JP2004139125A - Signature by elliptic curve, authentication, and secret communication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a safe and secure signature, authentication, and secret communication system using an elliptic curve. <P>SOLUTION: In the elliptic curve, (1) a finite field GF(p) as the field of definition of the elliptic curve is made so that a positive integer d such that the class number of an imaginary quadratic field Q[(-d)<SP>1/2</SP>] is small is taken, and that a prime number p is expressed by 2<SP>t</SP>-α (where α is a small number), in which p+1-a or p+1+a can be divided by a large prime number and 4p-a<SP>2</SP>=d×b<SP>2</SP>is expressed for an integer a. On the finite field GF(p), the elliptic curve and an element, having a j-invariant of the root of a class polynomial H<SB>d</SB>(x)=0, are used. (2) En such as the elliptic curves E<SB>1</SB>, E<SB>2</SB>, and so forth, having a finite field GF(p<SP>r</SP>) as the field of definition, are constituted so that the number of elements is the same, although they are not isomorphic each other, and the elliptic curve to be used is properly changed. <P>COPYRIGHT: (C)2004,JPO

Description

{Circle around (1)} The present invention relates to encryption technology as information security technology, and particularly to encryption technology using an elliptic curve.

In recent years, it has become popular to communicate with each other using a publicly available digital communication network or to provide broadcast programs for a fee. By the way, when using a publicly available communication network, it is difficult to completely prevent eavesdropping and spoofing by a third party, or erroneous transmission destination by a sender. For this reason, secret communication systems and communication systems called signature and authentication systems have become important. Here, the secret communication method is a method of performing communication without leaking communication contents to a person other than a specific communication partner. The signature and authentication communication system is a communication system that shows the validity of communication contents to a communication partner or proves that the person is a person. The signature, authentication, and secret communication methods include a communication method called public key encryption. Public key cryptography is a method for easily managing a different encryption key for each communication partner when there are many communication partners, and is a fundamental technology indispensable for communicating with many communication partners. Hereinafter, the principle and procedure related to the present invention will be briefly described based on a historical background. The general technology such as the secret communication method is described in detail in Shinichi Ikeno and Kenji Koyama, "Contemporary Cryptography Theory", published by The Institute of Electronics and Communication Engineers, 1986
(1) A secret communication method using a discrete logarithm problem on a finite field.
(principle)
Let p be a prime number, g be its primitive root, u be any natural number, and α be the remainder of g raised to the power of u. That is, g ^u ≡α (mod p). In this case, it is easy to obtain α when g, p, and u are given. However, if p is a prime number of about 140 digits, it is difficult to obtain u from g, p, and α even today when large-scale computers have developed. This is because, when there are two prime numbers r and s, it is easy to find the product from r and s. However, if r and s are each about 140 digits, the product becomes 280 digits. Determining r and s by decomposition can be difficult.

Next, let v be any other natural number, and let β be the remainder modulo g to the power of v. That is, g ^v ≡β (mod p). In this case, the remainder of α raised to the power of p modulo and the remainder of β raised to the power of u raised modulo p are equal.
That is, ^{α v ≡ (g u) v} ≡ (g v) u ≡β u (mod p).
(procedure)
Hereinafter, referring to FIG. 2, a discrete logarithm problem on a finite field using this principle (in the theory of number, it is difficult to find an exponent from a modulus, a remainder, and a primitive root, but in the communication field, this is usually As an example of a procedure of a secret communication method using the above-mentioned method, a method called a shared key encryption method will be described.

P and g are given by the provider of the communication network, and each user is notified.
The user U selects an arbitrary natural number u, and calculates α by calculating g ^u ≡α (mod p).
The user V similarly selects v, and calculates β by calculating g ^v ≡β (mod p).
The user U informs the user B that u holds the secret and α using the public communication network, while the user V holds the v and keeps β using the public communication network. Notify

Both calculate the remainder k _uv modulo p of g ^uv , use this as a shared key for both, and keep it secret to third parties.
Here, k _uv ≡g ^uv (mod p).
The above procedure will be specifically described with a small prime number as an example for convenience of understanding.
Let p = 11 and g = 2. Now, assume that the user U has taken 4 as u. In this case, g ^u = 2 ⁴ = 16 and the remainder modulo 11 of 16 is 5, so α = 5. Similarly, assume that the user V has taken 8 as v. In this case, g ^v = 2 ⁸ = 256, and the remainder of 256 modulo 11 is 3, so β = 3. Further, the remainder modulo 11 is 4 (mod 11) for both α ^v = 5 ⁸ and β ^u = 3 ⁴ , so that k _uv = 4.

When the user U transmits a message to the user V, the message is divided into a certain number of pieces of message as bit information, and k _uv is calculated for each segmented bit information to keep it secret.
The sentence is (010). k _uv = 4, which is (100) in binary. Therefore, if the operation is now an exclusive OR operation, the secret sent message is ｛(010) XOR (100) =｝ (110).

Then, it transmits to the user V.
On the other hand, the user V that has received the message obtains the original message by decoding using _kuv .
If the received ciphertext is (110), the decrypted message is ｛(110) XOR (100) =｝ (010).

Of course, the above operation may be addition or subtraction assuming a binary number, or another logical operation for each corresponding bit.
This method does not know u or v, even if a third party can learn α and β from each other by eavesdropping or the like when users U and V mutually communicate α and β using a public communication network. It is based on the fact that it is difficult to know _kuv as much as possible.

Also, in the above communication method, the received user V knows K _uv only from the user U. Therefore, if the decrypted received sentence has meaningful contents, it is certainly sent from the user U. You will also get confirmation that they have
Further, the users W, X, etc. select arbitrary natural numbers w, x,..., For example, the user U and the user W use a large number of users, such as using the remainder modulo p of ^gu · ^w as a shared key. Has the advantage that it can be flexibly dealt with.

Further, each user U, V, W,... Periodically changes the secret natural numbers u, v, w, etc. to other natural numbers u ′, v ′, w ′,. May use different natural numbers u ₁ , u ₂ ,... Depending on the communication partner. Therefore, when used in an organization such as a company, it is possible to flexibly cope with an organization change.
In actual cryptographic communication, instead of the prime number p, the product of a plurality of sufficiently large prime numbers p, q, r,... Or the square or the third power of p is used, or the primitive root g is sufficiently replaced. A natural number with a large order may be used.

However, with the development of large computers in recent years, the theory of mathematics (higher-order reciprocity in the field theory, decomposition rules, etc.) is based on a method of obtaining u from g, p, and α with a relatively small amount of calculation. Various developments are underway.
One measure is to make the prime number p sufficiently large, such as 200 digits instead of 140 digits. However, in this case, inconveniences such as an increase in the absolute amount of various necessary calculations as the number of digits is large may occur.

For these reasons, a secret communication system using an elliptic curve has been developed.
This will be described below.
(2) A secret communication method using a discrete logarithm problem on an elliptic curve.
Hereinafter, the discrete logarithm problem on the elliptic curve will be described. This is described in detail in Neil Koblitz, "Explanation of Number Theory and Cryptographic Notation (Translation)", Springer Bookstore 1987, (Neal koblitz, "A Course in Number Theory and Cryptography", Springer-Verlag, 1987). I have. The theory of the elliptic curve itself is described in Japanese literature by Goro Shimura and Yutaka Taniyama, "Modern Number Theory", Kyoritsu Shuppan, 1957.
(Elliptic curve itself and operation on it)
The elliptic curve refers to a one-dimensional Abel (Abel) manifold or an irreducible nonsingular projective substitution curve of genus 1, and is represented by, for example, Y ² = X ³ + aX + b. Now, assuming that two points on the elliptic curve are BP ₁ and BP ₂ , the calculation BP ₁ + BP ₂ is defined as follows.

