JP2002135242A - Public key distributing system, elgamal encryption system and elgamal signature system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide equipment for calculating double vectors, obtained by arranging a plurality of couples of two elements of a finite field, instead of the finite field, and various kinds of technique belonging to a public key encryption system which has a small scale and is manufactured easily in a device. SOLUTION: A double vector adder in this invention consists of a sum-set computing device 11, a point-set computing device 12, a storage device 13, an input device 14, an output device 15 and a central processor 16, and calculates the double vector X3 as a coordinate value row of a set Q3 of points, which is an addition result in a Jacobian group of curves, determined by a parameter A, of sets Q1, Q2 of points, when double vectors X1, X2 are regarded as the coordinate value row for the sets Q1, Q2 of points on a curve determined by the parameter A.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encryption technology as an information security technology, and more particularly, to a public key distribution method in which a user of a communication network shares a secret key using a public key, and a method of using a communication network. ElGamal-type encryption, which is a method for users to perform mutual secret communication using a public key, and Elgamal-type authentication, a method for electronic signatures, which is a method for users of communication networks to authenticate the contents and creators of messages. And the like.

[0002]

2. Description of the Related Art Various technologies belonging to a public key cryptosystem for exchanging secret information in a public communication network are difficult to solve a discrete logarithm problem on a finite field GF (p). There are many things.

[0003] For example, Diffie and Hellman in 1976, W. Duffy, M. Hermann, New Directions in Cryptography, IEE Trans Inf Theory, IT-22, 6, 644-654 (W.
Diffie, M .; Hellman, New dir
ctions in cryptography, IE
EE Trans. Inf. Theory, IT-2
2,6, pp. DH proposed in 644-654)
Public key distribution method and El-Gamal
Tee El Gamal, A Public Key Crypt System and a Signature Scheme Based on Discrete Logarithm, Plock Crypto 84, 1984 (TE El
Gamal, A Public keycryptos
system and a signature sch
embased on dis-create log
arithm, Proc. Crypto 84,198
The ElGamal cryptosystem and the Elgamal signature proposed in 4) are based on the security that the discrete logarithm problem on the finite field GF (p) is difficult.

A discrete logarithm problem on a finite field GF (p) will be described. A system G in which p is a prime number and integers {0, 1,...
Consider F (p). Now, Y = α ^X mod p (1 ≦
X ≦ p−1). Here, α is a fixed primitive root with GF (p). That is, GF
All non-zero elements of (p) can represent 1, 2,..., P-1. At this time, X is called the logarithm of Y on GF (p) with α as the base. It is easy to calculate Y from X, requiring only ₂ log ₂ X multiplications. Conversely, from Y to X
Is very difficult to calculate, even with the best algorithms currently known. The amount of calculation is almost the same as the amount of calculation for the prime factorization of a composite number having the same size as p. The problem of calculating X from Y is called a discrete log problem.

[0005] The DH public key distribution method utilizes the fact that it is difficult to solve the discrete logarithm problem described above. , The shared key K, which is secret information, can be shared without being known to a third party. First, the values of the prime number p and the primitive root α are notified to all members in advance as public information. First, A randomly selects an integer XA between [0, p-1] and keeps it secret. B also randomly selects an integer XB between [0, p-1] and keeps it secret. Then, A is to calculate the ^{_{Y A = α XA mod p (}} 1 ≦ Y A ≦ p-1), and sends the Y _A to B. B is Y _B = α ^XB mod p
(1 ≦ Y _B ≦ p−1) is calculated, and Y _B is sent to A. After exchanging Y _A and Y _B in this way, _A calculates the shared key K as follows.

[0006] calculating the ^{_{K = Y B XA mod p =}} (α XB mod p) XA mod p = α XAXB mod p (1 ≦ K ≦ p-1) shared key K B are similarly as follows.

K = Y _A ^XB mod p = (α ^XA mod p) ^XB mod p = α ^XAXB mod p (1 ≦ K ≦ p−1) In the above method, A and B ^{obtain the} key K = α ^XAXB mod p. I could share it secretly.

Thereafter, the user A and the user B can perform secret communication using the shared key K. In the above procedures, information flowing to published network is only Y _A and Y _B, since the seek X _A and X _B from these is the private information it is necessary to solve the discrete logarithm problem, discrete logarithm On the assumption that the problem is difficult, the shared key K will not be known to a third party.

Further, in the ElGamal cryptosystem, it is possible to perform secret communication in a public communication network in the following manner, utilizing the fact that it is difficult to solve the discrete logarithm problem. The values of the prime number p and the primitive root α are disclosed to all members in advance as public information. Each user U arbitrarily selects an integer XU and keeps it secret. Furthermore, each user U is YU
= Α ^XU mod p (1 ≦ YU ≦ p−1), and notifies each user as a public key. Consider a case where user A secretly communicates plaintext M to user B. First, the user A creates the following two sets of ciphertexts C1 and C2 using the random number k known only to him / her and the public key YB of the user B.

C1 = α ^k mod p C2 = M · Y _B ^k mod p Next, the user A sends the ciphertexts C1 and C2 to the user B. The user B, having received the ciphertext, obtains the plaintext M by calculating the following equation using the integer XB known only to him / her.

M = C1− ^XB · C2 mod p As described above, in the El ^Gamar cryptosystem, only information C1 and C2 that flow through the open communication network are used. Since the discrete logarithm problem needs to be solved, secret communication is realized on the assumption that the discrete logarithm problem is difficult.

Further, in the ElGamal signature, the fact that it is difficult to solve the discrete logarithm problem makes it possible to realize an electronic signature as follows. The values of the prime number p and the primitive root α are disclosed to all members in advance as public information. The prover U arbitrarily selects an integer XU as a signature key and keeps it secret. Further, the prover U ^obtains YU = α ^XU mod
Calculate p (1 ≦ YU ≦ p−1) and publish it as a verification key. Consider a case where the verifier V verifies the signature of the prover U on the plaintext M. First, the prover U creates the following two sets of signature statements R and S using the random number k known only to him and his signature key XU.

R = α ^k mod p S = (M−XU · R) k ⁻¹ mod p Next, the prover U sends the verifier V the plaintext M and the signature text R,
Send S The verifier V that has received the signature statement verifies whether or not the following equation is satisfied using the verification key YU of the prover U.

[0014] ^{α M = YU R · R S} mod p Thus, in the ElGamal signature information through the public communication network is M, is only R and S, from these determine the XU is the private information Since it is necessary to solve the discrete logarithm problem, it is difficult for a person other than the prover U to impersonate the prover U on the assumption that the discrete logarithm problem is difficult, and an electronic signature is realized.

[0015]

As described above, various techniques belonging to the public key cryptosystem for exchanging secret information in a public communication network include a discrete logarithm on a finite field GF (p). Many have found the security of the problem to be difficult. However, in recent years, the development of large computers and the development of various mathematical algorithms
Various methods for solving the discrete logarithm problem on (p) with a relatively small amount of calculation are being developed. As a countermeasure, it is recommended to use 1024 bits, that is, a large prime number p of about 300 digits or more in decimal system. However, for a large prime number p of about 300 digits, an operation on a finite field GF (p) is performed. This requires a large-scale arithmetic circuit for finite field arithmetic, which is a factor hindering the practical use of various technologies belonging to the public key cryptosystem.

The present invention provides, as an arithmetic unit for providing a cryptographic system, an apparatus for operating a double vector obtained by arranging a plurality of two sets of finite fields instead of a finite field, It is another object of the present invention to provide various techniques belonging to a public key cryptosystem that is smaller and easy to implement.

[0017]

As has been seen, the various techniques belonging to public key cryptography are based on the discrete logarithm problem of a finite field, or more precisely, a multiplicative group of a finite field. The principle of the present invention is to use a Jacobian group of an algebraic curve on a finite field (hereinafter simply referred to as a curve) instead of a multiplicative group of a finite field in order to realize various techniques belonging to the public key cryptosystem. It is.

The Jacobian group of a curve will be described. An arbitrary curve has an attribute called a genus that has a value of a positive integer. Assuming that the genus of the target curve C is g,
An addition can be defined as follows between a set of arbitrary g points on the curve C. Two sets X1 of g points on the curve C = {P11, P12,..., P1g} and X
2 = {P21, P22,..., P2g}. With respect to X1 and X2, a curve having the smallest degree among curves passing through all points belonging to X1 and X2 is defined as a curve B. Curve B consists of curve C and X
Intersect at g points other than the points belonging to 1, X2. The g points are referred to as Q1,..., Qg. Furthermore, g points Q1
,..., Qg, the curve having the minimum degree is designated as curve A. Curve A is composed of curve C and g points Q1,
,..., Rg, intersect at another g points R1,. The result of adding X1 and X2 is Y = {R1,..., Rg}. The set of arbitrary sets of g points on the curve C, for which addition is defined in this way, is called a Jacobian group of the curve C on the finite field GF (p), and the number of its elements, that is, the curve C The number of sets of the above arbitrary g points is about pg. For a more mathematically detailed and rigorous explanation, see, for example, JH Silberman, 1986, Di Arithmetic of Elliptic Curve, Springer Verlag (JH Silv).
erman, TheArithmetic of E
lliptic Curves, Springer-V
erlag, 1986).

In order to realize various techniques belonging to the public key cryptosystem having cryptographically sufficient strength, whether a multiplicative group of a finite field is used or a Jacobian group of the above curve is used, sufficient A group with the number of elements must be used. In general, the number of elements in the multiplicative group of the finite field GF (p) is p−
While the number is one, the number of elements of the Jacobian group of the curve of the genus g on the finite field GF (p) is about pg. Therefore, when the Jacobian group of a curve of the genus g on a finite field is used instead of the multiplicative group of the finite field, when the cryptographic strength is kept at the same level, that is, the number of elements of the group to be used is the same. , The number of digits of p of the finite field GF (p) to be used is
Compared to the case where a multiplicative group of a finite field is used, it can be reduced to about 1 / g. That is, the various technologies belonging to the public key cryptosystem according to the present invention can use a smaller finite field without deteriorating the cryptographic strength, so that the cryptographic method can be cryptographically performed by a cheaper and smaller device. Sufficient strength can be achieved.

[0020]

DETAILED DESCRIPTION OF THE INVENTION The present invention uses a Jacobian group of curves of genus g on a finite field GF (p) instead of a multiplicative group of a finite field. As seen above, the elements of the Jacobian group of a curve of genus g on a finite field GF (p) are a set of points {Q1,..., Qg} consisting of g points on the curve. (X (Q1), y (Q1)), (x (Q2), y
(Q2)),..., (X (Qg), y (Qg))) (where x (Qi) represents the x coordinate of point Qi and y (Qi
) Represents the y coordinate of the point Qi. ). Therefore, when a vector obtained by arranging a plurality of two element sets of a finite field is called a double vector, the elements of the Jacobian group are represented by the double vector, and various techniques belonging to the public key cryptosystem according to the present invention include: , An arithmetic unit for a double vector on a finite field.

[Double Vector Addition Apparatus] An embodiment of the double vector addition apparatus of the present invention will be described.

The double vector adding apparatus according to the present invention converts a double vector X 1, X 2 obtained by arranging a plurality of two original sets of a predetermined finite field onto a curve defined by a parameter A, respectively. When the set of points Q1 and Q2 is regarded as a sequence of coordinate values of the set of points Q1 and Q2,
It calculates and outputs a double vector X3, which is a coordinate value sequence of a group Q3 of points Q3 as a result of addition of a curve defined by the parameter A in the Jacobian group, and can be realized on a computer.

