面向多椭圆曲线的高速标量乘法器设计与实现

doi:10.11959/j.issn.1000-436X.2020226

通信学报 ›› 2020, Vol. 41 ›› Issue (12): 100-109.doi: 10.11959/j.issn.1000-436X.2020226

面向多椭圆曲线的高速标量乘法器设计与实现

于斌, 黄海, 刘志伟, 赵石磊, 那宁

哈尔滨理工大学软件与微电子学院，黑龙江哈尔滨 150080

修回日期:2020-09-17 出版日期:2020-12-25 发布日期:2020-12-01
作者简介:于斌（1984- ），男，黑龙江饶河人，哈尔滨理工大学讲师，主要研究方向为密码算法、密码芯片设计、数字集成电路设计等。
黄海（1982- ），男，内蒙古巴彦淖尔人，博士，哈尔滨理工大学副教授、硕士生导师，主要研究方向为信息安全、可重构技术、集成电路设计等。
刘志伟（1987- ），男，黑龙江哈尔滨人，哈尔滨理工大学讲师、博士生，主要研究方向为可重构计算、高速密码算法、并行加密技术、密码芯片的安全设计等。
赵石磊（1979- ），男，黑龙江肇源人，博士，哈尔滨理工大学副教授、硕士生导师，主要研究方向为信息安全、高速密码算法、密码芯片的安全设计等。
那宁（1995- ），男，黑龙江牡丹江人，哈尔滨理工大学硕士生，主要研究方向为信息安全、集成电路设计等。
基金资助:
黑龙江省自然科学基金资助项目(YQ2019F010);黑龙江省普通本科高等学校青年创新人才培养计划基金资助项目(UNPYSCT-2017081);国家重点研发计划基金资助项目(2018YFB2202100)

Design and implementation of high-speed scalar multiplier for multi-elliptic curve

Bin YU, Hai HUANG, Zhiwei LIU, Shilei ZHAO, Ning NA

School of Software and Microelectronics, Harbin University of Science and Technology, Harbin 150080, China

Revised:2020-09-17 Online:2020-12-25 Published:2020-12-01
Supported by:
The Natural Science Foundation of Heilongjiang(YQ2019F010);The University Nursing Program for Young Scholars with Creative Talents in Heilongjiang(UNPYSCT-2017081);The National Key Research and Development Program of China(2018YFB2202100)

摘要/Abstract

摘要：

针对现有标量乘法器不能适用于多椭圆曲线且运算开销较大的问题，设计了一种能应用于两类素数域椭圆曲线的高速标量乘法器。首先，在标量乘算法上，对secp256r1曲线的基点采用Comb算法，对普通点采用Shamir算法，对 Curve25519 曲线使用蒙哥马利阶梯算法；然后，优化了点加和倍点运算的操作步骤，并对点加中 Z=1的情况进行简化设计，有效减少计算周期数；最后，采用快速模约简实现模乘，设计了 Curve25519 的快速模约简算法。整个设计充分考虑复用，在55 nm CMOS工艺下需1 022×10³个等效门，在secp256r1和Curve25519上计算普通点标量乘，运算速度分别为15.3万次/秒和15.8万次/秒，其中secp256r1上的运算速度是现有设计的1.9倍。

关键词: 椭圆曲线密码学, 标量乘, 快速模约简, 硬件实现

Abstract:

Aiming at the problem that the existing scalar multiplier cannot be applied to multi-elliptic curve and the cost is expensive, a high-speed scalar multiplier was designed, applicable to two types of elliptic curves over prime fields.Firstly, in terms of the scalar multiplication, secp256r1 base points were processed with the comb algorithm, and the Shamir algorithm for ordinary points, and the Montgomery ladder algorithm for Curve25519.Secondly, the operation of point addition and point doubling was optimized, and the condition of Z=1 in point addition was simplified, thereby effectively reducing the number of calculation cycles.Lastly, a fast modular reduction algorithm of Curve25519 was designed for modular multiplication.Multiplexing was an important factor in the entire designing process.A 1022K equivalent gate was selected for the 55 nm CMOS process.This allowed ordinary point scalar multiplications performed on secp256r1 and Curve25519 respectively, calculating at the speeds of 153 000 times per second and 158 000 times per second, with the speed for secp256r1 1.9 times that of the existing designed one.

