JP2011075587A - Scalar multiplication computing method, program, and device in elliptic curve cryptography - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a fast elliptic curve scalar multiplication computing method in a scalar multiplication computing device using an elliptic curve capable of executing endomorphism Φ which is different from integer multiplication on the elliptic curve, and to provide a program and a device using the same. <P>SOLUTION: In the scalar multiplication computing device for computing a scalar multiple point from a scalar value and a point on the elliptic curve capable of executing the endomorphism Φ being different from integer multiplication on the elliptic curve defined on a definition field F<SB>q</SB>having a characteristic polynomial Φ<SP>2</SP>+Φ+q (q is a power of an odd prime number), Φ-ary expansion which is a first numerical sequence is computed from the scalar value and, when adjacent two digits in the Φ-ary expansion of the scalar value do not satisfy a predetermined condition, a computing is performed on the two digits and one digit next to the two digits, or each of two digits. Thereby, a second numerical sequence is computed from the scalar value, and scalar multiplication is performed from the second numerical sequence and the point on the elliptic curve. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

The present invention relates to security technology, and more particularly to message processing technology using elliptic curve calculation.

Elliptic curve cryptography is a kind of public key cryptography proposed by N. Koblitz and VS Miller. Public key cryptography includes information that can be disclosed to the public called a public key and secret information that must be kept secret, called a private key. A public key is used for encrypting a given message and verifying a signature, and a secret key is used for decrypting a given message and generating a signature.

The secret key in elliptic curve cryptography is a scalar value. The security of elliptic curve cryptography comes from the difficulty of solving discrete logarithm problems on elliptic curves. The discrete logarithm problem on an elliptic curve is a problem of obtaining a scalar value d when a certain point P on the elliptic curve and a point dP that is a scalar multiple thereof are given. A point on the elliptic curve is a set of numbers that satisfy the definition equation of the elliptic curve. The entire point on the elliptic curve is calculated based on a virtual point called an infinity point, that is, on the elliptic curve. Addition (or addition) is defined. The addition on the elliptic curve by the same points is called doubling on the elliptic curve.

The addition of two points on an elliptic curve is calculated as follows: When you draw a straight line that passes through two points, the straight line intersects the elliptic curve at another point. The point that is symmetric with respect to the intersecting point and the x-axis is the result of the addition.

For example, in the case of a Weierstrass-type elliptic curve (hereinafter referred to as an elliptic curve E), the point (x ₁ , y ₁ ) and the point (x ₂ , y ₂ ) are added (x ₃ , y ₃ ) ((x ₃ , y ₃ ) = (x ₁ , y ₁ ) + (x ₂ , y ₂ ))

x ₃ = λ ² -x ₁ -x ₂ (Formula 1)

y ₃ = (x ₁ -x ₃ ) λ-y ₁ (Formula 2)

λ = (y ₂ -y ₁ ) / (x ₂ -x ₁ ) (Formula 3)

Is obtained by calculating.

Here, the defining equation of the elliptic curve E is

y ² = x ³ + ax + b, where both a and b are elements of the finite field F _q (Equation 4)

Given in. Note that the point (x ₁ , y ₁ ), the point (x ₂ , y ₂ ), and the point (x ₃ , y ₃ ) are all on the elliptic curve E. That is, even if x _i and y _i (i = 1, 2, 3) are substituted for x and y in (Equation 4), the equation of (Equation 4) holds.

Further, the finite field F _q is called a definition field of the elliptic curve E given by (Expression 4). Here, q is a positive integer.

After that, the positive integer q uses a certain natural number r,

q = p ^r (Formula 5)

It shall be expressed as Here, p is a prime number of 3 or more.

Hereinafter, E (F _q ^m ) is considered as a commutative group used for elliptic curve cryptography.

However, E (F _q ^m ) is an elliptic curve given by the definition equation of (Equation 4). For each point P = (x, y) on the elliptic curve, both x and y are F _q ^m M is a natural number called the extension order.

The doubling of points on the elliptic curve is calculated as follows. When a tangent line at a point on the elliptic curve is drawn, the tangent line intersects at another point on the elliptic curve. The intersected point and a point that is symmetric with respect to the x-coordinate are taken as the result of doubling. For example, in the case of the elliptic curve E, the point (x ₃ , y ₃ ) ((x ₃ , y ₃ ) = 2 (x ₁ , y) as a result of doubling the point (x ₁ , y ₁ ) ₁ ) = (x ₁ , y ₁ ) + (x ₁ , y ₁ )) (Equation 1), (Equation 2) and

λ = (3x ₁ ² + a) / 2y ₁ (Formula 6)

Is obtained by calculating.

In addition, a self-homogeneous map called Frobenius map Φ can be applied to points on the elliptic curve E. Applying the Frobenius map Φ to the point (x ₁ , y ₁ )

Φ (x ₁ , y ₁ ) = (x ₁ ^q , y ₁ ^q ) (Equation 7)

Is to calculate Also,

(X ^2q , x ^2q ) + q (x, y) = t (x ^q , y ^q ) (Equation 8)

Is known to hold, and Φ by the nature of (Equation 8),

Φ ² + q = tΦ (Formula 9)

It can be thought of as a complex number that satisfies. Here, t is an integer called a trace of the elliptic curve E given by (Equation 4). Hereinafter, the trace t is -1.

Adding a certain number of times to a certain point is called scalar multiplication, the resulting point is called a scalar multiple, and the number of times is called a scalar value.

In the elliptic curve cryptography, encryption, decryption, signature generation, and verification of a given message are performed using elliptic curve computation. Among them, the calculation of the scalar multiplication on the elliptic curve is the calculation that requires the most calculation time in each processing such as encryption and decryption. Therefore, in order to execute elliptic curve cryptography at high speed, it is necessary to perform scalar multiplication on the elliptic curve at high speed.

In general, scalar multiplication on an elliptic curve looks at each digit of the encoded scalar value, adds it on the elliptic curve if it is not zero (non-zero), and doubles on the elliptic curve to shift the digit I do. Here, encoding of a scalar value is converting the expression of the scalar value into a small numerical string (hereinafter referred to as Φ-adic expansion). However, the doubling on the elliptic curve is heavier than the self-homogeneous mapping, which is different from the addition and integer multiplication on the elliptic curve.

On the other hand, in scalar multiplication on an elliptic curve that can perform a self-homogeneous mapping different from integer multiplication, integer multiplication is used instead of doubling on the elliptic curve to shift digits. It is known that different automorphisms can be used. Self-homogeneous mapping, which is different from integer multiplication, can be calculated using only shift operations when the points on the elliptic curve are implemented using normal basis when implementing elliptic curve cryptography. Processing is fast.

Therefore, if an elliptic curve having a self-homomorphic mapping different from integer multiplication is used as an elliptic curve when implementing elliptic curve cryptography, the speed of scalar multiplication can be increased.

Using this property, as one of the methods for performing high-speed scalar multiplication on an elliptic curve, there is a method for speeding up the Φ-adic expansion expression of a scalar value in elliptic curve cryptography (for example, Patent Document 1, And Non-Patent Documents 1, 2, and 3). The polynomial basis and the normal basis are described in Non-Patent Document 2, for example.

