JP2000298433A - Device and method for operating square on finite field - Google Patents

Abstract

PROBLEM TO BE SOLVED: To realize a speedy square operation on an extension field in hardware provided with a general use processor by executing the function of shifting an input bit string to a higher order, by 1 bit and executing the function of operating an exclusive OR of two input bits. SOLUTION: When a square operation is executed in a general use processor 10, each bit of a non-operated element A is divided into two of U, bounded by am/2, and they are further divided by every 8 bits and expressed respectively as U= U0, U1,...} and V= V0, V1,...}. Next, to U and V, operations of formulae: B0= T(U0)⊕(T(V0)<<1)}⊕C, B1= T(U1)⊕(T(V1)<<1)}⊕C,... in the general use processor 10. Here, << means a shift to one bit higher order. The 1 bit shift operation and the exclusive OR operation in the formulae are executed by a bit shift function 11 and an exclusive OR function 12 of the general use processor 10, respectively.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an apparatus and a method for squaring on a finite field required for encryption and decryption of information in elliptic curve cryptography, and more particularly, to a generator polynomial f =
The present invention relates to an apparatus and a method for performing an arbitrary square operation on a finite field GF (2 ^m ) having x ^m + x ^m-1 + ... + x + 1.

[0002]

2. Description of the Related Art Elliptic curve cryptography is expected as a next-generation public key cryptosystem in the information security field. Elliptic curve cryptography uses the difficulty of solving a discrete logarithm problem on an elliptic curve as a basis for security. As a definition field of the elliptic curve cryptosystem, a finite field GF (2 ^m ) is often used together with a finite field GF (p). In elliptic curve cryptography on a finite field GF (2 ^m ), speeding up a square operation on an extended field is extremely important to speed up encryption and decryption of information.

Each bit of an arbitrary element A on a finite field GF (2 ^m ) having a generator polynomial f = x ^m + x ^m−1 +... ₀ , a ₁ , ..., a _m-1 and each bit of B are b0, b1, ..., b
_{Assuming m-1} , the square operation B = A ² is as follows. here

[Outside 1] Represents exclusive OR.

[0004]

(Equation 1)

FIG. 2 shows a squaring operation circuit that realizes this operation. As can be seen, the lower m / 2 bits and the upper m / 2 of the original A
Bits are subjected to bit transposition operation and alternately arranged, intermediate a
_By exclusive ORing the value of _{m / 2} to all bits,
The bits b0, b1,..., B _m-2 , b _m-1 of the square operation of the element A are obtained.

[0006]

However, a general-purpose processor does not support an instruction for performing a bit transposition operation necessary for realizing the above circuit. Therefore, it is necessary to prepare dedicated hardware separately, and there is a problem that an inexpensive system cannot be configured.

Accordingly, it is an object of the present invention to realize high-speed squaring operation on the above-mentioned expansion field in hardware having a general-purpose processor.

[0008]

To achieve the above object, the present invention provides an arbitrary finite field GF (2 ^m ) having a generator polynomial f = x ^m + x ^m-1 + ... + x + 1. In the device that performs the square operation of
For an input of _m- bit element W = {w ₀ , w ₁ , w ₂ , ..., w _m-2 , w _m-1 }, T (W) = {w ₀ , 0, w ₁ , 0 , w ₂ , 0, ..., w _m− 2,0, w _m−1 , 0}, and the upper bit T of the above T (W)
(V) = {w _{m / 2} , 0, w _{m / 2 + 1} , 0, ..., w _m-2 , 0, w _m-1 , 0} , T (V) '= {0, w _{m / 2} , 0,
w _{m / 2 + 1} , 0, ..., w _m-2 , 0, w _m-1 }, and a lower bit T (U) = {w _{0,0 of} the above T (W) , w ₁ , 0, ... w _{m / 2-1} ,
0} and the result of exclusive OR operation of each bit of T (V) ′ and C / 2 of m / 2 bits (where w _{m / 2} = 1, C = {1,1,
1, ...., 1,1}, wm _{/ 2} = 0, exclusive OR operation on each bit of C = {0,0,0, ..., 0,0}) to, and provided with an exclusive OR means for obtaining the bits of square operation W ² of the original W.

