Design and Implementation of SM2 Co-processor with Specific Instructions

doi:10.3778/j.issn.1002-8331.2008-0066

Abstract

Abstract: The national commercial cryptography algorithmnamed SM2 is a public key cryptographyprotocol based on elliptic curve cryptography（ECC）. It has been established as an international standard by the International Organization for Standardization（ISO）. In practical applications, the complexity of SM2 algorithm makes it face the problem of low implementation efficiency. And side channel information related to the key may be leaked in the process of implementation. In order to solve these problems, a hardware co-processor with specific instructions for SM2 is designed. The co-processor contains interface logic, fetch unit, decode unit, execution unit, program storage unit, and data storage unit. The implementation process of an instruction can be divided into four stages, which are instruction fetch, decode, execute and write back. The four stages are performed in the way of pipeline, which uses general CPU’s pipeline technology for reference, to improve the performance. After?experimental tests on the platform of Xilinx ZYNQ-7 FPGA, the co-processor can complete the calculation process of SM2 encryption, decryption, signature and verification correctly by automatically executing a sequence of instructions in the program storage unit. The time cost for one scalar multiplication calculation is around 2.25 ms, and 7 146 Slices are occupied. The instruction sequences can be further optimized according to the software implementation mode. It shows that the co-processor has the characteristics of fast speed, small area and high flexibility. Through theoretical analysis, the co-processor can implement a sequence of instructions with constant time, which indicates that it has?certain security against side channel attacks.

Key words: SM2 algorithm, specific instruction, co-processor, pipelining, field programmable gate array（FPGA）

摘要： 国家商用密码算法SM2是基于椭圆曲线密码学（ECC）而制定的公钥密码协议，已被国际标准化组织（ISO）确立为国际标准。在实际应用中，SM2算法计算过程的复杂性使其面临实现效率低的问题，并且在实现过程中还会出现与密钥相关的侧信道信息泄露。为了解决上述问题，设计了一种适用于SM2的专用指令硬件协处理器。协处理器包含接口逻辑、取指单元、译码单元、执行单元、程序存储单元和数据存储单元，借鉴通用CPU的流水线技术，将指令的实现过程分为取指、译码、执行、写回四级流水，以提高计算效率。经过在Xilinx ZYNQ-7 FPGA上的实验验证，协处理器可以通过自动执行程序存储单元中的指令序列正确实现SM2加密、解密、签名、验签的计算过程，计算一次标量乘的时间约为2.25?ms，共占用7?146个Slice，其指令序列还可以按照软件实现方式进一步优化，说明协处理器具有速度快、面积小、灵活性高的特点。经过理论分析，协处理器可以实现常时的指令序列，具有一定的抵御侧信道攻击的安全性。

关键词: SM2算法, 专用指令, 协处理器, 流水线技术, 现场可编程门阵列（FPGA）

WANG Tengfei, ZHANG Haifeng, XU Sen. Design and Implementation of SM2 Co-processor with Specific Instructions[J]. Computer Engineering and Applications, 2022, 58(2): 102-109.

王腾飞, 张海峰, 许森. SM2专用指令协处理器设计与实现[J]. 计算机工程与应用, 2022, 58(2): 102-109.

References

[1] KOBLITZ N.Elliptic curve cryptosystems[J].Mathematics of Computation，1987，48（177）：203-209.
[2] 国家密码管理局.SM2椭圆曲线公钥密码算法：GM/T 0003—2012[S].北京：国家密码管理局，2012.
State Cryptography Administration.SM2 elliptic curve public key cryptography：GM/T 0003—2012[S].Beijing：State Cryptography Administration，2012.
[3] LOI K C C，KO S B.Scalable elliptic curve cryptosystem FPGA processor for NIST prime curves[J].IEEE Transactions on Very Large Scale Integration Systems，2015，23（11）：2753-2756.
[4] ZHANG D，BAI G.High-performance implementation of SM2 based on FPGA[C]//2016 8th IEEE International Conference on Communication Software and Networks（ICCSN），Beijing，Jun 4-6，2016.Piscataway，NJ：IEEE，2016：718-722.
[5] KEUTZER K，MALIK S，NEWTON A R.From ASIC to ASIP：the next design discontinuity[C]//Proceedings of the 2002 IEEE International Conference on Computer Design（ICCD’02），Freiberg，Sept 18，2002.Piscataway，NJ：IEEE，2002：84-90.
[6] 张军.ECC协处理器专用指令与可重构单元设计技术研究[D].郑州：解放军信息工程大学，2010.
ZHANG Jun.Research on technology of application specific instruction and reconfigurable unit of elliptic curve cryptography coprocessor design[D].Zhengzhou：PLA Information Engineering University，2010.
[7] 夏辉，于佳，秦尧，等.嵌入式领域ECC专用指令处理器的研究[J].计算机学报，2017，40（5）：1092-1108.
XIA Hui，YU Jia，QIN Yao，et al.The researches on the ASIP of ECC in embedded domain[J].Chinese Journal of Computers，2017，40（5）：1092-1108.
[8] MONTGOMERY P L.Modular multiplication without trial division[J].Mathematics of Computation，1985，44（170）：519-521.
[9] MENEZES A J，OORSCHOT P C V，VANSTONE S A.Handbook of applied cryptography[M].New York：CRC Press，1996：606-609.
[10] HANKERSON D，MENEZES A，VANSTONE S.Guide to elliptic curve cryptography[M].Berlin：Springer，2004：153-171.
[11] MONTGOMERY P L.Speeding the pollard and elliptic curve methods of factorization[J].Mathematics of Computation，1987，48（177）：243-264.
[12] WANG Tengfei，GUO Wei，WEI Jizeng.Highly-parallel hardware implementation of optimal ate pairing over Barreto-Naehrig curves[J].Integration，2019，64：13-21.
[13] GUERON S，KRASNOV V.Fast prime field elliptic-curve cryptography with 256-bit primes[J].Journal of Cryptographic Engineering，2014，5（2）：141-151.
[14] ANANYI K，ALRIMEIH H，RAKHMATOV D.Flexible hardware processor for elliptic curve cryptography over NIST prime fields[J].IEEE Transactions on Very Large Scale Integration Systems，2009，17（8）：1099-1112.
[15] MARZOUQI H，QUTAYRI M A，SALAH K.An FPGA implementation of NIST 256 prime field ECC processor[C]//2013 IEEE 20th International Conference on Electronics，Circuits，and Systems（ICECS），Abu Dhabi，Dec 8-11，2013.Piscataway，NJ：IEEE，2013：493-496.