KR20050102291A - Method and apparatus for protecting public key cryptosystems from side-channel attacks, and computer readable record medium stored thereof method - Google Patents

Abstract

With two prime numbers (p, q) as the secret key, n satisfying n = p * q is the public key, phi (n) and the prime integer e are public keys, and ed = 1 mod phi (n) An encryption apparatus using an RSA public key encryption method based on a CRT used as a secret key includes dp = d mod (p-1), dq from the two prime numbers (p, q), the secret key (d), and the public key (e). First operation to calculate = d mod (q-1), ep = e mod (p-1), eq = e mod (q-1), pi = p ^-1 mod q, qi = q ^-1 mod p Way; Based on the message M, the two prime numbers p, q and the calculated values output from the first computing means Wow Second operation means for calculating a; Based on the M, ep, eq, p, and q Third operation means for calculating a; Fourth operation means for performing an exclusive OR on the Tp and the Tq and generating a result; Receive the Sp, Sq, p, q, pi and qi and based on them Fifth calculation means for calculating a; And receiving S output from the fifth calculating means and signing the S based on whether the received Sp matches (S mod p) and whether Sq matches (S mod q). And digital signature output means for outputting as an electronic signature for the message M to be intended.

Description

Method and apparatus for protecting public key cryptosystems from side-channel attacks, and computer readable record medium stored method method}

The present invention relates to an encryption apparatus and an encryption method, and more particularly, to a method and apparatus for RSA (Rivest, Shamir and Adleman) public key based on Chinese remainder theorem (CRT), and a computer readable recording the method. More particularly, the present invention relates to a digital signature device and a digital signature method using an RSA public key encryption method based on a CRT, and to a computer readable recording medium recording the method.

With the advent of the information society, the protection of information using cryptographic algorithms and cryptographic protocols is increasing in importance. Among these cryptographic algorithms, public key cryptography algorithms including RSA are rapidly being applied to various applications such as the Internet and financial networks while solving key distribution problems and digital signature problems which are disadvantages of secret key cryptography algorithms including AES. have.

The RSA algorithm, which is the first proposed public key encryption method, is composed of encryption / decryption and digital signature generation / verification by the following process.

First, a first user wanting encrypted communication generates two large primes (p, q) and calculates n = p * q. Also select phi (n) = (p-1) * (q-1) and a relatively prime integer e, calculate d that satisfies ed = 1 mod phi (n), and then (n e) is published as a public key and (p, q, d) is stored as a private key.

The second user who wants to secretly transmit the message (M) to the first user performs a modular exponentiation (Equation 1) using the public key (n, e) of the first user after The resultant value C is transmitted to the first user.

The first user, having received the result value C from the second user, recovers the original message M through a modular exponential operation as shown in Equation 2 using its secret key d.

The first user who wants to digitally sign the message (M) generates an electronic signature (S) of the message (M) through an operation as shown in Equation (3) using his private key (d).

A second user who receives the message M and the digital signature S, and wants to verify that the digital signature S is the signature of the message M created by the first user, has the public key n, e) the result of performing the operation as shown in Equation 4 using the result value (M ') is the same as the message (M), the digital signature (S) is a signature of the message (M) created by the first user Can be verified.

In the RSA public key cryptosystem, the problem of finding the secret key (p, q, d) from the public key (n, e) is to find its prime factor p, q from n = p * q, that is, the factorization of n It's like a problem.

Therefore, considering the current computer computing power and the degree of development of the prime factorization algorithm, the size of n used in the RSA will be at least 1024 bits.

However, a large amount of computation is required to perform the modular exponential operation, which is the basic operation of the RSA. In particular, computing environments with limited computing power and memory, such as smart cards, cause many problems. To solve this problem, CRT-based modular exponential operation method can be applied to RSA decoding operation or digital signature generation operation, which can bring about 4 times faster than CRT method. .

However, the CRT-based RSA (CRT_RSA) decryption method or the digital signature method is vulnerable to various side-channel attacks and fault attacks. The additional channel attack is an attack method for extracting secret key related information inside the cryptographic system by using additional information exposed during cryptographic operation. The timing and power attack proposed by Kocher et al. Etc.

In addition, fault attack is an attack method proposed by Boneh et al., Which analyzes the incorrect calculation result generated by injecting temporary error or permanent fault into the device that performs cryptographic operation, and analyzes the secret key in the system. How to extract information.

