CN101262345A - Time point system for ellipse curve password system - Google Patents

Abstract

The invention relates to a point-timing system of an elliptic curve cryptosystem, which pertains to the point-timing technical field of an elliptic curve cryptosystem and is characterized in that: the invention includes a controller of a point-timing register, a point-timing multipath option controller, a first multipath selector group, a middle variable register group and a second multipath selector group; under gating control signals output by the point-timing multipath option controller and in the process of six production lines, point-timing algorithm for multipliers and addends of the second multipath selector group is carried out by a modular multiplier and a modular adder positioned outside the point-timing system. In each production line, under the control of the gating control signals, the modular multiplier and the modular adder respectively return intermediate data to the first and the second multipath selector groups; under the control of operation control signals output by the controller of the point-timing register, each multipath selector controlling the first multipath selector group outputs relevant multipliers and addends to the second multipath selector group by the middle variable register group. The point-timing system of an elliptic curve cryptosystem of the invention increases point-timing arithmetic speed, optimizes point- multiplying performance of elliptic curves under a basic level and improves data throughput rate.

Description

Times dot system of elliptic curve cipher system

Technical field

The present invention relates to digital signature and authentication techniques field.

Background technology

Cryptographic system can be divided into tradition (or symmetry) encryption system and PKI (or asymmetric) encryption system two classes.W.Diffie in 1976 and M.E.Hellman have proposed the notion of public key cryptography, and whole cryptography development has been caused far-reaching influence.The common key cryptosystem of current extensive use is RSA, and its advantage is that principle is simple, and is easy to use.But along with updating and the continuous lifting of computing power of big integer factor decomposition method, guarantee that the needed key figure place of fail safe of RSA constantly increases, it is generally acknowledged that at present the figure place of RSA key just has safety guarantee more than 1024bit.The increase of key figure place has directly caused the increasing of declining to a great extent of encryption/decryption speed and hardware spending.

Elliptic curve cipher (ECC) is to be proposed by N.Koblitz and V.Miller in 1985, and it is to utilize elliptic curve finite group on the finite field to replace a class cryptographic system that obtains behind the finite cyclic group in the discrete logarithm problem.Because elliptic curve cipher has the security performance height, processing speed is fast, and bandwidth requirement hangs down and characteristics such as memory space is little, compares with RSA, and ECC has superiority on key length and arithmetic speed.

Elliptic curve E (F on the prime field _p) define by the Weierstrass equation:

E：y ²＝x ³+ax+b(mod p) (1)

Wherein p is a prime number, and a, b are two nonnegative integers less than p (0＜a, b＜∞), and satisfying

4a ³+27b ²(mod p)≠0 (2)

Equation (2) is based on set E _p(a, b) Finite Abel Group of definable.

In elliptic curve cryptosystem, its main operational is dot product (kP), and we can be decomposed into dot product two kinds of basic operations: point adds (ECPADD) and point (ECPDBL) doubly, and point adds with point doubling and can adopt different coordinate systems to realize.Coordinate system commonly used is affine coordinate system and Jacobi projected coordinate system.Below introduce affine coordinate system and Jacobi projected coordinate system respectively.

Affine coordinate system: cross a fixed point O on the plane and make two crossing axle x and y, their angle of cut is ω. O is an initial point with fixed point, and getting long measure on every axle (is respectively OE ₁, OE ₂), so just set up an affine coordinate system in the plane, as shown in Figure 1.For any point M on the plane, cross the parallel lines that M makes diaxon, meet at M respectively with diaxon ₁, M ₂, they are respectively x, y at the coordinate of diaxon, so the some M with regard to corresponding subordinate ordered array (x, y).

The Jacobi projected coordinate system: the point under the Jacobi projected coordinate system (X, Y, Z) and the following point of affine coordinate system (x, y) correspondence one by one, and satisfy x=X/Z ², y=Y/Z ³Coordinate under the given affine coordinate system (x, y), convert under the Jacobi projected coordinate system coordinate for (X, Y, Z), wherein X=x, Y=y, Z=1; (Z), the coordinate that converts under the radiation coordinate system is that (x y), and satisfies x=X/Z to coordinate under the given Jacobi projected coordinate system for X, Y ², y=Y/Z ³Simultaneously, point (1,1, the 0) correspondence under infinite point under the affine coordinate system and the Jacobi projected coordinate system.

Below introducing the prime field elliptic curve point adds and the doubly definition of point under affine coordinate system:

Point adds definition:

As shown in Figure 2, on elliptic curve, get 2 P (x ₁, y ₁) and Q (x ₂, y ₂), make O point expression infinite point.Calculate

R=P+Q is called point doubling, and wherein the R coordinate is (x _R, y _R).

1) if x ₁=x ₂And y ₁=-y ₂, R=P+Q=O then.

2) if 1) condition is false, and a R=P+Q is then arranged, satisfy

$x_R={\left(\frac{y_2-y_1}{x_2-x_1}\right)}^2-x_1-x_2---\left(3\right)$

$y_R=\left(\frac{y_1-y_2}{x_1-x_2}\right)(x_1-x_R)-y_1---\left(4\right)$

Doubly some definition:

As shown in Figure 3, on elliptic curve, get 1 P (x ₁, y ₁), make O point expression infinite point.Calculate R=2P and be called point doubling, wherein the R coordinate is (x _R, y _R).

1) if y ₁=0, R=2P=O then.

2) if y ₁≠ 0, a R=2P is then arranged, satisfy

$x_R={\left(\frac{{{3x}_1}^2+a}{{2y}_1}\right)}^2-{2x}_1---\left(5\right)$

$y_R=\left(\frac{{{3x}_1}^2+a}{{2y}_1}\right)(x_1-x_R)-y_1---\left(6\right)$

Because inversion operation is slower than multiplication in elliptic curve cryptosystem, does not invert and do not relate in projected coordinate system, calculates so generally affine coordinate can be converted to projection coordinate again.Provide the Jacobi computing formula that point adds and doubly puts under projection coordinate below.As can be seen, formula has only used that mould adds and modular multiplication.