Key words: ECC, scalar multiplication, fast modular reduction, hardware implementation

中图分类号:

TN918
TP309

于斌, 黄海, 刘志伟, 赵石磊, 那宁. 面向多椭圆曲线的高速标量乘法器设计与实现[J]. 通信学报, 2020, 41(12): 100-109.

Bin YU, Hai HUANG, Zhiwei LIU, Shilei ZHAO, Ning NA. Design and implementation of high-speed scalar multiplier for multi-elliptic curve[J]. Journal on Communications, 2020, 41(12): 100-109.

图/表 10

图1

表1

表2

表3

表4

图2

图3

表5

图4

表6

参考文献 26

[1]	姜久兴, 厚娇, 黄海 ,等. 低面积复杂度AES低熵掩码方案的研究[J]. 通信学报, 2019,40(5): 201-210.
	JIANG J X , HOU J , HUANG H ,et al. Research on area-efficient low-entropy masking scheme for AES[J]. Journal on Communications, 2019,40(5): 201-210.
[2]	RESCORLA E , MOZILLA . The transport layer security (TLS) protocol version 1.3:RFC8446[S]. IETF,(2018-08) [2020-03-07].
[3]	KUDITHI T , SAKTHIVEL R . High-performance ECC processor architecture design for IoT security applications[J]. Journal of Supercomputing, 2019,75(1): 447-474.
[4]	HOSSAIN M S , KONG Y , SAEEDI E ,et al. High-performance elliptic curve cryptography processor over NIST prime fields[J]. IET Computers ＆ Digital Techniques, 2017,11(1): 33-42.
[5]	LIU J W , GUAN Z Y , CHENG D X ,et al. A high speed VLSI implementation of 256-bit scalar point multiplier for ECC over GF (p)[C]// 2018 IEEE International Conference on Intelligence and Safety for Robotics. Piscataway:IEEE Press, 2018: 184-191.
[6]	LEE J W , CHUNG S C , CHANG H C ,et al. Efficient power-analysis-resistant dual-field elliptic curve cryptographic processor using heterogeneous dual-processing-element architecture[J]. IEEE Transactions on Very Large Scale Integration Systems, 2014,22(1): 49-61.
[7]	CHUNG S C , LEE J W , CHANG H C ,et al. A high-performance elliptic curve cryptographic processor over GF(p) with SPA resistance[C]// IEEE International Symposium on Circuits and Systems. Piscataway:IEEE Press, 2012: 1456-1459.
[8]	AL-SOMANI T F . High-performance generic-point parallel scalar multiplication[J]. Arabian Journal for Science and Engineering, 2017,42(2): 507-512.
[9]	JAVEED K , WANG X , SCOTT M . High performance hardware support for elliptic curve cryptography over general prime field[J]. Microprocessors ＆ Microsystems, 2017,51(6): 331-342.
[10]	王敏, 吴震 . 抗SPA 攻击的椭圆曲线NAF 标量乘实现算法[J]. 通信学报, 2012,33(Z1): 228-232.
	WANG M , WU Z . Algorithm of NAF scalar multiplication on ECC against SPA[J]. Journal on Communications, 2012,33(Z1): 228-232.
[11]	MOHAMED N , HASHIM M , HUTTER M . Improved fixed-base comb method for fast scalar multiplication[C]// Proceedings of the 5th International Conference on Cryptology. Berlin:Springer, 2012: 342-359.
[12]	ZHANG N , CHEN Z , XIAO G . Efficient elliptic curve scalar multiplication algorithms resistant to power analysis[J]. Information Sciences, 2007,177(10): 2119-2129.
[13]	徐明, 史量 . 基于伪四维投射坐标的多基链标量乘法[J]. 通信学报, 2018,39(5): 74-84.
	XU M , SHI L . Pseudo 4D projective coordinate-based multi-base scalar multiplication[J]. Journal on Communications, 2018,39(5): 74-84.
[14]	IEEE Standards Association . IEEE standard specifications for public-key cryptography:IEEE Std 1363-2000[S]. IEEE,(2000-07) [2020-05-06].
[15]	LI W , ZENG X Y , FENG X . A high-throughput processor for dual-field elliptic curve cryptography with power analysis resistance[C]// 2015 IEEE 15th International Conference on Scalable Computing and Communications and Its Associated Workshops. Piscataway:IEEE Press, 2015: 570-577.
[16]	COHEN H , MIYAJI A , ONO T . Efficient elliptic curve exponentiation using mixed coordinates[C]// International Conference on the Theory＆ Applications of Cryptology ＆ Information Security:Advances in Cryptology. Berlin:Springer, 1998: 51-65.
[17]	王潮, 时向勇, 牛志华 . 基于蒙哥马利曲线改进 ECDSA 算法的研究[J]. 通信学报, 2010,31(1): 9-13.
	WANG C , SHI X Y , NIU Z H . The research of the promotion for ECDSA algorithm based on Montgomery-form ECC[J]. Journal on Communications, 2010,31(1): 9-13.
[18]	MARZOUQI H , AL-QUTAYRI M , SALAH K ,et al. A 65nm ASIC based 256 NIST prime field ECC processor[C]// 2016 IEEE 59th International Midwest Symposium on Circuits and Systems (MWSCAS). IEEE, 2016.
[19]	MARZOUQI H , AL-QUTAYRI M , SALAH K . Review of elliptic curve cryptography processor designs[J]. Microprocessors and Microsystems, 2015,39(2): 97-112.
[20]	HANKERSON D , MENEZES A , VANSTONE S . Guide to elliptic curve cryptography[M]. Berlin: Springer, 2004.
[21]	BERNSTEIN D , . CURVE25519:new Diffie-Hellman speed records[C]// International Workshop on Public Key Cryptography, Berlin:Springer, 2006: 207-228.
[22]	LANGLEY A , GOOGLE , Hamburg M ,et al. Elliptic curves for Security:RFC7748[S]. IETF,(2016-01) [2020-01-21].
[23]	SALARIFARD R BAYAT-SARMADI S . An efficient low-latency point-multiplication over Curve25519[J]. IEEE Transactions on Circuits and Systems-I:Regular Papers, 2019,66(10): 3854-3862.
[24]	DüELL M , HAASE B , HINTERWAELDER G ,et al. High-speed curve25519 on 8-bit,16-bit,and 32-bit microcontrollers[J]. Designs Codes ＆ Cryptography, 2015,77(2-3): 493-514.
[25]	CHEN Y L , LEE J W , LIU P C ,et al. A dual-field elliptic curve cryptographic processor with a radix-4 unified division unit[C]// IEEE International Symposium of Circuits and Systems. Piscataway:IEEE, 2011: 713-716.
[26]	RASHIDI B . A survey on hardware implementations of elliptic curve cryptosystems[J]. arXiv Preprint,arXiv:1710.08336, 2017.

