JP2003507761A - Pseudo random number forming method and digital signature method - Google Patents

Abstract

(57) [Summary] The present invention relates to a method for forming a pseudo-random number and an electronic signature method. In the pseudorandom number forming method of the present invention, at least two points are obtained on at least two different elliptic curves, and the points are combined to form a pseudorandom number. By combining the points of different elliptic curves as one pseudo-random number, it is not possible to infer individual elliptic curves from the formed pseudo-random numbers. This significantly increases the security of the encryption means according to the method of the invention. This is because the calculation of the discrete logarithm becomes impossible.

Description

Detailed Description of the Invention

[0001]   The present invention relates to a pseudo random number forming method and a digital signature method.

Random numbers are required by cryptographic techniques for encrypting and signing messages. Reference Otto Leiberich, "Vom diplomatischen Code
zur Falltuerfunktion ", Jun. 1999, pp. 26-34, describes the evolution of cryptography in the Federal Republic of Germany, which describes the symbol sequence process that was once used, and in this process A very long unstructured sequence of symbols, the so-called character worm or character stream, was appended symbolically to the plaintext message to be encrypted.
These are first a = 0, b = 1 ,. ． ． , Z = 25 according to a predetermined scheme. No number greater than 25 will occur, so an addition with modulo 26 is performed. In the computer age, texts were converted to binary numbers, and 0 and 1 were added modulo 2. The receiver subtracts the character stream (modulo 26 or modulo 2) from the received secret text, thereby obtaining the plaintext.

The character stream is formed using a random number generator. Random number generators were previously based on the high frequency voltage fluctuations of certain tubes, so-called thyratrons,
It later became based on the phenomenon of radioactive decay.

However, since the character streams must be surely transmitted in parallel between the transmitters and receivers, this process requires reliable data transmission at a large flow rate.

Therefore, a so-called pseudo-random number generator, which is a method of forming pseudo-random numbers, has been developed, and it has become possible to form a pseudo-random number sequence of almost arbitrary length depending on a key. According to this, even in the above-mentioned encoding method, since only the unique key with the communication partner needs to be secretly transmitted, it can be handled much more easily than the method of transmitting the complete character stream each time.

To today's public networks, such as the Internet, processes have been developed that allow two parties trying to communicate with each other for the first time to send encrypted messages. This process is the so-called asymmetric key process, also called the public key method, which exposes the so-called public key to the recipient.

One of the known methods of this type is the so-called RSA method, in which each component of the key is
The so-called key module is the product of two large prime numbers. The sender of the message knows only the key module or product and encrypts the message according to a predetermined mathematical function. However, knowledge of the product is not enough to decode the message, and two prime numbers are required. Due to these prime numbers and the corresponding inverse functions, the encrypted message can only be decrypted by the legitimate recipient who formed the key.

Decomposing a key module into its divisors or two primes is virtually impossible at normal computational cost if the module is large. Johannes Buchmann, "Fakt
orisierung grosser Zahlen ", Spektrum der Wissenschaft, Sep. 1996 pp. 80-88
The page details the problem of prime factorization of large numbers and shows the cost of decomposing 129 digit numbers. This number has been decomposed into individual prime numbers by 600 computer-assisted volunteers.

The drawback of the RSA method is that the encryption of the message is very time consuming. This is because a very large number (about 1000 digits in binary or about 300 digits in decimal) must be used to guarantee sufficient security. As such a large number must be synergized with another, similarly large number, the encryption of the data to be transmitted cannot be done quickly enough. Therefore, the RSA method is used only for the purpose of encrypted transmission of a key that requires confidentiality with respect to the conventional process of performing the original encryption.

