JP2006235416A - Device for computing scalar multiplication in elliptic curve cryptosystem, and program for the same - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an elliptic curve scalar multiplication computing device using a Koblitz curve which is excellent in reduction of memory usage and in high speed. <P>SOLUTION: In the scalar multiplication computing device for computing a scalar multiplication point from a scalar value and a point on a Koblitz curve: the scalar value is encoded into a numerical value sequence; one number other than 0 is selected from the numerical value sequence; by referring to each digit of the encoded numerical value sequence, addition on the elliptic curve is performed on the digit coinciding with the selected number; and a second operation on the elliptic curve is performed on the digit not coinciding with the selected number. Thus, the scalar multiplication computing device which is excellent in reduction of memory usage and in high speed can be realized. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

    The present invention relates to security technology, and more particularly to a message processing method using elliptic curve calculation.

  Cryptographic technology has become an indispensable element for concealing and authenticating electronic information with the development of information and communication networks. In addition to security, requirements imposed on cryptographic technology include processing speed and low memory usage, but generally there is a trade-off relationship between security, processing speed, and memory usage. It is difficult to meet all requirements.

  Encryption techniques include common key encryption and public key encryption. One type of public key encryption is elliptic curve encryption proposed by N. Koblitz, V. S. Miller.

  Elliptic curve cryptography is very difficult to solve discrete logarithm problems on elliptic curves, so elliptic curve cryptography makes the key length relatively short compared to cryptography that is based on the difficulty of prime factorization. be able to.

  Among the elliptic curves, the elliptic curves suitable for cryptography recommended by standardization organizations (for example, NIST (National Institute of Standards and Technology)) are random characteristic 2 elliptic curves, Kobritz curves, and characteristics. It is an elliptic curve on a large prime field. The elliptic curve recommended by the standardization organization is described in Non-Patent Document 1, for example.

  Public key cryptography includes information that can be disclosed to the public called a public key and secret information that must be kept secret, called a private key. A public key is used for plaintext message encryption and signature verification, and a secret key is used for decryption of ciphertext messages and signature generation.

  The secret key in elliptic curve cryptography is a scalar value described later. The security of elliptic curve cryptography comes from the difficulty of solving discrete logarithm problems on elliptic curves. The discrete logarithm problem on an elliptic curve is a problem of obtaining a scalar value d when a certain point P on the elliptic curve and a point d P that is a scalar multiple thereof are given. The point on the elliptic curve is a set of numbers that satisfy the definition equation of the elliptic curve. The entire point on the elliptic curve is calculated based on a virtual point called an infinite point, that is, on the elliptic curve. Addition (or addition) is defined.

Adding a certain number of times to a certain point is called scalar multiplication, the result is called a scalar multiple, and the number of times is called a scalar value. The addition on the elliptic curve by the same points is called doubling on the elliptic curve. The addition of two points on an elliptic curve is calculated as follows: When you draw a straight line that passes through two points, the straight line intersects the elliptic curve at another point. The point that is symmetric with respect to the intersecting point and the x-axis is the result of the addition. For example, in the case of the above Kobritz curve, the addition of the point (x ₁ , y ₁ ) and the point (x ₂ , y ₂ ) (x ₃ , y ₃ ) = (x ₁ , y ₁ ) + (x ₂ , y ₂ )
x ₃ = λ ² + λ + x ₁ + x ₂ + a (Formula 1)
y ₃ = (x ₁ + x ₃ ) λ + x ₃ + y ₁ (Formula 2)
λ = (y ₁ + y ₂ ) / (x ₁ + x ₂ ) (Formula 3)
Is obtained by calculating.

Here, the defining equation of the Kobritz curve is
y ² + xy = x ³ + ax ² + 1, (a = 0 or 1) (Formula 4)
Given in. In other words, when x _i and y _i (i = 1, 2, 3) are substituted for x and y in Equation 4, the equation of Equation 4 holds.

The doubling of points on the elliptic curve is calculated as follows. When a tangent line at a point on the elliptic curve is drawn, the tangent line intersects at another point on the elliptic curve. The intersected point and a point that is symmetric with respect to the x-coordinate are taken as the result of doubling. For example, in the case of a Kobritz curve, the result of doubling the point (x ₁ , y ₁ ) (x ₃ , y ₃ ) = 2 (x ₁ , y ₁ ) = (x ₁ , y ₁ ) + (x ₁ , y ₁ ) is expressed by Equation 1, Equation 2, and λ = (y ₁ / x ₁ ) + x ₁ (Equation 5)
Is obtained by calculating.

Further, it is possible to perform a light calculation called τ multiplication on points on the Kobritz curve. The τ multiplication for the point (x ₁ , y ₁ ) is
(x ₃ , y ₃ ) = τ (x ₁ , y ₁ ) = (x ₁ ² , y ₁ ² ) (Equation 6)
Is to calculate Also,
(x ⁴ , x ⁴ ) + 2 (x, y) = μ (x ² , y ² ) (Equation 7)
μ = (-1) ^a (Formula 8)
Is known to hold, and τ
τ ² + 2 = μ τ (Equation 9)
It can be thought of as a complex number that satisfies

In the Kobritz curve, the scalar value d is
d = d _w [m + a-1] τ ^{m + a-1} + d _w [m + a-2] τ ^{m + a-2} +… + d _w [j] τ ^j +… + d _w [0 ] (Formula 10)
-2 ^w-1 <d _w [j] <2 ^w-1 (Equation 11)
And can be converted. Here, for each i, d _w [j] is an odd number, and m is a bit length when the scalar value d is expressed in binary. It is.

  Converting the scalar value d in the Kobritz curve into a τ-adic representation that satisfies Expressions 10 and 11 is called τ-adic encoding or simply encoding.

Conventionally, to multiply a point on an elliptic curve by a scalar, the scalar value d is
d = d [m] 2 ^m + d [m-1] 2 ^{m - 1} +… + d [0] (Equation 12)
d [i] = 0 or 1 (Equation 13)
The scalar multiplication is performed using Equations 12 and 13. Therefore, it is necessary to use doubling on an elliptic curve that is relatively heavy when shifting digits.

On the other hand, in the scalar multiplication of the point on the Kobritz curve, the scalar value d is converted into the form of Expression 10 and the scalar multiplication is performed using Expression 10. Therefore, a high-speed calculation method TNAF _w is known in which a point on the Kobritz curve can be scalar multiplied at high speed by using τ multiplication when shifting digits.

  In elliptic curve cryptography, encryption, decryption, signature generation, or verification of a given message must be performed using an elliptic curve calculation. In particular, calculation of scalar multiplication on an elliptic curve is used in cryptographic processing using a scalar value that is secret information.

Non-Patent Document 2 describes the details of the high-speed calculation method TNAF _w (Equation 10 and Equation 11) for scalar multiplication in the Kobritz curve. The polynomial basis and the normal basis are described in Non-Patent Document 2, for example. Non-Patent Document 3 describes an elliptic curve having a Frobenius map having properties such as τ multiplication.

D. Johnson, A. Menezes, “The Elliptic Curve Digital Signature Algorithm (ECDSA)”, Technial Report CORR 99-34, Dept. of C & O, University of Waterloo, Canada. <URL> http: //www.cacr.math .uwaterloo.ca / techreports / 1999 / corr99-34.pdf J.A.Solinas, “Efficient Arithmetic on Koblitz Curves”, Designs, Codes and Cryptography, 19, Kluwer Academic Publishers (2000), pp.195-249. RP Gallant, JL Lambert, and SA Vanstone “Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms”, In J. Kilian, editor, Advances in Cryptology Proceedings of CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, 190-200. , 2001.

  If elliptic curve cryptography is used as described above, it is possible to perform cryptographic processing even when resources such as calculation capability and memory capacity are relatively small. However, there are fewer resources available in smart cards (also referred to as IC cards) or the like compared to general computers, and it is necessary to optimize cryptographic processing within the limited resources.

Further, in signature verification and key exchange, it is necessary to perform scalar multiplication of points received immediately before scalar multiplication. For example, using the TNAF _w speeding-up technique of scalar multiplication in Non-Patent Document 2, before scalar multiplication is performed. It is necessary to create a pre-calculation table.

Therefore, the scalar multiplication calculation speed-up technology TNAF _w described in Non-Patent Document 2 has a very large memory usage and is difficult to apply when the available memory is limited. Here, the pre-calculation table is composed of points jP for j satisfying Expression 11.

  The present invention uses a Kobritz curve recommended by a standardization organization (e.g., NIST), encodes a scalar value into a numeric string, selects one non-zero number from the numeric string, and sets each digit of the encoded numeric string. By performing addition on the elliptic curve with digits that match the selected number at a glance, and by performing a second operation on the elliptic curve with digits that do not match the selected number, memory usage and faster An elliptic curve calculation device capable of calculation is provided.

