JP2000293101A - Elliptic cipher safety evaluation device, its method and program recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To vary the level of safety. SOLUTION: Besides elliptic cipher parameters (q, p, a, b, P, Q, m and l), an auxiliary parameter L is inputted. Then, when, m=q-1 or l=P, it is judged to be not safe. When m≠q-1 and l≠P, a remainder multiplier 111 is repeatedly used to obtain a minimum natural number k in which qk-l (mod l). At that time, an investigation is made till k<[(log q)L]. If it is not i<=[(log q)L], it is judged to be safe. When qi=l (mod l), it is judged to be not safe. Note that L is varied in accordance with the level of safety.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an apparatus, a method, and a program recording medium for evaluating the security of elliptical cryptography based on the security of an elliptic discrete logarithm problem.

[0002]

2. Description of the Related Art In a public key cryptosystem represented by RSA, the security is based on the difficulty of solving a mathematical problem called a prime factorization problem from the viewpoint of computational complexity. Research has forced the public key size, a parameter of its security, to increase year by year. On the other hand, for elliptic cryptography, which bases its security on a problem called the elliptic discrete logarithm problem, security research has not yet progressed at this stage.
It is considered that the security is higher than A or the like, the size of the public key can be shortened, and it is considered to be effective for use in mounting on a low power IC card. Regarding public key cryptography, for example, Okamoto-Yamamoto,
See “Modern Cryptography”, Industrial Books (hereinafter referred to as Reference 1). Regarding elliptic curves and elliptic encryption, see, for example, Menezes, A. et al. J. Author, "Elliptic
Curve Public Key Cryptos
systems, Kluwer Academic P
ublishers (1993) (hereinafter, this reference is referred to as reference 2).

[0003] The elliptical encryption system will be briefly described. Hereinafter, E represents an elliptic curve defined on a finite field GF (q) (characteristic p is 5 or more). The definition equation is y ² = x ³ + ax + b. At this time, the elliptic cryptosystem using E is configured as follows:
E (GF (q)) has a sufficiently large prime order l. An arbitrary integer of 0 <n <l is taken, and Q = nP by addition on E. At this time, encryption processing (E ₁ ) and decryption processing (D ₁ ) are performed using C = (C ₁ , C 2) = E ₁ ((q, E, P, Q, l) as a public key and n as a secret key. M) (1) C ₁ = rP (2) C ₂ = rQ + M (3) M = D ₁ (C) = (X−coordinate of C ₂ −xC ₁ ) (4) Here, r is an arbitrary integer that satisfies 0 <r <l, and is selected each time encryption processing is performed. Also, rQ
+ M represents the sum of the point on the elliptic curve where the X-coordinate is M and the point rQ on the elliptic curve. In general, it is not known whether a point having M on the X-coordinate always exists on a given elliptic curve (in this case, the probability 1 /
2), a certain rule common to the system is determined and a certain amount of redundant information is added to M, so that a point having the redundant information added to the X-coordinate can always be obtained. Can be

Here, the basis of the security of this cryptosystem is that given (P, Q), the problem of finding a natural number n such that nP = Q is difficult. This is called the elliptic discrete logarithm problem. Only a few algorithms have been proposed for attacking elliptic cryptography when using elliptic curves that satisfy special properties.
When a general elliptic curve is used, only those whose execution time is the exponential time of the input size are known. First, when an elliptic curve called a hypersingular is used, the elliptic discrete logarithm problem on the elliptic curve can be reduced to a discrete logarithm problem on a multiplicative group of an extended field of the definition field. For this, a function called a Weil pair is used. A technique similar to this, but using a function called a Tate pair has also been proposed. These are methods in which the elliptic curve is embedded in a multiplicative group of an extended field of the definition field and converted into a classical discrete logarithm problem that has been well studied so far.
On the other hand, there has been proposed a method of solving a discrete logarithm problem by embedding an elliptic curve having a property called anomalous by regarding the definition field as an additive group and embedding it.

[0005] One of the methods to solve the elliptic discrete logarithm problem
An algorithm using Weil pairs will be described (this Wel pair).
For details of the algorithm using the il pair, see Reference 2.
See). [Algorithm by Weil pair] Input: P∈E (GF (q)) of order l. Q∈
<P> = ｛P¹, P^Two, P ^Three, ..., P^l(= Ο)｝ Output: Integer Q = nP (0<n <l) (1) E [l] ⊂E (GF (q^k))
Determine k. E [l] is unity when multiplied by 1 at a point on E
Represents the whole point.

(2) R∈E [l] is randomly taken. (3) Calculate α = e _l (P, R) and β = e _l (Q, R). (4) Solving the discrete logarithm problem on GF ^x (q ^k )

[0007]

(Equation 1) Ask for. The calculation of the Weil pair is performed as follows. (A) P + T ≠ R + U, P + TU ≠ T and T ≠ R + U, T
Select points T and U∈E that satisfy ≠ U.

(B) div (f) = 1 (P + T) −1
(T), div (g) = l (R + U) -l (U)
The rational functions f and g are calculated. (C) e_l(P, R) = (f (R + U) / f (U))
(G (T) / g (P + T)) Further, the algorithm using the Tate pair was described in Reference 3.
Therefore, m = q-1 = 1 ^vIn the case of
M is the number of GF (q) rational points of the elliptic curve E.

[Algorithm by Tate pair] Input: P∈E (GF (q)) of order l. Q∈
<P> = ｛P¹, P^Two, P ^Three, ..., P^l(= Ο)｝ Output: Integer Q = nP (0<n <l) (1) Select T∈ <P> (≠ P, Q, O) and div (h
_T) = L (T) -l (O) h_TAsk for.

(2) When X, Y∈ <P>, D _P = (P +
X) - (X) and _{div (h T), D Q} = (Q + Y) -
(Y) and div (h _T ) find a support (distribution) that is a disjoint (having no common point). (3) α = h _T (D _P ), β = h _T (D _Q ) ∈GF
Calculate ^x (q). (4) Solve the discrete logarithm problem from α ′ = α ^v and β ′ = β ^v

[0011]

(Equation 2) Ask for. Regarding the above attack method, for example, Uchiyama-Saito, "A Note on the Discrett"
e Log-arithm Problem on E
lliptic Curves of Trace T
WO ", Technical Report of I
EICE, ISEC98-27, pp. 51-57 (1
998) (hereinafter referred to as Document 3), written by Sato-Araki, "FermatQuoteants and th.
e Polynomial Time Discrett
e Log Algorithm for Anoma
Lous Elliptic Curves, Comm
entari Math. Univ. Sancti
Pauli, 47, 1 pp. 88-92 (1998)
(Hereinafter, this is referred to as Reference 4.)

[0012]

As for the Weil pair algorithm, when the elliptic curve is called supersingular by Menezes et al. (Q + 1− # E (GF (q))
(= M) ≡0 (modp)), it is known that this algorithm works effectively. In general, however, there is an efficient method for realizing that R∈E [l] is taken at random. , Was not explicitly indicated.

One object of the present invention is to sift elliptic cryptography using parameters in a range that can be actually attacked according to auxiliary parameters of security set by a user, and in particular, attack by embedding in a multiplicative group. In the case of the present invention, an object is to provide an elliptic cryptographic security evaluation device utilizing the conversion up to the problem of the finite field. Another object of the present invention is to provide We
Taking a random R∈E [l] in the il pair algorithm, that is, a torsin point
t) An object of the present invention is to provide an elliptic cryptographic security evaluation device that efficiently realizes searching for R.

