JP2002040938A - Cyclic window adding device, method therefor and recording medium with program thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce elliptic addition and subtraction in multiplying an element P on a Z module M by k (is element of Z). SOLUTION: This cyclic window adding device obtains Ci,j} satisfying k=Σi0m'-1Σj0n'-1Ci,jDjϕi (Ci,j is element of -1, 0, 1}); calculates Qb=(Vb.Φb) (P) to two or more b; (Φb=Φ0, Φ1, ...ΦB+1), vi= (Vb,0'Vb,1' ..., Vb,B+1, B=[log3b] (omission of decimal fractions), log30=-1, Vb,h=1 at h≠0, Vb,h=[b/3h-1]mod3, mod is set to 0, 1, and -1, vb.Φb=Σh0B+1Vb,hΦh), R←0, j←n'-1 initializing, and while ±1 are contained in Ci,j}i-0m'-1, the device seeks b, e, and i satisfying Ci+h,j=(-1)eVb,h to all h(0<=h<=B+1) of Vb,h≠0 about each vb; performs Ci+h,j←Cb+h,j-(-1)evb,hm R←R+(-1)e ϕi(Qb); if j>=0,j←j-1 is carried out; coincidence with the preceding vb is repeatedly sought by setting R←DR; and the device outputs R=kP at j=0.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention is applied to, for example, elliptic cryptography used in information security technology, and applies to a cyclic window adding apparatus for multiplying an element P on a Z-module M by a scalar k (∈Z), a method thereof, and a method thereof. The present invention relates to a program recording medium.

[0002]

2. Description of the Related Art In recent years, with the development of the Internet and the like, various types of information have been exchanged using a public line. Since the public line can be used by anyone, the relay information can be easily eavesdropped or falsified. Information security (security) technology is effective in combating malicious behavior such as eavesdropping. Conventionally, modular exponentiation has often been used to implement information security technology.In recent years, however, the number of elliptic curves on a finite field has been reduced due to the fact that the amount of information that must be kept secret, called the key, can be reduced, and the speed is high. Attention has been paid to the method used, that is, elliptical encryption.

An elliptic curve used for encryption is an elliptic curve E / GF defined on a finite field GF (q) called a definition field.
The group E (GF (q (q)) of (q) consisting of GF (q ^m ) rational points
^m )) is mostly used. Most of the elliptic cryptosystems regard the group E (GF (q ^m )) as a Z-module and perform a scalar multiplication operation on the Z-module, that is, a point P∈E on the elliptic curve.
(GF (q ^m )) and obtaining kP for the scalar k∈Z are realized by frequently using. Therefore, many studies have been conducted to realize scalar multiplication at high speed.

[0004] As a method of realizing scalar multiplication at high speed by software, a document "Neal Koblitz:" CM-CURVES WITH G
OOD CRYPTOGRAPHIC PROPERTIES, ”Advances in Cryptol
ogy-CRYPTO'91, Lecture Notes in Computer Science 5
76, pp. 279-287, Springer-Verlag, 1992 ”(hereinafter abbreviated as“ Reference C ”) is effective. φ
Adic expansion method, endomorphism called the Frobenius mapping on an elliptic curve E / GF (q) φ: E (GF (q m)) → E (GF (q m)) ∀P, Q∈E (GF (Q ^m )) [φ (P + Q) = φ
(P) + φ (Q)] (where ∀x F (x) means F (x) for all x). The scalar multiplication is speeded up by using the elliptic φ multiplication faster than the ellipse doubling instead of the doubling.

[0005] In the method of Reference C, GF (2) was used as a usable definition field, but the reference "Volker Mueller:" F
ast Multiplication on Elliptic Curves over Small F
ields of Characteristic Two, ”pp.219-234, Journal
of Cryptologoy, no.4, vol.11, Springer, 1998 ''
= 2 ^e (e is small), and the document "Tetsutarou
Kobayashi, et al .: “Fast Elliptic Curve Algorithm
Combining FrobeniusMap and Table Reference to Ada
pt to Higher Characteristic, ”Advances inCryptolog
y-EUROCRYPT '99, Lecture Notes in Computer Science
1592, pp. 176-189, Springer-Verlag, 1999 ”(hereinafter abbreviated as“ Reference E ”), and q is extended to a general case.