  The present invention further provides an encryption processing device, a decryption processing device, a signature generation device, a signature verification device, and a data sharing device using the above elliptic curve calculation method.

  Here, encoding is an operation for converting a large integer (about 2 160 bits) used as a scalar value into a small number of columns, and this small number of columns is called a numerical sequence.

  The difference between the scalar multiplication method using the prior art and the scalar multiplication method according to the present invention is shown in FIG.

In the scalar multiplication calculation method using the prior art shown in FIG.
(1) Encode the scalar value d.
(2) The point 3P is calculated from the information of the point P. The pre-calculation table includes R ₁ = P and R ₂ = 3P.
(3) The memory storing the point Q is initialized with a virtual point O called a point at infinity. However, the memory used for the point Q is a work area and is different from the memory used as the pre-calculation table. Each digit of the numerical sequence of the encoding result is examined in order, and τ multiplication is performed on the point Q to shift the digit until d _w [j] in Expression 11 becomes a non-zero digit. At this time, the contents of point Q are overwritten.
(4) In a digit where d _w [j] is not 0, addition on the elliptic curve is performed according to the value (1 or 3 in FIG. 15A). When performing addition, a pre-calculation table that stores the pre-calculated results is used. If the value is 1, P stored in R ₁ is read and added with point Q. The result is stored again at point Q.

Similarly, if the number is 3, reads 3P stored in R _2, performs addition between the point P. The result is stored again at point Q.

On the other hand, when the number is -1, P stored in R ₁ is read out, -P is obtained, and point Q and -P are added. The result is stored again at point Q.

Similarly, if the number is -3 reads 3P stored in R _2, seeking -3P, performs addition between the point Q and -3P. The result is stored again at point Q.

Note that the calculation for obtaining P from -P and 3P to -3P can be performed at high speed due to the properties of the elliptic curve.
(5) Repeat (3) and (4) above for all the digits of the numerical sequence (0 to m + a-1 in Equation 10).

On the other hand, in the scalar multiplication calculation method according to the present invention shown in FIG.
(1) Select a number in which d _w [j] is not 0 (assuming this is u) from the numerical sequence (in FIG. 15B, 1 is first selected), and the previous calculation table is represented by a point R = u Initialization is performed with P (in FIG. 15B, initialization is first performed with R = P). However, the memory used for the point Q is a work area and is different from the memory used as the pre-calculation table.
(2) τ multiplication is performed on the point R to shift the digit until the selected number appears. The point R stored in the previous calculation table is overwritten.
(3) When the selected number appears, the point R and the point Q are added, and the result is stored in the point Q.
(4) Repeat (2) and (3) above for all digits (0 to m + a-1 in Equation 10)
(5) The above (1) to (4) are repeated for all odd numbers satisfying −2 ^w−1 <d _w [j] <2 ^w−1 in Expression 11.

  As described above, according to the present invention, it suffices if there is a memory for storing the calculation result for the point R while updating it, and the pre-calculation table is sufficient for one point on the elliptic curve.

  In the example of FIGS. 15A and 15B, the case of w = 3 is described for the sake of simplicity. However, when the conventional technique shown in FIG. 15A is mounted on a product, usually, w = 5 or In order to select w = 6, it is necessary to store 16 points or 32 points on the elliptic curve in the pre-calculation table.

  Therefore, for example, if the memory area required to store one point is about 50 bytes, the size of the precalculation table in the prior art requires about 800 bytes, whereas the size of the precalculation table in the present invention is It will take about 50 bytes.

  As described above, when performing the scalar multiplication using the conventional technique, the information of the points to be stored in the pre-calculation table normally requires 16 pieces or 32 pieces. Since the information of one point on the Kobritz curve is stored in the calculation table and the content is overwritten to perform scalar multiplication, the size of the previous calculation table is 1/16 or 1/32. Therefore, it is possible to provide a scalar multiplication apparatus capable of high-speed calculation with excellent memory usage.

  In a more specific aspect of the present invention, a scalar multiple is obtained from a scalar value and a point on the elliptic curve by using an elliptic curve that can execute a second operation different from addition on the elliptic curve. A scalar multiplication calculation device for elliptic curve cryptography to be calculated, the step of encoding the scalar value into a numerical sequence, the step of selecting one non-zero number from the numerical sequence, and the same absolute value as the selected number A step of performing an operation for obtaining the scalar multiple in a digit having, and a step of repeating the step of selecting and the step of performing the operation for a number that is not 0 and constitutes the numerical sequence. It is characterized by.

  Furthermore, the scalar multiplication calculation device may include an encoding unit that executes the encoding step, an actual calculation unit that executes the selection step, and the calculation step.

  Further, the elliptic curve may be a Kobritz curve.

  Further, the second calculation may be τ multiplication.

  Further, the actual calculation unit may further execute a step of basis conversion.

  Further, the step of selecting one non-zero number from the numerical sequence includes selecting one number from non-zero and non-selected numbers constituting each digit of the numerical sequence, and selecting a number corresponding to the selected number. Comprising the first step of obtaining a previous calculation point by executing a calculation and storing the previous calculation point in a predetermined previous calculation table, the step of calculating the scalar multiple is performed by If there is a digit having a number having the same absolute value as the selected number, the second point on the elliptic curve with respect to the previous calculation point stored in the previous calculation table until that digit is reached. Executes the operation and stores the result in the previous calculation table in the second step of overwriting the previous calculation point in the previous calculation table and the digit having the same absolute value as the selected number in the numeric string. The above total is It consists of a third step for performing addition on the elliptic curve using points, and a fourth step for repeating the second and third steps, and other than 0 constituting each digit of the numerical sequence. When there is an unselected number, it may consist of a fifth step that repeats the first to fourth steps.

Further, the encoding step may further include a step of calculating a value of the Φw function for the scalar value d given by Φw (d) = (dR + dT * tw mods 2w). Note that the Φ _w function is a function used when calculating each term of the above-described number sequence in the step of encoding a large integer into a small number sequence, and details thereof are described in Non-Patent Document 2.

According to another aspect of the present invention, there is provided a signature generation apparatus including a signature unit that generates signature data from data, and a scalar multiplication calculation unit that calculates a scalar multiple necessary for creating the signature data. And
The scalar multiplication unit performs the step of calculating the scalar multiplication point using the scalar multiplication apparatus.

  According to another aspect of the present invention, a signature verification unit that outputs a signature verification result from data and signature data, a scalar multiple calculation unit that calculates a scalar multiple necessary for generating the signature verification result, And the scalar multiplication unit executes the step of calculating the scalar multiple using the scalar multiplication apparatus.

  According to another aspect of the present invention, there is provided an encryption apparatus comprising: an encryption unit that generates encrypted data from data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the encrypted data. The scalar multiplication calculation unit executes the step of calculating the scalar multiple using the scalar multiplication calculation device.

  Another aspect of the present invention provides a decryption unit that includes a decryption unit that generates decryption data from encrypted data, and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the decryption data. The scalar multiplication calculation unit executes the step of calculating the scalar multiplication point using the scalar multiplication calculation device.

  According to the present invention, it is possible to realize a scalar multiplication unit that uses a small amount of memory and can perform high-speed calculations.

    Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 shows a system configuration in which a computer A 101 and a computer B 121 to which an elliptic curve calculation method according to this embodiment connected by a network 142 is applied are connected by a network 142. Message on a computer A101 in the cryptographic communication system of FIG. 1 - To perform encryption di, and calculates and outputs P _m + k (d Q) and k Q, the decrypts the ciphertext with computer B121 Calculates -d (k Q) from the secret keys d and k Q
(P _m + k (d Q))-d (k Q) (Formula 14)
Can be calculated and output.

Here, P _m is a message, k is a random number, d is a constant indicating a secret key, Q is a fixed point, and d Q is a point indicating a public key. Only P _m + k (d Q), kQ is transmitted to the network 142, and in order to restore the message P _m , it is necessary to calculate kd Q, that is, d times k Q. However, since the private key d is the network 142 is not sent, only those holding the secret key d is becomes possible to restore the P _m.

  In FIG. 1, a computer A101 is equipped with an arithmetic device such as a CPU 113 and a coprocessor 114, a storage device such as a RAM 103, a ROM 106 and an external storage device 107, and an input / output interface 110 for performing data input / output with the outside of the computer. A display 108, a keyboard 109, and a removable portable storage medium read / write device for operating the computer A101 by the user are connected to the outside.

  Further, the computer A101 realizes the storage unit 102 by a storage device such as the RAM 103, the ROM 106, and the external storage device 107, and the arithmetic device such as the CPU 113 and the coprocessor 114 executes the program stored in the storage unit 102. The data processing unit 112, the scalar multiplication calculation unit 115, and the processing units included therein are realized. In the present embodiment, the data processing unit 112 functions as the encryption processing unit 112 and encrypts the input message.