BP ₁ and the straight line connecting the BP ₂ is a BP ₃ 'line symmetrical points with respect to the X axis of the third point BP ₃ intersects this elliptic curve. This BP ₃ ′ is BP ₁ + BP ₂ . FIG. 3 shows the contents of this calculation. If BP ₁ = BP ₂ , the _{straight line connecting} BP ₁ and BP ₂ means a tangent to BP ₁ .
By the way, when this elliptic curve is E, E {GF (q)} is used for encryption. Here, q is a prime power, GF (q) is a finite field (Galois Field), and a group generated under an element on the GF (q) of the elliptic curve E is E {GF (q)}.

As a simple example of E {GF (q)}, E is an elliptic curve of y ² = x ³ + 3x + 2, and when q = 5, its elements are (1,1) and (1, −1). ), (2,1), (2, -1) and the point at infinity.
(principle)
Next, the property of E {GF (q)}, that is, the principle of the basis of secret communication will be described.

An element BP in which the order of E {GF (q)} is divisible by a large prime number is a base point, and d is an arbitrary natural number. At this time, it is easy to calculate d · BP from BP and d (add BP d times). However, for a given element Q and BP of E {GF (q)},
Q = d ・ BP
The problem of finding d if there is a natural number d is difficult even if BP, q, etc. are natural numbers of about 30 digits even today, when computers are developed. Here, BP plays a role corresponding to g on a finite field GF (p) modulo p.
(procedure)
It is not fundamentally different from the case on the finite field.

That is, E {GF (q)} corresponds to p, BP corresponds to g, d corresponds to u or v, and u of g modulo p An operation in GF (p), such as finding the remainder of the power, is an operation in E {GF (q)}.
However, the point on the elliptic curve is given by two-dimensional coordinates of the x-axis and the y-axis, while the message is one-dimensional. For this reason, among the two-dimensional coordinate values, only one of the x-coordinate value and the y-coordinate value is used in the arrangement between the users in advance, and only one of the two coordinate values is arbitrarily selected for each communication. The difference is that a procedure such as sending data for enabling the user to determine which one is used separately is added.
(3) Current direction of development of secret communication systems using elliptic curves.

By the way, as for the discrete logarithm problem on the elliptic curve, in 1991, a solution was devised in which the discrete logarithm problem on the elliptic curve was reduced to a discrete logarithm problem on a finite field and was relatively easily solved. However, except for this, there is no solution called a sub-exponential that can be solved by a calculation of about the logarithm compared with the number of digits of p. When a subexponential solution is used, the ordinary discrete logarithm problem of an elliptic curve on a definition field having a size of about 100 bits can be relatively easily solved. This solution, devised in 1991, is called the MOV reduction method, and is written by A. Menezes, Es Vanston, and T. Okamoto. STOC 1991, (A. Menezes, S. Vanstone and T. Okamoto, "Reducing Elliptic Curve Logarithm to Logarithms in a Finite Field", STOC 91). In the MOV reduction method, q is a prime power, an elliptic curve defined on a finite field GF (q) is E, and a group composed of elements of E on GF (q) is E {GF (q)}. I do. In this case, the discrete logarithm problem on the elliptic curve based on E (GF (q)) ∋BP is such that when the order of BP and q are relatively prime, an extended field GF (q ^r ) Is solved by reducing to the above discrete logarithm problem. In particular, when E is an elliptic curve called a super singular, it can be solved by reducing to a discrete logarithm problem on a finite field GF (q) at most on a sixth-order extended field GF (q ⁶ ).

Therefore, research has been conducted to construct an elliptic curve so as to avoid the solution by the MOV reduction method. There are various methods. For example, T. Beth, F. Schaefer, "Non Supersingular Elliptic" (E.), "Non-Supersingular Elliptic Curves in Public-Key Cryptography Systems" Curves for Public Key Cryptosystems ", Eurocrypt 91, 1991) or Mitsuko Miyachi," On ordinary elliptic curve cryptosystems ", Asiacrypt'91, 1991). When constructed using these methods, there is currently no solution that gives a subexponential algorithm (rules for logical operations etc. to achieve a certain purpose), so it is as secure as the discrete logarithm problem on a finite field. Sex can be composed of much smaller definitions.

However, in the case of an elliptic curve, one or two additions on the elliptic curve require 12 or 3 multiplications.
That is, when BP ₁ (x ₁ , y ₁ ) and BP ₂ (x ₂ , y ₂ ) on the elliptic curve
Generally,
BP ₁ + BP ₂ = {f ₁ (x ₁ , y ₁ , x ₂ , y ₂ ), f ₂ (x ₁ , y, x ₂ , y ₂ )},
If BP ₁ = BP ₂ ,
2BP ₁ = {g ₁ (x ₁ , y ₁ ), g ₂ (x, y)}
Where f ₁ , f ₂ , g ₁ , g ₂ are functions of only 12.3 operations on GF (p). For this reason, even if the size of the definition field becomes small, the processing speed does not increase very much. Therefore, researches have been conducted to avoid the MOV reduction method and to further increase the processing speed. Hereinafter, the latter research will be described.
(4) A conventional technique for increasing the processing speed of encryption using an elliptic curve.

One is detailed in N. Koblitz, "CM-curves with good cryptographic properties", Crypto'91, 1991, "CM-curves with good cryptographic properties" by N. Koblitz. Explained.
FIG. 4 shows an outline of the procedure of the configuration of an elliptic curve for increasing the processing speed of the signature, authentication and secret communication system in the conventional example.

Hereinafter, the procedure of the conventional example will be described with reference to FIG.
(S1) Determination of Elliptic Curve Candidate Consider an anomalous elliptic curve having the following two GFs (2) as definition fields.
E ₁ : y ² + xy = x ³ + x ² +1
E ₂ : y ² + xy = x ³ +1
The group E {GF (2 ^m }) composed of elements on the GF (2 ^m ) of the elliptic curve E is the following group.

^{_{E 1 {GF (2 m)}} } = {x, y ∈GF (2 m) | y 2 + xy = x 3 + x 2 +1} ∪ {∞}
^{_{E 2 {GF (2 m)}} } = {x, y ∈GF (2 m) | y 2 + xy = x 3 +1} ∪ {∞}
Where ∞ represents the point at infinity.
(S2) Determination of Appropriate Expansion Order m As described above, in the above-mentioned discrete logarithm problem of the elliptic curve which is the basis of the security of the public key cryptography, the order of the elementary BP as the base point must have a large prime factor. It is known that it can be easily solved.

A necessary and sufficient condition for the existence of an element BP having a large prime factor is that the number of elements of E {GF (q)} has a large prime factor.
Therefore, m is determined such that the original number #E _i {GF (2 ^m )} of the elliptic curve E _i described in (S1) is divisible by a large prime factor. (Where i = 1, 2)
Note that the number of elements of various elliptic curves in E {GF (2 ^m )} or the like can be accurately calculated by a study of Hasse or Deu if m or the like is specifically given. I have. For example, in the above-mentioned #E _i {GF (2 ^m )}, the order is approximately 2 ^m .
(S3) Configuration of Actual Elliptic Curve Since m has a prime factor of 30 digits or more, m is approximately [30 log ₂ 10]. Here, [] is a Gaussian symbol, and means the largest integer less than or equal to the number in the symbol. Hereinafter, basically, by taking some of such m by trial and error, it is determined whether or not it has a prime factor of 30 digits or more based on a formula giving #E _i {GF (2 ^m )}.

