KR20190022023A - Hardware-implemented modular inversion module - Google Patents

Abstract

Provided is a hardware-implemented an elliptic curve cryptographic (ECC) algorithm processing device. The device comprises: at least one storage unit storing data during algorithm processing; a modular inverse calculation unit calculating a modulo inverse x of a in a relation of ax = 1 (mod m) in a right shift scheme, wherein x = a_-1 (mod m); and at least one modular addition operation unit performing modular addition in the algorithm process.

Description

[0001] HARDWARE-IMPLEMENTED MODULAR INVERSION MODULE [0002]

Relates to a hardware implemented modular inversion module, and more particularly to a technique for implementing a right-shift implementation of an inverse module used in an elliptic curve cryptosystem (ECC).

In the fourth industrial revolution, where products and devices are intelligent, security is expected to become more important. However, unlike existing server or optical communication environments, the computation power and the amount of wireless communication are limited. Therefore, the use of an elliptic curve cryptosystem (ECC) with a similar cryptographic strength to that of RSA Will increase.

On the other hand, the modular inverse algorithm has the most computational complexity among the finite field operations required in the elliptic curve cryptosystem. Therefore, the method of removing the modular inverse by using the projective coordinates was mainly used. However, this method increases the number of times such as modular multiplication (MM) and the complexity of calculating an operation on an elliptic curve becomes complicated, so that there is a limitation that an implementation complexity increases and an area increases. Not only does modular inversion need to be performed once in the last addition operation, but also a few modular inverse (MI) is required to perform ECDSA, an elliptic curve cryptography based signature algorithm. Therefore, if a fast modular inverse module can be implemented, it is possible to implement a hardware ECC module with a simpler and smaller area without using a projection coordinate system.

Korean Patent Publication No. 1020100062565 (Jun. 10, 2010), " How to obtain the modulus inverse of the modulus " Korean Patent No. 1005851190000 (May 26, 2006), "Encryption device, encryption method and recording medium" Korean Patent Publication No. 1020120088316 (Aug. 8, 2012), " Montgomery inversion calculation apparatus and Montgomery inversion calculation method using the same &

 &Quot; Proceedings of International Conference on SoC Design, pp. 313-314, 2015 ", " Analysis of Hardware Modular Inversion Modules for Elliptic Curve Cryptography &

According to one aspect, a hardware-implemented elliptic curve encryption algorithm processing device is provided. The apparatus comprises: at least one storage for storing data during algorithm processing; A modular inverse arithmetic unit operable to calculate a modulo inverse x (where x ≡ a ^-1 (mod m)) of a in a relation of ax ≡ 1 (mod m) in a right shift scheme; And at least one modular addition operation unit for performing modular addition in the algorithm process.

According to one embodiment, the modular inverse operation unit sets the initial values of R, S, U, and V so that aR? U (mod m), aS? V (mod m) Is subtracted through a right shift and a subtraction to determine the modular inverse cause x of the a when the U and the V become one.

According to an embodiment, the controller gives the initial value of R to 0, gives the initial value of S to 1, gives the initial value of U to -m, and gives the initial value of V to a, Stores U in place of U in the storage unit, stores-R in place of R, and processes it.

b^-1 (mod m)을 구하는 모듈라 나눗셈(MD, Modular Division)을 수행하도록 할 수 있다.According to one embodiment, the control unit may set the initial value of S to b instead of 1,

modular division (MD) in which b ^-1 (mod m) is obtained.

According to an embodiment, the modular inverse operation unit may further include an adder for adding the m or -m when the result of the (-R) + S operation is an odd number, after the adder for adding the -R and the S.

According to one embodiment, the modulo inverse operation unit right shifts in the same cycle to remove at least one of the least significant bits since the result of the (-U) + V operation is an even number so that (-U) + V And store the result in the storage unit.

According to one embodiment, the modular inverse operation unit may perform a 2-bit shift operation instead of the 1-bit shift operation when all of the least significant 2 bits of the results of the (-U), V, (-U) So that the speed can be further improved.

Furthermore, one of the results of the (-R), S, (-R) + S operations shifted together when shifting one of the results of the (-U) or (-U) If at least one of the least significant 2 bits of the bit is not 0, adding 0, m, -m, or 2m to the least significant 2-bit to 0 and then 2-bit shifting further improves the speed It is possible.

Further, when the result of the (-R) + S operation is 2-bit shifted, the result of addition of the least significant 2-bit of each of (-R) and S without waiting for the result of (-R) , -m, and 2m to reduce delay.