  The scalar multiplication calculation unit 115 calculates parameters necessary for the encryption processing unit 112 to perform encryption. The storage unit 102 stores a constant 104 (for example, an elliptic curve definition formula or a fixed point on the elliptic curve), secret information 105 (for example, a secret key), and the like. The computer B121 has the same hardware configuration as the computer A101.

  Further, the computer B121 realizes the storage unit 122 by a storage device such as the RAM 123, the ROM 126, and the external storage device 127, and the arithmetic device such as the CPU 133 and the coprocessor 134 executes the program stored in the storage unit 122. The data processing unit 132, the scalar multiplication calculation unit 135, and the processing units included therein are realized. In the present embodiment, the data processing unit 132 functions as the decryption processing unit 132 and decrypts the ciphertext 141 that is an encrypted message.

  The scalar multiplication calculation unit 135 calculates parameters necessary for the decoding processing unit 132 to perform decoding. The storage unit 122 stores a constant 124 (for example, an elliptic curve definition formula or a fixed point on the elliptic curve), secret information 125 (for example, a secret key), and the like. Each of the above programs may be stored in advance in a storage unit in the computer, or when necessary, via a medium that can be used by the input / output interface 110 or 130 and the computer A101 or B121. You may introduce | transduce into the said memory | storage part from another apparatus. The medium refers to, for example, a storage medium that is detachable from the input / output interface 110 or 130, or a communication medium (that is, a network or a carrier wave or a digital signal that propagates through the network).

  FIG. 2 shows how information is transferred by each processing unit of the computer A101 and the computer B121.

  Next, an operation when the computer A101 in FIG. 1 encrypts an input message will be described. Note that the message in the present specification may be any digitized data, and may be any type of text, image, video, sound, or the like. When receiving the plaintext message (input message 204 in FIG. 2) via the input / output interface 110, the encryption processing unit 112 determines whether or not the bit length of the input plaintext message is a predetermined bit length. When the bit length is longer than a predetermined bit length, the plaintext message is divided so as to have a predetermined bit length.

Hereinafter, a partial message (also simply referred to as a message) divided into a predetermined bit length will be described. The encryption processing unit 112 calculates the y coordinate value (y ₁ ) of the point P _m on the elliptic curve having the numerical value represented by the bit string of the message at the x coordinate (x ₁ ). Since the Kobritz curve is expressed by Equation 4, the value of the y coordinate can be obtained from this.

Next, the encryption processing unit 112 generates a random number k. Then, the public key dQ read from the constant 104 stored in the storage unit 102 (205 in FIG. 2), the x coordinate of Q, the value of the obtained y coordinate, and the random number k are sent to the scalar multiplication unit 115. (206 in FIG. 2). The scalar multiplication unit 115 uses the x-coordinate and y-coordinate values of Q, the scalar double point (x _d1 , y _d1 ) = k Q, and the x-coordinate of the public key d Q, the y-coordinate value, and a random number. The scalar multiple (x _d2 , y _d2 ) = k (d Q) is calculated, and the calculated scalar multiple is sent to the encryption processing unit 112 (207 in FIG. 2).

The encryption processing unit 112 performs encryption processing using the sent scalar multiple. For example, in the Kobritz curve, k Q and P _m + k (d Q) are calculated. That is,
x _e1 = x _d1 (Formula 15)
x _e2 = λ ² + λ + x ₁ + x _d2 + a (Equation 16)
λ = (y ₁ + y _d2 ) / (x ₁ + x _d2 ) (Equation 17)
To obtain encrypted messages x _e1 and x _e2 .

The computer A101 assembles an encrypted output message from the one or more partial messages encrypted by the encryption processing unit 112 (208 in FIG. 2).
The computer A101 outputs the encrypted output message as data 141 from the input / output interface 110, and transfers it to the computer B121 via the network 142.
Note that the information read from the storage unit 102 in FIG. 2 may be performed before the input message is received as long as the information is transmitted to the scalar calculation unit 115.

  Next, the operation when the computer B 121 decrypts the encrypted message 141 will be described with reference to FIG.

  When the encrypted data 141 (input message 204 in FIG. 2) is input via the input / output interface 130, the decryption processing unit 132 (the data processing unit 112 in FIG. 2) receives the input encrypted data. It is determined whether the bit length of the data 141 is a predetermined bit length. When the bit length is longer than the predetermined bit length, the encrypted data is divided so as to have the predetermined bit length.

Hereinafter, partial data (also simply referred to as data) divided into a predetermined bit length will be described. The value of the y coordinate on the elliptic curve having the numerical value represented by the bit string of the data 141 at the x coordinate is calculated. The encrypted message is a bit string of x _e1 and x _e2 , and the y-coordinate values y _e1 and y _e2 are
y _e1 ² + x _e1 y _e1 = x _e1 ³ + ax _e1 ² + 1, (a = 0 or 1) (Equation 18)
y _e2 ² + x _e2 y _e2 = x _e2 ³ + ax _e2 ² + 1, (a = 0 or 1) (Equation 19)
Can be obtained from

The decryption processing unit 132 reads the secret key d (205 in FIG. 2) from the secret information 125 stored in the storage unit 122 (102 in FIG. 2), and the x and y coordinate values (x _e1 , y _e1 ) is sent to the scalar multiplication unit 135 (115 in FIG. 2) (206 in FIG. 2). The scalar multiplication unit 135 calculates a scalar multiple (x _d3 , y _d3 ) = d (x _e1 , y _e1 ) from the x-coordinate and y-coordinate values and the secret information d. The scalar multiplication calculator 135 sends the calculated scalar multiple to the decoding processor 132 (207 in FIG. 2).

The decoding processing unit 132 performs a decoding process using the sent scalar multiple. For example, the encrypted message is a bit string of x _e1 and x _e2 , and (P _m + k (d Q)) d (k Q) = (x _e2 , y _e2 )-(x _d3 , y _d3 ). That is,
x _f1 = λ ² + λ + x _e2 + x _d3 + a (Equation 20)
λ = (y _e2 + y _d3 ) / (x _e2 + x _d3 ) (Formula 21)
And x _f1 corresponding to the partial message x1 before being encrypted is obtained.

  The computer B 121 assembles a plaintext message from the partial message decrypted by the decryption processing unit 132 (208 in FIG. 2), and outputs it from the display 128 or the like via the input / output interface 130.

  As described above, it is necessary to perform scalar multiplication in encryption processing and decryption processing.

  Next, the processing of the scalar multiplication unit 115 when the computer A101 performs encryption processing or when the computer B121 performs decryption processing will be described in detail.

In the first embodiment, the functional block of the scalar multiplication calculator 115 shown in FIG. 3 is used. The scalar multiplication calculation unit 115 (135 in FIG. 1) includes an encoding unit 302 and an actual calculation unit 303. The encoding unit 302 includes a residue acquisition unit 321, a residue conversion unit 322, an iterative determination unit 323, a δ residue conversion unit 324, a Φ _w function calculation unit 325, and a storage unit 326. The actual calculation unit 303 includes a bit value determination unit 331, an addition unit 332, a τ multiplication unit 333, and a repetition determination unit 334.

A first calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point d P in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. The first calculation method is characterized in that scalar multiplication can be performed without using a pre-calculation table. Therefore, in the scalar multiplication of the point received immediately before the scalar multiplication calculation, the scalar multiplication point can be directly calculated without using the pre-calculation table. Therefore, the memory for storing the pre-calculation table can be saved. When the scalar multiplication unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the encoding unit 302 encodes the input scalar value d into a numeric string d _w [j].

this is,
d P = d 'P (Equation 22)
For an integer d 'that satisfies
d '= d _w [m + a-1] τ ^{m + a-1} + d _w [m + a-2] τ ^{m + a-2} +… + d _w [j] τ ^j +… + d _w [ 0] (Formula 23)
-2 ^w-1 <d _w [j] <2 ^w-1 (Equation 24)
This corresponds to converting the scalar value d into d _w [j] that satisfies However, in order to encode the scalar value d into the numerical sequence d _w [j], the remainder obtained by dividing the scalar value d by τ ^w is d _w [j], and this operation is repeated. The detailed calculation method is described in Non-Patent Document 2.

  Here, m is the bit length when the scalar value d ′ is expressed in binary, and w is a small natural number determined in advance and is called the window width. In the present embodiment, it is assumed that w = 4 and the point P is represented by a normal basis.

The actual calculation unit 303 calculates a scalar multiple dP using the numerical sequence d _w [j].

  Next, each process performed by the encoding unit 302 and the actual calculation unit 303 will be described in detail.

  A method in which the encoding unit 302 encodes the scalar value d will be described with reference to FIG.

δ residue transform unit 324, a d Modderuta variable d ', β _{| u |} in the c _0, γ _{| u |} To assign c ₁ respectively (401). However, Non-Patent Document 2 describes a method for calculating d mod δ with respect to δ and the scalar value d.