[0014]

According to the first invention, an elliptic cryptographic parameter includes an auxiliary security parameter L. If l = P, the input elliptic cryptographic parameter is determined to be insecure. = Q−1, it is similarly unsafe, and if l = P and m = q−1,
The minimum natural number k that satisfies q ^k = 1 (mod l) is obtained, and [(logq) ^L ] is calculated. If [] is a Gaussian symbol and k <[(log q) ^L ], it is unsafe. If k <[(log q) ^L ], the input elliptical encryption parameter is assumed to be secure.

According to the second aspect of the present invention, R∈E [l] in the Weil pair algorithm is obtained,
Given an equidistant point P, weil versus e _l (P, R)
Generates a point R that is not 1. That is, for the point P of the prime order 1 on the elliptic curve #, a point R of the prime order on the elliptic curve is generated such that the Weil pair is a source of a non-trivial (not 1) finite field. Thus, the security of the elliptic encryption is evaluated by utilizing the fact that the Weil pair algorithm works effectively if k is sufficiently small (currently works effectively when k <log q).

An algorithm for efficiently realizing finding the point R
The algorithm is shown below. (Symbol used in this
Are all based on the above Weil pair algorithm
And Where e is the largest width index that divides m of l, that is,
m / l^eIs the maximum e that can be calculated.) (1) λ≡1 (mod l) and λ^Two−tλ
+ Q≡0 (mod l ^e-1Λ を 満 た す Z / l that satisfies^e-1Z
= {0,1,2, ..., l^e-1-1} (2) A point S is randomly taken from E (GF (qk)).

[0017] (3) S '= calculates the (m / l ^e) S. (4) Calculate S ″ = (φ−λ) S ′ If S ″ = Ο, go to (2). (5) Calculate T = 1S ″. If T = Ο, terminate as R = S ″. Next if T. (5-1) Calculate T ′ = 1T.

(5-2) If T '= Ο, end as R = T
OK. If T '≠ Ο, set T' to T again and (5-
Go to 1). Where φ is called Frobenius map
(X, y) → (x^q, Y ^q). Ma
Further, t is called a trace, and t = q + 1− # E (GF
(Q)). #E (GF (q))
= M and the number of GF (q) rational points of the elliptic curve.

[0019]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of an elliptic encryption security evaluation device will be described. FIG. 1 is a block diagram of an embodiment of the present invention. An elliptic encryption security evaluation device 100 includes a parameter classifying unit 110, a Weil pair algorithm unit 12
0, having a Tate pair algorithm unit 130. 2 is a parameter classifier 110, FIG. 3 is a Weil pair algorithm unit 120, FIG. 4 is a Tate pair algorithm unit 130,
FIG. 5 is a block diagram of each of the torsion point generators.

First, the parameter classifying unit 110 determines the parameters of the elliptic encryption (the order q of the rational field defining the elliptic curve,
When the characteristic p, the coefficients a and b of the elliptic curve, the public keys P and Q, the order 1 of P, the number m of GF (q) rational points of the elliptic curve, and the auxiliary security parameter L), m Calculate-(q-1). If it is 0 (S1), the parameter is output to the Teta pair algorithm unit 130. Otherwise p
-L is calculated, and if 0 (S2), Reject is output and the operation is stopped. That is, it is assumed that the elliptical encryption parameter has no security. Otherwise, i is set to 1 (S
3) The minimum natural number k such that q ^k ≡l (mod l) is obtained by repeatedly using the operation of q ⁱ (mod l) in the remainder multiplier 111 (S5). At this time, k <[(log
q) Check up to ^L ] ([] is a gauss symbol) (S4, S6, S7). If there is no one that satisfies this, Accept, that is, output that the elliptical encryption parameter is secure, is stopped. Here, L is a safety auxiliary parameter set by the user, q ⁱ ≡l (m
If it is odl), i is set to k (S8), and the parameter is output to the Weil pair algorithm unit 120.