1 is a block diagram of an apparatus for processing an ECC algorithm according to an embodiment.
2 is a reference diagram for explaining a process of the ECC algorithm according to an embodiment.
3A is a block diagram of a modular inverse operation unit according to an embodiment.
FIG. 3B is a reference diagram for explaining the comparison between the RS operation and the LS operation in the process of the ECC algorithm according to one embodiment.
4 is an exemplary block diagram of a modular inverse operation unit in accordance with one embodiment.
5 is an exemplary block diagram of a modular inverse operation unit according to another embodiment.
6 is an exemplary block diagram of a modular inverse operation unit in accordance with another embodiment.

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. However, the scope of the rights is not limited or limited by these embodiments. Like reference symbols in the drawings denote like elements.

The terms used in the following description are chosen to be generic and universal in the art to which they are related, but other terms may exist depending on the development and / or change in technology, customs, preferences of the technician, and the like. Accordingly, the terminology used in the following description should not be construed as limiting the technical thought, but should be understood in the exemplary language used to describe the embodiments.

Also, in certain cases, there may be a term chosen arbitrarily by the applicant, in which case the meaning of the detailed description in the corresponding description section. Therefore, the term used in the following description should be understood based on the meaning of the term, not the name of a simple term, and the contents throughout the specification.

Elliptic Curve Cryptosystem in GF (p)

The key length of ECC according to recently required security strength is 256-bit, it should be calculated by dividing by word when implemented with software which is larger than word length of 32-bit or 64-bit. This is not a big problem in a server-class environment with high computation capability, but ECC computation can be a burden for a resource-constrained embedded system environment. On the other hand, when ECC is implemented in hardware, it can be implemented as a dedicated module according to the characteristics of ECC algorithm, which can greatly increase the calculation speed. ECC uses modular addition (MA), modular inversion (MI), and modular multiplication (MM), which are operations on the finite field as well as other public key cryptographic algorithms. Among them, MI is rarely used in RSA, which is another typical public key encryption algorithm. However, MI is frequently used in ECC. Compared to MA and MM, MI has a large effect on overall performance of ECC. Therefore, efficient implementation of MI in hardware design of ECC is very important.

In the conventional approach for implementing MI in hardware, the MI algorithm, the Euclidean Modular inverse, the RS, the binary right-shift modular inverse, and the binary left-shift modular inverse ), RS is known to be the fastest in hardware implementation. However, it is known that the area is relatively large for reasons such as adding a lot of adders in hardware implementation.

According to the embodiments described below, the area of the RS is greatly reduced compared to the conventional implementation, while the fastest RS method is presented in the hardware implementation. In addition, it shows a structure in which the number of cycles is reduced compared to the conventional one. Also, as will be described later, these embodiments are applicable to the Montgomery Modular Inverse (MMI) algorithm.

Modular inversion algorithm

As a modular inverse (MI) algorithm, a method based on finding the greatest common B is used. To obtain the greatest common divisor, the values are sorted left or right and subtracted or added together to repeat the value In the case of software design, the right alignment method with additional addition / subtraction is slow because addition / subtraction is performed only with limited resources (CPU's ALU). However, since hardware design can add more adders, modular inverse is possible, and the invented modular inverse includes a structure that minimizes the amount of adders and greatly reduces the clock cycles consumed.

Structure of ECC arithmetic processing unit

1 is a block diagram of an apparatus for processing an ECC algorithm according to an embodiment.

Basically, it includes a storage space such as a register for storing data, a modular product for modular operation, a modular product, a modular addition / subtraction module, and a control logic for controlling operation and input / output of the module.

According to one embodiment, a hardware-implemented elliptic curve encryption algorithm processing device is provided. The apparatus includes at least one storage unit for storing data during algorithm processing, such as a register. And a modular inverse operation unit (MI module), various embodiments of the structures of the modular inverse operation unit will be described later in more detail.

The modular inverse arithmetic unit is a module that implements a right shift (RS) arithmetic operation in hardware. MI computes the modular inverse x (where x = a ^-1 (mod m)) of a in the relationship ax = 1 (mod m).

In addition, various modular addition / subtraction units are further included.

ECC operation process

2 is a reference diagram for explaining a process of the ECC algorithm according to an embodiment.

When p is a prime, the elliptic curve on the finite field GF (p) is a set of (x, y) points satisfying y ² (mod p) = x ³ + ax + b it means. The operation on two points on the elliptic curve is divided into a point sum (PA) and a point multiplication (PD).

PA is the addition between two different points, and another point where a straight line passing through two points meets an elliptic curve is obtained and then it can be obtained by x-axis symmetry again. PD is the addition between two identical points. At the two points, another point where the tangent of the elliptic curve meets the elliptic curve is obtained and then it can be obtained by x-axis symmetry again. The concrete formulas for obtaining this are shown in the following table.