Where δ is δ = (τ ^m 1) / (τ-1) (Equation 25)
Is a number represented by
d modδ is
d '= d-kδ (Equation 26)
d '= c ₀ + c ₁ τ (Equation 27)
It is expressed in the form Here, k, c ₀ and c ₁ are all integers.

  It is known that when d modδ is encoded, the length of the numerical sequence is shorter than the length of the numerical sequence encoding the scalar value d. That is, it is possible to increase the speed of the scalar multiplication by reducing the number of additions and τ multiplications in the scalar multiplication of the Kobritz curve.

The variable i is initialized with 0, and 0 is assigned to each of j ₀ , j ₁ ,..., J ₂ ^w−1 ₋₁ (402).

The repetition determination unit 323 determines whether c ₀ ≠ 0 or c ₁ ≠ 0. If either of these two conditions is met, go to step 411. If neither of the two conditions is satisfied, the process goes to step 421 (403).

If any of the conditions is satisfied in step 403, c ₀ + t _w * c ₁ mods 2 ^w is substituted for u (411).

  The repetition determination unit 323 determines whether u is an odd number. If the condition is met, go to step 413. If the condition is not satisfied, go to step 415 (412).

If the condition is satisfied in step 412, the _{d w [u] [j u} ] to sign (u) * i, the values are the j _u + 1 to j _u (413).

to _{c 0 c 0 - sign (u} ) * β | u | a, c ₁ to _{c 1 - sign (u) *} γ | u | substitutes respective (414).

The c ₀ to i + 1, t to i, a c ₁ + μc _0/2 to c _0, c ₁ in - a t / 2, substituting respectively, goes to step 403 (415).

Substitute Ω for each of d _w [0] [j ₀ ], ..., d _w [2 ^w-1 -1] [j ₂ ^w-1 _-1 ] (421). Here, Ω is a symbol representing a termination. For example, as Ω,
Ω = 2 ^L
Is possible. Here, L is an integer satisfying 2 ^m <2 ^L.
Putting an Omega = 2 ^L, the binary representation of the Omega, only the most significant bit is 1, implementation of this embodiment is easily performed.

The encoding unit 302 outputs d _w [0],..., D _w [j ₂ ^w−1 ₋₁ ] to the actual calculation unit 303 (422).

  Next, a method for calculating the scalar multiple in the elliptic curve from the encoded scalar value and the point on the elliptic curve will be described with reference to FIG.

For w = 4, for each i, d _w [i] is ± 1, ± 3, ± 5, ± 7.

Q, R, u, and d _w [u] are input, R is initialized with (u mod τ ^w ) P, j is set to 0, and k is set to 0 (501).

| d _w [u] [j] | is substituted for i, τ ^jk R is substituted for R, and i is substituted for k (511).
Here, for the number x, | x | is a number representing the absolute value of x.

The repetition determining unit 334 determines whether d _w [u] [j]> 0. If the condition is met, go to step 513. If the condition is not satisfied, go to step 514 (512).

  The adding unit 332 adds the point Q and the point R, and stores the result in Q (513).

  The adder 332 adds the point Q and the point -R, and stores the result in Q (514).

  j + 1 is substituted for j (515).

The iterative determination unit 334 determines whether d _w [u] [j] ≠ Ω. If the condition is met, go to step 511. If the condition is not satisfied, go to step 521 (516).

  The actual calculation unit 302 outputs the point Q (521).

  The calculation from step 501 to step 521 is repeated from i = 0 to i = 3.

D _w [j] output by the processing performed by the encoding unit 302 satisfies Expression 22, Expression 23, and Expression 24. The reason for this is as follows. In step 401, d mod δ is substituted for d ′. Therefore, it can be expressed using d ′ = d + kδ and an appropriate number k. On the other hand, on the Kobritz curve, it is known that the point δP is an infinite point, and therefore Equation 22 holds.

The reason why Expression 23 is satisfied is that the remainder obtained by dividing the scalar value d by τ ⁴ is d ₄ [j], and this operation is repeated.

Moreover, if the remainder divided by τ ⁴ is d ₄ [j] and this operation is repeated, d ₄ [j] becomes
^-8 = -2 ^4-1 <d ₄ [j] <2 ^4-1 = 8
In order to satisfy, Equation 24 holds.

The point Q output from the actual calculation unit 303 is equal to the scalar multiple dP. The reason is as follows. d '
d '= Σ _{i, j} sign (d _w [u [i]] [j]) τ ^{| dw [u [i]] |} (Equation 28)
And can be transformed. At this time,
d'P = (Σ _{i, j} sign (d _w [u [i]] [j]) τ ^{| dw [u [i]] |} (P)) (Equation 29)
For each i, Σ _j sign (d _w [u [i]] [j]) τ ^{| dw [u [i]] |} (P) is calculated in FIG. Therefore, the point Q satisfies Q = dP.

The scalar multiplication calculation unit 115 does not need to include a pre-calculation unit. The reason is as follows. In FIG. 5, when the i-th calculation is completed,
Q = Σ _j sign (d _w [u [0]] [j]) τ ^{| dw [u [0]] |} (P) +… + Σ _j sign (d _w [u [i-1]] [j ]) τ ^{| dw [u [i-1]] |} (P) (Equation 30)
And when substituting (u [i] mod τ ⁴ ) P for R in step 501 of the (i + 1) th calculation, if a = 0,
(u [0] mod τ ⁴ ) P = P (Equation 31)
(u [1] mod τ ⁴ ) P = -τ P-3 P (Equation 32)
(u [2] mod τ ⁴ ) P = -τ P-P (Equation 33)
(u [3] mod τ ⁴ ) P = -τ P + P (Equation 34)
If a = 1,
(u [0] mod τ ⁴ ) P = P (Equation 35)
(u [1] mod τ ⁴ ) P = τ P-3 P (Equation 36)
(u [2] mod τ ⁴ ) P = τ P-P (Equation 37)
(u [3] mod τ ⁴ ) P = τ P + P (Equation 38)
Calculate Therefore, only the point P needs to be stored, and the point (u [i + 1] mod τ ⁴ ) P is calculated from the point (u [i] mod τ ⁴ ) P and the value is overwritten. No calculation table is required and memory can be saved.

In addition, the scalar multiplication in this embodiment is excellent in high speed. This is as follows. In the scalar multiplication using TNAF ₄ for the points received just before the scalar multiplication, the necessary calculation cost is
{(m + a) / 5 + 3} * ECADD + {(m + a) / 5 + 3} * ECFRB (Formula 39)
This is equivalent to the necessary calculation cost in the normal scalar multiplication using TNAF ₄ . However, ECADD and ECFRB represent addition on the elliptic curve and τ multiplication, respectively. In other words, Expression 35 represents the total number of times of each elliptic calculation in the scalar calculation.

The calculation cost in the scalar multiplication described in Non-Patent Document 2 is
{(m + a) / 5 + 3} * ECADD + {(m + a) / 5 + 2} * ECFRB (Formula 40)
It is. Therefore, it has the same high speed as the scalar multiplication using normal TNAF ₄ and has excellent memory usage.

Further, in the scalar multiplication calculation in this embodiment, j can be arranged in random order for each i. However, d _w [u [i]] [j] is a number whose digit is u [i] or −u [i] when the scalar value d is encoded. When j is arranged in random order for each i, if scalar multiplication is performed in this order, the scalar multiplication can be randomized.

  Moreover, the scalar multiplication calculation method in the present embodiment can be applied to an elliptic curve described in Non-Patent Document 3 and an elliptic curve having a Frobenius map.

  As described above, the above calculation method is characterized by excellent memory usage and high speed with respect to an elliptic curve having a second operation different from the addition on the elliptic curve.

  In the second embodiment, the functional block of the scalar multiplication calculator 115 shown in FIG. 3 is used. The scalar multiplication calculation unit 115 (135 in FIG. 1) is the same as that in the first embodiment.

A second calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point d P in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. The second calculation method is characterized in that scalar multiplication can be performed for an arbitrary window width w. Here, description will be made using w = 5 as the value of the window width w. As in the first embodiment, in the scalar multiplication of the point received immediately before the scalar multiplication calculation, the scalar multiplication point can be directly calculated without using the pre-calculation table, so that the memory can be saved. When the scalar multiplication unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the encoding unit 302 encodes the input scalar value d into a numeric string d _w [j].
This corresponds to the conversion of the scalar value d into d _w [j] satisfying Expressions 23 and 24 for the integer d ′ satisfying Expression 22.

  In this embodiment, it is assumed that the point P is represented by a normal basis.

The actual calculation unit 303 calculates a scalar multiple dP using the numerical sequence d _w [j].

  Next, each process performed by the encoding unit 302 and the actual calculation unit 303 will be described in detail.

  The encoding unit 302 encodes the scalar value d in the same manner as in the first embodiment.

