JP2002351314A - Method, device, and program for ciphered information generation, and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method, a device, and program for ciphered information generation which generates ciphered information at a high speed by shortening the time needed to generate an prime number and a recording medium where the program is recorded. SOLUTION: This ciphered information generating device which generates the ciphered information by ciphering information by using the prime number is equipped with a ciphered information generation part 3 which generates the ciphered information C with inputted bit width L, a Montgomery arithmetic part 5 which performs Montgomery arithmetic for a number as a prime number candidate, and a control part 1 which makes the Montgomery arithmetic part 5 carry out Montgomery arithmetic based upon last generated ciphered information C as an initial value when the number of digits of the ciphered information generated by the ciphered information generation part 3 exceeds (L/4) bits and makes the ciphered information generation part 3 update the ciphered information by using the number decided as a prime number through the Montgomery arithmetic as a new prime number.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and apparatus for generating cryptographic information, a cryptographic information generating apparatus, a cryptographic information generating program and a recording medium, and more particularly, to a method and apparatus for generating cryptographic information by using prime numbers. It relates to a program and a recording medium.

[0002]

2. Description of the Related Art In information communication over networks in recent years, security of information has become important, and various encryption techniques have been developed. However, RSA encryption as asymmetric encryption in which an encryption key and a decryption key are different. Is widely used.

In the RSA encryption, when the public key is e and the remainder is N, the sender of the information M must encrypt the information M into encrypted information C represented by the following equation (1). To send to the recipient.

[0004]

(Equation 1)

[0005] Then, the receiver executes the operation represented by the following equation (2) on the transmitted cipher information C using the remainder N and the secret key d, thereby obtaining the above-mentioned M. You will get information.

[0006]

(Equation 2)

Here, the remainder N is a product of two prime numbers. In order to ensure security in RSA encryption, it is desirable to periodically update the prime numbers.
For this reason, in the RSA encryption technology, it is necessary to repeatedly generate a new prime number.

Hereinafter, a conventional prime number generation method will be described with reference to FIG. First, prime candidates are generated by using random numbers, and in step S1, the prime candidates are divided by existing prime numbers. At this time, it is determined in step S2 whether or not the number is divisible. If it is determined that the prime candidate is a multiple of the prime, the process proceeds to step S5. On the other hand, if it is determined in step S2 that the prime candidate is not a multiple of the existing prime, the process proceeds to step S2.
In step 3, the prime number is determined by using the Montgomery method from the first step in a calculation loop such as a Fermat test or a Miller Rabin test. If it is determined in step S4 that the prime candidate is a prime, the prime generation method is terminated. If it is determined that the prime is not a prime, the process proceeds to step S5. Here, in step S5, 2 is added to the prime number candidate, and the process returns to step S1.

The above is a description of the conventional prime generation method. However, in the test in step S3, since the modular exponentiation is executed, the number of operation cycles increases as the bit width of the desired prime increases, and the prime generation time increases. There was a problem of becoming.

[0010]

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above-mentioned problems, and has been made in order to reduce the time required to generate prime numbers, thereby enabling encryption to generate cryptographic information at high speed. An object of the present invention is to provide an information generation method, an encryption information generation device, a program, and a recording medium on which the program is recorded.

[0011]

SUMMARY OF THE INVENTION An object of the present invention is to specify a bit width L of encryption information to be generated when encrypting information using a prime number, and to encrypt the information in accordance with the specified bit width L. When the number of digits of the generated cryptographic information exceeds (L / 4) bits, a Montgomery operation is performed using the immediately preceding cryptographic information as an initial value, and the number determined to be a prime number by the Montgomery operation By updating the cryptographic information as a new prime number.

According to such a means, the number of operation cycles required for Montgomery operation can be reduced, and prime numbers can be obtained more quickly.

Here, if the initial values of the parameters in the Montgomery operation are calculated by subtracting the parameters obtained in accordance with the number of the prime candidates immediately before, the operation cycle required in the Montgomery operation is calculated. The number can be further reduced and prime numbers can be obtained faster.