Point addition
(x ₁ , y ₁ ) + (x ₂ , y ₂ ) Point doubling
2 (x _1, y ₁₎ x ₃

y ₃

As shown in Table 1 above, modular multiplication, modulo (or division) modular addition / subtraction is required to perform PA and PD. PA and PD are repeated to perform point multiplication (PM, Point Multiplication), which is a key operation of key generation, ECDH and ECDSA. The general hardware ECC module structure is as follows.

Basically, it includes a storage space such as a register for storing data, a modular product for modular operation, a modular product, a modular addition / subtraction module, and a control logic for controlling operation and input / output of the module.

Structure of modular station module and comparison of left alignment and right alignment

3A is a block diagram of a modular inverse operation unit according to an embodiment.

According to one embodiment, the modular inverse operation unit sets the initial values of R, S, U, and V so that aR? U (mod m), aS? V (mod m) Is subtracted through a right shift and a subtraction to determine the modular inverse cause x of the a when the U and the V become one.

Wherein the control unit gives the initial value of R to 1, gives the initial value of S to 0, gives the initial value of U to -m, gives the initial value of V to a, U is stored instead of U, and -R is stored instead of R, and processed.

The initialization value mentioned above means the initial value of the register value of the data storage part when the modular module starts its operation. The control unit reads the contents of the data storage unit, sends the data to the operation unit, and stores the result in the data storage unit. The operation performed by the arithmetic unit and the control method of the control unit are changed according to the modular inverse algorithm. If there is only one adder in the operation part, it is similar to the software environment. In this case, the left sort based modular inverse algorithm can be faster. As we will see below, the right-justification-based algorithm has additional operations, but if the number of adders is sufficient, the right-justification-based modular inverse algorithm will be faster. FIG. 3B is for explaining this.

FIG. 3B is a reference diagram for explaining the comparison between the RS operation and the LS operation in the process of the ECC algorithm according to one embodiment. In FIG. 3B, only the most significant bit (MSB) is 0, but in (b), the MSB is also 0 at a high probability due to a carry operation due to not only the least significant bit (LSB) but also the subtraction . If the number of bits to be subtracted is a value of similar size, the MSB-side bits can be 0 bits rather than 1 bit. That is, the effect of decreasing the value when subtracting is (b) is faster.

Conventional right shift binary inverse algorithm

Conventional right-justified based algorithm is a ^-1 (mod m) to when trying to obtain, that is, ax = 1 (mod m) to in calculating the x satisfying, aR≡U (mod m), aS≡V (mod m, a, r, S, U, and V are initialized to 0, 1, m, a, then right shifted by right shift, and the two expressions are subtracted from each other to reduce the U and V values. That is, if U is the right shift with the even water surface R, V is the right shift with the even water surface S, V = VU when U and V are all U> V, U = UV, R = , S = SR is performed. Thus, when U or V becomes 1, aR≡1 (mod m) or aS≡1 (mod m), R or S becomes the inverse of a.

  If R and S are odd numbers when shifting the even U or V to the right, an additional operation to add m is needed since the information of the least significant bit which is 1 is shifted when shifting immediately. Since the choice of UV and VU is determined by U> V, if UV> 0, the value of UV can be used as is, but if UV <0, an additional VU operation is needed (VU = - (UV) Addition operation is required). This additional operation requires more addition / subtraction operations than the left-aligned based modular inverse algorithm. Especially in software design, the execution speed is slowed down because addition / subtraction is performed in limited ALU.

Suggested In one embodiment : U of To the initial value  -m RS  Implementation of MI

4 is an exemplary block diagram of a modular inverse operation unit in accordance with one embodiment.

In the present invention, the right shift binary inverse algorithm based on right alignment is implemented in hardware. First, the addition is performed in unit of bit length n of modulus m (not divided in word units) to simplify the control circuit. Even when n = 256, a high-speed design of 100 MHz or more is possible. And do not perform right shift and subtraction on separate clock cycles, respectively. The result of the subtraction between U and V is always even, so the result of the subtraction is stored by right shifting in the same cycle as the subtraction without consuming a separate clock cycle (shift in hardware is only a shift wire connection without cost) . Finally, the necessary adders are included as needed to prevent the number of clock cycles from increasing due to resource sharing. In this case, the number of adders added may be large (5 ~ 6), but this can be greatly reduced by 3 (3).