In the Tate pair algorithm section 130, FIG.
A point T is generated by the torsion point generator 131 as shown in FIG.
Tate vs. calculator 132 and α = h _T (D _P ),
β = h _T (D _Q ) is output. These are DLP generator 1
33 to calculate α ′ = α ^v , β ′ = β ^v ,
and outputs a set of a.ject and α ', β'. In the Weil pair algorithm unit 120, when parameters are input to the torsion point generation unit 121 as shown in FIG. 3, a λ generator 121-1 generates λ as shown in FIG. -3 generates a random number γ and inputs it to the rational point generator 121-2, whereby a random point S is generated. Next, S is input to the ellipse adder [1] 121-4. Calculated m / l ^e in divider 121-5 is input to the elliptical adder [1] 121-4, S '= (m / l e)
Output S. This is connected to the Frobenius converter 12
1-6 and output S "= ([phi]-[lambda]) S ', where if S" = 、, return to 121-2; [2] Input to 121-7 and calculate T = 1S ″. If T = Ο, then R =
As S ″, R is input to the Weil pair calculator 122.
Otherwise, T is input to the ellipse adder [3] 121-8, and T ′ = 1T is calculated. If T ′ = Ο, R = T and R is input to the Weil pair calculator 122. Otherwise, set T 'to T again, and 121
Return to -8. The Weil pair calculator 122 uses the input R, P, and Q to calculate the Weil pair value α = e _l (P,
R), β = e _l (Q, R) is calculated, and α, β, Reje
Output a pair of ct and k.

In the above, Weil pair algorithm unit 1
20, omitting the Tate pair algorithm section 130,
= Q-1, this elliptic encryption parameter is output as insecure, and m ≠ q-1, l ≠ P, i < [(log
q) ^L ] and q ⁱ = 1 (modl), the elliptical encryption parameter may be output as insecure. That is, in these cases, the elliptic cryptography based on the elliptic cryptographic parameters is replaced by a discrete logarithm problem on a finite field, and thus may possibly be solved.

It is known that when l = P, the elliptical encryption parameter is not secure. The order of the determination of m = q-1 and the determination of 1 = P may be any order. When k is large, it can be said that the elliptical encryption parameter has high security. The larger the auxiliary parameter L, the higher the security. Therefore, L can be changed and the security level can be changed for evaluation.

Each of the processes shown in FIGS. 1 to 5 may be performed by decoding and executing a program by a computer.

[0025]

As described above, by appropriately setting the security auxiliary parameters other than the public key by the user, it is possible to evaluate the security of the elliptical cryptosystem whose evaluation criterion is also variable. In addition, by providing an algorithm that can be used for searching for a twist point such that the calculation of a Weil pair for a general elliptic curve is successful, the security of the elliptic encryption can be evaluated using an algorithm using the Weil pair.

[Brief description of the drawings]

FIG. 1 is a diagram showing an overall configuration of one embodiment of an elliptical encryption security evaluation device of the present invention.

FIG. 2 is a diagram showing details of a parameter classification unit 110 in FIG. 1;

FIG. 3 is a diagram showing details of a Weil pair algorithm unit 120 in FIG. 1;

FIG. 4 is a diagram showing details of a Tate pair algorithm unit 130 in FIG. 1;

FIG. 5 is a diagram showing details of a torsion point generation unit 121 in FIG. 3;

Claims (13)