FIG. 1 shows an embodiment of a double vector adding apparatus according to the present invention. FIG. 2 shows a processing flow of the double vector addition device. FIG. 3 shows an embodiment of the point set conversion device in the double vector addition device. FIG. 4 shows a processing flow of the point set conversion device.

The double vector adder shown in FIG. 1 comprises a union calculator 11, a point set converter 12, a memory 13, an input device 14, an output device 15, and a central processing unit 16.

The input means 14 inputs the double vectors X 1 and X 2 and a parameter A for defining one curve.

The memory 13 stores an X1 storage file for storing the input X1, an X2 storage file for storing the input X2, an A storage file for storing the input A, and a calculated T1. It has a T1 storage file and a T2 storage file for storing the calculated T2.

The union calculator 11 obtains X1 from the X1 storage file, X2 from the X2 storage file, and A from the A storage file, and obtains the double vectors X1 and X2 on the curve defined by the parameter A, respectively. , A double vector T1 which is a coordinate value sequence of the union of the two sets of points is calculated.

The point set converter 12 obtains T1 from the T1 storage file and A from the A storage file, and regards the double vector T1 as a sequence of coordinate values of a set of points on the curve defined by the parameter A. A double vector T2, which is a coordinate value sequence of a set of points representing the inverse of the set of points in the Jacobian group of the curve defined by the parameter A, is calculated. Further, the point set converter 12 obtains T2 from the T2 storage file and A from the A storage file, and regards the double vector T2 as a coordinate value sequence of a set of points on the curve defined by the parameter A. Is calculated as a double vector X3, which is a coordinate value sequence of a set of points representing the inverse of the Jacobian group of the curve defined by the parameter A in the set of.

The output means 15 outputs the calculated X3.

The central processing unit 16 includes the union calculator 1
1, point set conversion device 12, memory 13, input means 14,
The output unit 15 is controlled.

The point set conversion device shown in FIG. 3 includes a common curve operation device 21, an intersection set operation device 22, a difference set operation device 23, a memory 24, an input device 25, and an output device 2.
6 and a central processing unit 27. Input device 2
5 inputs a double vector T1 and a parameter A defining one curve.

The memory 24 has a T1 storage file for storing the input T1, an A storage file for storing the input A, a B storage file for storing the calculated B,
And an S1 storage file for storing the calculated S1.

When the common curve calculation device 21 obtains T1 from the T1 storage file and A from the A storage means, and regards the double vector T1 as a coordinate value sequence of a set of points on the curve defined by the parameter A, The parameter B of the curve passing through all the points included in the set of points is calculated.

The intersection set operation unit 22 acquires B from the B storage file and A from the A storage file, and obtains a double coordinate sequence of all intersections of the curve defined by the parameter A and the curve defined by the parameter B. The vector S1 is calculated.

The difference set arithmetic unit 23 obtains T1 from the T1 storage file and S1 from the S1 storage file, and stores the double vectors T1 and S1 as a coordinate value sequence of a set of points on the curve defined by the parameter A. When it is considered, a double vector T2 which is a coordinate value sequence of a set of points obtained by removing all points belonging to the set of points represented by the double vector T1 from the set of points represented by the double vector S1 is calculated.

The output device 26 outputs the calculated T2.

The central processing unit 27 includes the common curve calculation unit 2
1, intersection set operation device 22, difference set operation device 23
, The memory 24, the input device 25, and the output device 26.

Here, as the central processing unit 27, the input unit 25, the output unit 26, and the memory 24, the central processing unit 16, the input unit 14, the output unit 15, and the memory 13 of FIG. 1 can be used. In addition, T input from the input device
1, T1 stored in the memory of FIG.
A can also be used.

Next, the operation of the double vector adder shown in FIGS. 1 and 3 will be described by referring to a curve y3 = x4 + on a finite field GF (17).
The case where 1 is used will be described as an example.

In the double vector adder of FIG. 1, two double vectors X on a finite field GF (17) of order 17
1 = ((0, 1), (1, 8), (2, 0)), X2 =
((3,10), (4,8), (5,10)) and GF
(17) Parameter A = (3,4, −1,0,0,0,0,0, A) that determines the above curve y3 = F (x) = x4 + 1
0, 0, 0, 1, -1) are input from the input device. Here, the data format of the parameter A is as shown in FIG.

First, the central processing unit temporarily stores the input double vectors X 1, X 2 and parameter A in the memory 13. Next, the central processing unit 16 acquires the double vectors X1 and X2 from the X1 storage file and the X2 storage file, respectively, and inputs them to the union calculation unit 11. The union calculation unit 11 regards the double vectors X1 and X2 as a sequence of coordinate values of a set of points, and calculates the union thereof. That is, the double vector X1 is added to the point (0,
1), a point (1, 8), and a point (2, 0), and a double vector X2 is regarded as a point (3, 10),
Considering a set consisting of three points, points (4, 8) and (5, 10), and calculating the union of the set, ｛(0,
1), (1,8), (2,0), (3,10), (4,
8), (5,10)}, the corresponding double vector T1 = ((0,1), (1,8), (2,0),
(3, 10), (4, 8), (5, 10)) are output.

Next, the central processing unit 16 stores the double vector T 1 output from the union calculation unit 11 in the memory 13.
To temporarily memorize.

Next, the central processing unit acquires the double vector T 1 from the T 1 storage file and the parameter A from the A storage file, and inputs them to the point set conversion device 12. When the double vector T1 is regarded as a sequence of coordinate values of a set of points on the curve defined by the parameter A, the point set conversion device 12 determines the parameter A of the corresponding point set by the following arithmetic processing. A double vector T2, which is a coordinate value sequence of a point set corresponding to the inverse element in the Jacobian group of the curve, is output.

The operation performed by the point set converter 12 will be described with reference to FIG.

First, in FIG. 3, a double vector T1 and a parameter A are input from an input device. Next, the central processing unit 27 temporarily stores the input double vector T1 and parameter A in the memory 24. When the result of the operation by the union calculation device 11 is stored in the memory 13, it may be read.

Next, the central processing unit 27 obtains T1 from the T1 storage file and A from the A storage file, and inputs them to the common curve calculation unit 21. Common curve calculation device 21
Outputs a parameter B defining a curve passing through all the points included in the point set represented by the double vector T1 including the degree of redundancy in the data format shown in FIG. 5 by the following arithmetic processing.

The flow of the calculation process performed by the common curve calculation device 21 will be described with reference to FIG. Step 6 in FIG.
In FIG. 1, the common curve calculation device 21 first receives the input parameter A = (3, 4, −1, 0, 0, 0, 0,
0, 0, 0, 0, 1, -1), the degree 3 of y and the degree 4 of x are read out, i is an arbitrary integer of 0 or more, and j is 0 or more 2
When the following arbitrary integer is set, the weight is set to 3i + 4j for the monomial expression xi yj composed of the indefinite elements x and y.

Next, in step 62 of FIG. 6, the common curve calculation device 21 inputs the double vector T1
点 (0,1), (1,8), (2,0),
The number of elements of (3,10), (4,8), (5,10)} is calculated to obtain the number of elements 6, and the monomial x ⁱ y ^j (i ≧
0,0 ≦ j ≦ 2), and 6 + 1 =
Select up to seven, {1, x, y, x 2, xy, y 2, x
³ }, and the selected monomials {1, x, y, x ² , x
y, y ² , x ³ } undetermined coefficients {a, b, c, d, e,
linear combination a + bx + cy + dx ² + ex
Construct y + fy ² + gx ³ .

Next, in step 63 of FIG. 6, the common curve calculator 21 calculates the linear combination a + bx + cy + dx
² + exy + fy ² + gx ³ and the double vector T1
点 (0,1), (1,8), (2,0),
The coordinates of each point included in (3,10), (4,8), (5,10)} are substituted, and the simultaneous linear equations a + c + f = 0 a + b + 8c + d + 8e + 13f + g = 0 a + 2b + 4d + 8g = 0 a + 3b + 10c + 9d + 13e + 15f + 10g =
0 a + 4b + 8c + 16d + 15e + 13f + 13g =
0a + 5b + 10c + 8d + 16e + 15f + 6g =
Get 0.

Next, at step 64 in FIG. 6, the common curve calculation device 21 solves the above-mentioned simultaneous linear equations to obtain the undetermined coefficients as a = 8, b = 4, c = 14, d =
4, e = 16, f = 12, g = 13.

Finally, the common curve computing device 21 in step 65 of FIG. 6 determines the coefficients (8, 4,
14,4,16,12,13), the information (2,3) of the order of y and x is prefixed, and the parameter B = (2,3,8,
4, 14, 4, 16, 12, 13) are output. The description of the flow of the calculation process performed by the common curve calculation device 21 is finished.

Next, referring to FIG.
Temporarily stores the parameter B output from the common curve calculation device 21 in the memory 24. Next, the central processing unit 27 acquires the parameter B from the B storage file and the parameter A from the A storage file, and inputs them to the intersection set operation device 22.

The intersection set operation unit 22 calculates the curve represented by the parameter A and the parameter B
Outputs a double vector T2, which is a coordinate value sequence of a point set consisting of all intersections with the curve represented by.

The flow of the arithmetic processing performed by the intersection set arithmetic unit 22 will be described with reference to FIG. Step 7 in FIG.
1, the intersection set operation device 22 determines that the input parameter A = (3,4, −1, 0, 0, 0, 0, 0, 0,
0, 0, 1, -1) to define equation f (x, y) of the curve
= Y ³ −x ⁴ −1 = 0, and the input parameter B = (2, ^{3, 8, 4,} 14, 4, 16, 12, 13)
From the equation g (x, y) = 8 + 4x + 14y
+ 4x ² + 16xy + 12y ² + 13x ³ = 0, and the final expression for y of f (x, y) and g (x, y) is determinant

[0055]

(Equation 1)

By expanding the polynomial s
^{(X) = 16x + 2x 2} + 13x 3 + 13x 4 + 10x 5
^{+ 2x 6 + 8x 8 + 4x} 9 obtain (For more information resultant of, for example, van der Velden, algebraic geometry Introduction, Springer-Verlag Tokyo, located in.).

Next, the intersection set operation unit 22 determines in step 72 of FIG. 7 that the solution x1 = 0, x2 of s (x) = 0
= 13, x3 = 5, x4 = 4, x5 = 3, x6 = 2, x
7 = 1, x8 = α1, x9 = α2. However, [alpha] 1, alpha 2 is the solution of the irreducible equation 16 + 13x + x ² secondary.

Next, the intersection set operation device 22 calculates f (x
i, y) and g (xi, y) are calculated by the greatest common formula ti (y), and the solution of equation ti (y) = 0 y = _{yi, 1} , ..., y
_Find all _{i and mi} .

