JP2006078943A - Power arithmetic unit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide key sharing, ciphering, and signing methods based upon discrete logarithm on a safe finite group as to a ciphering technique as an information security technique. <P>SOLUTION: Disclosed is a power operation method for a finite group E. Namely, denoting (n)-bit data as (d) and its binary notation as d=d[n-1]×2^(n-1)+ ... +d[1]×2+d[0] (each d[i]=0 or 1) while a finite group is E, group operations on the E are additively represented and an element of the E is G, those E and G are stored in a 1st memory part, (d) and its binary notation are stored in a 2nd memory part, and a random number generation part generates an arbitrary element R of the finite group E; and the element R and the element G in the 1st memory part are input to a 1st operation part to find Q=G-R, the output Q of the 1st operation part and the element R are inputted to an initial value setting part to output Q, R, Y=R, and the outputs Q, R, and Y of the initial value setting part and the binary notation d[i] of (d) stored in the 2nd memory part are input to a 2nd operation pa rt to performs operations of Y=2Y+Q (when d[i]=1), Y=2Y+(-R) (when d[i]=0) in order from i=n-1 to 0, and i=i-1. The Y as the output of the 2nd operation part and the element R are inputted to a 3rd operation part to find Y=Y-R and the Y as the output of the 3rd operation part is output as a value of a power operation dG by an output part. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

The present invention relates to encryption technology as information security technology, and more particularly to key sharing, encryption, and digital signature technology realized using a discrete logarithm problem on elliptic curves and hyperelliptic curves.

The secret communication method is a technology that allows communication without leaking the contents of communication to other than a specific communication partner. The digital signature method is a technology that proves the correctness of the communication contents to the communication partner. An application of this is an authentication method, which is a technology that guarantees that the communication partner (device) is the correct user or device. These technologies can be realized by an encryption method called public key cryptosystem. Public key cryptography is a method for easily managing different encryption keys for each communication partner when there are many communication partners, and is an indispensable basic technology for communicating with many communication partners. This is a method that makes the decryption key secret, but the encryption key is made public. Discrete logarithm problem using a finite group as the basis for the security of this public key cryptosystem. There is. Finite groups that define discrete logarithm problems include finite fields, elliptic curves over finite fields, and hyperelliptic curves over finite fields. In particular, the discrete logarithm problem on an elliptic curve over a finite field is often used. This is a work by Niil Kobritz, “A Cous in Numbers Theory and Cryptograhi” (Neal
Koblitz, "A Course in Number theory and
Cryptography ", Spinger-Verlag, 1987).
The discrete logarithm problem (ECDLP) on elliptic curves is described below.

ECDLP
Let E (Fp) be the elliptic curve E defined on the finite field Fp, and let the base point be an element G whose E's order is divided by a large prime number.
Y = xG
Find an integer x such that x.

Technologies using the discrete logarithm problem over finite groups include public key cryptography, digital signatures, and key sharing. Here, for the sake of simplicity, operations on finite groups are expressed by addition. At this time, each technique requires a power operation between the finite group element G and the secret data d, that is, the operation dG = G + ・ ・ ・ + G, and the safety of d is easy from the result of dG and G. It comes down to what is not asked for. This is the so-called discrete logarithm problem. In general, the safety of discrete logarithm problems is a mathematical problem, and algorithms that decipher computationally in polynomial time have been studied for a long time. The discrete logarithm problem has been placed on a high level of security and reliability due to the fact that no polynomial-time algorithm has been discovered in spite of its research history. In recent years, however, side channel attacks have been proposed that actually measure d by measuring the power consumption of IC cards and other devices that calculate dG. A side channel attack is an attack that uses a measured power consumption to decipher algorithmically without assuming a special machine other than the power consumption measurement. A side channel attack is an operation that should be the basic operation of a method based on the discrete logarithm problem.
This is an attack that estimates the value of d by measuring the power consumption observed when the dG calculation is performed with an IC card. The power operation is realized by repeating two operations of addition G + G and doubling 2G.
The difference in power consumption due to doubling is a major cause of side channel attacks. The following papers are detailed on side channel attacks.
J. Coron, "Resistance against differential power analysis for
elliptic curve cryptosystem ", CHES'99, Lecture Notes in Computer Science,
1717 (1999), Springer-Verlag, 292--302.

Side-channel attacks consist of two types of attacks called simple power analysis (SPA) and differential power analysis (DPA). SPA is an attack that uses the fact that dG processing depends on the key d to produce a difference in power consumption. The SPA estimates the key by measuring the power consumption once. On the other hand, in DPA, attackers are adaptively different
The value of G is input to the IC card, the power consumption for the processing is measured, and the key is inferred from the difference. As an anti-SPA algorithm, it is sufficient to construct an addition chain that realizes a power operation without depending on the key d, but there is a problem that it is slow. Resistance
As a DPA algorithm, it is better to construct an addition chain so that different power consumption is output each time dG is calculated, but it has the problem that it becomes slow like the anti-SPA algorithm.
The following papers are detailed on these SPA and DPA algorithms.
M. Joye and C. Tymen, "Protections against Differential Analysis
for Elliptic Curve Cryptosystem ", CHES2001, Lecture Notes in Computer
Science, 2162 (2001), Springer-Verlag, 377--390.

In 2003, a zero-value attack that improved the DPA attack was proposed. This is because the attacker has an elliptic curve point
This attack uses the fact that the input power is manipulated so that either x or y coordinate of G becomes 0, and the power consumption of zero value can be distinguished. The resistance proposed in the 2001 paper above.
Since the DPA algorithm fixes the zero value, it is vulnerable to zero value attacks. In 2004, an algorithm that was powerful against zero-value attacks was proposed. This method uses an arbitrary elliptic curve element R when calculating dG, and Y =
This is a method of calculating dG by calculating dG + R from the least significant bit and then finding Y = YR from the result. Since an arbitrary R is added each time dG is calculated, the attacker cannot operate so that a zero value is generated during the calculation of dG. The following paper is detailed on this zero-proof attack algorithm.
K. Itoh, T. Izu, and M. Takenaka, "Efficient countermeasures against power analysis for
elliptic curve cryptosystems ", SCIS2004, 2004 (previous version).

Below, the above zero-proof attack algorithm is given as a conventional example.
Conventional Example 1
FIG.
Shows the conventional zero-proof attack algorithm. The procedure of the conventional example is explained below with reference to the figure.
Step1. Elliptic curve E (Fq),
Input the element G of E (Fq) and the element d of n bits, the input finite fields Fq and the elliptic curve E on Fq, and the element G of E (Fq).

Step2. D binary notation
Let d = d [n-1] 2 ^ (n-1) + ... + d [1] 2 + d [0].
This expresses n-bit data d in binary. In this case, each d [n-1], ..., d [0] is 0 or 1.

Step3. Take the element R of E (Fq).

Step4. Y = R, Z = G, U
= O.
To calculate dG + R from the least significant bit (LSB), the initial value Y = R,
Set Z = G, U = O. Where O is the zero element of the elliptic curve.

Step 5. Set i = 0.
Set the counter i for calculating dG + R from the least significant bit (LSB) to 0.

Step 6. i ≤ n-1
First, U = Y + Z, Z = 2Z is calculated, then the following operation according to the value of d [i], Y = U
(when d [i] = 1), Y = Y (when d [i] = 0),
, Increase i by 1 and perform step 6.