Table 1 adds computing formula table 2 times some computing formula

Point adds: times point:

Input: P (X ₁, Y ₁, Z ₁), Q (X ₂, Y ₂, 1) and input: P (X ₁, Y ₁, Z ₁)

Output: R (X ₃, Y ₃, Z ₃)=P+Q output: R (X ₃, Y ₃, Z ₃)=2P

Formula: formula:

${\mathrm{<figure-callout\; id="3"\; label="X"\; filenames="A20081005561800231.png,A20081005561800251.png"\; state="\{\{state\}\}">X</figure-callout>}}_3={(Y_2{\mathrm{<figure-callout\; id="1"\; label="Z"\; filenames="A20081005561800231.png,A20081005561800251.png"\; state="\{\{state\}\}">Z</figure-callout>}}_1^3-Y_1)}^2-(X_2{\mathrm{<figure-callout\; id="1"\; label="Z"\; filenames="A20081005561800231.png,A20081005561800251.png"\; state="\{\{state\}\}">Z</figure-callout>}}_1^2+X_1){(X_2{\mathrm{<figure-callout\; id="1"\; label="Z"\; filenames="A20081005561800231.png,A20081005561800251.png"\; state="\{\{state\}\}">Z</figure-callout>}}_1^2-X_1)}^2$ $X_3={({3X}_1^2+{\mathrm{<figure-callout\; id="1"\; label="aZ"\; filenames="A20081005561800231.png,A20081005561800251.png"\; state="\{\{state\}\}">aZ</figure-callout>}}_1^4)}^2-{8X}_1{\mathrm{<figure-callout\; id="1"\; label="Y"\; filenames="A20081005561800231.png,A20081005561800251.png"\; state="\{\{state\}\}">Y</figure-callout>}}_1^2$

$Y_3=(Y_2{Z}_1^3-Y_1)[X_1{(X_2{Z}_1^2-X_1)}^2-X_3]-Y_1{(X_2{Z}_1^2-X_1)}^3$ $Y_3=({3X}_1^2+{\mathrm{aZ}}_1^4)({4X}_1{Y}_1^2-X_3)-{8Y}_1^4$

$Z_3=Z_1(X_2{\mathrm{<figure-callout\; id="1"\; label="Z"\; filenames="A20081005561800231.png,A20081005561800251.png"\; state="\{\{state\}\}">Z</figure-callout>}}_1^2-X_1)$ Z ₃＝2Y ₁Z ₁

For modular multiplication, generally use the Montgomery modular multiplication algorithm, this algorithm is as follows:

Input: X, Y, N, R

Output: S=XYR ^-1Mod N

Step:

1.N′＝-N ^-1 mod R

2.T＝X×Y

3.M＝T×N′mod R

$4.S=\frac{T+M\&times;N}{R}$

5. if S 〉=N, then S=S-N

6. return S.

As can be seen, one-off pattern is taken advantage of and mainly is decomposed into three multiplyings.

The point that calculates elliptic curve adds and times point, be in the consideration of dwindling area, generally usefulness is the method for serial computing, but, the efficient of serial computing is lower, adds data dependence with point doubling by analysis site, can draw that a lot of separate operations also have been regarded as dependence in serial computing, thereby cause the waste of clock periodicity, the present invention has proposed for doubly putting the effective solution that calculates according to this problem just.

Summary of the invention

The objective of the invention is to propose a kind of times dot system of elliptic curve cipher system, under the situation that does not increase area, improve the doubly arithmetic speed of point, on a basic aspect, optimize the performance of elliptic curve dot product.

The invention is characterized in:

This times dot system adopts the ASIC flow process to realize in the special digital integrated circuit (IC) chip.Contain: doubly put register controller; Doubly put the multichannel selection control; The first MUX group is made of six MUX mux1, mux2, mux3, mux4, mux5, mux6; The intermediate variable registers group is made of six intermediate variable register Reg1, Reg2, Reg3, Reg4, Reg5, Reg6; The second multichannel selection control is made of four MUX lmux1, lmux2, lmux3, lmux4, wherein:

Described times of some register controller, it is a finite state machine, the form of being input as is 010101 ... and duty ratio is 1: 1 square wave clock signal Clk, and the effective commencing signal Start of low level, be output as six operating control signal that is 2 bits separately: C1, C2, C3, C4, C5, C6, described times of some register controller pressed the combination that timeticks is exported different each operating control signals of C1_C2_C3_C4_C5_C6 in following each wheel at each clock in the effective back of commencing signal:

During initialization, make each intermediate variable register be respectively:

Reg1←X ₁，Reg2←Y ₁，Reg3←Z ₁，Reg4←1，Reg5←1，Reg6←a，

(X ₁, Y ₁, Z ₁) be the coordinate of the some P on the elliptic curve under the Jacobi projection coordinate,

1 is constant,

A is prime field elliptic curve equation E:y ²=x ³Parameter a among the+ax+b (mod p),

Order: R=2P, the coordinate of some R is (X ₃, Y ₃, Z ₃),

Each operating control signal is 00 among the C1_C2_C3_C4_C5_C6, omits the sign of each operating control signal in the following description;

In the first round Δ 1:

In the 1st clock cycle, operating control signal is 11_11_11_11_10_11,

In the 2nd clock cycle, operating control signal is 11_10_11_11_11_11,

In the 3rd clock cycle, operating control signal is 10_11_11_11_11_11,

In the 4th～the 8th clock cycle, operating control signal is 11_11_11_11_11_11,

In the 9th clock cycle, operating control signal is 11_11_11_11_01_11;

Second takes turns in the Δ 2:

In the 10th clock cycle, operating control signal is 11_11_11_11_01_11,

In the 11st clock cycle, operating control signal is 11_01_11_10_11_11,

In the 12nd clock cycle, operating control signal is 10_11_11_11_11_11,

In the 13rd clock cycle, operating control signal is 11_11_11_11_11_11,

In the 14th clock cycle, operating control signal is 10_11_11_11_11_11,

In the 15th～the 17th clock cycle, operating control signal is 11_11_11_11_11_11,

In the 18th clock cycle, operating control signal is 11_01_11_11_11_11;

In the third round Δ 3:

In the 19th clock cycle, operating control signal is 11_11_01_11_11_11,

In the 20th clock cycle, operating control signal is 11_11_11_11_11_01,

In the 21st clock cycle, operating control signal is 11_10_11_11_11_11,

In the 22nd～the 26th clock cycle, operating control signal is 11_11_11_11_11_11,

In the 27th clock cycle, operating control signal is 11_11_11_01_11_11;

In the four-wheel Δ 4:

In the 28th clock cycle, operating control signal is 01_11_11_10_11_11,

In the 29th～the 36th clock cycle, operating control signal is 11_11_11_11_11_11;

The 5th takes turns in the Δ 5:

In the 37th clock cycle, operating control signal is 01_11_11_11_11_10,

In the 38th clock cycle, operating control signal is 10_01_11_11_11_11,

In the 39th clock cycle, operating control signal is 11_11_11_10_11_11,

In the 40th～the 45th clock cycle, operating control signal is 11_11_11_11_11_11;

The 6th takes turns in the Δ 6:

In the 46th clock cycle, operating control signal is 11_11_11_11_11_11,

In the 47th clock cycle, operating control signal is 11_01_11_11_11_11,

In the 48th clock cycle, operating control signal is 11_10_11_11_11_11;

Described times of some multichannel selection control, it is a finite state machine, be input as described commencing signal Start, described clock signal C lk, output is the gating control signal of 3 bits: CL1, CL2, CL3, CL4, in described times of some multichannel selection control each wheel after described commencing signal Start is effective, the combination of all exporting different gating control signal CL1, CL2, CL3, CL4 in following each clock cycle;

When described initialization, each gating control signal is 000 among the CL1_CL2_CL3_CL4, omits the sign of each gating control signal afterwards in the narration;

In described first round Δ 1:

In described the 1st clock cycle, the gating control signal is 011_011_001_001,

In described the 2nd clock cycle, the gating control signal is 010_010_010_010,

In described the 3rd clock cycle, the gating control signal is 001_001_101_101,

In described the 4th～the 9th clock cycle, the gating control signal is 000_000_000_000;

Take turns in the Δ 2 described second:

In described the 10th clock cycle, the gating control signal is 000_000_000_000,

In described the 11st clock cycle, the gating control signal is 010_011_111_111,

In described the 12nd clock cycle, the gating control signal is 001_101_111_111,

In described the 13rd clock cycle, the gating control signal is 000_000_000_000,

In described the 14th clock cycle, the gating control signal is 000_000_001_010,

In described the 15th～the 18th clock cycle, the gating control signal is 000_000_000_000;

In described third round Δ 3:

In described the 19th clock cycle, the gating control signal is 110_000_000_000,

In described the 20th clock cycle, the gating control signal is 100_100_000_000,

In described the 21st clock cycle, the gating control signal is 110_110_111_111,

In described the 22nd～the 27th clock cycle, the gating control signal is 000_000_000_000;

In described four-wheel Δ 4:

In described the 28th clock cycle, the gating control signal is 000_000_001_111,

In described the 29th clock cycle, the gating control signal is 111_111_000_000,

In described the 30th clock cycle, the gating control signal is 100_110_000_000,

In described the 31st～the 36th clock cycle, the gating control signal is 000_000_000_000;

Take turns in the Δ 5 the described the 5th:

In described the 37th clock cycle, the gating control signal is 000_000_001_001,

In described the 38th clock cycle, the gating control signal is 000_000_111_010,

In described the 39th clock cycle, the gating control signal is 111_100_111_110,

In described the 40th～the 45th clock cycle, the gating control signal is 000_000_000_000;

Take turns in the Δ 6 the described the 6th:

In described the 46th clock cycle, the gating control signal is 000_000_000_000,

In described the 47th clock cycle, the gating control signal is 000_000_000_000,

In described the 48th clock cycle, the gating control signal is 000_000_100_111;

The described first MUX group, wherein:

Each MUX mux1～mux6 selection signal input part separately successively links to each other with each operating control signal output of described times of some register controller respectively successively, imports each operating control signal C1～C6 respectively,

Each MUX mux1～mux6 00 end is separately successively imported X successively ₁, Y ₁, Z ₁, 1,1, a,

Each MUX mux1～mux6 mould multiplier separately according to input 01 jointly with described times of dot circuit system outside mould take advantage of the mould multiplier of device to link to each other according to the r_mul output,

Each MUX mux1～mux6 mould separately add data input 10 jointly with described times of dot circuit system outside the mould mould that adds device add data r_add output and link to each other;

Described intermediate variable registers group, wherein:

The first input end that each intermediate variable register is deposited Reg1～Reg6 successively links to each other with the output of signal D1, the D2 of described each MUX mux1～mux6, D3, D4, D5, D6 respectively successively, connects the output of clock signal C lk after second input of described Reg1～Reg6 interconnects;

The described second MUX group, wherein:

Each MUX lmux1～lmux4 selection signal input part separately successively links to each other with each gating control signal output ends of described times of some multichannel selection control respectively successively, imports each gating control signal CL1～CL4 respectively,

Connect described constant 1 after the 000 input interconnection of MUX lmux1, lmux2,

Connect the output that described mould adds the mould plus signal r_add of device after the 000 input interconnection of MUX lmux3, lmux4,