In addition to reducing doubling, scalar multiplication can be speeded up by reducing the number of additions on the elliptic curve necessary for scalar multiplication. In scalar multiplication on an elliptic curve, as described above, addition is performed when non-zero, so there is a method of speeding up by minimizing non-zero density. Here, the non-zero concentration refers to an asymptotic value of (number of non-zero digits) / (digit length). In general, it is known as described above that, for a given scalar value, when the non-zero density in a certain development is minimal, the scalar multiplication using that expansion is accelerated with respect to the scalar multiplication. Yes.

A non-zero density of a scalar value when encoding using a predetermined integer for a given scalar value as one of the methods for performing high-speed scalar multiplication on an elliptic curve using this property There is a method of speeding up scalar multiplication on an elliptic curve by performing expansion (rNAF) that minimizes (see Non-Patent Document 4, for example).

JP 2007-041461

N. P. Smart, Elliptic Curve Cryptosystems over Small Fields of Odd Characteristic, Journalof Cryptology, Vol.12, No.2, pp.141 &#8211; 151, 1999. J. A. Solinas, Efficient Arithmetic on Koblitz Curves, Designs, Codes and Cryptography, Vol.19, No.2-3, Kluwer Academic Publishers, pp.195-249, 2000. K. Hakuta, H. Sato, and T. Takagi, Efficient Arithmetic on Subfield Elliptic Curves overSmall Finite Fields of Odd Characteristic, In Information Security Practice and Experience Conference &#8211; ISPEC2008, Vol.4991 of Lecture Notes in Computer Science, pp. 304-318, 2008. T. Takagi, S.M.Yen, and B. C. Wu, Radix-r Non-adjacent Form, In Information Security Conference-ISC2004, Vol.3225 of Lecture Notes in Computer Science, pp.99-110,2004.

Cryptographic technology has become an indispensable element for concealing and authenticating electronic information with the development of information and communication networks. In addition to security, requirements imposed on cryptographic technology include processing speed and memory usage. However, there is generally a trade-off relationship between safety, processing speed, and memory usage, and it is difficult to satisfy all requirements.

In general, the length of a key (key length) used for encryption is an index of security, and it is known that the longer the key, the higher the security. However, the longer the key length, the longer the processing.

Since the difficulty of finding discrete logarithm problems on elliptic curves is higher than that of prime factorization, elliptic curve cryptosystems compare key lengths with ciphers based on the difficulty of prime factorization. Can be shortened. Therefore, according to elliptic curve cryptography, even if resources such as calculation capacity and memory capacity are relatively small, cryptographic processing having the same security as cryptographic processing using difficulty of prime factorization is performed in a short time, that is, It can be realized by processing with less burden on resources.

Recently, the need for highly secure cryptographic processing is increasing even in environments where available resources are considerably limited, such as smart cards (also called IC cards). In environments with few resources such as smart cards, it is necessary to optimize cryptographic processing within limited resources, and increasing the key length to increase security increases the processing burden. High-speed processing with less burden is demanded.

Non-Patent Document 1 discloses an elliptic curve scalar multiplication method using an automorphism map different from integer multiplication for all elliptic curves that can execute an automorphism map different from integer multiplication. Are listed. However, since the reduction of the number of times of addition on the elliptic curve necessary for the scalar multiplication calculation is not taken into consideration, a sufficient speed may not be obtained.

In Non-Patent Document 2 above, only elliptic curves (Koblitz curves) with special definition equations among elliptic curves that can execute automorphism mapping different from integer multiplication are used for scalar multiplication. Reduction of the number of additions is considered. However, since elliptic curves having general definition equations have not been considered, applicable elliptic curves are limited.

In Patent Document 1 and Non-Patent Document 3 described above, addition in the case of scalar multiplication is performed for a wider range of elliptic curves among the elliptic curves that can execute self-homogeneous mapping different from integer multiplication. The reduction of the frequency is considered. However, since the elliptic curve has a condition that the trace is 1 on the definition body, the scalar multiplication method described in Patent Document 1 and Non-Patent Document 3 is used for the elliptic curve having other traces. Can not.

Further, the technique of Non-Patent Document 4 discusses development (rNAF) in which the non-zero density is minimized using a predetermined integer for a given scalar value. However, rNAF related to expansion using complex numbers other than integers is not considered.

That is, in the conventional scalar multiplication on the elliptic curve, a self-homogeneous mapping Φ different from the integer multiplication on the elliptic curve defined on the definition field F _q can be executed, and the above-mentioned Koblitz curve It is not enough to further speed up elliptic curves other than elliptic curves that have a single trace and an odd characteristic of the definition field that can perform self-homogeneous mapping different from integer multiplication It is.

The present invention has been made in view of the above problems, and can perform a self-homogeneous mapping different from a Koblitz curve or integer multiplication without reducing safety in an environment where resources are limited. For elliptic curves other than elliptic curves with a characteristic number of 1 and an odd number of characteristic definition, an elliptic curve calculation technique capable of processing at higher speed than the conventional scalar multiplication on an elliptic curve is realized.

The present invention speeds up scalar multiplication in elliptic curve cryptography. In other words, the encoding of scalar values is performed so that the Φ-adic expansion expression when expanding the digit set has a smaller non-zero density than the normal Φ-adic expansion digit set, so that elliptic curve calculation that can be calculated at high speed is possible. Providing equipment.

The present invention further provides an encryption processing device, a decryption processing device, a signature generation device, a signature verification device, and a data sharing device using the above elliptic curve calculation device.

Specifically, a self-homogeneous mapping Φ having a characteristic polynomial Φ ² + Φ + q (where q is an odd prime) and different from integer multiplication on an elliptic curve defined on the definition field F _q is executed. A method of scalar multiplication in elliptic curve cryptography that uses a elliptic curve to calculate a scalar multiple from a scalar value and a point on the elliptic curve, and the definition of the elliptic curve is F _q , The first to encode the scalar value into the first numeric string (b _n-1 , b _n-2 , ..., b ₀ ) (where n is the digit length when the scalar value is encoded into the first numeric string) A second step of encoding the first numeric sequence into a second numeric sequence different from the first numeric sequence;
From the third step of creating a pre-calculation table from points on the elliptic curve, from the second numerical sequence, and from the pre-calculation table,
And a fourth step of calculating a scalar multiplication point.

Further, the first step calculates a Φ-adic expansion for the scalar value,

The second step is

generating b _n , b _{n + 1} , b _{n + 2} and b _{n + 3} and setting them to 0 respectively (n is the digit length of Φ-adic expansion for scalar values),

i is between 0 and n

When b _i = 0 is satisfied, i is increased by 1 after performing the conversion of b _i to b _i ,

If b _i ≠ 0 and | −qb _{i + 1} + b _i | ≦ (q ² −1) / 2, then b _i → −qb _{i + 1} + b _i , b _{i + 1} → 0, b _{i + 2} → -b _{i + 1} + b _{i + 2}

When b _i ≠ 0 and -qb _{i + 1} + b _i > (q ² -1) / 2, b _i →-b _{i + 1} q + b _i -q ² , b _{i + 1} → 0 , B _{i + 2} → b _{i + 2} − b _{i + 1} − (q−1), b _{i + 3} → b _{i + 3} +1 and then i is increased by 2,

When b _i ≠ 0 and -qb _{i + 1} + b _i <-(q ² -1) / 2, b _i →-b _{i + 1} q + b _i + q ² , b _{i + 1} → 0, b _{i + 2} → b _{i + 2} -b _{i + 1} + (q-1),

and a conversion step of repeating a process of increasing i by 2 after performing conversion from b _{i + 3} → b _{i + 3} −1.