First, the time attack on the RSA cryptosystem is that the square and multiplication operations performed inside the exponential multiplication algorithm may have different execution times, and that the execution time may be different when the bits of the exponent are zero and one. It is an attack method that derives the secret key or Hamming weight (number of 1s from the binary expansion of the secret key) using the fact that the exponent operation time may vary depending on the point and the message.

Several countermeasures have been proposed for this time attack, typically a method of inserting a dummy operation so that the operation time is the same regardless of each bit of the exponent, and masking the exponent part using random numbers. There are ways to mask messages using random numbers. The present invention provides a countermeasure against time attack by using a false calculation and uses a method of optimizing the calculation time in the application method.

Next, power attacks against RSA cryptosystems are simple power attacks and differential power attacks. The basic principle is that the power consumed by an encryption device and the state of internal registers are correlated. Therefore, the secret key can be derived by analyzing such power. Various countermeasures have been proposed for such a power attack, and there are representative methods of masking the exponential part using random numbers and masking a message using random numbers. The present invention provides a countermeasure against power attack by using a method of masking a message using a random number together with a false operation insertion method and optimizes operation time in the application method.

Finally, it is known that the CRT-RSA cryptosystem is particularly vulnerable to error attack compared to the normal RSA cryptosystem. The error attack on the CRT-RSA, first proposed by Boneh and Lenstra et al., Can inject an error in the signature operation of one of two prime numbers for a message and cause an invalid digital signature, Can be recovered.

The error attack is known as the most powerful attack method because it does not restrict the cause of the error and can attack the CRT-RSA cryptosystem very simply, and therefore, various countermeasures have been proposed. Typical examples include inserting the verification step before signature output and Shamir's method. First, a method of inserting a verification step before outputting a signature is to perform an exponential power operation (S ^e mod n) using a public key (e) on a signature (S) to be output when a digital signature is generated. ), And if they are the same, then the output is assumed to be an error-free signature, otherwise the signature operation is performed again.

However, this method is not preferable because it performs a condition check command during its execution, which is known to be vulnerable to another additional channel attack. Shamir's method proposed in US Pat. No. 5,991,415 first generates a short length random number r, and then generates a signature generation intermediate result (Up, Uq) m as shown in the following equation.

Now generate up mod r and Uq mod r as the signature verification step, and check if the two values are the same, and if the two values are different, perform the signature generation operation again because the signature is in error. Similarly, Sp and Sq are generated, and the signature S is generated using the CRT and the value is output.

However, this method has the following problems. First, there is 1 / r probability of error that cannot be theoretically detected. That is, there is a case where an error occurs but the error cannot be detected because Up mod r = Uq mod r, and the probability is 1 / r. Selecting a large r here will reduce the probability of undetectable errors, but it requires a lot of computational overhead because it requires a modulus exponentiation on the increased modulus (p * r, q * r). do. Conversely, choosing a smaller r can reduce computational overhead, but it is not desirable because it increases the probability of undetectable errors.

The second problem is that the method can be vulnerable to another additional channel attack while performing the condition check command. The third problem is that the modulus (p * r, q * r) used in the modulus exponential operation of the above method is an extension of the original modulus (p, q), which may cause compatibility with the existing system. have. In the present invention, when an error occurs for one prime number during the process of generating a signature using a CRT, the error attack is impossible by making the error affect the result value for the other prime number.

Accordingly, a technical object of the present invention is to provide a method and apparatus for protecting a public key cryptographic system from side channel attacks, and a computer readable recording medium recording the method.

In order to accomplish the above technical problem, two prime numbers (p, q) are used as a secret key, n satisfying n = p * q as a public key, phi (n) and a mutually prime integer e as a public key, and e * d = 1 mod The CRT-based RSA public key encryption method using d as a secret key satisfying phi (n) is obtained from the two prime numbers (p, q), the secret key (d) and the public key (e). Calculating and storing; Based on the message (M) to be signed, the two prime numbers (p, q), the dp, and dq Wow Calculating; Calculating; Exclusively ORing the Tp and the Tq and generating a resultant value T; Calculating; And outputting S as an electronic signature for the message M to be signed based on whether Sp matches (S mod p) and Sq matches (S mod q). It is provided.

remind Wow Computing the step of generating a random number (r); Calculating and storing the calculated value; Compute r ^-1 mod p, M * r ^-1 mod p, r ^-1 mod q, and M * r ^-1 mod q, respectively, and calculate each calculated value to the corresponding register (Temp_p [0], Temp_p [1). ] Temp_q [0] and Temp_q [1]); decreasing i from n to 0 by 1 Calculating and storing the calculated value; based on whether ki is 0 or 1 and whether mi is 0 or 1 Calculating; And Calculating and outputting the Sp and the Sq.