Connect the output of the signal T1 of described intermediate variable register Reg1 after the 001 input interconnection of each MUX lmux1～lmux4, the output of described signal T1 links to each other with 11 inputs of MUX mux1 in the described first MUX group simultaneously

Connect the output of the signal T2 of described intermediate variable register Reg2 after the 010 input interconnection of each MUX lmux1～lmux4, the output of described signal T2 links to each other with 11 inputs of MUX mux2 in the described first MUX group simultaneously

Connect the output of the signal T3 of described intermediate variable register Reg3 after the 011 input interconnection of each MUX lmux1～lmux4, the output of described signal T3 links to each other with 11 inputs of MUX mux3 in the described first MUX group simultaneously

Connect the output of the signal T4 of described intermediate variable register Reg4 after the 100 inputs interconnection of each MUX lmux1～lmux4, the output of described signal T4 links to each other with 11 inputs of MUX mux4 in the described first MUX group simultaneously

Connect the output of the signal T5 of described intermediate variable register Reg5 after the 101 inputs interconnection of each MUX lmux1～lmux4, the output of described signal T5 links to each other with 11 inputs of MUX mux5 in the described first MUX group simultaneously

Connect the output of the signal T6 of described intermediate variable register Reg6 after the 110 inputs interconnection of each MUX lmux1～lmux4, the output of described signal T6 links to each other with 11 inputs of MUX mux6 in the described first MUX group simultaneously

Connect the output that described mould adds the mould plus signal r_add of device after the 111 inputs interconnection of MUX lmux1, lmux2,

Connect described mould after the 111 inputs interconnection of MUX lmux3, lmux4 and take advantage of the mould of device to take advantage of the output of signal r_mul,

The output signal mul1 of described MUX lmux1, lmux2, mul2 send into two inputs that described mould is taken advantage of device respectively;

The output signal add1 of described MUX lmux3, lmux4, add2 send into two inputs that described mould adds device respectively;

In described first round Δ 1:

Described mould takes advantage of the output r_mul of device to make:

T ₅←T ₃ ²，T ₅←T ₂ ²，T ₂←T ₁ ²，

The output r_add that described mould adds device makes:

T ₅←T ₁+T ₁，T ₂←T ₂+T ₂，T ₁←T ₅+T ₅；

Take turns in the Δ 2 described second:

Described mould takes advantage of the output r_mul of device to make:

T ₂←T ₅ ²，T ₃←T ₂×T ₃，T ₆←T ₁×T ₅，

The output r_add that described mould adds device makes:

T ₄←T ₅+T ₅，T ₁←T ₂+T ₂，T ₁←T ₁+T ₂；

In described third round Δ 3:

Described mould takes advantage of the output r_mul of device to make:

T ₄←T ₂×T ₆，T ₁←T ₄ ²，T ₁←T ₄ ²

The output r_add that described mould adds device makes:

T ₄←T ₅+T ₅，T ₂←T ₆+T ₆；

In described four-wheel Δ 4:

Described mould takes advantage of the output r_mul of device to make:

T ₁←T ₄ ²，T ₁←T ₄ ²，T ₂←T ₄×T ₆，

The output r_add that described mould adds device makes:

T ₄←T ₁+T ₄；

Take turns in the Δ 5 the described the 5th:

Described mould-take advantage of the output r_mul of device to make:

T ₂←T ₁×T ₄，T ₂←T ₁×T ₄，T ₂←T ₁×T ₄，

The output r_add that described mould adds device makes:

T ₆←T ₁+T ₁，T ₁←T ₁-T ₂，T ₄←T ₂-T ₆；

Take turns in the Δ 6 the described the 6th:

The output r_add that described mould adds device makes:

T ₂← T ₄-T ₂, obtain X ₃=T ₁, Y ₃=T ₂, Z ₃=T ₃

Symbol " ← " expression goes to replace the data on the left side with the data on the right.

The big digital-to-analogue that the present invention is based on three grades of flowing water is taken advantage of device, by analyzing the data dependence of elliptic curve cipher point doubling, wherein separate computing is extracted, utilize six intermediate variable registers, reuse mould and taken advantage of device logical block and register cell, improve the doubly arithmetic speed of point, on a basic aspect, improved the arithmetic speed of dot product.

Realize with ASIC on the design's hardware, carry out the behavioral scaling modeling, carry out RTL level coding and emulation with Verilog with Verilog.Finish comprehensively based on the worst technology of SMIC 0.18 μ m, and extract gate delay information, carry out the gate leve simulating, verifying.The result of test shows that compare with existing design, the present invention has improved the throughput of data under the situation that does not increase area.

Table 3 has provided the comparative result of this times some solution and serial scheme.

Table 3 scheme comparative result

Implementation	Times point/clock cycle	Resource
			Serial (ieee standard)	90	1 mould takes advantage of 1 mould of device to add 7 distributors of device
This paper	49	1 mould takes advantage of 1 mould of device to add 6 distributors of device

Description of drawings

Fig. 1 affine coordinate system;

Fig. 2 elliptic curve point adds operation definition;

The definition of Fig. 3 elliptic curve point doubling;

Fig. 4 elliptic curve times point data correlation analysis;

The module multiplier structure of a kind of three grades of flowing water of Fig. 5;

A kind of mould of Fig. 6 adds the device structure;

Fig. 7 elliptic curve is doubly put implementation structure;

Fig. 8 elliptic curve is doubly put realization flow figure.

Embodiment

Thinking of the present invention is: 1) utilize the computing formula that elliptic curve is doubly put under the Jacobi projected coordinate system, carry out data dependence analysis, separate operation is extracted, determine that pipeline series is three grades.2) analyze key operation in the point doubling, it is changed to limit priority, then the operation of lower priority is put into pipelined process successively according to order of operation, make used intermediate variable register number minimum simultaneously.3) take advantage of the required clock periodicity that expends according to the single mould, at the doubly time consumption of point that extracts in general sense at three class pipeline.