[Claims] 1. An order q of a finite field defining an elliptic curve, a characteristic p, coefficients a and b of an elliptic curve, an order l of a public key P, Q, and P, and a GF (q) rational point of the elliptic curve , And an auxiliary security parameter L are inputted. It is determined whether or not 1 = p. If it is determined that 1 = p, the inputted elliptical encryption parameter is Means for judging that it is not secure; means for judging whether or not m = q−1, and judging that the input elliptical encryption parameter is not secure when it is judged that m = q−1, l = P and not m = q-1,
and q ^k = 1 (mod l) means for determining the minimum natural number k which satisfies either a means for calculating the ^{[(log q) L],} [] is Gauss symbol ^{k <[(log q) L} ] Means for judging whether or not the input elliptical encryption parameter is determined to be secure if determined to be false, and determining that the input elliptical encryption parameter is determined to be insecure if determined to be true. Elliptical cryptographic security evaluation device. 2. A means for executing a Tate pair algorithm on the input elliptical encryption parameter when it is determined that m = q−1, and when it is determined that k <[(log q) ^L ]. , Weil about the input elliptical cryptographic parameters
2. The elliptic encryption security evaluation device according to claim 1, further comprising: 1) means for executing a pair algorithm. 3. The order q of the finite field defining the elliptic curve, the characteristic p, the coefficients a and b of the elliptic curve, the order l of the public keys P, Q and P, and the GF (q) rational point of the elliptic curve To generate a point R where the Weil pair e _l (P, R) is not 1 when an elliptic cryptographic parameter consisting of the number m of , We calculate the Weil pair using the points R, P and Q
An elliptic cryptographic security evaluation device consisting of an il pair calculator. 4. The torsion point generator according to claim 1, wherein λ = 1 (mod
l) cutlet λ to satisfy the ^{2 -tλ + q = 0 (mod} l e-1), {0,1,2, ..., l e-1 -1} and λ generator for generating λ is the former, e Is the largest width exponent dividing l by m, t
= A q + 1-m, the elliptic curve GF (q ^k) and S selector randomly selecting a point S from rational points, and a divider for calculating the ^{m / l e, S '=} (m / l e) A first elliptic adder for calculating S, and a Frobenius (Fro) for calculating S ″ = (φ−λ) S ′
and a means for repeating the above selection of S until S ″ ≠ θ, a second elliptic adder that calculates T = 1S ″ with S ″ ≠ θ, and if T = θ Means for outputting R = S "; a third elliptic adder for calculating T '= IT if T θ; means for repeating the calculation of T' = IT as T = T 'until T' = θ 4. An elliptic cryptographic security evaluation device according to claim 3, further comprising means for outputting T = R if T '= θ. 5. An order q of a finite field defining the elliptic curve, a characteristic p, coefficients a and b of the elliptic curve, an order l of the public keys P, Q and P, and a GF (q) rational point of the elliptic curve , And an auxiliary security parameter L is input. It is determined whether or not 1 = p. If l = p, the input elliptical encryption parameter is determined to be insecure. It is determined whether or not m = q-1. If m = q-1, it is determined that the input elliptical encryption parameter is not secure. L = p and m = q-1 Otherwise, q ^k = 1 (m
od l) is obtained, the smallest natural number k that satisfies is obtained, [(log q) ^L ] is calculated, and [] is determined whether or not Gaussian symbol k <[(log q) ^L ]. An elliptical cryptographic parameter is determined to be secure if it is true, and if true, it is determined that the input elliptical cryptographic parameter is not secure. 6. If m = q−1, execute a Tate pair algorithm on the input elliptical encryption parameter, and if k <[(log q) ^L ], perform Weil on the input elliptical encryption parameter. The method according to claim 5, wherein a (Weil) pair algorithm is executed. 7. The elliptic cryptographic security evaluation method according to claim 5, wherein the value of the auxiliary security parameter L is changed and the security level is changed for evaluation. 8. The order q of the finite field defining the elliptic curve, the characteristic p, the coefficients a and b of the elliptic curve, the order l of the public keys P, Q and P, and the GF (q) rational point of the elliptic curve And the elliptic cryptographic parameter consisting of m is input, and given a l-equivalent point P on the elliptic curve, a torsion point that generates a point R where Weil versus e _l (P, R) is not 1 Generation process, We calculate the Weil pair using the points R, P and Q
