抵抗簡單能量攻擊法的橢圓曲線運算單元之設計與實現

Abstract

這篇論文中介紹了一個同時適用在GF(p)和GF(2m)的抗簡單能量攻擊法之橢圓曲線運算單元(ECAU)的通用型硬體架構，這個架構能支援最多512位元任意長度的有限場。在這個運算單元中提出一種隨機交錯計算k1P1+k2P2的演算法，藉此抵抗簡單能量攻擊法。其中的橢圓曲線運算建構在仿射座標系，並使用高速的蒙哥馬利除法演算法。為了減少硬體複雜度，我們提出了有限場運算單元(GFAU)來計算同餘加法、減法和蒙哥馬利乘法、除法。

使用ASIC設計流程實現這個架構後，GFAU所需的合成邏輯閘個數比先人所提出的少25%。在所提出的抵抗簡單能量攻擊法的ECAU中，我們只運用一套GFAU，因此合成結果只需277.K個邏輯閘。在133MHz的時脈下進行，計算一筆512位元的橢圓曲線純量乘法平均需要13.76ms，而計算一筆抵抗簡單能量攻擊法的k1P1+k2P2運算只需要27.53ms。

A universal hardware architecture of SPA-resistant elliptic curve arithmetic unit (ECAU) suitable for both GF(p) and GF(2m) is introduced to work in arbitrary field lengths within a maximum 512-bit length. The proposed algorithm used in ECAU can randomly interleave k1P1+k2P2 operations to cope with SPA. The elliptic curve operations are calculated over affine coordinate using high speed Montgomery division algorithm. To reduce hardware complexity, the sharing architecture called Galois field arithmetic unit (GFAU) is proposed to perform modular addition, modular subtraction, Montgomery multiplication and Montgomery division.

After implemented by ASIC design flow, the GFAU occupies 25% less synthesized gatecount than previous work. With only one set of GFAU, the proposed SPA-resistant ECAU occupies 277.5K gatecount. It averagely takes 13.76ms to perform one 512-bit scalar multiplication and 27.53ms to perform a SPA-resistant 512-bit k1P1+k2P2 operation both at 133MHz clock rate.