Below describe these three thinkings in detail:

1) data dependence analysis of doubly putting:

As shown in table 1, utilize the computing formula that elliptic curve is doubly put under the Jacobi projected coordinate system, the data dependence that analyzes is more doubly distinguished as shown in Figure 4.

Among Fig. 4, be operating as modular multiplication in oval, be operating as the mould add operation in the square frame.Modular multiplication and mould add operation are parallel to be carried out, and calls mould respectively and takes advantage of device and Mo Jia device.Be operating as one deck on the horizontal direction, the operation between each layer inside is separate, does not have data dependency.Then there is data dependency in operation between each layer, must wait the data computation of last layer just can descend the calculating of one deck after finishing.The streamline of secondary and level Four can make that all the utilance of whole streamline is not high.The progression that can be determined streamline by Fig. 4 is three grades, makes the utilance of streamline near 100%.

Describe the doubly data dependence analysis conclusion of point below in detail:

The data dependence analysis figure of point doubly as shown in Figure 4, the separate modular multiplication of the first order is Z ₁ ², Y ₁ ², X ₁ ², the separate mould add operation of the first order is 2Y ₁, 4X ₁The separate modular multiplication in the second level is Z ₁ ⁴, Z ₃=(2Y ₁) Z ₁, (4X ₁) Y ₁ ², the separate mould add operation in the second level is 2Y ₁ ², 3X ₁ ², λ ₂=8X ₁Y ₁ ²The separate modular multiplication of the third level is aZ ₁ ⁴, 4Y ₁ ⁴, the separate mould add operation of the third level is λ ₁=3X ₁ ²+ aZ ₁ ⁴, 8Y ₁ ⁴The separate modular multiplication of the fourth stage is λ ₁ ², λ ₃=4X ₁Y ₁ ²λ ₁, λ ₂=λ ₁X ₃, the separate mould add operation of the fourth stage is X ₃=λ ₁ ²-λ ₂, λ ₄=λ ₃-8Y ₁ ⁴, Y ₃=λ ₄-λ ₂

The mould that is a kind of three grades of flowing water is as shown in Figure 5 taken advantage of the device example.It is input as multiplier X, multiplicand Y, and mode m ode.Respectively to X, Y's first order flowing water encodes to X; Second level flowing water is that partial product is selected and the PPA partial product array compression; Third level flowing water is the compressions of 42 PPA partial product arrays.Wherein two MUX gatings of mode signal controlling are imported the sum result who has still calculated from the outside.

Be illustrated in figure 6 as a kind of mould and add the device example, it is made up of two adders and a CSA, is input as x, y, and n and sel signal are output as z, are that mould adds computing at the sel signal when being high, and the sel signal is that mould subtracts computing when low.

2) times scheduling sequence of point in streamline:

According to 1) analysis determine after the pipeline series.From the computing formula of table 2, crucial operation is X ₃Draw.So need will calculate X ₃Order of operation to be changed to priority the highest.From Fig. 4, find X ₃The path, with the operation on the path be placed on each flowing water before.Then other operation is assigned respectively on streamline, make the flowing water least number of times.In addition, by scheduling and allocation algorithm, the number of middle variable register is optimized, the optimization result who obtains under three class pipeline needs six intermediate variable registers, can finish whole times of point operations.

3) time consumption of doubly putting:

By 2) optimizing process, carry out 1 independent modular multiplication and expend 9 clock cycle, 1 independent mould adds computing and expends 1 clock cycle, the conclusion that draws is to utilize three grades of flowing water, use six intermediate variable registers, can finish point doubling through six fluvial processeses, make the spent clock periodicity C of point doubling and satisfy

C＝49 (8)

According to above three thinkings, the present invention proposes the doubly realization of point of concrete elliptic curve cipher, be illustrated in figure 7 as the hardware chart that elliptic curve is doubly put realization, comprise that register and mould take advantage of device and mould to add being connected of device.

The register controller of doubly putting among Fig. 7 is a finite state machine, it be input as commencing signal Start and clock Clk, control signal C1, C2, C3, C4, C5, C6 that output is 2 bits control MUX mux1, mux2, mux3, mux4, mux5, mux6 respectively.Doubly put register controller each clock cycle after Start is effective and all export different C1_C2_C3_C4_C5_C6 combinations.C1, C2, C3, C4, the occurrence of C5, C6 each clock cycle after Start is effective are shown in C1_C2_C3_C4_C5_C6 among Fig. 8.

The multichannel selection control of doubly putting among Fig. 7 is a finite state machine, it be input as commencing signal Start and clock Clk, output is control signal CL1, CL2, CL3, the CL4 of 3 bits, control MUX lmux1, lmux2, lmux3, lmux4 respectively, doubly put multichannel selection control each clock cycle after Start is effective and all export different CL1_CL2_CL3_CL4 combinations.The occurrence of CL1, CL2, CL3, CL4 each clock cycle after Start is effective is shown in C1_C2_C3_C4_C5_C6 among Fig. 8.

There are 6 intermediate variable registers to be respectively Reg1, Reg2, Reg3, Reg4, Reg5, Reg6 among Fig. 7, are used for depositing results of intermediate calculations.They have a public input signal is clock Clk.In addition Reg1 also has input signal D1, output signal T1, and wherein D1 is the output of MUX mux1; Reg2 also has input signal D2, output signal T2, and wherein D2 is the output of MUX mux2; Reg3 also has input signal D3, output signal T3, and wherein D3 is the output of MUX mux3; Reg4 also has input signal D4, output signal T4, and wherein D4 is the output of MUX mux4; Reg5 also has input signal D5, output signal T5, and wherein D5 is the output of MUX mux5; Reg6 also has input signal D6, output signal T6, and wherein D6 is the output of MUX mux6.

MUX mux1 among Fig. 7, mux2, mux3, mux4, mux5, mux6 are used for the input signal of gating intermediate variable register Reg1, Reg2, Reg3, Reg4, Reg5, Reg6 respectively.They are 4 inputs, 1 output, have two public input signals to be respectively r_mul and r_add, and wherein r_mul is the output that mould is taken advantage of device, and r_add is the output that mould adds device.In addition, mux1 also has input signal X1, output signal D1, and wherein X1 is used for initialization register T1, and D1 is the input of register Reg1; Mux2 also has input signal Y 1, output signal D2, and wherein Y1 is used for initialization register T2, and D2 is the input of register Reg2; Mux3 also has input signal Z1, output signal D3, and wherein Z1 is used for initialization register T3, and D3 is the input of register Reg3; Mux4 also has input signal constant 1, output signal D4, and wherein constant 1 is used for initialization register T4, and D4 is the input of register Reg4; Mux5 also has input signal constant 1, output signal D5, and wherein constant 1 is used for initialization register T5, and D5 is the input of register Reg5; Mux6 also has input signal a, output signal D6, and wherein a is used for initialization register T6, and D6 is the input of register Reg6.

4 MUX lmux1, lmux2, lmux3, lmux4 are 8 inputs, 1 output among Fig. 7, and wherein lmux1, lmux2 are used for the gating mould respectively and take advantage of the multiplier and the multiplicand of device, mux3, lmux4 to be used for the gating mould respectively to add the addend and the summand of device.T1～T6 is the output of six intermediate variable registers, and 1 is constant.Mould is taken advantage of the mul1 that is input as of device, and mul2 is output as r_mul; Mould adds the add1 that is input as of device, and add2 is output as r_add; MUX lmux1 be input as 1, T1, T2, T3, T4, T5, T6, r_add, be output as mul1; MUX lmux2 be input as 1, T1, T2, T3, T4, T5, T6, r_add, be output as mul2; MUX lmux3 is input as r_add, T1, T2, T3, T4, T5, T6, r_mul, is output as add1; MUX lmux4 is input as r_add, T1, T2, T3, T4, T5, T6, r_mul, is output as add2;

According to the doubly streamline realization flow of point shown in Figure 8, its concrete steps are described as follows:

Make the intermediate variable register be respectively T ₁～T ₆, make R=(X ₃, Y ₃, Z ₃), P=(X ₁, Y ₁, Z ₁), promptly calculate R=2P.

Step (1). initial phase:

Middle variable register is carried out initialization, T ₁← X ₁, T ₂←, Y ₁T ₃← Z ₁, T ₄← 1, T ₅← 1, T ₆← a, wherein a is the coefficient in the elliptic curve;

Step (2). carry out fluvial processes the 1st time, take advantage of device to carry out T successively for mould ₅← T ₃ ², T ₅← T ₂ ², T ₂← T ₁ ², add device for mould and carry out T successively ₅← T ₁+ T ₁, T ₂← T ₂+ T ₂, T ₁← T ₅+ T ₅, it is 9 that each modular multiplication expends the clock cycle, each mould adds computing, and to expend the clock cycle be 1.Take advantage of device for mould, at two multiplier T of the 1st rising edge clock input of this time flowing water ₃And T ₃, before the 10th rising edge clock, upgrade T ₅, at two multiplier T of the 2nd rising edge clock input ₂And T ₂, before the 11st rising edge clock, upgrade T ₅, at two multiplier T of the 3rd rising edge clock input ₁And T ₁, before the 12nd rising edge clock, upgrade T ₂Take advantage of device invalid from the 4th input for mould to the 9th rising edge clock.Add device for mould, at two addend T of the 1st rising edge clock input of this time flowing water ₁And T ₁, before the 2nd rising edge clock, upgrade T ₅, at two addend T of the 2nd rising edge clock input ₂And T ₂, before the 3rd rising edge clock, upgrade T ₂, at two addend T of the 3rd rising edge clock input ₅And T ₅, before the 4th rising edge clock, upgrade T ₁

Step (3). carry out fluvial processes the 2nd time, take advantage of device to carry out T successively for mould ₂← T ₅ ², T ₃← T ₂* T ₃, T ₆← T ₁* T ₅, add device for mould and carry out 0 ← 0+0, T successively ₄← T ₅+ T ₅, T ₁← T ₂+ T ₂, T ₁← T ₁+ T ₂, wherein on behalf of mould, 0 ← 0+0 take advantage of device not carry out any operation;

Step (4). carry out fluvial processes the 3rd time, take advantage of device to carry out T successively for mould ₄← T ₂* T ₆, T ₁← T ₄ ², T ₁← T ₄ ², add device for mould and carry out T successively ₄← T ₅+ T ₅, 0 ← 0+0, T ₂← T ₆+ T ₆

Step (5). carry out the 4th fluvial processes, take advantage of device to carry out T successively for mould ₁← T ₄ ², T ₁← T ₄ ², T ₂← T ₄* T ₆, add device for mould and carry out T successively ₄← T ₁+ T ₄, 0 ← 0+0,0 ← 0+0;

Step (6). carry out the 5th fluvial processes, take advantage of device to carry out T successively for mould ₂← T ₁* T ₄, T ₂← T ₁* T ₄, T ₂← T ₁* T ₄, add device for mould and carry out T successively ₆← T ₁+ T ₁, T ₁← T ₁-T ₂, T ₄← T ₂-T ₆

Step (7). mould takes advantage of device to quit work, and adds device for mould and carries out 0 ← 0+0,0 ← 0+0, T successively ₂← T ₄-T ₂, X is arranged afterwards ₃=T ₁, Y ₃=T ₂, Z ₃=T ₃, doubly point calculates and finishes.