According to the present invention, it is possible to realize an elliptic curve calculation technique capable of processing at higher speed than the conventional elliptic curve calculation without reducing safety in an environment where resources are limited.

FIG. 1 is a diagram illustrating a system configuration of the cryptographic communication system according to the first embodiment. FIG. 2 is a diagram for illustrating the exchange of information between the processing units in the computer according to the first embodiment. FIG. 3 is a functional block example of the scalar multiplication unit of the first embodiment. FIG. 4 is a flowchart for illustrating the processing of the encoding unit according to the first embodiment. FIG. 5 is a flowchart for illustrating the process of the pre-calculation unit of the first embodiment. FIG. 6 is a flowchart for illustrating the process of the real calculation unit of the first embodiment. FIG. 7 is a diagram illustrating a system configuration of the signature verification system according to the second embodiment.

Hereinafter, a first embodiment to which the present invention is applied will be described with reference to the drawings.

FIG. 1 is a system configuration diagram of the cryptographic communication system of the present embodiment. As shown in the figure, the cryptographic communication system of this embodiment includes a computer A101 and a computer B121 connected by a network 142.

In the cryptographic communication system of the present embodiment, to encrypt the message P _m a computer A101, decodes the cipher text on the computer B 121.

If k is a random number, d is a constant indicating a secret key, Q is a fixed point, and dQ is a point indicating a public key, P _m + k (dQ) and kQ are calculated and output in the computer A101. Then, in the computer B121, -d (kQ) is calculated from the secret key d and kQ,

(P _m + k (dQ)) d (kQ) (Equation 10)

Is calculated and output.

Here, in order to restore the message P _m , it is necessary to calculate kdQ, that is, d times kQ. However, in the cryptographic communication system, P _m + k (dQ) and kQ are transmitted to the network 142, and the secret key d is not transmitted. Therefore, only the one holding the secret key d can restore P _m. become.

In FIG. 1, a computer A101 is equipped with an arithmetic device such as a CPU 113 and a coprocessor 114, a storage device such as a RAM 103, a ROM 106 and an external storage device 107, and an input / output interface 110 for performing data input / output with the outside of the computer. Are connected to a display 108 for operating a computer A101 by a user, a keyboard 109, and a removable portable storage medium read / write device.

Further, the computer A101 realizes the storage unit 102 by a storage device such as the RAM 103, the ROM 106, and the external storage device 107, and the arithmetic device such as the CPU 113 and the coprocessor 114 executes the program stored in the storage unit 102. The data processing unit 112, the scalar multiplication calculation unit 115, and the processing units included therein are realized.

In this embodiment, the data processing unit 112 functions as an encryption processing unit, and encrypts an input message.

The scalar multiplication calculation unit 115 calculates parameters necessary for the data processing unit (encryption processing unit) 112 to perform encryption. The storage unit 102 stores a constant 104 (for example, an elliptic curve definition formula or a fixed point on the elliptic curve), secret information 105 (for example, a secret key), and the like.

The computer B121 has the same hardware configuration as the computer A, and includes an arithmetic device such as a CPU 133 and a coprocessor 134, a storage device such as a RAM 123, a ROM 126, and an external storage device 127, and an input / output interface for performing data input / output with the outside of the computer 130, and a display 128 for operating the computer B101 by the user, a keyboard 129, a removable portable storage medium read / write device, and the like are connected to the outside.

Further, the computer B121 realizes the storage unit 122 by a storage device such as the RAM 123, the ROM 126, and the external storage device 127, and the arithmetic device such as the CPU 133 and the coprocessor 134 executes the program stored in the storage unit 122. The data processing unit 132, the scalar multiplication calculation unit 135, and the processing units included therein are realized.

In the present embodiment, the data processing unit 132 functions as a decryption processing unit, and decrypts the ciphertext 141 that is an encrypted message.

The scalar multiplication calculation unit 135 calculates parameters necessary for the data processing unit (decoding processing unit) 132 to perform decoding. The storage unit 122 stores a constant 124 (for example, a definition formula of an elliptic curve to be used or a fixed point on the elliptic curve), secret information 125 (for example, a secret key), and the like.

Note that the program may be stored in advance in the storage units 102 and 122 in the computer, or other devices via the input / output interfaces 110 and 130 and a medium usable by the computer when necessary. To the storage units 102 and 122. The medium refers to, for example, a storage medium that can be attached to and detached from an input / output interface, or a communication medium (that is, a digital signal or a carrier wave that propagates through a network or a network).

Next, transmission / reception of information between the respective processing units in the computer A101 and the computer B121 in the case of performing message encryption processing and decryption processing will be described. FIG. 2 is a diagram for explaining information exchange performed by each processing unit of the computer A101 and the computer B121.

First, an operation when the computer A101 encrypts an input message will be described. The message may be any digitized data, and may be any type of text, image, video, sound, etc.

When the data processing unit (encryption processing unit) 112 receives a plaintext message (input message) via the input / output interface 110 (step 204), whether the bit length of the input plaintext message is a predetermined bit length or not. Determine whether. When the bit length is longer than a predetermined bit length, the plaintext message is divided so as to have a predetermined bit length. In the following description, the message is assumed to be a partial message (simply called a message) divided into a predetermined bit length.

Next, the data processing unit (encryption processing unit) 112 calculates the value of the y coordinate (y ₁ ) of the point P _m on the elliptic curve having the numerical value represented by the bit string of the message at the x coordinate (x ₁ ). To do.

For example, if the elliptic curve to be used is a Weierstrass-type elliptic curve, the Weierstrass-type elliptic curve has a and b as constants.

y ₁ ² = x ₁ ³ + ax ₁ + b (Formula 11)

Therefore, the y-coordinate value can be obtained from this equation.

Next, the data processing unit (encryption processing unit) 112 generates a random number k. Then, the public key dQ and the x coordinate of Q are read from the constant 104 stored in the storage unit 102 (step 205). Then, the read public key dQ, the x coordinate of Q, the value of the obtained y coordinate, and the random number k are sent to the scalar multiplication unit 115 (step 206).

The scalar multiplication calculator 115 calculates the x-coordinate and y-coordinate values of Q, and the scalar multiplication point (x _d1 , y _d1 ) = kQ by the random number k, and the x-coordinate and y-coordinate values of the public key dQ, and the scalar multiplication by the random number The point (x _d2 , y _d2 ) = k (dQ) is calculated, and the calculated scalar multiple is sent to the data processing unit (encryption processing unit) 112 (step 207).