[0006] The outline of the φ-advancing method is as follows. Step 1: k is expanded in φ. ^{_{That, k = Σ i = 0 m'}} -1 Σ j = 0 n'-1 c i, j 2 j φ i (c i, j ∈ {-1,0,1}) satisfying the (1) {c _{i, j} ｝. Step 2: Using equation (1), ^kP = (Σ _{i = 0} ^{m′− 1Σ} _{j = 0} ^n′−1 ci _{, j} 2 ^j φ ⁱ ) (P) = Σ _{i = 0} ^m′−1Σ _{j = 0} ^n′-1 ci _{, j} 2 ^j φ ⁱ (P) (2) is obtained.

Equation (1) is an equal sign as an automorphism on E (GF (q ^m )) in the sense of “k-times operation”. Further, m ′ ≧ 2 and n ′ ≧ 1. In the present invention, since only φ-base expansion is handled, the case of m ′ = 1 not being φ-base expansion is not handled. For the specific calculation of Step 2, there are various optimization methods depending on the structure of {ci _{, j} }. The method of Document E is as follows. Since the expression (2) is a finite sum, the result does not change even if the order of Σ is changed. Therefore, ^{_{kP = Σ j = 0 n'-}} 1 2 j Σ i = 0 m'-1 c i, j φ i (P). The following processing is derived from this equation.

Step 1: Initialized to R ← Ο, j ← n′−1. Step2: i = 0,1, ..., with respect to m'-1, R ← R + φ i (P) c i, if the j = 1 R ← R-φ i (P) c i, for j = -1 Case Nothing. Case where c _{i, j} = 0.

Step 3: If j = 0, output R (= kP) and end. If j> 0, R ← 2R, j ← j−1, and the process returns to Step 2. Where Ο is E (GF
(Q ^m )). The method of this document E is the formula (1), uniformly random k to c _{i, j} ≠ 0 become c _i, the average of _j are found to be about 1/3 of the total Therefore, the average calculation amount in this case is as follows.

Ellipse addition / subtraction m'n '/ 3 times Ellipse doubling n'-1 times Since φ ⁱ times can be calculated at high speed, it is not included in the above calculation amount.

[0011]

SUMMARY OF THE INVENTION
At p2, the same addition, for example, R ← R + (φ ¹ (P) + φ ² (P)) may be performed a plurality of times for different j. In order to prevent the same redundant addition, φ ¹ (P) +
Calculate and record φ ² (P), φ ¹ (P) + φ
^{When 2} (P) is needed, the recorded value is read out and added to R, so that redundant addition can be prevented.

Generally, before Step 2, all possible additions are performed in order to avoid redundant addition.

[0013]

(Equation 1)

It is conceivable that the calculation is performed in advance, but this calculation itself takes a long time, and as a result, the whole calculation becomes slow. SUMMARY OF THE INVENTION It is an object of the present invention to provide a cyclic window adding apparatus, a method thereof, and a program recording medium capable of efficiently reducing redundant additions when calculating P times k using the φ-adic expansion method. .

[0015]

[Means for Solving the Problems]

[0016]

(Equation 2)

[0017]

Embodiments of the present invention will be described below. First Embodiment [General] FIG. 1 shows an embodiment of a scalar multiplication device 10 which is a cyclic window addition device according to the present invention. This device 10 has φ times and d
An element P on a Z module M having a multiplication operation and a scalar k∈Z are input, and a scalar multiplication kP is output. Addition / subtraction unit 1 that receives two values, eg, P and Q, and outputs P + Q or P−Q
1, d multiplication unit 12, i and P are inputted phi ⁱ (P) and outputs the phi ⁱ multiplication unit 13 which P is input and outputs the d multiplication value dP, storage unit 14, k is input The φ-advancing unit 15 that outputs {c _{i, j} } is connected to the control unit 16, and the control unit 16 stores k and P input to the device 10 in the storage unit 14.
, And necessary data is taken out from the storage unit 14 and input to each unit to perform desired processing. The result (output) is stored in the storage unit, and each unit is controlled to obtain a kP value. Output.

Each part in FIG. 1 is set in accordance with M. The scalar multiplication device 10 is functionally represented as shown in FIG. That d multiplication unit 12, a storage unit 14, phi-adic expansion section 15, but includes as well a control unit 16, Q _b calculation unit 21, the search unit 22, c _{i, j} updating unit 23, R
An update unit 24 is provided. In the present invention, the Q _b is calculated by Q _b calculation unit 21, by using this Q _b, which simplifies operation. Therefore, first, what kind of _Qb is shown below.

