Analysis of Low-Power Elliptic Curve Cryptography Using Scaled Modular Arithmetic
Introduction to elliptic curve cryptography. httpwww.iaik.tugraz. ataboutuspeopleoswaldpape
2
Basic Facts about Elliptic Curves
We investigate what an elliptic curve is, and what it’s (algebraic) properties are. Please note that although we often work in finite fields we write ”=” instead of ”≡”. This is because we use the same notation as in the books of N. Koblitz ([6],[7]). If we talk about derivatives in the context of a finite field, we mean the ”formal derivative” which is defined through the nX n−1 rule (of course not as a limit). When we represent congruence classes we choose the least positive number in the class as a representative. Definition 1. An elliptic curve E over the field F is a smooth curve in the so called ”long Weierstrassform” Y 2 + a1 XY + a3 Y = X 3 + a2 X 2 + a4 X + a6 , ai ∈ F. (1)
We let E (F) denote the set of points (x, y ) ∈ F2 that satisfy this equation, along with a ”point at infinity” denoted O. Remember that smooth means that there is no point in E (F) where both partial derivatives vanish. The definition given above is valid for any field. But in cryptography we are only interested in finite fields. Considering only finite fields we get an ”easier” equation. Two finite fields are of particular interest. The finite field Fp with p ∈ P elements, because of it’s structure, and the finite field Fqm with q = pr Elements, since setting p = 2 the arithmetic in this field will be well suited for implementations in hardware.
手性样品前处理
MIP-based chiral recognition sets an exotic trend in development of chiral sensors.
Analytica Chimica Acta 853 (2015) 1–18
Contents lists available at ScienceDirect
Analytica Chimica Acta
journal homepage: /locate/aca
Molecularly imprinted polymer based enantioselective sensing devices: A review
We present about rational design of chiral sensors as selective and sensitive devices.
GRAPArticle history: Received 20 December 2013 Received in revised form 8 June 2014 Accepted 9 June 2014 Available online 12 June 2014
ã 2014 Elsevier B.V. All rights reserved.
* Corresponding author at: N 16/62 E-K, Sudamapur, Vinayaka, Varanasi 221010, Uttar Pradesh, India. Tel.: +91 9450239133. E-mail addresses: mahavirtiwari@, krineshtiwari@ (M.P. Tiwari).
高性能Ed25519算法硬件架构设计与实现
1822
电子与信息学报
第 43 卷
名算法。业界对相关算法做了大量研究,如FazHernández等人[3]使用矢量指令的方式使计算机执 行Ed25519的速度得到大幅提升;Islam等 人[4]在P-256的曲线上兼容了Ed25519的计算,使其 具有更好的通用性;戴紫彬等人[5]改善了架构,使 密码处理器能够高效并行;Kim等人[6]讨论了 Curve25519和Edwards25519曲线上加法运算的转 换效率;Salarifard等人[7]通过快速约简实现模乘并 完成了Curve25519曲线上标量乘的设计;Turan等 人[8]在可编程门阵列(Field Programmable Gate Array, FPGA)上实现了完整的Ed25519功能; Mehrabi等人[9]做了低功耗低面积的设计,完成了 X25519功能并支持ED25519的标量乘运算;魏伟 等人[10]研究了椭圆曲线密钥交换协议的比特安全问 题;在低延迟、侧信道保护方面的研究也有诸多 进展[11–13]。
用,常用的算法有RSA 和椭圆曲线数字签名算法 (Elliptic Curve Digital Signature Algorithm, ECDSA)等。在最新的传输层安全性协议1.3版(the Transport Layer Security protocol version 1.3, TLS1.3)中,椭圆曲线算法被收录为基本算法[1], 其中爱德华兹曲线数字签名算法(Edwards-curve Digital Signature Algorithm, EdDSA)作为主要的 数字签名算法之一,受到研究者的广泛关注。
椭圆曲线加密算法例题
椭圆曲线加密算法例题椭圆曲线加密算法(Elliptic Curve Cryptography,简称ECC)是一种基于椭圆曲线数学的公钥加密算法。
下面是一个简单的椭圆曲线加密算法的例题:假设Alice和Bob想要使用椭圆曲线加密算法进行通信。
他们首先选择一个合适的椭圆曲线参数,包括一个椭圆曲线方程和一个基点G。
1. 密钥生成:Alice选择一个随机数a作为她的私钥,并计算出她的公钥A=aG。
Bob选择一个随机数b作为他的私钥,并计算出他的公钥B=bG。
2. 加密过程:Alice想要发送一条消息M给Bob,她首先选择一个随机数k,并计算出点C1=kG和C2=M+kA,其中kA表示点A乘以k。
Alice将C1和C2一起发送给Bob。
3. 解密过程:Bob收到C1和C2后,使用他的私钥b计算出点C'=C2-bC1。
由于椭圆曲线上的点的加法运算具有群的性质,因此C'就等于M+kA-bkA=M+(k-bk)A。
由于A=aG,所以C'就等于M+(k-bk)aG。
由于k和b都是随机数,所以k-bk也是一个随机数,记为k'。
因此,C'就等于M+k'aG。
Bob再计算出M'=C'-k'A。
由于A=aG,所以M'就等于M+k'aG-k'aG=M。
因此,Bob成功解密出了Alice发送的消息M。
以上是一个简单的椭圆曲线加密算法的例题。
在实际应用中,椭圆曲线加密算法还需要考虑更多的安全性和效率问题,例如选择合适的椭圆曲线参数、防止重放攻击等。
此外,还需要使用合适的密码学哈希函数和随机数生成器等技术来保证算法的安全性。
TUG
Analysis of MO-1 (4)
Table 2: Conditional p(00|DD) = p(01|DD) = p(10|DD) = p(11|DD) = probabilities for “DD” and “ADAD” 1/2 p(00|ADAD) = 0 0 p(01|ADAD) = 1/4 1/4 p(10|ADAD) = 1/4 1/4 p(11|ADAD) = 1/2
P=P+Q
1
1 0 P=P+Q Q=4Q
P=P−Q Q=4Q 1
1
2
11 P=P+Q
0
0 0 Q=2Q P=P+Q Q=2Q 1 Q=2Q
M = 1 2 0 0 1 0 1 2 2 Figure 2: Transition matrix for FSM-MO-1
7
1 2
1 2
Figure 1: FSM-MO-1
DPA @ A-SIT/IAIK
DPA@IAIK
IAIK
Motivation (1)
TUG
• Recent paper of R¨ omer et. al. ”Information Leakage Attacks against Smart Card Implementations of the ECDSA” • They show how to calculate the secret key of the ECDSA by knowing some keybits of some ephemeral keys. • More precisely : At most 12 (consecutive) keybits, from about 50 ephemeral keys, for a 160-bit curve. • These are worst case bounds. • Extension of the attack is possible → arbitrary located keybits.