Step 7. Calculate Y = Y-R

Step 8. Output Y.
Step 6 dY + R
The result of subtracting R from the result in step 7 is input to Y, so the output value Y is the result of the power operation dG.

In the above conventional example, since the calculation of dG + R is realized from the least significant bit (LSB), the amount of necessary intermediate variables increases. In particular, for media that require small memory such as IC cards, it is desirable that the amount of variables required for mounting be small. Conversely, if you want to execute at high speed, it is necessary to increase the execution speed by using a preliminary calculation table. However, with the algorithm from the least significant bit as in the conventional example, it is difficult to increase the speed with a preliminary calculation table and the like, and there is a problem that the speed cannot be increased further.
It is described in detail in Neil Koblitz, “A Course in Number theory and Cryptography” (Spinger-Verlag, 1987), “A Cous in Number Theory and Cryptography”. M. Joye and C. Tymen, "Protections against Differential Analysis for Elliptic Curve Cryptosystem", CHES2001, LectureNotes in Computer Science, 2162 (2001), Springer-Verlag, 377--390. K. Itoh, T. Izu, and M. Takenaka, "Efficient countermeasures against power analysis for elliptic curve cryptosystems", SCIS2004, 2004.

It is indispensable to implement as strong as possible against attacks in cryptography using public key cryptography, key sharing scheme, and signature scheme. Ciphers based on the discrete logarithm problem can be estimated from the values of dG and G, where G is the element on the finite group E that is the base of the discrete logarithm problem and d is the secret data. It comes down to the difficulty. In recent years, a side-channel attack that estimates the value of d by measuring its power consumption when implementing dG on an IC card or the like has become a major threat. In particular, since this operation is used for all of encryption, key sharing, and signatures, the impact of the attack is very large. Therefore, it can be said that a powerful implementation method for side channel attacks is essential. What is important in the implementation on the IC card is the memory size and execution speed as well as safety. In other words, in a situation where small memory is required, implementation that can be realized with small memory is essential, and in a situation where high speed is required, an implementation method that can be realized at high speed is essential.

From this, it can be said that a computation algorithm that is strong against side-channel attacks and should be flexible with respect to memory size and execution speed is essential. However, as seen in the conventional example, the implementation algorithm for power operations from the LSB requires at least four intermediate variables to store the necessary elements of the finite group E, and speeding up using tables, etc. There is a problem that cannot be done.

The present invention has been made in view of the problems in this conventional example, and by realizing flexibly an operation that should be strong against side channel attacks in terms of memory size and execution speed, a discrete logarithm on a safe finite group can be obtained. Its purpose is to provide problem-based key sharing, encryption, and signature schemes.

In order to solve the above problems, the present invention
In claim 1, the finite group is E, the group operation on E is expressed additively, and the element of E is G
N-bit data d and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
When
These E and G are stored in the first memory part, d and its binary representation are stored in the second memory part,
An arbitrary element R of the finite group E is generated by the random number generator,
The element R and the element G of the first memory unit are input to the first arithmetic unit to obtain Q = GR, the output Q of the first arithmetic unit and the element R are input to the initial value setting unit, Q, R, Y = R is output,
Input Q, R, Y, which is the output of the initial value setting unit, and binary representation d [i] of d stored in the second memory unit to the second arithmetic unit, and from i = n-1 The following operations are sequentially performed until 0,
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
The power of the finite group E is characterized in that Y, which is the output of the third arithmetic unit, is output as the value of the power operation dG by the output unit.

  Claim 2 is an arithmetic device to which the power calculation method according to claim 1 should be applied.

Claim 3 is a recording medium storing a program for executing the method of claim 1.

In claim 4, a signature, authentication, secret communication, and key sharing method using the operation method according to claim 1 is adopted.

According to claim 5, the power calculation method according to claim 1 is such that p is a prime number, r is a positive integer, q is an integer such that q = p ^ r, and an elliptic curve E on a finite field Fq having q elements. , The power on the elliptic curve for the element G and the n-bit data d on E (Fq)
The calculation method should be characterized by the use of dG.

In claim 6, the power calculation method according to claim 1, wherein p is a prime number, r is a positive integer, and q is
Power operation on a super elliptic curve for a super elliptic curve H on a finite field Fq with q elements and q on a super elliptic curve H on H (Fq) and an n-bit data d The calculation method should be characterized by the use of dG.

In claim 7, the finite group is E, the group operation on E is expressed additively, the element of E is G, and the n-bit data d and its binary representation are
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
When
A first memory section for storing these E and G;
A random number generator having these d and a second memory unit for storing the binary representation thereof and generating an arbitrary element R of the finite group E;
A first calculation unit for obtaining Q = GR by using the element R and the element G of the first memory unit as inputs;
An initial value setting unit for setting R, Q, and Y = R as initial values of the second calculation unit, with the element R and the output Q of the first calculation unit as inputs,
Using the output Y, R, Q of the initial value setting unit and the binary representation {d [i]} of d stored in the second memory unit as input, the following operations from i = n-1 to 0:
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
A third arithmetic unit that calculates Y = YR, using Y as the output of the second arithmetic unit and the output of the second arithmetic unit and the above element R as input.
The power unit of the finite group E is characterized by having an output unit that outputs the output Y of the third arithmetic unit as the value of the power operation dG.

In claim 8, the finite group is E, the group operation on E is expressed additively, the element of E is G, and these E and G are stored in the first memory unit.
The first random number generator generates n-bit data d, and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
age,
An arbitrary element R of the finite group E is generated by the second random number generator,
The element R and the element G of the first memory unit are input to the first arithmetic unit to obtain Q = GR, the output Q of the first arithmetic unit and the element R are input to the initial value setting unit, Q, R, Y = R is output,
Input the output Q, R, Y of the initial value setting unit and the binary expression d [i] of d above to the second arithmetic unit, and perform the following operations sequentially from i = n-1 to 0,
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
The power of the finite group E is characterized in that Y, which is the output of the third arithmetic unit, is output as the value of the power operation dG by the output unit.

Claim 9 is an arithmetic device to which the power calculation method according to claim 8 should be applied.

In claim 10, a recording medium storing a program for executing the method of claim 8 is provided.

In claim 11, a signature, authentication, secret communication, and key sharing method using the operation method according to claim 8 is adopted.

In claim 12, the finite group is E, the group operation on E is expressed additively, the element of E is G,
A first memory section for storing these E and G;
The first random number generator that generates n-bit data d and the binary representation of d
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
age,
A random number generator for generating an arbitrary element R of the finite group E;
A first calculation unit for obtaining Q = GR by using the element R and the element G of the first memory unit as inputs;
An initial value setting unit for setting R, Q, and Y = R as initial values of the second calculation unit, with the element R and the output Q of the first calculation unit as inputs,
Using the output Y, R, Q of the initial value setting unit and the binary representation {d [i]} of d above as inputs, the following operations are performed from i = n-1 to 0:
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
A third arithmetic unit that calculates Y = YR, using Y as the output of the second arithmetic unit and the output of the second arithmetic unit and the above element R as input.
The power unit of the finite group E is characterized by having an output unit that outputs the output Y of the third arithmetic unit as the value of the power operation dG.