Ki is the i th coefficient when dp is binary developed, and dp = kn * 2 ⁿ +. + ki * 2 ⁱ +… + k1 * 2 + k0, and mi is the i-th coefficient when dq is binary developed, and dq = mn * 2 ⁿ +. + mi * 2 ⁱ +… + m1 * 2 + m0.

In order to achieve the above technical problem, two prime numbers (p, q) are used as a secret key, n satisfying n = p * q as a public key, phi (n) and a prime integer e which are mutually primed, and ed = 1 mod phi ( An encryption method using an RSA public key encryption method based on CRT using d as a secret key satisfying n) satisfies a message (M) to be signed, the two prime numbers (p and q), the secret key (d), and the public key. from (e) Calculating and storing; Wow Calculating; Calculating; Exclusive ORing the Tp and the Tq and generating a result; Calculating; And And outputting the S as an electronic signature for the message (M) to be signed.

A computer readable program for executing the method is stored on the recording medium.

In order to accomplish the above technical problem, two prime numbers (p, q) are used as a secret key, n satisfying n = p * q is a public key, phi (n) and a prime integer e are mutual keys, and ed = 1 mod phi ( An encryption apparatus using an RSA public key encryption scheme based on CRT using d as a secret key satisfying n) is obtained from the two prime numbers (p, q), the secret key (d), and the public key (e). First operating means for calculating a; Based on the message M, the two prime numbers p, q and the calculated values output from the first computing means Wow Second operation means for calculating a; Based on the M, ep, eq, p, and q Third operation means for calculating a; Fourth operation means for performing an exclusive OR on the Tp and the Tq and generating a result; Receive the Sp, Sq, p, q, pi and qi and based on them Fifth calculation means for calculating a; And receiving S output from the fifth calculating means and signing the S based on whether the received Sp matches (S mod p) and whether Sq matches (S mod q). And digital signature output means for outputting as an electronic signature for the message M to be intended.

The second computing means comprises: random number generating means for generating a random number r; And And compute r ⁻¹ mod p, M * r ⁻¹ mod p, r ⁻¹ mod q, and M * r ⁻¹ mod q, respectively, and compute each computed value in the corresponding register (Temp_p [0]). , Temp_p [1], Temp_q [0] and Temp_q [1]), Is calculated, and based on the values of ki and mi And calculate Sp and Sq generating means for outputting.

Ki is the i th coefficient when dp is binary developed, and dp = kn * 2 ⁿ +. + ki * 2 ⁱ +… + k1 * 2 + k0, and mi is the i-th coefficient when dq is binary developed, and dq = mn * 2 ⁿ +. + mi * 2 ⁱ +… + m1 * 2 + m0.

In order to achieve the above technical problem, two prime numbers (p, q) are used as a secret key, n satisfying n = p * q as a public key, phi (n) and a prime integer e which are mutually primed, and ed = 1 mod phi ( An encryption apparatus using an RSA public key encryption scheme based on CRT using d as a secret key satisfying n) is obtained from the two prime numbers (p, q), the secret key (d), and the public key (e). First operating means for calculating a;

Based on the message (M) to be signed, the two prime numbers (p, q), the dp and the dq Wow Second operation means for calculating a; Based on Sp and Sq, M, ep, eq, p and q outputted from the second calculating means Third operation means for calculating a; Fourth computing means for receiving the Tp and the Tq outputted from the third computing means, exclusive-ORing them, and outputting the result T; Based on the value T output from the fourth calculating means and p, q, pi, and qi Fifth calculation means for calculating a; And values Sp and Sq output from the second calculation means, a value T output from the fourth calculation means, a value D output from the fifth calculation means, p, q, pi and qi. Based on And digital signature output means for outputting the calculated S as an electronic signature for the message M to be signed.

In order to fully understand the present invention, the operational advantages of the present invention, and the objects achieved by the practice of the present invention, reference should be made to the accompanying drawings which illustrate preferred embodiments of the present invention and the contents described in the accompanying drawings.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. Like reference numerals in the drawings denote like elements.