Assuming that Log ₃₀ = −1, the following vector is defined. Φ _b = ｛φ ^h ｝ _{h = 0} ^{B + 1} = (φ ⁰ , φ ¹ , ..., φ ^{B + 1} ) v _b = ｛v _{b, h} ｝ _{h = 0} ^{B + 1} = (v _{b, 0} , v _{b, 1} , ..., v
_{b, B + 1} ) where B = [log ₃ b], that is, B is a value obtained by truncating a fraction of log ₃ b. When h = 0, v _{b, h} = 1 When h ≠ 0, let v _{b, h} = [b / (3 ^h−1 )] mod3. Here, the remainder mod takes 0, 1, and -1. That is, -1 was used instead of 2.

[0020] In addition, the v _b and Φ _b formal inner product v _b · _{Φ b} of the definition as follows. v _b · Φ _b = Σ _{h = 0} ^{B + 1} v _{b, h} φ ^h Furthermore, Q _b = (v _b · Φ _b ) (P) w _H (v _b ) = Σ _{h = 0} ^{B + 1} | v _{b, h} |

The scalar multiplication device shown in FIGS.
It works as follows. FIG. 3 shows the flow of this operation. Step 1: When the element P and the scalar k on the Z module M are input, they are stored in the storage unit 14. Step2: phi adic expansion unit 15 inputs the ^{_{k k = Σ i = 0 m'}} -1 Σ j = 0 n'-1 c i, j d j φ i (c i, j ∈ {-
{C _{i, j} } that satisfies (1,0,1)) is obtained and output, and {c _{i, j} } is stored in the storage unit 14.

Step 3: For some b, add or subtract
Arithmetic unit 11, φⁱQ using the multiplication unit 13_b In the calculation unit 21
Each Q_b And calculate these Q_b And used to calculate
V _b Is stored in the storage unit 14. However, Q₀Is always ready
I do. This Q₀Is Q_bEqual to P from the definition of Step 4: Initialize to R ← Ο, j ← n′−1, and store
14 is stored. Step5: $ c_{i, j}｝_{i = 0} ^m'-1(= (C_{0, j} , C_{1, j},
…, C_{m'-1, j}While)) contains ± 1, repeat the following.
return.

Step 5-1: First, {ci _{, j} } _{i = 0} ^m'-1
Check if ± 1 is included in
The process proceeds to p5-2, and if not included, the process proceeds to Step6. Step 5-2: v _{b, h}に つ い て for each v _{b in the} descending order of w _H (v _b ) with respect to Q _b stored in the storage unit 14
For all h of 0 (0 ≦ h ≦ B + 1), c i + h, j = (- 1) e v b, a _h b, e, looking for i. e is 0 or 1.

That is, since j = n′−1,
Number c_{i, j}Are m ′ × n ′ as shown in FIG.
The vector ｛c of j = n'-1_{i, n'-1}｝_{i = 0} ^m'-1= (C
_{0, n ' -1}, C_{1, n'-1}, C_{2, n'-1}, ..., c_{m'-1, n'-1})
From the storage unit 14, and w_H(V_bLarge)
V, in the order of the number of 1 and_bTake out,
v_{b, 0}, V_{b, 1}, v_{b, 2}, ..., v_{b, B-1}1 or -1
Something other than 0 (e = 0) or its sign inverted
(E = 1), while maintaining its array position,
｛C_{i, n'-1}｝_{i = 0} ^m'-1Identical in the sequence of
Or i is incremented by 1 from the array starting from i = 0.
The array is searched for, and if present, the value of i at that time and e
And the value of v_bIs output. For example, c_{i, n'-1}Is FIG. 5A
And v _bIs v as shown in FIG. 5B.₁₂=
If (1,0,0, -1), this v₁₂The beginning of
c_{i, n'-1}According to i = 0 (FIG. 5B), v_{b, h}$ 0 is all
To see if they match, and since they do not match,
C as shown_{i, n'-1}V for i = 1_bCompare with the beginning of
However, since they do not match, as shown in FIG._{i, n'-1}
To i = 2_bAt the beginning of Then v_bV in
_{b, 0}= 1 and v_{b, 3}= -1 and ｛c_{i, n'-1} Ｃ inside c_{2, n'-1}
= 1, c_{5, n'-1}= -1. This
And that coincidence was found at b, e = 0 and i = 2.
Become.