The data processing unit (encryption processing unit) 112 performs an encryption process using the received scalar multiple. For example, in the case of a Weierstrass-type elliptic curve, P _m + k (dQ) and kQ are calculated. That is,

x _e1 = ((y _d1 -y ₁ ) / (x _d1 -x ₁ )) ² -x ₁ -x _d1 (Equation 12)

x _e2 = x _d2 (Formula 13)

To obtain encrypted messages x _e1 and x _e2 .

The computer A101 assembles an output message encrypted from one or more partial messages encrypted by the data processing unit (encryption processing unit) 112, and outputs the output message as data 141 from the input / output interface 110 (step 208). The data 141 is transferred to the computer B121 via the network 142.

In FIG. 2, reading of information from the storage unit 102 (step 205) may be performed before the information is sent to the scalar multiplication calculation unit 115. For example, it may be before the input message is received (step 204).

Next, the operation when the computer B 121 decrypts the data 141 which is an encrypted message will be described with reference to FIG.

When the encrypted data 141 is input as an input message via the input / output interface 110 (step 204), the data processing unit (decryption processing unit) 132 sets the bit length of the data 141 to a predetermined bit length. Determine whether or not. If it is longer than the predetermined bit length, the encrypted data is divided so as to have a predetermined bit length. In the following description, the message is assumed to be partial data (also simply referred to as data) divided into a predetermined bit length.

The data processing unit (decoding processing unit) 132 calculates the value of the y coordinate on the elliptic curve having the numerical value represented by the bit string of the data 141 at the x coordinate.

If the encrypted message is a bit string of x _e1 and x _e2 and is a Weierstrass-type elliptic curve, the y coordinate value (y _e1 ) is

y _e1 ² = x _e1 ³ + ax _e1 + b (Formula 14)

(However, a and b are the same constants as in (Equation 11).)

The data processing unit (decryption processing unit) 132 reads the secret key d from the secret information 125 stored in the storage unit 122 (step 205). Then, the read secret key d and the x-coordinate and y-coordinate values (x _e2 , y _e2 ) are sent to the scalar multiplication unit 135 (step 206).

The scalar multiplication unit 135 calculates a scalar multiple (x _d3 , y _d3 ) = d (x _e2 , y _e2 ) using the x-coordinate and y-coordinate values and the secret information 125 (secret key d). The scalar multiplication calculator 135 sends the calculated scalar multiple to the data processor (decoding processor) 132 (step 207). The data processing unit (decoding processing unit) 132 performs a decoding process using the sent scalar multiple.

For example, if the encrypted message is a bit string of x _e1 and x _e2 and is a Weierstrass-type elliptic curve,

(P _m + k (dQ)) d (kQ) = (x _e1 , y _e1 ) − (x _d3 , y _d3 ) (Formula 15)

Can be achieved by calculating That is,

x _f1 = ((y _e1 + y _d3 ) / (x _e1 -x _d3 )) ² -x _e1 -x _d3 (Equation 16)

And x _f1 corresponding to the partial message x ₁ before being encrypted is obtained.

The computer B 121 assembles a plaintext message from the partial message decrypted by the data processing unit (decryption processing unit) 132, and outputs it from the display 108 or the like via the input / output interface 110 (step 208).

Next, in the present embodiment, the processing of the scalar multiplication calculation unit 115 when the computer A101 performs encryption processing will be described in detail. The process of the scalar multiplication calculation unit 135 when the computer B101 performs the decoding process is basically the same. Therefore, in the following, the process of the scalar multiplication calculation unit 115 will be described as a representative.

FIG. 3 shows functional blocks of the scalar multiplication calculation unit 115 of this embodiment. As shown in the figure, the scalar multiplication calculation unit 115 of this embodiment includes an encoding unit 302, a pre-calculation unit 303, and an actual calculation unit 304.

The encoding unit 302 includes a Φ-adic expansion unit 321, a δ residue acquisition unit 322, a bit pair determination unit 323, a bit pair conversion unit 324, a carry calculation unit 325, and a repetition determination unit 326. The pre-calculation unit 303 includes an addition unit 331, a doubling unit 332, and a repetition determination unit 333. The actual calculation unit 304 includes a bit value determination unit 341, an addition unit 342, a Φ multiplication unit 343, and a repetition determination unit 344.

The scalar multiplication unit 115 uses these functions to calculate the scalar multiple dP in the elliptic curve from the scalar value d and the point P on the elliptic curve having a self-homogeneous map Φ different from the integer multiplication. The first calculation method will be described.

Hereinafter, in the present embodiment, for example, the Frobenius map can be used as the self-homomorphic map Φ. That is, this calculation method is an encoding method in which the integer expansion rNAF described in Non-Patent Document 4 is applied to the Frobenius expansion of the scalar value described in Non-Patent Document 1, and hereinafter, this encoding method Is called FrNAF (Frobenius-adic Radix-r Non-Adjacent Form).

In order to apply rNAF to the Frobenius expansion of scalar values, in the present embodiment, on the elliptic curve defined on the definition field F _q having the characteristic polynomial Φ ² + Φ + q (q should be an odd prime number), Select an elliptic curve that can perform a self-homogeneous mapping Φ different from integer multiplication.

In addition, when calculating a scalar multiple from a point on this elliptic curve and a scalar value, after the scalar value is encoded into the first numerical sequence, it is further converted into a second numerical sequence different from the first numerical sequence. Encode and calculate a scalar multiple using the second sequence of numbers. At this time, the first numerical sequence is obtained by expanding the scalar value by Φ, and the second numerical sequence is determined whether two adjacent digits of the first numerical sequence satisfy a predetermined condition. Perform conversion according to. That is, when not satisfy | filling, it calculates with respect to each of the 2 digits and the 1 digit adjacent to the 2 digits, or 2 digits, makes the converted numerical sequence a 1st numerical sequence, and repeats this process.

By executing the scalar multiplication using the second numerical sequence and the points on the elliptic curve, speeding up is realized. Hereinafter, the calculation method will be specifically described.

First, an overview of the entire scalar multiplication calculation process of the present embodiment will be described.

When the scalar multiplication calculation unit 115 receives the scalar value d and the point P on the elliptic curve from the encryption processing unit 112, the encoding unit 302 calculates the value d ′ from the input scalar value d, and calculates the value d ′ as a numerical value. Encode to column e _i . That is,

d '= e ₀ + e ₁ Φ + e ₂ Φ ² +… + e _{n + 3} Φ ^{n + 3} (Formula 17)

-(Q ² -1) / 2≤e _i ≤ (q ² -1) / 2 (Formula 18)

e _i mod q ≠ 0 (when e _i ≠ 0) (Equation 19)

Convert the scalar value d ′ to e _i satisfying.

Where d 'is

δ = (Φ ⁿ -1) / (Φ-1) (Formula 20)

For complex number δ satisfying

d = δQ + d '(Formula 21)

Where Q is a complex number.