步骤	模乘	模加减
1	t₁←Z₁Z₁	—
2	t₂←Y₁Y₁	t₃←x₁+t₁, t₄←X₁-t₁
3	t₁←t₃t₄	—
4	t₃←Y₁Z₁	t₄←8t₂
5	t₅←X₁t₄	t₁←3t₁
6	t₃←t₁t₁	Z₃←t₃+t₃
7	t₂←t₂t₄	X₃←t₃-t₅, t₄←1.5t₅-t₃
8	t₁←t₁t₄	—
9	—	Y₃←t₁-t₂

步骤	模乘	模加减
1	t₁←Z₁Z₁	—
2	t₂←Z₂Z₂	—
3	X₃←X₂t₁	—
4	t₃←X₁t₂	—
5	t₁←t₁Z₁	t₆←X₃+t₃, t₄←X₃-t₃
6	t₅←t₄t₄	—
7	t₂←t₂z₂	—
8	t₁←Y₂t₁	—
9	t₂←Y₁t₂	—
10	Y₃←t₅t₆	—
11	t₆←t₄t₅	t₃←t₁-t₂, t₂←t₁+t₂
12	t₁←t₃t₃	—
13	t₅←t₂t₆	X₃←t₁-Y₃
14	Z₃←Z₁Z₂	t₆←Y₃-2X₃
15	Y₃←t₃t₆	—
16	Z₃←Z₃t₄	Y₃←Y₃-t₅
17	—	Y₃←0.5Y₃

