CN107896142A - Method and device for executing modular exponentiation, and computer-readable storage medium - Google Patents

Info

Publication number: CN107896142A (other version: CN107896142B)
Authority: CN (China)
Application number: CN201710942868.7A
Other languages: Chinese (zh)
Inventors: 雷翻翻, 李峰, 刘利飞, 雷黎丽, 倪洁
Original and current assignee: Datang Microelectronics Technology Co Ltd
Priority and filing date: 2017-10-11
Publication date: 2018-04-10 (CN107896142A); granted as CN107896142B on 2021-04-13
Legal status: Active (granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H04L9/004 Countermeasures against attacks on cryptographic mechanisms for fault attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72 Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/727 Modulo N arithmetic, with N being either (2**n)-1, 2**n or (2**n)+1, e.g. mod 3, mod 4 or mod 5

Abstract

This application discloses a method and device for executing modular exponentiation, and a computer-readable storage medium. The method includes: obtaining the base g, the exponent d, the modulus q and the window w; expressing the exponent d in radix-m representation, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0; allocating space for the precomputation variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, ..., m, and assigning the base g to the result variable A; for i from 0 to l-2, cyclically assigning the product of the precomputation variable selected by digit d_i and the result variable A back to that precomputation variable, and cyclically assigning A^m to the result variable A; assigning the final product expression to the result variable A; and assigning the product of the result variable A and the base g to the result variable A. By performing a modular squaring and a modular multiplication in every step of the computation, the application achieves complete resistance to SPA attacks; by eliminating dummy operations from the entire modular exponentiation, it achieves resistance to FA attacks; and by setting the window w, it achieves a faster computation speed.

Description

Method and device for executing modular exponentiation, and computer-readable storage medium
Technical field
The present invention relates to, but is not limited to, the field of information security technology, and in particular to a method and device for executing modular exponentiation, and a computer-readable storage medium.
Background
With the development of computer technology and the continuing rise in the degree of informatization of society, information security problems receive more and more attention. When the RSA public-key algorithm, the SM9 identity-based cryptographic algorithm or other cryptographic algorithms are implemented on an embedded single chip, modular exponentiation is used. Modular exponentiation is the computation m = g^d (mod q), where g is the base, d is the exponent, q is the modulus and m is the result. In these public-key cryptosystems there is always some exponent d in the modular exponentiation that must be kept strictly secret: in RSA, when d is the private key it must be kept strictly secret; in the SM9 signature algorithm, if an attacker can obtain the exponent of the modular exponentiation, the user's private key can be derived from it together with the SM9 signature result.
Side-channel attacks and fault attacks (Fault Attack) are two representative and powerful attack methods against chips that have been proposed in recent years. Simple power analysis (Simple Power Analysis, SPA) is a side-channel attack technique in which the attacker derives security information about secret data directly by simply observing the power-consumption profile of the operations on that data. The premise of power-analysis attacks is that the power-consumption profile is correlated with the instructions the device executes and with the values of the operands being processed, so inspecting the power profile can expose information about the instruction being executed and the data in the registers. The basic principle of fault attacks is to use fault-injection means (such as clock glitches, laser irradiation, electromagnetic pulses, etc.) to cause a transient logic error in the chip while the cryptographic algorithm is executing; by analysing the correct and the faulty encryption results, the attacker obtains the secret data inside the chip. For example, if a fault is injected during SM9/SM2 encryption and the attacker can obtain the random number, the key that actually encrypts the message can be derived from the SM9/SM2 encryption result, and the real message is then obtained.
At present, the main idea of SPA-resistant modular exponentiation methods is to make the program's execution path fixed or randomized. Typical methods are: the binary method with dummy operations, the Montgomery ladder, Joye's square-multiply ladder and Joye's improved binary method. Analysis shows that in the binary method with dummy operations, the Montgomery ladder and Joye's square-multiply ladder, a modular multiplication and a modular squaring are performed whether the key bit is 0 or 1; if a fault is injected into the modular multiplication and that multiplication is a dummy operation, the result is still correct and the corresponding key bit is 0, otherwise it is 1. Therefore the existing binary method with dummy operations, the Montgomery ladder and Joye's square-multiply ladder cannot resist FA attacks. In Joye's improved binary method the precomputation involves the lowest bit of the key, so there is information leakage, that is, Joye's improved binary method cannot completely resist SPA attacks. Furthermore, it should be noted that these modular exponentiation methods usually sacrifice efficiency, so their computational efficiency is relatively low.
Summary of the invention
To solve the above technical problem, the invention provides a method and device for executing modular exponentiation, and a computer-readable storage medium, which make the modular exponentiation completely resistant to SPA attacks and resistant to FA attacks, and improve the computational efficiency of the algorithm.
To achieve the object of the invention, the technical scheme of the embodiments of the invention is realized as follows:
An embodiment of the invention provides a method for executing modular exponentiation, including:
obtaining the base g, the exponent d, the modulus q and the window w;
expressing the exponent d in radix-m representation, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0;
allocating space for the precomputation variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, ..., m, and assigning the base g to the result variable A;
for i from 0 to l-2, cyclically assigning the product of the precomputation variable selected by digit d_i and the result variable A back to that precomputation variable, and cyclically assigning A^m to the result variable A;
assigning the final product expression to the result variable A, where · is the multiplication sign and ∏ is the product operator;
assigning the product of the result variable A and the base g to the result variable A.
Further, assigning the final product expression to the result variable A specifically includes:
assigning the precomputation variable R_m to a first intermediate variable B;
for i from m-1 down to 2, cyclically assigning the product of the precomputation variables R_i and R_{i+1} to R_i, and cyclically assigning the product of the first intermediate variable B and the precomputation variable R_i to the first intermediate variable B;
assigning the product of the precomputation variables R_1 and R_2 to R_1;
assigning the resulting expression to the result variable A.
Further, assigning that expression to the result variable A specifically includes:
assigning the product of the result variable A and the precomputation variable R_1 to A;
checking whether the result of (d_{l-1} − 1) >> (w − 1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q; if false, assigning the precomputation variable R_1 to the second intermediate variable Q;
for i from w-1 down to 1, cyclically assigning Q^2 to the second intermediate variable Q, and checking whether the result of (d_{l-1} − 1) >> (i − 1) is true; if true, assigning the product of the second intermediate variable Q and A to the second intermediate variable Q; if false, assigning the product of the second intermediate variable Q and the precomputation variable R_1 to the second intermediate variable Q;
assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
An embodiment of the invention also provides a computer-readable storage medium on which a program for executing modular exponentiation is stored; when executed by a processor, the program implements the steps of the method for executing modular exponentiation described in any of the items above.
An embodiment of the invention also provides a device for executing modular exponentiation, including an acquiring unit, a coding unit and a computing unit, wherein:
the acquiring unit obtains the base g, the exponent d, the modulus q and the window w, outputs the values of the exponent d and the window w to the coding unit, and outputs the base g, the modulus q and the window w to the computing unit;
the coding unit expresses the exponent d in radix-m representation, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, and outputs the values of d_i, l and m to the computing unit;
the computing unit allocates space for the precomputation variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, ..., m, and assigns the base g to the result variable A; for i from 0 to l-2, cyclically assigns the product of the precomputation variable selected by digit d_i and the result variable A back to that precomputation variable, and cyclically assigns A^m to the result variable A; assigns the final product expression to the result variable A, where · is the multiplication sign and ∏ is the product operator; and assigns the product of the result variable A and the base g to the result variable A.
Further, the computing unit assigning the final product expression to the result variable A includes:
assigning the precomputation variable R_m to a first intermediate variable B;
for i from m-1 down to 2, cyclically assigning the product of the precomputation variables R_i and R_{i+1} to R_i, and cyclically assigning the product of the first intermediate variable B and the precomputation variable R_i to the first intermediate variable B;
assigning the product of the precomputation variables R_1 and R_2 to R_1;
assigning the resulting expression to the result variable A.
Further, the computing unit assigning that expression to the result variable A includes:
assigning the product of the result variable A and the precomputation variable R_1 to A;
checking whether the result of (d_{l-1} − 1) >> (w − 1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q; if false, assigning the precomputation variable R_1 to the second intermediate variable Q;
for i from w-1 down to 1, cyclically assigning Q^2 to the second intermediate variable Q, and checking whether the result of (d_{l-1} − 1) >> (i − 1) is true; if true, assigning the product of the second intermediate variable Q and A to the second intermediate variable Q; if false, assigning the product of the second intermediate variable Q and the precomputation variable R_1 to the second intermediate variable Q;
assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
The technical scheme of the invention has the following advantages:
The method and device for executing modular exponentiation and the computer-readable storage medium provided by the invention achieve complete resistance to SPA attacks by performing a modular squaring and a modular multiplication in every step of the computation; by eliminating dummy operations from the entire modular exponentiation they achieve resistance to FA attacks and thus higher security; and by setting the window w the invention has a faster computation speed and is applicable not only to software implementations but also to hardware implementations.
Brief description of the drawings
The accompanying drawings described here are provided to give a further understanding of the invention and form part of this application; the schematic embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flow chart of a method for executing modular exponentiation according to an embodiment of the invention;
Fig. 2 is a schematic structural diagram of a device for executing modular exponentiation according to an embodiment of the invention.
Detailed description
To make the objects, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in detail below with reference to the drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other.
The derivation of the modular exponentiation computation is as follows:
First, d is rewritten in radix-m form, with 0 ≤ d_i < m and d_{l-1} ≠ 0.
Thus d can be encoded and written as
where
Therefore g^d = g · g^{d-1}, and g^{d-1} is computed as follows:
where the factors are defined as above. The following steps compute these factors; in detail:
1. set A = g and R_j = 1;
2. for j = 0 to l-2, perform
2.1 multiply the precomputation variable selected by the current digit by A and store the product back into it;
2.2 A = A^m.
From this it follows that:
As shown in Fig. 1, a method for executing modular exponentiation according to the invention includes the following steps:
Step 101: obtain the base g, the exponent d, the modulus q and the window w;
Step 102: express the exponent d in radix-m representation, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, and ≠ is the not-equal sign;
Step 103: allocate space for the precomputation variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, ..., m, and assign the base g to the result variable A;
Step 104: for i from 0 to l-2, cyclically assign the product of the precomputation variable selected by digit d_i and the result variable A back to that precomputation variable, and cyclically assign A^m to the result variable A, the step size of each loop iteration being 1;
Step 105: assign the final product expression to the result variable A, where · is the multiplication sign and ∏ is the product operator;
Step 106: assign the product of the result variable A and the base g to the result variable A.
Because step 105 is relatively complicated to implement and its implementation overhead is large, the invention optimizes the implementation of step 105: the expression of step 105 is converted into an equivalent form that both resists SPA attacks and reduces the computational complexity.
The derivation is as follows:
The following steps 1-3 compute the product expression and R_m · R_{m-1} · … · R_2 · R_1:
1. set B = R_m;
2. for i = m-1 down to 2, perform
2.1 R_i = R_i · R_{i+1}
2.2 B = B · R_i
3. R_1 = R_1 · R_2 (from step 2, R_2 = R_m · R_{m-1} · … · R_2)
where, after these steps, R_1 = R_m · R_{m-1} · … · R_1; from this it follows that
Further, assigning the expression of step 105 to the result variable A specifically includes:
Step 1051) assign the precomputation variable R_m to a first intermediate variable B;
Step 1052) for i from m-1 down to 2, cyclically assign the product of the precomputation variables R_i and R_{i+1} to R_i, and cyclically assign the product of the first intermediate variable B and the precomputation variable R_i to the first intermediate variable B, the step size of each loop iteration being 1;
Step 1053) assign the product of the precomputation variables R_1 and R_2 to R_1 (from step 1052, R_2 = R_m · R_{m-1} · … · R_2);
Step 1054) assign the resulting expression to the result variable A.
Because step 1054 is still relatively complicated to implement, its implementation is optimized again: the computation of step 1054 can be converted into an equivalent form.
The derivation is as follows:
1. compute the expression as detailed below, and assign the result to Q;
2. compute Q · B and assign the result to A.
Further, assigning the expression of step 1054 to the result variable A specifically includes:
10541) assign the product of the result variable A and the precomputation variable R_1 to A;
10542) check whether the result of (d_{l-1} − 1) >> (w − 1) is true, where >> is the right-shift operator; if true, assign the result variable A to a second intermediate variable Q; if false, assign the precomputation variable R_1 to the second intermediate variable Q;
10543) for i from w-1 down to 1, cyclically assign the square Q^2 of the second intermediate variable Q to Q, and check whether the result of (d_{l-1} − 1) >> (i − 1) is true; if true, assign the product of the second intermediate variable Q and A to the second intermediate variable Q; if false, assign the product of the second intermediate variable Q and the precomputation variable R_1 to the second intermediate variable Q, the step size of each loop iteration being 1;
10544) assign the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
The invention also discloses a computer-readable storage medium on which a program for executing modular exponentiation is stored; when executed by a processor, the program implements the steps of the method for executing modular exponentiation described in any of the items above.
As shown in Fig. 2, a device for executing modular exponentiation according to the invention includes an acquiring unit 201, a coding unit 202 and a computing unit 203, wherein:
the acquiring unit 201 obtains the base g, the exponent d, the modulus q and the window w, outputs the values of the exponent d and the window w to the coding unit 202, and outputs the base g, the modulus q and the window w to the computing unit 203;
the coding unit 202 expresses the exponent d in radix-m representation, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, and outputs the values of d_i, l and m to the computing unit 203;
the computing unit 203 allocates space for the precomputation variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, ..., m, and assigns the base g to the result variable A; for i from 0 to l-2, cyclically assigns the product of the precomputation variable selected by digit d_i and the result variable A back to that precomputation variable, and cyclically assigns A^m to the result variable A; assigns the final product expression to the result variable A, where · is the multiplication sign and ∏ is the product operator; and assigns the product of the result variable A and the base g to the result variable A.
Further, the computing unit 203 assigning the final product expression to the result variable A includes:
assigning the precomputation variable R_m to a first intermediate variable B;
for i from m-1 down to 2, cyclically assigning the product of the precomputation variables R_i and R_{i+1} to R_i, and cyclically assigning the product of the first intermediate variable B and the precomputation variable R_i to the first intermediate variable B;
assigning the product of the precomputation variables R_1 and R_2 to R_1;
assigning the resulting expression to the result variable A.
Further, the computing unit 203 assigning that expression to the result variable A includes:
assigning the product of the result variable A and the precomputation variable R_1 to A;
checking whether the result of (d_{l-1} − 1) >> (w − 1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q; if false, assigning the precomputation variable R_1 to the second intermediate variable Q;
for i from w-1 down to 1, cyclically assigning the square Q^2 of the second intermediate variable Q to Q, and checking whether the result of (d_{l-1} − 1) >> (i − 1) is true; if true, assigning the product of the second intermediate variable Q and A to the second intermediate variable Q; if false, assigning the product of the second intermediate variable Q and the precomputation variable R_1 to the second intermediate variable Q;
assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
The SM9 algorithm involves bilinear pairings, elliptic-curve scalar multiplication (over the prime field and the quadratic extension field), and modular exponentiation over the 12th-degree extension field. The core idea of the SPA resistance of the invention is to eliminate conditional jumps, that is, unpaired if...else branches, from the modular exponentiation when it is implemented over the 12th-degree extension field; the invention uses the left-to-right binary method to compute the expression, so that in every step of the computation one modular squaring and one modular multiplication are performed, and therefore SPA attacks are completely resisted. The core idea of the FA resistance is to eliminate dummy operations from the modular exponentiation over the 12th-degree extension field: no dummy operation exists in the entire modular exponentiation, so FA attacks are resisted and security is higher, and an attacker cannot infer the value of any single bit of the secret exponent from the execution of the extension-field modular exponentiation. The invention thus prevents information about the exponent from being obtained by analysing the power profile of the modular exponentiation and has strong resistance to SPA and FA attacks; by setting the size of the window w it has a faster computation speed, and it is applicable not only to software implementations but also to hardware implementations.
Those of ordinary skill in the art will understand that all or part of the steps of the above method can be completed by a program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or part of the steps of the above embodiments may be implemented with one or more integrated circuits; correspondingly, each module/unit in the above embodiments may be implemented in hardware or as a software functional module. The invention is not restricted to any particular combination of hardware and software.
The foregoing is only the preferred embodiments of the invention and is not intended to limit it; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the invention shall be included in its scope of protection.
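As an added example (not the patent's own code), the following Python implements steps 101 to 106 with the refinements of steps 1051 to 1054 and 10541 to 10544, and records the sequence of modular squarings and multiplications to show the fixed operation pattern described above. Because the formula images are missing from the page, three points are assumptions: the precomputation variable selected in step 104 is R_{d_i+1}, the shift tests in steps 10542 and 10543 examine one bit of d_{l-1} − 1, and the arithmetic is over integers modulo q rather than the 12th-degree extension field.

```python
"""Fixed-window modular exponentiation without dummy operations, following the
steps of CN107896142A. Added example; the index R_{d_i+1}, the single-bit
reading of the shift tests and the integer-mod-q arithmetic are assumptions
(the formula images are missing from the page). The result is g^d mod q."""


def digits_base_m(d, w):
    """Radix-m digits d_0..d_{l-1} of d (least significant first), m = 2^w."""
    if d < 1:
        raise ValueError("exponent d must be >= 1")
    m = 1 << w
    digs = []
    while d:
        digs.append(d & (m - 1))
        d >>= w
    return digs  # the leading digit d_{l-1} is never 0


def encode_exponent(d, w):
    """Reconstructed zero-free encoding of d-1 (assumption, see lead-in):
    d-1 = sum_{i=0}^{l-2} (d_i + m - 1) m^i + (d_{l-1} - 1) m^{l-1}.
    Every low digit is at least m-1 >= 1, so no multiplication is skipped.
    Returns (low digits, leading digit e) after checking the identity."""
    m = 1 << w
    digs = digits_base_m(d, w)
    low = [di + m - 1 for di in digs[:-1]]
    e = digs[-1] - 1
    total = sum(c * m ** i for i, c in enumerate(low)) + e * m ** (len(digs) - 1)
    assert total == d - 1
    return low, e


class OpTrace:
    """Modular arithmetic that records the operations performed:
    'S' for a modular squaring, 'M' for a modular multiplication."""

    def __init__(self, q):
        self.q = q
        self.ops = []

    def mul(self, x, y):
        self.ops.append("M")
        return (x * y) % self.q

    def sqr(self, x):
        self.ops.append("S")
        return (x * x) % self.q


def modexp_windowed(g, d, q, w):
    """Return (g^d mod q, operation trace) using the patent's procedure."""
    t = OpTrace(q)
    m = 1 << w
    digs = digits_base_m(d, w)
    l = len(digs)
    # Step 103: R_1..R_m = 1 (index 0 unused so R[i] is R_i), A = g.
    R = [1] * (m + 1)
    A = g % q
    # Step 104: for i = 0..l-2, R_{d_i+1} <- R_{d_i+1} * A, then A <- A^m.
    # A^m is w squarings, so every iteration costs exactly 1 M + w S.
    for i in range(l - 1):
        j = digs[i] + 1
        R[j] = t.mul(R[j], A)
        for _ in range(w):
            A = t.sqr(A)
    # Now A = g^(m^(l-1)) and R_j holds g^(sum of m^i over digits d_i = j-1).
    # Steps 1051-1053: B <- prod_j R_j^(j-1), R_1 <- prod_j R_j.
    B = R[m]
    for i in range(m - 1, 1, -1):
        R[i] = t.mul(R[i], R[i + 1])
        B = t.mul(B, R[i])
    R[1] = t.mul(R[1], R[2])
    # Steps 10541-10544: with e = d_{l-1} - 1 and A' = A * R_1, a left-to-right
    # binary walk over the w bits of e multiplies by A' for a 1 bit and by R_1
    # for a 0 bit, so Q = A'^e * R_1^(m-1-e) and no step is ever skipped.
    e = digs[l - 1] - 1
    A = t.mul(A, R[1])
    Q = A if (e >> (w - 1)) & 1 else R[1]
    for i in range(w - 1, 0, -1):
        Q = t.sqr(Q)
        Q = t.mul(Q, A) if (e >> (i - 1)) & 1 else t.mul(Q, R[1])
    A = t.mul(B, Q)  # A = g^(d-1)
    # Step 106: g^d = g * g^(d-1).
    A = t.mul(A, g % q)
    return A, "".join(t.ops)


def trace_depends_only_on_length(q, w, d1, d2):
    """True when two exponents with the same digit count give the same trace."""
    return modexp_windowed(3, d1, q, w)[1] == modexp_windowed(3, d2, q, w)[1]


if __name__ == "__main__":
    # Constructed sample values: a small prime modulus, not a real key.
    q = 1000003
    for w in (1, 2, 3, 4):
        for d in (1, 2, 11, 2 ** 63 + 12345):
            assert modexp_windowed(123456, d, q, w)[0] == pow(123456, d, q)
    print("ok")
```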

Claims (7)

  1. A method for executing modular exponentiation, characterized in that it includes:
    obtaining the base g, the exponent d, the modulus q and the window w;
    expressing the exponent d in radix-m representation, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0;
    allocating space for the precomputation variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, ..., m, and assigning the base g to the result variable A;
    for i from 0 to l-2, cyclically assigning the product of the precomputation variable selected by digit d_i and the result variable A back to that precomputation variable, and cyclically assigning A^m to the result variable A;
    assigning the final product expression to the result variable A, where · is the multiplication sign and ∏ is the product operator;
    assigning the product of the result variable A and the base g to the result variable A.
  2. The method for executing modular exponentiation according to claim 1, characterized in that assigning the final product expression to the result variable A specifically includes:
    assigning the precomputation variable R_m to a first intermediate variable B;
    for i from m-1 down to 2, cyclically assigning the product of the precomputation variables R_i and R_{i+1} to R_i, and cyclically assigning the product of the first intermediate variable B and the precomputation variable R_i to the first intermediate variable B;
    assigning the product of the precomputation variables R_1 and R_2 to R_1;
    assigning the resulting expression to the result variable A.
  3. The method for executing modular exponentiation according to claim 2, characterized in that assigning that expression to the result variable A specifically includes:
    assigning the product of the result variable A and the precomputation variable R_1 to A;
    checking whether the result of (d_{l-1} − 1) >> (w − 1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q; if false, assigning the precomputation variable R_1 to the second intermediate variable Q;
    for i from w-1 down to 1, cyclically assigning the square Q^2 of the second intermediate variable Q to Q, and checking whether the result of (d_{l-1} − 1) >> (i − 1) is true; if true, assigning the product of the second intermediate variable Q and A to the second intermediate variable Q; if false, assigning the product of the second intermediate variable Q and the precomputation variable R_1 to the second intermediate variable Q;
    assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
  4. A computer-readable storage medium, characterized in that a program for executing modular exponentiation is stored on the computer-readable storage medium, and when executed by a processor the program implements the steps of the method for executing modular exponentiation according to any one of claims 1 to 3.
  5. A device for executing modular exponentiation, characterized in that it includes an acquiring unit, a coding unit and a computing unit, wherein:
    the acquiring unit obtains the base g, the exponent d, the modulus q and the window w, outputs the values of the exponent d and the window w to the coding unit, and outputs the base g, the modulus q and the window w to the computing unit;
    the coding unit expresses the exponent d in radix-m representation, where 0 ≤ d_i < m, m = 2^w and d_{l-1} ≠ 0, and outputs the values of d_i, l and m to the computing unit;
    the computing unit allocates space for the precomputation variables R_i according to the value of the window w, with R_i = 1 for i = 1, 2, 3, ..., m, and assigns the base g to the result variable A; for i from 0 to l-2, cyclically assigns the product of the precomputation variable selected by digit d_i and the result variable A back to that precomputation variable, and cyclically assigns A^m to the result variable A; assigns the final product expression to the result variable A, where · is the multiplication sign and ∏ is the product operator; and assigns the product of the result variable A and the base g to the result variable A.
  6. The device for executing modular exponentiation according to claim 5, characterized in that the computing unit assigning the final product expression to the result variable A includes:
    assigning the precomputation variable R_m to a first intermediate variable B;
    for i from m-1 down to 2, cyclically assigning the product of the precomputation variables R_i and R_{i+1} to R_i, and cyclically assigning the product of the first intermediate variable B and the precomputation variable R_i to the first intermediate variable B;
    assigning the product of the precomputation variables R_1 and R_2 to R_1;
    assigning the resulting expression to the result variable A.
  7. The device for executing modular exponentiation according to claim 6, characterized in that the computing unit assigning that expression to the result variable A includes:
    assigning the product of the result variable A and the precomputation variable R_1 to A;
    checking whether the result of (d_{l-1} − 1) >> (w − 1) is true, where >> is the right-shift operator; if true, assigning the result variable A to a second intermediate variable Q; if false, assigning the precomputation variable R_1 to the second intermediate variable Q;
    for i from w-1 down to 1, cyclically assigning the square Q^2 of the second intermediate variable Q to Q, and checking whether the result of (d_{l-1} − 1) >> (i − 1) is true; if true, assigning the product of the second intermediate variable Q and A to the second intermediate variable Q; if false, assigning the product of the second intermediate variable Q and the precomputation variable R_1 to the second intermediate variable Q;
    assigning the product of the first intermediate variable B and the second intermediate variable Q to the result variable A.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710942868.7A CN107896142B (en) 2017-10-11 2017-10-11 Method and device for executing modular exponentiation and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN107896142A true CN107896142A (en) 2018-04-10
CN107896142B CN107896142B (en) 2021-04-13

Family

ID=61803232

Country Status (1)

Country Link
CN (1) CN107896142B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1492316A (en) * 2003-09-09 2004-04-28 大唐微电子技术有限公司 Montgomery analog multiplication algorithm and its analog multiplication and analog power operation circuit
CN1259617C (en) * 2003-09-09 2006-06-14 大唐微电子技术有限公司 Montgomery analog multiplication algorithm and its analog multiplication and analog power operation circuit
US20120039461A1 (en) * 2009-03-16 2012-02-16 Marc Joye Exponentiation method resistant against side-channel and safe-error attacks
US20120321075A1 (en) * 2011-06-17 2012-12-20 Marc Joye Fault-resistant exponentiation algorithm
CN103246494A (en) * 2013-05-27 2013-08-14 上海爱信诺航芯电子科技有限公司 Safety modular exponentiation method for resisting energy analysis and fault attack

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MARC JOYE et al.: "Highly Regular m-Ary Powering Ladders", Springer *
YOO-JIN BAEK: "Regular 2w-ary right-to-left exponentiation algorithm with very efficient DPA and FA countermeasures", Springer *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112332970A (en) * 2019-08-05 2021-02-05 上海复旦微电子集团股份有限公司 Side channel analysis method, device, medium and equipment for attacking SM9 signature algorithm
CN112769557A (en) * 2020-12-30 2021-05-07 北京宏思电子技术有限责任公司 Implementation method and device for accelerating SM9 bilinear pairing operation in embedded system
CN112769552A (en) * 2020-12-30 2021-05-07 北京宏思电子技术有限责任公司 Method and device for accelerating linear pair operation in embedded system
CN112769553A (en) * 2020-12-30 2021-05-07 北京宏思电子技术有限责任公司 Implementation method and device for accelerating SM9 bilinear pairing operation in embedded system
CN112769553B (en) * 2020-12-30 2022-08-19 北京宏思电子技术有限责任公司 Implementation method and device for accelerating SM9 bilinear pairing operation in embedded system
CN112769552B (en) * 2020-12-30 2022-08-23 北京宏思电子技术有限责任公司 Method and device for accelerating linear pair operation in embedded system
CN112769557B (en) * 2020-12-30 2022-10-18 北京宏思电子技术有限责任公司 Implementation method and device for accelerating SM9 bilinear pairing operation in embedded system

Also Published As

Publication number Publication date
CN107896142B (en) 2021-04-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant