Curve25519 Field域2^255-19内的快速运算

已于 2024-01-11 17:19:30 修改
阅读量1.4k 收藏 4
点赞数 3
分类专栏: 基础理论 文章标签: 基础理论
于 2019-07-19 13:44:58 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/mutourend/article/details/96476213
版权

1. 引言

对于Curve25519,其Field域内的module Fp = 2255-19。
若采用常规的Montgomery reduce算法,其运算性能并不是最优的。

如要求某整数 u mod (2^255-19),可将u整数用多项式做如下表示:
u = ∑ i u i x i ,其中, u i = n ∗ 2 ⌈ 25.5 i ⌉ , n ∈ N u=\sum_{i}^{}u_ix^i,其中,u_i=n*2^{\left \lceil 25.5i \right \rceil},n \in N u=iuixi,其中,ui=n225.5inN
设置x=1,通过对u多项式求值即可代表域Fp内的值。
u多项式的选取有两个限制条件:

  • 1)多项式的阶应小,来限制多项式乘法时所需系数乘法数量的次数。通常,reduced-degree多项式的阶最高为9;
  • 2)为了提升系数乘法的效率,每个系数 u i u_i ui均应为 2 ⌈ 25.5 i ⌉ 2^{\left \lceil 25.5i \right \rceil} 225.5i的整数倍。通常,reduced-coefficient多项式的系数满足 u i / 2 ⌈ 25.5 i ⌉ ∈ { − 2 25 , − 2 25 + 1 , . . . , − 1 , 0 , 1 , . . . , 2 25 − 1 , 2 25 } u_i/2^{\left \lceil 25.5i \right \rceil} \in \{-2^{25}, -2^{25}+1,...,-1,0,1,...,2^{25}-1, 2^{25}\} ui/225.5i{225,225+1,...,1,0,1,...,2251,225}

结合以上两个显示条件,一个reduced-degree reduced-coefficient多项式可表示为:
u 0 + u 1 x + . . . + u 9 x 9 ,其中 u 0 / 2 0 , u 1 / 2 26 , u 2 / 2 51 , u 3 / 2 77 , u 4 / 2 102 , u 5 / 2 128 , u 6 / 2 153 , u 7 / 2 179 , u 8 / 2 204 , u 9 / 2 230 均 ∈ { − 2 25 , − 2 25 + 1 , . . . , − 1 , 0 , 1 , . . . , 2 25 − 1 , 2 25 } u_0+u_1x+...+u_9x^9,其中u_0/2^0,u_1/2^{26},u_2/2^{51},u_3/2^{77},u_4/2^{102},u_5/2^{128},u_6/2^{153},u_7/2^{179},u_8/2^{204},u_9/2^{230}均\in \{-2^{25}, -2^{25}+1,...,-1,0,1,...,2^{25}-1, 2^{25}\} u0+u1x+...+u9x9,其中u0/20,u1/226,u2/251,u3/277,u4/2102,u5/2128,u6/2153,u7/2179,u8/2204,u9/2230{225,225+1,...,1,0,1,...,2251,225}

该多项式所代表的值即为(x=1时), u 0 + u 1 + . . . + u 9 u_0+u_1+...+u_9 u0+u1+...+u9
该值只在计算最后阶段才转换为最小值,不需要直接转换。

2. Fp=2255-19域内的加法和减法运算

将两个整数分别表示为u多项式和v多项式,则这两个整数的加法运算可表示为多项式加法运算u+v,减法运算可表示为多项式减法运算u-v。
若u和v均为reduced-degree reduced-coefficient多项式,则u+v或u-v分别有10次fp(64-bit floating-point)数字加法或减法系数运算。

3. Fp=2255-19域内的乘法运算

注意:对于多项式 a = 2 255 x 10 − 19 a=2^{255}x^{10}-19 a=2255x1019,当取x=1时, a = 2 255 − 19 a=2^{255}-19 a=225519, 对应的 a m o d F p = 0 a \quad mod \quad F_p =0 amodFp=0,因此可用多项式 a = 2 255 x 10 − 19 a=2^{255}x^{10}-19 a=2255x1019代表域Fp内的零值。
进一步推论:
2 255 x 10 − 19 ≡ 0 \quad 2^{255}x^{10}-19\equiv 0 2255x10190
⇔ 2 255 x 10 ≡ 19 \Leftrightarrow 2^{255}x^{10}\equiv 19 2255x1019
⇔ x 10 ≡ 2 − 255 ∗ 19 \Leftrightarrow x^{10}\equiv 2^{-255}*19 x10225519

将两个整数分别表示为u多项式和v多项式,且u和v均为reduced-degree reduced-coefficient多项式。乘法运算会转换为多项式乘法运算b=u*v,多项式的阶最大为18。可利用上面的推论结论 x 10 ≡ 2 − 255 ∗ 19 x^{10}\equiv 2^{-255}*19 x10225519,对系数 x 10 , x 11 , . . . , x 18 x^{10},x^{11},...,x^{18} x10,x11,...,x18分别进行替换,如取b多项式部分内容,有:
b 8 x 8 + b 18 x 18 = b 8 x 8 + b 18 x 8 x 10 ≡ ( b 8 + b 18 ( 2 − 255 ∗ 19 ) ) x 8 b_8x^8+b_{18}x^{18}=b_8x^8+b_{18}x^{8}x^{10}\equiv(b_8+b_{18}(2^{-255}*19))x^8 b8x8+b18x18=b8x8+b18x8x10(b8+b18(225519))x8

实际计算机执行时,充分利用64位存储器的性能,上述表示可进一步优化,参见论文《High-speed high-security signatures》和《Sandy2x: New Curve25519 Speed Records》,以51位标识,对于F_p域内的元素f,可表示为 ( f 0 , f 1 , f 2 , f 3 , f 4 ) , f = ∑ i = 0 4 f i 2 51 i = f 0 + 2 51 f 1 + 2 102 f 2 + 2 153 f 3 + 2 204 f 4 , f i ∈ [ 0 , . . . , 2 51 − 1 ] (f_0,f_1,f_2,f_3,f_4),f=\sum_{i=0}^{4}f_i2^{51i}=f_0+2^{51}f_1+2^{102}f_2+2^{153}f_3+2^{204}f_4,f_i \in [0,...,2^{51}-1] (f0,f1,f2,f3,f4)f=i=04fi251i=f0+251f1+2102f2+2153f3+2204f4fi[0,...,2511]

注意x=1时有:
x 10 ≡ 2 − 255 ∗ 19 x^{10}\equiv 2^{-255}*19 x10225519
⇔ 2 − 255 ∗ 19 ≡ 1 \Leftrightarrow 2^{-255}*19\equiv 1 2255191
⇔ 2 255 ≡ 19 \Leftrightarrow 2^{255}\equiv 19 225519

则f和g多项式乘积h=f*g module 2 255 − 19 2^{255} -19 225519可表示为:
h 0 = f 0 g 0 + 19 f 1 g 4 + 19 f 2 g 3 + 19 f 3 g 2 + 19 f 4 g 1 h_0=f_0g_0+19f_1g_4+19f_2g_3+19f_3g_2+19f_4g_1 h0=f0g0+19f1g4+19f2g3+19f3g2+19f4g1
h 1 = f 0 g 1 + f 1 g 0 + 19 f 2 g 4 + 19 f 3 g 3 + 19 f 4 g 2 h_1=f_0g_1+f_1g_0+19f_2g_4+19f_3g_3+19f_4g_2 h1=f0g1+f1g0+19f2g4+19f3g3+19f4g2
h 2 = f 0 g 2 + f 1 g 1 + f 2 g 0 + 19 f 3 g 4 + 19 f 4 g 3 h_2=f_0g_2+f_1g_1+f_2g_0+19f_3g_4+19f_4g_3 h2=f0g2+f1g1+f2g0+19f3g4+19f4g3
h 3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 + 19 f 4 g 4 h_3=f_0g_3+f_1g_2+f_2g_1+f_3g_0+19f_4g_4 h3=f0g3+f1g2+f2g1+f3g0+19f4g4
h 4 = f 0 g 4 + f 1 g 3 + f 2 g 2 + f 3 g 1 + f 4 g 0 h_4=f_0g_4+f_1g_3+f_2g_2+f_3g_1+f_4g_0 h4=f0g4+f1g3+f2g2+f3g1+f4g0

若f=g,则为求f2。curver25519-dalek中的pow2k即为求 x 2 k x^{2^k} x2k,代码中对进位的处理很赞:

/// Given `k > 0`, return `self^(2^k)`.
    pub fn pow2k(&self, mut k: u32) -> FieldElement51 {

        debug_assert!( k > 0 );

        /// Multiply two 64-bit integers with 128 bits of output.
        #[inline(always)]
        fn m(x: u64, y: u64) -> u128 { (x as u128) * (y as u128) }

        let mut a: [u64; 5] = self.0;

        loop {
            // Precondition: assume input limbs a[i] are bounded as
            //
            // a[i] < 2^(51 + b)
            //
            // where b is a real parameter measuring the "bit excess" of the limbs.

            // Precomputation: 64-bit multiply by 19.
            //
            // This fits into a u64 whenever 51 + b + lg(19) < 64.
            //
            // Since 51 + b + lg(19) < 51 + 4.25 + b
            //                       = 55.25 + b,
            // this fits if b < 8.75.
            let a3_19 = 19 * a[3];
            let a4_19 = 19 * a[4];

            // Multiply to get 128-bit coefficients of output.
            //
            // The 128-bit multiplications by 2 turn into 1 slr + 1 slrd each,
            // which doesn't seem any better or worse than doing them as precomputations
            // on the 64-bit inputs.
            let     c0: u128 = m(a[0],  a[0]) + 2*( m(a[1], a4_19) + m(a[2], a3_19) );
            let mut c1: u128 = m(a[3], a3_19) + 2*( m(a[0],  a[1]) + m(a[2], a4_19) );
            let mut c2: u128 = m(a[1],  a[1]) + 2*( m(a[0],  a[2]) + m(a[4], a3_19) );
            let mut c3: u128 = m(a[4], a4_19) + 2*( m(a[0],  a[3]) + m(a[1],  a[2]) );
            let mut c4: u128 = m(a[2],  a[2]) + 2*( m(a[0],  a[4]) + m(a[1],  a[3]) );

            // Same bound as in multiply:
            //    c[i] < 2^(102 + 2*b) * (1+i + (4-i)*19)
            //         < 2^(102 + lg(1 + 4*19) + 2*b)
            //         < 2^(108.27 + 2*b)
            //
            // The carry (c[i] >> 51) fits into a u64 when
            //    108.27 + 2*b - 51 < 64
            //    2*b < 6.73
            //    b < 3.365.
            //
            // So we require b < 3 to ensure this fits.
            debug_assert!(a[0] < (1 << 54));
            debug_assert!(a[1] < (1 << 54));
            debug_assert!(a[2] < (1 << 54));
            debug_assert!(a[3] < (1 << 54));
            debug_assert!(a[4] < (1 << 54));

            const LOW_51_BIT_MASK: u64 = (1u64 << 51) - 1;

            // Casting to u64 and back tells the compiler that the carry is bounded by 2^64, so
            // that the addition is a u128 + u64 rather than u128 + u128.
            c1 += ((c0 >> 51) as u64) as u128;
            a[0] = (c0 as u64) & LOW_51_BIT_MASK;

            c2 += ((c1 >> 51) as u64) as u128;
            a[1] = (c1 as u64) & LOW_51_BIT_MASK;

            c3 += ((c2 >> 51) as u64) as u128;
            a[2] = (c2 as u64) & LOW_51_BIT_MASK;

            c4 += ((c3 >> 51) as u64) as u128;
            a[3] = (c3 as u64) & LOW_51_BIT_MASK;

            let carry: u64 = (c4 >> 51) as u64;
            a[4] = (c4 as u64) & LOW_51_BIT_MASK;