The number of elements in the group E _i {GF (2 ^m )} composed of elements on the elliptic curve E _i {GF (2 ^m )} is obtained, and the result of the prime factorization is obtained. When m = 101, #E ₁ {GF (2 ⁿ )} = 2 × prime number p ₁
When m = 131, #E ₂ {GF (2 ^m )} = 4 × prime number p ₂
It turned out that. It is also confirmed that the finite field embedded by the MOV reduction method is sufficiently large.

Therefore, a discrete logarithm problem on an elliptic curve whose base point BP is an element whose order on E2 {GF (2 ¹³¹ )} is a prime number p ₂ or an order on E ₁ {GF (2 ¹⁰¹ )} is a prime p It is concluded that the public key cryptosystem should be constructed based on the security of the discrete logarithm problem on the elliptic curve with the element of ₁ as the base point BP.
Now, a [2] (2-fold) = T-T ² when a mapping of T from E (x, y) to E (x ^2, y ²⁾ is anomalous. This is described in "Mathematics of Elliptic Curves (Translation)" by Jay H. Silverman, Springer Bookstore, 1986 (JHSilverman, "The arithmetic of elliptic curves", Springer-Verlag, 1986). That is, when BP = (x, y), 2BP = (T−T ² ) (x, y) = (x, y) − (x ² , y ² ). For this reason, the elliptic curve configured as described above can be obtained by calculating 2 ⁱ BP = {BP = (x, y); i = 1, 2, 3, 4} as follows.

2BP = BP + BP
4BP = 2 (T−T ² ) = − T ³ −T ²
= − (X ² ＾ ³ , y ² ＾ ³ ) − (x ² ＾ ² , y ² ＾ ² )
8BP = (− T ³ −T ² ) (T−T ² )
= − (X ² ＾ ³ , y ² ＾ ³ ) + (x ² ＾ ⁵ , y ² ＾ ⁵ )
^{16BP = (T 3 + T 2} ) 2 = T 6 + 2T 5 + T 4 = 2T 6 -T 7 + T 4
= T ⁴ -T ⁸
= (X ² ＾ ⁴ , y ² ＾ ⁴ ) − (x ² ＾ ⁸ , y ² ＾ ⁸ )
(Here, ＾ in the superscript means 2 が 3 means 2 ^{3. The} same applies to other cases.)
On the other hand, the computation on the extended field of GF (2) can be neglected when using a normal basis as the basis, so that the calculation of the square is performed by the cyclic shift. Therefore, the calculation of 2 ⁱ BP (i = 1, 2, 3, 4) can be performed by adding the elliptic curves twice, and high speed can be expected. In particular, in E2, the normal base on the definition field GF (2 ¹³¹ ) is an optimal normal base, and the number of logical products and exclusive OR required for one multiplication is minimized. Multiplication) can be expected to be faster. Here, the optimal normal base is one in which the number of terms of the multiplicative function is 2m-1. This is described by R. C. Murin et al., "Optimal Normal Bases in GF (p)", Discrete Applied Mathimatex 22, pages 149-161 (RC Mullin et al., "Optimal normal bases in GF (p ^a )"). "Discrete Applied Mathematics 22 P149-161).

However, in the above conventional example, one addition of the elliptic curve does not always speed up. Therefore, in order to achieve higher speed, the condition for speeding up the operation {the finite field GF (2 ^m ) having the optimal normal basis} and the safe 2 ⁱ multiples (i = 1, 2, 3, 4) It is necessary to find an elliptic curve that satisfies both the conditions of an elliptic curve that simplifies (anoramas elliptic curve and the original number is divided by a large prime number). However, the conditions of both are not in an inclusive relation, and the number of elliptic curves satisfying both is reduced.
(6) Other techniques for speeding up elliptic curves (additive chain)
One of the methods to speed up the calculation of the kBP of an elliptic curve is to study an additive chain. The additive chain is, for example, 2 ｛2 (2BP)｝ − BP instead of simply adding BP seven times to obtain 7BP, as one addition and three doublings. It is done in parallel with the study of the additive chain in the calculation of g ⁱ of a finite field. This is a study to devise the way of holding the preliminary calculation table and the order of calculation. This is described in detail in MJ Coster, "Some algorithms on addition chains and their complexity", Center for Mathematics and Computer Science Report CS-R9024. In the calculation of k · BP using this method and the calculation of k · BP using the method that simplifies the 2i multiple points (i = 1, 2, 3, 4), it is faster to use an additive chain. Is realized.
(About finite field)
For reference, if a cryptosystem using a finite field is described, various speed-up methods have also been proposed. However, since a finite field is used, there is a problem that a definition field used for secret communication becomes large from the aspect of prevention of decryption. For this, DM Gordon, "Discrete logarithmsin GF (p) using Discrete Logarithmsin GF (p) using Discrete Logarithm Problem of Finite Field GF (p) Using Sieve Method of Numbers" the number field sieve ", to appear in SIAM Journal on Discrete Math.).
Shinichi Ikeno and Kenji Koyama, "Modern Cryptography" Published by The Institute of Electronics and Communication Engineers 1986 Neal Koblitz, Commentary on Number Theory and Cryptographic Notation, Springer Bookstore 1987, (Neal koblitz, "A Course in Number Theory and Cryptography", Springer-Verlag, 1987) Goro Shimura, Yutaka Taniyama, "Modern Number Theory" Kyoritsu Shuppan 1957 A. Menezes, S. Vanston, T. Okamoto, "How to reduce a discrete logarithm problem in an elliptic curve to a discrete logarithm problem in a finite field." Okamoto, "Reducing Elliptic Curve Logarithm to Logarithms in a Finite Field", STOC 91) T. Beth, F. Schaefer "Non Supersingular Elliptic Curves for Public Key Cryptosystems", Eurocrypt 91 , 1991) "On ordinary elliptic curve cryptosystems", Asiacrypt'91,1991 N. Koblitz, "CM-curves with good cryptographic properties", Crypto'91, 1991. JH Silverman, "The arithmetic of elliptic curves", Springer-Verlag, 1986. R. C. Mulin et al., "Optimal Normal Bases in GF (pa)" Discrete Applied Mathematics 22 (pp. 149-161) 22 P149-161) MJ Coster, "Some algorithms on addition chains and theircomplexity", Center for Mathematics and Computer Science Report CS-R9024 DM Gordon, "Discrete logarithmsin GF (p) using the number field sieve"", to appear in SIAM Journal on Discrete Math.

However, public key cryptography based on the discrete logarithm problem on the elliptic curve requires high-speed processing. In the case of the method in which the cBP speeds up for a specific natural number c as in Conventional Example 1, it is difficult to increase the kBP speed in combination with the additive chain method when speeding up kBP with respect to a general natural number k. . In addition, when an elliptic curve that satisfies both the condition that the cBP speeds up and the condition that the basic operation speeds up for a specific c becomes large, the definition field becomes large. For this reason, the definition field is small, the calculation of kBP can be performed at high speed with respect to general natural numbers, it is easy to combine with an additive chain, and signature, authentication and secret communication are performed using an elliptic curve whose basic calculation is fast. It is desired.