MIRACL大数运算库使用手册
MIRACL大数运算库使用手册游贵荣一.MIRACL简介MIRACL(Multiprecision Integer and Rational Arithmetic C/c++ Library)是一套由Shamus Software Ltd.所开发的一套关于大数运算函数库,用来设计与大数运算相关的密码学之应用,包含了RSA 公开密码学、Diffie-Hellman密钥交换(Key Exchange)、AES、DSA数字签名,还包含了较新的椭圆曲线密码学(Elliptic Curve Cryptography)等等。
运算速度快,并提供源代码。
MIARCL是当前使用比较广泛的基于公钥加密算法保护实现的大数库之一,据说要使用该库用于商业软件,需要交纳一笔昂贵的授权费——1000$。
二.MIRACL常用函数调用手册声明:此处只列出和大数相关的简单运算函数,以及产生大数随机数的函数调用手册,具体请查看manual.doc文档。
不当之处,请大家批评指正!函数原型: void absol(big x, big y);功能说明: 取x的绝对值,y=|x|函数原型: void add(big x, big y, big z);功能说明: 两个大数相加,z=x+yExample: add(x,x,x); // This doubles the value of x.函数原型: void bigbits(int n, big x);功能说明: 产生一个n位的大整数,初始化随机种子由irand函数实现Example: bigbits(100,x); //This generates a 100 bit random number函数原型: int cinstr(big x, char *s);功能说明: 将大数字符串转换成大数返回值: 输入字符数的个数Example: mip->IOBASE=16; // input large hex number into big xcinstr(x,”AF12398065BFE4C96DB723A”);函数原型: int compare(big x, big y);功能说明: 比较两个大数的大小返回值: x>y时返回+1, x=y时返回0, x<y时返回-1函数原型: void convert(int n, big x);功能说明: 将一个整数n转换成一个大数x函数原型: void copy(big x, big y);功能说明: 将一个大数赋值给另一个大数,y=x函数原型: int cotstr(big x, char *s);功能说明: 将一个大数根据其进制转换成一个字符串返回值: 字符串长度函数原型: void decr(big x, int n, big z) ;功能说明: 将一个大数减去一个整数, z=x-n.函数原型: void divide(big x, big y, big z);功能说明: 两个大数相除,z=x/y; x=x mod y,当变量y和z相同时,x为余数,商不返回(即y的值不变);当x和z相同时,x为商,余数不返回。
椭圆曲线加密算法及实例分析
The Application of Cryptographic Techniques in Secure Transmission of Streaming Media Chen Daomin1 Zhou Jinquan2 1PLA University ofForeign Languages, Henan 471003 2Kunming Military Academy, Yunnan 650207 Abstract:In this paper, after analyzing the encrypting features of streaming media, we deeply research on how to encrypt the streaming media data by using block cipher and stream cipher respectively. Keywords:Streaming Media;Encryption;Block Cipher;Stream Cipher
④依据 Bob 的公钥计算点(x , y )=kG(k 个 G 相加);
1
1
⑤计算点(x , y )=kQ,如果 x =0,则回到第③步;
2
2
2
⑥计算 C=m*x ; 2
⑦传送加密数据(x , y ,C)给Bob。
1
1
(2)Bob的解密过程
(阶)。经过计算得 n=223。 经过上面算法的验证,得知 n=223 是一个素数,所以点 v 可
1
1
(4)点 Q的倍数定义如下:在Q点作椭圆曲线的一条切线,设
切线与椭圆曲线交于点 S,定义 2Q=Q+Q=-S,类似的可定义 3Q=
(1)在椭圆曲线 E 上恰有一个点,称之为无穷远点。即(0: Q + Q + Q +,…,等。
信息安全工程师考试要点
第一章:1.3.2:1、GB17859-1999标准规定了计算机系统安全保护能力的五个等级,即:用户资助保护级、系统审计保护级、安全标记保护级、结构化保护级、访问验证保护级。
2、目前正在执行的两个分级保护的国家保密标准是BMB17《涉与国家秘密的信息系统分级保护技术要求》和BMB20《涉与国家秘密的信息系统分析保护管理规范》。
3、涉密信息系统安全分级保护根据其涉密信息系统处理信息的最高密级,可以划分为秘密级、机密级和机密级(增强)、绝密级三个等级;4、秘密级,信息系统中包含有最高为秘密级的国家秘密,其防护水平不低于国家信息安全等级保护三级的要求,并且还必须符合分级保护的保密技术的要求。
机密级,信息系统中包含有最高为机密级的国家秘密,其防护水平不低于国家信息安全等级保护四级的要求,还必须符合分级保护的保密技术要求。
属于下列情况之一的机密级信息系统应选择机密级(增强)的要求:●信息系统的使用单位为副省级以上的党政首脑机关,以与国防、外交、国家安全、军工等要害部门。
●信息系统中的机密级信息含量较高或数量较多;●信息系统使用单位对信息系统的依赖程度较高;绝密级,信息系统中包含有最高为绝密级的国家秘密,其防护水平不低于国家信息安全等级保护五级的要求。
5、安全监控可以分为网络安全监控和主机安全监控1.3.3信息安全风险评估与管理1、一般可通过以下途径达到降低风险的目的:避免风险、转移风险、减少威胁、减少脆弱性、减少威胁可能的影响、检测以外事件,并做出响应和恢复。
1.4 信息安全标准化知识1、国家标准化指导性技术文件,其代号为“GB/Z”;推荐性国家标准代号为“GB/T”2、目前国际上两个重要的标准化组织,即国际标准化组织ISO和国际电工委员会IEC。
ISO和IEC成立了第一联合技术委员会JTC1制定信息技术领域国际标准;SC27是JTC1中专门从事信息安全通用方法与技术标准化工作的分技术委员会。
3、信息安全标准体系与协调工作组(WG1),主要负责研究信息安全标准体系、跟踪国际信息安全标准发展态势,研究、分析国内信息安全标准的应用需求,研究并提出了新工作项目与设立新工作组的建议、协调各工作组项目。
椭圆曲线最常用二级结论总结
椭圆曲线最常用二级结论总结在密码学领域中,椭圆曲线被广泛用于实现安全的加密和签名算法。
下面是对椭圆曲线最常用的二级结论的总结:1. 加法结合律(Associative Law of Addition):对于任意三个点P、Q和R,它们位于同一条曲线上,有(P + Q) + R = P + (Q + R)。
这意味着椭圆曲线上的点相加的顺序不影响最终的结果。
2. 加法逆元(Additive Inverse):对于椭圆曲线上的任意点P,存在一个点Q,使得P + Q = O,其中O表示无穷远点。
这个点Q称为点P的加法逆元,记作-Q = -P。
加法逆元的存在性保证了每个点在椭圆曲线上都有一个相反的点。
3. 线性性质(Linearity Property):对于任意两个点P和Q以及一个标量k,有k(P + Q) = kP + kQ。
这意味着可以通过对点P进行重复相加来计算任意标量倍数的点。
4. 点的倍乘运算(Point Multiplication):给定一个点P和一个标量k,在椭圆曲线上可以通过连续相加点P来计算kP。
这种运算可以高效地实现加密和签名算法中的密钥生成、加密和签名验证等操作。
5. 椭圆曲线上的离散对数问题(Elliptic Curve Discrete Logarithm Problem):椭圆曲线上的离散对数问题是指给定点P和Q,求解满足kP = Q的标量k。
该问题在当前的计算能力下被认为是难解的,从而保证了椭圆曲线加密算法的安全性。
以上是椭圆曲线最常用的二级结论总结。
这些结论对于理解和使用椭圆曲线加密和签名算法非常重要,同时也为进一步研究和开发密码学算法提供了基础。
一种高效安全的椭圆曲线标量乘算法
一种高效安全的椭圆曲线标量乘算法陈熹;祝跃飞【摘要】Most secure Elliptic Curve Scalar Multiplication(ECSM) algorithms based on Point Verification(PV) and Coherency Check(CC) have low efficiency. Aiming at the problem, this paper proposes a new secure algorithm based on ternary representation and proves its correctness. The analysis about its efficiency in the affine coordinates and Jacobian coordinates is presented, whose result shows that the computational efficiency is improved while guaranteeing the security.%基于点验证和基于一致性检测的椭圆曲线标量乘安全算法一般运算效率低下.为此,通过对错误探测方法进行改进,提出一种基于三进制的椭圆曲线标量乘算法,给出算法的正确性证明,并在仿射坐标和Jacobian坐标下对其进行分析,结果表明,在保证安全性的前提下,该算法的效率有较大提高.【期刊名称】《计算机工程》【年(卷),期】2012(038)018【总页数】4页(P103-106)【关键词】点验证;一致性检测;椭圆曲线标量乘;错误分析攻击;三进制表示;仿射坐标;Jacobian坐标【作者】陈熹;祝跃飞【作者单位】解放军信息工程大学信息工程学院,郑州450002;解放军信息工程大学信息工程学院,郑州450002【正文语种】中文【中图分类】TP301.61 概述椭圆曲线密码体制(Elliptic Curve Cryptosystem, ECC)是由文献[1-2]分别提出的,而 ECC独特的优势使其成为公钥密码学研究的热点之一。
椭圆曲线加密方案原理
椭圆曲线加密方案原理
椭圆曲线加密(Elliptic Curve Cryptography,简称ECC)是一种公开密钥加密算法,其原理基于椭圆曲线上的数学问题。
其加密过
程主要涉及到以下几个步骤:
1. 选择一条合适的椭圆曲线和基点
在椭圆曲线加密方案中,需要先选择一条合适的椭圆曲线和一个
基点G,该基点是椭圆曲线上的一个不必为随机选择的点,即确定的一个点。
2. 生成私钥和公钥
ECC算法中,私钥是一个随机的整数,一般用k表示;公钥则是
基于私钥生成的一个点,表示为P=k*G,其中*是点乘运算。
3. 加密和解密
为了保护机密数据,Bob使用Alice的公钥P_A加密明文数据,
其方法是选择一个随机数r,然后计算点 C_1 = r*G 和 C_2 = M +
r*P_A,其中M是待加密的明文消息。
Bob通过发送(C_1,C_2)给Alice
来传递加密信息。
Alice使用她的私钥k_A解密经过加密和传输的消息,她将计算 P_A = k_A*G,然后使用它从C_1中恢复出随机数r,从而计算M=C_2-r*P_A。
ECC算法比传统的RSA加密算法具有更高的安全性和更短的密钥
长度。
它广泛应用于各种网络加密协议中,例如SSL/TLS协议、SSH加密等。
波特五力分析模型
Bargaming Power of Buyers
Threat of Substitute Products
petition differs; tbe forces range from intense in industries like tires, paper and steel, where no firm earns spectacular returns, to relatively mild in industries such as oil field equipment and services, cosmetics and toiletries, where bigb returns are common. The essence of competitive strategy for a company is to find a position in its industry where it can best cope with these competitive forces or can influence them in its favor. Knowledge of tbe underlying sources of competitive pressure can reveal the basic attractiveness of an industry, highlight tbe critical strengths and weaknesses of a company, clarify tbe areas where strategic changes may yield tbe greatest payoff and pinpoint tbe industry trends tbat promise the greatest significance as either opportunities or threats. Structural Detemtinants of Competition Competition in an industry continually works to drive down .the rate of return on invested capital toward the competitive floor rate of return, or the retum that would be earned by the economist's "perfectly competitive" industry. Tbis competitive floor, or "free market," retum is approximated by the yield on long-term govemment securities adjusted upward by the risk of capital loss. Investors will not tolerate retums below this rate for very long before switching their investment to other vehicles, and firms habitually earning less tban tbis return will eventually go out of business.