The value of i is sequentially determined as to whether or not they match as described above.
Do it with a stagger. If no match exists, Ste
Return to p5-2 and then w_H(V_bLarge v)_babout
Similarly, look for a match. This search for b, e, i
This is performed by the search unit 22 in FIG. Note that v_bTake out w
_H(V_b) Does not have to be performed in descending order.
_H(V _b) Is often more efficient
No. Step5-3: b, e, and i are found in Step5-2
・ C_{i + h, j}← c_{i + h, j}-(-1)^ev_{b, h} 0 ≦ h ≦
[Log_Threeb] +1 for all h For example, v as shown in FIG. 5B_b= (1,0,0,-
For 1), Δc for some j as shown in FIG. 5A
_{i, j}｝_{i = 0} ^m'-1I = 2, e = 0 and v_bV_{b, h}Essential for $ 0
If the primes match,_{i, j}｝_{i = 0} ^m'-1Match from
V_{b, h}Subtract ≠ 0 and set it to 0 as shown in Figure 5E
Sea urchin c_{i, j}｝_{i = 0} ^m-1To update. This update is shown in FIG.
Of c_{i, j}This is performed by the update unit 23.・ R ← R + (-1)^eφⁱ(Q_b) Is φⁱUsing the multiplication unit 13 and the addition / subtraction unit 11,
2 and updates the R in the storage unit 14 by calculating in the R updating unit 24 in
I do. In the example shown in FIG. 5, i = 2 and v_bAnd match
Q_bTo φ^TwoStorage unit 1
4 may be added to R. Step5-3 ends
And returns to Step 5-1 to perform the same operation. Taken out
j = n'-1 coefficient sequence ｛c_{i, j}｝_{i = 0} ^m'-1Without ± 1
If so, Σ_{i = 0} ^m'-1c_{i, j}φⁱ(P)
The calculations have been made.

Step 6-1: Check whether j = 0. Step 6-2: If j = 0, output R (= kP) and end. Step 6-3: If j> 0, use the d-times operation unit 12 to
Is multiplied by d and updated to R ← dR, and j is also decremented by 1, ie, updated to j ← j−1, and the process returns to Step 5. That is, j =
The processing of Step 5 is performed for n′−2, and when this is completed, (Σ _{i = 0} ^m′−1 ci _{, n′−1} d ^n′−1 φ ⁱ (P))
+ (Σ _{i = 0} ^m′−1 c _{i, n′−2} d ^n′−2 φ ⁱ (P)) is obtained and ^kP ₌ ^{こ と} _{j = 0} ^n′−1 Σ _{i = 0} ^m'-1
c _{i, j} d ⁱ φ ⁱ (P) is obtained.

The more also if use more way previously determined Q _b many times, it requires less calculation amount than the method of the literature E. Regarding Step 5-2, b, e, and i may be searched in any manner within the range of the condition written in this Step, but more specifically, for example, the following search may be performed (see FIG. 6). ). For v _b of Q _b stored in the storage unit 14, a set arranged in descending order of w _H (v _b ) is set as {b ₁ , b ₂ ,..., B _s }.

S-1. Initialize to r ← 0. S-2. Initialize to i ← 0. S-3. Initialize to e ← 0. S-4. vb _r, all h which becomes _{h ≠ 0 (0 ≦ h ≦} [log 3
b _r] for _{+1), c i + h,} j = (- 1) e v br, at that time if the _h b =
Output b _r , i, e and end.

S-5. If no match is obtained in S-4, e
← e + 1, and if e <2, the process returns to S-4. S-6. If e <2 in S-5, i ← i + 1, i
If <m ', the process returns to S-3. S-7. Unless i <m 'in S-6, r ← r + 1 is set,
If r ≦ s, the process returns to S-2. Second embodiment [small window size] As some b in Step 3 of the first embodiment, small windows are selected in ascending order.

In this embodiment, when m 'is finite and non-zero c _{i, j} is small, those with large b are set to Ste.
Since the probability of a match at p5-2 is low, it is effective to select b in ascending order, for example, 1, 2, 3,. Furthermore, when calculating Q _b for each b, 'because it is [(-v _b = 1, that is v _b' ∃b to 'Q _b which have already been calculated _{<b w H v b)]} ' and Since there always exists a Hamming weight whose difference from v _b is 1, the Q _{b ′} is (−1) ^e φ ⁱ
(P) can be calculated Q _b by adding. Thus the calculation volume can be decreased for Q _b.

As shown in calculation procedure example 7 of this Q _b, arranged firstly b in ascending order (S1), then select one b from the smaller to the side-by-side order (S2), and the selected and b v _b, already the ascertained whether the 1 Hamming weight of the vector difference of _{'v b'} of the calculated Q _b (S3), if the Hamming weight is one, already for the v _{b '} calculated on Q _{b 'by} adding the ^{(-1) e φ i (P} ) obtaining the Q _b (S4). After the calculation of Q _b, examine whether it has selected all of b, also if b is not selected the process returns to step S2, all selected, and ends if called for all Q _b (S5).

In general, Q_bWhen asking for
Q that is_{b '}For (-1)^eφⁱTo add (P)
The calculation amount can be further reduced. For example, step S3 in FIG.
Then Q_{b ',}e, i [Q_b= Q_{b '}+ (-1)^eφⁱ(P)]
Q that satisfies (b '<b)_{b '}Check if there is_{b '}if there are
Q_b= Q_{b '}+ (-1)^eφⁱQ by (P)_bAsk for.
For example, Q₁= P + φP and Q₇ = P + φP-φ^TwoP
But Q₇Calculation of Q ₇ = Q₁+ (-1)¹φ^TwoP's
Obtained by calculation.Third embodiment [w _H (b) + small window size] As some b in Step 3 of the first embodiment, w_H
(V_b) + Log_Two(B) in ascending order. In this case the log
The value is not limited to 2, but may be 3, 5 or the like._bof
Hamming weight and v_bWeighted and added to the number of elements of
B may be selected in ascending order. That is, v_bNumber of elements of [lo
g_Three b] +1 even if its element v_{b, h}Many of them are 0
Q if included_bAnd use this to get kP
Does not contribute significantly to reducing the amount of computation. At that point w
_H(V_b) Is large and log_TwoIt is better that (b) is smaller. This
W_H(V_b) + Log_TwoFIG. 7 is arranged in ascending order of (b).
Q by the same procedure as shown in_bCan be requested.Fourth embodiment [φ ^m = 1 (elliptic curve)] Depending on the Z modules M and P (∈M) to be calculated, φ
^m(P) = P may be satisfied. In this case, m '=
m. Generally, for b ≠ b ′, ∀i ≠ 0 [Q_b≠ φⁱ(Q_{b '})]. That is, for all i ≠ 0, Q_b= Φⁱ(Q_{b '})
There is nothing to be. But φ^mWhen (P) = P, ∃i ≠ 0 [Q_b= Φⁱ(Q_{b '})]. That is, Q_b= Φⁱ(Q_{b '}I)
Exist.

Therefore, in Step 3 of the first embodiment, Q
when determining the _b, Q _b = _φ ⁱ _'becomes, Q _b and Q _b (Q _b)' For, since it is sufficient to calculate the either one thereof is calculated by one. However,
The first subscript i of c _{i, j} used in Step 5 is mod
Consider m '. Q _b where, in order to dispense with one of the calculation of Q b _'is the following calculations for each v _b. v _b =
For (v ₀ , v ₁ ,..., V _{B + 1} ), φ (v _b ) is (v _{B + 1} , v ₀ , v ₁ ,..., V _B ) = v _{b ′} . Therefore v
^{_{b '= φ i (v b}} ) become related v _b and v _b' examined in advance,
For those having this relationship, _Qb or Qb _' may be calculated. Such a relation v _{b ′} = φ ⁱ (v _b ) = φ ^{i ′} (v
_{b ''} ), two or more v _b may be in a relation of φ ⁱ times, and one of a plurality of v _b in these relations
One of may be obtained a Q _b for b. Note Compared to calculate Q _b, the ^{_{v b '= φ i (v}} b) related whether the examined calculation of the extremely simple and can be performed at high speed. Fifth Embodiment [non-signed (Elliptic Curve)] In the first embodiment, no limitation is imposed on the sign of c _{i, j} . However, depending on the Z module, in Step 2, for each j, ∀ i [ci _{, j} ≧ 0] In other words, for one j, ci _{, j} is 1 or 0, or ま た は i [ci _{, j} ≦ 0] That is, for that i, ci _{, j} is −1 or 0. Can be said for all j. That is, for each j, c _{i, j} can have the same sign. In this case, it is sufficient to select ∀h [v _{b, h} ≧ 0] as Q _b (= v _b · Φ _b ) in Step 3, that is, v _{b, h} consisting only of 1 or 0.

That is, v _b including v _{b , h} = −1 is not used. By doing so, the amount of calculation can be significantly reduced as compared with the case where c _{i, j} can take any of −1, 0, and 1. Sixth Embodiment [m is Small] In a case where both the fourth and fifth embodiments can be applied, that is, φ ^m (P) = P, and for each j, c _{i, j} has the same sign. In some cases, w _H (｛c _{i, j} ｝ _{i = 0} ^m-1 ) = w _H ((c _{0, j} , c _{1, j} ,
.., Cm _{-1, j} )) ≦ m / 2 and {ci _{, j} }, that is, for each j _, the number of 0s in {ci _{, j} } is more than half, and m is For example, 32 or less,
When d = 1, when m is as small as 256 or less,
In Step3 of the first embodiment, it is advantageous idea to calculate all Q _b which may be as follows. For example, at many points P on the elliptic curve, (1 + φ +... + Φ ^m−1 ) (P) = 0 is satisfied, so that w _H (｛ci _{, j} ｝ _{i = 0} ^m−1 ) = w _H (( c
_{0, j} , c _{1, j} ,..., Cm _{-1, j} )) ≦ m / 2, thereby increasing the effectiveness of the present invention.

When m = 2,3 Q ₀ = P When m = 4,5 Q ₀ = P Q ₁ = (1 + φ) (P) Q ₃ = (1 + φ ² ) (P) When m = 6,7 when _{Q 0 = P Q 1 = (} 1 + φ) P Q 3 = (1 + φ 2) (P) Q 4 = (1 + φ + φ 2) (P) Q 9 = (1 + φ 3) (P) Q 10 = (1 + φ + φ 3) ( P) Q ₂₈ = (1 + φ + φ ⁴ ) (P) Q ₃₀ = (1 + φ ² + φ ⁴ ) (P) One or more of the above Qs may be multiplied by φ. Seventh Embodiment [Adaptive] In Step 3 of the first embodiment, as to which b is to be calculated for Q _b , c determined by Step 2
_i, is calculated for Q _b utilized more than once Step5 examined _j. Eighth Embodiment [Fixed P] In the first embodiment, when P inputted in advance is known, St
ep3 without running, keep precomputed for Q _b as much as prestored device allows.

In the above embodiment, the group E (GF) formed by the GF (q ^m ) rational points of the elliptic curve defined on the subfield GF (q)
(Q ^m )) / GF (q), m ′ = m, n ′ =
[Log ₂ q] +1, d = 2, which is very effective. This [log ₂ q] is an integer obtained by rounding up the decimal of log ₂ q. The above-described scalar doubling device of the present invention can be operated by a computer. In this case, for example, as shown in FIG. 8, an input / output unit 31 to which P, k and the like are input and kP is output, a storage unit 32 in which a set of elliptic parameters m, q, d and b are stored, φ adic expansion exhibition program memory 33 stored, Q memory 34 program is stored _{which b} for calculating the, phi ⁱ times the memory 35 which stores a program for performing the calculation, d times memory 36 which stores a program for performing the arithmetic operation, A memory 37 storing a program for performing addition and subtraction, a memory 38 storing a program for performing a kP operation using these programs, and a processor 3
9 is connected to the bus 41, and the processor 39 executes these programs to perform scalar multiplication. It should be noted that the present invention is not limited to operations on elliptic curves, and in general, Z modules M
It can be applied to a method of multiplying the above element P by a scalar k (∈Z).

[0037]

According to the present invention, the elliptic curve E (GF (p
^m )) / Calculation of the scalar multiplication of a point on GF (p) is performed, for example, in the case of m = 7 and p = 2 ²⁹ -3 in the sixth embodiment, reference E
As shown below, the elliptic addition / subtraction can be reduced to about half as compared with the method of (1). For example, when the speeds of the ellipse addition and subtraction and the ellipse doubling are equal, the speedup is approximately 1.7 times as a whole.

Note that such an elliptic curve is actually used as an elliptic curve encryption.

[Brief description of the drawings]

FIG. 1 is a block diagram showing an embodiment of the apparatus of the present invention.

FIG. 2 is a block diagram functionally showing the apparatus of the present invention.

FIG. 3 is a flowchart showing an example of an operation procedure of the apparatus of the present invention.

FIG. 4 is a diagram showing an example of a φ-base expansion coefficient.

FIG. 5 is a diagram for explaining updating of a coefficient c _{i, j} .

[6] v in _b of v _b, flow diagrams illustrating an example of the procedure to find the portion where all _h ≠ 0 is consistent with some of c _{i, j} column of.

FIG. 7 is a flowchart for explaining a second embodiment.

FIG. 8 is a diagram showing an example of a case where the present invention apparatus is configured by a computer.