[0014]

Embodiments of the present invention will be described below in detail with reference to the drawings. The same reference numerals in the drawings indicate the same or corresponding parts.

In the RSA encryption, the remainder N of the remainder operation is periodically changed to maintain the security of the information communication system. Here, since the remainder number N is a product of two prime numbers, it is necessary to generate two prime numbers.

For example, in the case of 1024-bit RSA encryption, it is necessary to generate two 512-bit prime numbers. At this time, whether a certain number is a prime number is determined by a Fermat test, a Miller-Rabin test, or the like.

The Fermat test uses Fermat's small theorem, that is, the following theorem that when p is a prime number, the following equation (3) holds for any number a satisfying 0 <a <p. It is.

[0018]

(Equation 3)

That is, this is a test in which a is raised to the power of (p-1) and the remainder is taken as a prime candidate p, and when the result is 1, p is a prime number. However, since the calculation result may be 1 even if p is not a prime number, the calculation is usually performed on a plurality of a, and when any of the calculation results is 1, the p is a prime number for the first time. Is determined. Hereinafter, the prime number generation method according to the present embodiment will be described with reference to FIG. First, prime candidates are generated by using, for example, random numbers, and in step S1, the prime candidates are divided by some existing small prime numbers. Then, step S2
In, it is determined whether or not it is divisible by the above division. If it is divisible, the process proceeds to step S5. If it is not divisible, the process proceeds to step S3. Then, in step S3, Montgomery (Montgome) is executed from an intermediate step in an operation loop such as the Fermat test or the Miller-Rabin test.
The prime number is determined by using the ry) method. Step S3 will be described later in detail. In step S4, it is determined whether or not the prime candidate is determined to be a prime number. If it is determined that the prime number is a prime number, the process ends. If not, the process proceeds to step S5. Here, in step S5, 2 is added to the prime number candidate, and the process returns to step S1. The required prime numbers can be generated by the above method.
Fermat test or Miller shown in step S3 above
The -Rabin test can be realized by (a) a remainder operation using the prime candidate p or (b) an operation using the Montgomery method. When the Montgomery method is adopted, it is necessary to calculate some parameters necessary for the operation in advance. When performing the operation while changing the prime candidates in the prime generation, the parameter is set for each operation. Needs to be calculated. However, since the calculation time is much shorter than when the remainder calculation of (a) is performed, it is desirable to employ the Montgomery method. When the Montgomery method is used, for example, when an (L / 2) -bit prime is obtained using an α-bit multiplier in an L-bit RSA encryption, a prime decision is performed on one prime candidate. The number of cycles Nc required to execute the above equation is expressed by the following equation (4) if the cycles for calculating the above parameters are ignored.

[0020]

(Equation 4)

Therefore, according to the above equation (4), for example, if the bit width L of the RSA encryption is doubled, the operation cycle becomes eight times. Further, according to the prime number theorem, the distribution probability D of a prime number in the vicinity of 2 ^{L / 2} is expressed by the following equation (5) when the bit width L is sufficiently large.

[0022]

(Equation 5)

Here, it can be seen that when the bit width L of the RSA encryption is doubled, the existence probability of the prime number is halved. Therefore, if the division by the known prime number shown in step S1 of FIG. 1 is ignored, when the bit width L of the RSA encryption is doubled, the number of cycles required for generating the prime number becomes 16 times. In consideration of the above-mentioned division by the known prime number, the magnification is slightly reduced, but becomes 10 times or more.
In any case, the prime number generation time becomes long.