openssl ecc编程示例的编译命令
要编译使用OpenSSL ECC (Elliptic Curve Cryptography) 的程序,您需要确保已经安装了OpenSSL 库,并且使用适当的编译命令。
以下是一个示例程序和编译命令:```c#include <stdio.h>#include <openssl/ec.h>#include <openssl/err.h>int main() {// 创建ECC 密钥对EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);if (key == NULL) {printf("Failed to create ECC key pair\n");return 1;}// 生成随机私钥if (!EC_KEY_generate_key(key)) {printf("Failed to generate ECC private key\n");EC_KEY_free(key);return 1;}// 获取公钥ECPublicKey pubKey;EC_KEY_set_public_key(key, &pubKey);// 打印公钥和私钥printf("Public key: ");BN_print_fp(stdout, EC_KEY_get0_public_key(key)); printf("\n");printf("Private key: ");BN_print_fp(stdout, EC_KEY_get0_private_key(key)); printf("\n");// 释放密钥对和错误队列EC_KEY_free(key);ERR_free_strings();return 0;}```要编译这个示例程序,您可以使用以下命令:```bashgcc -o ecc_example ecc_example.c -lcrypto -lgmp -ldl```这将使用GCC 编译器编译名为`ecc_example.c` 的源文件,并将输出文件命名为`ecc_example`。
ecc算法源码
ecc算法源码椭圆曲线密码算法(Elliptic Curve Cryptography, ECC)是一种基于椭圆曲线数学问题的非对称加密算法,被广泛应用于互联网安全领域。
在本文中,将介绍ECC算法的基本原理,并提供一段C语言源码作为示例,帮助读者更好地理解和应用ECC算法。
一、ECC算法基本原理ECC算法基于椭圆曲线离散对数问题,通过选择合适的曲线参数和基点,实现对消息的加密与解密操作。
在ECC算法中,公钥由椭圆曲线上的一点表示,私钥是一个随机选择的整数。
加密时,将待加密的消息映射到椭圆曲线上的一点,然后利用私钥和基点的乘法运算求得密文。
解密时,利用私钥和密文进行乘法运算,得到加密前的消息。
二、ECC算法源码示例下面是一个简化的ECC算法源码示例,使用C语言实现:```c#include <stdio.h>#include <string.h>#include <openssl/ec.h>#include <openssl/rand.h>int main() {EC_KEY *ec_key;EC_GROUP *ec_group;const EC_POINT *public_key;BIGNUM *private_key;const EC_POINT *derived_public_key;unsigned char message[] = "Hello, ECC!";unsigned char ciphertext[100];unsigned char decrypted[100];int ciphertext_len, decrypted_len;// 生成椭圆曲线密钥对ec_key = EC_KEY_new_by_curve_name(NID_secp256k1); EC_KEY_generate_key(ec_key);// 获取公钥和私钥ec_group = EC_KEY_get0_group(ec_key);public_key = EC_KEY_get0_public_key(ec_key);private_key = BN_new();BN_copy(private_key,EC_KEY_get0_private_key(ec_key));// 加密derived_public_key = EC_POINT_new(ec_group);EC_POINT_mul(ec_group, derived_public_key,private_key, NULL, NULL, NULL);EC_POINT_point2oct(ec_group, derived_public_key, POINT_CONVERSION_UNCOMPRESSED, ciphertext, sizeof(ciphertext), NULL);ciphertext_len = strlen(ciphertext);// 解密decrypted_len = ECIES_decrypt(private_key, ciphertext, ciphertext_len, decrypted);// 打印解密结果printf("Decrypted message: %s\n", decrypted);// 释放内存EC_POINT_free(derived_public_key);EC_KEY_free(ec_key);BN_free(private_key);return 0;}```以上示例中,首先使用OpenSSL库的函数生成椭圆曲线密钥对,利用私钥和基点进行加密操作,并将得到的密文存储在`ciphertext`数组中。
Elliptic curve cryptosystems介绍
Elliptic curve cryptosystemsElliptic curve cryptosystems (ECCs) were developed independently in 1985 by Neal Koblitz and Victor Miller. ECCs do not use new cryptographic algorithms; they use existing algorithms; e.g., the ElGamal cryptosystem. What changes is the operation.Recall that for the ElGamal cryptosystem the exponentiation operation is based upon multiplication modulo a prime p .factorsmod mod n n b a p a a a p ==⋅"For an ECC the exponentiation operation is based upon ⊗, the multiplication of points on an elliptic curve that is defined over a finite field. What does all this mean?First, it should be noted that an ellipse is not an elliptic curve. Elliptic curves are related to integrands of elliptic integrals, and elliptic integrals first occurred in the calculation of the arc length of an ellipse. (Elliptic integrals have been explored since early in the Nineteenth Century.)For ECCs, the elliptic curves are typically of the form 23y x ax b =++ (with someconditions on a and b ). To say that the curve is defined over a finite field just means that the input x (and the output y ) come from a finite field. (See the appendix about finite fields.) So, instead of being a continuous curve, the ECC curve over a finite field is a collection of points.But, these points have the property that two points on the curve can be multiplied (we will denote the operation ), and the result is a point on the curve (i.e., the points on the curve form a group under ). Elliptic curves have the property that most straight lines meet an elliptic curve in three points. So, given two points on an elliptic curve, draw a line through the points. That line should meet the curve in one point – the product. The fact that the points on an elliptic curve over a finite field form a group has been well-known to algebraic geometers.⊗⊗For a given elliptic curve, an ECC based upon the ElGamal cryptosystem replaces the usual multiplication with and the usual exponentiation with⊗factorsn n b a a a a =⊗⊗⊗="where a is a point on the elliptic curve. The algorithm is otherwise not changed. There is a little bit of work to do to implement the ECC however because it must be arranged that blocks of a plaintext message m can be converted to and from points on the curve. (See, for example, Klima, Sigmon, and Stitzinger, below.)Why should ECC be considered? Since factoring and the discrete logarithm problem were implemented in public-key cryptosystems in the 1970s, much attention has been paid to the underlying mathematical problems. Steady progress has been made on factoring and on solving for discrete logarithms, but neither problem is solved. Cryptographers have countered mathematical successes by increasing key sizes. On the other hand, little progress seems to have been made on the elliptic curve discrete logarithm problem. Rather than continuing to increase key sizes, one can switch to “second generation” public-key cryptosystems using elliptic curves and use smaller keys. The NSA now recommends that vendors who incorporate public-key cryptosystems consider the use of ECC. In 2005 the NSA announced suite B which uses ECC. Suite B may be used for both unclassified and classified data.References/index.php?action=ecc,home Certicom is a developer of ECCs. Their website has tutorials about elliptic curves and ECCs. Their discussion of adding points on an elliptic curve includes some applets that allow the operation to be visualized.Tony Horowitz, “Elliptic Curves,” The Journal of Undergraduate Mathematics and Its Applications, 8 (2), 1987. This is an excellent introduction to elliptic curves and adding points on an elliptic curve.Richard Klima, Neil Sigmon, and Ernest