As an alternative to the RSA method, elliptic curve based processes have been developed. Cryptographic techniques deal only with elliptic curves over finite fields. An elliptic curve on a finite field forms a point group defined by addition and multiplication, and this addition and multiplication have nothing in common with ordinary addition and multiplication and calculation rules. Multiplication on an elliptic curve over a finite field is a one-way function, and inversion (so-called discrete logarithmic calculation) is computationally infeasible in the usual case. On the other hand, normal multiplication can be performed very easily and quickly.
This fact is exploited in the elliptic curve-based encryption process by the recipient choosing a random number t and finding the curve point T based on a multiplication of the random number t and t on the elliptic curve. The curve point T is disclosed as a key, whereas the random number t is kept secret to the receiver. The sender uses the curve point T to encrypt the message, which can only be decrypted by the recipient who knows the random number t based on the curve point T.

This type of elliptic curve based process requires significantly less computing power for the same degree of security as the RSA process. This process is incorporated in a microcomputer, eg a chip card. Siemens has a trademark SLE44C
We are dealing with the R80S chip card, which incorporates an elliptic curve based signature process.

A random number is also required when forming a public key to be disclosed to the receiver and a corresponding secret key.

It is therefore an object of the present invention to provide a simple and fast method for generating pseudo-random numbers on an elliptic curve basis, so that a large number of high quality random numbers can be generated.

[0014]   This problem is solved by a method having the features of claim 1 of the present invention.

A further object of the present invention is to provide an elliptic curve-based electronic signature method and apparatus therefor, which has a smaller memory space and a smaller computing device (eg, an electronic signature method and electronic signature apparatus based on the known elliptic curve). Chip card) is to be able to embed.

This task is solved by a method having the features of claim 11 of the invention and an apparatus having the features of claim 12 of the invention.

[0017]   Advantageous embodiments of the invention are described in the dependent claims.

In the pseudo random number forming method according to the first aspect of the present invention, a set of points existing on at least two different elliptic curves on a finite field is obtained, and a random number is obtained depending on each set of points.

According to the invention, two different elliptic curves are used and the pseudo-random numbers are derived from a set of points, where the two points of the set are on different elliptic curves. , It is not possible to infer the curve point from the pseudo random number thus obtained. If only one elliptic curve is used to form the pseudo-random number, the discrete logarithm calculation can infer the curve points from the pseudo-random number. This may cause a third party to obtain a calculation rule for a pseudo random number and predict another pseudo random number. This creates a great security risk, which is avoided with the present invention.

The method of the invention for digital signatures combines the well-known signature process with the pseudorandom number generation process of the invention. The same routine or device is used in both the signature process and the random number generation process. This can save significant program code and memory space. In addition, EC Alicemetric optimization is advantageous both when generating pseudo-random numbers and when directly performing the signature process. By using the elliptic curve based routines and equipment in duplicate, synergistic effects are achieved.

Furthermore, the pseudo-random number generated according to the present invention is not different from the random number of the true random number generator, and can be generated with a relatively small calculation cost.

The present invention will be described in detail below with reference to the illustrated embodiments. FIG. 1 schematically shows an elliptic curve on a real number. FIG. 2 schematically shows an elliptic curve on a finite field. FIG. 3 schematically shows how two points of an elliptic curve on a real number are added. FIG. 4 shows the points of the elliptic curve y ² = x ³ + 2x + 9 on the field of the modulo 13 which forms a periodic group with roughly 17 points. FIG. 5 shows a schematic flow chart of the method sequence of an embodiment of the invention. FIG. 6 is a flow chart schematically showing the basic principle of the pseudo random number forming method of the present invention.
FIG. 7 schematically shows the structure of a program for executing the electronic signature method of the present invention.

First, a mathematical basis for elliptic curve calculation will be briefly described. The elliptic curve on the field K is the curve described by the cubic equation y ² = x ³ + ax + b. Here, a and b consist of K, and 4a ³ + 27b ² ≠ 0. The set (x, y) consists of K × K and satisfies the above equation. The formal set (∞, ∞) is called the point of the curve E on K.

An elliptic curve over real numbers is shown in FIG. From this it can be seen that the elliptic curve is not an ellipse.