Therefore, the cipher generation method and the cipher generating apparatus, the cipher generating program and the recording medium on which the program is recorded according to the present embodiment are compatible with the Fermat test or Miller.
-By reducing the number of operation cycles required in the Rabin test, the total number of cycles for generating prime numbers is reduced, and the time for generating prime numbers is reduced, and the time for generating RSA encryption information is also reduced. Specifically, in the generation of the prime numbers according to the present embodiment, first, the value of a is 2
Second, as an operation for determining a prime number, the Montgomery method is executed with a value immediately before the number of digits of the operation result exceeds (L / 4) bits as an initial value. Third, the parameter (M *) used for the operation of the Montgomery method is generated by subtracting it from the latest prime candidate. Hereinafter, the prime number generation method according to the present embodiment will be described in detail. FIG. 2 is a program showing a procedure of a prime number judgment test using division. As shown in FIG. 2, in the primality judgment by division, in the operation loop L1, in the operation step CAL1, the remainder operation by p is performed after the multiplication.
Here, since the initial value of the cryptographic information C is 2, and p is a number of L / 2 bits, it is not necessary to execute the remainder operation while the value of the cryptographic information C is smaller than p. That is, when the encryption information C is a number smaller than p, the calculation result of (C mod p) is C. For example, when L is 1024 bits, L / 2 is 512 bits, but the maximum value of the key (e
= P-1 = {11111111...}) And the minimum value (e = {1000000)
0 ...}) are shown in Tables 1 and 2 below for i = 510 to 503, respectively.

[0025]

[Table 1]

[0026]

[Table 2]

As described above, during the range of i = 510 to 503, the value of C is smaller than the prime candidate p (2 ⁵¹¹ <p <2 ⁵¹² ), so there is no need to perform a remainder operation, and the operation result is initialized. The calculation may be started as a value.

The operation loop L1 in the procedure shown in FIG. 2 is divided into an operation loop L2 that does not require a remainder operation from i = 510 to 503, and an operation loop L3 that executes a remainder operation when i = 502 or less. And the prime number determination can be performed by the procedure shown in the program of FIG. Further, as shown in Tables 1 and 2, i is 50
The value of the cryptographic information C after the operation at the time of 3 is equal to the value obtained by cutting out the upper 8 bits of the key e and setting it as a power of 2. Accordingly, the modular exponentiation operation at i = 510 to 503 executed in the operation loop L2 shown in FIG. 3 becomes unnecessary, and the operation step CAL2 in the program shown in FIG. 4 is executed instead of the operation loop L2. Can determine the prime number. Here, the procedure of the prime number judgment by the Montgomery method is described by the program shown in FIG. This Montgomery method is shown in FIG.
As shown in the figure, steps before entering the operation loop L4
This is a method in which parameter conversion is performed in CAL3, and then multiplication is performed in place of the remainder operation in the operation loop L4. Then, when the Montgomery method shown in FIG. 5 is applied to the execution of the operation loop L3 shown in FIG. 4, the program shown in FIG. 6 can be obtained. At this time, comparing the operation procedure shown in FIG. 6 with the prime number determination procedure shown in FIG.
= 510 to 503, while the number of operation cycles required to calculate M ^* increases. Here, in the calculation of M ^* according to the conventional method, since r = 2 ^{L / 2} and the encryption information C is a constant of 2, X ^* (= r mo
It is sufficient to double dp) and subtract p. On the other hand, according to the method according to the present embodiment, when the Montgomery method is applied from i = 502, the value of the cryptographic information C is 2 ²⁵⁶ to 2 ⁵¹¹ , and the number of operation cycles of the remainder calculation by p increases. . Hereinafter, a method of calculating the above M ^* will be described. First,
Let α be the number of ps having the same quotient by division represented by (C · r) / p. At this time, since the cryptographic information C is a power of 2 of the most significant bit in the prime candidate, it is assumed that it does not change even if the prime candidate is changed. At this time, Expression (7) can be obtained from Expression (6).

[0029]

(Equation 6)

[0030]

(Equation 7)

Here, from the following equation (8), equations (9) and (10) can be obtained.