Claims (1)

1. be used for times dot system of elliptic curve cryptosystem, it is characterized in that: this times dot system adopts the ASIC flow process to realize in the special digital integrated circuit (IC) chip.Contain: doubly put register controller; Doubly put the multichannel selection control; The first MUX group is made of six MUX mux1, mux2, mux3, mux4, mux5, mux6; The intermediate variable registers group is made of six intermediate variable register Reg1, Reg2, Reg3, Reg4, Reg5, Reg6; The second multichannel selection control is made of four MUX lmux1, lmux2, lmux3, lmux4, wherein:

Described times of some register controller, it is a finite state machine, the form of being input as is 010101 ... and duty ratio is 1: 1 square wave clock signal Clk, and the effective commencing signal Start of low level, be output as six operating control signal that is 2 bits separately: C1, C2, C3, C4, C5, C6, described times of some register controller pressed the combination that timeticks is exported different each operating control signals of C1_C2_C3_C4_C5_C6 in following each wheel at each clock in the effective back of commencing signal:

During initialization, make each intermediate variable register be respectively:

Reg1←X ₁，Reg2←Y ₁，Reg3←Z ₁，Reg4←1，Reg5←1，Reg6←a，

(X ₁, Y ₁, Z ₁) be the coordinate of the some P on the elliptic curve under the Jacobi projection coordinate,

1 is constant,

A is prime field elliptic curve equation E:y ²=x ³Parameter a among the+ax+b (mod p),

Order: R=2P, the coordinate of some R is (X ₃, Y ₃, Z ₃),

Each operating control signal is 00 among the C1_C2_C3_C4_C5_C6, omits the sign of each operating control signal in the following description;

In the first round Δ 1:

In the 1st clock cycle, operating control signal is 11_11_11_11_10_11,

In the 2nd clock cycle, operating control signal is 11_10_11_11_11_11,

In the 3rd clock cycle, operating control signal is 10_11_11_11_11_11,

In the 4th～the 8th clock cycle, operating control signal is 11_11_11_11_11_11,

In the 9th clock cycle, operating control signal is 11_11_11_11_01_11;

Second takes turns in the Δ 2:

In the 10th clock cycle, operating control signal is 11_11_11_11_01_11,

In the 11st clock cycle, operating control signal is 11_01_11_10_11_11,

In the 12nd clock cycle, operating control signal is 10_11_11_11_11_11,

In the 13rd clock cycle, operating control signal is 11_11_11_11_11_11,

In the 14th clock cycle, operating control signal is 10_11_11_11_11_11,

In the 15th～the 17th clock cycle, operating control signal is 11_11_11_11_11_11,

In the 18th clock cycle, operating control signal is 11_01_11_11_11_11;

In the third round Δ 3:

In the 19th clock cycle, operating control signal is 11_11_01_11_11_11,

In the 20th clock cycle, operating control signal is 11_11_11_11_11_01,

In the 21st clock cycle, operating control signal is 11_10_11_11_11_11,

In the 22nd～the 26th clock cycle, operating control signal is 11_11_11_11_11_11,

In the 27th clock cycle, operating control signal is 11_11_11_01_11_11;

In the four-wheel Δ 4:

In the 28th clock cycle, operating control signal is 01_11_11_10_11_11,

In the 29th～the 36th clock cycle, operating control signal is 11_11_11_11_11_11;

The 5th takes turns in the Δ 5:

In the 37th clock cycle, operating control signal is 01_11_11_11_11_10,

In the 38th clock cycle, operating control signal is 10_01_11_11_11_11,

In the 39th clock cycle, operating control signal is 11_11_11_10_11_11,

In the 40th～the 45th clock cycle, operating control signal is 11_11_11_11_11_11;

The 6th takes turns in the Δ 6:

In the 46th clock cycle, operating control signal is 11_11_11_11_11_11,

In the 47th clock cycle, operating control signal is 11_01_11_11_11_11,

In the 48th clock cycle, operating control signal is 11_10_11_11_11_11;

Described times of some multichannel selection control, it is a finite state machine, be input as described commencing signal Start, described clock signal C lk, output is the gating control signal of 3 bits: CL1, CL2, CL3, CL4, in described times of some multichannel selection control each wheel after described commencing signal Start is effective, the combination of all exporting different gating control signal CL1, CL2, CL3, CL4 in following each clock cycle;

When described initialization, each gating control signal is 000 among the CL1_CL2_CL3_CL4, omits the sign of each gating control signal afterwards in the narration;

In described first round Δ 1:

In described the 1st clock cycle, the gating control signal is 011_011_001_001,

In described the 2nd clock cycle, the gating control signal is 010_010_010_010,

In described the 3rd clock cycle, the gating control signal is 001_001_101_101,

In described the 4th～the 9th clock cycle, the gating control signal is 000_000_000_000;

Take turns in the Δ 2 described second:

In described the 10th clock cycle, the gating control signal is 000_000_000_000,

In described the 11st clock cycle, the gating control signal is 010_011_111_111,

In described the 12nd clock cycle, the gating control signal is 001_101_111_111,

In described the 13rd clock cycle, the gating control signal is 000_000_000_000,

In described the 14th clock cycle, the gating control signal is 000_000_001_010,

In described the 15th～the 18th clock cycle, the gating control signal is 000_000_000_000;

In described third round Δ 3:

In described the 19th clock cycle, the gating control signal is 110_000_000_000,

In described the 20th clock cycle, the gating control signal is 100_100_000_000,

In described the 21st clock cycle, the gating control signal is 110_110_111_111,

In described the 22nd～the 27th clock cycle, the gating control signal is 000_000_000_000;

In described four-wheel Δ 4:

In described the 28th clock cycle, the gating control signal is 000_000_001_111,

In described the 29th clock cycle, the gating control signal is 111_111_000_000,

In described the 30th clock cycle, the gating control signal is 100_110_000_000,

In described the 31st～the 36th clock cycle, the gating control signal is 000_000_000_000;

Take turns in the Δ 5 the described the 5th:

In described the 37th clock cycle, the gating control signal is 000_000_001_001,

In described the 38th clock cycle, the gating control signal is 000_000_111_010,

In described the 39th clock cycle, the gating control signal is 111_100_111_110,

In described the 40th～the 45th clock cycle, the gating control signal is 000_000_000_000;

Take turns in the Δ 6 the described the 6th:

In described the 46th clock cycle, the gating control signal is 000_000_000_000,

In described the 47th clock cycle, the gating control signal is 000_000_000_000,

In described the 48th clock cycle, the gating control signal is 000_000_100_111;

The described first MUX group, wherein:

Each MUX mux1～mux6 selection signal input part separately successively links to each other with each operating control signal output of described times of some register controller respectively successively, imports each operating control signal C1～C6 respectively,

Each MUX mux1～mux6 00 end is separately successively imported X successively ₁, Y ₁, Z ₁, 1,1, a,

Each MUX mux1～mux6 mould multiplier separately according to input 01 jointly with described times of dot circuit system outside mould take advantage of the mould multiplier of device to link to each other according to the r_mul output,

Each MUX mux1～mux6 mould separately add data input 10 jointly with described times of dot circuit system outside the mould mould that adds device add data r_add output and link to each other;

Described intermediate variable registers group, wherein:

The first input end that each intermediate variable register is deposited Reg1～Reg6 successively links to each other with the output of signal D1, the D2 of described each MUX mux1～mux6, D3, D4, D5, D6 respectively successively, connects the output of clock signal C lk after second input of described Reg1～Reg6 interconnects;

The described second MUX group, wherein:

Each MUX lmux1～lmux4 selection signal input part separately successively links to each other with each gating control signal output ends of described times of some multichannel selection control respectively successively, imports each gating control signal CL1～CL4 respectively,

Connect described constant 1 after the 000 input interconnection of MUX lmux1, lmux2,

Connect the output that described mould adds the mould plus signal r_add of device after the 000 input interconnection of MUX lmux3, lmux4,

Connect the output of the signal T1 of described intermediate variable register Reg1 after the 001 input interconnection of each MUX lmux1～lmux4, the output of described signal T1 links to each other with 11 inputs of MUX mux1 in the described first MUX group simultaneously

Connect the output of the signal T2 of described intermediate variable register Reg2 after the 010 input interconnection of each MUX lmux1～lmux4, the output of described signal T2 links to each other with 11 inputs of MUX mux2 in the described first MUX group simultaneously

Connect the output of the signal T3 of described intermediate variable register Reg3 after the 011 input interconnection of each MUX lmux1～lmux4, the output of described signal T3 links to each other with 11 inputs of MUX mux3 in the described first MUX group simultaneously

Connect the output of the signal T4 of described intermediate variable register Reg4 after the 100 inputs interconnection of each MUX lmux1～lmux4, the output of described signal T4 links to each other with 11 inputs of MUX mux4 in the described first MUX group simultaneously

Connect the output of the signal T5 of described intermediate variable register Reg5 after the 101 inputs interconnection of each MUX lmux1～lmux4, the output of described signal T5 links to each other with 11 inputs of MUX mux5 in the described first MUX group simultaneously

Connect the output of the signal T6 of described intermediate variable register Reg6 after the 110 inputs interconnection of each MUX lmux1～lmux4, the output of described signal T6 links to each other with 11 inputs of MUX mux6 in the described first MUX group simultaneously

Connect the output that described mould adds the mould plus signal r_add of device after the 111 inputs interconnection of MUX lmux1, lmux2,

Connect described mould after the 111 inputs interconnection of MUX lmux3, lmux4 and take advantage of the mould of device to take advantage of the output of signal r_mul,

The output signal mul1 of described MUX lmux1, lmux2, mul2 send into two inputs that described mould is taken advantage of device respectively;

The output signal add1 of described MUX lmux3, lmux4, add2 send into two inputs that described mould adds device respectively;

In described first round Δ 1:

Described mould takes advantage of the output r_mul of device to make:

T ₅←T ₃ ²，T ₅←T ₂ ²，T ₂←T ₁ ²，

The output r_add that described mould adds device makes:

T ₅←T ₁+T ₁，T ₂←T ₂+T ₂，T ₁←T ₅+T ₅；

Take turns in the Δ 2 described second:

Described mould takes advantage of the output r_mul of device to make:

T ₂←T ₅ ²，T ₃←T ₂×T ₃，T ₆←T ₁×T ₅，

The output r_add that described mould adds device makes:

T ₄←T ₅+T ₅，T ₁←T ₂+T ₂，T ₁←T ₁+T ₂；

In described third round Δ 3:

Described mould takes advantage of the output r_mul of device to make:

T ₄←T ₂×T ₆，T ₁←T ₄ ²，T ₁←T ₄ ²，

The output r_add that described mould adds device makes:

T ₄←T ₅+T ₅，T ₂←T ₆+T ₆；

In described four-wheel Δ 4:

Described mould takes advantage of the output r_mul of device to make:

T ₁←T ₄ ²，T ₁←T ₄ ²，T ₂←T ₄×T ₆，

The output r_add that described mould adds device makes:

T ₄←T ₁+T ₄；

Take turns in the Δ 5 the described the 5th:

Described mould takes advantage of the output r_mul of device to make:

T ₂←T ₁×T ₄，T ₂←T ₁×T ₄，T ₂←T ₁×T ₄，

The output r_add that described mould adds device makes:

T ₆←T ₁+T ₁，T ₁←T ₁-T ₂，T ₄←T ₂-T ₆；

Take turns in the Δ 6 the described the 6th:

The output r_add that described mould adds device makes:

T ₂← T ₄-T ₂, obtain X ₃=T ₁, Y ₃=T ₂, Z ₃=T ₃

Symbol " ← " expression goes to replace the data on the left side with the data on the right.

Images