JP2003084666A - Method and device for processing elliptic curve cryptography - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve such a problem that calculation takes a fairy long time since many times of multiplication are required for multiplication and division in cryptography processing by the OEF (optimal extension field) of an extension field proposed so far. SOLUTION: By using the extension field GP (Pm) with m original sets: ω, ω<2> ,...ω<m> }, by the zero point ω of m-th degree irreducible polynominal f(x)=(x<m+1> -1)/(x-1) on a prime field GF(P) as a base for elliptic curve cryptography processing, inverse calculation accompanying two element multiplication and division is accelerated.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an elliptic curve cryptographic method and apparatus useful for public key cryptography widely used for confidentiality and authentication of communication contents, and particularly to elliptic curve cryptographic processing using a Galois extension field. The present invention relates to an algorithm for accelerating binary multiplication and inverse operation.

With the spread of the Internet in recent years, the need for open network security has increased, and a cryptographic technology for realizing it is an indispensable basic technology.
Elliptic curve cryptography is being studied for standardization and implementation as a next-generation public key cryptography. In the cryptographic processing, a majority of the four arithmetic operations are required for multiplication and division. In particular, the calculation of the inverse element in division is an issue. The present invention provides 1
It provides one effective solution.

[0003]

2. Description of the Related Art Cryptography is used to conceal important information, pay information, and private information using a publicly available communication network, and to confirm the identity of a person by signature / authentication. In particular, cryptography is indispensable for communicating with many parties. There are two encryption methods, common key encryption and public key encryption. Generally, these two methods are used in combination. Among public-key cryptosystems, the elliptic curve cryptosystem, which has recently received attention, is a conventional cryptosystem (RSA system).
The strength against illegal deciphering is much higher than
In the A-method cryptography, a key length of 1024 bits is actually required to avoid decryption, whereas in the elliptic curve cryptography, 160 bits are sufficient to secure equivalent strength. Curve encryption is about to become an international standard,
Implementation research is being actively pursued.

The elliptic curve generally used for encryption is y ²
= X ³ + ax + b, and encryption processing is performed using a finite number of points (x, y) on the curve. The definition field of a finite number of points on the curve has a finite field GF whose characteristic is an odd prime P
(P) and 2 extension fields GF (2 ^m ) have been used (references 1 and 2). An extension field GF (2 ^m ) with a characteristic of 2 means an m-dimensional vector space of GF (2), and each element has m 0s such as (0,1,0,0, ...). It is represented by 1.
The extension field GF (2 ^m ) is the mainstream of research and development because the computer basically represents the data in the binary system and the conventional error code correction technology. For example, in the extension field GF (2 ¹⁶⁰ ) with m = 160,
The key length is 160 bits.

Recently, Bailey et al. Have proposed OEF (Optimal Extension Fi
eld) was proposed (reference 3). OEF facilitates the polynomial remainder calculation by using a polynomial basis in which the modulo polynomial is an irreducible binomial expression, and as a result, high-speed multiplication is possible. Further, a high-speed method using a normal basis and a Frobenius map has been proposed when performing an inverse element operation in OEF (references 4 and 5).

In the OEF, first, high-speed multiplication between arbitrary elements is made possible by performing a polynomial remainder operation using a characteristic as a pseudo-Mersenne prime number and a modulus polynomial as an irreducible binomial expression. Based on this high-speed multiplication, a high-speed inverse element calculation method that applies the Ito-Tsujii algorithm (reference document 4) is introduced to realize high-speed division (reference document 7). For this reason, it is said that it is most effective to use OEF as a definition structure in research on software implementation of elliptic curve cryptography.

Next, the definition of OEF and the mechanism of multiplication will be described. Definition of OEF OEF is an extension field that satisfies the following three conditions (i), (ii), and (iii).

[0008]

[Equation 7]

(I) and (ii) are conditions for selecting the characteristic P for performing multiplication on the prime field GF (P) at high speed, and (ii)
i) is a condition for performing multiplication on the extension field GF (P ^m ) at high speed. Multiplication Method in OEF First, an arbitrary element A, BεGF (P ^m ) of OEF is a polynomial basis based on a zero α of a modulus polynomial f (x) = x ^m −s: {1,
It is assumed that it is expressed as follows in the form of a linear combination of α, α ² , ... α ^m-1 }.