Stitzinger, Applications of Abstract Algebra with MAPLE, CRC Press, 2000. Chapter 8 is a nice discussion of a simplified ECC.Key lengthsKey length is commonly used as a measure of cryptographic security. For classical, symmetric-key ciphers, key length refers to the maximum number of trials that would have to be done in a brute force attack. Recall that Claude Shannon (1949) proved that the only absolutely secure cipher has a key that is as long as the plaintext message (OTP). The relationship between the number of keys and cryptographic security goes back at least as far as the Italian mathematician Girolamo Cardano (1501 – 1576).Recall that Kerckhoffs’ (La Cryptographie militaire, 1883) second principle states that the security of a cryptosystem should not depend on the secrecy of the method – it should only depend on the secrecy of the key. Assuming that there are no weaknesses in the cryptosystem, an attacker, who knows the method, is then forced to do a brute force attack – try all possible keys. The length of time that it would take an attacker to accomplish a brute force attack provides the security for the cryptosystem.Because of the impact of computing on cryptography, security levels are typically reported in powers of 2. A symmetric-key cryptosystem with keys that are λ-bits long is said to have security level λ if the system does not allow an attack that is faster thanbrute force. A brute force attack might require trying all 2λ possible keys. The following table was adapted from Lenstra’s article in the references.cryptosystem key length block size security levelDES566456two-key 3DES1126495 - 100three-key 3DES16864112 - 116IDEA12864128AES-128128128128AES-192192128192AES-256256128256Messages might have to remain secure for years in the future; so, the security of a cryptosystem must in some way consider technological improvements in the future. Typically Moore’s Law is the guide for the speed of technological change.Moore’s Law is based upon a 1965 prediction by Gordon Moore (a founder of Intel). The law is usually interpreted to mean that it should be expected that computing capacity will double every 18 months. Cryptosystems are designed to remain secure 10, 20,30, … years in the future. For symmetric-key cryptosystems, this means selecting key length so that, based upon present day computing capabilities and using Moore’s Law to predict future capabilities, a brute force attack would not become possible in the next 10, 20, 30, … . years.Symmetric-key cryptosystems are generally very efficient, and, hence, increasing key length has very little negative impact on the speed of the cryptosystem. Therefore, symmetric-key cryptosystems are generally designed very conservatively.Commonly used symmetric-key cryptosystem are under constant attack and scrutiny. It is unlikely that there are weaknesses in the algorithms that will appear in the future and reduce the security of those systems.Key length has a slightly different meaning for public-key cryptosystems. Such a system is typically based upon a hard mathematical problem. Attacks on such cryptosystems are generally attacks on the underlying mathematical problem rather than brute force attacks on the key. Security of these cryptosystems in the future depends upon a hope that the underlying mathematical problem will not be solved and that technological improvements will not permit efficient attacks on the mathematical problem. Recall that, for example, if a quantum computer is developed, Shor’s algorithm would allow RSA to be broken. Factoring and the discrete logarithm problem are receiving much mathematical attention. No one thinks that it is likely that these problems will be solved in the foreseeable future, but it is possible that an unexpected mathematical breakthrough could occur. Our beliefin the security of cryptosystems based upon factoring or the discrete logarithm problem is based solely upon our failure to have solved these problems.Because public-key cryptosystems are not efficient, increasing key length as a hedge against future attacks can only be done very judiciously. Security must be balanced by performance. These systems are not as conservatively designed as symmetric-key cryptosystems are.Generally it is thought that ECC key lengths should be twice as long as a symmetric-key cryptosystem to have equivalent strength. RSA typically requires even longer keys. An RSA Laboratories’ Bulletin in 2000 gives the following cost equivalent key sizes (comparing what can be broken in a given amount of time with a given amount of money).Symmetric-key cryptosystem key ECC key RSA key56112430801607609619210201282561620RSA, ElGamal, and ECC have been carefully scrutinized; therefore, there can be some confidence that they do not have undetected weaknesses. As a hedge against their underlying mathematical problems being solved, cryptosystems based upon other mathematical problems have been developed. Ntru is a well-known example. It is unlikely that these cryptosystems will be commonly used as long as RSA, ElGamal, and ECC remain secure.ReferencesArjen Lenstra, “Key Lengths,” in Handbook of Information Security, Hossein Bidgoli (ed.), Wiley, 2005. This excellent article may be downloaded at http://cm.bell-/who/akl/key_lengths.pdf/ is the website for Ntru.。
基于离群点算法的低压窃电行为主动辨识系统