FIG. 2 shows an elliptic curve on a finite field. The concept "field" of algebra is defined as a "number domain" that can be added, subtracted, multiplied, and divided from rational numbers according to known formal calculation rules. There are infinite fields such as rational numbers, real numbers, complex numbers and finite fields. The finite field is, for example, a modulo p number field GF (p) where p is a prime number, or a binary vector field GF (2 ⁿ ) of length n. GF stands for "Galois field", which is synonymous with finite field. Cryptography only deals with elliptic curves over finite fields.

FIG. 3 shows the addition of _two points P ₁ and P ₂ of the elliptic curve on the real number, from which the point P ₃ results. In this addition, the connecting straight line of the points P ₁ and P ₂ is formed, and the third intersection with the elliptic curve is obtained. This intersection is inverted on the x-axis, and the result of addition of P ₁ and P ₂ is P ₃ .

[0027]   The addition of points on the elliptic curve is expressed by the following equation.

When x ₃ = r ² −x ₁ −x ₂ y ₃ = r (x ₁ −x ₃ ) −y ₁ x ₁ ≠ x ₂ , r = (y ₂ −y ₁ ) / (x ₂ −x ₁ ) When P ₁ = P ₂ , r = (3x ₁ ² + a) / 2y ₁ where x _i and y _i are coordinates of the point P _i (i = 1, 2, 3).

[0029]   These equations also hold for elliptic curves over finite fields.

By repeating the addition of the points, the multiplication of the curve points and the integer k is defined. That is, k * P = P + P +. ． ． + P (sum of k times).

The multiplication of curve points and integers is simple and fast, whereas the task of inversion, the so-called discrete logarithm calculation, is generally not solvable without enormous computational cost. . There is no quasi-exponential time algorithm for this. Therefore, since the multiplication of this point is a one-way function, it is used in the so-called public key process.

A method of forming a pseudo random number according to the present invention will be described below with reference to the embodiment shown in FIG.

The first elliptic curve E on the field GF (p) is given by That ^{(y 2) modp = (x} 3 + 6x + 605067903441846547388214966045455206952938406771) modp where a ^{p = 2 160 -47 = 1461501637330902918203684832716283019655932542929,} p is a prime number of 160bit.

[0034]   The elliptic curve E on GF (p) is the order of the group #E (GF (p)) = 7 * q Has q = 208785948190128988314812461240940947434505754881 And q is a 128-bit prime number.

The degree of the group of elliptic curves is the number of elements of the point group, and thus the number of solutions of the defining equation of the elliptic curve E on the field GF (p). As the maximum divisor of the prime of the group order increases, the discrete logarithm calculation becomes difficult. The magnitude of the group order and the maximum divisor of its prime is a measure of the quality of the method of the invention. Here, the order of the groups must be at least 2 ¹⁰⁰ or preferably 2 ¹³⁰ .

The second elliptic curve E ′ on the field GF (p) is given by the following equation. That is, (y ² ) modp = (x ³ + 3x + 168756385740498547400152923318200148712149363991) modp.

Curve E ′ is homogenous to curve E. That is, when the curve E has a shape of y ² = x ³ + ax + b, the curve E ′ has a shape of y ² = x ³ + ac ² x + bc ³ . Here, a, b, and c are composed of GF (p), and c is the modulo p square non-remainder. In this embodiment, c = 503145425704462245322517599589013227703324936803 corresponds to c.

The use of two homogeneous curves instead of two arbitrary curves has significant advantages. The order of the elliptic curve E ′ on GF (p) can be easily derived from the order of the group of elliptic curves E. This is because the sum of the two orders is 2p + 2, and therefore the formula #E '(GF (p)) = 2p + 2- # E (GF (p)) holds.

[0039]   In this embodiment, for the order of the group E ' #E '(GF (p)) = 2p + 2- # E (GF (p)) = 11 * 19 * q' Is obtained here q '= 4581509834893112596249788202965452687367789347 And q'is a prime number having a length of 152 bits.

[0040]   The two points P and P'of the curves E and E'are, for example, P (27, 1199480719563308855489368355308026541006624847440) P '(318, 767790262932904318810390534329377261151321453045) And the two start values s and s'are selected, for example, s = s' = 2.