 ────────────────────────────────────────────────── ─── Continuing on the front page (72) Inventor Tetsutaro Kobayashi F-term (reference) in Nippon Telegraph and Telephone Corporation 2-3-1 Otemachi 2-chome, Chiyoda-ku, Tokyo 5B056 AA06 BB00 HH00 5J104 AA25 JA25 NA16

Claims (15)

[Claims] 1. A set of an integer d and a non-negative integer b is stored.
Storage unit, k is input, k = Σ_{i = 0} ^n'-1Σ_{j = 0} ^m'-1c_{i, j}d^jφⁱ Where c_{i, j} {-1, 0, 1}, φ is
｛C that satisfies the self-homomorphism_{i, j}Φ progression to find and output｝
Open part, the plurality of b and P are input, and the plurality of Qs are input._b= (V_b・ Φ
_b) Q that calculates and outputs (P)_bOperation part, where Φ_b= ｛Φ^h｝_{h = 0} ^{B + 1}= (Φ⁰, Φ¹,…, Φ
^{B + 1} ) B = [log_Threeb] ([a] means fractional rounding of a) v_b= ｛V_{b, h} ｝_{h = 0} ^{B + 1}= (V_{b, 0}, V_{b, 1} , ..., v
_{b, B + 1}) When h = 0, v_{b, h}= 1, h ≠ 0 [b / 3^(h-1) ] Mod3 log_Three0 = −1, mod 3 = 2, −1, and v_b・ Φ_b= Σ_{h = 0} ^{B + 1}v_{b, h}φ^h w_H(V_b) = Σ_{h = 0} ^{B + 1}| V_{b, h}| R is input and d times R is output on the Z module M
An operation unit, i and Q_bIs input, and on the Z module M, φⁱQ_b Calculate
OutputⁱA multiplication unit and two values are input, and these input values are adjusted on the Z module M
Adder / subtracter for calculating and outputting, and inputs P and k from the outside stored in a storage unit,
Read the important items, input them to each part, and record the output of each part.
Stored in the storage unit, and the addition / subtraction unit and the φⁱUses double operation
And above Q_b｛C_{i, j} ｝_{i = 0} ^m'-1± 1
While included, v_{b, h} Ｈ0 for all h (0 ≦ h ≦
B + 1), c_{i, j}= (-1)^ev _{b, h}B,
Find e, i, c_{i + h, j}-(-1)^ev_{b, h}By c
_{i + h, j}And φⁱR + using a multiplication unit and an addition / subtraction unit
(-1)^eφⁱ(Q_b) To update R
For j = n'-1, n'-2, ..., 0, and
R is updated by multiplying d by d multiplication unit every time j is updated.
And a control unit that outputs R at j = 0 as a calculation result of kP
A circulating window addition device comprising: 2. The relation of φ ^m (P) = P, and the Q _b operation unit is configured to calculate Q _b1 = φ ⁱ (Q _b2 ) among the plurality of b.
2. A means for predicting and calculating the predicted value, and means for calculating only one of Q _b1 and Q _{b2 for} the predicted value.
The circulating window adder as described. Wherein said Q _b calculation unit, Q that are already Motoma'
_b5 and P are inputted _{Q b6 = Q b5 + (-} 1) e φ i comprises means for calculating the (P) (b6> b5) that circulates window summing device according to claim 1 or 2, wherein . 4. The φ-advancing unit includes c _{i, j} for each _j.
There is a means for obtaining the ones of the same code, the Q _b calculation unit v _{b, h} is 1 or 0 v _b to Q
_4. A cyclic window adding apparatus according to claim 1, wherein said means is a means for calculating _b . 5. There is a relationship of φ ^m (P) = P, and the Q _b operation unit calculates Q ₀ = P when m = 2,3, 2. A circular window adding apparatus according to claim 1, wherein said means is for calculating any one of φ ⁱ times. 6. A Z-module M having d-times and φ-times operations
Input the above element P and scalar k∈Z to get scalar multiplication kP
In the output method, when P and k are input, the process of storing them in a storage unit, extracting k from the storage unit, and k = Σ_{i = 0} ^n'-1Σ_{j = 0} ^m'-1c_{i, j}d^jφⁱ Where c_{i, j} {−1,0,1}, self-quasi-quasi on Z-module M
｛C that satisfies the isomorphism_{i, j}Φ to find in 記憶 and store in storage
Hexadecimal expansion process and Q for each of a plurality of nonnegative integers b_b= (V_h・
Φ_b) (P) and each v_bIs stored in the storage unit
Q_bProcess and where Φ_b= ｛Φ^h｝_{h = 0} ^{B + 1}= (Φ⁰, Φ¹,…, Φ
^{B + 1} ) B = [log_Threeb] ([a] means fractional rounding of a) v_b= ｛V_{b, h} ｝_{h = 0} ^{B + 1}= (V_{b, 0}, V_{b, 1} , ..., v
_{b, B + 1}) When h = 0, v_{b, h}= 1, h ≠ 0 [b / 3^(h-1) ] Mod3 log_Three0 = −1, mod 3 = 2, −1, and v_b・ Φ_b= Σ_{h = 0} ^{B + 1}v_{b, h}φ^h w_H(V_b) = Σ_{h = 0} ^{B + 1}| V_{b, h}| Elliptic curve E / GF defined on finite field GF (q)