第45卷第5期2023年9月沈 阳 工 业 大 学 学 报JournalofShenyangUniversityofTechnologyVol 45No 5Sep 2023收稿日期:2020-09-08.基金项目:国家自然科学基金项目(11957203);国家电网公司总部科技项目(5400-201925177A-0-0-00).作者简介:黄荣国(1983-),男,湖北黄梅人,高级工程师,硕士,主要从事电能计量、反窃电技术等方面的研究.doi:10.7688/j.issn.1000-1646.2023.05.02基于离群点算法的低压窃电行为主动辨识系统黄荣国1,2,陆春光1,姚 力1,玄 鑫3(1 国网浙江省电力有限公司电力科学研究院,杭州310000;2 三峡大学电气信息学院,湖北宜昌443002;3 国网信通产业集团北京中电普华信息技术有限公司,北京100008)摘 要:为了更有效地打击窃电行为、提高对窃电行为的辨识能力,基于离群点算法设计了一种低压窃电行为主动辨识系统,用以实现对窃电现象的全面分析.根据距离离群点检测算法对原始数据进行预处理,利用判别规则筛选出离群点,再通过数据采集器直接采集用户侧用电信息,作为判断窃电的依据.基于此,通过管理电力负荷来监控电路数据信息,并引入椭圆曲线密码体制,确保用电信息的安全传输,从而构建低压窃电行为主动辨识系统.实验结果表明:该系统能够准确、安全地获取用电信息,及时辨识窃电行为,增强反窃电能力.关 键 词:离群点算法;低压窃电行为;数据采集器;主动辨识;椭圆曲线密码体制;数据预处理;电力负荷;用电信息采集中图分类号:TM761 文献标志码:A 文章编号:1000-1646(2023)05-0486-05Activeidentificationsystembasedonoutlieralgorithmagainstlow voltageelectricitystealingbehaviorHUANGRongguo1,2,LUChunguang1,YAOLi1,XUANXin3(1.ElectricPowerResearchInstitute,StateGridZhejiangElectricPowerCorporation,Hangzhou310000,China;2.SchoolofElectricandInformation,ChinaThreeGorgesUniversity,Yichang443002,China;3BeijingChina PowerInformationTechnologyCo.Ltd.,StateGridInformation&TelecommunicationGroup,Beijing100008,China)Abstract:Inordertocombatelectricitystealingbehaviormoreeffectivelyandimprovetheidentificationabilityofthisbehavior,anactiveidentificationsystembasedonoutlierpointalgorithmagainstlow voltageelectricitystealingwasdesignedtorealizeacomprehensiveanalysisofelectricitystealingphenomenon.Accordingtothedistanceoutlierdetectionalgorithm,theoriginaldatawaspreprocessed,andtheoutlierswerescreenedoutbythediscriminantrules.Thenthedatacollectordirectlycollectedtheusers’sideelectricityinformation,whichwasusedasthebasisforthejudgementofelectricitystealingbehavior.Onaccountofthis,thecircuitdatainformationwasmonitoredbypowerloadmanagement,andtheellipticcurvecryptosystemwasintroducedtoensurethesafetransmissionofelectricityinformation,inordertoconstructtheactiveidentificationsystemagainstlow voltageelectricitystealingbehavior.Theexperimentalresultsshowthatthesystemcanaccuratelyandsafelyobtainelectricityinformation,identifyelectricitystealingbehaviorintime,andenhancetheabilityofanti electricitystealingbehavior.Keywords:outlieralgorithm;low voltageelectricitystealingbehavior;datacollector;activeidentification;ellipticcurvecryptosystem;datapreprocessing;powerload;electricityinformationcollection 智能窃电不仅造成巨大的经济损失和严重的社会危害,还干扰正常供电秩序、破坏电力设施、威胁电网安全,也破坏了电力市场的经济秩序和公平.近年来,窃电现象愈演愈烈,反向连接、锻造铅封、使用强电磁干扰、改变极性以及高频干扰等越来越复杂并且技术化的窃电手段相继出现,窃Copyright ©博看网. All Rights Reserved.电主体多元化的趋势导致配网线损率越来越高.因此,必须高度重视反盗窃工作,采取有效的措施限制甚至防止窃电行为的发生,并加强对反窃电方法的开发和研究.张承智等[1]设计了基于实值深度置信网络的用户侧窃电行为检测系统,在分析支持向量机原理和用电数据特征的基础上,利用实值深度置信网络获得基于功率涨落特征的实际值,根据实际值分析用电数据,判断其中是否存在窃电行为;史玉良等[2]设计了基于用电特征分析的窃电行为识别系统,利用滤波算法和规则阈值设置提取数据样本特征,然后利用逻辑回归算法来建立用户窃电诊断模型,采用推送和检查的方式判断疑似窃电用户.然而传统系统识别过程与电力用户的功耗模式存在较大差距,导致其在实际应用中容易出现误判的情况,需要人工干预才能获得更准确的检测结果.针对这一问题,本文基于离群点算法设计了一种新的低压窃电行为主动辨识系统.1 基于用电特征离群分析的窃电检测1 1 用电特征提取一般来说,用电异常信息并不是单独存在的,某个窃电状况也许会触发很多其他异常情况[3-4],所以,有效的反窃电工作应该是对多种窃电特征的综合性提取.本文通过某用户一段时间用电情况来对窃电现象进行分析,分析指标如下:1)每天平均电压U.通过数据分析可知,正常用户电压波动非常小,若产生异常电压,则说明用户有可能存在异常功耗.2)每天平均功率因数P.由于负荷特性的影响,用户功率因数会在一个小范围内波动且数值稳定,一般不会出现暴涨、暴跌的状况.3)每天平均电流的不平衡率B.正常电流随着负荷的变化而不断变化,电流差很小,因此,可以使用该指标来监测用户的用电行为.4)上周平均每天冻结电量C.如果某用户存在窃电行为,那么该用户的用电信息与其他用户相比较是异常的.为了消除负荷容量的影响,以用户申报容量为参考值,将电力数据转化为单位值.5)功率不平衡率I.通过采集数据得到一段时间内的固定电流,结合平均电压和功率,能够计算出电流增量,然后与同样时间段内通过电表采集到的数据进行对比,以此计算出不平衡率.通常情况下,正常用户用电不会出现突然变化的情况.如果某用户存在窃电行为,理论功率WT和实测功率WR两者间的不平衡度较大,其表达式为I=WT-WRmax{WT,WR} (1)对所有输入数据进行标准化处理,以减少不同计量单位和各指标取值范围对检验结果的影响.可灵活选择待测数据的标准化区间,本文将数据限定在区间[0,1]内,标准化处理表达式为vi′=vi-vminvmax-vmin (2)式中:vi′为标准化处理后的数据;vi为输入原始数据;vmax为相对属性最大值;vmin为相对属性最小值.结合上述5项特征指标,采用专家经验分析与加权分析相结合的方式判断窃电行为.经定量化专家评分后,获得特征指标的加权值分别为:每天平均电压为0 30、每天平均功率因数为0 25、每天平均电流的不平衡率为0 20、上周平均每天冻结电量为0 15、功率不平衡率为0 10,则提取到的综合性用电特征判别表达式为W=0 30U+0 25P+0 20B+0 15C+0 10Iv′(3)1 2 基于距离的离群点检测算法离群点是指在数据序列中,远离序列一般水平的极大值和极小值数据点[5-6].离群点检测的目的就是找到这些异常的数据点.将基于距离的离群值定义为:若数据集中某些数据与对象之间的距离大于D,那么将这些数据判定为在D约束下基于距离的离群点.本文将D的值设置为0 1.在基于距离的离群点检测算法中,距离是影响算法有效性和时间复杂度的关键因素,通常采用欧氏距离进行判定.假设xi和xj是两个m维对象,(Vi1,Vi2,…,Vim)是每个对象的m维属性集.在基于欧氏距离的离群点检测过程中,利用xi和xj两者间的距离d(xi,xj)来度量相关差异,其表达式为d(xi,xj)=(Vi1-Vj1)2+(Vi2-Vj2)2+…+(Vim-Vjm)槡2(4)在此基础上,需要对原始数据进行预处理和降维处理.当被检测对象各属性的单位和取值范围不同时,可以进行数据标准化,然后确定参数D,利用参数和判断规则筛选出离群点.2 低压窃电行为主动辨识系统2 1 防窃电电路描述图1为本文提出的用户配电线路图.图1中,在主站前置机的控制下,用户专变终端与微功率784第5期 黄荣国,等:基于离群点算法的低压窃电行为主动辨识系统Copyright©博看网. All Rights Reserved.采集器和电表总线相连,通过客户监控主机对其状态进行监控.在被监控电网的客户端安装防窃电客户端模块,在线实时监控电能值或功率值,并将监测结果发送到安装在变电站出口的电源模块,实时在线监测供电终端的电能.利用无线或电力载波通信模块,将监测到的电流或功率值实时传达到各客户机.图1 用户配电线路图Fig 1 Userdistributioncircuitdiagram2 2 系统组织结构电力负荷管理监控系统能够实现电力需求侧管理,其主要功能是自动抄表、用电分析和安全监控等[7-8].电力负荷管理监控系统组织结构图如图2所示.图2 电力负荷管理监控系统结构图Fig 2 Structurediagramofpowerloadmanagementandmonitoringsystem图2中,在RS485协议的控制下,在负荷管理终端中采集电表信息,并通过GPRS2M专线与主站系统、前置通信系统、数据处理系统互联.同时,管理员、基层稽查通过网络实现对3个系统的管理监控.2 3 系统编码实现为了保证用电信息在网络上能够安全传输,在开发过程中引入椭圆曲线加密机制[9-11],其能够在网络上对电力的实时参数进行监控,获取各种报表及变压器的信息.设定系统参数H=(q,F,a,b,G,n),其中,q表示有限域的范围,F表示q中元素,a,b表示椭圆曲线G的上点,n表示椭圆曲线G的阶数.私钥di由用户Ui持有,并对最终用户的公钥Qi保密[12-13].利用椭圆曲线加密机制能够保证Q1对Q2所发送的签过字的加密用电信息和签名信息安全传送,收到信息后再用di解密并进行验证处理,具体步骤如下:1)Qi首先完成信息签字;2)Q1、Q2从分发中心获得对方的公钥;3)Q1和Q2分发交换d1以获得彼此的公钥,实施加密传输[14-15];4)用户U1解密信息;5)用户U2验证接收到的功耗信息.综上所述,在提取用电特征后,利用基于距离的离群点检测算法筛选出其中的离群数据点,然后通过管理电力负荷来监控电路数据信息,并引入椭圆曲线密码体制,确保用电信息的安全传输,继而通过组织结构的设计完成了对低压窃电行为主动辨识系统的构建.3 实验与结果分析为验证基于离群点算法低压窃电行为主动辨识系统的实际应用性能,设计相关仿真实验.为避免实验结果的单一性,采用基于实值深度置信网络的用户侧窃电行为检测系统进行对比.首先采集某市多家中小企业的电力数据和用电数据样本,并将采集数据转换为单位值作为研究对象.对象集中有50项加载记录,每个记录有24个时间属性.将其输出到离群数据集内,并分别利用本文系统和对比系统筛选窃电用户,具体结果如表1所示.表1 辨识结果及现场核实情况Tab 1 Identificationresultsandspotverificationsituation序号本文系统筛选出的窃电用户现场核实传统系统筛选出的窃电用户现场核实1负荷2窃电负荷2窃电2负荷6窃电负荷8正常3负荷13正常负荷15正常4负荷18窃电负荷18窃电5负荷25窃电负荷20正常6负荷29窃电负荷29窃电7负荷30窃电负荷31窃电8负荷33窃电负荷33窃电9负荷42窃电负荷42窃电10负荷47窃电负荷50正常884沈 阳 工 业 大 学 学 报 第45卷Copyright©博看网. All Rights Reserved. 由表1可知,本文系统仅出现了1次辨识失误的情况,将正常用电行为辨识为窃电行为;而传统系统共出现4次辨识错误.通过对比可知,本研究通过离群值算法能够更有效地识别窃电用户,失误次数较少.为进一步验证本文系统的应用性能,以中小企业的用电数据样本为基础,将数据转换为单位值后,利用本系统和对比系统进行用电侧采样电量和脉冲电量的测试分析,实验结果如图3所示.实验环境参数如下:采样频率为75Hz,利用RS 232/RS 485标准通讯接口进行电子脉冲采样.图3 采样电量和脉冲电量负荷对比Fig 3 Comparisonofsamplingandpulsechargeloads通过两种电量负荷对比结果可以准确地计算出被盗功率和被盗时间,为及时发现窃电和追缴失电提供技术支持.由图3可知,本文系统能够有效感知到采样电量和脉冲电量负荷之间的差别,从而实现对窃电行为的辨识.而对比系统感知到的采样电量和脉冲电量负荷之间的差别很微弱,导致其容易对窃电行为产生误判.4 结 论为有效缓解因智能窃电造成的经济损失和社会危害,维护电力市场的秩序,本文利用用电特征离群分析结果辨识用电特征,并通过防窃电电路、系统组织结构完成对低压窃电行为的主动辨识.根据实际应用情况可知,该系统能够有效辨识低压用户侧的窃电行为,有效改善配网环境.在接下来的研究中,将考虑从提高辨识时效性的角度进一步优化该技术.参考文献(References):[1]张承智,肖先勇,郑子萱.基于实值深度置信网络的用户侧窃电行为检测[J].电网技术,2019,43(3):1083-1091.(ZHANGChengzhi,XIAOXianyong,ZHENGZixuan.Electricitytheftdetectionforcustomersinpowerutilitybasedonreal valueddeepbeliefnetwork[J].PowerSystemTechnology,2019,43(3):1083-1091.)[2]史玉良,荣以平,朱伟义.基于用电特征分析的窃电行为识别方法[J].计算机研究与发展,2018,55(8):1599-1608.(SHIYuliang,RONGYiping,ZHUWeiyi.Stealingbehaviorrecognitionmethodbasedonelectricitycharacteristicsanalysis[J].JournalofComputerResearchandDevelopment,2018,55(8):1599-1608.)[3]蔡耀年,王明琪,刘建森,等.一种基于离群算法的窃电行为检测的研究[J].计算技术与自动化,2018,37(2):73-77.(CAIYaonian,WANGMingqi,LIUJiansen,etal.Researchondetectionofelectriclarcenybasedonout lieralgorithm[J].ComputingTechnologyandAuto mation,2018,37(2):73-77.)