By obtaining the elliptic curves E and E ′, the points P and P ′, and the start values s and s ′, step S1 in FIG. 5 is completed. The method sequence moves to step S2,
Here, the points P and P'are multiplied by the start values s and s'. The result is PA, PA '
Expressed as The multiplication is performed according to the addition shown in FIG. 3 as s additions or s ′ additions.

The points PA and PA ′ are delivered to the part of the rule (Vorschrift) for obtaining random bits (step S3). In this embodiment, the x coordinate of the two points PA and PA 'is XO.
Combined by R and divided by c.

The following holds for the same type of elliptic curves E and E ′. Any x from GF (p)
For x is the x-coordinate of two different points on the elliptic curve E, or x is the x-coordinate of one point on the elliptic curve E. cx is the x-coordinate of one point on the elliptic curve E ', or x is not the x-coordinate of one point on the elliptic curve E but cx is the x-coordinate of two points on the elliptic curve E'.
Coordinates. If this x coordinate is divided by c, then any x from GF (p)
Is exactly 2x times the x coordinate. That is, when the x coordinate on the elliptic curve E and the x coordinate on the elliptic curve E ′ divided by c are combined, it is equivalent to combining two arbitrary random number values between 0 and p−1. Becomes The pseudo random number bit thus derived has the property of being a true random bit.

The points PA and PA ′ are transferred from step S2 to step S4. In this step the points P, P'remain unchanged and s, s' are respectively raised by one.

From step S4, the method sequence returns again to step S2. New points PA, PA 'are now formed, passed to step S3 for the calculation of another random bit, and then sent to step S4. This method sequence can be repeated multiple times and can always form new random bits.

The applicant generated random numbers of 20 × 1 million random bits by the above-described random number generation method of the present invention, and subjected these random bits to various statistical tests. Examination revealed no deviations in these truly random bits.

What is important to the present invention is that the random number Z is obtained from the two points PA and PA ′ in step S3, and these are derived from different elliptic curves E and E ′. These two
By combining the two points PA and PA ', the point PA
, PA ′, it is guaranteed that the points P, P ′ cannot be obtained by discrete logarithmic calculation. Therefore, it cannot be inferred by steps S1, S2, S4 how to form points PA, PA 'from the result of step S3. This is indicated by the dashed line in FIG.

The invention is not limited to the embodiment shown in FIG. Within the scope of the invention, another combination of x-coordinates can be selected, for example in step S3. Eg 2
Two x-coordinates can be combined with each other by modulo p addition. Alternatively, the y coordinates may be combined. It is also possible to combine the x and y coordinates. Further, in the scope of the present invention, P is used instead of fixed elliptic curves E and E ′ having points P and P ′.
After calculating A, PA ', new curves E ^* , E ^* ', P ^* , P ^* 'are obtained and can be used in the calculation of the next points PA ^* , PA ^* '. The values s and s'can also be changed by themselves. It is only important for the present invention that the values s, s' are integers. These values need only be generated at the start of the method of the invention, for example by means of a simple random number generator, and do not have to meet high requirements.

FIG. 6 shows the basic principle of the method of the present invention. This method includes step S5,
Has a loop consisting of S6, where in step S5 two curves and two
Two elliptic curves E, E ′ and two points P, P ′ on one starting value s, s ′ are selected. In step S6, the points P, P'and s, s' are multiplied and PA
, PA 'is obtained. Each time the loop S5, S6 is repeated, E, E ', P, P',
At least one set of s and s'is changed. Also, two of these, or three
All sets may be modified according to predetermined rules.

Each time the loop is iterated, a new set of numbers PA, PA ′ is formed and passed to method step S 7. In this step, the two points PA, PA 'are each combined into one pseudo-random number Z.