That is, when i = 1, since x1 = 0, the greatest common equation of f (0, y) and g (0, y) is calculated to obtain 16 + y, and y1, 1
= 1. When i = 2, x2 = 13, so that f (1
3,3) and g (13, y) are calculated as 9+
y is obtained, and y2,1 = 8 is obtained as a solution of 9 + y = 0. i
= 3, x3 = 5, so f (5, y) and g
Calculate the greatest common formula of (5, y), obtain 7 + y, and calculate 7+
As a solution of y = 0, y3,1 = 10 is obtained. When i = 4,
Since x4 = 4, the greatest common denominator of f (4, y) and g (4, y) is calculated, 9 + y is obtained, and y is obtained as a solution of 9 + y = 0.
4,1 = 8 is obtained. When i = 5, since x5 = 3, f
Calculate the greatest common formula of (3, y) and g (3, y), and calculate 7+
y is obtained, and y5,1 = 10 is obtained as a solution of 7 + y = 0.
When i = 6, x6 = 2, so that f (2, y) and g
The greatest common formula of (2, y) is calculated, y is obtained, and y6,1 = 0 is obtained as a solution of y = 0. When i = 7, since x7 = 1, the maximum common formula of f (1, y) and g (1, y) is calculated, 9 + y is obtained, and y7,1 = 8 is obtained as the solution of 9 + y = 0. . When i = 8, since x8 = α1, f (α1,
y) and g (α1, y) are calculated as 8 + 8α
1 + y, and as a solution of 8 + 8α1 + y = 0, y8,1 =
9 + 9α1 is obtained. When i = 9, x9 = α2, so
The greatest common formula of f (α2, y) and g (α2, y) is calculated to obtain 8 + 8α2 + y, and y9,1 = 9 + 9α2 as a solution of 8 + 8α2 + y = 0.

Finally, the intersection set computing device 22 determines in step 74 of FIG. 7 that the point set ｛(xi, yi, j)
| 1 ≦ i ≦ n, 1 ≦ j ≦ mi} a double vector S1 = ((0,1), (13,8), (5,1)
0), (4,8), (3,10), (2,0), (1,
8), (α1, 9 + 9α1), (α2, 9 + 9α2))
Is output. The description of the calculation processing performed by the intersection set calculation device 22 is finished.

Next, referring to FIG.
Is a double vector S output from the intersection set operation device 22.
1 is temporarily stored in the memory 24. Next, the central processing unit 27 extracts the double vector T1 from the T1 storage file.
To obtain the double vector S1 from the S1 storage file,
These are input to the difference set operation device 23.

The difference set operation unit 23 calculates the double vector S 1
点 (0,1), (13,8), (5,1
0), (4,8), (3,10), (2,0), (1,
8), (α1, 9 + 9α1), (α2, 9 + 9α2)｝
And the point set ｛(0,1), (1,
8), (2,0), (3,10), (4,8), (5,
10) Difference set from {} (13, 8), (α1, 9 + 9α)
1), (α2, 9 + 9α2)}, and a double vector T2 = ((13, 8), (α1, 9)
+ 9α1), (α2, 9 + 9α2)).

Finally, the central processing unit 27 outputs the double vector T2 to the output device. The description of the arithmetic processing performed by the point set conversion device 12 is finished.

Next, in FIG. 1, the central processing unit temporarily stores the double vector T 2 output from the point set conversion unit 12 in the memory 24. Next, the central processing unit acquires the double vector T2 from the T2 storage file and the parameter A from the A storage file, and inputs them to the point set converter 12 again. When the double vector T2 is regarded as a sequence of coordinate values of a set of points on the curve defined by the parameter A, the point set conversion device 12 performs the same operation as described above. , A double vector X3 = ((1,1,2), which is a coordinate value sequence of a point set corresponding to the inverse element in the Jacobian group of the curve defined by the parameter A
8), (β1,14 + 8β1), (β2,14 + 8β2
)) Is output. Here, β1 and β2 are solutions of the second-order irreducible equation 14 + 10x + x2.

Finally, the central processing unit determines that the double vector X
Output 3 to the output device. This concludes the description of the embodiment of the double vector addition device of the present invention.

[Double Vector Doubler] An embodiment of the double vector doubler of the present invention will be described.

The double vector doubling apparatus according to the present invention provides a double vector X on a predetermined finite field as a coordinate value sequence of a set Q of points on a curve defined by a parameter A. It calculates and outputs a double vector Y, which is a coordinate value sequence of a set R of points which is twice as large as the set of points Q in the Jacobian group of the curve defined by the parameter A, and can be realized on a computer. it can.

FIG. 8 shows an embodiment of the double vector doubling device of the present invention. FIG. 9 shows a processing flow of the double vector doubling device of the present invention.

The double vector doubling device of the present invention comprises a double vector adding device 31, a memory 32, and an input device 33.
, An output device 34, and a central processing unit 35.

The double vector adding device 31 is the above-described double vector adding device. The memory 32 has an X storage file that stores the double vector X and an X ′ storage file that stores the double vector X ′.

The input device 33, the output device 34, the central processing unit 35, and the memory 32 can use the central processing unit 16, the input device 14, the output device 15, and the memory 13 of the double vector adding device.

The operation of the double vector doubling device of the present invention will be described with reference to FIG. In the double vector doubling device of FIG. 8, a finite field GF (1
7) Double vector X = ((0,1), (1,8),
(2,0)) and the curve y ³ = F (x) = on GF (17)
parameter A = (3, 4 defining the x ⁴ +1, -1,0,
0, 0, 0, 0, 0, 0, 0, 1, -1) are input from the input device. The data format of the parameter A is as shown in FIG.

First, the central processing unit 35 temporarily stores the double vector X, the duplicate vector X '= X, which is a duplicate thereof, and the parameter A in the memory 32.

Next, the central processing unit 35 acquires the double vector X from the X storage file, the double vector X 'from the X' storage file, the parameter A from the A storage file, and adds them to the double vector. Input to the device 31,
Double vector X2 = ((7,11), (11, γ1),
(11, γ 2)). Here, γ1 and γ2 are solutions of the irreducible quadratic equation x2 + 11x + 2. Finally, the central processing unit outputs the double vector X2 to an output device.

[Double Vector Integer Multiplying Apparatus] An embodiment of the double vector integer multiplying apparatus of the present invention will be described.

The double vector integer multiple device of the present invention converts a double vector X obtained by arranging a plurality of two original sets of a predetermined finite field into a set Q of points on a curve defined by a parameter A. Calculates and outputs a double vector Z which is a coordinate value sequence of a set R of points which is n times the Jacobian group of the curve defined by the parameter A of the set Q of the points when regarded as a coordinate value sequence. And can be implemented on a computer.

FIG. 10 shows an embodiment of the double vector integer multiple device of the present invention. FIG. 11 shows a processing flow of the double vector integer multiple device of the present invention.

The double vector integer multiplying device of the present invention comprises a double vector adding device 41 and a double vector doubling device 42.
, A memory 43, an input device 44, an output device 45,
And a central processing unit 46.

The double vector adding device 41 is the above-described double vector adding device. The double vector doubling device 42 is the above-described double vector doubling device. The memory 43 has an n storage file storing an integer n, an X storage file storing a double vector X, and a Y storage storing a double vector Y.
It has a storage file, a Z storage file that stores the double vector Z, and an r storage file that stores an integer r.

The input device 44, the output device 45, the central processing unit 46, and the memory 43 can use the central processing unit 16, the input device 14, the output device 15, and the memory 13 of the double vector adding device.

Next, the operation of the double vector integer multiple device of the present invention will be described with reference to FIGS.

First, an input device inputs an integer n, a double vector X, and a parameter A for defining one curve.
The input integer n is stored in the n storage file of the memory 43, the input double vector X is stored in the X storage file of the memory 43, and the input parameter A is stored in the memory 43.
(Step 110)
1).

Next, an empty double vector Z is stored as an initial value of a Z storage file in the memory 43, and a double vector Y which is a copy of the input double vector X is stored in the memory 43.
(Step 1102).

Next, the central processing unit 46 obtains an integer n from the n storage files, obtains a remainder r obtained by dividing n by 2, updates the r storage file as a new r. Similarly n
An integer n is obtained from the storage file, a quotient obtained by dividing n by 2 is obtained, and this is set as a new n, and the n storage file is updated (step 1103).

Next, the central processing unit acquires r from the r storage file and determines whether or not r is 1 (step 11).
04).

As a result of step 1104, if r is 1,
The central processing unit calculates the double vector Y from the Y storage file.
, A double vector Z from the Z storage file, a parameter A from the A storage file, and input the double vectors Y, Z and the parameter A to the double vector adder 41 to obtain the sum of Y and Z. Is updated as a new double vector Z (step 1105).

If the result of step 1104 is that r is not 1, central processing unit 46 acquires n from the n storage files and determines whether n is greater than 0 (step 110).
6).

If the result of step 1106 is that n is greater than 0, central processing unit 46 returns 2 from the Y storage file.
The double vector Y is obtained by obtaining the parameter A from the A storage file, inputting the double vector Y and the parameter A to the double vector doubling device 42, obtaining twice the double vector Y, The Y storage file is updated as the vector Y, and the process returns to step 1103 (step 1108).

As a result of step 1106, if n is equal to 0, central processing unit 46 obtains and outputs double vector Z from the Z storage file, and ends the processing (step 1).
107).

Referring to FIG. 10 and FIG.
An embodiment of the double vector integer multiple device will be described.

In the double vector integer multiple device shown in FIG. 10, the double vector X on the finite field GF (17) of order 17 is used.
= {(0,1), (1,8), (2,0)} and GF (1
7) on the curve y ³ = F (x) = parameter A = (3, 4 defining the x ⁴ +1, -1,0,0,0,0,0,0,
0, 0, 1, -1) and an integer n = 5 are input from the input device. The data format of the parameter A is as shown in FIG.

First, the central processing unit 46 temporarily stores the double vector X, the double vector Y which is a copy of X, the empty double vector Z, the parameter A and the integer n in the memory 43. (Steps 1101 and 1102).

Next, the central processing unit 46 obtains n from the n storage file, obtains a remainder r = 1 obtained by dividing n = 5 by 2, and temporarily stores the remainder in the r storage file. Further, the central processing unit 46 obtains an integer n from the n storage files,
A quotient 2 obtained by dividing n = 5 by 2 is obtained and temporarily stored in a new n storage file (step 1103).

Next, the central processing unit 46 obtains the integer r from the r storage file, and since r is 1 (step 1104), the central processing unit 46 converts the double vector Y from the Y storage file into Z
The double vector Z is obtained from the storage file, the parameter A is obtained from the storage file A, the double vectors Y and Z and the parameter A are input to the double vector addition device 41, and the output double vector ｛(0,1) is output. ), (1,8), (2,
0)｝ is temporarily stored in a new Z storage file (step 1105).

Next, the central processing unit 46 acquires the integer n from the n storage file, and since the value 2 of n is greater than 0 (step 1106), the double vector Y from the Y storage file is obtained from the A storage file. Get the parameter A, 2
The double vector Y and the parameter A are input to the double vector doubling device 42, and the output double vector ((7, 11),
(11, α 1), (11, α 2)) are newly stored temporarily in the Y storage file (step 1108). Here, α1 and α2 are the solutions of the irreducible quadratic equation x ² + 11x + 2.

Next, the central processing unit 46 obtains an integer n from the n storage files, and divides n = 2 by 2 to obtain a remainder r =
0 is obtained and temporarily stored in the r storage file. Further, the central processing unit 46 obtains the integer n from the n storage files, obtains a quotient 1 obtained by dividing n = 2 by 2, and temporarily stores the quotient 1 in the new n storage files (step 1103).

Next, the central processing unit 46 acquires the integer r from the r storage file and confirms that r is not 1 (step 1106).

Next, the central processing unit 46 acquires the integer n from the n storage file, and since the value 1 of n is greater than 0 (step 1106), the central processing unit 46 obtains the double vector Y from the Y storage file and the double vector Y from the A storage file. Get the parameter A, 2
The double vector Y and the parameter A are input to the double vector doubling device 42, and the output double vector ((β1,16 +
^{3β1 + 7β1 2), (β2} , 16 + 3β2 + 7β2 2),
(Β3, 16 + 3β3 + 7β3 2)) newly temporarily stored in the Y memory file (step 1108). Here, β1, β 2, β 3 are approximately cubic equation already x ³ + 14x ²
+ 6x + 8.