  Next, a method of calculating a scalar multiple in an elliptic curve from an encoded scalar value and a point on the elliptic curve will be described with reference to FIGS.

  If w = 5, u [0] = 1, u [1] = 3, u [2] = 11, u [3] = 15, u [4] = 5, u [5] = 13, u [ 6] = 7 and u [7] = 9.

  When the real calculation unit 303 receives the point P and the scalar value d, when u [0] = 1, u [3] = 15, u [5] = 13, and u [7] = 9, FIG. To calculate the point Q, and when u [1] = 3, u [2] = 11, u [4] = 5, u [6] = 7, using FIG. Calculate The processing in FIG. 5 is the same as that in the first embodiment.

Q, R, u, and d _w [u] are input, and R is initialized with (u mod τ ^w ) P, j is set to 0, and k is set to 0 (601).

| d _w [u] [j] | is substituted for i, τ ^jk R is substituted for R, and i is substituted for k (611).

The repetition determining unit 334 determines whether d _w [u] [j]> 0. If the condition is met, go to step 613. If the condition is not satisfied, go to step 614 (612).

  The adding unit 332 adds the point Q and the point R, and stores the result in Q (613).

  The adding unit 332 adds the point Q and the point -R, and stores the result in Q (614).

  j + 1 is substituted for j (615).

The iterative determination unit 334 determines whether d _w [u] [j] ≠ Ω. If the condition is met, go to step 611. If the condition is not satisfied, go to Step 621 (616).

Substituting τ ^mk R into R, the actual calculation unit 302 outputs points Q and R (621).
D _w [j] output by the processing performed by the encoding unit 302 satisfies Expression 22, Expression 23, and Expression 24. The reason is as follows.

  The reason why Expression 22 is satisfied is the same as in the first embodiment.

The reason why Expression 23 is satisfied is that the remainder obtained by dividing the scalar value d by τ ⁵ is d ₅ [j], and this operation is repeated.

Moreover, when the remainder divided by τ ⁵ is d ₅ [j] and this operation is repeated, d ₅ [j] becomes
^-16 = -2 ^5-1 <d ₅ [j] <2 ^5-1 = 16
In order to satisfy, Equation 24 holds.

The point Q output from the actual calculation unit 303 is equal to the scalar multiple dP. The reason is as follows. d '
d '= Σ _{i, j} sign (d _w [u [i]] [j]) τ ^{| dw [u [i]] |}
And can be transformed. At this time,
d'P = (Σ _{i, j} sign (d _w [u [i]] [j]) τ ^{| dw [u [i]] |} (P)) (Equation 42)
And for each i, Σ _j sign (d _w [u [i]] [j]) τ ^{| dw [u [i]] |} (P) is calculated in FIG. 5 or FIG. ing. Therefore, the point Q satisfies Q = dP.

The scalar multiplication calculation unit 115 does not need to include a pre-calculation unit. The reason is as follows. In FIG. 5 or FIG. 6, when the i-th calculation is completed,
Q = Σ _j sign (d _w [u [0]] [j]) τ ^{| dw [u [0]] |} (P) +… + Σ _j sign (d _w [u [i-1]] [j ]) τ ^{| dw [u [i-1]] |} (P) (Formula 43)
In (i + 1) -th step 501 or step 601,
When (u [i] mod τ ⁵ ) P is substituted for R, if a = 0,
(u [0] mod τ ⁵ ) P = P (Equation 44)
(u [1] mod τ ⁵ ) P = τ ² P-P (Equation 45)
(u [2] mod τ ⁵ ) P = τ ³ P + (u [1] mod τ ⁵ ) P (Equation 46)
(u [3] mod τ ⁵ ) P = τ P-(u [2] mod τ ⁵ ) P (Equation 47)
(u [4] mod τ ⁵ ) P = -τ P-P (Equation 48)
(u [5] mod τ ⁵ ) P = -τ ² (u [4] mod τ ⁵ ) P + P (Equation 49)
(u [6] mod τ ⁵ ) P = -τ P + P (Equation 50)
(u [7] mod τ ⁵ ) P = -τ ⁴ P-(u [6] mod τ ⁵ ) P (Equation 51)
If a = 1,
(u [0] mod τ ⁵ ) P = P (Formula 52)
(u [1] mod τ ⁵ ) P = τ ² P-P (Equation 53)
(u [2] mod τ ⁵ ) P = -τ ³ P + (u [1] mod τ ⁵ ) P (Formula 54)
(u [3] mod τ ⁵ ) P = -τ P-(u [2] mod τ ⁵ ) P (Equation 55)
(u [4] mod τ ⁵ ) P = τ P-P (Formula 56)
(u [5] mod τ ⁵ ) P = -τ ² (u [4] mod τ ⁵ ) P + P (Equation 57)
(u [6] mod τ ⁵ ) P = τ P + P (Formula 58)
(u [7] mod τ ⁵ ) P = -τ ⁴ P-(u [6] mod τ ⁵ ) P (Formula 59)
Calculate Therefore, only the point P need be stored, and the point (u [i + 1] mod τ ⁵ ) P can be calculated from the point (u [i] mod τ ⁵ ) P and overwritten with the value. No calculation table is required and memory can be saved.

  In the first embodiment, the reason for performing the scalar multiplication using FIGS. 5 and 6 in FIGS. 5 and 2 is as follows.

In the first embodiment, all (u [i] mod τ ⁵ ) P are calculated using the point P, whereas in the second embodiment, (u [i] mod τ ⁵ ) P is calculated as i = 0,1,4,6, use point P, and if i = 2,3,5,7, use (u [i-1] mod τ ⁵ ) P Do. This, when performing ^{(u [i] mod τ 5} ) calculation of the P, when using a (u [i-1] mod τ 5) P, in step 621
R = (u [i-1] mod τ ⁵ ) P (Equation 60)
It must be kept as. Therefore, in Example 2, scalar multiplication is performed using FIGS.

In addition, the scalar multiplication in this embodiment is excellent in high speed. This is as follows. In the scalar multiplication using TNAF ₅ for the points received just before the scalar multiplication, the necessary calculation cost is
{(m + a) / 6 + 7} * ECADD + {(m + a) / 6 + 7} * ECFRB (Formula 61)
It becomes. The calculation cost in the scalar multiplication described in Non-Patent Document 2 is
{(m + a) / 6 + 7} * ECADD + {(m + a) / 6 + 4} * ECFRB (Formula 62)
It is. It is equivalent to the necessary calculation cost in the normal scalar multiplication using TNAF ₅ . Therefore, it has the same high speed as a scalar multiplication calculation using ordinary TNAF ₅ and has excellent memory usage.

Further, in the scalar multiplication calculation in this embodiment, j can be arranged in random order for each i. However, d _w [u [i]] [j] is a number whose digit is u [i] or −u [i] when the scalar value d is encoded. As in the first embodiment, when scalars are calculated in this order when j is arranged in a random order for each i, the scalar multiplications can be randomized.

  As in the first embodiment, the scalar multiplication calculation method in the present embodiment can be applied to the elliptic curve described in Non-Patent Document 3 and the elliptic curve having the Frobenius map.

  As described above, the above calculation method is characterized by excellent memory usage and high speed with respect to an elliptic curve having a second operation different from the addition on the elliptic curve.

In the third embodiment, the functional block of the scalar multiplication calculator 115 shown in FIG. 7 is used. The scalar multiplication calculation unit 115 (135 in FIG. 1) includes an encoding unit 702 and an actual calculation unit 703. The encoding unit 702 includes a residue acquisition unit 721, a residue conversion unit 722, an iterative determination unit 723, a δ residue conversion unit 724, a Φ _w function calculation unit 725, and a storage unit 726. The actual calculation unit 703 includes a bit value determination unit 731, an addition unit 732, a τ multiplication unit 733, a repetition determination unit 734, and a base conversion unit 735.

  A third calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point d P in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. In the third calculation method, the point P can be expressed using an arbitrary basis. Therefore, in the scalar multiplication calculation, it is not necessary to limit the basis used for expressing the coordinates of the point P to the normal basis. Here, a description will be given using a polynomial basis.

As in the first and second embodiments, in the scalar multiplication of the points received immediately before the scalar multiplication, the scalar multiple can be calculated directly without using the pre-calculation table. When the scalar multiplication calculation unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the encoding unit 702 encodes the input scalar value d into a numerical string d _w [j].

The calculation method for encoding the scalar value d into the numerical sequence d _w [j] is the same as in the embodiment, and details thereof are described in Non-Patent Document 2.

  In this embodiment, it is assumed that w = 4 and the point P is represented by a polynomial basis.

The actual calculation unit 703 calculates the scalar multiple dP using the numerical sequence d _w [j].

  Next, each process performed by the encoding unit 702 and the actual calculation unit 703 will be described.

  The encoding unit 702 encodes the scalar value d in the same manner as in the first and second embodiments.