[0032]

(Equation 8)

[0033]

(Equation 9)

[0034]

(Equation 10)

When the Montgomery calculation is executed with the calculation result at i = 503 as an initial value, the maximum value of the encryption information C is ²⁵¹¹ . When this is substituted into the above equation (10), 1/2 <α <2, and the value of the quotient changes each time the prime number candidate changes. That is, it is necessary to perform the division every time the prime candidate changes to obtain the initial value M ^* of the Montgomery operation.

On the other hand, when the Montgomery operation is executed with the operation result at i = 504 as the initial value, the maximum value of the encryption information C is ²²⁵⁵ . When this is substituted into the above equation (10), 2 ²⁵⁵ <α <2 ²⁵⁷ , and the value that α can take is calculated by the following equation (11).

[0037]

[Equation 11]

The probability of the existence of a prime number near 2 ⁵¹² can be found to be about 1/355 by substituting 1024 for L in the above equation (5). That is, prime numbers can be obtained by testing 355 prime number candidates in terms of probability. Here, since 355≪3 2 ²⁵⁵ -2, once the following equation (12) is calculated to obtain the quotient D and the remainder M ^* , the subsequent prime candidates can be obtained by subtraction.

[0039]

(Equation 12)

That is, assuming that the quotient and remainder when C · r is divided by (p + 2) are D ′ and M ^* ′, respectively, the following equation (1)
3) can be obtained.

[0041]

(Equation 13)

Here, when the above equations (12) and (13) are solved for M ^* ′, the following equation (14) can be obtained.

[0043]

[Equation 14]

At this time, the probability that D ≠ D 'is (3.2
²⁵⁵ -2), and ^therefore D in the above equation (14)
= D ′, the following equation (15) can be derived.

[0045]

(Equation 15)

Therefore, the calculation of the initial value in the Montgomery operation for the second and subsequent prime candidates is only subtraction,
The required number of cycles is the same as compared with the calculation of the initial value of M ^* by the conventional method. If the result of the calculation according to the above equation (15) is negative, it is sufficient to return to the above equation (14) and add (p + 2) to the previous calculation result.

As described above, by setting the maximum value of the cryptographic information C in a range in which the remainder operation is unnecessary as an initial value, and subsequently executing the Montgomery operation, it is necessary to calculate the initial value M ^* of the Montgomery operation. The number of cycles, and thus the total number of operation cycles, can be reduced. Than this,
According to the cryptographic information generation method according to the present embodiment, a prime number can be obtained at high speed by the above-described method, so that cryptographic information can be generated at high speed.

In the following, the number of operation cycles actually required in the above-described prime number generation method according to this embodiment is
A specific description will be made in comparison with the number of operation cycles according to the conventional method. First, the number of Montgomery operation cycles that decreases when i = 510 to 503 can be obtained by the following equation (16) when a 32-bit multiplier is used, for example.

[0049]

(Equation 16)

On the other hand, the number of increasing cycles is as follows. That is, as described above, since the calculation of M ^* for the second and subsequent prime candidates is realized by subtraction, the same cycle number as that conventionally required for the calculation of M ^* is required. You. However, only the first prime number candidate needs to be calculated by division. Here, the number of cycles required in this division is obtained. FIG.
FIG. 7 is a diagram illustrating a division operation in a case where a dividend is composed of 32 words a0 to a31 and a divisor is composed of 16 words b0 to b15. Here, referring to Tables 1 and 2 above, as shown in FIG.
Of the 1024-bit dividend consisting of the product of
There is only one 1 in the region R between the bits. Then, for example, in the worst case where 1 is at the 767th bit, division is performed eight times, and the number of cycles at this time is 117 × 8 = 936 [cycles].

From the above, by taking the difference between the number of decreasing cycles obtained by the above equation (16) and the number of increasing cycles,
It can be seen that the operation cycle of about 10,000 cycles can be reduced.