1 shows a flow diagram illustrating an encryption and a method in accordance with one embodiment of the present invention. 2 shows a flowchart illustrating a method for obtaining Sp and Sq according to the present invention. 3 is a block diagram of an encryption apparatus according to an embodiment of the present invention. FIG. 4 shows a detailed block diagram of the second computing means shown in FIG.

Referring to FIGS. 1 to 4, a CRT-based modular exponential operation is performed on a decryption operation or an electronic signature operation of an encryption apparatus using an RSA using a public key (n, e) and a secret key (p, q, d). The process of doing this is as follows.

The first computing means 210 receives two prime numbers (p, q), a secret key (d), and a public key (e) (step 110), and dp, dq, ep, eq, pi as shown in Equation (7). , And qi are calculated and the calculation result is stored in a predetermined register (step 120).

Where dp and dq represent the result of modular operation of the secret key (d) with (p-1) and (q-1), respectively, and ep and eq represent the public key (e) with (p-1) and (q- 1) shows the result of each modular operation, pi shows the result of the modular operation p- ¹ to q, and qi shows the result of the modular operation p- ¹ to p.

The second computing means 220 receives the dp, dq, secret keys (p, q), and the message M to be signed (step 1301) calculated by the first computing means 210 and uses them. Calculate Sp and Sq. The second operation means 220 Wow Calculate Here, the multiplication operation means modular multiplication of modulus p and modular multiplication of modulus q.

3 and 4, detailed operations of the second operation unit 220 will be described below. The random number generating means 221 generates a random number r (step 1303).

The C1 and C2 generating means 223 performs a multiplication operation on the message M and the random number r, and as a result, generates C1 and C2 as shown in Equation 8 (step 1305), and generates the generated C1 and C2. Is stored in each predetermined register. The C1 and C2 generating means 223 performs a masking step of multiplying the ciphertext by a random number r in order to respond to a time attack.

The C1 and C2 generating means 223 calculates the inverse r ^-1 mod p for the multiplication of the random number r with respect to the decimal number p as shown in Equation (9) and registers the result of the register (Temp_p [0]; And multiply r ⁻¹ by the message M and store the result in a register Temp_p [1] (not shown) (step 1307).

The C1 and C2 generating means 223 calculates the inverse r ^-1 mod q for the multiplication of the random number r with respect to the prime number q as shown in Equation 10, and the result is a register (Temp_q [0]). ], And multiplies r ⁻¹ by the message M to store the result in a register (Temp_q [1]) (not shown) (step 1307).

The C1 and C2 generating means 223 calculates C1 and C2 through Equation 11 while decreasing the variable i from n to 0, and stores the result in a predetermined register. Where ki is the i-th coefficient when dp is binary developed.

Where dp = kn * 2 ⁿ +... + ki * 2 ⁱ +… + k1 * 2 + k0, and mi is the i-th coefficient when dq is binary developed. Where dq = mn * 2 ⁿ +... + mi * 2 ⁱ +… + m1 * 2 + m0.

The C1 and C2 generating means 223 performs a multiplication operation on C1 and Temp_p [0] when ki is 0, and stores the result in a predetermined register. The multiplication operation is performed on the result, and the result is stored in the predetermined register C2 (step 1309).

The C1 and C2 generating means 223 performs a multiplication operation on C2 and Temp_q [0] when mi is 0, and stores the result in a predetermined register C2. If mi is 1, C2 and Temp_q [ Multiplication is performed in step 1309 and the result is stored in a predetermined register (step 1309). That is, the C1 and C2 generating means 223 performs an operation as shown in Equation 12.

Sp and Sq generating means 225 receives p, q, C1 and C2 calculated by the C1 and C2 generating means 223, Temp_p [ki] and Temp_q [mi], and multiplies them to obtain Equation (13). Sp and Sq are calculated, and the result is stored in a corresponding register (not shown) (step 1311), and Sp and Sq are output to the third calculating means 230 (step 1313).

That is, the second operation unit 220 performs a modular exponential operation based on the CRT including a dummy operation on the data generated in step 1305 to prepare for a time attack and a power attack through steps 1307 to 1313.

The third calculation means 230 performs a modular exponential power operation and a modular subtraction operation using the message M, ep, eq, p, and q as shown in Equation 14, and generates the resulting Tp and Tq. Stored in a predetermined register (step 140).