[4]柳林溪,陈泰屹.在智能电网中进行用户异常用电行为辨识的研究[J].信息技术,2018,42(12):97-102.(LIULinxi,CHENTaiyi.Researchonidentificationofuserabnormalpowerbehaviorinsmartgrid[J].InformationTechnology,2018,42(12):97-102.)[5]胡昌斌,张亚,李迎丽,等.基于朴素贝叶斯的电网用户行为分析[J].沈阳工业大学学报,2020,42(3):259-263.(HUChangbin,ZHANGYa,LIYingli,etal.AnalysisofelectricalgriduserbehaviorbasedonNaiveBayesian[J].JournalofShenyangUniversityofTechnology,2020,42(3):259-263.)[6]李波,曹敏,朱元静,等.基于网络特征与用户行为分析的联合窃电检测方法[J].武汉大学学报(工学版),2019,52(12):1121-1128.(LIBo,CAOMin,ZHUYuanjing,etal.Jointdetec tionmethodforelectricitytheftbasedonnetworkcharacteristicsanduserbehavioranalysis[J].Engi neeringJournalofWuhanUniversity,2019,52(12):1121-1128.)[7]刘正飞,孙金生,胡斯乔.基于模型有效性评价的主动队列管理算法[J].控制理论与应用,2019,36(4):570-578.(LIUZhengfei,SUNJinsheng,HUSiqiao.Anactivequeuemanagementalgorithmbasedonmodeleffec tivenessevaluation[J].ControlTheory&Applications,2019,36(4):570-578.)[8]青志明,张宏艳,龙漪澜,等.基于图像处理和无人机的反窃电精准取证系统的设计与实现[J].电子设计工程,2018,26(19):189-193.(QINGZhiming,ZHANGHongyan,LONGYilan,etal.Designandrealizationofanti tippingaccurateforensicssystembasedonimageprocessingandUAV[J].ElectronicDesignEngineering,2018,26(19):189-193.)[9]卢峰,丁学峰,尹小明,等.基于样本优化选取的支持向量机窃电辨识方法[J].计算机测量与控制,2018,26(6):223-226.(LUFeng,DINGXuefeng,YINXiaoming,etal.Electricitytheftidentificationusingsupportvectormachinebasedonsampleoptimizationselection[J].ComputerMeasurement&Control,2018,26(6):223-226.)[10]何新洲.基于嵌入式的用电信息远程智能监控系统研究[J].计算机测量与控制,2019,27(4):267-270.(HEXinzhou.Researchonremoteintelligentmonito984第5期 黄荣国,等:基于离群点算法的低压窃电行为主动辨识系统Copyright ©博看网. All Rights Reserved.ringsystemofpowerconsumptioninformationbasedonembeddedsystem[J].ComputerMeasurement&Control,2019,27(4):267-270.)[11]冯歆尧,黄剑文,孟禹.基于半监督三训方法的窃电用户识别的研究及应用[J].微型电脑应用,2020,36(1):154-156.(FENGXinyao,HUANGJianwen,MENGYu.Re searchandapplicationofidentificationstealingusersbasedonsemi supervisedthreetrainingmethods[J].MicrocomputerApplications,2020,36(1):154-156.)[12]何山,汪文达,张伟.基于数据挖掘的低压配电网运行状态评估方法[J].广东电力,2019,32(5):80-86.(HEShan,WANGWenda,ZHANGWei.Evaluationmethodforoperatingstateoflow voltagedistributionnetworkbasedondatamining[J].GuangdongElec tricPower,2019,32(5):80-86.)[13]侯佳萱,林振智,杨莉,等.面向需求侧主动响应的工商业用户电力套餐优化设计[J].电力系统自动化,2018,42(24):11-19.(HOUJiaxuan,LINZhenzhi,YANGLi,etal.Designofelectricityplansforindustrialandcommercialcustomersorientedtoactivedemandresponseonpowerdemandside[J].AutomationofElectricPowerSystems,2018,42(24):11-19.)[14]耿俊成,张小斐,周庆捷,等.基于局部离群点检测的低压台区用户窃电识别[J].电网与清洁能源,2019,35(11):30-36.(GENGJuncheng,ZHANGXiaofei,ZHOUQingjie,etal.AlowvoltageelectricitytheftidentificationmethodbasedonimprovedLOF[J].AdvancesofPowerSystem&HydroelectricEngineering,2019,35(11):30-36.)[15]张合川,石盼,徐相波,等.基于动态测量数据的低压窃电行为辨识系统设计[J].电子设计工程,2020,28(8):43-47.(ZHANGHechuan,SHIPan,XUXiangbo,etal.Designoflowvoltageelectricitystealingbehavioridentificationsystembasedondynamicmeasurementdata[J].ElectronicDesignEngineering,2020,28(8):43-47.)(责任编辑:景 勇 英文审校:尹淑英)094沈 阳 工 业 大 学 学 报 第45卷Copyright©博看网. All Rights Reserved.。
抗能量分析攻击的门限窗口NAF标量乘算法
抗能量分析攻击的门限窗口NAF标量乘算法谷建光【期刊名称】《《计算机工程》》【年(卷),期】2019(045)008【总页数】5页(P296-299,308)【关键词】椭圆曲线密码; 标量乘算法; 能量分析攻击; 非相邻形式编码; 基点掩码【作者】谷建光【作者单位】郑州工业应用技术学院信息工程学院郑州451150【正文语种】中文【中图分类】TP3090 概述椭圆曲线密码(Elliptic Curve Cryptography,ECC)算法具有密钥长度短、处理速度快、存储空间小、带宽要求低和安全性高等优点,因此,其被广泛应用于安全芯片等各类资源受限的密码系统中[1-2]。
ECC算法极易遭受能量分析攻击[3-4],但如果直接在算法中施加抵抗能量分析攻击措施,将会降低椭圆曲线密码效率。
采用非相邻形式(Non-Adjacent Form,NAF)编码方法[5]计算ECC算法中的标量乘运算,可以显著提高运算效率。
这是因为与传统二进制编码方法相比,采用NAF编码方法的标量乘运算虽然增加了1次倍点操作,但同时也减少了约1/3的点加操作次数。
然而,采用NAF编码方法的标量乘运算同样无法抵抗能量分析攻击,依然存在效率与安全性的矛盾。
为能兼顾椭圆曲线密码标量乘运算的安全性与效率,本文提出一种抗能量分析攻击的的椭圆曲线密码方案TWNAF。
采用带门限窗口的NAF编码方法,同时结合预计算和基点掩码技术,提高椭圆曲线密码运算效率,并使其能够抵抗简单能量分析(Simple Power Analysis,SPA)攻击、差分能量分析(Differential Power Analysis,DPA)攻击、零值点功耗攻击(Zero-value Power Attack,ZPA)与修正功耗攻击(Refined Power Attack,RPA),解决椭圆曲线密码安全性与效率矛盾的问题。
1 相关研究近年来,研究者从兼顾安全性与效率方面对椭圆曲线密码标量乘算法进行了大量研究[6-7],如采用带符号双基数系统[8]、带符号整数拆分形式[9]、带符号阶乘展开式[10]等编码方法的抗能量分析攻击方案,都可确保椭圆曲线密码安全性与效率两方面的性能。
椭圆曲线密码体制安全性分析
椭圆曲线密码体制安全性分析李殿伟;王正义;赵俊阁【摘要】Elliptic curve cryptosystem has becoming the popular public-key cryptosystem gradually,thus it is important for us to comprehend its security state. Firstly, it has researched the definition of ECC and ECDLP. And then according to the selecting of elliptic curve as well as the application and the disverfied attacks of elliptic curve cryptosystem, the security analysis of elliptic curve cryptosystem was proposed in detail. Compared with other public-key cryptosystem,conclude that elliptic curve cryptosystem wiil be popularity in the future for the characters of short key, high security, fast encryption, little computation and small storage space. Therefore elliptic curve cryptosystem has important theoretical value and wide application prospect.%椭圆曲线密码体制已成为当前最流行的公钥加密体制.为明确椭圆曲线密码的当前总体安全形势,首先研究椭圆曲线的定义及椭圆曲线离散对数问题,然后分别从安全椭圆曲线的选择方法、椭圆曲线密码的应用和针对椭圆曲线密码的攻击等几个方面,着重分析了椭圆曲线密码的安全性问题.根据与其它公钥密码体制的安全强度分析比较表明:椭圆曲线密码体制具有许多优点,主要包括密钥短、安全强度高、加密快、运算量小、占用存储空间少等.因此椭圆曲线密码体制的研究具有重要的理论价值和广阔的应用前景.【期刊名称】《计算机技术与发展》【年(卷),期】2012(022)004【总页数】5页(P227-230,234)【关键词】椭圆曲线密码;公钥密码体制;椭圆曲线离散对数;安全性分析【作者】李殿伟;王正义;赵俊阁【作者单位】海军司令部,北京100841;海军工程大学电子工程学院,湖北武汉430033;海军工程大学电子工程学院,湖北武汉430033【正文语种】中文【中图分类】TP3090 引言由于Internet网在全球范围内的迅速流行和普及,使得通过网络传输各种信息和数据的交换量迅猛增加,所以针对网络信息的安全问题日益凸显出来,从而对于各类信息的加密研究显得尤为重要。
curve的生僻用法
curve的生僻用法【释义】curven.曲线,弧线;转弯,弯道;图表曲线;曲线球;(女子身体的)曲线v.(使)弯曲,(使)呈曲线形adj.弯曲的,曲线形的复数curves第三人称单数curves现在分词curving过去式curved过去分词curved【短语】1phillips curve菲利普曲线;菲利浦曲线;菲力浦曲线2indifference curve无差异曲线;计无差别曲线;等优曲线3elliptic curve数椭圆曲线4Demand curve经需求曲线;必须曲线;即期汇票5Bézier curve贝塞尔曲线;又称贝赛尔曲线6Curve fitting统计曲线拟合;曲线配合;拟合7French curve云尺;曲线规;云板;曲线板8characteristic curve特性曲线;数特征曲线;特怔线;特性曲线图9Laffer curve拉弗曲线;拉佛曲线;拉菲曲线【例句】1The slope increases as you go up the curve.你顺着那条弯路往上走,坡度越来越大。
2We just change the curve into straight lines.我们只是把曲线变成了直线。
3It's a tough learning curve and it won't always make you popular.这是一条艰难的学习曲线,且并不一定让你受欢迎。
4On the track,the form embodies power.Each curve and line is moulded for speed.在赛道上,外形体现了力量,每条曲线和线条都是为了速度而塑造的。
5The total amount of the work that we can get out is just given by the area inside this curve.我们可以得出来的工作的总量只是由这条曲线里的区域给出的。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
