JP2006323160A - Pairing arithmetic unit, pairing arithmetic method and pairing arithmetic program - Google Patents


Info

Publication number: JP2006323160A
Authority: JP (Japan)
Prior art keywords: finite field, miller, pseudo, pairing, unit
Legal status: Granted; currently active
Application number: JP2005146556A
Other languages: Japanese (ja)
Other versions: JP4580274B2 (en)
Inventors: Tetsutaro Kobayashi (鉄太郎 小林), Kazumaro Aoki (和麻呂 青木)
Current assignee: Nippon Telegraph and Telephone Corp
Original assignee: Nippon Telegraph and Telephone Corp
Priority date: 2005-05-19 (priority to JP2005146556A)
Filing date: 2005-05-19
Publications: JP2006323160A (application), JP4580274B2 (granted patent)

Abstract

PROBLEM TO BE SOLVED: To solve the problem that pairing computation is slow, since the amount of computation required for a pairing is much larger than that of ordinary elliptic curve arithmetic.

SOLUTION: The invention achieves high speed by using a property of finite fields. With r an element of the finite field GF(p^(k/2)) and f the element of the finite field GF(p^k) computed by the Miller algorithm, the computation is performed with an algorithm requiring less computation than the Miller algorithm, which maps to an element f' of GF(p^k) satisfying f' = rf. Instead of computing an inverse element, p to the k-th power of the multiplicand is computed as a quasi-inverse element. The polynomial expansion of the computationally expensive multiplications of elements of GF(p^k) is performed using the quasi-inverse elements. High speed is achieved because, once the polynomials are expanded, the expensive terms can be computed in advance as terms common to the repeated computation.

COPYRIGHT: (C)2007, JPO&INPIT

Description

The present invention relates to an apparatus, a method, and a program that use operations on an elliptic curve, in particular operations for realizing security techniques.

A method for realizing ID-based encryption and short digital signatures using elliptic curve pairings has been proposed (Patent Document 1).
FIG. 1 outlines encryption and signatures based on the Tate pairing. Let E/GF(p) be an elliptic curve defined over the finite field GF(p). Let P(x_P, y_P) be a GF(p)-rational point on E/GF(p), and Q(x_Q, y_Q) a GF(p^k)-rational point on E/GF(p). The Tate pairing takes P and Q as input, outputs an element f of the finite field GF(p^k) by the Miller algorithm, and then maps f to an element e of GF(p^k) by raising f to the power (p^k − 1)/m, which is output. Here p is a prime or a prime power, m is a prime equal to the order of P, Q and e, k is the smallest integer satisfying m | (p^k − 1), m is not a divisor of (p − 1), and the greatest common divisor of p and m is 1.

FIG. 2 shows an example of the functional configuration of a pairing arithmetic device 1000 using the Tate pairing. To perform the processing shown in FIG. 1, it consists of a Miller arithmetic unit 30, which converts the inputs P and Q into an element f of the finite field GF(p^k) by the Miller algorithm and outputs it, and a power arithmetic unit 20, which maps the input f to an element e of GF(p^k) by a power operation and outputs it.
FIG. 3 shows an example of the internal configuration of the Miller arithmetic unit 30, which accounts for 90% of the computation of the Tate pairing, and FIG. 4 shows an example of its processing flow. The Miller arithmetic unit 30 consists of a control unit 100, an assignment unit 200, an elliptic-curve point generation unit 400, an elliptic-curve addition unit 500, an input/output unit 600, a GF(p^k) multiplication unit 700, a GF(p^k) inverse element unit 850, and a recording unit 190. The control unit 100 controls the other units so that the processing flow described below is executed. The recording unit 190 may be a non-volatile memory such as a hard disk, a volatile memory that holds data only for the duration of a sequence of calculations, or a combination of the two.

When m, P and Q are input to the input/output unit 600, they are recorded in the recording unit 190 (S700). Next, the assignment unit 200 assigns P to T and 1 to F and records them in the recording unit 190 (S710). The elliptic-curve point generation unit 400 generates a point S (∈ E/GF(p^k)) on the elliptic curve defined over the finite field GF(p^k) that satisfies S ≠ P and S ≠ Q, and records it in the recording unit 190 (S720). S may be fixed in advance or generated at random, as long as it satisfies these conditions. The elliptic-curve addition unit 500 reads Q and S from the recording unit 190, computes Q' (= Q + S), and records it in the recording unit 190 (S730). The assignment unit 200 assigns to n the integer obtained by rounding up log(m) − 1 and records it in the recording unit 190 (S740). The control unit 100 reads n from the recording unit 190 and checks whether n < 0; if yes, it proceeds to step S910, and if no, to step S760 (S750). If yes, the input/output unit 600 reads F from the recording unit 190 and outputs it (S910), and the computation by the Miller algorithm ends. If no, the elliptic-curve addition unit 500 reads T from the recording unit 190, computes 2T, and records it in the recording unit 190 (S760). The GF(p^k) multiplication unit 700 reads Q', S, T and 2T from the recording unit 190 and, taking l1(x, y) = 0 as the line through T and 2T and l2(x, y) = 0 as the line through 2T and O, computes l1(Q'), l2(Q'), l1(S) and l2(S) and records them in the recording unit 190 (S770). Here l1(Q') denotes the value obtained by substituting the x and y coordinates of Q' into l1(x, y). If S is chosen from the elements of the finite field GF(p) (in which case the remaining k − 1 GF(p) components are 0), the computation of l1(S) and l2(S) can be omitted, and l1(S) and l2(S) can be dropped from the subsequent steps. Next, the assignment unit 200 reads 2T from the recording unit 190, assigns the value of 2T to T, and records T in the recording unit 190 (S780). The GF(p^k) inverse element unit 850 reads l2(Q') and l1(S) from the recording unit 190, computes l2(Q')^−1 and l1(S)^−1, and records them in the recording unit 190 (S790). The GF(p^k) multiplication unit 700 reads F, l1(Q'), l2(S), l2(Q')^−1 and l1(S)^−1 from the recording unit 190, computes
Figure 2006323160
and records the result in the recording unit 190 as the value of F (S810). The control unit 100 reads m and n from the recording unit 190 and checks whether the n-th bit of m is 1; if yes, it proceeds to step S830, and if no, to step S900 (S820). If yes, the elliptic-curve addition unit 500 reads T and P from the recording unit 190, computes T + P, and records it in the recording unit 190 (S830). The GF(p^k) multiplication unit 700 reads Q', S, T, P and T + P from the recording unit 190 and, taking l1(x, y) = 0 as the line through T and P and l2(x, y) = 0 as the line through T + P and O, computes l1(Q'), l2(Q'), l1(S) and l2(S) and records them in the recording unit 190 (S840). The assignment unit 200 reads T + P from the recording unit 190, assigns T + P to T, and records T in the recording unit 190 (S850). The GF(p^k) inverse element unit 850 reads l2(Q') and l1(S) from the recording unit 190, computes l2(Q')^−1 and l1(S)^−1, and records them in the recording unit 190 (S860). The GF(p^k) multiplication unit 700 reads F, l1(Q'), l2(S), l2(Q')^−1 and l1(S)^−1 from the recording unit 190, computes
Figure 2006323160
and records the result in the recording unit 190 as the value of F (S880). When step S820 is judged no, or when step S880 has finished, the assignment unit 200 reads n from the recording unit 190, assigns n − 1 to n, and records n in the recording unit 190 (S900). The process then returns to step S750 and is repeated until the judgment in step S750 becomes yes.
Patent Document 1: JP 2004-177673 A

Because the amount of computation required for a pairing is very large compared with ordinary elliptic curve arithmetic, the slow speed of the computation is a problem. In the case of the Tate pairing, the computation is spent on the Miller algorithm, which evaluates a rational function associated with a divisor. The problem addressed by the present invention is to speed up the Miller algorithm.

In the present invention, the speed-up uses a property of finite fields. FIG. 5 shows the principle of the speed-up according to the present invention. In the Tate pairing the element f of the finite field GF(p^k) is mapped to the element e of GF(p^k) by a power operation, but an element f' of GF(p^k) satisfying the following condition is also mapped to the same element e of GF(p^k) by the power operation:
f' = r f, where r is an element of the finite field GF(p^(k/2))   (1)
Therefore, when k is even, the present invention uses this property of finite fields to obtain the element f' by an algorithm with less computation than the Miller algorithm (hereinafter called the "pseudo Miller algorithm"), and obtains the element e by raising f' to the power.

In the pseudo Miller algorithm, the step of the Miller algorithm that computes an inverse element is replaced by a step that computes r times the inverse element (hereinafter called the "pseudo inverse element"), which can be obtained with less computation. Specifically, when k is even and L is an element of the finite field GF(p^k), there exists an element n of the finite field GF(p^(k/2)) satisfying
Figure 2006323160
Therefore,
Figure 2006323160
which satisfies the relation of equation (1). Hence
Figure 2006323160
is used as the pseudo inverse element.
In the polynomial multiplications of the Miller algorithm described above, the polynomials are expanded before they are computed. Specifically, the polynomial multiplications in steps S810 and S880 contain
Figure 2006323160
which, using the pseudo inverse element above, can be replaced by
Figure 2006323160
Writing Q' = (X_Q', Y_Q'), we can express
l1(Q') = cX_Q' + dY_Q' + e,  l2(Q') = gX_Q' + h   (7)
where c, d, e, g and h are elements of GF(p). Furthermore, by Fermat's little theorem this can be transformed into
Figure 2006323160
where X̂_Q' is the conjugate of X_Q'. Therefore equation (6) can be expressed as
(cX_Q' + dY_Q' + e) · (gX̂_Q' + h)   (9)
So A = X_Q'X̂_Q' and B = Y_Q'X̂_Q' are computed in advance, and the product is computed as
cgA + dgB + egX̂_Q' + chX_Q' + dhY_Q' + eh   (10)
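As an added illustration (not code from the patent), the following Python script models the two ingredients just derived in a toy field. The pseudo inverse element is taken here to be the conjugate L^(p^(k/2)) of L (the formula images are not reproduced on this page); it differs from the true inverse only by the factor n = L · L^(p^(k/2)), which lies in GF(p^(k/2)) and therefore vanishes under the final exponentiation, exactly as equation (1) requires. The expanded product (10) replaces the single GF(p^k) × GF(p^k) multiplication of (9) by GF(p) × GF(p^k) multiplications with A and B precomputed. The field GF(13^6) = GF(13)[t]/(t^6 − 2), the prime m = 7 and all element values are constructed for the example, and the multiplication counter is an assumed cost model (one unit per GF(p) product), so the counts show the k^2-versus-k scaling rather than the timing of any real implementation.

```python
# Added example, not the patent's own code: a toy GF(p^k) model of the pseudo
# inverse element and the polynomial-expansion trick of the pseudo Miller
# algorithm.  All parameters and element values below are constructed.
import random

P, K = 13, 6                 # constructed: p = 13, k = 6 (k must be even)
OMEGA = 2                    # GF(p^k) = GF(p)[t] / (t^6 - 2); irreducible because 2 is a
                             # primitive root mod 13 (standard criterion for binomials)
M = 7                        # prime with m | p^k - 1 = 4826808 but m does not divide
                             # p^(k/2) - 1 = 2196, as the text requires of m
ONE = (1,) + (0,) * (K - 1)
COUNT = {"fp_mul": 0}        # assumed cost unit: one GF(p) multiplication

def fp_mul(a, b):
    COUNT["fp_mul"] += 1
    return (a * b) % P

def embed(s):                # GF(p) -> GF(p^k), constant polynomial
    return (s % P,) + (0,) * (K - 1)

def add(x, y):
    return tuple((a + b) % P for a, b in zip(x, y))

def scalar(s, x):            # GF(p) * GF(p^k): k base-field multiplications
    return tuple(fp_mul(s, a) for a in x)

def mul(x, y):               # GF(p^k) * GF(p^k): k^2 schoolbook + (k-1) for the reduction
    prod = [0] * (2 * K - 1)
    for i, a in enumerate(x):
        for j, b in enumerate(y):
            prod[i + j] = (prod[i + j] + fp_mul(a, b)) % P
    for j in range(2 * K - 2, K - 1, -1):      # fold t^j = OMEGA * t^(j-k)
        prod[j - K] = (prod[j - K] + fp_mul(OMEGA, prod[j])) % P
    return tuple(prod[:K])

def power(x, n):             # square-and-multiply
    result, base = ONE, x
    while n:
        if n & 1:
            result = mul(result, base)
        base = mul(base, base)
        n >>= 1
    return result

def inverse(x):              # x^(p^k - 2) = x^-1: the costly step the patent avoids
    return power(x, P ** K - 2)

def conj(x):                 # Frobenius x -> x^(p^(k/2)): the conjugate over GF(p^(k/2))
    return power(x, P ** (K // 2))

def in_subfield(x):          # GF(p^(k/2)) is exactly the fixed field of conj
    return conj(x) == x

def pseudo_inverse(L):       # conj(L) = n * L^-1 with n = L * conj(L) in GF(p^(k/2))
    return conj(L)

def final_exp(f):            # f -> f^((p^k - 1)/m), the power operation that yields e
    return power(f, (P ** K - 1) // M)

def check_pseudo_inverse(L):
    """n = L * conj(L) lies in GF(p^(k/2)) and conj(L) equals n * L^-1."""
    n = mul(L, pseudo_inverse(L))
    return in_subfield(n) and pseudo_inverse(L) == mul(n, inverse(L))

def check_absorbed(f, r):
    """A factor r in GF(p^(k/2)) vanishes under the final exponentiation: (rf)^e = f^e."""
    return in_subfield(r) and final_exp(mul(r, f)) == final_exp(f)

def direct_product(X, Y, c, d, e, g, h, Xc):
    """(cX + dY + e) * (g X^ + h) with one full GF(p^k) multiplication (eq. 9)."""
    l1 = add(add(scalar(c, X), scalar(d, Y)), embed(e))
    l2_conj = add(scalar(g, Xc), embed(h))
    return mul(l1, l2_conj)

def expanded_product(X, Y, c, d, e, g, h, A, B, Xc):
    """cgA + dgB + egX^ + chX + dhY + eh (eq. 10): only GF(p) * GF(p^k) products."""
    terms = [scalar(fp_mul(c, g), A), scalar(fp_mul(d, g), B),
             scalar(fp_mul(e, g), Xc), scalar(fp_mul(c, h), X),
             scalar(fp_mul(d, h), Y), embed(fp_mul(e, h))]
    out = terms[0]
    for term in terms[1:]:
        out = add(out, term)
    return out

def compare_costs(seed=1):
    """Both forms agree; returns (equal, direct_count, expanded_count)."""
    rng = random.Random(seed)
    X = tuple(rng.randrange(P) for _ in range(K))        # constructed X_Q'
    Y = tuple(rng.randrange(P) for _ in range(K))        # constructed Y_Q'
    c, d, e, g, h = (rng.randrange(1, P) for _ in range(5))   # line coefficients in GF(p)
    Xc = conj(X)
    A, B = mul(X, Xc), mul(Y, Xc)     # step S110: computed once, reused every iteration
    COUNT["fp_mul"] = 0
    direct = direct_product(X, Y, c, d, e, g, h, Xc)
    n_direct = COUNT["fp_mul"]        # 3k + k^2 + (k - 1) = 59 for k = 6
    COUNT["fp_mul"] = 0
    expanded = expanded_product(X, Y, c, d, e, g, h, A, B, Xc)
    n_expanded = COUNT["fp_mul"]      # 6 + 5k = 36 for k = 6
    return direct == expanded, n_direct, n_expanded

if __name__ == "__main__":
    L = (3, 1, 4, 1, 5, 9)                                  # constructed element of GF(p^k)
    print("pseudo inverse ok:", check_pseudo_inverse(L))
    print("r absorbed by final exponentiation:",
          check_absorbed((2, 7, 1, 8, 2, 8), mul(L, conj(L))))
    print("expansion equal / direct cost / expanded cost:", compare_costs())
```

Running the script prints the three checks; for k = 6 the direct product costs 59 base-field multiplications (k^2 + 3k plus k − 1 for the reduction modulo t^6 − 2) against 36 (5k + 6) for the expanded form, and the gap widens with k because only the expanded form avoids the k^2 term.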

According to the present invention, in the Tate pairing computation on an elliptic curve with k even, the mapping from E/GF(p^k) to GF(p^k) can be performed at high speed using a property of finite fields. Furthermore, the present invention achieves the speed-up without relying on the properties of special elliptic curves. It can also be applied to elliptic curves of arbitrary characteristic, so its range of application is wide.

In the following, to avoid repetition, units with the same function and processing steps performing the same processing are given the same numbers and their description is omitted.
[First Embodiment]
FIG. 6 shows an example of the functional configuration of the pairing arithmetic device of the present invention. The difference from FIG. 2 is that a pseudo Miller arithmetic unit 10 is provided in place of the Miller arithmetic unit 30. The pseudo Miller arithmetic unit 10 realizes the pseudo Miller algorithm by using the pseudo inverse element described above and performing the multiplications with expanded polynomials. FIG. 7 shows an example of the internal configuration of the pseudo Miller arithmetic unit 10, and FIG. 8 shows its processing flow. The differences between FIG. 7 and FIG. 3 are that some of the data recorded in the recording unit 150 of FIG. 7 differ from the data recorded in the recording unit 190 of FIG. 3, and that the GF(p^k) inverse element unit 850 is replaced by a pseudo GF(p^k) inverse element unit 800 in order to compute pseudo inverse elements. First, "recording in the recording unit 190" and "reading from the recording unit 190" in the description of FIG. 4 are to be read as "recording in the recording unit 150" and "reading from the recording unit 150" in FIG. 8. The other differences between the processing flow of FIG. 8 and that of FIG. 4 are as follows.

Step S110 is added between steps S730 and S740. In step S110, the x and y coordinates X_Q' and Y_Q' (∈ GF(p^k)) of Q' and the x and y coordinates x_P and y_P (∈ GF(p)) of P are read from the recording unit 150; X̂_Q', A = X_Q'X̂_Q', B = Y_Q'X̂_Q', C = (X_Q' − x_P)X̂_Q' and D = (Y_Q' − y_P)X̂_Q' are computed; and X̂_Q', A, B, C and D are recorded in the recording unit 150.
Step S770 is replaced by step S120. In step S120, the GF(p^k) multiplication unit 700 reads Q', S, T and 2T from the recording unit 150 and, taking l1(x, y) = 0 as the line through T and 2T and l2(x, y) = 0 as the line through 2T and O, computes l1(S) and l2(S) and records them in the recording unit 150. It also obtains the coefficients c, d, e, g and h of the polynomials l1(x, y) = cx + dy + e and l2(x, y) = gx + h and records them in the recording unit 150.

Steps S790 and S810 are replaced by steps S130 to S150. In step S130, the pseudo GF(p^k) inverse element unit 800 reads l1(S) from the recording unit 150, computes the pseudo inverse element of l1(S), and records it in the recording unit 150. In step S140, the GF(p^k) multiplication unit 700 reads A, B, c, d, e, g, h, the x coordinate X_Q' and y coordinate Y_Q' of Q', and the conjugate X̂_Q' of X_Q' from the recording unit 150, computes (cX_Q' + dY_Q' + e) · (gX̂_Q' + h) as cgA + dgB + egX̂_Q' + chX_Q' + dhY_Q' + eh, and records the result in the recording unit 150 as
Figure 2006323160
In step S150, the GF(p^k) multiplication unit 700 reads F, l2(S), the pseudo inverse element of l1(S), and
Figure 2006323160
from the recording unit 150, computes
Figure 2006323160
and records the result in the recording unit 150 as the value of F.
Step S840 is replaced by step S160. In step S160, the GF(p^k) multiplication unit 700 reads Q', S, T, P and T + P from the recording unit 150 and, taking l1(x, y) = 0 as the line through T and P and l2(x, y) = 0 as the line through T + P and O, computes l1(S) and l2(S) and records them in the recording unit 150. It also obtains the coefficients c, d, g and h of the polynomials l1(x, y) = cx + dy and l2(x, y) = gx + h and records them in the recording unit 150. Comparing steps S160 and S120, step S160 has no coefficient e for the polynomial l1(x, y); this is because e = 0 in step S160, so it can be omitted.

Steps S860 and S880 are replaced by steps S170 to S190. In step S170, the pseudo GF(p^k) inverse element unit 800 reads l1(S) from the recording unit 150, computes the pseudo inverse element of l1(S), and records it in the recording unit 150. In step S180, the GF(p^k) multiplication unit 700 reads C, D, c, d, g, h, the x coordinate X_Q' and y coordinate Y_Q' of Q', the conjugate X̂_Q' of X_Q', and the x and y coordinates x_P and y_P of P from the recording unit 150, computes (cX' + dY') · (gX̂_Q' + h) as cgC + dgD + chX' + dhY', and records the result in the recording unit 150 as
Figure 2006323160
where X' = X_Q' − x_P and Y' = Y_Q' − y_P. In step S190, the GF(p^k) multiplication unit 700 reads F, l2(S), the pseudo inverse element of l1(S), and
Figure 2006323160
from the recording unit 150, computes
Figure 2006323160
and records the result in the recording unit 150 as the value of F.
In the present invention too, if S is chosen from the elements of the finite field GF(p) (in which case the remaining k − 1 GF(p) components are 0), the computation of l1(S) and l2(S) and the operations involving them can be omitted.
With the processing flow changed in this way, the element f' of the finite field GF(p^k) can be obtained with less computation than the Miller algorithm.
According to the present invention, the use of the pseudo inverse element allows the computationally expensive multiplications of elements of GF(p^k) to be expanded as polynomials. Because they can be expanded, the terms common to the repeated computation can be computed in advance after expanding the multiplications of GF(p^k) elements. If the computational cost is expressed in units of GF(p) multiplications, with a multiplication by an element of GF(p) counted as O(k), then a multiplication of two elements of GF(p^k) normally costs O(k^2), and still O(k^1.5) when a method such as Karatsuba's is used. On the other hand, a multiplication of an element of GF(p^k) by an element of GF(p) costs O(k), so the amount of computation can be reduced. The effect of the present invention becomes especially large as k grows.

The present invention can be executed as a computer together with a computer program, or can be implemented on a digital signal processor or a dedicated LSI.

FIG. 1 is a diagram outlining the Tate pairing computation. FIG. 2 is a diagram showing an example of the functional configuration of a pairing arithmetic device using the Tate pairing. FIG. 3 is a diagram showing an example of the internal configuration of the Miller arithmetic unit. FIG. 4 is a diagram showing the processing flow of the Miller algorithm. FIG. 5 is a diagram showing the principle of the speed-up of computation using the pseudo Miller algorithm. FIG. 6 is a diagram showing an example of the functional configuration of a pairing arithmetic device using the pseudo Miller algorithm. FIG. 7 is a diagram showing an example of the functional configuration of the pseudo Miller arithmetic unit. FIG. 8 is a diagram showing the processing flow of the pseudo Miller algorithm.

Claims (5)

1. A pairing arithmetic device comprising a pseudo Miller arithmetic unit which, where p is a prime or a prime power and k is even, takes as input a point P on an elliptic curve over the finite field GF(p) and a point Q on the elliptic curve over the finite field GF(p^k) and obtains from the input points an element f' of the finite field GF(p^k), and a power arithmetic unit which maps the obtained element of the finite field to an element e(P, Q) of the finite field GF(p^k) and outputs it, wherein,
where X and Y are elements of GF(p^k), X̂ is the conjugate of X, and c, d, e, g and h are elements of GF(p),
the pseudo Miller arithmetic unit is characterized in that, in the Miller algorithm for obtaining the element f of the finite field GF(p^k) from P and Q, it uses, in place of the inverse of the element L of GF(p^k) used within the Miller algorithm,
Figure 2006323160
and in that it computes (cX + dY + e) · (gX̂ + h) by obtaining A = XX̂ and B = YX̂ in advance, recording them in a recording means, and evaluating cgA + dgB + egX̂ + chX + dhY + eh; and
the power arithmetic unit is characterized in that it maps the element f' obtained by the pseudo Miller arithmetic unit to the element e(P, Q) of the finite field GF(p^k) by a power operation.
2. A pairing arithmetic device comprising a pseudo Miller arithmetic unit which, where p is a prime or a prime power and k is even, takes as input a point P on an elliptic curve over the finite field GF(p) and a point Q on the elliptic curve over the finite field GF(p^k) and obtains from the input points an element f' of the finite field GF(p^k), and a power arithmetic unit which maps the obtained element of the finite field to an element e(P, Q) of the finite field GF(p^k) and outputs it, wherein,
where X and Y are elements of GF(p^k), X̂ is the conjugate of X, and x, y, c, d, g and h are elements of GF(p),
the pseudo Miller arithmetic unit is characterized in that, in the Miller algorithm for obtaining the element f of the finite field GF(p^k) from P and Q, it uses, in place of the inverse of the element L of GF(p^k) used within the Miller algorithm,
Figure 2006323160
and in that it computes (c(X − x) + d(Y − y)) · (gX̂ + h) by obtaining C = (X − x)X̂ and D = (Y − y)X̂ in advance, recording them in a recording means, and evaluating cgC + dgD + ch(X − x) + dh(Y − y); and
the power arithmetic unit is characterized in that it maps the element f' obtained by the pseudo Miller arithmetic unit to the element e(P, Q) of the finite field GF(p^k) by a power operation.
3. A pairing arithmetic method in which, where p is a prime or a prime power and k is even, a pseudo Miller arithmetic unit takes as input a point P on an elliptic curve over the finite field GF(p) and a point Q on the elliptic curve over the finite field GF(p^k) and obtains from the input points an element f' of the finite field GF(p^k), and a power arithmetic unit maps the obtained element of the finite field to an element e(P, Q) of the finite field GF(p^k) and outputs it, the method comprising,
where X and Y are elements of GF(p^k), X̂ is the conjugate of X, and c, d, e, g and h are elements of GF(p):
a step in which the pseudo Miller arithmetic unit, in the Miller algorithm for obtaining the element f of the finite field GF(p^k) from P and Q, uses, in place of the inverse of the element L of GF(p^k) used within the Miller algorithm,
Figure 2006323160
a step in which the pseudo Miller arithmetic unit computes (cX + dY + e) · (gX̂ + h) by obtaining A = XX̂ and B = YX̂ in advance, recording them in a recording means, and evaluating cgA + dgB + egX̂ + chX + dhY + eh; and
a step in which the power arithmetic unit maps the element f' obtained by the pseudo Miller arithmetic unit to the element e(P, Q) of the finite field GF(p^k) by a power operation.
p is a prime number or a power of a prime number, k is an even number, and in a pairing calculation method in which a pseudo-Miller operation unit takes as input a point P on an elliptic curve over the finite field GF(p^k) and a point Q on an elliptic curve over the finite field GF(p^k), obtains from the input points an element f' on the finite field GF(p^k), and an exponentiation unit maps the obtained finite-field element to an element e(P,Q) on the finite field GF(p^k) and outputs it,
where X and Y are elements of GF(p^k), X^ is the conjugate of X, and x, y, c, d, g, and h are elements of GF(p),
in the pseudo-Miller operation unit, the Miller algorithm for obtaining the element f on the finite field GF(p^k) from P and Q is run using, instead of the inverse of the element L on the finite field GF(p^k) that the Miller algorithm uses,
Figure 2006323160
(the process of using the above); and
in the pseudo-Miller operation unit, the product (c(X−x)+d(Y−y))·(gX^+h) is obtained by computing C=(X−x)X^ and D=(Y−y)X^ in advance, storing them in the recording means, and evaluating cgC+dgD+ch(X−x)+dh(Y−y); and
in the exponentiation unit, the element f' obtained by the pseudo-Miller operation unit is mapped by exponentiation to the element e(P,Q) on the finite field GF(p^k);
a pairing calculation method characterized by comprising these processes.
p is a prime number or a power of a prime number, k is an even number, and in a pairing calculation method in which a pseudo-Miller operation unit takes as input a point P on an elliptic curve over the finite field GF(p^k) and a point Q on an elliptic curve over the finite field GF(p^k), obtains from the input points an element f′ on the finite field GF(p^k), and an exponentiation unit maps the obtained element to an element e(P, Q) on the finite field GF(p^k) and outputs it,
where X and Y are elements of GF(p^k), X^ is the conjugate of X, and x, y, c, d, g, and h are elements of GF(p),
the pseudo-Miller operation unit runs the Miller algorithm for obtaining an element f on the finite field GF(p^k) from P and Q using, instead of the inverse of the element L on the finite field GF(p^k) used in the Miller algorithm,
Figure 2006323160
(the process of using the above); and
the pseudo-Miller operation unit obtains the product (c(X−x) + d(Y−y))·(gX^ + h) by computing C = (X−x)X^ and D = (Y−y)X^ in advance, storing them in the recording means, and evaluating cgC + dgD + ch(X−x) + dh(Y−y); and
the exponentiation unit maps the element f′ obtained by the pseudo-Miller operation unit to the element e(P, Q) on the finite field GF(p^k) by exponentiation;
a pairing calculation method characterized by comprising these processes.
A pairing calculation program that realizes, by computer, each process of the pairing calculation method according to claim 3 or 4.
A pairing calculation program for realizing each process of the pairing calculation method according to claim 3 or 4 by a computer.
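The pseudo-inverse step and the two precomputed expansions of claims 3 and 4, worked through for k = 2 in Python as an added example (not the patent's own code). It assumes a constructed toy prime p = 7, the representation GF(p^2) = GF(p)[i]/(i^2 + 1), and, because the claim's formula survives here only as an image, that the pseudo-inverse of L is its conjugate L^ (a Frobenius power in place of an inversion, as the abstract describes).

```python
# Added example (not the patent's own code): GF(p^2) arithmetic for the k = 2 case of the claims.
# A pair (a, b) denotes a + b*i with i^2 = -1, which is a field since the constructed toy prime
# p = 7 is 3 mod 4. Here GF(p^{k/2}) = GF(p) and the conjugate X^ is the Frobenius X^p = a - b*i.
P = 7

def add(u, v): return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)
def sub(u, v): return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)
def mul(u, v): return ((u[0] * v[0] - u[1] * v[1]) % P, (u[0] * v[1] + u[1] * v[0]) % P)
def scal(s, u): return ((s * u[0]) % P, (s * u[1]) % P)  # scale by s in GF(p): two base mults
def conj(u): return (u[0] % P, (-u[1]) % P)              # X^ = X^p, free in this basis
def base(s): return (s % P, 0)                            # embed GF(p) into GF(p^2)

def inv(u):
    # true inverse: X^{-1} = X^ / (X X^); X X^ lies in GF(p), so one base-field inversion
    return scal(pow(mul(u, conj(u))[0], -1, P), conj(u))

def power(u, n):
    r = (1, 0)
    while n:
        if n & 1: r = mul(r, u)
        u, n = mul(u, u), n >> 1
    return r

def miller_step(f, L):
    # Miller-loop update "f <- f / L": exact inverse versus the claimed pseudo-inverse.
    # Assumption (the claim's formula is only an image): the pseudo-inverse is L^.
    # Returns (f/L, f*L^, r) with f*L^ = r * (f/L) and r = L*L^ in GF(p); any final
    # exponentiation whose exponent is a multiple of p - 1 maps r to 1 and hides the change.
    return mul(f, inv(L)), mul(f, conj(L)), mul(L, conj(L))

def precompute(X, Y, x=0, y=0):
    # stored once per loop: A = X X^, B = Y X^ (claim 3); C = (X-x) X^, D = (Y-y) X^ (claim 4)
    return mul(sub(X, base(x)), conj(X)), mul(sub(Y, base(y)), conj(X))

def direct_product(X, Y, Xc, c, d, e, g, h):
    # (cX + dY + e) * (gXc + h) with Xc = X^, as one full GF(p^2) multiplication
    return mul(add(add(scal(c, X), scal(d, Y)), base(e)), add(scal(g, Xc), base(h)))

def expanded_product(X, Y, Xc, c, d, e, g, h, A, B):
    # cgA + dgB + egX^ + chX + dhY + eh: with A, B stored, only GF(p) scalings remain;
    # claim 4 is the same expansion applied to X-x, Y-y with e = 0 and the stored C, D
    terms = [scal(c * g, A), scal(d * g, B), scal(e * g, Xc),
             scal(c * h, X), scal(d * h, Y), base(e * h)]
    out = (0, 0)
    for t in terms:
        out = add(out, t)
    return out
```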
JP2005146556A 2005-05-19 2005-05-19 Pairing calculation device, pairing calculation method, and pairing calculation program Active JP4580274B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2005146556A JP4580274B2 (en) 2005-05-19 2005-05-19 Pairing calculation device, pairing calculation method, and pairing calculation program

Publications (2)

Publication Number Publication Date
JP2006323160A true JP2006323160A (en) 2006-11-30
JP4580274B2 JP4580274B2 (en) 2010-11-10

Family

ID=37542888

Country Status (1)

Country Link
JP (1) JP4580274B2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006330497A (en) * 2005-05-27 2006-12-07 Nippon Telegr & Teleph Corp <Ntt> Pairing computation method, and apparatus and program using same
JP2009109986A (en) * 2008-09-03 2009-05-21 Okayama Univ Pairing computation device, pairing computation method, and pairing computation program
JP5147085B2 (en) * 2007-08-09 2013-02-20 国立大学法人 岡山大学 Calculation method and calculation device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004177673A (en) * 2002-11-27 2004-06-24 Fujitsu Ltd Pairing ciphering device, pairing ciphering calculation program
JP2005316267A (en) * 2004-04-30 2005-11-10 Hitachi Ltd Elliptic curve pairing arithmetic unit

Also Published As

Publication number Publication date
JP4580274B2 (en) 2010-11-10

Legal Events

Date Code Title Description
RD03 Notification of appointment of power of attorney

Free format text: JAPANESE INTERMEDIATE CODE: A7423

Effective date: 20070323

A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20070810

A977 Report on retrieval

Free format text: JAPANESE INTERMEDIATE CODE: A971007

Effective date: 20100728

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20100817

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20100827

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20130903

Year of fee payment: 3

R150 Certificate of patent or registration of utility model

Ref document number: 4580274

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150

S531 Written request for registration of change of domicile

Free format text: JAPANESE INTERMEDIATE CODE: R313531

R350 Written notification of registration of transfer

Free format text: JAPANESE INTERMEDIATE CODE: R350