Next, the central processing unit 46 acquires the integer n from the n storage files, and since the value of n is 1, n = 1
Is divided by 2 to obtain a remainder r = 1, which is temporarily stored in a new r storage file. Further, the central processing unit 46 includes n
An integer n is obtained from the storage file, a quotient 0 obtained by dividing n = 1 by 2 is obtained, and temporarily stored in a new n storage file (step 1103).

Next, the central processing unit 46 obtains an integer r from the r storage file, and since r is 1 (step 1104), the central processing unit 46 converts the double vector Y from the Y storage file into Z
The double vector Z is obtained from the storage file, the parameter A is obtained from the storage file A, the double vectors Y and Z and the parameter A are input to the double vector adder 41, and the output double vector ((γ1, 13 + 2γ1) + 5γ1 ² ),
(Γ2, 13 + 2γ2 + 5γ2 2), (γ3, 13 + 2γ
3 + 5γ3 ² )) is temporarily stored in a new Z storage file (step 1105). Here, γ1, γ2, γ
3 is the solution of about a cubic equation already ^{x 3 + 8x 2 + 7x +} 9.

Next, the central processing unit 46 obtains the integer n from the n storage file, and since the value of n is 0 (step 1106), obtains the double vector Z from the Z storage file and outputs it to the output device. (Step 1108).

[Public Key Distribution System] An embodiment of the public key distribution system of the present invention will be described. In FIG.
1 shows an embodiment of a public key distribution system using a double vector integer multiple device of the present invention. FIG. 13 shows an embodiment of the center of the public key distribution system of FIG. FIG.
2 shows an embodiment of a user terminal of the second public key distribution system. FIG. 15 shows the contents of the procedure of the public key distribution system using the double vector integer multiple device of the present invention. FIG.
The operation of the public key distribution system of the present invention will be described with reference to FIGS.

The public key distribution system of the present invention comprises a center and a plurality of user terminals as shown in FIG. 12, and executes the procedure shown in FIG.

In the public key distribution system of the present invention, first,
The center notifies the parameter A and the double vector Q defining one curve to all members in advance (step 151).

Then, the user terminal U randomly selects an integer nU and keeps it secret. Similarly, the user terminal V randomly selects an integer nV and keeps it secret. Further, the user terminal U inputs an integer nU of its own secret information and a double vector Q and a parameter A of public information to a double vector integer multiplying device, and outputs the output double vector QU = n.
U · Q is sent to the user terminal V. Similarly, the user terminal V also inputs its own secret information integer nV and public information double vector Q and parameter A to the double vector integer multiplying device, and outputs the output double vector QV = nV.Q Is sent to the user terminal U (step 152).

Thereafter, the user terminal U inputs the double vector QV sent from the user terminal V, the integer nU which is secret information of itself and the parameter A which is public information to the double vector integer multiplying device, The output double vector K = nU.
Let QV = nU.nV.Q be the shared key K. User terminal V
Is also the double vector Q sent from the user U.
U, an integer nV that is secret information of itself, and a parameter A that is public information are input to a double vector integer multiplication device, and the output double vector K = nV · QU = nV · nU · Q is used as a shared key K. (Step 153).

Finally, the user terminal U and the user terminal V perform secret communication using the shared key K (step 154).

Next, an embodiment of the center and the user terminal of the public key distribution system of the present invention will be described.

The center is composed of a double vector parameter request receiving means and a double vector parameter disclosure means as shown in FIG. The user receives double vector Q,
When the request for parameter A is accepted, the double vector
The parameter publishing means publishes the double vector Q and the parameter A to the requesting user terminal.

FIG. 14 shows an embodiment of the user terminal U. The user terminal U includes a double vector parameter request transmitting unit, a double vector parameter receiving unit, an integer generating unit, a double vector integer multiple unit, a QU output unit, a QV receiving unit, a secret key, It comprises storage means and secret communication means.

The double vector / parameter request transmitting means requests the double vector Q and the parameter A which are disclosed to the center.

The double vector / parameter receiving means includes:
The double vector Q and the parameter A published from the center by the request of the double vector parameter request transmitting means are received, held, and output to the double vector integer multiple device.

The integer generating means randomly selects an integer nU and keeps it secret, and outputs nU to the double vector integer multiplying device.

The double vector integer multiplying device is provided by the center from the double vector parameter receiving means.
A double vector QU is calculated and output by inputting a double vector Q and a parameter A, inputting an integer nU from an integer generating means, and multiplying Q by nU.

The QU output means transmits the double vector QU calculated by the double vector integer multiple device to the user terminal V. The QV receiving means 76 receives the double vector QV transmitted from the user terminal V, and outputs it to the double vector integer multiple device.

In the double vector integer multiplying device, the double vector QV transmitted from the user terminal V, the integer nU which is secret information stored in the integer generating means, and the double vector
The parameter A held in the parameter receiving means is input, and QV is multiplied by nU to create a double vector K, which is output to the secret key storage means.

The secret key storage means stores the double vector K calculated by the double vector integer multiple device as a secret key.

The secret communication means performs secret communication with the user terminal V using the double vector K stored in the secret key storage means as a secret key.

Next, an embodiment of the public key distribution system of the present invention will be described.

First, at the center, a parameter A = (3, 4, −1, 0,
0,0,0,0,0,0,0,1, -1) and GF
(17) Double vector Q = ((0, 1), (1,
8), (2, 0)) are made public (step 151). Since the curve defined by parameter A has a genus of 3,
In this embodiment, in the conventional DH key distribution method, 17 ³ = 491
It is as secure as using a prime number of size three.

Next, a double vector is calculated and delivered at the user terminal (step 152). That is, the user terminals U and V make a double vector parameter request to the center by the double vector parameter request transmission unit 71, and make the double vector Q and the parameter publicized by the double vector parameter reception unit. Get A.
The user terminal U uses the integer generating means 73 to set the integer nU = 3.
Is randomly selected and kept secret, and the user terminal V
In addition, the user terminal U randomly selects an integer nV = 5 and holds it secretly, and the user terminal U inputs its own secret information nU and the double vector Q and the parameter A, which are public information, to the double vector integer multiplying unit 74, The output double vector QU =
((0, 1), (α1, 12 + 3α1), (α2, 12
+ 3α2)) is sent to the user terminal V by the QU output means 75. Here, α1 and α2 are irreducible quadratic expressions x ² + 6x
+6 solution. Similarly, the user terminal V also inputs its own secret information nV and public information, that is, the double vector Q and the parameter A, to the double vector integer multiple device, and outputs the output double vector QV = ((γ1, 13 + 2γ1). + 5γ
^{1 2), (γ2, 13} + 2γ2 + 5γ2 2), (γ3, 13
+ 2γ3 + 5γ3 ²⁾⁾ a letter to the user terminal U. here,
γ1, γ 2, γ 3 are approximately cubic equation already x ³ + 8x ² + 7x
+9 solution.

Next, a shared key is generated (step 15).
3). That is, the user terminal U receives the double vector QV sent from the user terminal V by the QV receiving means,
The double vector QV, the integer nU of its own secret information held in the integer generating means, and the parameter A, which is public information held in the double vector parameter receiving means, are multiplied by a double vector integer multiplier. 74, and the output double vector K = ((11, 11), (10, 1)
1), (2, 0)) as the shared key K and store it in the secret key storage means. Similarly, the user terminal V also inputs the double vector QU sent from the user terminal U, the integer nV that is secret information of itself, and the parameter A that is public information to the double vector integer multiplication device, and outputs it. Double vector K = ((1
(1, 11), (10, 11), (2, 0)) with the shared key K
And

Lastly, the user terminal U and the user terminal V perform secret communication by the secret communication means 78 using the shared key K.

The public information Q and A are, for example, as shown in FIG.
, There is a form in which the information is managed by a reliable third party center.

[Ergamal Cryptographic System] An embodiment of the ElGamal cryptographic system of the present invention will be described. FIG. 16 shows an embodiment of an ElGamal-type encryption system using the double vector integer multiple device of the present invention. FIG.
FIG. 7 shows an embodiment of the center of the El Gamal cryptosystem shown in FIG. FIG. 18 shows an embodiment of a user terminal of the ElGamal-type encryption system shown in FIG. Further, FIG.
FIG. 4 shows the contents of the procedure of the ElGamal cryptosystem using the double vector integer multiple device of the present invention. The operation of the El Gamar type cryptosystem according to the present invention will be described with reference to FIGS.

The ElGamal cryptosystem of the present invention comprises a center and a plurality of user terminals (sender terminal and receiver terminal) as shown in FIG. 16, and executes the procedure shown in FIG.

In the El Gamar type encryption system of the present invention,
First, the center notifies the parameters A and the double vector Q defining one curve to all user terminals in advance (step 191).

Each user terminal U arbitrarily selects an integer nU and keeps it secret (step 192). Further, each user terminal U inputs an integer nU, which is its own secret information, a double vector Q, which is public information, and a parameter A to a double vector integer multiplying device, and a double vector QU = nU.Q
Is calculated (step 193), and this is notified to each user as a public key (step 194).

The transmitting user terminal U uses the double vector integer multiplying device based on the arbitrarily selected integer nU and the public key QV of the transmitting destination user terminal V to transmit the transmitted message according to the rules. Encrypt (step 195).

The user terminal V that has received the ciphertext decrypts the received text according to the agreement using the double vector integer multiplication device based on the secretly held integer nV (step 136).

Next, an embodiment of the center and the user terminal of the El Gamal cryptosystem of the present invention will be described.

As shown in FIG. 17, the center comprises a double vector / parameter / public key request receiving means, a double vector / parameter / public key public means, and a public key receiving means. The public key receiving means receives a public key published from each user terminal. Double vector parameter
When the request for the double vector Q, parameter A, and public key QU is received from the user terminal by the public key request receiving means, the double vector Q, parameter A, Public key QU
Is disclosed to the user terminal that requested it.

FIG. 18 shows an embodiment of the user terminal.
The user terminal includes a double vector / parameter / public key request transmitting unit, a double vector / parameter / public key receiving unit, an integer generating unit, a double vector integer multiple unit, a public key transmitting unit, It comprises a generator, ciphertext C1 transmitting means, ciphertext C2 transmitting means, decrypting means, ciphertext C1 receiving means, and ciphertext C2 receiving means.

The double vector / parameter / public key request transmitting means requests the double vector Q, the parameter A and the public key QV of another user terminal which are made public to the center.

The double vector / parameter / public key receiving means receives the double vector Q, publicized from the center by the request of the double vector / parameter / public key request transmitting means.
The parameter A and the public key QV are received, held, and output to the double vector integer multiple device.

The integer generating means randomly selects the integer nU and keeps it secret, and outputs nU to the double vector integer multiplying device.

The double vector integer multiplying device inputs the double vector Q and parameter A published by the center from the double vector / parameter / public key receiving means, inputs the integer nU from the integer generating means, A double vector QU obtained by multiplying the vector Q by nU is calculated and output to the public key transmitting means.

The public key transmitting means transmits the QU to the center in order to make it public as a public key.

The random number generation device generates a random number RU, keeps it secret, and outputs the random number RU to the double vector integer multiple device.