Analysis of Low-Power Elliptic Curve Cryptography Using Scaled Modular ArithmeticAhmed Al FaresiElectrical and Computer EngineeringOregon State UniversityCorvallis,Oregon97331–4501Email:alfaresi@Abstract—We present a custom class of primes using modular scaling that facilitate efficientfinitefiled operations.In addition we introduce an inversion algorithm that utilizes such special modulus.This inversion algorithm is an improvement on the available Euclidean algorithm,incorporating the use of the scaled modulus and proving to be of high performance and efficiency for hardware ing both the scaled modulus and the inversion algorithm we define a cryptographic processor for Elliptic curves Cryptography(ECC).This processor offers a superior performance in terms of area,power and speed.I.I NTRODUCTIONThe applications of Modular arithmetic in cryptography are endless.Many cryptographic schemes like the RSA algorithm [1],Diffe-helman key exchange algorithm[2],the Digital signature schemes[3]and elliptic curve cryptography[4], utilize modular arithmetic.The implementation of certain schemes requires the arithmetic operations modulo the product of two large primes i.e.n=pq.Others schemes like Diffe-Helman and El-Gamal are based on arithmetic of integers modulo a large prime p.In Elliptic Curve Digital Signature Algorithm(ECDSA)the arithmetic operations are modular operations with respect to a large prime modulus GF(p) or polynomial arithmetic modulo a high degree irreducible polynomial defined over the GF(2k).The key for efficient implementation of ECDSA over GF=2k is to choose irre-ducible polynomials that allow for efficient modular reduction. By doing so we reduce the complexity,power consumption and low speed of the implementation process.To date,the best irreducible polynomial obtained is either a trinomial or an equally-space polynomial(ESP).Unfortunately,there exist only a few irreducible ESPs in the range of interst of most applications, e.g.,error-correcting code,computer algebra,and elliptic curve cryptography[5].Therefore less efficient trinomials or pentanomials are used instead.However such less efficient polynomials result in extra additons and alignment adjustment rendering the implementation to be poor.A solution to such a problem is to use low hamming weight polynomials with a special modulus.To achieve such desired modulai equivalent to the low hamming weight we introduce a modulai of Mersenne form using modulus scaling.This in turn allowed for the development of an inversion algorithm that utilized the modulai to push the margin and create very efficient inversion hardware resulting in a very fast,area-efficient,low power scalable hardware implementation.II.M ATHEMATICAL B ACKGROUNDFinitefiled defined over the GF=2k.Arithmetic is fundamental to the implementation of a number of modern cryptographic systems and schemes of certain cryptographic systems.Most arithmetic operations,such as exponentiation, inversion,and division operations,can be carried out using just a modular multiplier[6].Simple modular multiplication is implemented byfirst computing the product of the two operands,c= a.b,the result is then reduced using the modulus x=c(mod p).Since reduction would mean a division operation,and that is to be avoided,certain modulai have been proposed to alleviate such a problem.Of such modulai is a Mersenne Prime given in the form2k c with log2c<[k/2],where k is an integer for which0<|k|< 2[m/2]If c=1,then p is a Mersenne Prime and k must necessarily be a prime.If n is positive integer less than p2, then can be written n=u.22k=a.2k+b,Where u=0 or1and a and b are nonnegative integers less than2m then n=u.c2+ac+b(mod p).Repeating this substitution a few times will yield n modulo p.This method requires a small number of additions and subtractions rather than the usual division step.Unfortunately Mersenne primes and primes of the from2k+1are scarce.For degrees up to1000no primes of the form2k+1and only two Mersenne primes2521−1 and2607−1exist.[8].However for ECDSA such primes are too large and are unsuitable.Therefore an alternative solution is to use primes of the form2k−3.III.M ODULUS S CALINGModular scaling plays a vital role in cryptographic implementations since it allows for a key bit increase if need be without having to change or reconfigure the cryptographic design the earliest works on modular scalability where introduced by Walter.The basic idea is to obtain a modulus scalable in the higher order bits.This is achieved by scaling a prime modulus to obtain a new one m=ps where p is the original modulus scaled to m.Now for a given integer a reduced by the new modulus m will give a result congruent to a:(a(mod m))(mod p)≡a(mod p)When a scaled modulus is used,residues will be in the range[m−1,0]=[s.p−1,0].The number is not fully reduced and essentially we are using a redundant representation where an integer is represented using[log2s]more bits than necessary.Therefore it will be necessarily that thefinal result be reduced by p to obtain a fully reduced representation.Now in order to scale a modulus and obtain one of low-hamming wait we need tofind a small suitable constant to scale the prime p.Its worth noting that if a random pattern appears in a modulus than a low hamming weight optimization will not be possible.Two heuristics are presented that form a basis for efficient on thefly scaling[8]:Heuristic1if the base B representation of an integer contains a series of repeating digits,scaling the integer with the largest possible digits,produces a string of repeating zero digits in the scaled and recoded integer.Assume that base B representation contains a repeating value D.Then we use the scaling factor s=B−1to compute m.When a string of repeating D-digits is multiplied with the scaling factor,and written in base B we get: (DDDD....DDD)B.(B−1)=(DDDD...DDD0)B−(DDDD....DDD)B=(D000...000¯D)B.The bar over the least significant digit denotes a negative valued digit.Heuristic2Given a modulus containing repeating D-digits in base B representation,if B-1is divisible by the repeating digit,then the modulus can be efficiently scaled by the factor B−1D =((B−1)(B−1)(B−1)...