The present invention also provides a generator polynomial f = x ^m + x ^m-1 + ... +
In a device that performs a square operation of an arbitrary element on a finite field GF (2 ^m ) having x + 1, an m-bit element W = (w ₀ , w ₁ , w ₂ , ..., w _m-2 , w
the input of the _m-1}, T as the lower bits _{(U) = {w 0,} 0, w 1,
T (V) ′ = {0, w _{m / 2} , 0, ... w _{m / 2-1} , 0}
0, w _{m / 2 + 1} , 0, ..., w _m-2 , 0, w _m-1 }, the memory of the above T (U) and the above T (V) ′ The result of exclusive OR operation of each bit and C of m / 2 bits (where w _{m / 2} = 1, C = {1,1,1, ..., 1,1}, When w _{m / 2} = 0, C = {0,
0, 0, ...., 0, 0})
And a XOR means for obtaining the bits of square operation W ² and W may be constructed.

The present invention also provides a generator polynomial f = x ^m + x ^m-1 + ... +
In a method of performing a square operation of an arbitrary element on a finite field GF (2 ^m ) having x + 1, an m-bit element W = (w ₀ , w ₁ , w ₂ , ..., w _m-2 , w
_m-1 } input, T (W) = {w ₀ , 0, w ₁ , 0, w ₂ , 0, ..., w _m-2 , 0,
w _m−1 , 0} and the upper bit T (V) = T (W)
T (V) 'in which each bit of {w _{m / 2} , 0, w _{m / 2 + 1} , 0, ..., w _m-2 , 0, w _m-1 , 0} is shifted by one bit to the higher order = {0, w _{m / 2} , 0, w _{m / 2 + 1} ,
0, ..., w _m-2 , 0, w _m-1 }, and the lower bits T (U) = {w ₀ , 0, w ₁ , 0, ... w _{m / 2-1} , 0} and the result of exclusive OR operation of each bit of T (V) ′, and m / 2-bit C (where w _{m / 2} = 1, C = When {1,1,1, ...., 1,1}, w _{m / 2} = 0, each bit of C = {0,0,0, ...., 0,0}) and calculates the exclusive OR constituted by a procedure for obtaining the bits of square operation W ² of the original W.

Further, the present invention provides a generator polynomial f = x ^m + x ^m-1 + ... +
In a method of performing a square operation of an arbitrary element on a finite field GF (2 ^m ) having x + 1, an m-bit element W = (w ₀ , w ₁ , w ₂ , ..., w _m-2 , w
the input of the _m-1}, T as the lower bits _{(U) = {w 0,} 0, w 1,
T (V) ′ = {0, w _{m / 2} , 0, ... w _{m / 2-1} , 0}
0, w _{m / 2 + 1} , 0, ..., w _m-2 , 0, w _m-1 }
(U) and the result of exclusive OR operation of each bit of T (V) ′ and m / 2-bit C (where w _{m / 2} = 1, C = {1,1,
1, ...., 1,1}, wm _{/ 2} = 0, exclusive OR operation on each bit of C = {0,0,0, ..., 0,0}) and it may be configured and a procedure for obtaining the bits of square operation W ² of the original W.

[0012]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail based on one embodiment shown in the drawings. FIG. 1 is a block diagram for realizing a square arithmetic device on a finite field according to an embodiment of the present invention. The square operation on the finite field according to the present invention is realized in a general-purpose system including a general-purpose processor 10 and a ROM (Read Only Memory) 13. Regarding the square operation according to the present invention, the general-purpose processor 10 performs an operation function of shifting an input bit string by one bit to an upper bit (hereinafter referred to as a bit shift function 11) and a function of operating an exclusive OR of two input bits (hereinafter, referred to as a bit shift function). Exclusive OR function 12)
Execute

The ROM 13 has an input address of 8 bits,
The output has a 16-bit width, and stores a 16-bit value in which each of the input 8 bits is rearranged by leaving one bit at a time, and 0 is disposed therebetween. That is, for the input of W = {w ₀ , w ₁ , w ₂ , w ₃ , w ₄ , w ₅ , w ₆ , w ₇ }, the output becomes T (W) = {w ₀ , 0, w ₁ , 0, w ₂ , 0, w ₃ , 0, w ₄ , 0, w ₅ , 0, w ₆ , 0, w ₇ , 0} in advance in the ROM 13. For example, input data W is stored in ROM
And the corresponding T (W) can be stored. In this case, 2 ^m output T (W)
In order to obtain the address, 2 ^m addresses are secured on the ROM.