Finally, a division method in units of words (for example, in units of 32 bits) will be described with reference to FIG. First, in step S1, the most significant two words (64 bits) including 1 in the dividend (M · r) are divided by the most significant 32 bits of the divisor (p), and the quotient D is obtained by the number of 32 cycles. Next, in step S2, the quotient D
And the divisor p are calculated in 17 cycles.

In step S3, the 2's complement Dp 'of the product obtained in step S2 is calculated in 17 cycles. Then, in step S4, the upper 544 bits of the dividend (M · r) and the complement Dp 'are added in 17 cycles, and in step S5, it is determined whether or not there is a carry from the most significant digit. If there is, go to step S9, and if there is no carry, go to step S6. Then, in step S6, the divisor p is added by the number of 17 cycles, and in step S7, it is determined whether or not there is a carry from the most significant digit. Here, if there is a carry, the process proceeds to step S9, and if there is no carry, the process proceeds to step S8. In step S8, the divisor p is added by the number of 17 cycles, and the process proceeds to step S9. In step S9, it is determined whether or not the number of digits of the most significant word including 1 is equal to the number of digits of the most significant word of the divisor. If they are equal, the operation is terminated. Return to

Next, the encryption information generation method according to the embodiment of the present invention is realized by, for example, the encryption information generation apparatus shown in FIG. The encryption information generation device shown in FIG. 9 includes a control unit 1, an encryption information generation unit 3, and a Montgomery operation unit 5.

Here, the cryptographic information provisional generation unit 3 is connected to the control unit 1, and the Montgomery operation unit 5 is connected to the control unit 1 and the provisional encryption information generation unit 3.

In the cryptographic information generation apparatus having the above configuration, the bit width L of the RSA encryption is supplied to the control unit 1, and the cryptographic information generation unit 3 uses the bit width L supplied from the control unit 1. , And generates and outputs the cryptographic information C. The initial value of the encryption information C is generated by the method shown in FIG. 6, but is sequentially updated by the procedure described below.

When the prime number update command RN is supplied to the control unit 1, the control unit 1 receives the latest encryption information C generated by the encryption information generation unit 1, and the number of digits of the encryption information C becomes (L / L). 4) Identify operation cycles that exceed bits. Then, the control unit 1 supplies the specified number i _C of the cycle to the Montgomery calculation unit 5. The Montgomery operation unit 5
Receives the cryptographic information C obtained in the (i _C -1) -th cycle from the cryptographic information generation unit 3 and executes the Montgomery operation as described above using this as an initial value. Here, the parameter (M *) used for the Montgomery operation
Is generated by subtracting from the latest prime candidate as described above.

The prime number obtained by the operation by the Montgomery operation unit 5 is supplied to the encryption information generation unit 3. The cryptographic information generation unit 3 updates the remainder N using the supplied prime numbers as described above, and uses the remainder N to generate the cryptographic information C.
Is updated and output. As described above, according to the cryptographic information generation method and the cryptographic information generation device according to the embodiment of the present invention, the prime number generation time can be reduced by reducing the number of operation cycles required for generating a prime number. Therefore, encrypted information can be generated at high speed. In addition,
The prime generated by the above method can be effectively used not only for generating the RSA encryption but also for generating other cryptographic information using the prime.

Further, as shown in FIGS. 2 to 6, the encryption information generating method according to the embodiment of the present invention can be easily programmed, and the program is recorded on a computer-readable recording medium. Then, the program can be easily realized by executing the program by a computer on which the recording medium is mounted.

[0060]

According to the cryptographic information generating method, the cryptographic information generating apparatus, the cryptographic information generating program, and the recording medium of the present invention, the number of operation cycles required for Montgomery operation can be reduced, and prime numbers can be reduced more quickly. Therefore, the cryptographic information can be generated at high speed.

Here, if the initial values of the parameters in the Montgomery operation are calculated by subtracting the parameters obtained in accordance with the number of the prime candidates immediately before, the operation cycle required for the Montgomery operation is calculated. Since the number can be further reduced and prime numbers can be obtained faster,
The cryptographic information can be generated at higher speed.