In claim 13, the finite group is E, the group operation on E is expressed additively, E is stored in the first memory unit,
Enter the element G of E in the input section,
The first random number generator generates n-bit data d, and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
age,
An arbitrary element R of the finite group E is generated by the second random number generator,
Q = GR is obtained by inputting the element R and the element G of the input to the first arithmetic unit, the output Q of the first arithmetic unit and the element R are input to the initial value setting unit, and Q, R , Y = R,
Input the output Q, R, Y of the initial value setting unit and the binary expression d [i] of d above to the second arithmetic unit, and perform the following operations sequentially from i = n-1 to 0,
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
The power of the finite group E is characterized in that Y, which is the output of the third arithmetic unit, is output as the value of the power operation dG by the output unit.

Claim 14 is an arithmetic device to which the power calculation method according to claim 13 should be applied.

In Claim 15, it is set as the recording medium which memorize | stored the program which performs the method of Claim 13.

In claim 16, a signature, authentication, secret communication, and key sharing method using the operation method according to claim 13 is adopted.

In claim 17, a finite group is E, a group operation on E is represented additively, and a first memory unit for storing E,
An input unit for inputting an element G of a finite group E;
The first random number generator that generates n-bit data d and the binary representation of d
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
age,
A random number generator for generating an arbitrary element R of the finite group E;
A first arithmetic unit for obtaining Q = GR using the element R and the input element G as inputs;
An initial value setting unit for setting R, Q, and Y = R as initial values of the second calculation unit, with the element R and the output Q of the first calculation unit as inputs,
Using the output Y, R, Q of the initial value setting unit and the binary representation {d [i]} of d above as inputs, the following operations are performed from i = n-1 to 0:
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
A third arithmetic unit that calculates Y = YR, using Y as the output of the second arithmetic unit and the output of the second arithmetic unit and the above element R as input.
The power unit of the finite group E is characterized by having an output unit that outputs the output Y of the third arithmetic unit as the value of the power operation dG.

In claim 18, the finite group is E, the group operation on E is expressed additively, and the n-bit data d and its binary representation are expressed as
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
When
E is stored in the first memory part,
store d and its binary representation in the second memory part,
Enter the element G of E in the input section,
An arbitrary element R of the finite group E is generated by the random number generator,
Q = GR is obtained by inputting the element R and the element G of the input to the first arithmetic unit, the output Q of the first arithmetic unit and the element R are input to the initial value setting unit, and Q, R , Y = R,
Input Q, R, Y, which is the output of the initial value setting unit, and binary representation d [i] of d stored in the second memory unit to the second arithmetic unit, and from i = n-1 The following operations are sequentially performed until 0,
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
The power of the finite group E is characterized in that Y, which is the output of the third arithmetic unit, is output as the value of the power operation dG by the output unit.

Claim 19 is an arithmetic device to which the power calculation method according to claim 18 is applied.

A twentieth aspect is a recording medium storing a program for executing the method according to the eighteenth aspect.

In claim 21, a signature, authentication, secret communication, and key sharing method using the operation method according to claim 18 is adopted.

In claim 22, the finite group is E, the group operation on E is expressed additively, and the n-bit data d and its binary representation are
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
When
A first memory section for storing E;
an input unit for inputting an element G of a finite group E having d and a second memory unit for storing the binary representation;
A random number generator for generating an arbitrary element R of the finite group E;
A first arithmetic unit for obtaining Q = GR using the element R and the input element G as inputs;
An initial value setting unit for setting R, Q, and Y = R as initial values of the second calculation unit, with the element R and the output Q of the first calculation unit as inputs,
Using the output Y, R, Q of the initial value setting unit and the binary representation {d [i]} of d stored in the second memory unit as input, the following operations from i = n-1 to 0:
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
A third arithmetic unit that calculates Y = YR, using Y as the output of the second arithmetic unit and the output of the second arithmetic unit and the above element R as input.
The power unit of the finite group E is characterized by having an output unit that outputs the output Y of the third arithmetic unit as the value of the power operation dG.

In claim 23, the finite group is E, the group operation on E is expressed additively, the element of E is G, the data of n bits is d, the number of divisions is t (<n), and the minimum of t and n Let the common multiple be n '= kt,
Binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… +
d [0],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
These E, G, k, n, t, and n ′ are stored in the first memory unit,
The above data d and its binary representation {d [i] (i = 0, .., 2 ^ n'-1)},
Store k-bit data {a [j] (j = 0, ..., t-1)} in the second memory section,
An arbitrary element R of the finite group E is generated by the random number generator,
Input the above element R and the element G, k of the first memory unit to the first arithmetic unit,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
The above element G [j] (j = 0, .., t-1), the integer b of 0 ≦ b ≦ 2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
Find 2 ^ t E elements {T [0], .., T [2 ^ t-1]}
The above elements {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]} are output,
The output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}
Input the above element R and output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}, Y = R,
{G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, which are the outputs of the initial value setting unit,
Input Y and binary representation {d [i]} of d stored in the second memory part,
from i = k-1
The following operations are sequentially performed until 0,
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
The power of the finite group E is characterized in that Y, which is the output of the third arithmetic unit, is output as the value of the power operation dG by the output unit.

In claim 24, an arithmetic device to which the power calculation method according to claim 23 is applied is provided.

In claim 25, a recording medium storing a program for executing the method of claim 23 is provided.

In claim 26, a signature, authentication, secret communication, and key sharing method using the operation method according to claim 23 is adopted.

In claim 27, an arithmetic method according to claim 23, wherein p is a prime number, r is a positive integer, q is an integer such that q = p ^ r, and an elliptic curve E on a finite field Fq having q elements. , The power on the elliptic curve for the element G and the n-bit data d on E (Fq)
The calculation method should be characterized by the use of dG.

In claim 28, the power calculation method according to claim 23, wherein p is a prime number, r is a positive integer, q is an integer such that q = p ^ r, and a hyperelliptic curve on a finite field Fq having q elements. Power on a hyperelliptic curve for element G and n-bit data d on H and H (Fq)
The calculation method should be characterized by the use of dG.

In claim 29, the finite group is E, and the group operation on E is expressed additively, the element G of E and n-bit data d, the number of divisions is t (<n), and the least common multiple of t and n is n Let '= kt,
Binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… +
d [0],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj + 1] ・ 2+ d [kj]
And
A first memory unit for storing these E, G, k, n, t, and n ′;
A second memory unit for storing d and its binary representation and k-bit data {a [j]};
A random number generator for generating an arbitrary element R of the finite group E;
Using the above element R and elements G and k of the first memory unit as inputs,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
Next, the above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
A first computing unit for finding 2 ^ t E elements {T [0], .., T [2 ^ t-1]};
Using the element R and the output {G [0], .., G [t-1]} and {T [0], .., T [2 ^ t-1]} as inputs, {G [0], .., G [t-1]}, {T [0], .., T [2 ^ t-1]},
An initial value setting unit for setting Y = R as an initial value of the second calculation unit;
Output of initial value setting part {G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]},
Using Y and binary representation {d [i]} of d stored in the second memory part as input
The following operations from i = k-1 to 0:
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1
A second arithmetic unit that sequentially loops
It has a third calculation unit that calculates Y = YR, using Y as the output of the second calculation unit and the above element R as inputs.
The power unit of the finite group E is characterized by having an output unit that outputs the output Y of the third arithmetic unit as the value of the power operation dG.