In the double vector integer multiplying device, the double vector Q and the parameter A held in the double vector / parameter / public key receiving means and the integer RU which is the secret information stored in the random number generating means are converted. Input, a double vector C1 is generated by multiplying the double vector Q by RU, and this is used as a ciphertext and stored in the ciphertext C1 storage means. Further, in the double vector integer multiple device, the public key QV of another user terminal held in the double vector / parameter / public key receiving means, the parameter A, and the R held in the random number generating means.
U is input, a double vector T1 obtained by multiplying the double vector QV by RU is calculated and output to the ciphertext C2 transmitting means.

The ciphertext C2 transmitting means uses the double vector T1
Is calculated, and the message M is added to the sum t1 of the first components of each set to generate a ciphertext C2.

Thereafter, the ciphertext C1 transmitting means and the ciphertext C2
The transmitting means transmits the ciphertext set (C1, C2) to another user terminal.

On the receiving user terminal side, the ciphertext pair (C1, C2) from the user terminal of the sender is received and held by the ciphertext C1 receiving means and the ciphertext C2 receiving means.

The double vector integer multiplying device is the ciphertext C1 transmitted from the transmitting user terminal held in the ciphertext C1 receiving means, and its own secret information held in the integer generating means. The integer nv and the parameter A held in the double vector / parameter / public key receiving means are input, a double vector T2 obtained by multiplying the double vector C1 by nv is calculated and output to the decrypting means.

In the decrypting means, the ciphertext C2 transmitted from the transmitting user terminal held in the ciphertext C2 receiving means is transmitted.
2 and the double vector T2 calculated by the double vector integer multiplying device are input, the sum t2 of the first components of each set included in the double vector T2 is calculated, and t2 is subtracted from the ciphertext C2. The message M is decrypted.

Next, an embodiment of the ElGamal-type encryption system according to the present invention will be described.

First, at the center, a parameter A = (3,4, -1,0,0) defining a curve on GF (17)
0,0,0,0,0,0,0,1, -1) and GF
(17) Double vector Q = ((0, 1), (1,
8), (2, 0)) are made public (step 191). Since the curve defined by parameter A has a genus of 3,
In this embodiment, 17 ³ = 491 in the conventional El Gamal cipher.
It has the same level of security as using a prime number of about three in size.

Next, each user terminal selects an integer as a secret key (step 192). That is, for example, the user terminal U randomly selects the integer nU = 3 by the integer generating means and keeps it secret, and the user terminal V also uses the integer n
V = 5 is randomly selected and kept secret.

Next, a public key is calculated at each user terminal (step 193). That is, for example, in the user terminal U, the double vector / parameter / public key request transmission unit requests the center for the double vector Q and the parameter A, and the user terminal U discloses the double vector / parameter / public key reception unit. Double vector Q and parameter A
Get. Then, an integer nU of its own secret information and a double vector Q and a parameter A of public information are input to the double vector integer multiplying device, and the output double vector Q is output.
U = ((0, 1), (α1, 12 + 3α1), (α2,
12 + 3α2)) is the public key. Here, α1, α2
Is the root of the irreducible quadratic equation x ² + 6x + 6. Similarly,
The user terminal V also inputs its own secret information, the integer nV, and its public information, the double vector Q and the parameter A, to the double vector integer multiplying device of claim 3, and outputs the output double vector QV = ( (γ1, 13 + 2γ1 + 5γ1 2),
(Γ2, 13 + 2γ2 + 5γ2 2), (γ3, 13 + 2γ
3 + 5γ3 ² )) is the public key. Here, γ1, γ2
, Γ 3 are the roots of the irreducible cubic expression x ³ + 8x ² + 7x + 9.

Next, each user terminal publishes its own public key (step 194). For example, the user terminal U and the user terminal V have a public key QU and a public key QV, respectively.
Is transmitted from the public key transmitting means to the center.

Next, the sender encrypts the message and sends it to the receiver (step 195). For example, in order for the user terminal U to encrypt and send the message M = 11 to the user terminal V,
Perform as follows.

First, the user terminal U generates and holds a random number RU = 8 by the random number generating means. Next, the user terminal U
Is the random number RU known only to the user held in the random number generating means, the double vector Q, the parameter A and the double vector Q held in the public key receiving means.
Is input to the double vector integer multiple device, and the output double vector C1 = ((3,10), (ε1,9 + 3ε1),
(Ε2, 9 + 3ε2)) is stored as ciphertext C1 in the ciphertext C1 transmitting means. Here, ε1 and ε2 are the roots of the irreducible quadratic equation x ² + 7x + 2.

Further, the user terminal U has a double vector
The public key of the user terminal V is requested from the center by the parameter / public key request transmitting means, and the public key QV is obtained by the double vector / parameter / public key receiving means. Then, RU, which is the secret information of the self held in the random number generation means,
And the public key QV of the user terminal V and the parameter A, which are the public information held in the double vector / parameter / public key receiving means, are input to the double vector integer multiple device.
The weight vector T1 is calculated.

In the ciphertext C2 transmitting means, the double vector T1 = ((δ1
^{, 4 + 3δ1 + 14δ1 2)} , (δ2, 4 + 3δ2 +1
^{4δ2 2), (δ3, 4} + 3δ3 + 14δ3 2)) ( wherein, .delta.1, [delta] 2, [delta] 3 is irreducible cubic equation x ³ + 7x ²
+7 root. )), The sum t of the first components of each set
1 = δ1 + δ2 + δ3 = 10, and the message M
And the ciphertext C2 = M + t1 = 11 + 10 = 4 (m
od 17).

Then, the ciphertext pair (C1, C2) is transmitted to the user terminal V.

Finally, the receiver decrypts the message (step 196). That is, the user terminal V uses the ciphertext C1
Receiving means, ciphertext C2 Receiving means receives and holds the ciphertexts C1, C2 transmitted from the user terminal U. Then, the ciphertext C1 held in the ciphertext C1 receiving means, the secret key nV as its own secret information held in the integer generating means, and the public information held in the double vector / parameter / public key receiving means. Is input to the double vector integer multiple device, and the double vector T2 is calculated.

In the decoding means, a double vector integer multiple unit is used.
Double vector T2 = ((δ1, 4 + 3δ)
1 + 14δ1^Two), (Δ2, 4 + 3δ2 + 14δ2)^Two),
(Δ3,4 + 3δ3 + 14δ3^Two)) (Where δ1, δ
2 and δ 3 are irreducible cubic expressions x ^Three + 7x^Two At the root of +7
You. )), The sum t2 of the first components of each set included in the set t2 = δ1 + δ
2 + δ3 = 10, and t2 is calculated from the received ciphertext C2.
, The message M = C2 -t2 = 4-10 = 11
(Mod 17) is decoded.

The public information Q, A, QU and QV may be managed by a reliable third party center as shown in FIG. 16, for example.

[Elgamal Signature System] The Elgammal signature system of the present invention will be described. FIG. 20 shows an embodiment of an ElGamal signature system using the double vector integer multiple device of the present invention. FIG. 21 shows an embodiment of the center of the ElGamal signature system of FIG.
FIG. 22 shows an embodiment of the prover terminal of the ElGamal signature system of FIG. FIG. 23 shows an embodiment of a verifier terminal of the ElGamal type signature system of FIG. FIG.
The contents of the procedure of the ElGamal signature using the double vector integer multiple device of the present invention are shown below. The operation of the ElGamal signature system of the present invention will be described with reference to FIGS.

The ElGamal type signature system of the present invention comprises a center, a prover terminal and a verifier terminal as shown in FIG. 20, and executes the procedure shown in FIG.

In the El Gamar type signature system of the present invention,
First, the center notifies the parameter A and the double vector Q defining one curve to all users in advance (step 241).

Then, the prover terminal U arbitrarily selects an integer nU as a signature key and keeps it secret (step 242).
Further, the prover terminal U has a signature key n which is its own secret information.
U and double vector Q and parameter A which are public information
Is input to the double vector integer multiple device, and the output double vector QU = nU · Q is made public as a verification key (step 243).

After that, the prover terminal U generates a signature sentence for the message m based on the arbitrarily selected integer and the signature key nU by using a double vector integer multiplying device according to the agreement. The message is sent to the verifier terminal V together with the message m (steps 244 and 245).

The verifier terminal V verifies the communication message m based on the signature and the verification key QU of the prover terminal U by using a double vector integer multiple according to the agreement (step 246).

Next, an embodiment of a center, a signer terminal, and a verifier terminal of the El Gamal signature system of the present invention will be described.

As shown in FIG. 21, the center comprises a double vector / parameter / verification key request receiving unit, a double vector / parameter / verification key public unit, and a verification key receiving unit. The verification key receiving means receives the public key published from the verifier terminal. When the request for the double vector Q, the parameter A, and the verification key QU is received from the prover terminal or the verifier terminal by the double vector / parameter / verification key request receiving unit, the request is held by the double vector / parameter / verification key public unit. The disclosed double vector Q, parameter A, and verification key QU are disclosed to the requesting terminal.

FIG. 22 shows an embodiment of the prover terminal.
The prover terminal includes a double vector parameter request transmitting unit, a double vector parameter receiving unit, an integer generating unit, a double vector integer multiple unit, a verification key transmitting unit,
It comprises a random number generation device, a signature text R transmission means, a signature text S transmission means, and a communication text M transmission means.

The double vector / parameter request transmitting means requests the double vector Q and the parameter A which are disclosed to the center.

The double vector / parameter receiving means includes:
The double vector / parameter A received from the center upon receipt of the request from the double vector / parameter request transmitting means is received, held, and output to the double vector integer multiple unit.

The integer generating means randomly selects an integer nU and keeps it secretly as a signature key, and outputs the signature key nU to the double vector integer multiple device.

The double vector integer multiplying device is provided by the center by the double vector parameter receiving means.
The double vector Q and the parameter A are input, the signature key nU is input from the integer generation means, and the double vector Q is multiplied by nU to obtain 2
The duplicate vector QU is calculated and output to the verification key transmitting means.

The verification key transmitting means transmits the QU to the center for disclosure as a verification key.

The random number generation device generates a random number k, keeps it secret, and outputs the random number k to the double vector integer multiple device.

The double vector integer multiplying device inputs the double vector Q and the parameter A held in the double vector / parameter receiving means and the integer k which is secret information stored in the random number generating means, A double vector R obtained by multiplying the double vector Q by k is created, and this is used as a signature sentence, which is output to the signature sentence R transmitting means and the signature sentence S transmitting means and stored therein. In the signature key S transmitting means, k · Q = R from the double vector integer multiplying device, the random number k from the random number generating device, nU from the integer generating means, and the message M from the message M transmitting means. , S = (M−nU · x (R)) k ⁻¹ mod
O (Q) is calculated, and S, which is the calculation result, is used as the second signature sentence. Here, x (R) is the sum of the first components of each set included in the double vector R, and O (Q) is the order of the double vector Q.

The message M transmitting means holds the message M,
Output to the signature sentence S transmitting means.

Finally, the signature texts R, S and the communication text M are transmitted to the verifier terminal from the signature text R transmission means, the signature text S transmission means, and the communication text M transmission means, respectively.

FIG. 23 shows an embodiment of the verifier terminal.
The verifier terminal includes a double vector / parameter / verification key request transmitting unit, a double vector / parameter / verification key receiving unit, a double vector integer multiple unit, a double vector adding unit, and a signature text R receiving unit. Signature message S receiving means, message M receiving means, T1 storage means, T2 storage means,
It comprises three storage means, T4 storage means, and verification means.