In the general-purpose processor 10, when performing the squaring operation, each bit of the element A before the operation is divided into U and V with the boundary of am _{/ 2} , and further divided into 8 bits. Let U = {U ₀ , U ₁ , ...} and V = {V ₀ , V ₁ , ...} respectively. U ₀ = {a ₀ , a ₁ , a ₂ , a ₃ , a ₄ , a ₅ , a ₆ , a ₇ }, U ₁ = {a ₈ , a ₉ , a ₁₀ , a ₁₁ , a ₁₂ , a ₁₃ , a ₁₄ , a ₁₅ }, ... V ₀ = {a _{m / 2 + 1} , a _{m / 2 + 2} , ..., a _{m / 2 + 7} , a _{m / 2 + 8} }, V ₁ = {a _{m / 2 + 9} , a _{m / 2 + 10} , ..., a _{m / 2 + 15} , a _{m / 2 + 16} }, ...

Next, the following operation is performed on the U and V in the general-purpose processor 10.

[0016]

(Equation 2)

Here, << represents a one-bit shift to the upper side. The one-bit shift operation and the exclusive OR operation in the above equation are executed by the bit shift function 11 and the exclusive OR function 12 of the general-purpose processor 10, respectively.

Here, C is 1 corresponding to the value of am _{/ 2.}
It is a 6-bit value. That is, when a _{m / 2} = 1, C = {1,1,1, ..., 1,1}, and when a _{m / 2} = 0, C = {0,0,0 ,. ..0,0}. By the way, the exclusive OR operation of each bit and C only needs to invert all bits when C is the former, and there is no need to perform any processing when C is the latter.
This arithmetic processing can be executed at a very high speed.

Each of B ₀ , B _1, ... Obtained by the above calculation has a 16-bit width. By concatenating these as B = {B ₀ , B ₁ ,...}, B as a result of the square operation of the element A is obtained.

The embodiment of the present invention has been described with reference to the drawings. However, it is apparent that the present invention is not limited to the matters described in the above embodiments, and that changes, improvements, and the like can be made based on the description in the claims. In the above embodiment, an RO of 8 bits input and 16 bits output is used.
Although the present invention has been described using M as an example, a ROM having another bit width such as 4-bit input and 8-bit output may be used. The means for storing the conversion table is not limited to the ROM, and other storage means may be used.

Further, in the above embodiment, the upper bit T (V) of T (W) is shifted by one bit to the upper
Although an example of performing an exclusive OR operation with T (U) has been described, the ROM 13
The conversion table can be configured so that the output from the conversion table has a result in consideration of the shift of the upper bits in advance.

[0022]

As described above, according to the present invention, when performing a square operation on a finite field, a general-purpose processor is mounted simply by referring to the table on the ROM without adding any special circuit externally. In such a device, efficient operation can be performed.

[Brief description of the drawings]

FIG. 1 is a block diagram for realizing a square arithmetic device on a finite field according to an embodiment of the present invention.