In claim 30, the finite group is E, and the group operation on E is expressed additively, the element of E is G, the number of bits is n, the number of divisions is t (<n),
Let the least common multiple of t and n be n '= kt,
These E, G, k, n, t, and n ′ are stored in the first memory unit,
The first random number generator generates n-bit data d, and the binary representation with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
An arbitrary element R of the finite group E is generated by the second random number generator,
Input the above element R and the element G, k of the first memory unit to the first arithmetic unit,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
The above element G [j] (j = 0, .., t-1), the integer b of 0 ≦ b ≦ 2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
Find 2 ^ t E elements {T [0], .., T [2 ^ t-1]}
The above elements {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]} are output,
The output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}
Input the above element R and output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}, Y = R,
{G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, which are the outputs of the initial value setting unit,
Enter Y and the binary representation {d [i]} of d above,
Perform the following operations sequentially from i = k-1 to 0,
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
The power of the finite group E is characterized in that Y, which is the output of the third arithmetic unit, is output as the value of the power operation dG by the output unit.

Claim 31 is an arithmetic device to which the power calculation method according to claim 30 should be applied.

According to a thirty-second aspect, a recording medium storing a program for executing the method according to the thirty-third aspect is provided.

In claim 33, a signature, authentication, secret communication and key sharing method using the operation method according to claim 30 is adopted.

In claim 34, the finite group is E, and the group operation on E is expressed additively, the element of E is G, the number of bits is n, the number of divisions is t (<n),
Let the least common multiple of t and n be n '= kt,
A first memory unit for storing these E, G, k, n, t, and n ′;
A first random number generator that generates n bits of data d, and a binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
A random number generator for generating an arbitrary element R of the finite group E;
Using the above element R and elements G and k of the first memory unit as inputs,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
Next, the above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
A first computing unit for finding 2 ^ t E elements {T [0], .., T [2 ^ t-1]};
Using the element R and the output {G [0], .., G [t-1]} and {T [0], .., T [2 ^ t-1]} as inputs, {G [0], .., G [t-1]}, {T [0], .., T [2 ^ t-1]},
An initial value setting unit for setting Y = R as an initial value of the second calculation unit;
Output of initial value setting part {G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, Y and binary representation of d above { d [i]} as input,
The following operations from i = k-1 to 0:
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1
A second arithmetic unit that sequentially loops
It has a third calculation unit that calculates Y = YR, using Y as the output of the second calculation unit and the above element R as inputs.
The power unit of the finite group E is characterized by having an output unit that outputs the output Y of the third arithmetic unit as the value of the power operation dG.

In claim 35, the finite group is E, the group operation on E is expressed additively, the number of bits is n, the number of divisions is t (<n),
Let the least common multiple of t and n be n '= kt,
These E, k, n, t, and n ′ are stored in the first memory unit,
Enter the element G of E in the input section,
The first random number generator generates n-bit data d, and the binary representation with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
An arbitrary element R of the finite group E is generated by the second random number generator,
The element R, the input element G, and k of the first memory unit are input to the first arithmetic unit,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
The above element G [j] (j = 0, .., t-1), the integer b of 0 ≦ b ≦ 2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
Find 2 ^ t E elements {T [0], .., T [2 ^ t-1]}
The above elements {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]} are output,
The output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}
Input the above element R and output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}, Y = R,
{G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, which are the outputs of the initial value setting unit,
Enter Y and the binary representation {d [i]} of d above,
Perform the following operations sequentially from i = k-1 to 0,
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
The power of the finite group E is characterized in that Y, which is the output of the third arithmetic unit, is output as the value of the power operation dG by the output unit.

Claim 36 is an arithmetic device to which the power calculation method according to claim 35 is applied.

In a thirty-seventh aspect, a recording medium storing a program for executing the method according to the thirty-fifth aspect is provided.

In claim 38, a signature, authentication, secret communication, and key sharing method using the operation method according to claim 35 is adopted.

In claim 39, the finite group is E, the group operation on E is expressed additively, the number of bits is n, the number of divisions is t (<n),
Let the least common multiple of t and n be n '= kt,
A first memory section for storing these E, k, n, t, and n ′ as inputs;
An input unit for inputting an element G of a finite group E;
A first random number generator that generates n bits of data d, and a binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
A random number generator for generating an arbitrary element R of the finite group E;
Using the element R, the input source G, and k of the first memory unit as inputs,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
Next, the above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
A first computing unit for finding 2 ^ t E elements {T [0], .., T [2 ^ t-1]};
Using the element R and the output {G [0], .., G [t-1]} and {T [0], .., T [2 ^ t-1]} as inputs, {G [0], .., G [t-1]}, {T [0], .., T [2 ^ t-1]},
An initial value setting unit for setting Y = R as an initial value of the second calculation unit;
Output of initial value setting part {G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, Y and binary representation of d above { d [i]} as input,
The following operations from i = k-1 to 0:
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1
A second arithmetic unit that sequentially loops
It has a third calculation unit that calculates Y = YR, using Y as the output of the second calculation unit and the above element R as inputs.
The power unit of the finite group E is characterized by having an output unit that outputs the output Y of the third arithmetic unit as the value of the power operation dG.

In claim 40, E is a finite group, and a group operation on E is expressed additively, d is n-bit data, t (<n) is the number of divisions, and n '= kt is the least common multiple of t and n. age,
Binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
These E, k, n, t, and n ′ are stored in the first memory unit,
Data d and its binary representation {d [i] (i = 0, .., 2 ^ n'-1)}, k-bit data {a [j] (j = 0, ..., t- 1)} is stored in the second memory section,
Enter the element G of E in the input section,
An arbitrary element R of the finite group E is generated by the random number generator,
The element R, the input element G, and k of the first memory unit are input to the first arithmetic unit,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
The above element G [j] (j = 0, .., t-1), the integer b of 0 ≦ b ≦ 2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
Find 2 ^ t E elements {T [0], .., T [2 ^ t-1]}
The above elements {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]} are output,
The output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}
Input the above element R and output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}, Y = R,
{G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, which are the outputs of the initial value setting unit,
Enter Y and {d [i]} stored in the second memory,
Perform the following operations sequentially from i = k-1 to 0,
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
The power of the finite group E is characterized in that Y, which is the output of the third arithmetic unit, is output as the value of the power operation dG by the output unit.

Claim 41 is an arithmetic device to which the power calculation method according to claim 40 should be applied.

In claim 42, a recording medium storing a program for executing the method of claim 40 is provided.

In claim 43, a signature, authentication, secret communication, and key sharing method using the operation method according to claim 40 is adopted.

In claim 44, the finite group is E, the group operation on E is expressed additively, n-bit data d, the number of divisions is t (<n), the least common multiple of t and n is n '= kt,
Binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… +
d [0],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj + 1] ・ 2+ d [kj]
And
A first memory section for storing these E, k, n, t, and n ′ as inputs;
A second memory unit for storing d and its binary representation and k-bit data {a [j]};
An input unit for inputting an element G of a finite group E;
A random number generator for generating an arbitrary element R of the finite group E;
Using the element R, the input source G, and k of the first memory unit as inputs,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
Next, the above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
A first computing unit for finding 2 ^ t E elements {T [0], .., T [2 ^ t-1]};
Using the element R and the output {G [0], .., G [t-1]} and {T [0], .., T [2 ^ t-1]} as inputs, {G [0], .., G [t-1]}, {T [0], .., T [2 ^ t-1]},
An initial value setting unit for setting Y = R as an initial value of the second calculation unit;
Output of initial value setting part {G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, Y and binary representation of d above { d [i]} as input,
The following operations from i = k-1 to 0:
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1
A second arithmetic unit that sequentially loops
It has a third calculation unit that calculates Y = YR, using Y as the output of the second calculation unit and the above element R as inputs.
The power unit of the finite group E is characterized by having an output unit that outputs the output Y of the third arithmetic unit as the value of the power operation dG.