In the conventional algorithm, U = UV, V = VU, R = RS and S = SR are performed but if the U and R are stored in the register to store -U and -R, + V, V = (- U) + V, (-R) = (- R) + S and S = . Only three adders are needed, including the adders for R and S to + m. All that is needed is to change the initial values of U and R to negative numbers. Since the initial values of U and R are m, 0, only U can be changed to -m. The right shift binary inverse algorithm is only possible when modulus m is odd. In elliptic curve cryptosystem, m is always odd. Therefore, -m can be easily obtained by bitwise inverting only the least significant bit of m.

Another embodiment that suggests: to further improve speed

4 is an exemplary block diagram of a modular inverse operation unit in accordance with another embodiment.

UV represents V when both V is an even number (-U), (-U) is an even number, and (-U) + V when both are odd numbers, RS is a (-R) -U) is an even number, and (-R) + S when both are odd numbers.

According to an embodiment, the modular inverse operation unit may further include an adder for adding m or -m when the RS is an odd number, after an adder for adding the -R and the S.

According to one embodiment, the modulo inverse operation unit right shifts in the same cycle to remove at least one of the least significant bits since the result of the (-U) + V operation is an even number so that (-U) + V And store the result in the storage unit.

According to an exemplary embodiment, the modular inverse operation unit may further improve the speed by being shifted by 2-bit when the least significant two bits of the UV are all zeros.

Further, when at least one of the least significant 2 bits of the RS is not 0, the modular inverse operation unit adds 0, m, -m, and 2m to make the least significant 2-bit to 0, bit shifted to further improve speed.

More specifically, in the present embodiment, if the least significant 2 bits of UV are all 0, the 2-bit shift is performed to the left to further improve the speed. At this time, the least significant 2-bit of RS may not be 0, but it is possible to add 0, m, -m or 2m to the least significant 2-bit. The selection method of * in Fig. 2 is shown in the following table.

UV RS's least significant 2-bit When the lowest 2-bit of m = 1 When the lowest 2-bit of m = 3 The least significant 1-bit only 0 0, 2 0 1, 3 m If the least significant 2-bit is 0 0 0 One -m m 2 2m 3 m -m

As compared with the embodiment described with reference to FIG. 4, since the m-type selection is added to the existing 0, -m, m only by 2m, and the 2-bit shift is further added to the 1-bit shift, The area overhead is not large because there are no expensive devices such as resistors.

Additional embodiments: Application to the Montgomery inverse module

2ⁿ(mod m)을 계산하는 알고리즘으로 크게 두 단계로 나뉜다. 첫 단계는 almost Montgomery inverse라 불리며 a^-1

2^k(mod m) (n<k<2n)을 계산하고 두 번째 단계에서는 이를 a^-1

2ⁿ로 변환한다. almost Montgomery inverse는 RS와 흡사하기 때문에 앞서 사용했던 방법을 적용하면 다음과 같은 구조를 갖는다.6 is an exemplary block diagram of an Almost Montgomery inverse module in accordance with another embodiment. The methods described above (reducing area and increasing speed) are also applicable to the Montgomery inverse module, which is similar in structure to the RS algorithm. The Montgomery inverse algorithm is a ^-1

2 ⁿ (mod m). The algorithm is divided into two stages. The first step is called the almost Montgomery inverse and a ^-1

^{2 k (mod m) (n} <k <2n) calculating and the second step it a ^-1

2 ⁿ . Almost Montgomery inverse is similar to RS, so we apply the previous method and it has the following structure.

The amount of adders can be reduced by storing -U and -R in variables U and R as in RS algorithm. Unlike the RS algorithm, there are no operations to add m, -m, and 2m to the R and S computation side, and fewer adders are consumed. 6, a 2-bit shift and a multiplexer may be added as in the case of improving the speed of the RS algorithm in the " proposed invention 2 " in the 1-bit shift part. In contrast to the RS algorithm, It is possible to add a 3-bit shift and a multiplexer for it. You can add more shifts, but the speeding effect is getting worse.

Algorithm Description

Algorithm 1 is an algorithm that improves the area of RS and RS. The left side of the shaded area represents the original RS and the right side represents the RS variant that improves the area of RS. The remaining part is the common use part. The loop invariant of the while statement of Algorithm 1

aR? U (mod m), aS? V (mod m) --- (1)

to be. In the first line of Algorithm 1, R, S, U, and V are initialized to 0, 1, m, and a respectively, and the values stored in U and V are continuously reduced by right-shift and subtraction in the while statement. If V is 0, then a ^-1 (mod m) does not exist if U is 0, aR≡ 1 (mod m) if U is 1 and the value stored in R is a ^-1 mod m). In the ECC algorithm, the modulus m is always a prime number, so there is no case where the inverse does not exist. In the following description, it is assumed that only the inverse exists. Table 3 is an example of Algorithm 1 described above.