Also, in order to enhance the security of the cryptographic system, there is the danger that the security of all systems such as transactions that are based on confidential communication will be compromised if the security of one system is compromised, or that the security of one system will be compromised. There is a need to reduce the probability of accidental loss of security. For this reason, it is desirable to periodically change encryption parameters for each system such as a communication partner and communication purpose, or even for the same system. At this time, it is required to minimize the amount of change and to keep the system performance (speed, memory size, etc.) unchanged. In a finite field, this is like changing p periodically, as described above.

However, in the above-mentioned conventional example, it is difficult to construct an elliptic curve that does not change the system performance, because the elliptic curve on GF (2) is raised above GF (2 ^m ). For this reason, an elliptic curve that can change cryptographic parameters for each system or even at the required time even in the same system, and that requires a minimum amount of change in memory size and the like at this time and that can perform high-speed calculations is used. It is desired to perform signature, authentication and confidential communication.

(4) In these cases, the condition that the MOV reduction method cannot be applied to the elliptic curve is, of course, set.

The present invention has been made to achieve the above object. For this reason, the present invention employs a secret communication system including the following procedure.
(1) The provider of the secret communication network provides E {GF (p)} used for the secret communication and its base point BP to each user who is a user of the communication network.
(2) Each user who has been provided with the E {GF (p)} and the base point BP selects an arbitrary natural number as a secret key, and sets the base point BP on the E {GF (p)} by a natural number of times. Find the added value.
(3) Each user keeps a natural number arbitrarily selected by himself / herself confidential, and on the other hand, wishes to communicate as a public key of his / her own, a value obtained by adding BP on E {GF (p)} the natural number of times. The other user is notified to each other by, for example, a communication network.
(4) The two users who communicate with each other hold the public key notified from the other user in secret, each of them being a natural number of times selected by themselves and added on E {GF (p)}. And use this as a shared key between the two.
(5) When two users communicating with each other encrypt and decrypt a message (including video and audio information) as bit information using the shared key, the shared key and the message are kept secret. The contents of the operation used for decoding, for example, addition, exclusive OR, etc. are determined.
(6) One user confidentializes a message using a shared key according to the arrangement, and transmits the message to the other user using a public communication network.
(7) The other user who has received the confidential message decrypts it using the shared key according to the agreement.

Here, E {GF (p)} is as follows.
The positive integer d is set such that the class number of the imaginary quadratic field Q {(− d) ^1/2 } is reduced.
The prime number p is divided into a given integer a by dividing 4 × pa ² by d × square number and p + 1-a or p + 1 + a is divided by a large prime number of 30 digits or more, and is converted into a positive integer t and a small positive integer α. On the other hand, it is a prime number that can be expressed as 2 ^t ± α.

The elliptic curve E has a finite field GF (p) having a j-invariant solution of the class polynomial H _d (x) = 0 determined by _d as a modulo p.
In the present invention, the following is performed. The elliptic curve E is defined as E {GF (p)}, where E {GF (p)} is a group composed of elements on the GF (p) of the elliptic curve E having a finite field GF (p). The original number of｝ is divided by a large prime number of 30 digits or more.

In the present invention, the positive integer α has a size of 2t / 3 bits or less in binary notation.
In the present invention, prime p, a r a positive integer, finite GF (p ^r) of the elliptic curve E with the definition of GF (p ^r) on E {GF (p a group consisting of original when a ^r)}, the elliptic curve E _1, E ₂ having a finite GF (p ^r) to definition, ..., and E _n, but not isomorphic configured so that the original number are equal to each other The elliptic curve to be used is changed by at least one for each system, each communication partner, and one system and one communication partner after a certain period of time, such as one year.

In the present invention, the elliptic curve E is the order of the class polynomial H _d (x) = 0 which is determined by d and n, j ₁ solutions modulo p, ..., when the j _n, these roots elliptic curve E ₁ has the definition of the finite field GF (p) with the j invariant, ..., an E _n.
According to the present invention, in the operation at the time of confidentializing a message using a shared key according to the agreement and at the time of decryption, the property of 2 ^t ≡α (mod p) or 2 ^t ≡−α (mod p) and It is assumed that an additive chain is used.

According to the present invention, a secret communication system including the following procedure is used.
(1) The provider of the secret communication network provides each user with E {GF (p)} used for the secret communication and its base point BP.
(2) Each user who has been provided with E {GF (p)} and the base point BP selects an arbitrary natural number, and adds the base point BP on E {GF (p)} this natural number of times. Find the value.
(3) Each user keeps a natural number arbitrarily selected by himself / herself confidential, and on the other hand, wishes to communicate as a public key of his / her own, a value obtained by adding BP on E {GF (p)} the natural number of times. Notify the other user.
(4) The two users, when encrypting and decrypting the message using the notified public key and random number, determine the method of the content of the message calculation using the public key and the random number. Arrange.
(5) Based on the random number selected by the user in a predetermined procedure and the public key notified by the other user, the other users who have received the notification of the public key can change the message in hardware or software according to the agreement. Encrypt by means.
(6) The user sends the encrypted message to the user who has notified the public key.
(7) The other user who has received the message decrypts the confidential message according to the agreement by hardware or software means. At this time, an integer selected and kept secret by the user is used.

Here, E {GF (p)} is as follows.
The positive integer d is set such that the class number of the imaginary quadratic field Q {(− d) ^1/2 } is reduced. For a given integer a, 4 × p−a ² becomes d × square number for a certain integer a, and p + 1−a or p + 1 + a is broken by a large prime number of 30 digits or more, and for a positive integer t and a small positive integer α Is a prime number that can be expressed as 2 ^t ± α.

The elliptic curve E has a finite field GF (p) having a j-variable solution of a class polynomial H _d (x) = 0 determined by _d modulo p.
Further, in the present invention, when the elliptic curve E is a group formed by elements on the GF (p) of the elliptic curve E having a finite field GF (p) as a definition field, E {GF (p)}, The original number of E {GF (p)} is broken by a large prime number of 30 digits or more.

In the present invention, the positive integer α has a size of 2t / 3 bits or less.
In the present invention, prime p, a r a positive integer, finite GF (p ^r) of the elliptic curve E with the definition of GF (p ^r) on E {GF (p a group consisting of original when a ^r)}, the elliptic curve E _1, E ₂ having a finite GF (p ^r) to definition, ..., and E _n, but not isomorphic configured so that the original number are equal to each other For each system such as ordering, purchasing, pure communication, etc., for each communication partner such as customer, government office, head office, etc., change the elliptic curve used by at least one after a certain period of time with one system and the same communication partner. I have to.

In the present invention, the elliptic curve E is the order of the class polynomial H _d (x) = 0 which is determined by d and n, j ₁ solutions modulo p, ..., when the j _n, these roots elliptic curve E ₁ has the definition of the finite field GF (p) with the j invariant, ..., an E _n.
According to the present invention, in the operation at the time of confidentializing a message using a shared key according to the agreement and at the time of decryption, the property of 2 ^t ≡α (mod n) or 2 ^t ≡−α (mod p) and It is assumed that an additive chain is used.

