Title of invention: Apparatus and method for calculating a result in a scalar multiplication
Abstract: An apparatus for calculating a result of a scalar multiplication of a reference number with a reference point on an elliptic curve includes a random number generator and processor. The random number generator generates a random bit. The processor calculates the result of the scalar multiplication based on a calculation algorithm using a first auxiliary variable storing a first interim result representing an integer multiple of the reference point or a coordinate of an integer multiple of the reference point and a second auxiliary variable storing a second interim result representing another integer multiple of the reference point or a coordinate of another integer multiple of the reference point. The processor swaps a value stored by the first auxiliary variable and a value stored by the second auxiliary variable during calculation of the result of the scalar multiplication, if a swap condition depending on the generated random bit is fulfilled.
Publication number: US9400636(B2) Publication date: 2016.07.26
Application number: US201113025221 Filing date: 2011.02.11
Applicant: Infineon Technologies AG Inventor: Meyer Bernd
Classification: G06F21/00;G06F7/72;H04L9/00;H04L9/30 Main classification: G06F21/00
Agency: Murphy, Bilak & Homiller, PLLC Agent: Murphy, Bilak & Homiller, PLLC
Independent claim: 1. An apparatus for calculating a result of a scalar multiplication of a reference number with a reference point on an elliptic curve, comprising: a random number generator comprising electric circuitry and configured to generate random bits; and a processor configured to calculate the result of the scalar multiplication based on a Montgomery ladder algorithm involving a loop over every bit of the reference number, the processor comprising a first auxiliary variable storing a first interim result representing an integer multiple of the reference point or a coordinate of an integer multiple of the reference point and a second auxiliary variable storing a second interim result representing another integer multiple of the reference point or a coordinate of another integer multiple of the reference point, wherein the processor is configured to, per loop i of the Montgomery ladder algorithm, swap a value stored by the first auxiliary variable and a value stored by the second auxiliary variable, if a swap condition is fulfilled, and controlled via a computation condition which at least depends on an ith bit of the reference number, and if the computation condition is fulfilled, perform an addition of the values stored in the first and second auxiliary variable registers and perform a duplication of the value stored in the second auxiliary variable register, and update the first auxiliary variable with a sum of the addition and the second auxiliary variable with a result of the duplication, and if the computation condition is not fulfilled, perform an addition of the values stored in the first and second auxiliary variable registers and perform a duplication of the value stored in the first auxiliary variable register, and update the second auxiliary variable with a sum of the addition and the first auxiliary variable with a result of the duplication, wherein at least one of the swap condition and the calculation condition depends on the ith bit of the reference number, and the swap condition depends directly on at least one bit of the generated random bits and the calculation condition depends on at least one bit of the generated random bits respectively, and wherein a result of scalar multiplication is determinable from values stored by the first and second auxiliary variables after the loop over every bit of the reference number.
Address: Neubiberg DE
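The per-loop behaviour recited in the claim can be traced in a small model. The following is an added example, not code from the patent or from the applicant: it is one possible reading of the claim in which a tracking bit `m` (an assumption of this sketch) records whether the two auxiliary variables are currently exchanged, run on a constructed toy curve. Python branches are not constant-time, so the block shows only the data flow of the countermeasure.

```python
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17); G = (5, 1) has order 19.
P_MOD, A = 17, 2
G = (5, 1)

def add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p == -q
    if p == q:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def ladder(k, point, nbits, rand_bit=lambda: secrets.randbits(1)):
    """Montgomery ladder with a random swap of the two auxiliary variables."""
    a, b = None, point   # first / second auxiliary variable: 0*P and 1*P
    m = 0                # assumption of this sketch: 1 while a and b are exchanged
    for i in reversed(range(nbits)):
        r = rand_bit()
        if r:            # swap condition: depends directly on the random bit
            a, b = b, a
        m ^= r
        s = add(a, b)
        if ((k >> i) & 1) ^ m:   # computation condition: ith key bit masked by m
            a, b = s, add(b, b)  # first <- sum, second <- double of second
        else:
            a, b = add(a, a), s  # first <- double of first, second <- sum
    return b if m else a         # undo the mask to pick the result variable

def reference(k, point):
    """Naive repeated addition, used only to check the ladder."""
    acc = None
    for _ in range(k):
        acc = add(acc, point)
    return acc
```

Whatever random bits are drawn, the result is the same; only the assignment of interim values to the two variables in each loop changes.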