            // To see that this does not overflow, we need a[0] + carry * 19 < 2^64.
            //
            // c4 < a2^2 + 2*a0*a4 + 2*a1*a3 + (carry from c3)
            //    < 2^(102 + 2*b + lg(5)) + 2^64.
            //
            // When b < 3 we get
            //
            // c4 < 2^110.33  so that carry < 2^59.33
            //
            // so that
            //
            // a[0] + carry * 19 < 2^51 + 19 * 2^59.33 < 2^63.58
            //
            // and there is no overflow.
            a[0] = a[0] + carry * 19;

            // Now a[1] < 2^51 + 2^(64 -51) = 2^51 + 2^13 < 2^(51 + epsilon).
            a[1] += a[0] >> 51;
            a[0] &= LOW_51_BIT_MASK;

            // Now all a[i] < 2^(51 + epsilon) and a = self^(2^k).

            k = k - 1;
            if k == 0 {
                break;
            }
        }

        FieldElement51(a)
    }

4. Fp=2255-19域内的倒数运算

curver25519-dalek中的实际实现主要时基于:
在这里插入图片描述

/// Given a nonzero field element, compute its inverse.
    ///
    /// The inverse is computed as self^(p-2), since
    /// x^(p-2)x = x^(p-1) = 1 (mod p).
    ///
    /// This function returns zero on input zero.
    pub fn invert(&self) -> FieldElement {
        // The bits of p-2 = 2^255 -19 -2 are 11010111111...11.
        //
        //                                 nonzero bits of exponent
        let (t19, t3) = self.pow22501();   // t19: 249..0 ; t3: 3,1,0
        let t20 = t19.pow2k(5);            // 254..5
        let t21 = &t20 * &t3;              // 254..5,3,1,0

        t21
    }

5. Fp=2255-19域内的module求模运算

实际本文第1~4节的代码,并没有做module运算,实际的mod Fp代码见reduce和to_bytes()代码:

/// Given 64-bit input limbs, reduce to enforce the bound 2^(51 + epsilon).
    #[inline(always)]
    fn reduce(mut limbs: [u64; 5]) -> FieldElement51 {
        const LOW_51_BIT_MASK: u64 = (1u64 << 51) - 1;

        // Since the input limbs are bounded by 2^64, the biggest
        // carry-out is bounded by 2^13.
        //
        // The biggest carry-in is c4 * 19, resulting in
        //
        // 2^51 + 19*2^13 < 2^51.0000000001
        //
        // Because we don't need to canonicalize, only to reduce the
        // limb sizes, it's OK to do a "weak reduction", where we
        // compute the carry-outs in parallel.

        let c0 = limbs[0] >> 51;
        let c1 = limbs[1] >> 51;
        let c2 = limbs[2] >> 51;
        let c3 = limbs[3] >> 51;
        let c4 = limbs[4] >> 51;

        limbs[0] &= LOW_51_BIT_MASK;
        limbs[1] &= LOW_51_BIT_MASK;
        limbs[2] &= LOW_51_BIT_MASK;
        limbs[3] &= LOW_51_BIT_MASK;
        limbs[4] &= LOW_51_BIT_MASK;

        limbs[0] += c4 * 19;
        limbs[1] += c0;
        limbs[2] += c1;
        limbs[3] += c2;
        limbs[4] += c3;

        FieldElement51(limbs)
    }


	 /// Serialize this `FieldElement51` to a 32-byte array.  The
    /// encoding is canonical.
    pub fn to_bytes(&self) -> [u8; 32] {
        // Let h = limbs[0] + limbs[1]*2^51 + ... + limbs[4]*2^204.
        //
        // Write h = pq + r with 0 <= r < p.
        //
        // We want to compute r = h mod p.
        //
        // If h < 2*p = 2^256 - 38,
        // then q = 0 or 1,
        //
        // with q = 0 when h < p
        //  and q = 1 when h >= p.
        //
        // Notice that h >= p <==> h + 19 >= p + 19 <==> h + 19 >= 2^255.
        // Therefore q can be computed as the carry bit of h + 19.