(Action)
With the above configuration, in the present invention, secret communication is performed in the following procedure.
(1) The provider of the secret communication network provides E {GF (p)} used for the secret communication and its base point BP to each user through a public communication network or mail.
(2) Each user who has received the provision of E {GF (p)} and the base point BP selects an arbitrary natural number, and adds the base point BP to E {GF (p)} a natural number of times. Ask for.
(3) Each user keeps a natural number arbitrarily selected by himself / herself confidential, and on the other hand, wishes to communicate as a public key of his / her own, a value obtained by adding BP on E {GF (p)} the natural number of times. Notify the other user to each other.
(4) The two users communicating with each other hold the public key notified by the other user secretly, each of which is a natural number of times selected by the user and added on E {GF (p)}. And use this as a shared key between the two.
(5) Two users communicating with each other separately determine the content of the operation of the shared key and the message when encrypting and decrypting the message using the shared key.
(6) One user confidentializes a message by performing an operation according to the agreement using a shared key, and transmits the message to the other user.
(7) The other user receives and performs the inverse operation using the shared key according to the agreement, and if the exclusive OR, the exclusive OR is again used for decryption.

Here, E {GF (p)} is as follows.
The positive integer d is set such that the class number of the imaginary quadratic field Q {(− d) ^1/2 } is reduced.
For a given integer a, 4 × p−a ² becomes d × square number for a given integer a and p + 1−a or p + 1 + a is broken by a large prime number of 30 digits or more, and for a positive integer t and a small positive integer α A prime number that can be expressed as 2 ^t ± α.

The elliptic curve E has a finite field GF (p) having a j-invariant solution of the class polynomial H _d (x) = 0 determined by _d as a modulo p.
In the present invention, the elliptic curve E is defined as E {GF (p)}, where E {GF (p)} is a group composed of elements on the GF (p) of the elliptic curve E having a finite field GF (p). It is assumed that the original number of {GF (p)} is broken by a large prime number of 30 digits or more.

In the present invention, the positive integer α has a size of 2t / 3 bits or less.
In the present invention, prime p, a r a positive integer, finite GF (p ^r) of the elliptic curve E with the definition of GF (p ^r) on E {GF (p a group consisting of original when a ^r)}, the elliptic curve E _1, E ₂ having a finite GF (p ^r) to definition, ..., and E _n, but not isomorphic configured so that the original number are equal to each other The elliptic curve to be used is changed by at least one for each system, each communication partner, one system and one communication partner after a certain period of time.

In the present invention, the elliptic curve E is the order of the class polynomial H _d (x) = 0 which is determined by d and n, j ₁ solutions modulo p, ..., when the j _n, these roots elliptic curve E ₁ has the definition of the finite field GF (p) with the j invariant, ... it is assumed to be E _n.
According to the present invention, in the operation at the time of confidentializing a message using a shared key according to the agreement and at the time of decryption, the property of 2 ^t ≡α (mod p) or 2 ^t ≡−α (mod p) and By using the additive chain, signal processing at the time of concealment and decryption is performed at high speed.

In the present invention, secret communication is performed according to the following procedure.
(1) The provider of the secret communication network provides each user with E {GF (p)} used for the secret communication and its base point BP.
(2) Each user who has been provided with E {GF (p)} and the base point BP selects an arbitrary natural number, and adds the base point BP on E {GF (p)} this natural number of times. Find the value.
(3) Each user keeps a natural number arbitrarily selected by himself / herself confidential, and on the other hand, wishes to communicate as a public key of his / her own, a value obtained by adding BP on E {GF (p)} the natural number of times. Notify the other user.
(4) Two users, when encrypting and decrypting a message using the notified public key and random number, use a method of calculating the message using the public key and the random number, for example, communication. Determine the sentence block division method, etc.
(5) The other user who has received the notification of the public key encrypts the message to be transmitted according to the agreement based on the random number selected by a separate program or the like and the public key notified by the other user. Become
(6) The user sends the encrypted message to the user who has notified the public key.
(7) The other user who received the message decrypts the confidential message in hardware or software according to the agreement. At this time, an integer selected and kept secret by the user is used.

Here, E {GF (p)} is as follows.
The positive integer d is set such that the class number of the imaginary quadratic field Q {(− d) ^1/2 } is reduced. For a given integer a, 4 × p−a ² becomes d × square number for a certain integer a, and p + 1−a or p + 1 + a is broken by a large prime number of 30 digits or more, and for a positive integer t and a small positive integer α Is a prime number that can be expressed as 2 ^t ± α.

The elliptic curve E has a finite field GF (p) having a j-variable solution of a class polynomial H _d (x) = 0 determined by _d modulo p.
In the present invention, the elliptic curve E is defined as E {GF (p)}, where E {GF (p)} is a group composed of elements on the GF (p) of the elliptic curve E having a finite field GF (p). The original number of {GF (p)} is broken by a large prime number of 30 digits or more.

In the present invention, the positive integer α has a size of 2t / 3 bits or less.
In the present invention, prime p, a r a positive integer, finite GF (p ^r) of the elliptic curve E with the definition of GF (p ^r) on E {GF (p a group consisting of original when a ^r)}, the elliptic curve E _1, E ₂ having a finite GF (p ^r) to definition, ..., and E _n, but not isomorphic configured so that the original number are equal to each other The elliptic curve used is changed by at least one for each system, each communication partner, and at least one after a certain period of time for one system and the same communication partner.

In the present invention, the elliptic curve E is the order of the class polynomial H _d (x) = 0 which is determined by d and n, j ₁ solutions modulo p, ..., when the j _n, these roots elliptic curve E ₁ has the definition of the finite field GF (p) with the j invariant, ... it is assumed to be E _n.
According to the present invention, in the operation at the time of confidentializing a message using a shared key according to the agreement and at the time of decryption, the property of 2 ^t ≡α (mod n) or 2 ^t ≡−α (mod p) and It is assumed that an additive chain is used.

As described above, the present invention uses a finite field on a relatively small elliptic curve, which does not have various solutions, and thereby uses a finite field on a relatively small elliptic curve to provide a highly confidential and rapid signal processing signature, authentication and secret communication system. Can provide.
Further, at this time, it is easy to use a high-speed operation such as an additive lock.
Also, the amount of information that needs to be stored in an IC circuit or the like can be reduced.

Also, when changing the elliptic curve regularly to improve confidentiality, the necessary changes in hardware etc. are minimal.

Hereinafter, the embodiment of the present invention will be described by dividing the procedure into creation of an elliptic curve, signal processing on the created elliptic curve, and procedures for signature, authentication, and secret communication.
(First embodiment)
FIG. 1 shows an outline of a procedure for creating an elliptic curve used in the signature, authentication, and secret communication system of the present invention. In the figure, A shows the entire basic flow, and B shows a part of it, specifically, details of the step of determining the prime number p.

Hereinafter, the procedure of the embodiment will be described with reference to FIG.
(A1) Determination of Natural Number d The natural number d is set so that the class number of the imaginary quadratic field Q {(− d) ^1/2 } becomes small. Here, d = 3. Here, the reason why d is set to 3 is that it is easy to calculate a root of Hd (x) = 0 modulo p described later. It should be noted that the imaginary quadratic field Q {(− d) ^1/2 } and the class number are described in detail in Silverman.
(A2) Generation of prime number p When a and b are natural numbers, 4p−a ² = d × b ² , and p + 1−a or p + 1 + a is broken by a large prime number and becomes a natural number t and a small natural number α. On the other hand, it is taken as 2 ^t -α.

This selection procedure is based on a trial and error method, which will be described with reference to FIG. Before that, I will briefly introduce the theory of mathematics related to the feasibility of this procedure.
(1) The equation of the form 4p = a ² + d × b ² is a special one, although it is called the Pell equation. When p is given, a and b satisfying this are easily obtained by continued fraction expansion. Desired.