GF of (q) (q^m) Group E (GF
(Q^mR) for the identity element O and j for n'-1
Initialization process and ｛c from the storage unit_{i, j} ｝_{i = 0} ^m'-1(= (C_{0, j} , C_{1, j},
…, C_{m'-1, j})), V _bTake out and ｛c_{i, j} ｝_{i = 0}
^m'-1While ± 1 is included in_{b, h}For all h (0 ≦ h ≦ B + 1) where ≠ 0, c_{i + h, j} = (-1)^ev_{b, h} Search for b, e, and i, and when b is found, c for all h that satisfies 0 ≦ h ≦ B + 1
_{i + h, j}To c_{i + h, j}-(-1)^ev_{b, h} Update from the storage unit, R, Q_bAnd R + (-1)^eφⁱ(Q_b) Is calculated to update R.
A repetition process of repeatedly storing data in a storage unit, a check process of checking whether or not j = 0, and if j = 0, take out R from the storage unit and calculate dR
R is updated and stored in the storage unit, and j in the storage unit is -1.
Updating and returning to the above-described iterative processing;
When j = 0 is determined in the lock processing, R is stored from the storage unit.
Extracting and outputting the result as a calculation result of kP. 7. satisfying φ ^m (P) = P, and before the Q _b process, Q _b1 = φ ⁱ (Q
has a step of predicting calculate what the _b2), the Q _b process for b ₁ and b _2, which is the prediction of Q
7. The method of claim 6, further comprising the step of obtaining one of _b1 and _Qb2 . 8. The Q _b process calculates Q _b6 = Q _b5 + (− 1) ^e φ ⁱ (P) using Q _b5 that has already been obtained,
_{8. The} method of claim 6, further comprising at least one step of obtaining _b6 . 9. The above Q_bThe process is the Q_b3B
_ThreeWith w_H(V _b3-V_b4) And w_H(V_b3-V_b4) Is 1 or not, and if this judgment is 1, Q_b4= Q_b3+ (-1)^eφ
ⁱCalculate (P) and Q_b4Having a process of seeking
9. The method for adding a circular window according to claim 8, wherein: 10. The Q _b process, the process of causing the Hamming weight of v _b, v the steps of weighted addition of a number of elements _b, the process of obtaining a Q _b choose b in order that the addition result is smaller 10. The method according to claim 6, further comprising the steps of: 11. The φ-advancing process is performed for each j by ∀i [c _{i, j} ≧ 0] or ∀i [c _{i, j} ≦ 0] and the Q _b process is Δh The method according to any one of claims 6 to 10, wherein the method is performed only for [v _{b, h} ≧ 0]. 12. φ ^m (P) = P is satisfied, and the φ-amplifying process is と し i [ci _{, j} ≧ 0] or ∀i [ci _{, j} ≦ 0] for each _j , For each j, the number of zeros is more than half, and the Q _b process is 7. The method according to claim 6, further comprising the step of obtaining a value obtained by multiplying any one or a plurality of cases by φ. 13. The Δc obtained in the φ-ary expansion process
_{i, j}} 1 in sequence in each direction j in having a process of looking for those partial sequences consisting of -1 is identical ones two or more, the Q _b process the partial sequences in the two or more Corresponding Q
_10. A process for obtaining _b.
The method for adding a cyclic window according to any one of the above. 14. The process of searching for b, e, i in the iterative process is as follows: {b ₁ , b ₂ ,..., B _s } is a set arranged in descending order of w _H (v _b ). 0 and r initialization process to initialize the i initialization process to initialize i to 0, and e initialization process to initialize the e 0, v _b, all h which becomes _h ≠ 0 (0 ≦ h ≦ [log _{3 br} ] +
To _{1), c i + h,} j = (- 1) e v br, looking for _h, and the search process ends b = b _r, i, and outputs the e if found, not found in this search process In this case, e is updated by adding +1. If the updated e is smaller than 2, the process returns to the search process. If the updated e is not smaller than 2 in the e updating process, i is updated by +1. If the updated i is smaller than m ', the process returns to the e initialization process. If the updated i is not smaller than m', r is incremented by one, and if the updated r is less than s, the i initialization process is performed. 14. The method of claim 6, further comprising the step of: 15. A recording medium on which a program for causing a computer to execute the method according to claim 6 is recorded.