The fourth calculating means 240 receives Tp and Tq output from the third calculating means 230, calculates T through Equation 15 by performing an exclusive OR (XOR) (step 150).

The third operation means 230 and the fourth operation means 240 of the encryption apparatus according to the present invention generate an error detection factor for detecting a temporary error from the data generated in steps 1307 through 1313.

The fifth calculating means 250 receives T, Sp, Sq, p, q, n, pi and qi, and adds to the modulus n based on them, i. The calculation is performed as in step 16, and the electronic signature S is stored in a predetermined register (step 160).

The fifth calculation means 250 detects a permanent error in the device (eg, a smart card) that may occur during the calculation of each calculation means and outputs a result.

The digital signature output means 260 checks whether the digital signature S calculated by the fifth computation means 250 and Sq and the modulus p are congruent (step 170). That is, when Sp = S mod p, the digital signature output means 260 checks again whether the digital signature S is congruent with respect to Sq and modulus p (step 180).

As a result, when Sq = S mod q is satisfied, the digital signature output means 260 outputs the digital signature S as the digital signature for the message M. That is, the digital signature output means 260 outputs the digital signature S as the digital signature for the message M only when Sp = S mod p is satisfied and Sq = S mod q is satisfied (190). step). Otherwise, the digital signature generation operation is performed again.

The digital signature output means 260 generates a desired digital signature using the CRT from the data generated by each computing means.

5 is a flowchart illustrating a cryptography and method according to another embodiment of the present invention. 6 shows a flowchart illustrating a method for obtaining Sp and Sq according to the present invention. 7 is a block diagram of an encryption apparatus according to another embodiment of the present invention.

Referring to FIGS. 4 to 7, the CRT-based modular exponential operation is performed on the decryption operation or the digital signature operation of the encryption apparatus using the RSA using the public key (n, e) and the secret key (p, q, d). The following describes the process to be performed.

The first operation means 210 receives a prime number (p, q), a secret key (d) and a public key (e) (step 310), and dp, dq, ep, eq, pi and qi as shown in Equation (7). Is calculated and the calculation result is stored in a predetermined register (step 320).

The second operation unit 220 receives the dp, dq, secret key (p, q), and the message M to be signed (step 3301) calculated by the first operation unit 210 and uses them. Calculate Sp and Sq. Here, the multiplication operation means modular multiplication of modulus p and modular multiplication of modulus q.

The random number generating means 221 generates a random number r (step 3303).

The C1 and C2 generating means 223 performs a multiplication operation on the message M and the random number r as shown in Equation 8, and generates C1 and C2 as a result (step 3305).

The C1 and C2 generating means 223 calculates the inverse r ^-1 mod p for the multiplication of the random number r with respect to the decimal number p as shown in Equation 9, and stores the result in the register (Temp_p [0]). , r ⁻¹ is multiplied by the message M, and the result is stored in the register Temp_p [1] (step 3307).

The C1 and C2 generating means 223 calculates the inverse r ⁻¹ mod q for the multiplication of the random number r with respect to the decimal number q as shown in Equation 10, and the result is stored in the register Temp_q [0]. And store the result in a register (Temp_q [1]) by multiplying r ⁻¹ by M (step 3307).

The C1 and C2 generating means 223 performs operations similar to Equation 11 while decreasing i from n to 0, and stores the result in a predetermined register. Where ki is the i-th coefficient when dp is binary developed.

Where dp = kn * 2 ⁿ +… + ki * 2 ⁱ +… + k1 * 2 + k0, and mi is the i-th coefficient when dq is binary developed. Where dq = mn * 2 ⁿ +... + mi * 2 ⁱ +… + m1 * 2 + m0.

The C1 and C2 generating means 223 performs a multiplication operation on C1 and Temp_p [0] when ki is 0 as shown in Equation 12, and stores the result in a predetermined register. A multiplication operation is performed on Temp_p [1], and the result is stored in a predetermined register (step 3309).

The C1 and C2 generating means 223 performs a multiplication operation on C2 and Temp_q [0] when mi is 0, as shown in Equation 12, and stores the result in a predetermined register. A multiplication operation is performed on Temp_q [1], and the result is stored in a predetermined register (step 3309). That is, the C1 and C2 generating means 223 performs the following operation.

Sp and Sq generating means 225 receives C1 and C2, Temp_p [ki] and Temp_q [mi] calculated by the C1 and C2 generating means 223, multiplies them to obtain Sp and Sq as shown in Equation (13). The calculation results are stored in a corresponding register (step 3311), and Sp and Sq are output to the third calculating means 230 (step 3313).