The double vector / parameter / verification key request transmitting means requests the double vector Q, parameter A, and verification key which are made public to the center.

The double vector / parameter / verification key receiving unit receives the double vector Q,
The parameter A and the verification key QU are received, held, and output to the double vector integer multiple device.

The double vector integer multiple device inputs the double vector Q and the parameter A published by the center from the double vector / parameter / verification key receiving means, and inputs the message M from the message M receiving means. , M · Q, and outputs the double vector T1 as a calculation result to the T1 storage means for storage.

Further, the double vector integer multiple device inputs the sum x (R) of the first components of each set included in the received double vector R from the signature statement R receiving means, and
Input the verification key QU and parameter A published by the center from the parameter / verification key receiving means, and enter x (R) · Q
U is calculated, and the double vector T2, which is the calculation result, is output to the T2 storage means and stored.

The double vector integer multiple device converts the received double vector R from the signature statement R
The signature sentence S received from the receiving means is input to the parameter A published by the center from the double vector / parameter / verification key receiving means, SR is calculated, and the calculated double vector T3 is stored in T3. Output to means and store.

The double vector addition device inputs the double vectors T2 and T3 from the T2 storage device and the T3 storage device,
The parameter A is input from the double vector / parameter / verification key receiving means, T2 + T3 is calculated, and the calculated double vector T4 is output to the T4 storage means for storage.

The verification means comprises a double vector T1 stored in the T1 storage means and a double vector T1 stored in the T4 storage means.
It is checked whether the overlap vectors T4 match, and the plaintext M authenticates whether the prover U has created it.

Next, an embodiment of the ElGamal signature system according to the present invention will be described.

First, a parameter A = (3,4, -1,0,0,0) which defines a curve on GF (17) at the center.
0,0,0,0,0,0,1, -1) and GF (1
7) Double vector Q = ((0,1), (1,8),
(2, 0)) is made public (step 241). Since the curve defined by the parameter A has a genus of 3, the present embodiment has the same level of security as the conventional ElGamal signature using a prime number of about 173 = 4913.

Next, the prover selects an integer as a signature key (step 242). For example, the prover terminal U randomly selects an integer nU = 3 as a signature key by means of an integer generating means and secretly stores the integer nU = 3 as a signature key.

Next, the prover calculates a verification key and makes it public (step 243). For example, the prover terminal U requests the center for a double vector and a parameter by a double vector / parameter request transmitting unit, and transmits the double vector Q and the parameter A disclosed by the double vector / parameter receiving unit to the center. obtain. The prover terminal U sends nU, which is its own secret information, from the integer generating means to a double vector
Double vector Q that is public information from parameter receiving means
And the parameter A are input to the double vector integer multiplication apparatus, and the output double vector QU = ((0, 1), (α
1, 12 + 3α1) and (α2, 12 + 3α2)) are used as verification keys and stored in the verification key transmitting means. Where α1, α
2 is the root of the irreducible quadratic expression x ² + 6x + 6. The verification key transmitting means transmits the verification key QU to the center and makes it public.

Next, the prover terminal U generates a signature including two sets of signature texts R and S for the communication text M (step 244). For example, when the prover terminal U generates the signature texts R and S with the communication text M = 11, the following is performed.

First, the prover terminal U generates a random number k = 7 by the random number generating means. Next, the prover terminal U inputs k, which is secret information of itself, from the random number generation means, and the double vector Q and parameter A, which are public information, from the double vector / parameter receiving means to the double vector integer multiplying device. Then, k · Q is calculated, and a double vector R =
((3,7), (ε1, 9 + 3ε1), (ε2, 9 + 3
ε2)) is a signature text R, and the signature text R transmitting means and the signature text S
Output to transmitting means. Here, ε1 and ε2 are irreducible 2
It is the root of the following equation x ² + 7x + 2.

Further, the prover terminal U sends kQ = R from the double vector integer multiple device to the signature sentence S transmitting means,
A random number k is input from the random number generator, nU is input from the integer generating means, a message M is input from the message M transmitting means, and S =
(M−nU · x (R)) k ⁻¹ mod O (Q) is calculated, and S, which is the calculation result, is used as the second signature sentence. Here, x (R) is the sum of the first components of each set included in the double vector R, and O (Q) is the order of the double vector Q. In this embodiment, x (R) = 1 + ε1 + ε2 = 1 +
(−9) = 9 (mod 17) and O (Q) = 30
6, S = (11−3 × 9) 7 ⁻¹ mod 306
= −16 × 175 mod 306 = 260 (mod
306).

Next, the prover terminal U transmits the signature texts R, S and the communication text M to the verifier terminal V from the signature text R transmission means, the signature text S transmission means, and the communication text M transmission means (step). 245).

Finally, the verifier terminal V is calculated by the equation M · Q = x
It is verified whether (R) .QU + SR is satisfied (step 246).

That is, the verifier terminal V is a double vector. The parameter / verification key request transmission unit requests the center for the double vector Q and the parameter A, and the double vector / parameter / verification key reception unit obtains the double vector Q and the parameter A. The message M received by the message M receiving means and the double vector Q and the parameter A which are public information from the double vector / parameter / verification key receiving means are input to the double vector integer multiple device, and M · Q is inputted. Is calculated, and the double vector T1 = ((η1, 13
^{+ 15η1 + 13η1 2), (} η2, 13 + 15η2 +1
3η2 ² ) and (η3, 13 + 15η3 + 13η3 ² )) are obtained and stored in the T1 storage means. Here, η1, η2, η
3 is the root of the irreducible cubic expression x ³ + 8x + 1.

The verifier terminal V is a double vector.
The verification key of the prover terminal U is requested to the center by the parameter / verification key request transmitting means, and the verification key QU is obtained by the double vector / parameter / verification key receiving means. The sum x (R) of the first components of each set included in the double vector R received from the signature sentence R receiving means x (R) = 9, and the prover U which is public information from the double vector / parameter / verification key receiving means.
Is input to the double vector integer multiplying device, and x (R) .multidot.QU is calculated. The calculated double vector T2 = ((2,0), (.theta.1,4 + 16)
θ1), (θ2, 4 + 16θ2), (θ3, 4 + 16θ3)
)) (Where θ1, θ2, and θ3 are irreducible 2
Stores the following formula x ² + solutions of 7x + 2) T2 storage means.

Further, the signature statement S receiving means and the signature statement R
Signature text S and signature text R respectively received from the receiving means
And the parameter A, which is public information, from the double vector / parameter / verification key receiving means is input to the double vector integer multiple unit, and SR is calculated, and the double vector T3 = ((ι1, 12 + 6ι1 + 15ι1 ² ), (ι2,
12 + 6ι2 + 15ι22 ² ), (ι3,12 + 6ι3 + 1
5ι3 ²⁾⁾ obtained (here, ι1, ι 2, ι 3 is the solution of about a cubic equation already ^{x 3 + 10x 2 + 15x +} 12) is stored in the T3 storage means.

Further, the double vector T2 and the double vector T3 are stored in the T2 storage means and the T3 storage means, respectively.
And the parameter A, which is public information, from the double vector / parameter / verification key receiving means is input to the double vector adding device, and T1 + T2 is calculated. The calculated double vector T4 = ((η1, 13 + 15η1 + 13η1) ² ), (η
2, 13 + 15η2 + 13η22 ² ), (η3,13 + 15
η3 + 13η3 ² )) is obtained and stored in the T4 storage means.

The verifier terminal V has T1 storage means and T4
The double vector T1 and the double vector T4 are input from the storage unit to the verification unit, and it is confirmed that the double vector T1 and the double vector T4 match, and the message M is created by the prover terminal U. And authenticate.

The public information Q, A, and QU are, for example,
As shown in FIG. 20, there is a form in which the information is managed by a reliable third party center.

The embodiments of the public key cryptosystem, the Elgamal type cryptosystem, and the Elgamal type signature system using the double vector addition device, the double vector integer multiplication device, and the double vector integer multiplication device have been described above. ,
Lastly, a recording which records a program for realizing a public key cryptosystem, an ElGamal cryptosystem, and an ElGamal signature system using the double vector addition device, the double vector integer multiplication device, and the double vector integer multiplication device of the present invention. An embodiment of a medium will be described.

A program for realizing a public key cryptosystem, an ElGamal cryptosystem, and an ElGamal signature system using the double vector adder, the double vector integer multiplier, and the double vector integer multiplier of the present invention is recorded. The recorded recording medium is programmed by a computer-readable program language to execute the functions of the above-described device or system, and the program is stored in a CD-ROM or FD.
It can be realized by recording on a recording medium such as.

The recording medium may be storage means such as a hard disk provided in a server device or the like. Further, the computer program is recorded in the storage means, and the computer program is read via a network. It is also possible to realize a recording medium.

[0203]

As described above, according to the present invention, the operation of a double vector can be performed, and further, in various techniques belonging to the public key cryptosystem for exchanging secret information in a public communication network, about Although it was necessary to use a large prime number p as large as 300 digits, according to the public key distribution method using the double vector operation device of the present invention, a smaller prime number can be used (for example, a curve having a genus of 3 can be used). (Approximately 100 digits when used), which is advantageous in that various techniques belonging to a public key cryptosystem having cryptographically sufficient strength can be realized with a smaller device.

[Brief description of the drawings]

FIG. 1 is a diagram showing an embodiment of a double vector adding apparatus according to the present invention.

FIG. 2 is a diagram showing an embodiment of a double vector adding apparatus according to the present invention.

FIG. 3 is a diagram showing an embodiment of a point set conversion device of the double vector addition device of the present invention.

FIG. 4 is a diagram showing an embodiment of a point set conversion device of the double vector addition device of the present invention.

FIG. 5 is a diagram showing a data format of a parameter representing a curve.

FIG. 6 is a flowchart showing a calculation process performed by the common curve calculation device.

FIG. 7 is a flowchart showing an operation process performed by the intersection set operation device.

FIG. 8 is a diagram showing an embodiment of a double vector doubling device of the present invention.

FIG. 9 is a diagram showing an embodiment of a double vector doubling device of the present invention.

FIG. 10 is a diagram showing an embodiment of a double vector integer multiple device of the present invention.

FIG. 11 is a diagram showing a processing flow of the double vector integer multiple device of the present invention.

FIG. 12 is a diagram showing an embodiment of a public key distribution system of the present invention.

FIG. 13 is a diagram showing an embodiment of a center of the public key distribution system of the present invention.

FIG. 14 is a diagram showing an embodiment of a user terminal of the public key distribution system of the present invention.

FIG. 15 is a diagram showing a processing flow of the public key distribution system of the present invention.

FIG. 16 is a diagram showing an embodiment of an El Gamar type encryption system of the present invention.

FIG. 17 is a diagram showing an embodiment of the center of the El Gamal cryptosystem of the present invention.

FIG. 18 is a diagram showing an embodiment of a user terminal of the ElGamal cryptosystem of the present invention.

FIG. 19 is a diagram showing a flow of processing of the El Gamal cryptosystem of the present invention.

FIG. 20 is a diagram showing an embodiment of an ElGamal signature system of the present invention.

FIG. 21 is a diagram showing an embodiment of the center of the El Gamal signature system of the present invention.

FIG. 22 is a diagram showing an embodiment of a prover terminal of the El Gamal signature system of the present invention.

FIG. 23 is a diagram showing an embodiment of a verifier terminal of the El Gamar type signature system of the present invention.