As described above, in the conventional example, in order to obtain the operation dG that should be safe against the side channel attack, the problem is that the minimum amount of necessary intermediate variables increases, and a preliminary calculation table is used. There was a problem that it was difficult to increase the execution speed.

The present invention has been made in view of the problems in this conventional example, and by realizing flexibly an operation that should be strong against side channel attacks in terms of memory size and execution speed, a discrete logarithm on a safe finite group can be obtained. The purpose is to provide problem-based key sharing, encryption, and signature methods. This makes it possible to realize faster and more compact software or hardware, and to provide key sharing, encryption, and signature methods using the discrete logarithm problem that can be easily implemented on mobile terminals. If public key cryptosystems such as secure key sharing, cryptography, and signature schemes can be realized at high speed and compactly, the security of applications on low-performance machines can be strengthened, and its practical value is great.

Figure 1 shows the power unit. Fig. 6 shows the method of realizing power calculations on an elliptic curve in time series, and the correspondence with each part in Fig. 1 is also described.
The power calculation method on the elliptic curve is described below with reference to FIGS.

Step 1. Elliptic curve E (Fq),
Enter the element G of E (Fq) and the number of bits n. Enter the elliptic curve E on the input finite fields Fq and Fq, the element G of E (Fq), and the number of bits n.

Step 2. d and its binary notation d =
d [n-1] 2 ^ (n-1) + ・ ・ ・ + d [1] 2 + d [0] is input
This expresses n-bit data d in binary. In this case, each d [n-1], ..., d [0] is 0 or 1.

Step 3. Take the element R of E (Fq).

Step 4. Set Z = GR.
This calculates the element Z = GR that is required when calculating dG + R from the most significant bit (MSB).

Step 5. Set Y = R, Z = GR.
Set the initial value Y = R to calculate dG + R from the most significant bit (MSB).

Step
6 to 7 correspond to the second calculation unit.
Step 6. Set i = n-1.
Set the counter i for calculating dG + R from the most significant bit (MSB) to 0.
Step 7. i ≧ 0
Depending on the value of d [i],
Y = 2Y + Z (when d [i] = 1),
Y = 2Y-R (when d [i] = 0),
To reduce i by 1 and step
Judgment 7 is made.

Step 8. Calculate Y = Y-R

Step 9. Output Y.
Step 7 dY + R
Since the result of subtracting R from the result in step 8 is input to Y, the output value Y becomes the result of the power operation dG.

The first embodiment is an embodiment of the invention according to claim 5. The first embodiment is an apparatus for calculating and outputting an elliptic power operation dG for an input elliptic curve element G and secret data d. In this device, the power consumption of the intermediate process varies with each input, and the input G cannot be manipulated so that the element of the elliptic curve has 0 coordinate or 0 register in the intermediate process. Therefore, it is safe against side channel attacks. Furthermore, the number of intermediate variables that hold the elliptic curve elements required during the course is three, which can be reduced by the conventional example.

  In the first embodiment, the arithmetic unit is a power unit when an elliptic curve on a finite field is used as a finite group, but the embodiment is not limited to this. For example, as described in claim 6, a super elliptic curve on a finite field can be used as a finite group. Further, the first embodiment deals with the case of claim 1 in which d and G of the power operation dG are both stored in the memory, but the embodiment is not limited to this. For example, if d is generated as a random number and G is stored in the memory as in claims 8, 13, and 18, d is generated as a random number and G is input by the user, d is stored in the memory It is also possible for G to be entered by the user. These examples correspond to FIGS. 2, 3 and 4, respectively.

Although only the arithmetic unit is described in the first embodiment, the arithmetic to be used for encryption, signature, key sharing, authentication, etc. using the discrete logarithm problem is realized by using this method, and the side channel attack is prevented. And safe implementations are also included.

Figure 5 shows the power unit. Fig. 7 shows the method of realizing power calculation on an elliptic curve in time series, and also describes the correspondence with each part in Fig. 5.
The power calculation method on the elliptic curve is described below with reference to FIGS.
This section explains how to perform power operations on elliptic curves with reference to.
Step 1. Elliptic curve E (Fq),
Enter element G of E (Fq), bit number n, number of divisions t, n '= kt Input finite field Fq and elliptic curve E on Fq, element G of E (Fq).

Step 2. Binary notation of d and n 'bits d = d [n-1] 2 ^ (n-1) + ... + d [1] 2 + d [0] and {a [j]} input
The n-bit data d is expanded to n 'bits by adding 0 to the upper part and expressed in binary.
d = d [n'-1] 2 ^ (n'-1) +… + d [n] 2 ^ n + d [n-1] 2 ^ (n-1) +… + d [1] 2 +
d [0]
At this time, d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] are 0 or 1.
Next, using the binary representation of d above, k-bit data a [j]
For j = 0 to t-1,
a [j] =
d [kj + (k-1)] ・ 2 ^ (k-1) + ・ ・ ・ + d [kj]
Is written.

Step
3. Element R of E (Fq)
Take

Step
4. G [i] = 2 ^ ki G (i = 1, ..., k-1) and creation of preliminary calculation table {T [b]} First, G [j] = 2 ^ (kj) G (j = 1, ..., k-1)
Find the element G [j] of E and express G [0] = G.
Next, any b with 0 ≦ b ≦ 2 ^ t-1 and its binary representation
b = b [t-1] 2 ^ (t-1) + ・ ・ ・ +
b [0] (each b [i] is 0 or 1)
Using,
T [b] = b [t-1] G [t-1] + ・ ・ ・ +
b [0] G [0]
This finds 2 ^ t E elements {T [0], .., T [2 ^ t-1]}.

Step 5. Set Y = R.
dG + R = a [t-1] G [t-1] + ... + a [0] G [0] is set to the initial value Y = R to calculate from the most significant bit (MSB).

Step
6 to 7 correspond to the second calculation unit.
Step 6. Set i = k-1.
Step
7. i ≧ 0
a [t-1] [i],
…, A [0] [i] is used to index the elements of the preliminary calculation table,
The following operations,
Y = 2Y + T [d [i + k (t-1)] 2 ^ {(t-1) k} +
… + D [i + k] 2 ^ k + d [i]]
To reduce i by 1 and step 7
Judgment of

Step 8. Calculate Y = Y-R

Step 9. Output Y.
Step 7 dY + R
Since the result of subtracting R from the result in step 8 is input to Y, the output value Y becomes the result of the power operation Y = dG.

The second embodiment is an embodiment of the invention according to claim 8. The second embodiment is an apparatus for calculating and outputting an elliptic power operation dG for an input elliptic curve element G and secret data d. In this device, the power consumption in the middle process is different for each input, and the input G cannot be manipulated so that the element of the elliptic curve has 0 coordinate or 0 register in the middle process. Therefore, it is safe against side channel attacks. Furthermore, it is possible to provide fast power operations by efficiently storing the intermediate variables that hold the elements of the elliptic curve required during the process as a table.

  In the second embodiment, the arithmetic unit is a power unit when an elliptic curve on a finite field is used as a finite group, but the embodiment is not limited to this. For example, as described in claim 28, a superelliptic curve on a finite field can be used as a finite group. Further, the second embodiment deals with the case of claim 1 in which d and G of the power operation dG are both stored in the memory, but the embodiment is not limited to this. For example, if d is generated as a random number and G is stored in the memory as in claims 30, 35 and 40, d is generated as a random number and G is input by the user, d is stored in the memory It is also possible for G to be entered by the user. Needless to say, in this embodiment, only the arithmetic unit is shown, but the arithmetic to be used for encryption, signature, key sharing, authentication, etc. using the discrete logarithm problem is realized by using this method. It also includes methods that have been implemented safely against channel attacks.