The third calculation means 230 performs a modular exponential power operation and a modular subtraction operation using the message M, ep, eq, p, and q as shown in Equation 14, and generates the resulting Tp and Tq. Stored in a predetermined register (step 340).

The fourth calculating means 240 receives Tp and Tq, and calculates T by performing an exclusive OR (XOR) on them, as shown in Equation 15 (step 350).

The fifth calculating means 250 receives T, p, q, pi, and qi, performs an integer subtraction operation on the value obtained by the exclusive OR of the secret key q and T, and qi, and modulates the result value. Modular subtraction operation for p, and the value obtained by exclusive OR of secret key (p) and T, and integer subtraction operation for pi, and then the result of modular subtraction operation of 1 for modulus q In operation 360, the integer addition operation is performed to store the generated value in a predetermined register.

The digital signature output means 420 calculates S1, S2, and S as shown in Equation 18 (step 370), and then outputs the result as the electronic signature S (step 380).

An encryption device and an encryption method according to the present invention can be written as a program that can be executed in a computer system. In addition, the program can be read from a computer readable recording medium having recorded such a program and executed in a general-purpose digital computer system. Such recording media include magnetic storage media (e.g., ROM, floppy disk, hard disk, etc.), optical reading media (e.g., CD-ROM, DVD, etc.) And media such as carrier waves (eg, transmission over the Internet).

Although the present invention has been described with reference to one embodiment shown in the drawings, this is merely exemplary, and those skilled in the art will understand that various modifications and equivalent other embodiments are possible therefrom. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

As described above, the encryption apparatus and the encryption method according to the present invention can be securely implemented in a time attack.

The encryption apparatus and encryption method according to the present invention can be securely implemented in a power attack.

The encryption device and encryption method according to the present invention can be securely implemented for temporary error injection.

The encryption device and encryption method according to the present invention can be securely implemented for permanent error injection.

The encryption device and the encryption method according to the present invention have the effect of minimizing the operation time.

The detailed description of each drawing is provided in order to provide a thorough understanding of the drawings cited in the detailed description of the invention.

1 shows a flow diagram illustrating an encryption and a method in accordance with one embodiment of the present invention.

2 shows a flowchart illustrating a method for obtaining Sp and Sq according to the present invention.

3 is a block diagram of an encryption apparatus according to an embodiment of the present invention.

FIG. 4 shows a detailed block diagram of the second computing means shown in FIG.

5 is a flowchart illustrating a cryptography and method according to another embodiment of the present invention.

6 shows a flowchart illustrating a method for obtaining Sp and Sq according to the present invention.

7 is a block diagram of an encryption apparatus according to another embodiment of the present invention.

Claims (11)