In addition, for each i in (Equation 17), a pair of adjacent numerical values (e _{i + 1} , e _i )

e _{i + 1} e _i = 0 (Formula 22)

Meet k

k ≦ [2log _q 2√ | d '|] +4 (Equation 23)

It is an integer that satisfies

When the pair (e _{i + 1} , e _i ) satisfies the above (formula 22), the pair (e _{i + 1} , e _i ) is said to be a non-adjacent pair.

The pre-calculation unit 303 creates a pre-calculation table. The pre-calculation table is

iP (i = 1, ..., (q ² -1) / 2) (Equation 24)

Hold. Where i is

i mod q ≠ 0 (Formula 25)

Meet.

The actual calculation unit 304 uses the encoded scalar value d = (e _{n + 3} , e _{n + 2} ,..., E ₁ , e ₀ ) and the data stored in the pre-calculation table to obtain a scalar multiple dP. Calculate

Next, each process performed by the encoding unit 302, the pre-calculation unit 303, and the actual calculation unit 304 during the scalar multiplication calculation process will be described in detail.

First, processing performed by the encoding unit 302 of the present embodiment will be described using FIG. Here, the scalar value is encoded into the first numerical sequence, and further, the first numerical sequence is encoded into the second numerical sequence. FIG. 4 is a flowchart for explaining the processing of the encoding unit 302 of this embodiment.

The encoding unit 302 receives the scalar value d (Step 401).

The δ residue acquisition unit 322 calculates an integer d ′ that satisfies (Expression 21) of the first embodiment with respect to the received scalar value d. Then, the Φ-adic expansion unit 321 converts the integer d ′ to

d '= c ₀ + c ₁ Φ +… + c _n-1 Φ ^n-1 (Formula 26)

| c _i | ≤ (q-1) / 2 (Formula 27)

(Step 402).

Non-Patent Document 1 describes a method for calculating an integer d ′ from a scalar value d and a method for expanding the integer d ′ so as to satisfy (Equation 26) and (Equation 27). That is, it is obtained by repeating the following processes i) and ii).


i) Divide the scalar value d by δ and let the remainder be d ′.


ii) Divide the integer d ′ by Φ, and let the remainder be c _i .

Next, from the first numerical sequence (c ₀ , c ₁ , c ₂ ,... C _n-1 ), (b ₀ , b ₁ , b ₂ ,... B _n−1 , b _n , b _{n + 1} , b _{n + 2, b n + 3} ) through a second numeric string _{(e 0, e 1, ...} e n, generates a _{e n + 1, e n +} 2, e n + 3).

First, the bit-to-conversion unit 324, the c ₀ to b _0, a c ₁ to b _1, a 0 to b _n, the b _{n + 1} to zero, the b _{n + 2} to 0, the b _{n + 3} Each of 0 is substituted (step 403).

The repetition determination unit 326 substitutes 0 for i (step 404).

The repetition determination unit 326 determines whether i ≦ n + 2 is satisfied (step 405). If i ≦ n + 2 holds, go to step 406. If i ≦ n + 2 does not hold, go to step 413.

The bit pair determination unit 323 determines whether b _i = 0 (step 406). If b _i = 0, go to step 407. If b _i = 0 is not true, go to step 408.

The carry calculation unit 325 substitutes c _{i + 2} for b _{i + 2} , and the storage unit 327 substitutes 0 for e _i , substitutes i + 1 for i, and goes to step 405 (step 407). .

The bit pair determination unit 323 determines whether or not | −b _{i + 1} q + b _i | ≦ (q ² −1) / 2 (step 408). If | −b _{i + 1} q + b _i | ≦ (q ² −1) / 2, go to Step 409. If | −b _{i + 1} q + b _i | ≦ (q ² −1) / 2, go to Step 410.

Carry calculation section 325, a c _{i + 3} in b _{i + 3,} the b _{i + 2} to c _{i + 2} -b _{i + 1} were respectively substituted, storage unit 327, e _{i + 1} to 0, Substitute -b _{i + 1} q + b _i into e _i , substitute i + 2 into i, and go to step 405 (step 409).

The bit pair determination unit 323 determines whether or not −b _{i + 1} q + b _i <− (q ² −1) / 2 (step 410). If -b _{i + 1} q + b _i <-(q ² −1) / 2, go to step 411. If not -b _{i + 1} q + b _i <-(q ² −1) / 2, go to step 412.

Carry calculation section 325, a c _{i + 3} -1 to _{b i + 3, b i +} 2 to _{c i + 2 -b i + 1} + a (q-1) is substituted respectively, storage unit 327, 0 is substituted for e _{i + 1} , -b _{i + 1} q + b _i + q ² is substituted for e _i , _{i +} ² is substituted for i, and the process goes to step 405 (step 411).

Carry calculation section 325, a c _{i + 3} +1 to _{b i + 3, b i +} 2 to _{c i + 2 -b i + 1} - (q-1) were respectively substituted, storage unit 327, 0 is assigned to e _{i + 1} , -b _{i + 1} q + b _i -q ² is assigned to e _i , _{i +} ² is assigned to i, and the process goes to step 405 (step 412).

The encoding unit 302 outputs (e _{n + 3} , e _{n + 2} ,..., E ₁ , e ₀ ) (step 413).

When q ≦ 5, the following steps are added.

Before determining whether b _i = 0 in step 406, it is determined whether b _i is divisible by q. If b _i is divisible by q, the b _{i + 1} to b _{i + 1} -b _i / q, the b _{i + 2} to c _{i + 2} -b _i / q, respectively substituted, substitutes i + 1 in the i To do.

Next, processing performed by the pre-calculation unit 303 of the present embodiment will be described using FIG. FIG. 5 is a flowchart for explaining the processing of the pre-calculation unit 303 of the present embodiment. Here, data stored in the pre-calculation table is generated. Data held in the pre-calculated table, as described above, the value of the point P on the elliptic curve, the value 2P of the scalar-multiplied point of the point P, 3P, ..., (( q 2 - 1) / 2) P ( where The point iP (i = q, 2q, ..., ((q-1) / 2) P) is not included.).

The pre-calculation unit 303 substitutes P for Q ₁ , the doubling unit 332 calculates the double point 2P of the point P, and the pre-calculation unit 303 substitutes 2P for Q ₂ (step 501).

The iterative determination unit 333 substitutes 2 for i (step 502).

The repetition determination unit 333 determines whether i ≦ (q ² −1) / 2 (step 503). If i ≦ (q ² −1) / 2, go to step 504. If i ≦ (q ² −1) / 2, go to Step 508.

The remainder determination unit 334 determines whether i mod q≡0 (step 504). If i mod q≡0, go to step 506. If i mod q≡0 is not true, go to step 505.

Adder 331 calculates Q _i + P, and precalculator 303 assigns the result to Q _{i + 1} (step 505).

The adding unit 331 calculates Q _i + P, and the pre-calculating unit 303 assigns the result to Q _{i + 2} (step 506).

The iterative determination unit 333 substitutes i + 1 for i and goes to Step 503 (Step 507).

The pre-calculation unit 303 stores the points Q ₁ ,..., Q _{(q2-1) / 2} in the pre-calculation table (step 508). However, in the above Q _i , i is not a multiple of q.