Since the elliptic curve-based process uses multiplication on the elliptic curve as a one-way function, the device for performing this process is provided with routines and devices for alicemic on the elliptic curve. There is. This process also requires random numbers to form the private and public keys. By using the random number generation method of the present invention, it is possible to form a high quality pseudo random number and keep the program code small. This is because existing routines can be used in duplicate. This saves significant resources and at the same time significantly improves the security of the process.

FIG. 7 schematically shows the structure of a program for implementing the method of the present invention in a block circuit diagram. This program consists of a program section P1 which executes the signature process and a program section P2 which multiplies an elliptic curve over a finite field. A random number is supplied to the program section P1 from another program section P3, where the program section P3 further depends on the program section P2 which multiplies on an elliptic curve. Data input stream I and data output stream O are shown in program section P1. Here the data input stream is the message to be signed and the data output stream is the signature. Further, the program section P1 outputs the secret key and the public key to the data output stream O. The functions of the program section P1 correspond to the known elliptic curve-based signing process and signing device.

The method of the invention can advantageously be used in computing devices with a relatively small computing capacity, for example chip cards. This is because the corresponding program code is extremely compact and the number of numbers to be processed is much shorter than in the case of RSA processes of the same security level. However, it is also possible to run this program on an electronically readable data carrier.

[Brief description of drawings]

[Figure 1]   It is a figure which shows the elliptic curve on a real number.

[Fig. 2]   It is a figure which shows the elliptic curve on a finite field.

[Figure 3]   It is a figure which shows a mode that two points of an elliptic curve on a real number are added.

FIG. 4 is a diagram showing points of an elliptic curve y ² = x ³ + 2x + 9 on the body of mod 13.

[Figure 5]   4 is a flowchart of a method sequence according to an embodiment of the present invention.

[Figure 6]   3 is a flowchart of the basic principle of the pseudo random number forming method of the present invention.

[Figure 7]   It is a figure which shows the structure of the program which performs the electronic signature method of this invention.

Claims (12)

[Claims] 1. At least two points (P, P ′) are obtained from at least two different elliptic curves (E, E ′) on a finite field (GF), and the at least two points (P, P ′) are obtained.
, P ′) are combined to form a pseudo-random number. 2. A set of points (P, P ′) is determined to form a pseudo-random number, and the respective two elliptic curves (E, E ′) are used in determining each set. The method described in 1. 3. The two elliptic curves (E, E ′) are of the same kind as each other.
The method described. 4. The first set of points (P, P ') is defined by two start values (s, s').
The method according to any one of claims 1 to 3, which is determined depending on 5. The method according to claim 4, wherein another set of points (P, P ′) is determined by varying the start value (s, s ′) according to a predetermined rule. 6. A different set of points (P, P ′) is determined by varying the elliptic curve and / or the points (P, P ′) according to a predetermined rule. The method according to claim 1. 7. A method as claimed in claim 1, wherein the coordinates of the two points (P, P ′) are combined with each other in order to obtain a random number. 8. The x-coordinates of two points (P, P ′) are mutually connected, in which case 2
Method according to any one of claims 1 to 7, wherein the two elliptic curves (E, E ') are homogeneous. 9. A group of points (E (G) of an elliptic curve (E, E ′) on a finite field GF (p).
F (p)), E '(GF (p))) has a group order (q, q') of at least 2 ¹⁰⁰ , preferably at least 2 ^{130. 5.} The method described. 10. The method according to claim 1, wherein the elliptic curve is defined on a finite field GF (p), where p is a prime number greater than 3. 11. An elliptic curve-based digital signature method for forming a key based on a random number, wherein the random number is obtained by the random number forming method according to any one of claims 1 to 10. Based electronic signature method. 12. The apparatus for implementing the elliptic curve-based digital signature method according to claim 11, wherein the multiplication is performed within a point group of an elliptic curve (E, E ′) on a finite field (GF (p)). And a signature device, and a device that forms a pseudo-random number by the pseudo-random number forming method according to claim 1, wherein the signature device and the device that forms the pseudo-random number are An apparatus for performing an elliptic curve-based digital signature method, characterized in that the apparatus for performing the multiplication is used.