Satisfies two primes (p, q) as a private key, n as a public key that satisfies n = p * q, phi (n) and a prime integer e as a public key, and satisfies e * d = 1 mod phi (n) An encryption method using an RSA public key encryption method based on a CRT using d as a secret key, From the two prime numbers (p, q), the secret key (d) and the public key (e) Calculating and storing; Based on the message (M) to be signed, the two prime numbers (p, q), the dp, and dq Wow Calculating; Calculating; Exclusively ORing the Tp and the Tq and generating a resultant value T; Calculating; And Outputting S as an electronic signature for the message M to be signed based on whether Sp matches (S mod p) and Sq matches (S mod q) Encryption method characterized in that it comprises. The method of claim 1, wherein Wow The step of calculating Generating a random number r; Calculating and storing the calculated value; Compute r ^-1 mod p, M * r ^-1 mod p, r ^-1 mod q, and M * r ^-1 mod q, respectively, and calculate each calculated value to the corresponding register (Temp_p [0], Temp_p [1). ] Temp_q [0] and Temp_q [1]); decreasing i from n to 0 by 1 Calculating and storing the calculated value; based on whether ki is 0 or 1 and whether mi is 0 or 1 Calculating; And And calculating Sp and outputting the Sp and the Sq. 3. The method of claim 2, wherein ki is the i-th coefficient when dp is binary developed, and dp = kn * 2 ⁿ +. + ki * 2 ⁱ +… + k1 * 2 + k0, and mi is the i-th coefficient when dq is binary developed, and dq = mn * 2 ⁿ +. + mi * 2 ⁱ +… Encryption method characterized in that + m1 * 2 + m0. With two prime numbers (p, q) as the secret key, n satisfying n = p * q as the public key, phi (n) and mutually prime integer e as the public key, and d satisfying ed = 1 mod phi (n) In the encryption method using the RSA public key encryption method based on the CRT used as the secret key, From the message (M) to be signed, the two prime numbers (p, q), the secret key (d) and the public key (e) Calculating and storing; Wow Calculating; Calculating; Exclusive ORing the Tp and the Tq and generating a result; Calculating; And And outputting the S as an electronic signature for the message (M) to be signed. The method of claim 4, wherein Wow The step of calculating Generating a random number r; Calculating and storing the calculated value; Compute r ^-1 mod p, M * r ^-1 mod p, r ^-1 mod q, and M * r ^-1 mod q, respectively, and calculate each calculated value to the corresponding register (Temp_p [0], Temp_p [1). ] Temp_q [0] and Temp_q [1]); decreasing i from n to 0 by 1 Calculating and storing the calculated value; based on whether ki is 0 or 1 and whether mi is 0 or 1 Calculating; And And calculating Sp and outputting the Sp and the Sq. 6. The method of claim 5, wherein ki is the i-th coefficient when dp is binary developed, and dp = kn * 2 ⁿ +. + ki * 2 ⁱ +… + k1 * 2 + k0, and mi is the i-th coefficient when dq is binary developed, and dq = mn * 2 ⁿ +. + mi * 2 ⁱ +… Encryption method characterized in that + m1 * 2 + m0. A computer-readable recording medium having recorded thereon a program for executing the method according to any one of claims 1 to 6 on a computer. With two prime numbers (p, q) as the secret key, n satisfying n = p * q is the public key, phi (n) and the prime integer e are public keys, and ed = 1 mod phi (n) An encryption device using an RSA public key encryption method based on a CRT used as a secret key, From the two prime numbers (p, q), the secret key (d) and the public key (e) First operating means for calculating a; Based on the message M, the two prime numbers p, q and the calculated values output from the first computing means Wow Second operation means for calculating a; Based on the M, ep, eq, p, and q Third operation means for calculating a; Fourth operation means for performing an exclusive OR on the Tp and the Tq and generating a result; Receive the Sp, Sq, p, q, pi and qi and based on them Fifth calculation means for calculating a; And To receive the S output from the fifth calculating means and to sign the S based on whether the received Sp matches (S mod p) and whether the Sq matches (S mod q) And digital signature output means for outputting as an electronic signature for a message (M). The method of claim 8, wherein the second operation means, Random number generating means for generating a random number (r); And And compute r ⁻¹ mod p, M * r ⁻¹ mod p, r ⁻¹ mod q, and M * r ⁻¹ mod q, respectively, and compute each computed value in the corresponding register (Temp_p [0]). , Temp_p [1], Temp_q [0] and Temp_q [1]), Is calculated, and based on the values of ki and mi And calculate And Sp generating means for outputting the Sq. The method according to claim 9, wherein ki is the i-th coefficient when dp is binary developed, and dp = kn * 2 ⁿ +. + ki * 2 ⁱ +… + k1 * 2 + k0, and mi is the i-th coefficient when dq is binary developed, and dq = mn * 2 ⁿ +. + mi * 2 ⁱ +… Encryption device characterized in that + m1 * 2 + m0. With two prime numbers (p, q) as the secret key, n satisfying n = p * q as the public key, phi (n) and mutually prime integer e as the public key, and d satisfying ed = 1 mod phi (n) An encryption device using an RSA public key encryption method based on a CRT used as a secret key, From the two prime numbers (p, q), the secret key (d) and the public key (e) First operating means for calculating a; Based on the message (M) to be signed, the two prime numbers (p, q), the dp and the dq Wow Second operation means for calculating a; Based on Sp and Sq, M, ep, eq, p and q outputted from the second calculating means Third operation means for calculating a; Fourth computing means for receiving the Tp and the Tq outputted from the third computing means, exclusive-ORing them, and outputting the result T; Based on the value T output from the fourth calculating means and p, q, pi, and qi Fifth calculation means for calculating a; And The values Sp and Sq output from the second computing means, the value T output from the fourth computing means, the value D output from the fifth computing means, p, q, pi and qi. Based on And digital signature output means for calculating a and outputting the calculated S as an electronic signature for the message M to be signed.