FIG. 24 is a diagram showing a processing flow of the El Gamar type signature system of the present invention.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 11 Union set calculation device 12 Point set conversion device 13 Memory 14 Input device 15 Output device 16 Central processing unit 21 Common curve calculation device 22 Intersection set calculation device 23 Difference set calculation device 24 Memory 25 Input device 26 Output device 31 Double vector addition Device 32 Memory 33 Input device 34 Output device 35 Central processing unit 41 Double vector addition device 42 Double vector doubling device 43 Memory 44 Input device 45 Output device 46 Central processing device

Claims (9)

[Claims] 1. A parameter A for defining one curve and a double vector Q obtained by arranging a plurality of two original sets of a predetermined finite field are notified to all members in advance. nu is randomly selected and held secretly, the user terminal V randomly selects an integer nv and held secretly, and the user terminal U has the integer nU which is secret information of itself and the double which is public information. Vector Q and parameter A
And transmits the double vector QU (QU = nU · Q) obtained by multiplying the double vector Q by nU to the user terminal V. The user terminal V transmits the integer nV and the public information The double vector Q and the parameter A
, The double vector Q is multiplied by nV, and the double vector QV = nV · Q is transmitted to the user terminal U. The user terminal U receives the double vector QV sent from the user terminal V and The shared key K is a double vector K (K = nU · QV = nU · nV · Q) obtained by multiplying QV by nU using the integer nU as the secret information and the parameter A as the public information. The terminal V uses the double vector QU sent from the user terminal U, the integer nV, which is its own secret information, and the parameter A, which is public information, to multiply QU by nU to obtain a double vector K (K = A public key distribution system, wherein nV.QU = nV.nU.Q) is used as a shared key K. 2. A public key distribution system comprising a center and a plurality of user terminals, wherein the center is obtained by arranging a plurality of two sets of a parameter A defining one curve and a predetermined finite field. A double vector / parameter request receiving means for receiving a request for the double vector Q; and a double vector / parameter disclosure means for publishing the double vector Q and the parameter A to the user terminal which has made the request. A second terminal, a double vector parameter request transmitting unit, a double vector parameter receiving unit, an integer generating unit, a double vector integer multiple unit, a QU output unit, a QV receiving unit,
The double vector / parameter request transmitting means requests a double vector Q and a parameter A disclosed to a center; and the double vector / parameter receiving means comprises a secret key storing means and a secret communication means. , The double vector Q and the parameter A disclosed by the center at the request of the double vector parameter request transmitting means.
Receiving, holding, and outputting the integer nU to the double vector integer multiplying device. The integer generating means randomly selects an integer nU and holds it secretly, and outputs the integer nU to the double vector integer multiplying device. The double vector integer multiplying device is configured to transmit the double vector parameter disclosed by the center from the double vector parameter receiving means.
The double vector Q and the parameter A are input, the integer nU is input from the integer generating means, and the double vector Q is input.
Is multiplied by nU to calculate and output a double vector QU. The QU output means transmits the double vector QU calculated by the double vector integer multiple device to another user terminal, The QV receiving means transmits the 2
Receiving the double vector QV and outputting it to a double vector integer multiple unit, wherein the double vector integer multiple unit is stored in the double vector QV transmitted from the other user terminal and the integer generating means. The integer nU that is secret information
The parameter A held in the double vector parameter receiving means is input, a double vector K is created by multiplying the double vector QV by nU, and output to the secret key storage means. Storing the double vector K calculated by the double vector integer multiple device as a secret key. 3. A computer-readable recording medium storing a program for realizing a public key distribution system comprising a center and a plurality of user terminals, comprising: a computer forming the center; a parameter defining one curve; A double vector / parameter request receiving means for receiving a request for a double vector Q obtained by arranging a plurality of two original sets of A and a predetermined finite field, and requesting a double vector Q and a parameter A A program for functioning as a double vector parameter publishing unit to be disclosed to the user terminal; and a computer constituting the user terminal, a double vector parameter request transmitting unit, a double vector parameter receiving unit, Integer generating means, double vector integer multiplying device, QU output means, QV receiving means ,
Secret key storage means and a program for functioning as secret communication means, wherein said double vector parameter request transmission means requests a double vector Q and a parameter A disclosed to a center; The parameter receiving means comprises the double vector Q and the parameter A, which are made public by the center at the request of the double vector parameter request transmitting means.
Receiving, holding, and outputting the integer nU to the double vector integer multiplying device. The integer generating means randomly selects an integer nU and holds it secretly, and outputs the integer nU to the double vector integer multiplying device. The double vector integer multiplying device is configured to transmit the double vector parameter disclosed by the center from the double vector parameter receiving means.
The double vector Q and the parameter A are input, the integer nU is input from the integer generating means, and the double vector Q is input.
Is multiplied by nU to calculate and output a double vector QU. The QU output means transmits the double vector QU calculated by the double vector integer multiple device to another user terminal, The QV receiving means transmits the 2
Receiving the double vector QV and outputting it to a double vector integer multiple unit, wherein the double vector integer multiple unit is stored in the double vector QV transmitted from the other user terminal and the integer generating means. The integer nU that is secret information
The parameter A held in the double vector parameter receiving means is input, a double vector K is created by multiplying the double vector QV by nU, and output to the secret key storage means. Storing a double vector K calculated by the double vector integer multiplication device as a secret key, wherein the computer is readable by a computer storing a program for realizing a public key distribution system. Recording medium. 4. A method for informing all users in advance of a parameter A for defining one curve and a double vector Q obtained by arranging a plurality of two sets of two elements of a predetermined finite field. Arbitrarily selects an integer nU and keeps it secret. Each user terminal U converts the double vector Q into nU using an integer nU of its own secret information, a double vector Q of public information, and a parameter A. Double vector QUA (Q
U = nU.Q) as a public key to each user, and the transmitting user terminal U transmits a message using the arbitrarily selected integer nU and the public key QV of the destination user terminal V. Wherein the user terminal V that has received the encrypted transmission text decrypts the reception text using an integer nV that the user terminal V secretly holds. 5. An ElGamal cryptosystem comprising a center and a plurality of user terminals, wherein the center comprises: a public key receiving means for receiving a public key published from each user terminal; A, a double vector / parameter / public key request receiving means for receiving a request for a public key and a double vector Q obtained by arranging a plurality of two original sets of a predetermined finite field; When the request for the double vector Q, parameter A, and public key QU is received from the user terminal by the vector / parameter / public key request receiving means, the user terminal that has requested the double vector Q, parameter A, and public key KU A public vector requesting means for publishing the double vector / parameter / public key request to the user terminal. A double vector / parameter / public key receiving means, an integer generating means, a double vector integer multiple device, a public key transmitting means, a random number generating apparatus, a ciphertext C1 transmitting means, and a ciphertext C2 transmitting means. And decryption means, ciphertext C
1 receiving means, ciphertext C2 receiving means, and at the user terminal on the transmitting side, said double vector / parameter / public key request transmitting means comprises: a double vector Q A: The public key QV of another user terminal is requested, and the double vector / parameter / public key receiving means requests the public key QV from the center upon request of the double vector / parameter / public key request transmitting means. Weight vector Q,
The parameter A and the public key QV are received and held, and output to the double vector integer multiplying device. The integer generating means randomly selects and holds the integer nU secretly, and stores the integer nU in the double vector integer multiplying device. The double vector integer multiplying device inputs the double vector Q and the parameter A published by the center from the double vector / parameter / public key receiving means, and outputs the integer nU from the integer generating means. And input the double vector Q to n
U calculates a double vector QU and outputs it to the public key transmitting means. The public key transmitting means sends the double vector QU to the center to publish it as a public key. And keep it secret
The random number RU is output to the double vector integer multiplying device, and the double vector integer multiplying device outputs the random number RU.
A double vector obtained by inputting the double vector Q held in the parameter / public key receiving means, the parameter A, and the integer RU as secret information stored in the random number generating means, and multiplying the double vector Q by RU. A public key QV of another user terminal and a parameter A, which are prepared in the ciphertext C1 storage means, are stored in the ciphertext C1 storage means, and are stored in the double vector / parameter / public key receiving means. The random number RU held in the random number generating means is inputted, a double vector T1 is obtained by multiplying the double vector QV by RU, and a ciphertext C2 is obtained.
The ciphertext C2 is output to the transmitting means, and the transmitting means calculates the sum t1 of the first components of each set included in the double vector T1, and calculates
To generate a ciphertext C2 by using the ciphertext C1 transmitting means and the ciphertext C2 transmitting means to transmit a ciphertext set (C1, C2) to another user terminal. The ciphertext set (C1, C2) from the user terminal of the sender is transmitted by the ciphertext C1 receiving means and the ciphertext C2 receiving means.
The double vector integer multiplying device is stored in the integer generating means and the ciphertext C1 transmitted from the transmitting user terminal held in the ciphertext C1 receiving means. An integer nv as its own secret information and the parameter A held in the double vector / parameter / public key receiving means are inputted, and a double vector T obtained by multiplying the double vector C1 by nv.
2 and outputs it to the decryption means. In the decryption means, the ciphertext C2 transmitted from the transmitting-side user terminal held in the ciphertext C2 receiving means is calculated.
And the double vector T2 calculated by the double vector integer multiplication device is input, the sum t2 of the first components of each set included in the double vector T2 is calculated, and t2 is subtracted from the ciphertext C2. An ElGamal-type encryption device for decrypting a communication message M. 6. A computer-readable recording medium storing a program for realizing an ElGamal-type encryption system comprising a center and a plurality of user terminals, wherein the computer constituting the center is disclosed from each user terminal. Public key receiving means for receiving the generated public key, a parameter A defining one curve from the user terminal, a double vector Q obtained by arranging a plurality of two original sets of a predetermined finite field, and a public key And a request for a double vector Q, a parameter A, and a public key QU are received from the user terminal by the double vector, parameter, and public key request receiving means. And the double vector Q, the parameter A, and the public key QUA to the user terminal that has made the request. And program for functioning as a meter public key announcement means, a computer constituting the user terminal, and the double vector parameter public key request transmitting means, 2
Double vector / parameter / public key receiving means, integer generating means, double vector integer multiple device, public key transmitting means, random number generating apparatus, ciphertext C1 transmitting means, ciphertext C
(2) a program for causing a transmitting means, a decrypting means, a ciphertext C1 receiving means, and a ciphertext C2 receiving means to function, wherein the transmitting-side user terminal comprises: Requesting a double vector Q, a parameter A, and a public key QV of another user terminal, which have been disclosed to the center, and the double vector / parameter / public key receiving means includes the double vector / parameter / public key A double vector Q released from the center at the request of the request transmitting means,
The parameter A and the public key QV are received and held, and output to the double vector integer multiplying device. The integer generating means randomly selects and holds the integer nU secretly, and stores the integer nU in the double vector integer multiplying device. The double vector integer multiplying device inputs the double vector Q and the parameter A published by the center from the double vector / parameter / public key receiving means, and outputs the integer nU from the integer generating means. And input the double vector Q to n
U calculates a double vector QU and outputs it to the public key transmitting means. The public key transmitting means sends the double vector QU to the center to publish it as a public key. And keep it secret
The random number RU is output to the double vector integer multiplying device, and the double vector integer multiplying device outputs the random number RU.
A double vector obtained by inputting the double vector Q held in the parameter / public key receiving means, the parameter A, and the integer RU as secret information stored in the random number generating means, and multiplying the double vector Q by RU. C1 is created, this is used as a ciphertext, stored in the ciphertext C1 storage means, and the public key QV and the parameter A of the other user terminal held in the double vector / parameter / public key receiving means. The random number RU held in the random number generating means is input, and a double vector T1 obtained by multiplying the double vector QV by RU is calculated, and the ciphertext C