FIG. 2 is a block diagram of a square operation circuit configured based on a conventional operation procedure.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 10 General-purpose processor 11 Bit shift function 12 Exclusive OR function 13 ROM

Claims (4)

[Claims] 1. An apparatus for performing an arbitrary square operation on a finite field GF (2 ^m ) having a generator polynomial f = x ^m + x ^m-1 + ... + x + 1, comprising: For input of W = {w ₀ , w ₁ , w ₂ , ..., w _m-2 , w _m-1 }, T (W) = {w ₀ , 0, w ₁ , 0, w ₂ , 0, ..., w _m-2 , 0, w _m-1 , 0}, and the upper bit T (V) = {w _{m /} 2,0 , w _{m / 2 + 1} , 0, ...,
each bit of _{w m-2, 0, w} m-1, 0} shifted by 1 bit to the upper, T (V) '= { 0, w m / 2, 0, w m / 2 + 1, 0 , ..., w _m-2 , 0, w _m-1 }, and a lower bit T (U) = {w ₀ , 0, w ₁ , 0, .. of the above T (W). .w _{m / 2-1} , 0} and the result of exclusive OR operation of each bit of T (V) ′ and m
/ 2 bits C (where w _{m / 2} = 1, C = {1,1,1, ..., 1,
1}, w _{m / 2} = 0, each bit of C = {0,0,0, ..., 0,0}) is XORed and the square operation W of the element W ^2. A square operation device on a finite field, comprising: exclusive OR means for obtaining each bit of ² . 2. An apparatus for performing an arbitrary square operation on a finite field GF (2 ^m ) having a generator polynomial f = x ^m + x ^m-1 + ... + x + 1, comprising: For the input of W = {w ₀ , w ₁ , w ₂ , ..., w _m-2 , w _m-1 }, T (U) = {w ₀ , 0, w ₁ , 0, ... w _{m / 2-1} , 0}
As the upper bits, T (V) '= {0, w _{m / 2} , 0, w _{m / 2 + 1} ,
0, ..., w _m-2 , 0, w _m-1 } and the exclusive OR of each bit of T (U) and T (V) ′ The result and C of m / 2 bits (where w _{m / 2} = 1, C = {1,
1,1, ...., 1,1}, when w _{m / 2} = 0, C = {0,0,0, ...., 0,0})
Each bit by exclusive OR operation of the original W square operation W ²
Exclusive-OR means for obtaining each of the following bits: 3. A method for performing an arbitrary square operation on a finite field GF (2 ^m ) having a generator polynomial f = x ^m + x ^m−1 + ... + x + 1, comprising: For input of W = {w ₀ , w ₁ , w ₂ , ..., w _m-2 , w _m-1 }, T (W) = {w ₀ , 0, w ₁ , 0, w ₂ , 0, ..., w _m-2 , 0, w _m-1 , 0}, and the upper bit T (V) of T (W) = {w _{m / 2} , 0, w _{m / 2 + 1} , 0, ...,
w _m-2 , 0, w _m-1 , 0} is shifted one bit to the upper
T (V) ′ = {0, w _{m / 2} , 0, w _{m / 2 + 1} , 0, ..., w _m− 2,0, w _m−1 }, and T (W ) Of the lower bits T (U) = {w ₀ , 0, w ₁ , 0, ... w _{m / 2-1} , 0} and the above bits of T (V) ′ are exclusive ORed And m
/ 2 bits C (where w _{m / 2} = 1, C = {1,1,1, ..., 1,
1}, w _{m / 2} = 0, each bit of C = {0,0,0, ..., 0,0}) is XORed and the square operation W of the element W ^2. A method of calculating a square on a finite field, comprising: obtaining each bit of ² . 4. A method for performing an arbitrary square operation on a finite field GF (2 ^m ) having a generator polynomial f = x ^m + x ^m-1 + ... + x + 1, comprising: For the input of W = {w ₀ , w ₁ , w ₂ , ..., w _m-2 , w _m-1 }, T (U) = {w ₀ , 0, w ₁ , 0, ... w _{m / 2-1} , 0}
As the upper bits, T (V) '= {0, w _{m / 2} , 0, w _{m / 2 + 1} ,
0, ..., w _m-2 , 0, w _m-1 }, the result of exclusive OR operation of each bit of T (U) and T (V) ′, and m / 2 bit C (where w _{m / 2} = 1, C = {1,
1,1, ...., 1,1}, when w _{m / 2} = 0, C = {0,0,0, ...., 0,0})
Each bit by exclusive OR operation of the original W square operation W ²
And a procedure for obtaining each bit of the square.