(B−1)B=(1000...0¯1)B.IV.I NVERSION A LGORITHMElliptic curve cryptography relies on efficient algorithms for finitefiled arithmetic.For instance,the elliptic curve digital signature algorithm requires efficient addition,multiplication and inversion in thefinitefields of sizes larger than2160. This poses a significant problem in embedded systems where computational power is quite limited and public-key operations are unacceptably slow[7].An efficient way to calculate multiplicative inverses is to use binary extended Euclidean based Algorithms.One such efficient inversion algorithm is the Montgomery.However this algorithm uses only Montgomery arithmetics and renders to be unsuitable for a special modulai.There is however an Algorithm proposed for Mersenne primes of the form2q-1.[8]Algorithm A-modified for divison with scaled modulus Input:a∈[1,p−1],p,and q where p is prime and p=2q−1 Output:b∈[1,p−1]where b=a−1(mod p)1:(b,c,u,v):=(1,0,a,p);2:Find e such that2e u3:u:=u/2e;//shift of trailing zeros4:b:=∓(2q−e b)(mod m);//circular left shift5:if u=1returnb;6:(b,c,u,v):=(b+c,b,u+v,u);7:go to step2The above algorithm has been modified.This simple modification saves one multiplication in elliptic curve operations.The Algorithm A modified is shown below: Algorithm A-modified for divison with scaled modulus Input:a∈[1,m−1],d∈[1,m−1],m,and q where m=2q±1 Output:b∈[1,m−1]where b=d/a(mod m)1:a:=a.·s(mod m)2:(b,c,u,v):=(d,0,a,m);3:Find e such that2e u4:u:=u/2e;//shift of trailing zeros5:b:=∓(2q−e b)(mod m);//circular left shift6:if u=sreturnb;7:(b,c,u,v):=(b+c,b,u+v,u);8:go to step3Inversion algorithms efficiency is measured by the number of iterations k.To show that Algorithm A is efficient in terms of iteration number,we compared its distribution for k against that of a Montgomery inversion algorithm.We com-puted the inverse of1000randomly chosen integers modulo m=2167+1using Algorithm A.Since p=m/3is a166-bit prime we repeated the same experiment with the Montgomery inversion algorithm using p and we depicted the two distributions in Figure1.Besides having much easier operations in each iteration one can easily observe the average number of iterations of Algorithm A is slightly lower than the number of iterations of the Montgomery inversion algorithm.V.E LLIPTIC C URVE A RCHITECTUREIn developing the arithmetic architecture we primarily fo-cused onfinding the minimal circuit to implement the Al-gorithm A efficiently.Since the architecture is build around the idea of maximizing hardware sharing among operations, the multiplication,squaring and addition operations are all achieved by the same arithmetic core.The simplicity of Algorithm A and scaled arithmetic allows us to accomplish all operations using only a few small state machines.The arithmetic unit is depicted in Figure2.What follows is an outline for the implementation of basic arithmetic operations as follows:Fig.1.Distribution of k in Algorithm A and the Montgomery inversion algorithm•Modulo Reduction:Since the hardware works for m=2167+1,168bit registers would be sufficient.However,we used an extra bit to detect when the number becomes greater than m.If one of the left-most bits of the number(carry or sum)is one,the number is reduced modulo m.2168=2.(2167+1)−2=2m−2=m−2(mod m).Hence the reduction is achieved by subtracting 2168(or simply deleting this bit)and adding m−2=(11...11111)2(167bits)to the number.If both of the leftmost bits are1then:2.(2168)=4.(2167+1)−4=4m−4=m−4(mod m).Therefore m−4=(111...11101)2(167bits)has to be added to the number and both of the leftmost bits are deleted.•Subtraction:Suppose k is a168bit number which we want to subtract from another number modulo m.The bitwise complement of k is found ask′=(2168−1)k=2.(2167+1)−3−k=−3−k (mod m).Thus−k=k′+3(mod m).This means to subtract k from a number we simply add the bitwise complement of k and3to the number.It is worth noting that our numbers are kept in a carry save represntaion, there are two168-bit numbers represnting k.•Multiplication:We serialize our multiplication algorithm by processing one bit of one operand and all bits of the second operand in each iteration.The standard multiplication algorithm had to be modified to make it compatible with the carry save representation.Due to the redundant representation,the value of the leftmost bit of the multiplier is not known.Hence the left torightFig.2.Block diagram of the arithmetic unit multiplication algorithm many not be used directly.We prefer to use the right to left multiplication algorithm. There are3registers used for the multiplication:R0 (multiplicand),R1(product)and R2(multiplier).The multiplication algorithm has three steps:1.Initialization:the control circuit does this step. The multiplicand is loaded to R0,the multiplier is loaded to R2and R1is reset.2.Addition:This step is only done when the rightmost bit of register R2is1.The content of register R0is added to R1.3.Shifting:The multiplier has to be processed bit-by-bit starting from right.We do this by shifting register R2to the right in each iteration of the multiplication.Since the register R2is connected to the comparator,the algorithm terminates after this step if the number becomes0 else the algorithm continues with Step2.Note that no counters are used in the design.This eliminates potential increases in the critical path delay.The multiplicand needs to be doubled in each iteration as well.This is achieved by shifting register R0to the left.This operation is performed in parallel with shifting R2,so no extra clock cycles are needed.However shifting to the left can cause overflow.Therefore,the result needs to be reduced modulo m if the leftmost bit of the register R0 is1.•Inversion:To realize the inversion operation there are four registers used to hold b,c,u and v,two temporary registers are used for the addition of two numbers in carry-savearchitecture.Two carry-save adders,multiplexers and comparator architecture are also utilized.The inversion algorithm shown in Algorithm A has5steps,which are depicted in Figure3.2:Shift off all trailing zeros and rotate bu←u>>e b←b>>e(mod m)4:Update variables(b,c,u,v)←(b+c,b,u+v,u);Area Avg.Delay(MHz)(mW)200.99100 4.342009.89。