[Brief description of the drawings]

FIG. 1 is a flowchart showing a prime number generation method according to an embodiment of the present invention.

FIG. 2 is a program showing a procedure of a prime number judgment test using division.

FIG. 3 is a diagram showing a program in which the procedure of the prime number judgment test shown in FIG. 2 is improved.

FIG. 4 is a diagram showing a program in which the procedure of the prime number judgment test shown in FIG. 3 is improved.

FIG. 5 is a program showing a procedure of a prime number judgment test using the Montgomery method.

6 is a program showing a procedure in which the Montgomery method is applied to the procedure shown in FIG.

FIG. 7 is a diagram illustrating a division operation according to the embodiment of the present invention.

FIG. 8 is a flowchart illustrating a remainder calculation method in word units according to the embodiment of the present invention.

FIG. 9 is a diagram showing a configuration of a cryptographic information generation device according to an embodiment of the present invention.

FIG. 10 is a flowchart showing a conventional prime number generation method.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 Control part 3 Encryption information generation part 5 Montgomery operation part

Claims (8)

[Claims] 1. A cryptographic information generating method for encrypting information using a prime number, comprising: a first step of specifying a bit width L of generated cryptographic information; and the bit specified in the first step. Width L
A second step of generating the cryptographic information, and when the number of digits of the cryptographic information generated in the second step exceeds (L / 4) bits, the cryptographic information generated immediately before A third step of performing a Montgomery operation with the initial value as the initial value, and a fourth step of updating the cryptographic information with the number determined to be a prime number by the Montgomery operation in the third step as a new prime number. A method for generating cryptographic information, comprising: 2. An initial value of a parameter of the Montgomery operation executed in the third step is calculated by subtracting the parameters obtained in accordance with the number of the prime candidates immediately before. Method for generating cryptographic information described in 1. 3. A cryptographic information generating apparatus for encrypting information using a prime number and generating cryptographic information, comprising: cryptographic information generating means for generating the cryptographic information having an input bit width L; Montgomery operation means for performing a Montgomery operation on the number to be processed, and when the number of digits of the encryption information generated by the encryption information generation means exceeds (L / 4) bits, the encryption information generated immediately before Control means for causing the Montgomery operation means to execute the Montgomery operation with the initial value as the initial value, and causing the cryptographic information generation means to update the encryption information with the number determined to be a prime number by the Montgomery operation as a new prime number. A cryptographic information generation device. 4. The Montgomery calculation unit executes the Montgomery calculation using a value obtained by subtracting the parameters obtained according to the number of the prime candidates immediately before, as an initial value of the parameter. Item 4. The encryption information generation device according to item 3. 5. A computer-readable recording medium in which a program for encrypting information using a prime number by a computer is recorded, wherein the program comprises:
Bit width of encryption information to be generated for the computer
Inputting L, and generating the encryption information according to the bit width L. When the number of digits of the generated encryption information exceeds (L / 4) bits, the encryption information generated immediately before is initialized to an initial value. A recording medium characterized by executing a Montgomery operation, and updating the cryptographic information with a number determined to be a prime number by the Montgomery operation as a new prime number. 6. The program causes the computer to calculate an initial value of a parameter of the Montgomery operation by subtracting the parameter from each other obtained according to a number which is a prime candidate immediately before. The recording medium according to claim 5, wherein: 7. An encryption information generating program for encrypting information using a prime number by a computer, wherein the computer inputs a bit width L of the encryption information to be generated. When encryption information is generated, when the number of digits of the generated encryption information exceeds (L / 4) bits, a Montgomery operation is performed using the encryption information generated immediately before as an initial value. A cryptographic information generating program for updating the cryptographic information with a number determined to be present as a new prime number. 8. The cryptographic information generation program causes the computer to calculate an initial value of a parameter of the Montgomery operation by subtracting the parameter obtained from each other according to the number of the prime candidates immediately before. The encryption information generation program according to claim 7, wherein