        // First, reduce the limbs to ensure h < 2*p.
        let mut limbs = FieldElement51::reduce(self.0).0;

        let mut q = (limbs[0] + 19) >> 51;
        q = (limbs[1] + q) >> 51;
        q = (limbs[2] + q) >> 51;
        q = (limbs[3] + q) >> 51;
        q = (limbs[4] + q) >> 51;

        // Now we can compute r as r = h - pq = r - (2^255-19)q = r + 19q - 2^255q

        limbs[0] += 19*q;

        // Now carry the result to compute r + 19q ...
        let low_51_bit_mask = (1u64 << 51) - 1;
        limbs[1] +=  limbs[0] >> 51;
        limbs[0] = limbs[0] & low_51_bit_mask;
        limbs[2] +=  limbs[1] >> 51;
        limbs[1] = limbs[1] & low_51_bit_mask;
        limbs[3] +=  limbs[2] >> 51;
        limbs[2] = limbs[2] & low_51_bit_mask;
        limbs[4] +=  limbs[3] >> 51;
        limbs[3] = limbs[3] & low_51_bit_mask;
        // ... but instead of carrying (limbs[4] >> 51) = 2^255q
        // into another limb, discard it, subtracting the value
        limbs[4] = limbs[4] & low_51_bit_mask;

        // Now arrange the bits of the limbs.
        let mut s = [0u8;32];
        s[ 0] =   limbs[0]        as u8;
        s[ 1] =  (limbs[0] >>  8) as u8;
        s[ 2] =  (limbs[0] >> 16) as u8;
        s[ 3] =  (limbs[0] >> 24) as u8;
        s[ 4] =  (limbs[0] >> 32) as u8;
        s[ 5] =  (limbs[0] >> 40) as u8;
        s[ 6] = ((limbs[0] >> 48) | (limbs[1] << 3)) as u8;
        s[ 7] =  (limbs[1] >>  5) as u8;
        s[ 8] =  (limbs[1] >> 13) as u8;
        s[ 9] =  (limbs[1] >> 21) as u8;
        s[10] =  (limbs[1] >> 29) as u8;
        s[11] =  (limbs[1] >> 37) as u8;
        s[12] = ((limbs[1] >> 45) | (limbs[2] << 6)) as u8;
        s[13] =  (limbs[2] >>  2) as u8;
        s[14] =  (limbs[2] >> 10) as u8;
        s[15] =  (limbs[2] >> 18) as u8;
        s[16] =  (limbs[2] >> 26) as u8;
        s[17] =  (limbs[2] >> 34) as u8;
        s[18] =  (limbs[2] >> 42) as u8;
        s[19] = ((limbs[2] >> 50) | (limbs[3] << 1)) as u8;
        s[20] =  (limbs[3] >>  7) as u8;
        s[21] =  (limbs[3] >> 15) as u8;
        s[22] =  (limbs[3] >> 23) as u8;
        s[23] =  (limbs[3] >> 31) as u8;
        s[24] =  (limbs[3] >> 39) as u8;
        s[25] = ((limbs[3] >> 47) | (limbs[4] << 4)) as u8;
        s[26] =  (limbs[4] >>  4) as u8;
        s[27] =  (limbs[4] >> 12) as u8;
        s[28] =  (limbs[4] >> 20) as u8;
        s[29] =  (limbs[4] >> 28) as u8;
        s[30] =  (limbs[4] >> 36) as u8;
        s[31] =  (limbs[4] >> 44) as u8;

        // High bit should be zero.
        debug_assert!((s[31] & 0b1000_0000u8) == 0u8);

        s
    }

6. Fp=2255-19域内的batch_invert运算

总体的算法原理可参见curve25519-dalek中Scalar的Montgomery inversion及batch_invert算法中的第四节batch_invert算法。只是在求倒数的过程中,scalar域中采用的是通用的montgomery算法,而2255-19域采用的是更快的求倒数算法(见本文第四节内容)。