  Next, a method for calculating a scalar multiple in an elliptic curve from the encoded scalar value and a point on the elliptic curve will be described with reference to FIG.

Q, u, R _p , d _w [u] are input, R _p is initialized with (u [i] mod τ ^w ) P, j is set to 0, and k is set to 0, respectively. a polynomial basis representation R _p into a regular basis representation R _n of (801).

the _{i | d w [u] [} j] | a, to R _n tau ^jk R _n, i and assigns each k, converts the normal basis representation R _n of the point R in a polynomial basis representation R _p (811 ).

The repetition determination unit 734 determines whether d _w [u] [j]> 0. If the condition is met, go to Step 813. If the condition is not satisfied, go to step 814 (812).

Adding section 732 adds the point Q and the point R _p, and stores the result in Q (813).

The adding unit 732 adds the point Q and the point −R _p and stores the result in Q (814).

  j + 1 is substituted for j (815).

The iterative determination unit 734 determines whether d _w [u] [j] ≠ Ω. If the condition is met, go to Step 811. If the condition is not satisfied, go to Step 821 (816).

The actual calculation unit 703 outputs the point Q (821).
The calculation from step 801 to step 821 is repeated from i = 0 to i = 3.

D _w [j] output by the processing performed by the encoding unit 702 satisfies Expression 22, Expression 23, and Expression 24. The reason is the same as in the first embodiment.

  The point Q output from the actual calculation unit 703 is equal to the scalar multiple dP. The reason for this is the same as in the first and second embodiments.

  The scalar multiplication calculation unit 115 does not need to include a pre-calculation unit. The reason for this is also the same as in the first and second embodiments.

In addition, the scalar multiplication in this embodiment is excellent in high speed. This is as follows. In the scalar multiplication using TNAF ₄ for the points received just before the scalar multiplication, the necessary calculation cost is
{(m + a) / 5 + 3} * ECADD + {(m + a) / 5 + 7} * ECFRB + {(m + a) / 5 + 4} COB (Formula 63)
It becomes.
The calculation cost in the scalar multiplication described in Non-Patent Document 2 is
{(m + a) / 5 + 3} * ECADD + {(m + a) + 3} * ECFRB (Formula 64)
It is.
In the scalar multiplication calculation using ordinary TNAF ₄ , it is equivalent to the necessary calculation cost. However, COB represents basis conversion. Therefore, it has the same high speed as the scalar multiplication using normal TNAF ₄ and has excellent memory usage. Here, the calculation cost is the total number of operations necessary for scalar multiplication (for example, addition on an elliptic curve or τ multiplication).

  In addition, by combining Example 2 and Example 3, in the scalar multiplication calculation of the point received immediately before the scalar multiplication calculation, an arbitrary window width w and an arbitrary base are used, and a pre-calculation table is obtained. It is possible to calculate the scalar multiple directly without using it. In this case, FIG. 8 and FIG. 9 are used in the scalar multiplication calculation. The reason is the same as in the second embodiment.

Further, in the scalar multiplication calculation in this embodiment, j can be arranged in random order for each i. However, d _w [u [i]] [j] is a number whose digit is u [i] or −u [i] when the scalar value d is encoded. For each i, when j is arranged in a random order, if scalar multiplication is performed in this order, the scalar multiplication can be randomized in the same manner as in the first and second embodiments. is there.

  Further, as described in Non-Patent Document 2, normal bases and polynomial bases are represented using column vectors, and basis transformations are represented using matrices.

In step 811, a process of substituting tau ^jk R _n in R _n, the shift operation of the column vectors, and the process of converting the normal basis representation R _n of the point R in a polynomial basis representation R _p is the column vector and the Matrix product. Therefore, when the embodiment is implemented, the calculation of the product of the column vector and the matrix in the basis conversion process does not start the calculation from the first term of the column vector, but becomes the first term after the shift operation. by implemented to start the calculation from the term, it is possible to omit the shift operation processing for substituting tau ^jk R _n to R _n. This may further increase the speed.

  As in the first and second embodiments, the scalar multiplication method in this embodiment can be applied to the elliptic curve described in Non-Patent Document 3 and the elliptic curve having the Frobenius map. .

  As described above, the above calculation method is characterized by excellent memory usage and high speed with respect to an elliptic curve having a second operation different from the addition on the elliptic curve.

In the embodiment, the functional block of the scalar multiplication unit 115 shown in FIG. 10 is used. The scalar multiplication calculation unit 115 (135 in FIG. 1) includes an actual calculation unit 1002. The actual calculation unit 1002 includes a residue acquisition unit 1021, a residue conversion unit 1022, an iterative determination unit 1023, a delta residue conversion unit 1024, a Φ _w function calculation unit 1025, a bit value determination unit 1031, an addition unit 1032, and a τ multiplication unit 1033. Become.

  A fourth calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. The fourth calculation method has a feature that a scalar multiplication can be directly performed without encoding a scalar value. Therefore, the actual calculation unit 1002 does not need to include an encoding unit. As in the first, second, and third embodiments, there is a feature that scalar multiplication can be performed without using the pre-calculation table. Therefore, in the scalar multiplication of the point received immediately before the scalar multiplication calculation, the scalar multiplication point can be directly calculated without using the pre-calculation table. Therefore, the memory for storing the pre-calculation table can be saved. In the present embodiment, it is assumed that w = 4 and the point P is represented by a normal basis.

  Next, each process performed by the actual calculation unit 1002 will be described in detail.

  A method in which the actual calculation unit 1002 calculates a scalar multiple point in an elliptic curve from a scalar value and a point on the elliptic curve will be described with reference to FIG.

  A point P and a scalar value d are input (1101).

TNAF _w (d mod δ) is assigned to d _w [0],..., d _w [2 ^w−1 −1] (1102).

  Q is initialized to infinity point O and i is initialized to 0 (1103).

The iterative determination unit 1023 determines whether i <2 ^w−1 . If the condition is met, go to step 1111. If the condition is not satisfied, go to Step 1121 (1104).

Assign u [i] to v, (v modτ ^w ) P to R, and Q + Σ _j sign (d _w [v] [j]) * τ ^{| dw [v] [j] |} R to Q (1111).

  i + 1 is substituted for i, and the process goes to Step 1104 (1112).

  The actual calculation unit 1002 outputs the point Q (1121).

  By combining the embodiment 2 and the embodiment 4, in the scalar multiplication of the point received immediately before the scalar multiplication calculation, the scalar multiplication point can be directly set at an arbitrary window width w without using the previous calculation table. It is possible to calculate. The reason is the same as in the first to third embodiments.

  In addition, by combining Example 3 and Example 4, in the point scalar multiplication calculation received immediately before the scalar multiplication calculation, the point P is expressed using an arbitrary window width w and an arbitrary base. The scalar multiple can be directly calculated without using the pre-calculation table. This is as follows.

Here, the functional block of the scalar multiplication unit 115 shown in FIG. 12 is used. The scalar multiplication calculation unit 115 (135 in FIG. 1) includes an actual calculation unit 1202. The actual calculation unit 1202 includes a residue acquisition unit 1221, a residue conversion unit 1222, an iterative determination unit 1223, a delta residue conversion unit 1224, a Φ _w function calculation unit 1225, a bit value determination unit 1231, an addition unit 1232, a τ multiplication unit 1233, The base conversion unit 1234 is included.

  A method in which the actual calculation unit 1202 calculates a scalar multiple point in an elliptic curve from a scalar value and a point on the elliptic curve will be described with reference to FIG.

  A point P and a scalar value d are input, Q is initialized to an infinite point O, and i is initialized to 0 (1301).

The repetition determination unit 1223 determines whether i < ^2w−1 . If the condition is met, go to Step 1311. If the condition is not satisfied, go to step 1351 (1302).

(U [i] mod τ ^w ) P is substituted for R, d mod δ is substituted for c ₀ + c ₁ τ, 0 is substituted for j, and 0 is substituted for k (1311).

The repetition determining unit 1223 determines whether c ₀ ≠ 0 or c ₁ ≠ 0. If either one of these two conditions is met, go to Step 1313. If neither of the two conditions is satisfied, the process goes to step 1341 (1312).

If any of the conditions in step 1312 is satisfied, v assigns the _{c 0 + t w * c 1} mods 2 w in, go to step 1314 (1313).

  The iterative determination unit 1223 determines whether or not | v | = u [i]. If the condition is met, go to step 1321. If the condition is not satisfied, go to Step 1325 (1314).

Τ ^jk R is substituted for R and j is substituted for k (1321).

  The repetition determination unit 1223 determines whether v> 0. If the condition is met, go to Step 1323. If the condition is not satisfied, go to Step 1324 (1322).

  The adding unit 1232 adds the point Q and the point R, and stores the result in Q (1323).

  The adding unit 1232 adds the point Q and the point -R, and stores the result in Q (1324).