A = a ₀ + a ₁ α + ... a _m-1 α ^m-1 , a _i εGF (P) (1) B = b ₀ + b ₁ α + ... b _m-1 α ^m-1 , B _i ∈GF (P) A, B is obtained by the following two steps. [Step 1: Polynomial Product] The elements A and B are considered as polynomials with α as an indefinite element, and the following polynomial product is obtained.

A (α) × B (α) = a ₀ b ₀ + (a ₀ b ₁ + a ₁ b ₀ ) α + ... + a _m-1 b _m-1 α ^2m-2 = c ₀ + c ₁ α + ... + c _2m-2 α ^2m-2 (2) When the coefficient c _i (0 ≦ i ≦ 2m-2) of the above equation (2) is calculated by the textbook method, multiplication m ² times on GF (P) And addition (m-1) ² times are required. If the Karatsuba method (reference document 8) is used, the number of multiplications can be reduced although the number of additions is increased. The: [Step2 polynomial remainder calculation] ^{f (α) = α m -s} = 0 into Equation (2), we obtain the following expression (3).

[0012]

[Equation 8]

That is, the polynomial remainder operation is performed in the prime field GF.
It is executed m-1 times of multiplication and m-1 times of addition in (P). Inverse element calculation method (Ito-Tsujii algorithm) Non-zero element A ∈ GF (P ^m ) is

[0014]

[Equation 9]

The following equation (4) is obtained by satisfying the above condition, multiplying both sides of this by A ^−1, and modifying the equation.

[0016]

[Equation 10]

In order to calculate the inverse element at high speed using the equation (4), since the equation (4) uses the original P-power as a basic operation, the Frobenius map φ defined below can be performed at high speed. It is necessary.

Φ (A) = A ^P (5) One method for solving this is to use a normal basis as a basis for expressing the element as a vector (reference document 4). In this method, the mapping φ can be performed only by the cyclic shift operation of the vector representation. The Ito-Tsujii algorithm uses a normal basis as a basis and calculates the inverse element at high speed by the procedure shown in FIG. Here, in Step 1, Additi
Multiply efficiently using on Chain (reference document 8).

Considering this Ito-Tsujii algorithm on the OEF, it is as follows. First, the remainder operation is performed on A given by equation (1) using α ^m = s,
The Frobenius map φ (A) is obtained as follows.

A ^P = a ₀ + a ₁ α ^P + ... a _m-1 α ^{(m-1) P} = a ₀ + s ^d a ₁ α + ... s ^{(m-1) d} a _m-1 α ^m-1 where d = (P-1) / m. That is, if s ^id (1 ≦ i ≦ m−1) is calculated as a preliminary preparation, m−
Φ (A) can be calculated by one multiplication on GF (P). Then, in Step 1 and Step 2 in FIG. 3, the high speed multiplication method by the equation (3) is used, and in Step 3, the binary method is used. Here, c calculated in Step 2 is A
Is the norm (total product of conjugate elements) of.

[0021]

As described above, conventionally, it has been known that the OEF of the extension field proposed by Bailey et al. Is effective for speeding up the arithmetic processing of the elliptic curve cryptography. However, even with OEF, a large number of multiplications are still required for the processing of binary multiplication and inverse element calculation, and there is a problem in that calculation takes a considerable amount of time. The present invention aims to improve the above.

[0022]

According to the present invention, an m-th irreducible polynomial f (x) = on a prime field GF (P) is used for elliptic curve cryptographic processing.
A set of m elements based on the zero point ω of (x ^{m + 1} −1) / (x−1): {ω, ω ² , ... ω ^m } An extension field GF (P ^{m based on} (6) ),
It is intended to solve the problem by enabling high-speed processing of binary multiplication and inverse element calculation.

Next, the conditions for the characteristic P and the extension degree m of the extension field GF (P ^m ) will be described.