	/// Given a slice of public `FieldElements`, replace each with its inverse.
    ///
    /// All input `FieldElements` **MUST** be nonzero.
    #[cfg(feature = "alloc")]
    pub fn batch_invert(inputs: &mut [FieldElement]) {
        // Montgomery’s Trick and Fast Implementation of Masked AES
        // Genelle, Prouff and Quisquater
        // Section 3.2

        let n = inputs.len();
        let mut scratch = vec![FieldElement::one(); n];

        // Keep an accumulator of all of the previous products
        let mut acc = FieldElement::one();

        // Pass through the input vector, recording the previous
        // products in the scratch space
        for (input, scratch) in inputs.iter().zip(scratch.iter_mut()) {
            *scratch = acc;
            acc = &acc * input;
        }

        // Compute the inverse of all products
        acc = acc.invert();

        // Pass through the vector backwards to compute the inverses
        // in place
        for (input, scratch) in inputs.iter_mut().rev().zip(scratch.into_iter().rev()) {
            let tmp = &acc * input;
            *input = &acc * &scratch;
            acc = tmp;
        }
    }

参考资料:
[1] 论文《Curve25519: new Diffie-Hellman speed records》
[2] 论文《Verifying Curve25519 Software》
[3] 论文《High-speed high-security signatures》
[4] 论文 《Sandy2x: New Curve25519 Speed Records》
[5] https://briansmith.org/ecc-inversion-addition-chains-01#curve25519_field_inversion