  The repetition determination unit 1223 determines whether v is an odd number. If the condition is met, go to Step 1331. If the condition is not satisfied, go to step 1332 (1325).

The, c ₁ to _{c 1 - sign (v) *} γ | | v | sign (v) * β - to c ₀ c _{0 v |} is substituted respectively (1331).

The j + 1 to j, a c ₁ + μc _0/2 to c _0, c ₀ to t, the c ₁ - t / 2 is substituted, respectively (1332).

i + 1 is assigned to i and τ ^mk R is assigned to R, respectively, and the process goes to Step 1302 (1341).

  The actual calculation unit 1202 outputs the point Q (1351).

  The point Q output from the actual calculation unit 1202 is equal to the scalar multiple dP. The reason for this is the same as in Example 1, Example 2, and Example 3.

The scalar multiplication calculation unit 115 does not need to include a pre-calculation unit. The reason for this is the same as in the first, second, and third embodiments.
In addition, the scalar multiplication in this embodiment is excellent in high speed. The reason for this is the same as in the first, second, and third embodiments.

  Further, the implementation of the present embodiment may further increase the speed by omitting the shift calculation process using the same method as in the third embodiment.

  As in the first to third embodiments, the scalar multiplication calculation method in the present embodiment can be applied to the elliptic curve described in Non-Patent Document 3 and the elliptic curve having the Frobenius map.

  As described above, the above calculation method is characterized by excellent memory usage and high speed with respect to an elliptic curve having a second operation different from the addition on the elliptic curve.

  Next, an embodiment in which the present invention is applied to a signature verification system will be described with reference to FIGS.

  The signature verification system in FIG. 2 includes a smart card 1401 and a computer 1421 that performs signature verification processing.

  The smart card 1401 has a configuration similar to that of the computer A101 in FIG. 1, and an arithmetic device such as the CPU 113 and the coprocessor 114 executes a program stored in the storage unit 102, thereby not the data processing unit 112, A signature generation processing unit 1412 is realized.

  However, the external storage device 107, the display 108, and the keyboard 109 shown in FIG. The computer 1421 has the same configuration as the computer A101, and the signature verification processing unit 1432 is realized instead of the data processing unit 112 when the CPU 113 executes the program. The scalar multiplication calculators 1415 and 1435 have the same functions as the scalar multiplication calculator 115 or 135 shown in FIG.

  In the present embodiment, each program in the computer 1421 may be stored in advance in the storage unit in the computer, or may be stored in another device via a medium that can be used by the computer 1421 when necessary. To the storage unit.

  Furthermore, each program in the smart card 1401 may be stored in advance in the storage unit in the smart card 1401, or when necessary, a computer connected via the input / output interface or the computer uses the program. The storage unit may be introduced via a possible medium. The medium refers to, for example, a storage medium removable from the computer or a communication medium (that is, a network or a carrier wave propagating through the network).

  A signature generation and signature verification operation in the signature verification system of FIG. 14 will be described with reference to FIG. There is a signature method called an elliptic curve digital signature algorithm (ECDSA) that configures a digital signature method based on a discrete logarithm problem in correspondence with a method based on a discrete logarithm problem on an elliptic curve. The ECDSA signature is described in Non-Patent Document 1, for example.

  The computer 1421 transfers the randomly selected numerical value as the challenge code 1442 to the smart card 1401 via the interface.

  The signature generation processing unit 1412 (112 in FIG. 2) receives the challenge code 1442, takes the hash value of the challenge code 1442, and converts it into a numerical value f having a predetermined bit length.

  The signature generation processing unit 1412 generates a random number u, and reads out from the constant 1404 stored in the storage unit 1402 (102 in FIG. 2) (205 in FIG. 2) together with the fixed point Q on the elliptic curve, a scalar multiplication calculation unit 1415 (115 in FIG. 2) (206 in FIG. 2).

The scalar multiplication unit 1415 calculates a scalar multiple u Q = (x _u , y _u ) based on the fixed point Q and the random number u, and sends the calculated scalar multiple to the signature generation processing unit 1412 (207 in FIG. 2). .
The signature generation processing unit 1412 generates a signature using the sent scalar multiple. For example, if it is the ECDSA signature of Non-Patent Document 1,
s = x _u mod q (Equation 65)
t = u ^-1 (f + ds) mod q (Equation 66)
To obtain a signature (s, t) corresponding to the challenge code 1442 (208 in FIG. 2).

  Here, q is the order of the fixed point Q, that is, the q-fold point q Q of the fixed point Q is an infinite point, and the m-fold point m Q of the fixed point Q for a numerical value m smaller than q is not an infinite point. It is such a numerical value.

The smart card 1401 outputs the signature 1441 generated by the signature generation processing unit 1412 from the input / output interface 1410 and transfers it to the computer 1421 through the interface.
When the signature 1441 is input (204 in FIG. 2), the signature verification processing unit 1432 (112 in FIG. 2) of the computer 1421 has a numerical value s, t within the appropriate range, that is, 1 ≦ s, t <q Find out if it is.

If the numerical values s and t are not within the above range, “invalid” is output as the signature verification result for the challenge code 1442, and the smart card 1401 is rejected. If the numerical values s and t are within the above range, the signature verification processing unit 1432
h = t ^-1 mod q (Formula 67)
h ₁ = fh mod q (Formula 68)
h ₂ = sh mod q (Formula 69)
Calculate

Then, the scalar key calculator 1435 (Fig. 2) converts the calculated h ₁ and h ₂ with the public key dQ and the fixed point Q (205 in Fig. 2) read from the constant 1424 stored in the storage unit 1422 (102 in Fig. 2). 2 of 115) (206 of FIG. 2).

The scalar multiplication unit 1435 calculates a scalar multiple h ₁ Q based on the fixed points Q and h ₁ and a scalar multiple h ₂ d Q based on the public keys d Q and h ₂ and verifies the calculated scalar multiple The data is sent to the processing unit 1432 (207 in FIG. 2).

The signature verification processing unit 1432 performs signature verification processing using the sent scalar multiple. For example, for ECDSA signature verification, point R
R = h ₁ Q + h ₂ d Q (Equation 70)
And the x coordinate is x _R ,
s' = x _R mod q (Equation 71)
If s ′ = s, “valid” is output as the signature verification result for the challenge code 1442, and the smart card 1401 is authenticated and accepted (208 in FIG. 2).
If s ′ = s, “invalid” is output and the smart card is rejected (208 in FIG. 2).
For signature generation and verification, a scalar multiple is calculated. Therefore, when performing signature generation and signature verification, it is possible to use the scalar multiplication calculation method described in any one of the first to fourth embodiments.

In the signature verification, a multiple scalar multiple h ₁ Q + h ₂ d Q based on the point Q received immediately before the verification and the public key d Q is calculated from Equation 70. Therefore, when using the method of Non-Patent Document 2, it is necessary to create a pre-calculation table before calculating Formula 66. However, if the scalar multiplication calculation method described in any one of Example 1 to Example 4 is used, it is not necessary to create a pre-calculation table, and scalar multiplication calculation is performed even when usable memory is limited. It can be done at high speed.

  Next, an embodiment in which the present invention is applied to a key exchange system will be described. In the present embodiment, the system configuration of FIG. 1 can be applied.

  The data processing units 112 and 132 in FIG. 1 function as the key exchange processing units 112 and 132, respectively, in this embodiment. The operation when the computer A101 of the key exchange system derives the shared information from the input data 143 will be described with reference to FIGS.

  The data processing unit 132 (112 in FIG. 2) of the computer B121 reads the secret key b from the secret information 125 of the storage unit 122 (102 in FIG. 2), and calculates the public key bQ of the computer B121. Then, the public key bQ is transferred as data 143 to the computer A101 via the network 142. When the key exchange processing unit 112 (112 in FIG. 2) of the computer A101 receives the input of the public key bQ of the computer B121 (204 in FIG. 2), the key exchange processing unit 112 reads it from the storage unit 102 (FIG. 2). 205) The secret key a of the computer A101, which is the secret information 105, and the public key bQ of the computer B121 are sent to the scalar multiplication unit 115 (206 in FIG. 2).

  The scalar multiplication calculator 115 calculates a scalar multiple dbQ based on the secret key d and the public key bQ, and sends the calculated scalar multiple to the key exchange processing unit 112 (207 in FIG. 2).

  The key exchange processing unit 112 derives shared information using the sent scalar multiple, and stores it as the secret information 105 in the storage unit 102. For example, the x coordinate of the scalar multiple dbQ is used as shared information.

  Next, an operation when the computer 121 derives shared information from the input data 141 will be described.

  The data processing unit 112 of the computer A101 reads the secret key d from the secret information 105 of the storage unit 102 and calculates the public key dQ of the computer A101. Then, the public key dQ is transferred as data 141 to the computer B 121 via the network 142.