As described above, the selection of U-V and V-U depends on the result of U> V on the 14th line of RS. The U-V operation is basically performed because U-V> 0, and if the result is negative, an additional operation for V-U is required. These can be calculated as V-U = - (U-V) as the inverse relation of addition, but the process of calculating the complement of 2 also requires an adder. If you do not want to consume a separate clock cycle, you need one adder for each of U-V and V-U. Two adders are also required for performing R-S and S-R operations for the same reason. Considering the + m operation (6th and 10th lines) for right-shifting the odd R and S, the hardware design of the RS with minimizing the number of consumed clock cycles and the critical path is at least 5 ~ Six adders are required.

By the way, in the present embodiment which is alternatively shown on the right, only a simple expression is changed by storing (-U) in a register in which U is stored and storing (-R) in a register in which R is stored, We reduced the number of adders by half. The modified algorithm stores -U and -R in the variables U and R. In the modified algorithm, For this, U is initialized to -m, not m, and there is no change in R with initial value 0. As a result of the change, there are only add operations, and a total of three adders are required, one for (-U) + V, (-R) + S and one for odd R and S for + m (shared use). The number of adders is reduced to three compared to the five additional adders that were previously required.

The apparatus described above may be implemented as a hardware component of a memory, a memory control software component, and / or a combination of hardware components and software components. For example, the apparatus and components described in the embodiments may be implemented within a computer system, such as, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array (FPA) A programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions.

The software may include a computer program, code, instructions, or a combination of one or more of the foregoing, and may be configured to configure the processing device to operate as desired or to process it collectively or collectively Device can be commanded. The software and / or data may be in the form of any type of machine, component, physical device, virtual equipment, computer storage media, or device , Or may be permanently or temporarily embodied in a transmitted signal wave. The software may be distributed over a networked computer system and stored or executed in a distributed manner. The software and data may be stored on one or more computer readable recording media.

The memory operation control method according to the embodiment may be implemented in the form of a program command that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions to be recorded on the medium may be those specially designed and configured for the embodiments or may be available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magnetic media such as floppy disks; Magneto-optical media, and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the embodiments, and vice versa.

Although the embodiments have been described with reference to the drawings, various modifications and variations may be made by those skilled in the art. For example, it is to be understood that the techniques described may be performed in a different order than the described methods, and / or that components of the described systems, structures, devices, circuits, Lt; / RTI &gt; or equivalents, even if it is replaced or replaced. Therefore, other implementations, other embodiments, and equivalents to the claims are also within the scope of the following claims.

Claims (7)

A hardware-implemented elliptic curve encryption algorithm processing apparatus comprising:
At least one storage for storing data during algorithm processing;
A modulo inverse calculation unit operable to calculate a modulo inverse x (where x = a ^-1 (mod m)) of a in a relation of ax = 1 (mod m) in a right shift scheme; And
At least one modular addition operation unit for performing modular addition in the algorithm process,
And an elliptic curve encryption algorithm processing unit.
The method according to claim 1,
Wherein the modular inverse operation unit comprises:
S, U, and V are set so that aR? U (mod m) and aS? V (mod m) are satisfied, the values of U and V are reduced, And determines the modulo-denominator cause x of the a if any one is 1. The apparatus of claim &lt; RTI ID = 0.0 &gt; 1, &lt; / RTI &gt;
3. The method of claim 2,
The modular inverse operation unit gives the initial value of R to 0, gives the initial value of S to 1, gives the initial value of U to -m, and gives the initial value of V to a, Storing an -U in place of the U and storing -R in place of the R and processing the elliptic curve algorithm.
The method of claim 3,
Wherein the modular inverse operation unit further includes an adder for adding m to the adder for adding the -R and the S when the result of the (-R) + S operation is negative.
The method of claim 3,
The modular inverse operation unit right shifts in the same cycle so as to eliminate at least one of the least significant bits since the result of the (-U) + V operation is an even number, thereby outputting a result of (-U) + V, The elliptic curve algorithm processing device stores in.
6. The method of claim 5,
Wherein the modular inverse arithmetic unit is 2-bit shifted when the least significant 2 bits of the result of the (-U) + V operation are all 0, thereby further improving the speed.
6. The method of claim 5,
The modular inverse calculation unit calculates 0, m, -m, and 2m when at least one of the least significant two bits of the results of the (-R), S, (-R) + S operations to be shifted is not 0 Wherein the least significant 2-bit is set to 0, and the 2-bit is shifted again to further improve the speed.

Images