mutourend
关注
专栏目录
写给开发人员的实用密码学 - 非对称加密算法
云水木石
03-18 5008
在前面的文章《写给开发人员的实用密码学 - 对称加密算法》中,介绍了现代密码学中非常重要的加密解密算法。从工程学的角度,选取密钥足够长的加密算法(比如AES 256、AES 512),是无...
Curve25519加密解密
marko_zheng的博客
09-16 7155
Curve25519加密解密 出于安全性的考虑,在原本明文传输的基础上需要对传输内容进行加密,首先,curve25519是一个不对称加密算法,需要前后端相配合,双方一起使用该加密算法,逻辑如下: 前端使用generateKeyPair得到自己的公钥和私钥,用自己前端的公钥去交换后端的公钥 后端使用generateKeyPair得到自己的公钥和私钥,将后端的公钥返回给前端,同时,用自己的私钥...
edwards25519 double算法
mutourend的博客
08-07 469
edwards25519 curve表示为: −x2+y2=1+dx2y2,q=225519-x^2+y^2=1+dx^2y^2,q=2^{255}-19−x2+y2=1+dx2y2,q=225519 根据博客Extended twisted Edwards curve坐标系中提及: 注意,在Extended坐标系下,可提供更快的加法运算,在Projective坐标系下,可提供更快的doub...
Curve25519 共享密钥生成 GUI:使用 curve-25519 的椭圆曲线密码术。 生成私钥乘以椭圆曲线上的给定 x 坐标点(输入)。-matlab开发
05-29
程序在提供的 x 坐标点 P(输入)和提供的 256 位随机生成的私钥 d(输入)上执行标量乘法。 程序默认为点 (x=9),它是曲线 25519 的基点。 输入应为十六进制(小端)。 程序仅使用各种私钥在几个点上进行了测试。 用户通过 Q=dP 生成用户的公钥并将其提供给另一个用户。 另一个用户提供他们的公钥,生成共享密钥,S=dQ。 共享密钥用于使用 AES (Advanced_Encryption_Standard) 等算法对两个用户之间共享的消息进行加密和解密。 该程序不是为高速而设计的,但执行速度仍然相当快。 程序使用蒙哥马利阶梯进行标量乘法。 学习椭圆曲线密码学很有趣。 了解如何轻松完成点加法和标量乘法以及为什么离散对数反转如此困难是非常有趣的。 如果有人有任何建议,请告诉我。
Curve25519加密算法
热门推荐
虎哥LoveDroid
04-28 1万+
Curve25519加密算法1. Curve25519简介2. 下载及编译Curve255193.使用Curve255194. 参考 1. Curve25519简介 Curve25519 是目前最高水平的 Diffie-Hellman函数,适用于广泛的场景,由Daniel J. Bernstein教授设计。在密码学中,Curve25519是一个椭圆曲线提供128位安全性,设计用于椭圆曲线Diffi...
curve25519-c++调用,...转换成椭圆曲线上的一个点。
niujinya的博客
11-04 1368
curve25519-c++调用,及如何使一个数转换成椭圆曲线上的一个点。
dalek-Curve25519 avx2并行计算学习笔记
mutourend的博客
09-02 595
1. 引言 Curve25519 Field Element在有限2255192^{255}-19225519内,采用64bit 串行计算时,采用的是5个FieldElement51元素来表示一个Element;若采用32-bit AVX2并行计算,则每个Element由10个FieldElement2526元素来表示。 即对于某Curve25519 Field Element a,对应的...
Curve25519加解密与Ed25519加密签
HORHEART的博客
09-17 8106
Curve25519加解密与Ed25519加密签几种著名的椭圆曲线的方程和对应的实际应用 几种著名的椭圆曲线的方程和对应的实际应用 魏尔斯特拉斯曲线和基于魏尔斯特拉斯曲线的若干种椭圆曲线公钥算法 蒙哥马利曲线和基于蒙哥马利曲线的Curve25519密钥协商算法 爱德华曲线和基于爱德华曲线的Ed25519数字签名算法 ...
2椭圆曲线密码学:有限和离散对数
qq_40965639的博客
07-13 1777
原文链接:https://andrea.corbellini.name/2015/05/23/elliptic-curve-cryptography-finite-fields-and-discrete-logarithms/ 这篇文章是ECC系列的第二篇。 在前一篇文章中,我们已经看到了如何基于实数上的椭圆曲线来定义一个群。具体如下,我们定义了点的加法规则:给定三个共线的点,它们的和是零(P...
椭圆曲线密码算法
让我思考一下
10-20 1815
椭圆曲线密码算法(Elliptic Curve Cryptography,ECC)是基于椭圆曲线数学的一种公钥密码算法,其安全性依赖于椭圆曲线离散对数问题的困难性。本文介绍了椭圆曲线密码算法的基本概念......
curve25519-java-master
05-06
curve25519-java 一个Java Curve25519实现,如果可用,则由本机代码支持,而当不具有本机库时,则支持纯Java。 还有一个J2ME构建变体。 正在安装 要在Android上使用: dependencies { compile 'org.whispersystems:curve25519-android:(latest version number here)' } 要从纯Java使用: <dependency> <groupId>org.whispersystems</groupId> <artifactId>curve25519-java</artifactId> <version>(latest version number here)</version> </dependency> 要从J2ME使用: <dependency> <
Android代码-curve25519-java
08-06
curve25519-java A Java Curve25519 implementation that is backed by native code when available, and pure Java when a native library is not available. There is also a J2ME build variant. Installing To use on Android: dependencies { compile 'org.whispersystems:curve25519-android:(latest version number here)' } To use from pure Java: org.whispersystems curve25519-java (latest version number here) To use from J2ME: org.whispersystems curve25519-j2me (latest version number here) The