(2) According to the prime number theorem, it is proved that a prime number exists in the vicinity of a certain natural number n instead of approximately one logn number.
For this reason, it is understood that a natural number of about 30 digits expressed in the form of 2 ^t -α is a prime number, which is almost one out of 100. Further, since multiples of small prime numbers such as 2, 3, and 5 can be removed relatively easily, the elimination of these increases the probability of being a prime number. Therefore, whether or not the natural number 2 ^t -α, which is not a multiple of a small prime number such as 2, 3, 5, etc., is a prime number can be more easily confirmed by the current computer and mathematical theory (Miller, Cohen, Lenstra).

(3) Most natural numbers have about log logn prime factors (Hardy-Ramanujan). Therefore, if p is a number of about 30 digits, the number of prime factors of p + 1-a and p + 1 + a is 4 to 7 in many cases. Therefore, it can often be easily determined whether p + 1-a or p + 1 + a has a sufficiently large prime factor. Of course, you can also check that the natural number itself is a prime number.

Next, a specific order of selecting p, a, α, and t will be described with reference to FIG.
First, after selecting t, i = 0 and α = [2t / 3] are set as initial settings (b1).
Next, α is set to α-i (b2).
Calculate p = 2 ^t -α (b3). It is determined whether 4p can be expressed as a ² + 3b ² (b4). If not, i = i + 1 is set (b5), and the process returns to step b2.

If 4p can be represented as a ² + 3b ² , it is determined whether or not p is a prime number (b6). If not, the process returns to step b5.
If p is a prime number, it is determined whether one of p + 1 + a and p + 1-a has a large prime factor (b7). If not, the process returns to step b5.
If it is divisible by a large prime number, it ends.

Here, p = 2 ^t -α
t = 107
α = 1
a = 24 38789 23037 40815
Take.

At this time, p + 1 + a is divided by a 100-bit prime number.
(A3) Determination of Elliptic Curve E E is obtained based on the root j = 0 of the class polynomial H ₃ (X) = X modulo p. This mathematical aspect is described in Silverman's book.
By the way, since the j invariant of the elliptic curve E having the finite field GF (p) as the definition field and the number of elements being exactly p + 1 + a is 0, E is given by the following.

E: y ² = x ³ + B
B = 625
At this time, #E {GF (p)} = p + 1 + a. This is shown in Silverman's book. Therefore, secure and high-speed elliptic curve encryption can be configured.
When the elliptic curve E constructed as described above is used for signature, authentication and secret communication on the elliptic curve of the conventional example 2, the order of the base point BP is broken by a large prime number and the MOV reduction method is avoided. Therefore, a safe system is realized.

Further, the multiplication on GF (p), which is one of the basic operations required for realizing the method, can be realized as follows without obtaining the remainder by p by replacing 2 ^t = α.
_{t-1 t-1
GF (p) ∋x = Σx i} 2 i, with respect to y = Σy ^_i 2 <sub>i,
i = 0 i = 0

2t-1 t-1</sub>
x × y = Σs _i 2 ⁱ = Σ (s _i + s _{i + t} α) 2 ⁱ

_{i = 0 i = 0}
Here, s _i and s _{i + t} is 1 or 0.
Further, the calculation of c · BP is not speeded up only for a specific natural number c as in the conventional example. For this reason, a further increase in the speed can be achieved by combining this method with the addition chain method, which is a method for speeding up the calculation of k · BP with respect to a general natural number k. Regarding the data amount, the smart card for signal processing can let the smart card for signal processing memorize t and α instead of memorizing p. In this case, the number of bits of t can be ignored, and α is [2t / 3] Since the number of bits is less than the bit, the data amount of the definition field can be reduced. It also contributes to speeding up the operation.

In the above-described embodiment, the natural number d was set to 3. However, this is because the calculation for finding the prime number p is easy and the class of the imaginary quadratic field Q {(− d) ^1/2 } is small. Any other natural number can be used as long as the class number of the other imaginary quadratic field Q {(− d) ^1/2 } is reduced. Further, the reason why the class number of the imaginary quadratic field Q {(− d ^1/2 )} is small is that the calculation for obtaining an elliptic curve is easy, and the class number is not limited to one. Note that if d <1000, the calculation is practically possible. For reference, as d for forming an imaginary quadratic field having a class number of 1, all are not necessarily suitable for the practice of the present invention, but 1, 2, 7, 11, 19, 43 , 67, and 163. Similarly, as d for forming an imaginary quadratic field having a class number of 2, there are 10, 15, 26, 30, and the like. Further, the prime p satisfying the condition with respect to d is not limited to the above-described embodiment, but may be any prime that satisfies the condition regarding p shown in the present embodiment. On the other hand, if p is 30 digits or more, sufficient security, that is, difficulty of inverse operation will be maintained in the near future.
(Second embodiment)
5 shows an embodiment of another procedure for creating an elliptic curve used for the signature, authentication and secret communication schemes of the present invention. The creation procedure of the present embodiment is basically the same as that shown in FIG. Hereinafter, the procedure of the embodiment will be described using A in FIG.
(A1) Determination of Natural Number d The natural number d is set so that the class number of the imaginary quadratic field Q {(− d) ^1/2 } becomes small. Here, d = 24.
(A2) Generation of prime number p When a and b are natural numbers, 4p−a ² = 24 × b ² , and p + 1−a or p + 1 + a is broken by a large prime number and becomes a natural number t and a small natural number α. On the other hand, it is taken as 2 ^t -α.

Here, p = 2 ^t -α
t = 127
α = 1
a = 10671 93179 31455 45219
Take. At this time, p + 1-a is divided by a 124-bit prime number.

The detailed procedure at this time is basically the same as that shown in FIG. 4B.
(A3) Determination of Elliptic Curve E The root of the class polynomial H ₂₄ (X) = X ² -483944X + 14670139392 modulo p is j ₁ = 3 14934 62074 25766 39325 56096
j ₂ = 1701 41183 46043 77382 69613 04605 19563 84575
It is. Have finite field GF a (p) in definition, j invariant of the elliptic curve E the original number is p + 1-a number just is given by j ₁ and j _2. Thus, the elliptic curves each having j invariants are given by:

E ₁ : y ² = x ³ + A ₁ x + B _{1
A 1 = 915 03150 65123 53429 89289} 36723 21130 54488
B ₁ = 1177 15828 25431 33059 03422 01272 67034 04901
E ₂ : y ² = x ³ + A ₂ x + B ₂
A ₂ = 1400 68970 50479 08325 24538 34292 93927 22673
_{B 2 = 366 65585 84970 41444 39129} 79404 76337 79873
At this time, although #E ₁ {GF (p)} = # E ₂ {GF (p)} = p + 1-a, they are not isomorphic because the j invariants are different. It never Accordingly cryptosystem according E ₁ is the encryption method according to E ₂ where is decrypted and decoded.

In order to make a cryptographic system more robust, it is desirable to periodically change cryptographic parameters for each system or even for the same system. At this time, it is easier to change the basic operation (operation by modulating p of the definition field and the original number N of the elliptic curve) if they are the same. The elliptic curves E ₁ and E ₂ configured as described above can provide cryptosystems having the same basic operation but not the same type, that is, different cryptosystems. Therefore, the encryption system can be easily strengthened by using E ₁ and E ₂ separately in the two systems, or by changing E ₂ to E ₂ in one system. Further, the multiplication on GF (p), which is one of the basic operations required for realizing the method, can be realized at a higher speed than the general multiplication on a finite field from the form of p = ^2t ± α. Further, the calculation of c.BP is not fast for only a specific natural number c as in the conventional example. For this reason, the speed can be increased by easily combining with the method of the addition chain, which is a method of speeding up the calculation of k · BP with respect to a general natural number k. As for the data amount, since t and α need only be stored instead of storing p as the data of the definition body, the data amount of the definition body becomes small.