Finally, processing performed by the actual calculation unit 304 will be described with reference to FIG. Here, the scalar multiple dP is calculated from the encoded scalar value obtained by the encoding unit 302 and the data obtained by the pre-calculation unit 303. FIG. 6 is a flowchart for explaining the processing of the actual calculation unit 304 of the present embodiment.

The iterative determination unit 344 substitutes n + 3 for i (step 601).

The bit value determination unit 341 determines whether or not e _i ≠ 0 (step 602). If e _i ≠ 0, go to step 603. If e _i ≠ 0, go to step 604.

The iterative determination unit 344 substitutes i−1 for i (step 603).

The adding unit 342 substitutes e _i P for Q (step 604).

The iterative determination unit 344 substitutes i−1 for i (step 605).

The repetition determination unit 344 determines whether i ≧ 0 (step 606). If i ≧ 0, go to step 607. If i ≧ 0 is not true, go to step 611.

The Φ multiplication unit 343 calculates Φ (Q) and substitutes it into Q (step 607).

The bit value determination unit 341 determines whether e _i ≠ 0. If e _i ≠ 0, go to step 609. If e _i ≠ 0, go to step 610. (Step 608)

The adding unit 342 calculates Q + e _i P and substitutes it into Q (step 609).

The iterative determination unit 344 substitutes i−1 for i and goes to Step 606 (Step 610).

The actual calculation unit 304 outputs Q (step 611).

Through the above processing, e _i output from the encoding unit 302 satisfies (Equation 17), and the pair (e _{i + 1} , e _i ) satisfies (Equation 22). The reason is as follows.

Just before step 406, b _{i + 1} and b _i are respectively | b _{i + 1} | ≦ (q−1) / 2, | b _i | ≦ q−1, or | b _{i + 1} | ≦ ( q + 1) / 2, | b _i | ≦ 2q-1 (b _i ≠ ± q). If the pair (b _{i + 1} , b _i ) is an adjacent pair, go to step 407. Consider the case where the pair (b _{i + 1} , b _i ) is a non-adjacent pair. At this time, in any of Step 409, Step 411, and Step 412, e _{i + 1} = 0, and the pair (e _{i + 1} , e _i ) satisfies (Equation 22).

Further, by the processing performed by the encoding unit 302, the length of the Φ-adic expansion of the integer d ′ satisfies (Equation 23). This is because, in the processing loop from step 406 to step 412, the integer d ′ is converted so as to satisfy (Equation 17) for all i, so the length of the Φ expansion of the integer d ′ is (Equation 23). You can see that it meets.

The point Q output from the actual calculation unit 304 is equal to the scalar multiple dP. The reason for this is clear from (Equation 17), (Equation 20), and (Equation 23).

The FrNAF representation of the integer d ′ is unique. The reason for this is the same as the uniqueness of normal rNAF representation.

As described above, according to the scalar multiplication method of the present embodiment, an elliptic curve having one trace and an odd number characteristic of a defining body capable of executing a self-homogeneous mapping different from a Koblitz curve or integer multiplication. The non-zero density can be reduced by using an elliptic curve other than the above, and the scalar multiplication calculation process can be speeded up. Further, the limitation of the elliptic curve is that it has a self-homogeneous map Φ different from integer multiplication, and that the trace of the elliptic curve is −1, so that a wide range of elliptic curves can be selected. For this reason, higher safety can be expected.

That is, according to the present embodiment, it is possible to perform message processing with high speed while maintaining the high security and resource utilization efficiency of the elliptic curve cryptography.

Next, a signature verification system to which the present invention is applied will be described as a second embodiment.

FIG. 7 is a system configuration diagram of the signature verification system of this embodiment. As shown in the figure, the signature verification system of this embodiment includes a smart card 701 and a computer 721 that performs signature verification processing.

The smart card 701 has a configuration similar to the computer A101 of FIG. 1 of the first embodiment and the second embodiment. That is, the configuration with the same name of the computer A101 basically has the same function. However, the smart card 701 uses a signature generation processing unit instead of the data processing unit 111 and the scalar multiplication calculation unit 115 by executing a program stored in the storage unit 702 by an arithmetic device such as the CPU 713 and the coprocessor 714. 712 and the scalar multiplication calculation unit 715 are realized. Note that the external storage device 107, the display 108, and the keyboard 109 shown in FIG.

On the other hand, the computer 721 has the same configuration as the computer A101. That is, the configuration having the same name as the computer A101 shown in FIG. 1 has the same function. However, the arithmetic unit such as the CPU 733 and the coprocessor 734 executes the program stored in the storage unit 722, so that the signature verification processing unit 732 and the scalar multiplication calculation are performed instead of the data processing unit 111 and the scalar multiplication calculation unit 115. Part 735 is realized.

The scalar multiplication calculators 715 and 735 have the same function as the scalar multiplication calculator 115 or 135 shown in FIG.

Also in this embodiment, as in the first embodiment, each program in the computer 721 may be stored in advance in the storage unit 722 in the computer 721, or the computer 721 can be used when necessary. The storage unit 722 may be introduced from another device via a medium.

Furthermore, each program in the smart card 701 may be stored in advance in the storage unit 702 in the smart card 701, or when necessary, a computer connected via the input / output interface 710 or the computer It may be introduced into the storage unit 702 via an available medium. The medium refers to, for example, a storage medium removable from the computer or a communication medium (that is, a network or a carrier wave propagating through the network).

Next, signature generation and signature verification operations in the signature verification system of this embodiment will be described with reference to FIG. In this embodiment, the data processing units 112 and 132 in FIG. 2 are the signature generation processing unit 712, the signature verification processing unit 732, the scalar multiplication calculation units 115 and 135, the scalar multiplication calculation units 715 and 735, and the storage unit. 122 and 102 will be described below as storage units 702 and 722, respectively.

There is a signature method called an elliptic curve digital signature algorithm (ECDSA) that configures a digital signature method based on a discrete logarithm problem in correspondence with a method based on a discrete logarithm problem on an elliptic curve. For ECDSA signatures, for example:

D. Johnson, A. Menezes, The Elliptic Curve Digital
Signature Algorithm (ECDSA), Technial Report CORR 99-34, Dept. of C & O,
University of Waterloo, Canada.

<URL>
http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-34.pdf

It is described in.

The computer 721 transfers the randomly selected numerical value as a challenge code 742 to the smart card 701 via the interface.

The signature generation processing unit 712 receives the challenge code 742 as an input message (step 204), takes the hash value of the challenge code 742, and converts it into a numerical value f having a predetermined bit length.

The signature generation processing unit 712 generates a random number u, and reads the fixed point Q on the elliptic curve from the constant 704 stored in the storage unit 702 (step 205). The generated random number u is sent to the scalar multiplication unit 715 together with the fixed point Q on the read elliptic curve (step 206).

Scalar multiplication unit 715, scalar-multiplied point uQ = (x _u, y _u) was calculated using the fixed point Q, a random number u, and sends the calculated scalar-multiplied point to the signature generation processing unit 712 (step 207).

The signature generation processing unit 712 generates a signature using the sent scalar multiple. For example, if the ECDSA signature mentioned above,

s = x _u mod q (Formula 28)

t = u ^-1 (f + ds) mod q (Equation 29)

To obtain a signature (s, t) 741 corresponding to the challenge code 742.