curve25519-verilog:Curve25519 的 Verilog 实现的开始
07-08
未在真实硬件上测试。 除非您真的知道自己在做什么,否则不要使用。 使用 15 个 17 位乘法器和一组 42 位加法器,每个 Curve25519 乘法有 69378 个周期(截至提交 d0a51a88b0)。 打算花费恒定的时间。 公共区
用零知识证明连接多链宇宙
FeelTouch Labs
12-26 2255
Bridges是一种通信协议,有助于在区块链之间传输消息、资金或其他数据等信息。虽然有用,但搭建Bridges是一项有风险的业务。区块链历史上一些最昂贵的黑客攻击仅针对Bridges。截至 2022 年,估计过去一年损失的资金中有 69% 是由于对Bridges的袭击,造成的损失高达数十亿美元。在本文中,我们重点关注使用零知识证明 (ZKP) 的桥梁建设的具体实施。虽然一些黑客无法仅仅因为使用 ZKP 就可以预防,但 ZKP 的稳健性将区块链共识协议的安全性扩展到了桥接器。
Spring Security-用户密码自定义国密SM2加密
weixin_34032792的博客
01-17 3253
为什么80%的码农都做不了架构师?>>> ...
Curve25519:重构椭圆曲线密码学的性能边界
最新发布
gitblog_00010的博客
06-13 296
Curve25519:重构椭圆曲线密码学的性能边界 curve25519Highly efficient implementation of elliptic curve 25519项目地址:https://gitcode.com/gh_mirrors/cu/curve25519 项目简介 Curve25519是一个高性能的椭圆曲线算法实现库,专注于提供高速度和高安全性的同时保持轻量级的设计理念...
Curve25519 秘密共享系统
mutourend的博客
07-02 1667
1. Curve25519基本定义 Curve25519 is a state-of-the-art Diffie-Hellman function suitable for a wide variety of applications. Given a user’s 32-byte secret key, Curve25519 computes the user’s 32-byte public...
Curve25519 Field2^255-19代码实现对fieldelement值的限制要求?
mutourend的博客
07-31 203
src/backend/serial/u64/field.rs中的乘法运算fn mul(self, _rhs: &'b FieldElement51) -> FieldElement51函数中有如下限制: // Alias self, _rhs for more readable formulas let a: &[u64; 5] = &self....
curve25519-dalek中field reduce原理分析
mutourend的博客
07-30 697
对于Curve25519,其Field内的module Fp = 2255-19。 对于64位系统 /// A `FieldElement51` represents an element of the field /// \\( \mathbb Z / (2\^{255} - 19)\\). /// /// In the 64-bit implementation, a `FieldEleme...
Na=Nd=10^16 cm^(-3),ni=1.5×10^10 cm^(-3),Dn=25cm^2/s,Dp=10cm^2/s,τp0=τn0=5×10^(-7) s,基于以上条件,写出y-x曲线的半对数图matlab和P-N结的I-V特性曲线matlab
06-06
以下是y-x曲线的半对数图matlab代码: ``` % 定义常数 Na = 1e16; % cm^-3 Nd = 1e16; % cm^-3 ni = 1.5e10; % cm^-3 Dn = 25; % cm^2/s Dp = 10; % cm^2/s tp0 = 5e-7; % s tn0 = 5e-7; % s k = 1.38e-23; % J/K q = 1.6e-19; % C % 定义x轴范围 x = logspace(0, 4, 100); % 计算y值 y = zeros(size(x)); for i = 1:length(x) n = Na + (ni^2) ./ Nd .* exp(x(i) / k); p = Nd + (ni^2) ./ Na .* exp(-x(i) / k); Tn = tp0 .* (n ./ ni).^(-2/3); Tp = tn0 .* (p ./ ni).^(-2/3); y(i) = sqrt(Dn .* Tn) + sqrt(Dp .* Tp); end % 画图 semilogx(x, y); xlabel('log(x)'); ylabel('y'); title('y-x Curve'); ``` 以下是P-N结的I-V特性曲线matlab代码: ``` % 定义常数 Na = 1e16; % cm^-3 Nd = 1e16; % cm^-3 ni = 1.5e10; % cm^-3 Dn = 25; % cm^2/s Dp = 10; % cm^2/s tp0 = 5e-7; % s tn0 = 5e-7; % s k = 1.38e-23; % J/K q = 1.6e-19; % C % 定义x轴范围 V = linspace(-1, 1, 100); % 计算I值 I = zeros(size(V)); for i = 1:length(V) if V(i) <= 0 n = ni^2 ./ Na .* exp(V(i) / k); p = Nd; else n = Na; p = ni^2 ./ Nd .* exp(-V(i) / k); end Tn = tp0 .* (n ./ ni).^(-2/3); Tp = tn0 .* (p ./ ni).^(-2/3); Jn = q .* n .* sqrt(Dn .* Tn) .* exp(q .* V(i) / (k .* Tn)); Jp = q .* p .* sqrt(Dp .* Tp) .* exp(-q .* V(i) / (k .* Tp)); I(i) = Jn - Jp; end % 画图 plot(V, I); xlabel('V'); ylabel('I'); title('P-N Junction I-V Characteristic'); ```
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值