In this embodiment, the positive integer d is set to 24. However, any positive integer may be used as long as the class of another imaginary quadratic field Q {(-d) ^1/2 } is reduced. Further, the prime number p that satisfies the condition for d is not limited to the above-described embodiment, but may be any prime number that satisfies the condition regarding p described above. These are the same as in the previous embodiment.
Next, an embodiment of a signature, authentication and secret communication system based on a discrete logarithm problem using an elliptic curve created by the procedure shown in the first and second embodiments will be described.
(Third embodiment)
This embodiment is a shared key cryptosystem using the elliptic curve of the first embodiment, and the basic procedure is the same as that based on the difficulty of the discrete logarithm problem of the prior art shown in FIG.

That is, the provider of the communication network discloses E {GF (p)} and BP to all users, and each user U, V, W,... Selects an arbitrary natural number u, v, w,. This is kept secret. .. Inform each other of u · BP, v · BP, w · BP.
Any two users calculate the product of the natural number held in their secret and the value notified from the communication partner, and use this as a shared key between them. For example, in the case of the users U and V, the user U calculates a product u · v · BP of u and v · BP notified from V, which are kept secret. Similarly, the user V calculates v · u · BP from v and u · BP. Here, of course, u · v · BP = v · u · BP. On top of this, they both keep uvBP secret.

By the way, in this case, the message is a one-dimensional numerical value, and u, v, BP is a two-dimensional numerical value having an x coordinate value and a y coordinate value. Alternatively, only one of the y-coordinate values is used, and 1-bit data C (uv-BP) is separately notified in order to indicate which one has been used. At this time, since the elliptic curve of the first embodiment has p≡3 (mod 4), the following property is used.
(X ³ + Ax + B) ^p-1 = 1 (Fermer's theorem)
y ⁴ = (x ³ + Ax + B) ² = (x ³ + Ax + B) ^{4S + 2} * (x ³ + Ax + B) ²
Here, S = (p−3) / 4
Therefore, y = ± (x ³ + Ax + B) ^{S + 1}
Therefore, when C (u · v · Bp) = 1, y = − (x ³ + Ax + B),
When C (u · v · Bp) = − 1, it is determined in advance that y = (x ³ + Ax + B).
(Fourth embodiment)
In the present embodiment, secret communication is performed according to the same principle as in the third embodiment, but an intermediary W serving as a witness exists between the user U and the user V.

First, intermediary W _{is, E 1 {GF (p)} } and the base point BP _u and E ₂ to be used for secret communication based on two elliptic curves E ₁ and E ₂ as shown in the second embodiment seek {GF (p)} and the base point BP _v.
Then, the user W notifies the user U of E ₁ {GF (p)} and the base point BP _u selected by the user W. Here, BP _u is a nonzero element of E ₁ {GF (p)}. Of course, E ₁ {GF (p)} and BP _u are kept secret from the user V.

The user V is notified of E ₂ {GF (p)} and the base point BP _v selected by the user. Here, BP _v is a nonzero element of E ₂ {GF (p)}. Of course, E ₂ {GF (p)} and BP _v are kept secret from the user U.
Thereafter, the user U selects an arbitrary integer d _u secret, his identity Y _u for the user W is calculated by the formula _{Y u = d u · BP u} .

The user W is selected an arbitrary integer d _uw secret, his identity Y _uw for the user U is calculated by the equation _{Y uw = d uw · BP u} .
On this, the user U and the user W mutually mutually notify the Y _u and Y _uw, the _{K uw = d u · Y uw} = d uw · Y u and both shared key. Then, the user U transmits to the user W the plaintext M desired to be signed by the secret key encryption communication method using the shared key _Kuw as an encryption key and a decryption key. The operation in this case can be, for example, an exclusive OR of the plaintext M and the shared key (at the time of encryption) and its inverse operation (at the time of decryption).

Incidentally, the Y _u, Y _uw and K _uw user V, of course, also to third parties is kept secret.
Next, the user W is selected an arbitrary integer d _v secret, his identity Y _v for the user V is calculated by the equation _{Y v = d v · BP v} .
The user W is selected an arbitrary integer d _vw secret is calculated by your identity Y _vw = d _vw · BP _v for the user V.

This user V and user W on mutually mutually notify Y _v and Y _vw, the _{K vw = d vw · Y v} = d v · BP v shared key between them. Further, in the communication between the user V and the user W, the operation of confidentializing the communication message using the shared key K _vw is not exclusive OR, but EXCLUSTIVE-NOR is adopted. Also in this case, Y _v , Y _vw and K _vw are kept secret not only to the user U but also to a third party.

Here, the reason why the elliptic curves adopted by the users U and W and between the users V and W are changed is that the contents of the communication message between the users U and W are known to the user V and the user V This is to prevent the user U from knowing the contents of the message of the user W and the user W at all.
The reason why the secrecy and decryption operations are changed is to increase the security against the error of the user W even a little. Exclusive OR (EXCLUSIVE-OR), The reason why the exclusive OR (EXCLUSIVE-NOR) is employed is that the communication efficiency is good because the time required for the confidentiality and decryption processes is almost the same.

Based on the above, the communication between the user U and the user V is performed via the user W. In this case, when the user W interposes a communication message from one user (U or V) to the other user (V or U), the user W also adds a certification statement to the effect that the user has been authenticated and the date and time of reception and transmission. I do. As a result, the secret communication between the user U and the user V is authenticated by the user W.
In this case, different elliptic curves E ₁ and E ₂ are used to improve the confidentiality. However, since the operations of the definition field p and the original number N of the elliptic curves are the same, the processing of the mediator W is performed. This is also convenient for various purposes, such as a common remainder calculation routine.
(Fifth embodiment)
In the present embodiment, the elliptic curve of the first embodiment is used for signature and authentication communication. FIG. 5 shows the procedure.

The network provider discloses E {GF (p)} and BP to all users.
On the other hand, the user U and the user V who desire the secret communication create an arbitrary integer u and v secretly (step 3), and use the original BP obtained from the network provider to obtain E {GF (p)}. Calculate Y _u = u · BP and Y _v = v · BP above. Then, the Y _u, notifies to each other using a public communication network Y _v.

Next, when the plaintext M is sent from the user U to the user V,
U chooses a random number r _u is an integer in secret, to create the following two sets of communication statement C _1, C ₂ by using the public key Y _v of the random number r _u and V that only you know.
C ₁ = _ru · BP [2]
C ₂ = M + r _u · Y _v [3]
Then U sends C ₁ and C ₂ to V.

The user V who has received the messages C ₁ and C ₂ calculates M using the v known only to him to obtain M.
M = C ₂ −v · C ₁ [4]
In this case, even if the user U erroneously transmits the communication destination to another user W who is a third party, this W cannot know v and cannot decode the message.
(Sixth embodiment)
Next, signal processing of a message will be described.

An operation such as C ₁ = _ru · BP ₁ , C ₂ = M + x ( _ru · Y _v ) or the like is required for each communication for confidentiality and decryption of the generated random number and message.
In this case, for example, if a random number _ru is taken, it consists of only 1 and 0 in binary, and if it is 15 in decimal, it is expressed as 2 ³ +2 ² + 2 + 1 in binary. In this case, E {GF (p)} 2 3 BP 1 in operation was determined in advance of r _u · BP ₁ for on, ^{2 2} BP _1, instead of the use of 2BP ₁ 2 ⁴ BP ₁ - BP ₁ is adopted.