Fig. 9 shows a comparison of the amount of memory and the amount of calculation between the conventional example and the example. Regarding the computational complexity, the computational complexity per bit was expressed when the definition field Fq was 160 bits. D and A are the calculations for the doubling and addition on the elliptic curve, and M and S are the calculations for the multiplication and doubling on the definition field Fq. According to this table, when the memory limit is very strict, using the first embodiment, it is possible to realize a safe and high-speed operation with a minimum amount of memory. In addition, when high speed is required, high-speed arithmetic can be realized by changing the division number t in the second embodiment. In fact, if t = 4 is used as the number of divisions, the power calculation can be realized in about 50% of the execution time, and its impact on applications such as key sharing, encryption, and signature method is very large. For industrial use, the required specification conditions differ depending on the application and the platform that implements the application. The present invention can provide optimal and safe operations for different specifications such as memory and high speed. In addition, operations to be realized by the present invention are basic technologies used in a wide range of applications such as key sharing, encryption, and signature systems, and their industrial applicability is very high.

The block diagram of the power method of the finite group E of Claim 1 The block diagram of the power method of the finite group E of Claim 8 The block diagram of the power method of the finite group E of Claim 13 The block diagram of the power calculation method of the finite group E of Claim 18 The block diagram of the finite group E power calculation method of Claim 23 Configuration diagram of the elliptic curve power calculation method of the first embodiment Configuration diagram of power calculation method of elliptic curve of embodiment 2 Configuration diagram of power calculation method of elliptic curve of Conventional Example 1 Performance comparison table between the conventional example and Examples 1 and 2

Claims (44)