Where q is the order of the fixed point Q, that is, the q multiple point qQ of the fixed point Q is the infinity point, and the m multiple point mQ of the fixed point Q for a numerical value m smaller than q is not a infinity point. That is.

The smart card 701 outputs the signature 741 generated by the signature generation processing unit 712 from the input / output interface 710 (step 208), and transfers it to the computer 721 via the interface.

When the signature 741 is input (step 204), the signature verification processing unit 732 of the computer 721 checks whether the numerical values s and t of the signature 741 are within an appropriate range, that is, 1 ≦ s and t <q.

If the numerical values s and t are not within the above range, “invalid” is output as the signature verification result for the challenge code 742, and the smart card 701 is rejected (step 208).

On the other hand, if the numerical values s and t are within the above range, the signature verification processing unit 732

h = t ^-1 mod q (Formula 30)

h ₁ = fh mod q (Formula 31)

h ₂ = sh mod q (Formula 32)

Calculate

The signature verification processing unit 732 reads the public key dQ and the fixed point Q from the constant 724 stored in the storage unit 722 (step 205). The read public key dQ and fixed point Q and the calculated h ₁ and h ₂ are sent to the scalar multiplication calculation unit 735 (step 206).

The scalar multiplication unit 735 calculates a scalar multiple h ₁ Q based on the fixed points Q and h ₁ and a scalar multiple h ₂ dQ based on the public keys dQ and h _2, and verifies the calculated scalar multiple The data is sent to the processing unit 732 (Step 207).

The signature verification processing unit 732 performs signature verification processing using the sent scalar multiple. For example, for ECDSA signature verification, the point R is calculated by the following formula:

R = h ₁ Q + h ₂ dQ (Formula 33)

When the x coordinate is x _R ,

s' = x _R mod q (Formula 34)

If s ′ = s, “valid” is output as the signature verification result for the challenge code 742 (step 208), and the smart card 701 is authenticated and accepted.

On the other hand, if s ′ = s, “invalid” is output (step 208), and the smart card 701 is rejected.

As described above, a scalar multiple is calculated in the signature generation and verification process. Therefore, when performing signature generation and signature verification, the scalar multiplication method of the first embodiment can be used. By using the scalar multiplication method of this embodiment, high security and high-speed processing can be realized even in an environment where resources such as smart cards are limited.

Next, a key exchange system that realizes the present invention by applying an elliptical Diffie-Hellman key agreement scheme will be described as a third embodiment. The system configuration of the key exchange system of this embodiment is the same as that shown in FIG. However, the data processing units 112 and 132 in FIG. 1 function as the key exchange processing units 112 and 132, respectively, in the present embodiment.

Hereinafter, the operation when the computer A101 of the key exchange system according to the present embodiment derives the shared information from the input data 143 will be described with reference to FIGS. Also in FIG. 2, the data processing units 112 and 132 will be described as the key exchange processing units 112 and 132.

The key exchange processing unit 132 of the computer B121 reads the secret key b from the secret information 125 of the storage unit 122, and calculates the public key bQ of the computer B121. Then, the key exchange processing unit 132 transfers the public key bQ as data 143 to the computer A101 via the network 142 (step 208).

The key exchange processing unit 112 of the computer A101 receives the data 143 of the public key bQ of the computer B121 as an input message (step 204).

The key exchange processing unit 112 reads out the secret key d of the computer A101 that is the secret information 105 from the storage unit 102 (step 205), and sends the secret key d and the public key bQ of the computer B121 to the scalar multiplication unit 115 (step). 206).

The scalar multiplication unit 115 calculates a scalar multiple dbQ based on the public key bQ, and sends the calculated scalar multiple and the secret key d to the key exchange processing unit 112 (step 207).

The key exchange processing unit 112 derives shared information using the sent scalar multiple, and stores it as the secret information 105 in the storage unit 102. For example, the x coordinate of the scalar multiple dbQ is used as shared information.

Next, an operation when the computer B121 derives shared information from the input data 141 will be described.

The key exchange processing unit 112 of the computer A101 reads the secret key d from the secret information 105 of the storage unit 102 and calculates the public key dQ of the computer A101. Then, the public key dQ is transferred as data 141 to the computer B 121 via the network 142 (step 208).

The key exchange processing unit 132 of the computer B121 receives the data 141, which is the public key dQ of the computer A101, as the input message 204 (step 204).

The key exchange processing unit 132 reads the secret key b of the computer B121, which is the secret information 125, from the constant 125 of the storage unit 122 (step 205), and calculates the read secret key b and the public key dQ of the computer A101 as a scalar multiplication unit. Send to 135 (step 206).

The scalar multiplication calculation unit 135 calculates a scalar multiplication point bdQ based on the public key dQ, and sends the calculated scalar multiplication point and the secret key b to the key exchange processing unit 132 (207 in FIG. 2).

The key exchange processing unit 132 derives shared information using the sent scalar multiple and stores it as the secret information 125 in the storage unit 122. For example, the x coordinate of the scalar multiple bdQ is used as shared information.

Here, since the number db and the number bd are the same as numerical values, the point dbQ and the point bdQ are the same point, and the same information is derived.

A point dQ and a point bQ are transmitted to the network 142. However, in order to calculate the point dbQ (or point bdQ), the secret key d or the secret key b is required. That is, the shared information cannot be obtained without knowing the secret key d or the secret key b. Therefore, the shared information obtained by the above method can be used as a secret key for common key encryption.

In the key exchange system of this embodiment, the scalar multiple of the received point is calculated. Therefore, when performing key exchange, it is possible to use the scalar multiplication calculation method of the first embodiment. By using the scalar multiplication method of this embodiment, high safety and high-speed processing can be realized.

In each of the above embodiments, the encryption processing unit, the decryption processing unit, the signature generation processing unit, the signature verification processing unit, and the key exchange processing unit have been described as being realized by software. However, dedicated hardware is used. May be realized. Further, the scalar multiplication calculation unit may be realized by a coprocessor or other dedicated hardware. The data processing unit may be configured to perform any one or more of the encryption process, the decryption process, the signature generation process, the signature verification process, and the key exchange process.

101: Computer A, 102: Storage unit, 103: RAM, 104: Constant, 105: Secret information, 106: ROM, 107: External storage device, 108: Display, 109: Keyboard, 110: Input / output interface, 111: Processing Part, 112: data processing part, 113: CPU, 114: coprocessor, 115: scalar multiplication calculation part, 121: computer B, 122: storage part, 123: RAM, 124: constant, 125: secret information, 126: ROM , 127: external storage device, 128: display, 129: keyboard, 130: input / output interface, 131: processing unit, 132: data processing unit, 133: CPU, 134: coprocessor, 135: scalar multiplication calculation unit, 141: Data: 142: Network, 143: Data, 302: Encoding unit, 303: Prior calculation unit, 304: Actual calculation unit, 321: Φ-adic expansion unit, 322: δ residue acquisition unit, 323: Bit pair determination unit, 324: Bit pair conversion unit, 325: carry calculation unit, 326: repetition determination unit, 327: storage 331: adder, 332: doubling unit, 333: repetition determination unit, 341: bit value determination unit, 342: addition unit, 343: Φ multiplication unit, 344: repetition determination unit, 701: smart card, 702 : Storage unit, 703: RAM, 704: constant, 705: secret information, 706: ROM, 710: input / output interface, 711: processing unit, 712: signature generation processing unit, 713: CPU, 714: coprocessor, 715: Scalar multiplication calculation unit, 721: computer, 722: storage unit, 723: RAM, 724: constant, 725: secret information, 726: ROM, 727: external storage device, 728: display, 729: keyboard, 730: input / output interface , 731: processing unit, 732: signature verification processing unit, 733: CPU, 734: coprocessor, 735: scalar multiplication calculation unit, 741: signature, 742: challenge code.