To construct the extension field GF (P ^m ) of the present invention, the m-th irreducible polynomial f (x) = (x on the prime field GF (P).
^{m + 1} −1) / (x−1) is required, and the zero point ω of f (x)
The arbitrary element of GF (P ^m ) is expressed as a vector by the basis shown in (6) using. In the following explanation, ω
Is the zero point of f (x) = (x ^{m + 1} −1) / (x−1). The conditions for the characteristic P and the expansion degree m are conditions for this f (x) to be irreducible on GF (P), and are shown in the following theorem. 1. Conditions for extension fields 1.1 The necessary and sufficient conditions for theorem f (x) = (x ^{m + 1} -1) / (x-1) to be irreducible on GF (P) are the characteristic P and the positive The integer m is to satisfy the following two conditions (i) and (ii).

[0025]

[Equation 11]

1.2 Proof of Theorem (1.1) First, if m + 1 is not a prime number and is given by m + 1 = a · b using integers a and b larger than 1, f (x) is given by It is non-irreducible because it is factored like this. That is, m + 1 must be a prime number.

[0027]

[Equation 12]

Next, pay attention to the condition (ii). According to Euler's theorem, if m + 1 is a prime number, P ^m ≡1 (mod m + 1) holds, and if condition (ii) holds, the order m + 1
Exists in GF (P ^m ), and GF (P ⁿ ) (1 ≦ n
≦ m−1) means that it does not exist. That is,
The original minimum polynomial of order m + 1 is an m-th order irreducible polynomial on GF (P). In addition to this fact,
Given that (x) has the original zero of order m + 1, the theorem is proved.

(X−1) · f (x) = (x ^{m + 1} −1) (7)

[0030]

FIG. 1 is a schematic diagram of a cryptographic communication system to which the present invention is applied, in which cryptographically processed communication is performed between arbitrary communication devices 1 to 4 coupled via a network. Be seen. The communication devices 1 to 4 do not have to be dedicated communication devices, but can be computers such as personal computers having communication functions. The elliptic curve cryptographic processing device 5 shown only in the communication device 4 is also provided in each of the other communication devices in the same manner, and performs encryption processing of message encryption and decryption by public key encryption. The elliptic curve cryptographic processing device 5 has a multiplication unit 6 and an inverse element calculation unit 7 for high-speed multiplication and division processing associated with the cryptographic processing. The multiplication unit 6 and the inverse element calculation unit 7 execute binary multiplication and inverse element calculation according to an algorithm based on the extension field defined by the present invention. The multiplication unit 6 and the inverse element calculation unit 7 can each be configured by a program or a dedicated hardware circuit. Next, algorithms for binary multiplication and inverse element calculation will be described. 2.2 Binary Multiplication 2.1 Consider the product of arbitrary binary A, BεGF (P ^m ) expressed as follows using the multiplication algorithm basis (6).

A = a ₁ ω + a ₂ ω ² + ... a _m ω ^m , a _i εGF (P) (8) B = b ₁ ω + b ₂ ω ² + ... b _m ω ^m , b _i ε As in the case of GF (P) OEF, multiplication is realized by the following two steps. [Step 1: Polynomial Product] Considering the elements A and B as polynomials with ω as an indefinite element, the following polynomial product is obtained.

A (ω) × B (ω) = a ₁ b ₁ ω ² + (a ₁ b ₂ + a ₂ b ₁ ) ω ³ + ... + a _m b _m ω ^2m = c ₂ ω ² + c ₃ ω ³ + ... + c _2m ω ^2m (9) [Step 2: polynomial remainder operation] (ω-1) · f (ω) = ω
^{If m + 1} −1 = 0 is used in the equation (9), the following equation (10) is obtained.

[0033]

[Equation 13]

Further, c _{m + 1} is as follows when expressed using the basis (6).

C _{m + 1} = −c _{m + 1} ω−c _{m + 1} ω ² −... −c _{m + 1} ω ^m Substituting the above equation into the equation (10), the following equation (11) is obtained. .

[0036]

[Equation 14]

That is, the polynomial remainder operation of the proposed method does not require multiplication on the prime field GF (P) and can be executed in addition 2m-2 times. 3. Inverse element calculation To calculate the inverse element in the extension field of the present invention, the above-mentioned Ito-
A method applying the Tsujii algorithm is used. First,
The Frobenius map φ for the element of the extension field of the present invention will be described, and then the inverse element calculation algorithm will be shown. 3.1 From Frobenius mapping theorem 1.1, the extension order m of the extension field of the present invention is m
There is a condition that +1 is a prime number, and k _i (1 ≦ i ≦
If m) is defined by the following equation (12) k _i ≡iP mod (m + 1) (12), the following equivalence relation holds for the set of bases.