2 to the transmitting means, and the ciphertext C2 transmitting means calculates the total sum t1 of the first components of each set included in the double vector T1, and
To generate a ciphertext C2 by using the ciphertext C1 transmitting means and the ciphertext C2 transmitting means to transmit a ciphertext set (C1, C2) to another user terminal. The ciphertext set (C1, C2) from the user terminal of the sender is transmitted by the ciphertext C1 receiving means and the ciphertext C2 receiving means.
The double vector integer multiplying device is stored in the integer generating means and the ciphertext C1 transmitted from the transmitting user terminal held in the ciphertext C1 receiving means. An integer nv as its own secret information and the parameter A held in the double vector / parameter / public key receiving means are inputted, and a double vector T obtained by multiplying the double vector C1 by nv.
2 and outputs it to the decryption means. In the decryption means, the ciphertext C2 transmitted from the transmitting-side user terminal held in the ciphertext C2 receiving means is calculated.
And the double vector T2 calculated by the double vector integer multiplication device is input, the sum t2 of the first components of each set included in the double vector T2 is calculated, and t2 is subtracted from the ciphertext C2. A computer-readable recording medium storing a program for realizing an ElGamal-type encryption system, wherein the program is recorded for decrypting a communication message M. 7. A user is informed in advance of a parameter A for defining one curve and a double vector Q obtained by arranging a plurality of two element sets of a predetermined finite field. The prover terminal U arbitrarily selects an integer nU as a signature key and keeps it secret. The prover terminal U uses the signature key nU, which is its own secret information, the double vector Q, which is public information, and the parameter A to generate a double vector Q Vector KU = nU obtained by multiplying nU by nU
Publish the Q as a verification key, and the prover terminal U generates a signature sentence for the message m based on the arbitrarily selected integer and the signature key nU, and sends it to the verifier terminal V together with the message m. The verifier terminal V sends the signature statement and the verification key Q of the prover terminal U.
An El Gamal signature system that verifies a message m based on U. 8. An ElGamal type signature system comprising a center, a plurality of prover terminals, and a verifier terminal, wherein the center comprises: a verification key receiving means for receiving a verification key published from the signer terminal; Alternatively, a double vector Q obtained by arranging a plurality of two sets of a predetermined finite field from the verifier terminal, a parameter A defining one curve, and a double vector parameter for receiving a request for a verification key QU. When a request for a double vector Q, a parameter A, and a signature key QU is received from the prover terminal or the verifier terminal by the verification key request receiving means and the double vector / parameter / verification key request receiving means,
A double vector / parameter / verification key publishing means for publishing the duplicate vector Q, the parameter A, and the verification key QU to the requesting terminal. Communication between a double vector parameter receiving unit, an integer generating unit, a double vector integer multiple unit, a verification key transmitting unit, a random number generating unit, a signature sentence R transmitting unit, a signature sentence S transmitting unit, The double vector / parameter request transmitting means requests a double vector Q and a parameter A published to the center, and the double vector / parameter receiving means comprises: Receives and holds the double vector Q and the parameter A released from the center at the request of the double vector parameter request transmitting means, and performs double vector integer multiplication. The integer generating means randomly selects an integer nU and keeps it secretly as a signature key, and outputs a signature key nU to a double vector integer multiplying device. 2 published by the center from the double vector parameter receiving means
A double vector Q and a parameter A are input, and the signature key nU is input from the integer generating means.
The calculated double vector QU is calculated and output to the verification key transmitting means. The verification key transmitting means sends the double vector QU to the center to publish it as a verification key. The random number k is generated and kept secret, and the random number k is output to the double vector integer multiplying device.
A double vector Q, a parameter A, and a random number k, which is secret information stored in the random number generation unit, are stored in the parameter receiving unit, and a double vector R is generated by multiplying the double vector Q by k. The sentence R is sent to the signature sentence R transmitting means and the signature sentence S transmitting means and stored therein. The message M transmitting means holds the message M and transmits the signature sentence S. The signature sentence S transmitting means inputs k · Q = R from the double vector integer multiplying device, the random number k from the random number generating device, and nU from the integer generating means, and outputs the communication message M A message M is input from the transmitting means, and S = (M-nU.x (R)) k-1
mod O (Q) (x (R) is the sum of the first components of each set included in the double vector R, and O (Q) is the order of the double vector Q), and is the calculation result. S is the signature sentence S
The signature text R transmission means, the signature text S transmission means, and the communication text M transmission means respectively transmit the signature texts R, S and the communication text M to the verifier terminal. Vector / parameter / verification key request transmission means, 2
Double vector / parameter / verification key receiving means, double vector integer multiple device, double vector adding device, signature text R
Receiving means, signature sentence S receiving means, message M receiving means, T1 storage means, T2 storage means, T3 storage means, T4 storage means, and verification means; The vector / parameter / verification key request transmitting unit requests a double vector Q, a parameter A, and a verification key published to the center, and the double vector / parameter / verification key receiving unit transmits the double vector / parameter Receiving the double vector Q, the parameter A, and the verification key QU released from the center in response to the request of the verification key request transmitting means, holding and outputting the same to the double vector integer multiplying device; Inputting the double vector Q and parameter A published by the center from the double vector / parameter / verification key receiving means, inputting the message M from the message M receiving means, Double vector Q is M
Multiply, calculate M · Q, and calculate a double vector T
1 is output to the T1 storage means and stored therein. The double vector integer multiple unit outputs the sum x (R) of the first components of each set included in the received double vector R from the signature sentence R receiving means. The verification key QU and the parameter A published by the center are input from the double vector / parameter / verification key receiving means, and x (R) · QU
And outputs the double vector T2, which is the calculation result, to the T2 storage means and stores the double vector T2 in the T2 storage means. The double vector integer multiple unit converts the double vector R received from the signature text R receiving means into the signature text S S / R is calculated by inputting the parameter A published by the center from the double vector / parameter / verification key receiving unit to the signature sentence S received from the receiving unit and multiplying the double vector R by S times. Then, the double vector T3, which is the calculation result, is output to and stored in the T3 storage means, and the double vector addition device includes the T2 storage device and the T2 storage device.
3 The double vectors T2 and T3 are input from the storage device, the parameter A is input from the double vector / parameter / verification key receiving means, T2 + T3 is calculated, and the calculated double vector T4 is stored in the T4 storage means. The verification means outputs the data stored in the T1 storage means.
It is determined whether or not the double vector T1 matches the double vector T4 stored in the T4 storage means.
Authenticates whether the prover terminal U has created the signature or not. 9. A computer-readable recording medium on which a program for realizing an ElGamal-type signature system comprising a center, a plurality of prover terminals, and a verifier terminal is read. A verification key receiving means for receiving a verification key published from a terminal; and a double vector Q, one obtained by arranging a plurality of two sets of a predetermined finite field from the prover terminal or the verifier terminal. A parameter A for defining two curves, a double vector / parameter / verification key request receiving means for receiving a request for a verification key QU, and a double vector / parameter / verification key request receiving means for receiving a request from a prover terminal or a verifier terminal. When the request for the vector Q, the parameter A, and the signature key QU is accepted, 2
A program which functions as a double vector / parameter / verification key disclosing means for exposing the duplicate vector Q, the parameter A, and the verification key QU to the requesting terminal; and a computer constituting the prover terminal, comprising: Request transmitting means, double vector parameter receiving means, integer generating means, double vector integer multiple device, verification key transmitting means, random number generating apparatus, signature text R transmitting means, signature text S transmitting means And a program functioning as a message M transmitting means, wherein the double vector parameter request transmitting means requests a double vector Q and a parameter A published to the center, and receives the double vector parameter The means includes a double vector Q, a parameter released by the center upon request of the double vector parameter request transmitting means. Receiving and holding the data A, and outputting the received data to a double vector integer multiplying device. The integer generating means randomly selects an integer nU and secretly stores it as a signature key, and signs the double vector integer multiplying device. And outputs the key nU. The double vector integer multiplying device outputs the double vector parameter received by the center from the double vector parameter receiving means.
A double vector Q and a parameter A are input, and the signature key nU is input from the integer generating means.
The calculated double vector QU is calculated and output to the verification key transmitting means. The verification key transmitting means sends the double vector QU to the center to publish it as a verification key. The random number k is generated and kept secret, and the random number k is output to the double vector integer multiplying device.
A double vector Q, a parameter A, and a random number k, which is secret information stored in the random number generation unit, are stored in the parameter receiving unit, and a double vector R is generated by multiplying the double vector Q by k. The sentence R is sent to the signature sentence R transmitting means and the signature sentence S transmitting means and stored therein. The message M transmitting means holds the message M and transmits the signature sentence S. The signature sentence S transmitting means inputs k · Q = R from the double vector integer multiplying device, the random number k from the random number generating device, and nU from the integer generating means, and outputs the communication message M A message M is input from the transmitting means, and S = (M-nU.x (R)) k-1
mod O (Q) (x (R) is the sum of the first components of each set included in the double vector R, and O (Q) is the order of the double vector Q), and is the calculation result. S is the signature sentence S
The signature statement R transmitting means, the signature statement S transmitting means, and the message M transmitting means respectively transmit the signature statements R, S and the message M to the verifier terminal. A computer comprising a double vector / parameter / verification key request transmitting means;
Double vector / parameter / verification key receiving means, double vector integer multiple device, double vector adding device, signature text R
A program for functioning as a receiving unit, a signature sentence S receiving unit, a communication sentence M receiving unit, a T1 storage unit, a T2 storage unit, a T3 storage unit, a T4 storage unit, and a verification unit; The double vector / parameter / verification key request transmitting unit requests the double vector Q, the parameter A, and the verification key disclosed to the center, and the double vector / parameter / verification key receiving unit transmits the double vector / The double vector Q, the parameter A, and the verification key QU, which have been released from the center in response to a request from the parameter / verification key request transmitting means, are received, held, and output to a double vector integer multiplying device. Receives the double vector Q and the parameter A published by the center from the double vector / parameter / verification key receiving means, and receives the message from the message M receiving means. Input a message M and convert the double vector Q to M
Multiply, calculate M · Q, and calculate a double vector T
1 is output to the T1 storage means and stored therein. The double vector integer multiple unit outputs the sum x (R) of the first components of each set included in the received double vector R from the signature sentence R receiving means. The verification key QU and the parameter A published by the center are input from the double vector / parameter / verification key receiving means, and x (R) · QU
And outputs the double vector T2, which is the calculation result, to the T2 storage means and stores the double vector T2 in the T2 storage means. The double vector integer multiple unit converts the double vector R received from the signature text R receiving means into the signature text S S / R is calculated by inputting the parameter A published by the center from the double vector / parameter / verification key receiving unit to the signature sentence S received from the receiving unit and multiplying the double vector R by S times. Then, the double vector T3, which is the calculation result, is output to and stored in the T3 storage means, and the double vector addition device includes the T2 storage device and the T2 storage device.
3 The double vectors T2 and T3 are input from the storage device, the parameter A is input from the double vector / parameter / verification key receiving means, T2 + T3 is calculated, and the calculated double vector T4 is stored in the T4 storage means. The verification means outputs the data stored in the T1 storage means.
It is determined whether or not the double vector T1 matches the double vector T4 stored in the T4 storage means.
And a computer-readable recording medium storing a program for realizing an ElGamal-type signature system, wherein the program verifies whether or not the certificate has been created by the prover terminal U.