Let E be a finite group, represent the group operation on E additively, G be the element of E, and n-bit data d and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
When
These E and G are stored in the first memory part, d and its binary representation are stored in the second memory part,
An arbitrary element R of the finite group E is generated by the random number generator,
The element R and the element G of the first memory unit are input to the first arithmetic unit to obtain Q = GR, the output Q of the first arithmetic unit and the element R are input to the initial value setting unit, Q, R, Y = R is output,
Input Q, R, Y, which is the output of the initial value setting unit, and binary representation d [i] of d stored in the second memory unit to the second arithmetic unit, and from i = n-1 The following operations are sequentially performed until 0,
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
A power operation method for a finite group E, wherein the output of the third operation unit Y is output as the value of the power operation dG by the output unit.   A computing device to which the computing method according to claim 1 is applied. A recording medium storing a program for executing the method according to claim 1. A signature, authentication, secret communication, and key sharing method using the calculation method according to claim 1. The arithmetic method according to claim 1, wherein p is a prime number, r is a positive integer, q is an integer such that q = p ^ r, and elliptic curves E and E (Fq) on a finite field Fq having q elements Power operation on elliptic curve for above element G and n-bit data d
An arithmetic method that should be used to calculate dG. The power calculation method according to claim 1, wherein p is a prime number, r is a positive integer, q is an integer such that q = p ^ r, and hyperelliptic curves H, H (Fq on a finite field Fq having q elements ) Power operation on hyperelliptic curve for element G and n-bit data d
An arithmetic method that should be used to calculate dG. Let E be a finite group, represent the group operation on E additively, G be the element of E, and n-bit data d and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
When
A first memory section for storing these E and G;
A random number generator having these d and a second memory unit for storing the binary representation thereof and generating an arbitrary element R of the finite group E;
A first calculation unit for obtaining Q = GR by using the element R and the element G of the first memory unit as inputs;
An initial value setting unit for setting R, Q, and Y = R as initial values of the second calculation unit, with the element R and the output Q of the first calculation unit as inputs,
Using the output Y, R, Q of the initial value setting unit and the binary representation {d [i]} of d stored in the second memory unit as input, the following operations from i = n-1 to 0:
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
A third arithmetic unit that calculates Y = YR, using Y as the output of the second arithmetic unit and the output of the second arithmetic unit and the above element R as input.
A power unit for a finite group E, comprising an output unit for outputting the output Y of the third arithmetic unit as the value of a power operation dG. E is a finite group, and the group operation on E is expressed additively, the element of E is G, and these E and G are stored in the first memory part.
The first random number generator generates n-bit data d, and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
age,
An arbitrary element R of the finite group E is generated by the second random number generator,
The element R and the element G of the first memory unit are input to the first arithmetic unit to obtain Q = GR, the output Q of the first arithmetic unit and the element R are input to the initial value setting unit, Q, R, Y = R is output,
Input the output Q, R, Y of the initial value setting unit and the binary expression d [i] of d above to the second arithmetic unit, and perform the following operations sequentially from i = n-1 to 0,
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
A power operation method for a finite group E, wherein the output of the third operation unit Y is output as the value of the power operation dG by the output unit.   A computing device to which the computing method according to claim 8 is applied. A recording medium storing a program for executing the method according to claim 8. A signature, authentication, secret communication, and key sharing method using the calculation method according to claim 8. Let E be a finite group, add group operations on E additively, and let G be an element of E
A first memory section for storing these E and G;
The first random number generator that generates n-bit data d and the binary representation of d
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
age,
A random number generator for generating an arbitrary element R of the finite group E;
A first calculation unit for obtaining Q = GR by using the element R and the element G of the first memory unit as inputs;
An initial value setting unit for setting R, Q, and Y = R as initial values of the second calculation unit, with the element R and the output Q of the first calculation unit as inputs,
Using the output Y, R, Q of the initial value setting unit and the binary representation {d [i]} of d above as inputs, the following operations are performed from i = n-1 to 0:
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
A third arithmetic unit that calculates Y = YR, using Y as the output of the second arithmetic unit and the output of the second arithmetic unit and the above element R as input.
A power unit for a finite group E, comprising an output unit for outputting the output Y of the third arithmetic unit as the value of a power operation dG. Let E be a finite group, represent the group operations on E additively, store E in the first memory part,
Enter the element G of E in the input section,
The first random number generator generates n-bit data d, and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
age,
An arbitrary element R of the finite group E is generated by the second random number generator,
Q = GR is obtained by inputting the element R and the element G of the input to the first arithmetic unit, the output Q of the first arithmetic unit and the element R are input to the initial value setting unit, and Q, R , Y = R,
Input the output Q, R, Y of the initial value setting unit and the binary expression d [i] of d above to the second arithmetic unit, and perform the following operations sequentially from i = n-1 to 0,
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
A power operation method for a finite group E, wherein the output of the third operation unit Y is output as the value of the power operation dG by the output unit.   An arithmetic device to which the arithmetic method according to claim 13 is applied. A recording medium storing a program for executing the method according to claim 13. A signature, authentication, secret communication, and key sharing method using the calculation method according to claim 13. A finite group E, a group operation on E additively expressed, a first memory unit storing E,
An input unit for inputting an element G of a finite group E;
The first random number generator that generates n-bit data d and the binary representation of d
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
age,
A random number generator for generating an arbitrary element R of the finite group E;
A first arithmetic unit for obtaining Q = GR using the element R and the input element G as inputs;
An initial value setting unit for setting R, Q, and Y = R as initial values of the second calculation unit, with the element R and the output Q of the first calculation unit as inputs,
Using the output Y, R, Q of the initial value setting unit and the binary representation {d [i]} of d above as inputs, the following operations are performed from i = n-1 to 0:
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
A third arithmetic unit that calculates Y = YR, using Y as the output of the second arithmetic unit and the output of the second arithmetic unit and the above element R as input.
A power unit for a finite group E, comprising an output unit for outputting the output Y of the third arithmetic unit as the value of a power operation dG. Let E be a finite group, the group operation on E is represented additively, and n-bit data d and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
When
E is stored in the first memory part,
store d and its binary representation in the second memory part,
Enter the element G of E in the input section,
An arbitrary element R of the finite group E is generated by the random number generator,
Q = GR is obtained by inputting the element R and the element G of the input to the first arithmetic unit, the output Q of the first arithmetic unit and the element R are input to the initial value setting unit, and Q, R , Y = R,
Input Q, R, Y, which is the output of the initial value setting unit, and binary representation d [i] of d stored in the second memory unit to the second arithmetic unit, and from i = n-1 The following operations are sequentially performed until 0,
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
A power operation method for a finite group E, wherein the output of the third operation unit Y is output as the value of the power operation dG by the output unit.   An arithmetic device to which the arithmetic method according to claim 18 should be applied. A recording medium storing a program for executing the method according to claim 18. A signature, authentication, secret communication, and key sharing method using the calculation method according to claim 18. Let E be a finite group, the group operation on E is represented additively, and n-bit data d and its binary representation
d = d [n-1] ・ 2 ^ (n-1) +… + d [1] ・ 2 + d [0]
(Each d [i] = 0 or 1)
When
A first memory section for storing E;
an input unit for inputting an element G of a finite group E having d and a second memory unit for storing the binary representation;
A random number generator for generating an arbitrary element R of the finite group E;
A first arithmetic unit for obtaining Q = GR using the element R and the input element G as inputs;
An initial value setting unit for setting R, Q, and Y = R as initial values of the second calculation unit, with the element R and the output Q of the first calculation unit as inputs,
Using the output Y, R, Q of the initial value setting unit and the binary representation {d [i]} of d stored in the second memory unit as input, the following operations from i = n-1 to 0:
Y = 2Y + Q (when d [i] = 1),
Y = 2Y + (-R) (when d [i] = 0),
i = i-1,
A third arithmetic unit that calculates Y = YR, using Y as the output of the second arithmetic unit and the output of the second arithmetic unit and the above element R as input.
A power unit for a finite group E, comprising an output unit for outputting the output Y of the third arithmetic unit as the value of a power operation dG. E is a finite group, and the group operation on E is expressed additively, the element of E is G, the data of n bits is d, the number of divisions is t (<n), and the least common multiple of t and n is n '= kt,
Binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… +
d [0],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
These E, G, k, n, t, and n ′ are stored in the first memory unit,
The above data d and its binary representation {d [i] (i = 0, .., 2 ^ n'-1)},
Store k-bit data {a [j] (j = 0, ..., t-1)} in the second memory section,
An arbitrary element R of the finite group E is generated by the random number generator,
Input the above element R and the element G, k of the first memory unit to the first arithmetic unit,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
The above element G [j] (j = 0, .., t-1), the integer b of 0 ≦ b ≦ 2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
Find 2 ^ t E elements {T [0], .., T [2 ^ t-1]}
The above elements {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]} are output,
The output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}
Input the above element R and output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}, Y = R,
{G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, which are the outputs of the initial value setting unit, to the second arithmetic unit Input Y and binary representation {d [i]} of d stored in the second memory part,
from i = k-1
The following operations are sequentially performed until 0,
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
A power operation method for a finite group E, wherein the output of the third operation unit Y is output as the value of the power operation dG by the output unit.   An arithmetic device to which the arithmetic method according to claim 23 is applied. A recording medium storing a program for executing the method according to claim 23. A signature, authentication, secret communication, and key sharing method using the calculation method according to claim 23. An arithmetic method according to claim 23, wherein p is a prime number, r is a positive integer, q is an integer such that q = p ^ r, and elliptic curves E and E (Fq) on a finite field Fq having q elements Power operation on elliptic curve for above element G and n-bit data d