{Ω, ω ² , ... ω ^m } = {ω ^P ,
ω ^2P , ... ω ^mP } = {ω ^k1 , ω ^k2 , ... ω ^km } Using this, the mapping φ for the element A given by equation (8) is obtained as follows.

Φ (A) = A ^P = a ₁ ω ^P + a ₂ ω ^2P + ... a _m ω ^mP = a ₁ ω ^k1 + a ₂ ω ^k2 + ... a _m ω ^km (13) By previously _obtaining the correspondence between i and k _i given in (12), the mapping φ of the arbitrary element can be performed by rearranging the elements of the vector. 3.1.1 When the vector representation of the element A of the example GF (5 ⁶ ) by the basis (6) is (a ₁ , a ₂ , a ₃ , a ₄ , a ₅ , a ₆ ),
The mapping φ is as follows.

Φ (A) = A^Five= (A₃, A₆, A₂, A
_Five, A₁, A_Four) 3.2 Inverse element calculation algorithm Inverse element calculation algorithm applying the Ito-Tsujii algorithm
The following terms are defined in 3.2.1 Definition Vector A = (a₁, A₂・ ・ ・ A_m),
Tor A^*= (A_m, A _m-1・ ・ ・ A₁) Is the reciprocal of A
Call it Koutor. Also, A = A^*Then A is self-reciprocal
Call it tor.

By introducing such terms and notations, the following property holds for any element represented by the vector by the basis (6). 3.2.2 Property In the extension field GF (P ^m ) of the present invention, A is an arbitrary element and B is
And C as appropriate elements represented by the self-reciprocal vector,
The following (I) to (IV) are established.

[0042]

[Equation 15]

3.2.3 Example A = (1,3,5,7,9,2,4,6,8,10) ε
The following holds for GF (13 ¹⁰ ).

[0044]

[Equation 16]

In the Ito-Tsujii algorithm shown in FIG. 3, it is necessary to actually calculate the product of conjugate elements. Since the extension field of the present invention can utilize the property of 3.2.2, the polynomial product of the conjugates can be efficiently calculated.

FIG. 2 shows an inverse element calculation algorithm of the present invention to which the Ito-Tsujii algorithm is applied. For the multiplication of each Step, the textbook method is used as the polynomial product, and Step 2 of the 2.1 multiplication algorithm is used as the polynomial remainder operation, and the operation cost is specified by using the number of additions / multiplications on the prime field. Evaluate to. Table 1 shows symbols of the number of additions / the number of multiplications.

[0047]

[Table 1]

Equation (8) is used for the base expression of the element A. Further, in the expanded body of the present invention, M _R = 0 is always satisfied, and therefore it is not shown. [Step 1] First,

[0049]

[Equation 17]

Calculate 3.2.2 Property (I),
From (II), B is a self-reciprocal vector,

[0051]

[Equation 18]

The shape becomes as follows, and the coefficient b _i (1 ≦ n ≦ m /
2) is by utilizing a plurality of times the calculation results of _{a i · a j (1 ≦} i ≦ j ≦ m), S M = m (m-1) / 2, M M =
It is calculated by m (m + 1) / 2, S _R = m−1. In this way, the self-reciprocal vector is first obtained and used in the multiplication after Step 2, so that the speed of the entire inverse element calculation algorithm is increased. [Step2] Using an appropriate addition chain

[0053]

[Formula 19]

Find The number of multiplications and mappings φ required for this addition chain is as follows using the Hamming weight Hω (·).

[0055]

[Equation 20]

[0056]

[Equation 21]

Sequentially calculated in this Step 2

[0058]

[Equation 22]

The element of etc. is the property (III) of 3.2.2,
From (IV), all are self-reciprocal vectors. For multiplication of self-reciprocal vectors, for example, B'and B "are self-reciprocal vectors.