Further, since the calculation of the 2 ⁴ BP-BP is Dekiru using multiplication over GF (p),
The property of 2 ^t ≡α (mod p) or 2 ^t ≡−α (mod p) is used.
In addition to this, the additive chain described in Related Arts may be used depending on the value.
As described above, the present invention has been described based on the embodiments. However, it is a matter of course that the present invention is not limited to the above embodiments. That is, for example, (1) the natural number d and the class number are relatively small numbers for the convenience of a program for calculating a prime number or an elliptic curve or the convenience of the calculation itself. However, when the demand for secrecy such as diplomacy or finance is high, the calculation cost may be somewhat higher, but may be a value with a higher number of digits, for example, around 10,000, 50,000, 100,000.
(2) The encryption or the like using the operation with the BP on the elliptic curve of the message is a logical operation so as not to increase the number of digits in the embodiment, and is not limited to this. More specifically, a random number may be used together in the arrangement of the sender and the receiver, or the message may be divided into blocks and used to replace the divided blocks. In these cases, it is needless to say that the notification of the random number used separately and the arrangement of the block division method and replacement are performed. These are described in detail in "Modern Cryptography Theory" mentioned earlier.
(3) Both the x-coordinate and the y-coordinate of a point on the elliptic curve E {GF (p)} are alternately used or used depending on whether it is an even-numbered day or an odd-numbered day.

5 is a flowchart for creating an elliptic curve used for a signature, authentication, and secret communication system in the present invention. FIG. 11 is a diagram showing the contents of a procedure of a secret communication system based on the difficulty of a discrete logarithm problem on a finite field. It is a figure showing the contents of operation of an elliptic curve. It is a flowchart of the procedure of finding the conventional elliptic curve. FIG. 4 is a diagram showing an example of a procedure for encrypting and decrypting a communication message at the time of secret transmission using an elliptic curve used for a signature, authentication, and secret communication method in the present invention.

Claims (8)

A secret communication system comprising a provider device, first and second user devices, and performing secret communication between the first user device and the second user device,
(1) The provider device in the secret communication network sets an elliptic curve E {GF (p)} used for secret communication, and sets E {GF (p)} and its base point BP to the first and second users. To the device,
(2) The first and second user devices respectively receive E {GF (p)} and a base point BP, select an arbitrary natural number, and set the base point BP to E @ GF (P) Find the value added on｝,
(3) The first and second user devices each keep secret a natural number arbitrarily selected by themselves, and on the other hand, add a value obtained by adding the BP on E {GF (p)} the natural number of times. Mutually transmitting to the user device of the other party wishing to communicate as its own public key,
(4) Each of the first and second user devices that communicate with each other, the public key and the E @ GF ( p) Find the value added on｝, and use this as the shared key between the two.
(5) The first and second user devices that communicate with each other determine the contents of operation of the shared key and the message when encrypting and decrypting the message using the shared key, respectively.
(6) The first user device transmits the message to the second user device after confidentially using the shared key according to the agreement,
(7) the second user device decrypts using the shared key according to the arrangement;
The provider device,
Storage means for storing a positive integer t and a positive integer α having a size of 2t / 3 bits or less;
Positive integer setting means for setting the positive integer d to be smaller than a predetermined value;
For a given integer a, 4 × pa ² is a d × square number for a given integer a, and p + 1-a or p + 1 + a is divided by a large prime number of 30 digits or more, and 2 for a positive integer t and a positive integer α. prime number setting means for setting a prime number that can be expressed as ^t ± α,
Using the set prime number p, the elliptic curve is defined so that a finite field GF (p) having a solution of the class polynomial H _d (x) = 0 determined by d modulo p as a j invariant is defined. A secret communication system comprising an elliptic curve setting means for setting E {GF (p)}. The elliptic curve setting means sets E {GF (p)} as a group formed by elements on the GF (p) of the elliptic curve E having a finite field GF (p) as a definition field. The secret communication system according to claim 1, wherein the elliptic curve E is set such that the original number of p)｝ is broken by a large prime number of 30 digits or more. The elliptic curve setting means, as the elliptic curve E, the order of the class polynomial Hd (x) = 0 which is determined by d and n, j ₁ solutions modulo p, ..., when the j _n, these roots elliptic curve E ₁ has the definition of the finite field GF (p) with the j invariant and ... secret communication method according to any one of claims 1 and 2, characterized in that setting the E _n . Said first and second user equipment in operation at the time of and decoding time secret in accordance with arrangements by the communication text, respectively using the shared key, 2 ^t ≡α (mod p) or 2 ^t ≡α ( The secret communication system according to any one of claims 1 to 3, wherein a property called mod p) and an additive chain are used. A secret communication system comprising a provider device, first and second user devices, and performing secret communication between the first user device and the second user device,
(1) The provider device in the secret communication network sets an elliptic curve E {GF (p)} used for secret communication, and sets E {GF (p)} and its base point BP to the first and second users. To the device,
(2) The first and second user devices receive E {GF (p)} and a base point BP, and the first user device selects an arbitrary natural number, and performs the natural number of times on the base point A value obtained by adding BP on E {GF (p)} is obtained,
(3) The first user device keeps a natural number arbitrarily selected by the first user device secret, and, on the other hand, adds the value obtained by adding BP on E {GF (p)} to the public key of the first user device. As a notification to the second user device,
(4) When encrypting and decrypting a message using the notified public key and random number, the first and second user devices use a method of calculating the public key, the random number, and the message. Extremely
(5) The second user device that has received the notification of the public key encrypts the message according to the agreement based on the random number selected by itself and the public key notified from the first user device,
(6) The second user device transmits the encrypted message to the first user device that has notified the public key,
(7) The received first user device decrypts the confidential message in accordance with the agreement, using the integer selected and kept secret by the first user device;
The provider device,
Storage means for storing a positive integer t and a positive integer α having a size of 2t / 3 bits or less;
Positive integer setting means for setting the positive integer d to be smaller than a predetermined value;
For a given integer a, 4 × pa ² is a d × square number for a given integer a, and p + 1-a or p + 1 + a is divided by a large prime number of 30 digits or more, and 2 for a positive integer t and a positive integer α. prime number setting means for setting a prime number that can be expressed as ^t ± α,
Using the set prime number p, the elliptic curve is defined so that a finite field GF (p) having a solution of the class polynomial H _d (x) = 0 determined by d modulo p as a j invariant is defined. A secret communication system comprising an elliptic curve setting means for setting E {GF (p)}. The elliptic curve setting means sets E {GF (p)} as a group formed by elements on the GF (p) of the elliptic curve E having a finite field GF (p) as a definition field. The secret communication system according to claim 5, wherein the elliptic curve E is set such that the original number of p)｝ is divided by a large prime number of 30 digits or more. When the elliptic curve setting means sets the degree of the class polynomial Hd (x) = 0 determined by d to n and the solutions modulo p to j1,. 7. The secret communication system according to claim 5, wherein an elliptic curve E1,..., En having a finite field GF (p) having an invariant as a definition field is set. The first and second user apparatuses respectively perform 2 ^t ≡α (mod n) or 2 ^t ≡-α in the operation of concealing and decrypting the message according to the agreement using the shared key. The secret communication system according to any one of claims 5 to 7, wherein a property called (mod p) and an additive chain are used.

Images