An arithmetic method that should be used to calculate dG. The power calculation method according to claim 23, wherein p is a prime number, r is a positive integer, q is an integer such that q = p ^ r, and hyperelliptic curves H, H (Fq on a finite field Fq having q elements ) Power operation on hyperelliptic curve for element G and n-bit data d
An arithmetic method that should be used to calculate dG. E is a finite group, and the group operation on E is expressed additively, the element G of E and n-bit data d, the number of divisions t (<n), the least common multiple of t and n is n '= kt,
Binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… +
d [0],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj + 1] ・ 2+ d [kj]
And
A first memory unit for storing these E, G, k, n, t, and n ′;
A second memory unit for storing d and its binary representation and k-bit data {a [j]};
A random number generator for generating an arbitrary element R of the finite group E;
Using the above element R and elements G and k of the first memory unit as inputs,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
Next, the above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
A first computing unit for finding 2 ^ t E elements {T [0], .., T [2 ^ t-1]};
Using the element R and the output {G [0], .., G [t-1]} and {T [0], .., T [2 ^ t-1]} as inputs, {G [0], .., G [t-1]}, {T [0], .., T [2 ^ t-1]},
An initial value setting unit for setting Y = R as an initial value of the second calculation unit;
Output of initial value setting part {G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]},
Using Y and binary representation {d [i]} of d stored in the second memory part as input
The following operations from i = k-1 to 0:
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1
A second arithmetic unit that sequentially loops
It has a third calculation unit that calculates Y = YR, using Y as the output of the second calculation unit and the above element R as inputs.
A power unit for a finite group E, comprising an output unit for outputting the output Y of the third arithmetic unit as the value of a power operation dG. Let E be a finite group, and the group operations on E be expressed additively, where G is the element of E, n is the number of bits, t (<n) is the number of divisions, and n '= kt is the least common multiple of t and n. ,
These E, G, k, n, t, and n ′ are stored in the first memory unit,
The first random number generator generates n-bit data d, and the binary representation with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
An arbitrary element R of the finite group E is generated by the second random number generator,
Input the above element R and the element G, k of the first memory unit to the first arithmetic unit,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
The above element G [j] (j = 0, .., t-1), the integer b of 0 ≦ b ≦ 2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
Find 2 ^ t E elements {T [0], .., T [2 ^ t-1]}
The above elements {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]} are output,
The output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}
Input the above element R and output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}, Y = R,
{G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, which are the outputs of the initial value setting unit, to the second arithmetic unit Enter Y and the binary representation {d [i]} of d above,
Perform the following operations sequentially from i = k-1 to 0,
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
A power operation method for a finite group E, wherein the output of the third operation unit Y is output as the value of the power operation dG by the output unit.   An arithmetic device to which the arithmetic method according to claim 30 is applied. A recording medium storing a program for executing the method according to claim 30. A signature, authentication, secret communication, and key sharing method using the calculation method according to claim 30. Let E be a finite group, and the group operations on E be expressed additively, where G is the element of E, n is the number of bits, t (<n) is the number of divisions, and n '= kt is the least common multiple of t and n. ,
A first memory unit for storing these E, G, k, n, t, and n ′;
A first random number generator that generates n bits of data d, and a binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
A random number generator for generating an arbitrary element R of the finite group E;
Using the above element R and elements G and k of the first memory unit as inputs,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
Next, the above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
A first computing unit for finding 2 ^ t E elements {T [0], .., T [2 ^ t-1]};
Using the element R and the output {G [0], .., G [t-1]} and {T [0], .., T [2 ^ t-1]} as inputs, {G [0], .., G [t-1]}, {T [0], .., T [2 ^ t-1]},
An initial value setting unit for setting Y = R as an initial value of the second calculation unit;
Output of initial value setting part {G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, Y and binary representation of d above { d [i]} as input,
The following operations from i = k-1 to 0:
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1
A second arithmetic unit that sequentially loops
It has a third calculation unit that calculates Y = YR, using Y as the output of the second calculation unit and the above element R as inputs.
A power unit for a finite group E, comprising an output unit for outputting the output Y of the third arithmetic unit as the value of a power operation dG. Let E be a finite group, and the group operation on E is expressed additively, the number of bits is n, the number of divisions is t (<n), the least common multiple of t and n is n '= kt,
These E, k, n, t, and n ′ are stored in the first memory unit,
Enter the element G of E in the input section,
The first random number generator generates n-bit data d, and the binary representation with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
An arbitrary element R of the finite group E is generated by the second random number generator,
The element R, the input element G, and k of the first memory unit are input to the first arithmetic unit,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
The above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation of that b
b = b [t-1] · 2 ^ (t-1) + ... + b [0] (each b [i] is 0
Or 1),
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
Find 2 ^ t E elements {T [0], .., T [2 ^ t-1]}
The above elements {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]} are output,
The output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}
Input the above element R and output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}, Y = R,
{G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, which are the outputs of the initial value setting unit, to the second arithmetic unit Enter Y and the binary representation {d [i]} of d above,
Perform the following operations sequentially from i = k-1 to 0,
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
A power operation method for a finite group E, wherein the output of the third operation unit Y is output as the value of the power operation dG by the output unit.   A computing device to which the computing method according to claim 35 is applied. A recording medium storing a program for executing the method according to claim 35. A signature, authentication, secret communication and key sharing method using the calculation method according to claim 35. Let E be a finite group, and the group operation on E is expressed additively, the number of bits is n, the number of divisions is t (<n), the least common multiple of t and n is n '= kt,
A first memory section for storing these E, k, n, t, and n ′ as inputs;
An input unit for inputting an element G of a finite group E;
A first random number generator that generates n bits of data d, and a binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… + d [0 ],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
A random number generator for generating an arbitrary element R of the finite group E;
Using the element R, the input source G, and k of the first memory unit as inputs,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
Next, the above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
A first computing unit for finding 2 ^ t E elements {T [0], .., T [2 ^ t-1]};
Using the element R and the output {G [0], .., G [t-1]} and {T [0], .., T [2 ^ t-1]} as inputs, {G [0], .., G [t-1]}, {T [0], .., T [2 ^ t-1]},
An initial value setting unit for setting Y = R as an initial value of the second calculation unit;
Output of initial value setting part {G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, Y and binary representation of d above { d [i]} as input,
The following operations from i = k-1 to 0:
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1
A second arithmetic unit that sequentially loops
It has a third calculation unit that calculates Y = YR, using Y as the output of the second calculation unit and the above element R as inputs.
A power unit for a finite group E, comprising an output unit for outputting the output Y of the third arithmetic unit as the value of a power operation dG. E is a finite group, and the group operation on E is expressed additively. The data of n bits is d, the number of divisions is t (<n), the least common multiple of t and n is n '= kt,
Binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… +
d [0],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj]
And
These E, k, n, t, and n ′ are stored in the first memory unit,
Data d and its binary representation {d [i] (i = 0, .., 2 ^ n'-1)}, k-bit data {a [j] (j = 0, ..., t- 1)} is stored in the second memory section,
Enter the element G of E in the input section,
An arbitrary element R of the finite group E is generated by the random number generator,
The element R, the input element G, and k of the first memory unit are input to the first arithmetic unit,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
The above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation of that b
b = b [t-1] · 2 ^ (t-1) + ... + b [0] (each b [i] is 0
Or 1),
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
Find 2 ^ t E elements {T [0], .., T [2 ^ t-1]}
The above elements {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]} are output,
The output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}
Input the above element R and output {G [0], ..., G [t-1]} and {T [0], .., T [2 ^ t-1]}, Y = R,
{G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, which are the outputs of the initial value setting unit, to the second arithmetic unit Enter Y and {d [i]} stored in the second memory,
Perform the following operations sequentially from i = k-1 to 0,
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1,
Input Y, which is the output of the second calculation unit, and the above element R to the third calculation unit to obtain Y = YR,
A power operation method for a finite group E, wherein the output of the third operation unit Y is output as the value of the power operation dG by the output unit.   41. A computing device to which the power computing method according to claim 40 is applied. 41. A recording medium storing a program for executing the method according to claim 40. A signature, authentication, secret communication, and key sharing method using the calculation method according to claim 40. Let E be a finite group, add group operations on E additively, n-bit data d, the number of divisions t (<n), the least common multiple of t and n is n '= kt,
Binary representation of d with n 'bits
d = d [n'-1] ・ 2 ^ (n'-1) +… + d [n] ・ 2 ^ n + d [n-1] ・ 2 ^ (n-1) +… +
d [0],
(d [n'-1] = ... = d [n] = 0 and d [n-1], ..., d [0] is 0 or 1)
And using the binary representation of d above, k-bit data a [j] for j = 0 to t-1
a [j] = d [kj + (k-1)] ・ 2 ^ (k-1)
+ ... + d [kj + 1] ・ 2+ d [kj]
And
A first memory section for storing these E, k, n, t, and n ′ as inputs;
A second memory unit for storing d and its binary representation and k-bit data {a [j]};
An input unit for inputting an element G of a finite group E;
A random number generator for generating an arbitrary element R of the finite group E;
Using the element R, the input source G, and k of the first memory unit as inputs,
Element of E as G [j] = 2 ^ (kj) G from j = 1 to t-1
Find G [j]
G [0] = G
Next, the above element G [j] (j = 0, .., t-1), the integer b of 0≤b≤2 ^ t-1, and the binary representation b of that b
= b [t-1] ・ 2 ^ (t-1) + ・ ・ ・ + b [0] (each b [i] is 0 or 1)
T [b] = b [t-1] ・ G [t-1] + ・ ・ ・ + b [0] ・ G [0] -R
A first computing unit for finding 2 ^ t E elements {T [0], .., T [2 ^ t-1]};
Using the element R and the output {G [0], .., G [t-1]} and {T [0], .., T [2 ^ t-1]} as inputs, {G [0], .., G [t-1]}, {T [0], .., T [2 ^ t-1]},
An initial value setting unit for setting Y = R as an initial value of the second calculation unit;
Output of initial value setting part {G [0], ..., G [t-1]}, {T [0], .., T [2 ^ t-1]}, Y and binary representation of d above { d [i]} as input,
The following operations from i = k-1 to 0:
Y = 2Y +
T [d [i + k (t-1)] 2 ^ {(t-1) k} +… + d [i + k] 2 ^ k + d [i]]
i = i-1
A second arithmetic unit that sequentially loops
It has a third calculation unit that calculates Y = YR, using Y as the output of the second calculation unit and the above element R as inputs.
A power unit for a finite group E, comprising an output unit for outputting the output Y of the third arithmetic unit as the value of a power operation dG.

Images