[0060]

[Equation 23]

As a result, the coefficient of B ′ × B ″ is b ′ _i ·
By using the calculation result of b ″ _j (1 ≦ i, j ≦ m / 2) multiple times, S _M = m (m−1) / 2, M _M = m ² /
4, S _R = m−1. [Step3] The norm of A is obtained from B · C. Where B
Since both C and C are self-reciprocal vectors, Step2
Similarly to S _M = m (m−1) / 2, M _M = m ² /
4, S _R = m−1. [Step 4] Find d ⁻¹ εGF (P). By the binary method, S _M = 0,

[0062]

[Equation 24]

It can be done with. [Step 5] By multiplying the calculation result of A * C by d ⁻¹ , A
Calculate ^-1 . The calculation cost is S _M = (m−1) ² , M _M
= _M ² + m, S _R = 2m−2. 3.3 Comparison with Conventional OEF The extension element of the present invention and the conventional OEF are compared for one-time inverse element calculation operation cost using the value of M _M + M _R. here,

[0064]

[Equation 25]

It is assumed that For the polynomial product in the conventional OEF, consider the case where the textbook method is used as in the present invention.

[0066]

[Equation 26]

Table 2 shows an example in which the characteristic P = 2 ¹⁵ +3 and the expansion degree m = 10. For reference, the value of M _M + M _R required for one multiplication is also shown.

[0068]

[Table 2]

[0069]

EFFECTS OF THE INVENTION By performing encryption processing using the extension field of the present invention, the multiplication and division processing can be speeded up more than or equal to that of the conventional OEF, and the efficiency of encrypted communication can be improved. be able to. In particular, any original Frobenius map can be processed by rearranging the elements of the vector. Therefore, by pre-arranging a table of the rearrangement rules based on the combination of the characteristic and the expansion degree, the processing becomes easier. There is an advantage that it is possible to increase the speed and speed. <Reference> 1: NP Smart, "On the Performance of Hyperelliptic
Cryptosystems, "Proc.Eurocrypt'99, Springer LNCS, vo
l.1592, pp.165-175, 1999. 2: R. Harasawa, J. Shikata, J. Suzuki and H. Imai, "Co.
mparing the MOV and FR Reductions in Elliptic Curve
Cryptography, "Proc.Eurocrypt'99, SpringerLNCS, vol.
1592, pp.190-205, 1999. 3: DB Bailey and C. Paar, "Optimal Extension Field
s for Fast Arithmeticin Public-Key Algorithms, "Pro
c.Crypt'98, Springer LNCS, vol.1462, pp.472-485, 1998. 4: Toshiya Ito, Shigeo Tsujii, "Fast Inverse Algorithm in Finite Fields Using Regular Basis,", Theological Theory ( A), vo
l.J70-A, no.11, pp.1637-1645,1987. 5: Tetsutaro Kobayashi, Kazumaro Aoki, Bung Hoshino, "Incremental expansion OE"
F, "SCIS2000, B02,2000. 6: JKMassey and JKOmura, Patent Application of
"Computational method and apparatus for finite fie
ld arithmetic, "submitted in 1981. 7: DBBailey and C.Paar," Inversion in Optimal Ex
tension Fields, "Conference on The Mathematics of p
ublic Key Cryptography.The Fields Institute forRese
arch in the Mathematical Sciences, Toronto, Ontario,
1999 8: DEKnuth, The Art of Computer Programming.volu
me2: Seminumerical Algorithms, Addison Wesley, 1981 9: I. Blake, G. Seroussi and N. Smart, Elliptic Curves
in Cryptography, Cambridge University Press, LMS, vo
l.265,1999.

[Brief description of drawings]

FIG. 1 is a schematic diagram of a cryptographic communication system to which the present invention is applied.

FIG. 2 is a flowchart showing an inverse element calculation algorithm according to the present invention.

FIG. 3 is a flowchart showing an Ito-Tsujii inverse element calculation algorithm.