  When the key exchange processing unit 132 (112 in FIG. 2) of the computer B121 accepts the input of the public key dQ of the computer A101 (204 in FIG. 2), the key exchange processing unit 132 is stored in the storage unit 122 (102 in FIG. 2). The private key b of the computer B121 and the public key dQ of the computer A101 which are the secret information 125 read from the constant 125 (205 in FIG. 2) are sent to the scalar multiplication unit 135 (115 in FIG. 2) (206 in FIG. 2). ).

The scalar multiplication calculator 135 calculates a scalar multiple bd Q based on the secret key b and the public key d Q, and sends the calculated scalar multiple to the key exchange processor 132 (207 in FIG. 2).
The key exchange processing unit 132 derives shared information using the sent scalar multiple and stores it as the secret information 125 in the storage unit 122. For example, the x coordinate of the scalar multiple bd Q is used as shared information. Here, since the number db and the number bd are the same as numerical values, the point db Q and the point bd Q are the same point, and the same information is derived.

  In key agreement, the scalar multiple of the received point is calculated. Therefore, when performing key exchange, it is possible to use the scalar multiplication calculation method described in any one of the first to fourth embodiments.

  In key sharing, a scalar multiple is calculated based on the points received when exchanging keys. Therefore, when using the method of Non-Patent Document 2, it is necessary to create a pre-calculation table before calculating a scalar multiple of the received point. However, when the scalar multiplication calculation method described in any one of the first to fourth embodiments is used, it is not necessary to create a pre-calculation table.

  The point d Q and the point b Q are transmitted to the network 142, and the secret key d or the secret key b must be used to calculate the point db Q (or the point bd Q). That is, the shared information cannot be obtained without knowing the secret key d or the secret key b. The shared information obtained in this way can be used as a secret key for common key cryptography.

  In addition, the encryption processing unit, the decryption processing unit, the signature generation processing unit, the signature verification processing unit, and the key exchange processing unit in each of the above embodiments may be performed using dedicated hardware. Further, the scalar multiplication calculation unit may be realized by a coprocessor or other dedicated hardware. The data processing unit may be configured to perform any one or more of the encryption processing, decryption processing, signature generation processing, signature verification processing, and key exchange processing.

It is a system configuration diagram in each embodiment. It is a sequence diagram which shows delivery of the information in each embodiment. FIG. 10 is a configuration diagram of a scalar multiplication calculator in the embodiments of Example 1 and Example 2. FIG. 10 is a flowchart illustrating an encoding method performed by an encoding unit according to the first embodiment, the second embodiment, and the third embodiment. FIG. 6 is a flowchart illustrating a method of calculating a scalar multiple of an actual calculation unit according to the first embodiment and the second embodiment. FIG. 10 is a flowchart illustrating a method of calculating a scalar multiple of an actual calculation unit in the second embodiment. 6 is a configuration diagram of a scalar multiplication calculation unit in the embodiment of Example 3. FIG. FIG. 10 is a flowchart illustrating a method of calculating a scalar multiple of an actual calculation unit in the third embodiment. FIG. 10 is a flowchart illustrating a method of calculating a scalar multiple of an actual calculation unit in the third embodiment. 6 is a configuration diagram of a scalar multiplication calculation unit in the embodiment of Example 4. FIG. FIG. 10 is a flowchart illustrating a method of calculating a scalar multiple of an actual calculation unit in the fourth embodiment. 6 is a configuration diagram of a scalar multiplication calculation unit in the embodiment of Example 4. FIG. FIG. 10 is a flowchart illustrating a method of calculating a scalar multiple of an actual calculation unit in the fourth embodiment. It is a block diagram which shows a signature verification system. It is a figure explaining the concept of the scalar multiplication calculation method by a prior art and this invention.

Explanation of symbols

101, 121, 1421: Computer, 1401: Smart card, 102, 122, 1402, 1422: Storage unit, 111, 131, 1411, 1431: Processing unit, 115, 135, 1415, 1435: Scalar multiplication unit, 112, 132: Data processing unit, 1412: Signature generation processing unit, 1432: Signature verification processing unit, 104, 124, 1404, 1424: Constant, 105, 125, 1405, 1425: Confidential information, 110, 130, 1410, 1430: On Output interface, 108, 128, 1428: Display, 109, 129, 1429: Keyboard, 142: Network, 1442: Challenge code, 141, 143: Data, 302: Encoding unit, 303: Actual calculation unit, 321: Remainder acquisition unit , 322: residue conversion unit, 323: repetition determination unit, 324: delta residue conversion unit, 325: Φ _w function calculation unit, 326: storage unit, 331: bit value determination unit, 332: addition unit, 333: τ multiplication 334: Repetition determination unit 702: Encoding unit 703: Actual calculation unit 721: Remainder acquisition unit 722: Remainder conversion unit 723: Repetition Determination unit, 724: [delta] residue transform unit, 725: [Phi _w function calculating unit, 726: storage unit, 731: the bit value determination unit, 732: addition unit, 733: tau multiplication unit, 734: repetition determining unit, 735 : Basis conversion unit, 1002: actual calculation unit, 1021: residue acquisition unit, 1022: residue conversion unit, 1023: repetition determination unit, 1024: delta residue conversion unit, 1025: Φ _w function calculation unit, 1031: bit value determination unit , 1032: addition unit, 1033: τ multiplication unit, 1202: actual calculation unit, 1221: remainder acquisition unit, 1222: residue conversion unit, 1223: iteration determination unit, 1224: delta residue conversion unit, 1225: Φ _w function calculation Part, 1231: bit value determination part, 1232: addition part, 1233: τ multiplication part, 1234: basis conversion part.

Claims (11)

A scalar multiplication unit in elliptic curve cryptography that calculates a scalar multiple from a scalar value and a point on the elliptic curve using an elliptic curve that can execute a second operation different from addition on the elliptic curve. There,
Encoding the scalar value into a numeric string;
Selecting one non-zero number from the numeric sequence;
Performing an operation to find the scalar multiple in a digit having the same absolute value as the selected number;
Repeating the step of selecting and the step of performing the calculation for numbers that are not 0 and that constitute the numeric sequence;
A scalar multiplication apparatus characterized by executing The scalar multiplication apparatus according to claim 1,
An encoding unit for performing the encoding step;
A scalar multiplication calculation device comprising: an actual calculation unit that executes the selecting step and the calculating step. The scalar multiplication apparatus according to claim 1,
The elliptic curve is a scalar multiplication calculator which is a Kobritz curve. The scalar multiplication method according to claim 1,
A scalar multiplication apparatus in which the second operation is τ multiplication. The scalar multiplication apparatus according to claim 2, wherein
The real multiplication unit further executes a step of basis conversion. The scalar multiplication apparatus according to claim 1,
Selecting one non-zero number from the numeric sequence,
Select one number from non-zero and non-selected numbers constituting each digit of the numeric string, and obtain a previous calculation point by executing a pre-calculation corresponding to the selected number, It consists of the first step of storing in a pre-calculated table that has been determined in advance.
The step of calculating the scalar multiple includes
When there is a digit having a number having the same absolute value as the selected number in the numeric string, the elliptical curve is moved up to the previous calculation point stored in the previous calculation table until the digit is reached. A second step of executing the second operation of and overwriting the result on the previous calculation point of the previous calculation table;
A third step of performing addition on the elliptic curve using the previous calculation point stored in the previous calculation table in a digit having the same absolute value as the selected number in the numerical sequence;
A fourth step that repeats the second and third steps, and
The step of selecting and the step of repeating the calculation step include:
If there is an unselected number other than 0 that constitutes each digit of the numeric string,
A scalar multiplication apparatus comprising a fifth step in which the first to fourth steps are repeated. The scalar multiplication apparatus according to claim 1,
The encoding step further includes calculating a value of a Φ _w function for the scalar value d;
The scalar multiplication apparatus, wherein the Φ _w function is given by Φ _w (d) = (d _R + d _T * t _w mods 2 ^w ). A signature generation apparatus comprising: a signature unit that generates signature data from data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the signature data,
2. The signature generation apparatus according to claim 1, wherein the scalar multiplication calculation unit executes the step of calculating the scalar multiple using the scalar multiplication apparatus according to claim 1. A signature verification apparatus comprising: a signature verification unit that outputs a signature verification result from data and signature data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the signature verification result,
2. The signature verification apparatus according to claim 1, wherein the scalar multiplication calculation unit executes the step of calculating the scalar multiplication point using the scalar multiplication calculation apparatus according to claim 1. An encryption device comprising: an encryption unit that generates encrypted data from data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the encrypted data,
The encryption device according to claim 1, wherein the scalar multiplication unit executes the step of calculating the scalar multiple using the scalar multiplication device according to claim 1. A decryption device comprising: a decryption unit that generates decryption data from encrypted data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the decryption data,
The decoding device according to claim 1, wherein the scalar multiplication unit executes the step of calculating the scalar multiplication point using the scalar multiplication device according to claim 1.

Images