← R ₂ (ie R ₁ = P) 5c Mult Inv 6c Sq Update x value of R ₂ 7c Mult Y value update of R _2, namely R ₂ = 2P 8c i = 1 9c Inv Mult 10c Sq Update x-coordinate of Q ₂ 11c Mult Update the y coordinate value of Q ₂ 12c R ₁ ← R ₂ (ie R ₁ = 2P) 13c Mult Inv 14c Sq Update x value of R ₂ 15c Mult Y value update of R _2, namely R ₂ = 4P 16c

Referring to Table 5, an inversion of the addition operation may be performed immediately after the inversion of the doubling operation is completed. That is, the addition operation does not use R ₂ generated as a result of the multiple operation, but uses the R ₁ value buffered from the previous step R ₂ , so it is necessary to wait for the doubling operation to be completed. There is no. In addition, in the related art, the sum operation is performed first for each index i and the multiplication operation is performed. However, in the present invention as described above, the multiplication operation may be performed earlier than the sum operation by buffering a value for the previous drain operation.

Therefore, since the computation time of the 5c and 6c portion is shortened compared to the conventional operation, the computation time takes 8c cycle for each index i for k _i . In conclusion, since the time required for the total operation for the key of n bits is 8 nc, the operation time difference between the two operations becomes larger as the number of bits to be operated increases.

For reference, the above computational methods are called pipelines and are methods for processing more instructions in a smaller time. That is, since the instructions are partially executed in one cycle, a processor is divided into several subprocessors having different functions so that each processor can process different data at the same time.

Meanwhile, in the detailed description of the present invention, specific embodiments have been described, but various modifications are possible without departing from the scope of the present invention. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be determined not only by the scope of the following claims, but also by those equivalent to the scope of the claims.

The present invention as described above, while implementing the SPA-resistant algorithm in the elliptic curve encryption algorithm, the problem that the speed that is generated in implementing the structure to withstand SPA is improved. In addition, as the key value of the encryption algorithm increases, the difference in processing speed of the encryption algorithm becomes more noticeable than in the prior art.

Claims (11)

The first multiplex operator R ₂ , the first multiplex operator R ₂ , and the first summation operator Q ₁ that perform a multiply operation each time the number of digits of a key value increases in the scalar multiplication operation in an elliptic curve encryption algorithm. Elliptic curve encryption for inputting the output value of the second sum operator Q ₂ to the first sum operator Q ₁ only when the sum of the second sum operator Q ₂ and the position of the key value is 1 In the method of implementing the algorithm, Said first multiple operators (R ₂₎ a second multiple operators (R ₁₎ to the output, the first multiple operators (R ₂₎ a multiple operation first summation process and the second multiple operators (R ₁₎ to operator to implement the (Q ₁₎ and the sum calculated by the second summation operator sp elliptic curve cryptography algorithms resistant thereto, characterized in that the parallel output to a process for (Q _2). The method of claim 1, The first summing operator, And an m-th summation operator is input by setting a value obtained by adding 1 to a value '0' or '1' of the predetermined value of the key value as an m value. The method of claim 1, The multiple operation process of the first multiple operator, 18. A method for implementing an elliptic curve cryptographic algorithm, which is tolerate an SP, comprising at least one operation selected from an inverse transform operation, a square operation, and a multiplication operation. The method of claim 1, The summing operation process of the second fold operator and the first summing operator, 18. A method for implementing an elliptic curve cryptographic algorithm, which is tolerate an SP, comprising at least one operation selected from an inverse transform operation, a square operation, and a multiplication operation. The method of claim 1, The second fold operator used in the summing operation of the second fold operator and the first summing operator uses a value output from the first fold operator generated in the multiplication operation of the previous digit operation of the key value. A method of implementing an elliptic curve encryption algorithm that resists SP. In the scalar multiple operation apparatus in an elliptic curve encryption algorithm, A first register for storing the first multiple operator R ₂ , A second register for storing the output from the first multiple operator R ₂ as a second multiple operator R ₁ ; A third register for storing the first sum operator Q ₁ , A fourth register for storing the second sum operator Q ₂ , A multiplier calculator for receiving a first multiplier operator R ₂ output from the first register and performing a multiply operation; A sum calculator configured to sum the second multiple operator R ₁ and the first sum operator Q ₁ and output the sum sum to the second sum operator Q ₂ ; A first selector for selectively outputting from the first sum operator Q ₁ and the second sum operator Q ₂ to the first sum operator Q ₁ according to the position value of the key value in the scalar multiplication operation; Elliptic curve encryption device, characterized in that. The method of claim 6, Elliptic curve encryption device further comprises a second selector in addition to the input terminal of the first register for setting the initial value of the first multiple operator (R ₂ ). The method of claim 6, The multiplier calculator, An elliptic curve encryption device comprising at least one logic selected from inverse transform logic, square logic, and multiplication logic. The method of claim 6, The sum calculator, An elliptic curve encryption device comprising at least one logic selected from inverse transform logic, square logic, and multiplication logic. The method according to claim 8 or 9, The inverse transform logic, the square logic and the multiplication logic of the multiplier operator are reusable in the sum calculator. In the scalar multiple operation apparatus in an elliptic curve encryption algorithm, A first register and a second register for storing the x and y coordinate values of the first multiple operator R ₂ , respectively; A third register and a fourth register for storing the x and y coordinate values of the second multiplex operator R ₁ , respectively; A fifth register and a sixth register for storing the x- and y-coordinate values of the first sum operator Q ₁ , respectively; A seventh and eighth registers for storing the x and y coordinate values of the second sum operator Q ₂ , respectively; A controller which receives values output from the registers and outputs values used during each scalar multiple operation; An inverse transform calculator configured to receive the inverse transform operation by receiving the respective operators selected and output from the controller; A multiplication operator for receiving and multiplying the operators output from the controller and the inverse transform operator; A selector which receives the values of the fifth to eighth registers and selects among the input values from the fifth and sixth registers and the input values from the seventh and eighth registers according to the position values of the key values and outputs the selected values; Elliptic curve encryption device, characterized in that it comprises a.