[Explanation of symbols]

1-4: communication device 5: Elliptic curve cryptographic processing device 6: Multiplier 7: Inverse element calculation unit

Continued front page    (72) Inventor Akinori Saito             2-3-18 Tsushima Minami, Okayama City, Okayama Sharm             Okamoto 301 F-term (reference) 5J104 AA25 JA24 NA16

Claims (8)

[Claims] 1. A Galois extension field GF in a processing method of an elliptic curve cryptosystem having a Galois extension field GF (P ^m ) as a definition field.
(P ^m ) is that its characteristic P is a prime number of the form P = 2 ⁿ ± c (log ₂ c ≦ n / 2), and the expansion order m is an even number m +
1 is a prime number, and there exists an m-th order irreducible polynomial f (x) = (x ^{m + 1} −1) / (x−1), and the set (ω ¹ , ω ² , ... , Ω
An elliptic curve cryptographic processing method characterized by being defined by using ^m ) as a basis. 2. The logarithmic value log ₂ P of the characteristic P of the Galois extension field GF (P ^m ) is a prime number near the word length 16, 32, 64 of the computer. Elliptic curve cryptography processing method. 3. An arbitrary binary A = a ₁ ω + a ₂ ω ² + ... a _m ω ^m , a _i εGF of a Galois extension field GF (P ^m ).
(P) B = b ₁ ω + b ₂ ω ² + ... b _m ω ^m , b _i εGF
For (P), the polynomial product _{A × B = a 1 b 1} ω 2 + (a 1 b 2 + a 2 b 1) ω 3 + ··· + a m b m ω 2m = c 2 ω 2 + c 3 ω 3 + ・ ・ ・ + C _2m ω ^2m is calculated by the following polynomial remainder arithmetic expression [Formula 1] The elliptic curve cryptographic processing method according to claim 1 or 2, wherein: 4. The operation of the inverse element A ⁻¹ of A is performed by setting A to an arbitrary element,
^Assuming that A ^* is a reciprocal vector of A and B and C are arbitrary elements represented by a self-reciprocal vector, the condition of the following equation Therefore, in the first step, B is calculated by B = A · A ^* , and in the second step, C is calculated by , D = B · C is calculated in the third step, the inverse element d ⁻¹ of d is calculated in the fourth step, and A ⁻¹ = A ^* · C is calculated in the fifth step. The elliptic curve cryptographic processing method according to claim 1 or 2, wherein the ^value is obtained by calculating d ^-1 . 5. A Galois extension field GF in a processor of an elliptic curve cryptosystem having a Galois extension field GF (P ^m ) as a definition field.
(P ^m ) is that its characteristic P is a prime number of the form P = 2 ⁿ ± c (log ₂ c ≦ n / 2), and the expansion order m is an even number m +
1 is a prime number, and there exists an m-th order irreducible polynomial f (x) = (x ^{m + 1} −1) / (x−1), and the set (ω ¹ , ω ² , ... , Ω
An elliptic curve cryptographic processing device comprising means for performing cryptographic processing by an elliptic curve defined by using ^m ) as a base. 6. The logarithmic value log ₂ P of the characteristic P of the Galois extension field GF (P ^m ) is a prime number near the word lengths 16, 32, 64 of the computer. Elliptic curve cryptographic processor. 7. The means for performing cryptographic processing is Galois extension field GF.
Any binary A = (a ₁ ω + a ₂ ω ² + ... a _m ω ^m , a _i εGF of (P ^m ).
(P) B = b ₁ ω + b ₂ ω ² + ... b _m ω ^m , b _i εGF
For (P), the polynomial product _{A × B = a 1 b 1} ω 2 + (a 1 b 2 + a 2 b 1) ω 3 + ··· + a m b m ω 2m = c 2 ω 2 + c 3 ω 3 + ... + c _2m ω ^2m is calculated by the following polynomial remainder arithmetic expression [Formula 4] The elliptic curve cryptographic processing device according to claim 5, further comprising a multiplication unit that calculates 8. The means for performing the cryptographic processing is the calculation of the inverse element A ⁻¹ of A, where A is an arbitrary element, A ^* is a reciprocal vector of A, and B and C are arbitrary elements represented by a self-reciprocal vector. , The condition of the following formula [Formula 5] Thus, in the first step, B is calculated by B = A · A ^* , and in the second step, C is calculated by , D = B · C is calculated in the third step, the inverse element d ⁻¹ of d is calculated in the fourth step, and A ⁻¹ = A ^* · C is calculated in the fifth step. The elliptic curve cryptographic processing device according to claim 5 or 6, further comprising an inverse element calculation unit that obtains by calculating d ^-1 .