Claims (10)

Definition on definition field F _q , with characteristic polynomial Φ ² + Φ + q (q should be an odd prime number) in a scalar multiplication unit realized on a computer by CPU executing a program stored in memory An elliptic curve that calculates a scalar multiple from a scalar value and a point on the elliptic curve using an elliptic curve that can perform an automorphism Φ different from the integer multiplication on the elliptic curve A method of scalar multiplication in cryptography,

The scalar value is encoded into a first numerical sequence (b _n−1 , b _n−2 ,..., B ₀ ) (n is a digit length when the scalar value is encoded into the first numerical sequence). One step,

A second step of encoding the first numeric sequence into a second numeric sequence different from the first numeric sequence;

A third step of creating a pre-calculation table from points on the elliptic curve;

And a fourth step of calculating the scalar multiple from the second numerical sequence and the pre-calculation table.

A scalar multiplication calculation method characterized by that.

The scalar multiplication method according to claim 1,

The first step calculates a Φ-adic expansion for the scalar value;

The second step includes

generating b _n , b _{n + 1} , b _{n + 2,} and b _{n + 3} and setting them to 0 (n is the digit length of the Φ-adic expansion for the scalar value),

i is between 0 and n

When b _i = 0 is satisfied, i is increased by 1 after performing the conversion of b _i to b _i ,

If b _i ≠ 0 and | −qb _{i + 1} + b _i | ≦ (q ² −1) / 2, then b _i → −qb _{i + 1} + b _i , b _{i + 1} → 0, b _{i + 2} → -b _{i + 1} + b _{i + 2}

When b _i ≠ 0 and -qb _{i + 1} + b _i > (q ² -1) / 2, b _i → -b _{i + 1} q + b _i -q ² , b _{i + 1} → 0 , B _{i + 2} → b _{i + 2} −b _{i + 1} − (q−1), b _{i + 3} → b _{i + 3} +1 and then i is increased by 2,

When b _i ≠ 0 and -qb _{i + 1} + b _i <-(q ² -1) / 2, b _i → -b _{i + 1} q + b _i + q ² , b _{i + 1} → 0, b _{i + 2} → b _{i + 2} -b _{i + 1} + (q-1),

a conversion step that repeats the process of increasing i by 2 after performing the conversion from b _{i + 3} → b _{i + 3} −1

A scalar multiplication calculation method characterized by that.

An elliptic curve having a characteristic polynomial Φ ² + Φ + q (where q is a power of odd primes) and capable of performing an automorphism Φ different from integer multiplication on an elliptic curve defined on the definition field F _q A scalar multiple calculation device in elliptic curve cryptography that calculates a scalar multiple from a scalar value and a point on the elliptic curve using

The scalar value is encoded into a first numerical sequence (b _n−1 , b _n−2 ,..., B ₀ ) (n is a digit length when the scalar value is encoded into the first numerical sequence). An encoding means,

Second encoding means for encoding the first numerical sequence into a second numerical sequence different from the first numerical sequence;

Pre-calculation means for creating a pre-calculation table from points on the elliptic curve;

Real calculation means for calculating the scalar multiple from the second numerical sequence and the pre-calculation table.

A scalar multiplication calculator characterized by that.

The scalar multiplication apparatus according to claim 3, wherein

The first encoding means encodes the first numeric string by calculating a Φ-adic expansion for the scalar value,

In the second encoding means,

b _n , b _{n + 1} , b _{n + 2,} and b _{n + 3} are generated and set to 0, respectively.

i is between 0 and n

When b _i = 0 is satisfied, i is increased by 1 after performing the conversion of b _i to b _i ,

If b _i ≠ 0 and | −qb _{i + 1} + b _i | ≦ (q ² −1) / 2, then b _i → −qb _{i + 1} + b _i , b _{i + 1} → 0, b _{i + 2} → -b _{i + 1} + b _{i + 2}

When b _i ≠ 0 and -qb _{i + 1} + b _i > (q ² -1) / 2, b _i → -b _{i + 1} q + b _i -q ² , b _{i + 1} → 0 , B _{i + 2} → b _{i + 2} −b _{i + 1} − (q−1), b _{i + 3} → b _{i + 3} +1 and then i is increased by 2,

When b _i ≠ 0 and -qb _{i + 1} + b _i <-(q ² -1) / 2, b _i → -b _{i + 1} q + b _i + q ² , b _{i + 1} → 0, b _{i + 2} → b _{i + 2} -b _{i + 1} + (q-1),

Encoding the first numerical sequence to the second numerical sequence by repeating the process of increasing i by 2 after performing the conversion from b _{i + 3} → b _{i + 3} −1

A scalar multiplication calculator characterized by that.

The scalar multiplication apparatus according to claim 3 or 4, wherein

The automorphism map is a Frobenius map

A scalar multiplication calculator characterized by that.

A signature generation apparatus comprising: a signature generation processing unit that generates signature data from data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the signature data,

The scalar multiplication unit includes means for calculating a scalar multiple using the scalar multiplication apparatus according to any one of claims 3 to 5.

A signature generation apparatus characterized by the above.

A signature verification apparatus comprising: a signature unit that verifies signature data from data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the signature data,

The scalar multiplication unit includes means for calculating a scalar multiple using the scalar multiplication apparatus according to any one of claims 3 to 5.

A signature generation apparatus characterized by the above.

An encryption device comprising: an encryption unit that generates encrypted data from data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the encrypted data,

The scalar multiplication unit includes means for calculating a scalar multiple using the scalar multiplication apparatus according to any one of claims 3 to 5.

An encryption device characterized by that.

A decryption device comprising: a decryption unit that generates decryption data from encrypted data; and a scalar multiple calculation unit that calculates a scalar multiple necessary for creating the decryption data,

The scalar multiplication unit includes means for calculating a scalar multiple using the scalar multiplication apparatus according to any one of claims 3 to 5.

A decoding device characterized by the above.

In the elliptic Diffie-Hellman key agreement scheme, a key generation device having a generation unit that generates a public key from a secret key, and a scalar multiplication unit that calculates a scalar multiple necessary for generating the public key. And

The scalar multiplication unit includes means for calculating a scalar multiple using the scalar multiplication apparatus according to any one of claims 3 to 5.

A key generation device characterized by that.

Images