步骤	模乘	模加减
1	—	t₁←X₂+Z₂
2	t₆←t₁t₁	t₂←X₂-Z₂
3	t₇←t₂t₂	t₃←X₃-Z₃
4	t₈←t₁t₃	t₄←X₃+Z₃, t₅←t₆-t₇
5	t₉←t₂t₄	—
6	X₂←t₆t₇	X₃←t₈+t₉,Z₃=t₈-t₉
7	X₃←X₃X₃	—
8	Z₂←121665t₅	—
9	Z₃←Z₃Z₃	Z₂←Z₂+t₆
10	Z₂←Z₂t₅	—
11	Z₃←Z₃X₁	—
12	—	Z₃约简

步骤	模乘	模加减
1	t₁←Z₁Z₁	—
2	t₂←Y₂Z₁	—
3	t₃←X₂t₁	—
4	t₁←t₁t₂	t₂←t₃-X₁, t₃←t₃+x₁
5	t₄←t₂t₂	t₁←t₁-Y₁
6	Z₃←Z₁t₂	—
7	t₂←t₂t₄	—
8	t₃←t₃t₄	—
9	t₅←t₁t₁	—
10	t₄←X₁t₄	X₃←t₅-t₃
11	t₂←Y₁t₂	t₃←t₄-X₃
12	t₁←t₁t₃	—
13	—	Y₃←t₁-t₂

运算	λG/周期	λP/周期	λP+μG/周期	Curve25519/周期
预计算	0	24	168	0
迭代（平均）	1 233	3 684	3 684	3 572
迭代（最大）	1 285	4 228	4 228	3 572
模逆（平均）	384	384	384	384
模逆（最大）	512	512	512	510
后处理	7	7	7	3
合计（平均）	1 624	4 099	4 243	3 956
合计（最大）	1 804	4 771	4 915	4 082

面向多椭圆曲线的高速标量乘法器设计与实现

Design and implementation of high-speed scalar multiplier for multi-elliptic curve

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 26

相关文章 7

Metrics

推荐阅读 0

方案	曲线	工艺/nm	主频/MHz	门数/个	运算速度/（千次·秒^-1）	单次时间/μs	AT
	secp256r1(λG)				384.8	2.60	2 657
本文工作	secp256r1(λP)	55	625.00	1 022×10³	152.5	6.56	6 704
	Curve25519				157.9	6.33	6 469
文献[4]	secp256r1	65	549.45	447×10³	1.38	0.73	326 310
文献[5]	secp256r1	65	188.00	3.5×10⁶	80	12.5	43 750
文献[6]	secp256r1	90	217.00	313×10³	1.71	0.76	237 880
文献[7]	secp256r1	90	185.00	540×10³	8.30	120	64 800
文献[25]	secp256r1	90	256.40	82.8×10³	3.22	0.31	25 668
文献[26]	secp256r1	130	215.00	208×10³	4.76	0.21	43 680

[1]	薛一鸣, 刘树荣, 郭书恒, 李岩, 胡彩娥. 高速Ed25519验签算法硬件架构的设计与实现[J]. 通信学报, 2022, 43(3): 101-112.
[2]	姜占鹏, 孙铭玮, 黄海, 徐江, 刘志伟, 白瑞, 方舟, 曲家兴. 面向双线性对的 $F_{p^{2}}$ -FIOS模乘算法及其实现架构研究[J]. 通信学报, 2022, 43(2): 100-108.
[3]	徐明,史量. 基于伪四维投射坐标的多基链标量乘法[J]. 通信学报, 2018, 39(5): 74-84.
[4]	罗鹏,李慧云,王鲲鹏,王亚伟. 对ECC算法实现的选择明文攻击方法[J]. 通信学报, 2014, 35(5): 79-87.
[5]	罗鹏1,2，李慧云3，王鲲鹏4，王亚伟5. 对ECC算法实现的选择明文攻击方法[J]. 通信学报, 2014, 35(5): 11-87.
[6]	殷新春,张海灵,杨婷. 基于多基数系统的优化多标量乘快速算法[J]. 通信学报, 2010, 31(8A): 122-126.
[7]	张宝华,殷新春,张海灵. Edwards曲线安全快速标量乘法运算算法——EDSM[J]. 通信学报, 2008, 29(10): 76-81.