An elliptic cryptographic security evaluation method having an il pair calculation process. 9. The process of generating torsion points according to claim 1, wherein λ = 1 (mod
to satisfy the l) cutlet ^{λ 2 -tλ + q = 0 (} mod l e-1), {0,1,2, ..., l e-1 -1} and generating a lambda which is the former, e is l Of the maximum width index divided by m, t = q
+ A 1-m, and S selection process to choose the random point S from GF (q ^k) rational point of the elliptic curve, a division process of calculating the ^{m / l e, S '=} (m / l e) S , And a Frobenius (Fro) that calculates S ″ = (φ−λ) S ′
(Benius) transformation process, φ is a Frobenius mapping, a process of repeating the above selection of S until S ″ ≠ θ, a second elliptic addition process of calculating T = 1S ″ with S ″ ≠ θ, and if T = θ A process of outputting R = S ″, a third elliptic addition process of calculating T ′ = IT if T ≠ θ, and a process of repeating the calculation of T ′ = IT as T = T ′ until T ′ = θ. 8. The method according to claim 7, further comprising the step of outputting T = R if T '= θ. 10. The order q of a finite field defining an elliptic curve,
Elliptic cryptographic parameters consisting of characteristic p, coefficients a and b of elliptic curve, order l of public keys P, Q, and P, number m of GF (q) rational points of elliptic curve, and auxiliary security Parameter L
A process of determining whether or not l = p; a process of determining that the input elliptical cryptographic parameter is not secure if it is determined that l = p; A process of determining whether or not there is any data; a process of determining that the input elliptical cryptographic parameter is not secure when it is determined that m = q−1; a determination that l = p and m = q−1 are not satisfied When done
minimum and process for obtaining a natural number k q ^k = 1 to (mod l) is established, whether it is [(log q) ^L] a process of calculating the [] is Gauss symbol ^{k <[(log q) L} ] When it is determined that k <[(logq) ^L ] is not satisfied, the input elliptical encryption parameter is determined to be secure, and k <
A recording medium storing a program for causing a computer to execute a process of determining that an input elliptical encryption parameter is not secure when it is determined to be [(log q) ^L ]. 11. A process for executing a Tate pair algorithm on an input elliptic encryption parameter when it is determined that m = q−1, and when it is determined that k <[(log q) ^L ]. , Weil about the input elliptical cryptographic parameters
11. The recording medium according to claim 10, wherein the program includes a program for causing the computer to execute 1) a process of executing an algorithm. 12. An order q of a finite field defining an elliptic curve,
A process of inputting an elliptic cryptographic parameter consisting of a characteristic p, coefficients a and b of an elliptic curve, an order l of public keys P, Q, and P, and the number m of GF (q) rational points of the elliptic curve; Given an equidistant point P, a torsion point generating process for generating a point R where Weil versus e _l (P, R) is not 1; and a Weil using the points R, P and Q We calculate pairs
A recording medium on which a program for causing a computer to execute il pair calculation processing is recorded. 13. The torsion point generation process according to claim 1, wherein λ = 1 (mo
d l) cutlet λ to satisfy the ^{2 -tλ + q = 0 (mod} l e-1), {0,1,2, ..., l e-1 -1} and λ generating process for generating a λ is the original, maximum width exponent e dividing the m of l, a t = q + 1-m, and S selection process to choose the point S at random from GF (q ^k) rational point of the elliptic curve, split to calculate the m / l ^e and calculation processing, S '= a first elliptic curve addition processing for calculating the ^{(m / l e) S,} S "= (φ-λ) S' Frobenius to calculate the (Fro
benius) transformation processing, φ is a Frobenius mapping, processing of repeating the selection of S until S ″ ≠ θ, second elliptic addition processing of calculating T = 1S with S ″ ≠ θ, and if T = θ A process of outputting as R = S ″, a third elliptic addition process of calculating T ′ = IT if T ≠ θ, and a process of repeating the calculation of T ′ = IT as T = T ′ until T ′ = θ 13. The recording medium according to claim 12, further comprising a process of outputting T = R if T '= θ.