JP2006330497A - Pairing computation method, and apparatus and program using same

Publication number: JP2006330497A
Authority: JP (Japan)
Application number: JP2005156083A
Other versions: JP4630132B2 (en)
Language: Japanese (ja)
Legal status: Granted; Active
Inventors: Tetsutaro Kobayashi (鉄太郎 小林), Kazumaro Aoki (和麻呂 青木)
Assignee (original and current): Nippon Telegraph and Telephone Corp
Prior art keywords: finite field, point, calculated, recorded, unit
Abstract

PROBLEM TO BE SOLVED: To increase the computation speed of the Miller algorithm, specifically by increasing the number of 0 bits when m is expressed in binary.

SOLUTION: When m is expressed, not only 0 and 1 but also −1 is used, and where consecutive 1 bits occur in the expression of m, −1 is used to increase the number of 0s. Moreover, (y_Q' + y_P)/(x_Q' − x_P) is computed beforehand. When the n-th bit of m is −1, with l1(x,y) the line through the point T and the point −P, l2(x,y) the line parallel to the x-axis through T − P, and l3(x,y) the line parallel to the y-axis through the point P, A = l1(Q')/l3(Q') is computed separately using an expression in (y_Q' + y_P)/(x_Q' − x_P) − λ, and F × (A × l2(S) l3(S))/(l2(Q') l1(S)) is computed.

COPYRIGHT: (C)2007,JPO&INPIT

Description

The present invention relates to an apparatus, a method, and a program that use operations on an elliptic curve, in particular operations used to realize security techniques.

Methods for realizing ID-based encryption and short digital signatures using elliptic-curve pairings have been proposed (Patent Document 1).
FIG. 1 outlines encryption and signature with the Tate pairing. Let E/GF(p) be an elliptic curve defined over the finite field GF(p). Let P(x_P, y_P) be a GF(p)-rational point on E/GF(p) and Q(x_Q, y_Q) a GF(p^k)-rational point on E/GF(p). The Tate pairing takes P and Q as input, outputs an element f of the finite field GF(p^k) by the Miller algorithm, and then maps f to an element e of GF(p^k) by a power operation that raises f to the (p^k − 1)/m-th power; e is the output. Here p is a prime or a prime power, m is a prime that is the order of P, Q and e, k is the smallest integer satisfying m | (p^k − 1), m is not a divisor of (p − 1), and the greatest common divisor of p and m is 1.

FIG. 2 shows an example functional configuration of a pairing computation device 1000 using the Tate pairing. To perform the processing of FIG. 1, it consists of a Miller computation device 30, which uses the Miller algorithm to convert the inputs P and Q into an element f of GF(p^k) and output it, and a power computation device 20, which maps the input f to an element e of GF(p^k) by a power operation and outputs it.
FIG. 3 shows an example internal configuration of the Miller computation device 30, which accounts for 90% of the computation in the Tate pairing, and FIG. 4 shows an example of its processing flow. The Miller computation device 30 consists of a control unit 100, an assignment unit 200, a curve point generation unit 400, an elliptic addition unit 500, an input/output unit 600, a GF(p^k) multiplication unit 700, a GF(p^k) inversion unit 850, and a recording unit 190. The control unit 100 controls the other units so that processing follows the flow described below. The recording unit 190 may be non-volatile memory such as a hard disk, volatile memory that holds data only for the duration of a computation, or a combination of the two.

When m, P and Q are input to the input/output unit 600, they are recorded in the recording unit 190 (S700). Next, the assignment unit 200 assigns P to T and 1 to F and records them in the recording unit 190 (S710). The curve point generation unit 400 generates a point S (∈ E/GF(p^k)) on the curve defined over GF(p^k) that satisfies S ≠ P and S ≠ Q, and records it in the recording unit 190 (S720). S may be fixed in advance or generated at random, as long as it satisfies these conditions. The elliptic addition unit 500 reads Q and S from the recording unit 190, computes Q' (= Q + S), and records it (S730). The assignment unit 200 assigns to n the integer obtained by rounding log(m) − 1 up to the next integer, and records n (S740). The control unit 100 reads n and checks whether n < 0; if Yes the process proceeds to step S910, if No to step S760 (S750). If Yes, the input/output unit 600 reads F from the recording unit 190 and outputs it (S910), and the Miller algorithm computation ends. If No, the elliptic addition unit 500 reads T from the recording unit 190, computes 2T, and records it (S760). The GF(p^k) multiplication unit 700 reads Q', S, T and 2T from the recording unit 190 and, with l1(x,y) = 0 the line joining T and 2T and l2(x,y) = 0 the line joining 2T and O, computes l1(Q'), l2(Q'), l1(S) and l2(S) and records them (S770). Here l1(Q') denotes the value obtained by substituting the x and y coordinates of Q' into l1(x,y). If S is chosen from the elements of GF(p) (in which case the remaining k − 1 GF(p) components are 0), the computation of l1(S) and l2(S) can be omitted, and l1(S) and l2(S) can be dropped from the subsequent steps. Next, the assignment unit 200 reads 2T, assigns it to T, and records T (S780). The GF(p^k) inversion unit 850 reads l2(Q') and l1(S), computes l2(Q')^(−1) and l1(S)^(−1), and records them (S790). The GF(p^k) multiplication unit 700 reads F, l1(Q'), l2(S), l2(Q')^(−1) and l1(S)^(−1) from the recording unit 190, computes

[formula shown as an image in the original]

and records the result as the new value of F (S810). Steps S760 to S810 are called the elliptic doubling operation (TDBL, S800). The control unit 100 reads m and n from the recording unit 190 and checks whether the n-th bit of m is 1; if Yes the process proceeds to step S830, if No to step S900 (S820). If Yes, the elliptic addition unit 500 reads T and P, computes T + P, and records it (S830). The GF(p^k) multiplication unit 700 reads Q', S, T, P and T + P from the recording unit 190 and, with l1(x,y) = 0 the line joining T and P and l2(x,y) = 0 the line joining T + P and O, computes l1(Q'), l2(Q'), l1(S) and l2(S) and records them (S840). The assignment unit 200 reads T + P, assigns it to T, and records T (S850). The GF(p^k) inversion unit 850 reads l2(Q') and l1(S), computes l2(Q')^(−1) and l1(S)^(−1), and records them (S860). The GF(p^k) multiplication unit 700 reads F, l1(Q'), l2(S), l2(Q')^(−1) and l1(S)^(−1) from the recording unit 190, computes

[formula shown as an image in the original]

and records the result as the new value of F (S880). Steps S830 to S880 are called the elliptic addition operation (TADD, S900). When step S820 is No, and when step S880 has finished, the assignment unit 200 reads n, assigns n − 1 to n, and records n (S890). The process then returns to step S750 and repeats until the check in step S750 is Yes.
Patent Document 1: JP 2004-177673 A

The amount of computation required for a pairing is very large compared with ordinary elliptic-curve operations, so its slow speed is a problem. In the case of the Tate pairing, the time is spent in the Miller algorithm, which evaluates a rational function determined by a divisor. The problem addressed by the present invention is to speed up the Miller algorithm.
In particular, the elliptic addition operation S900 of FIG. 4 is performed once for each 1 in the binary representation of m. Therefore, if the number of 0 bits in the representation of m can be increased, the computation can be sped up. The problem to be solved by the present invention is to increase the number of 0 bits when m is expressed in binary.

In the present invention, m is expressed using not only 0 and 1 but also −1, and where consecutive 1s occur in the bits expressing m, −1 is used to increase the number of 0s. For example, as shown in FIG. 5, when m is expressed as 101111 it is rewritten as 11000(−1). This expression means 110000 − 1, which has the same value as 101111. When −1 is used in this way, an elliptic subtraction operation becomes necessary. Therefore, when the n-th bit of m is −1, let l1(x,y) be the line through the point T and the point −P, l2(x,y) the line parallel to the y-axis through T − P, and l3(x,y) the line parallel to the y-axis through P, and perform an elliptic subtraction that assigns F · (l1(Q') l2(S) l3(S))/(l2(Q') l3(Q') l1(S)) to F.

Further, writing the coordinates of Q' as (x_Q', y_Q'): l1(x,y) is the line through the point T and the point −P, so its value at Q' can be expressed using (y_Q' + y_P) − λ(x_Q' − x_P), where λ is the slope of that line. And l3(x,y) is the line parallel to the y-axis through P, so its value at Q' can be expressed using (x_Q' − x_P). Therefore l1(x,y)/l3(x,y) at Q' can be expressed using (y_Q' + y_P)/(x_Q' − x_P) − λ. Moreover, (y_Q' + y_P)/(x_Q' − x_P) is determined by Q' and P alone, so once computed at the start it can be reused on every iteration. Accordingly, (y_Q' + y_P)/(x_Q' − x_P) is computed in advance, A = l1(Q')/l3(Q') is computed separately using the fact that it equals (y_Q' + y_P)/(x_Q' − x_P) − λ, and F · (A · l2(S) l3(S))/(l2(Q') l1(S)) is computed.

According to the present invention, the number of 0 bits in the representation of m increases, so the elliptic addition operation is performed less often and the amount of computation decreases. Also, because both l1(x,y) and l3(x,y) are lines through P, computing (y_Q' + y_P)/(x_Q' − x_P) in advance and computing l1(x,y)/l3(x,y) as a single quantity reduces the computation. Furthermore, the method applies to elliptic curves of any characteristic, so it has a wide range of application.

In the following, to avoid duplicated description, units having the same function and processing steps performing the same processing are given the same numbers and their description is omitted.
[First Embodiment]
FIG. 6 shows the Miller computation device 30' of the present invention. The difference from FIG. 3 is that it has an m encoding unit 300. The m encoding unit 300 changes the representation of m as shown in FIG. 5. FIG. 7 shows the processing flow of the Miller computation device 30' of FIG. 6. The differences from the conventional flow of FIG. 4 are as follows: a bit-string conversion of m (S110) is added after step S740; when step S820 is No, a check of whether the n-th bit of m is −1 (S130) is added; and when step S130 is Yes, an elliptic subtraction operation (TSUB, S140 or S140') is added.

FIG. 8 shows the details of step S110 and FIG. 9 the details of step S140. In step S110, first 0 is assigned to i and recorded in the recording unit 190 (S111). The control unit 100 checks whether the i-th bit of m is 1 (S112). If the check in step S112 is No, the process proceeds to step S115. If it is Yes, the control unit 100 checks whether the (i+1)-th bit of m is 1 (S113). If the check in step S113 is No, the process proceeds to step S115. If it is Yes, the control unit 100 sets the i-th bit of m to −1 and the (i+1)-th bit to 2, and records the new m in the recording unit 190 (S114). Next, the control unit 100 checks whether the i-th bit of m is 2 (S115). If step S115 is No, the process proceeds to step S117. If it is Yes, the control unit 100 sets the i-th bit of m to 0, adds 1 to the (i+1)-th bit, and records the new m in the recording unit 190 (S116). Next it is checked whether i = n (S117); if No, the process proceeds to step S118, where the assignment unit 200 assigns i + 1 to i (S118). If Yes, the control unit 100 checks whether the (n+1)-th bit of m is 1 (S119). If step S119 is No, step S110 ends.
If step S119 is Yes, the assignment unit 200 assigns n + 1 to n, records it in the recording unit 190 (S120), and step S110 ends.
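The bit-string conversion of step S110 (FIG. 8), written out as an added Python example; this is not code from the patent, and the function names, the LSB-first digit list and the sample values of m are assumptions made here. The routine walks the bits of m from index 0 to n exactly as steps S111 to S120 describe. Note that for the FIG. 5 value 101111 (47) this procedure yields 10(−1)000(−1), a different but equally valid string from the 11000(−1) drawn in FIG. 5, because it also rewrites the leading pair of 1s. The checks at the end confirm, for a range of m, that the value is preserved, that no two adjacent digits are non-zero, and that the number of non-zero digits never exceeds the number of 1s in the binary form, which is why the count of elliptic addition/subtraction steps does not increase.

```python
def to_signed_digits(m):
    """Step S110 of FIG. 8 applied to the bits of m (index 0 = least significant bit).

    Returns a digit list d with d[i] in {-1, 0, 1} and m == sum(d[i] * 2**i).
    """
    if m <= 0:
        raise ValueError("m must be a positive integer")
    n = m.bit_length() - 1                           # index of the top 1 bit of m
    d = [(m >> i) & 1 for i in range(n + 1)] + [0]   # one spare digit for a carry into n+1
    i = 0                                            # S111
    while True:
        # S112-S114: 1s at both i and i+1 -> digit i becomes -1, digit i+1 becomes 2
        if d[i] == 1 and d[i + 1] == 1:
            d[i], d[i + 1] = -1, 2
        # S115-S116: a 2 at digit i is carried upward: digit i -> 0, digit i+1 += 1
        if d[i] == 2:
            d[i] = 0
            d[i + 1] += 1
        if i == n:                                   # S117
            break
        i += 1                                       # S118
    if d[n + 1] == 1:                                # S119-S120: a carry made a new top digit
        n += 1
    return d[:n + 1]


def digits_value(d):
    """Numeric value of an LSB-first digit list (used to check the conversion)."""
    return sum(x << i for i, x in enumerate(d))


def as_string(d):
    """MSB-first rendering in the style of FIG. 5, e.g. 47 -> '10(-1)000(-1)'."""
    return "".join("(-1)" if x == -1 else str(x) for x in reversed(d))


def conversion_is_sound(limit):
    """For every 1 <= m < limit: value preserved, no two adjacent non-zero digits,
    and no more non-zero digits than the ordinary binary representation of m."""
    for m in range(1, limit):
        d = to_signed_digits(m)
        if digits_value(d) != m:
            return False
        if any(d[i] != 0 and d[i + 1] != 0 for i in range(len(d) - 1)):
            return False
        if sum(1 for x in d if x != 0) > bin(m).count("1"):
            return False
    return True


if __name__ == "__main__":
    for m in (47, 7, 23):                            # constructed sample inputs
        d = to_signed_digits(m)
        print(m, bin(m)[2:], "->", as_string(d), "value", digits_value(d))
    print("sound for m < 2048:", conversion_is_sound(2048))
```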

FIG. 9 shows the details of the elliptic subtraction operation (TSUB, S140). The elliptic addition unit 500 reads T and P from the recording unit 190, computes T − P, and records it (S141). The GF(p^k) multiplication unit 700 reads Q', S, T, P and T − P from the recording unit 190 and, with l1(x,y) = 0 the line joining T and −P, l2(x,y) = 0 the line parallel to the y-axis through T − P, and l3(x,y) = 0 the line parallel to the y-axis through P, computes l1(Q'), l2(Q'), l3(Q'), l1(S), l2(S) and l3(S) and records them (S142). The assignment unit 200 reads T − P, assigns it to T, and records T (S143). The GF(p^k) inversion unit 850 reads l2(Q'), l3(Q') and l1(S), computes l2(Q')^(−1), l3(Q')^(−1) and l1(S)^(−1), and records them (S144). The GF(p^k) multiplication unit 700 reads F, l1(Q'), l2(S), l3(S), l2(Q')^(−1), l3(Q')^(−1) and l1(S)^(−1) from the recording unit 190, computes

[formula shown as an image in the original]

and records the result as the new value of F (S145). With this, the elliptic subtraction operation (S140) ends.
By processing as described above, the number of 0s in the bit string expressing m can be increased, and a reduction in the amount of computation can be expected.

[Modification]
In this modification, the amount of computation is reduced by using the fact that both l1(x,y) and l3(x,y) are lines through P. Specifically, (y_Q' + y_P)/(x_Q' − x_P) is computed in advance, A = l1(x,y)/l3(x,y) is computed from it, and then F · (A · l2(S) l3(S))/(l2(Q') l1(S)) is computed. FIG. 10 and FIG. 11 show the changes from the processing flow of the first embodiment.
FIG. 10 shows step S730', which replaces step S730 of FIG. 7. In step S730', not only are the coordinates of Q' computed, but the coordinates of P are also read from the recording unit, (y_Q' + y_P)/(x_Q' − x_P) is computed as well, and it is recorded in the recording unit 190.

FIG. 11 shows step S140', which replaces step S140 of FIG. 9. Step S140' differs from step S140 in steps S142', S144' and S145'. In step S142', the GF(p^k) multiplication unit 700 reads Q', S, T, P, T − P and (y_Q' + y_P)/(x_Q' − x_P) from the recording unit 190 and, with l1(x,y) = 0 the line joining T and −P, l2(x,y) = 0 the line parallel to the y-axis through T − P, and l3(x,y) = 0 the line parallel to the y-axis through P, computes λ, l1(Q')/l3(Q'), l2(Q'), l1(S)/l3(S) and l2(S) and records them in the recording unit 190. In step S144', the GF(p^k) inversion unit 850 reads l2(Q') and l1(S)/l3(S) from the recording unit 190, computes l2(Q')^(−1) and (l1(S)/l3(Q'))^(−1), and records them in the recording unit 190. In step S145', the GF(p^k) multiplication unit 700 reads F, l1(Q')/l3(Q'), l2(S), l2(Q')^(−1) and (l1(S)/l3(Q'))^(−1) from the recording unit 190, computes

[formula shown as an image in the original]

and records the result in the recording unit 190 as the new value of F. Because (y_Q' + y_P)/(x_Q' − x_P) can be computed in advance with this processing, the amount of computation in the repeated steps is reduced.
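An added Python example, not the patent's code, of the FIG. 7 loop: steps S700 to S890 with the TSUB branch of FIG. 9, and the S140' variant that uses the precomputed (y_Q' + y_P)/(x_Q' − x_P). Assumptions made here: a constructed curve over GF(1019), the two digit strings for m = 23, the choices Q' = 40P and S = 41P, and all helper names. The doubling step squares F as in the standard Miller update and uses the tangent at T as its line (the page's own formulas are images). Everything stays in GF(p), so the run checks only the algebra of the loop: the binary chain (three TADD steps) and the signed-digit chain (two TSUB steps, no TADD) must give the same F, the precomputed A = c − λ must give the same F as evaluating l1(Q') and l3(Q') and inverting l3(Q'), and both chains must end at T = 23P.

```python
# Constructed toy instance: E: y^2 = x^3 + a x + b over GF(p). The prime is tiny and every
# value stays in GF(p); a real Tate pairing evaluates the lines at a GF(p^k) point and then
# applies the final power operation.
p, a, b = 1019, 2, 16


def inv(v):
    return pow(v % p, p - 2, p)


def neg(R):
    return None if R is None else (R[0], -R[1] % p)


def add(R1, R2):
    """Affine chord-and-tangent addition; None stands for the point at infinity O."""
    if R1 is None:
        return R2
    if R2 is None:
        return R1
    (x1, y1), (x2, y2) = R1, R2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3*x1*x1 + a) * inv(2*y1) % p if R1 == R2 else (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)


def mul(k, R):
    acc = None
    for _ in range(k):
        acc = add(acc, R)
    return acc


def base_point():
    """First point (searching x upward) whose order exceeds 65: then no multiple met in the
    chains below is O, and Q' = 40P and S = 41P lie on none of the lines being evaluated."""
    for x in range(p):
        rhs = (x**3 + a*x + b) % p
        y = pow(rhs, (p + 1) // 4, p)          # square root, valid because p ≡ 3 (mod 4)
        if y * y % p != rhs:
            continue
        R = (x, y)
        for _ in range(65):                     # visit 2P .. 66P
            R = add(R, (x, y))
            if R is None:
                break
        if R is not None:
            return (x, y)
    raise RuntimeError("no point of large enough order")


def line(T, lam, pt):   # line through T with slope lam, at pt: (y - y_T) - lam (x - x_T)
    return (pt[1] - T[1] - lam * (pt[0] - T[0])) % p


def vert(R, pt):        # vertical line through R, at pt: x - x_R
    return (pt[0] - R[0]) % p


def digit_value(digits):   # value of an MSB-first digit string over {-1, 0, 1}
    v = 0
    for d in digits:
        v = 2 * v + d
    return v


def miller(digits, P, Qp, S, precompute=True):
    """Loop of FIG. 7 driven by an MSB-first digit string whose leading digit is 1.
    Returns (F, T) with F = f_{m,P}(Q') / f_{m,P}(S) and T = mP.  precompute=True takes the
    S140' route (A = c - lam); False evaluates l1(Q') and l3(Q') separately as in S140."""
    T, F = P, 1                                                  # S710
    c = (Qp[1] + P[1]) * inv(Qp[0] - P[0]) % p                   # S730': (y_Q'+y_P)/(x_Q'-x_P)
    for d in digits[1:]:
        lam = (3*T[0]*T[0] + a) * inv(2*T[1]) % p                # TDBL: l1 = tangent at T
        T2 = add(T, T)                                           #       l2 = vertical through 2T
        F = F*F * line(T, lam, Qp) * vert(T2, S) * inv(vert(T2, Qp) * line(T, lam, S)) % p
        T = T2
        if d == 1:                                               # TADD: chord through T and P
            lam = (P[1] - T[1]) * inv(P[0] - T[0]) % p
            TP = add(T, P)
            F = F * line(T, lam, Qp) * vert(TP, S) * inv(vert(TP, Qp) * line(T, lam, S)) % p
            T = TP
        elif d == -1:                                            # TSUB: chord through T and -P
            lam = (T[1] + P[1]) * inv(T[0] - P[0]) % p           # slope of that chord
            TmP = add(T, neg(P))
            if precompute:
                A = (c - lam) % p                                # = l1(Q')/l3(Q'), no inversion
            else:
                A = line(T, lam, Qp) * inv(vert(P, Qp)) % p      # l1(Q') * l3(Q')^(-1)
            F = F * A * vert(TmP, S) * vert(P, S) * inv(vert(TmP, Qp) * line(T, lam, S)) % p
            T = TmP
    return F, T


BIN_23 = [1, 0, 1, 1, 1]          # 23 in binary: three TADD steps
NAF_23 = [1, 0, -1, 0, 0, -1]     # 32 - 8 - 1, FIG. 5 style: two TSUB steps and no TADD


def demo():
    P = base_point()
    Qp, S = mul(40, P), mul(41, P)   # constructed Q' and S: on E, off every line used above
    F_bin, T_bin = miller(BIN_23, P, Qp, S)
    F_naf, T_naf = miller(NAF_23, P, Qp, S)
    F_naf_direct, _ = miller(NAF_23, P, Qp, S, precompute=False)
    return F_bin, F_naf, F_naf_direct, T_bin == T_naf == mul(23, P)


if __name__ == "__main__":
    print(demo())
```

The two chains produce the same F because each builds, step by step, a function with divisor 23(P) − (23P) − 22(O); two such functions differ only by a constant, and that constant cancels in f(Q')/f(S). Over GF(p^k) the l(S) factors and the final power would be added on top of this skeleton.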

[Second Embodiment]
In the present invention, the structure of the finite field is used for a further speed-up. FIG. 12 shows the principle. In the Tate pairing, the element f of GF(p^k) is mapped to the element e of GF(p^k) by the power operation; but an element f' of GF(p^k) satisfying the following condition is also mapped to the same element e of GF(p^k) by the power operation.

f' = rf, where r is an element of the finite field GF(p^(k/2))   (1)

Therefore, in the present invention, when k is even, this property of the finite field is used to obtain the element f' by an algorithm with a smaller amount of computation than the Miller algorithm (hereinafter the "pseudo-Miller algorithm"), and the element e is obtained by applying the power operation to f'.

In the pseudo-Miller algorithm, the computation of an inverse in the Miller algorithm is replaced by the computation of an element equal to r times the inverse (hereinafter a "pseudo-inverse"), which can be obtained with less computation. Specifically, when k is even and L is an element of GF(p^k), there exists an element n of GF(p^(k/2)) satisfying

[formula shown as an image in the original]

Therefore,

[formula shown as an image in the original]

holds, which satisfies relation (1). Accordingly,

[formula shown as an image in the original]

can be used as a pseudo-inverse.
Furthermore, in the particular case of the inverse of l2(Q'), the following pseudo-inverse can be used. l2(Q') can be written as

l2(Q') = g x_Q' + h   (5)

where g and h are elements of GF(p). Then, from Fermat's little theorem, it can be transformed as

[formula shown as an image in the original]

Here x̄_Q' is the conjugate of x_Q' and l̄2(Q') is the conjugate of l2(Q'). Therefore l̄2(Q') can be used as a pseudo-inverse of l2(Q').
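An added Python example, not code from the patent, of the pseudo-inverse of the second embodiment for the smallest even embedding degree, k = 2, where GF(p^(k/2)) is GF(p) itself. The prime p = 11, the order m = 3 and the sample values for g, h and x_Q' are constructed toy values, chosen so that m divides p^2 − 1 = 120 but not p − 1 = 10, which makes k = 2 the embedding degree. GF(p^2) is represented as pairs (a, b) meaning a + bi with i^2 = −1 (a field because p ≡ 3 mod 4). The example checks the three facts the embodiment rests on: raising to the p-th power is conjugation; the conjugate equals r times the true inverse with r in GF(p), i.e. relation (1); and after the final power operation with exponent (p^2 − 1)/m the pseudo-inverse and the true inverse give the same result, so the inversion can be dropped from the loop.

```python
# Constructed toy parameters (not from the patent)
p = 11                       # base field prime, p ≡ 3 (mod 4) so x^2 + 1 is irreducible
m = 3                        # prime group order: m | p^2 - 1 = 120, m does not divide p - 1 = 10
FINAL_EXP = (p * p - 1) // m # exponent of the final power operation: (p^k - 1)/m = 40


def f2_mul(u, v):
    """(a + bi)(c + di) with i^2 = -1."""
    (a_, b_), (c_, d_) = u, v
    return ((a_ * c_ - b_ * d_) % p, (a_ * d_ + b_ * c_) % p)


def f2_pow(u, e):
    r, base = (1, 0), u
    while e:
        if e & 1:
            r = f2_mul(r, base)
        base, e = f2_mul(base, base), e >> 1
    return r


def conj(u):                 # a + bi -> a - bi
    return (u[0], (-u[1]) % p)


def norm(u):                 # u * conj(u) = a^2 + b^2, an element of GF(p)
    return (u[0] * u[0] + u[1] * u[1]) % p


def f2_inv(u):               # true inverse conj(u)/norm(u): costs a GF(p) inversion
    n_inv = pow(norm(u), p - 2, p)
    return (u[0] * n_inv % p, (-u[1]) * n_inv % p)


def nonzero_elements():
    return [(x, y) for x in range(p) for y in range(p) if (x, y) != (0, 0)]


def frobenius_equals_conjugate():
    """L^p = conj(L) for every L in GF(p^2): the Fermat's-little-theorem step of the page."""
    return all(f2_pow(u, p) == conj(u) for u in nonzero_elements())


def conjugate_is_pseudo_inverse():
    """conj(L) = r * L^(-1) with r = norm(L) in GF(p) = GF(p^(k/2)), i.e. relation (1)."""
    return all(conj(u) == f2_mul((norm(u), 0), f2_inv(u)) for u in nonzero_elements())


def final_power_ignores_r():
    """conj(L)^FINAL_EXP == (L^(-1))^FINAL_EXP for every L, because r^((p^2-1)/m) = 1 for
    every r in GF(p): (p - 1) divides (p^2 - 1)/m whenever m | p + 1."""
    return all(f2_pow(conj(u), FINAL_EXP) == f2_pow(f2_inv(u), FINAL_EXP)
               for u in nonzero_elements())


def conjugate_of_line(g, h, x_qp):
    """Equation (5): l2(Q') = g x_Q' + h with g, h in GF(p). Its conjugate is g conj(x_Q') + h,
    so the pseudo-inverse costs one sign flip. Returns (via L^p, via the closed form)."""
    l2 = ((g * x_qp[0] + h) % p, g * x_qp[1] % p)
    closed_form = ((g * conj(x_qp)[0] + h) % p, g * conj(x_qp)[1] % p)
    return f2_pow(l2, p), closed_form


if __name__ == "__main__":
    print(frobenius_equals_conjugate(), conjugate_is_pseudo_inverse(), final_power_ignores_r())
    print(conjugate_of_line(3, 5, (2, 7)))   # constructed g, h and x_Q'
```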

FIG. 13 shows an example functional configuration of the pairing computation device of the present invention. The difference from FIG. 2 is that a pseudo-Miller computation device 10 is provided instead of the Miller computation device 30. The pseudo-Miller computation device 10 realizes the pseudo-Miller algorithm by using the pseudo-inverses described above. FIG. 14 shows an example of its internal configuration. FIG. 14 differs from FIG. 3 in that some of the kinds of data recorded in the recording unit 150 of FIG. 14 differ from those recorded in the recording unit 190 of FIG. 3, and in that a pseudo-GF(p^k) inversion unit 800 is added to compute the pseudo-inverses. FIG. 15 shows the processing flow of the elliptic subtraction operation S140'', which replaces FIG. 9. Throughout this flow, "recording in the recording unit 190" and "reading from the recording unit 190" in the descriptions of FIG. 4 and FIGS. 7 to 11 are to be read as "recording in the recording unit 150" and "reading from the recording unit 150" in FIG. 15. The flow of FIG. 15 differs from that of FIG. 9 in that step S144 is replaced by step S146 and step S145 by step S147.

In step S146, the pseudo-GF(p^k) inversion unit 800 reads l2(Q'), l3(Q') and l1(S) from the recording unit 150, computes the pseudo-inverses of l2(Q'), l3(Q') and l1(S), and records them in the recording unit 150. In step S147, the GF(p^k) multiplication unit 700 reads the pseudo-inverses of l2(Q'), l3(Q') and l1(S) together with F, l1(Q'), l2(S) and l3(S) from the recording unit 150, computes

[formula shown as an image in the original]

and records the result in the recording unit 150 as the new value of F.

[Modification]
In this modification, as in the modification of the first embodiment, the fact that both l1(x,y) and l3(x,y) are lines through P is used to reduce the amount of computation. Specifically, (y_Q' + y_P)/(x_Q' − x_P) is computed in advance, A = l1(x,y)/l3(x,y) is computed from it, and then the pseudo version of F · (A · l2(S) l3(S))/(l2(Q') l1(S)) is computed. FIG. 10 and FIG. 16 show the changes from the processing flow of the second embodiment.
FIG. 10 shows step S730', which replaces step S730 of FIG. 7. In step S730', not only are the coordinates of Q' computed, but the coordinates of P are also read from the recording unit, (y_Q' + y_P)/(x_Q' − x_P) is computed as well, and it is recorded in the recording unit 150.

FIG. 16 shows step S140′′′, which replaces step S140″ of FIG. 15. Step S140′′′ differs from step S140″ in steps S142′, S146′ and S147′. In step S142′, the GF(p^k) multiplication unit 700 reads Q′, S, T, P, T − P and (y_Q′ + y_P)/(x_Q′ − x_P) from the recording unit 150; with l1(x, y) = 0 the straight line connecting T and −P, l2(x, y) = 0 the straight line through T − P parallel to the y-axis, and l3(x, y) = 0 the straight line through P parallel to the y-axis, it calculates λ, l1(Q′)/l3(Q′), l2(Q′), l1(S)/l3(S) and l2(S) and records them in the recording unit 150. In step S146′, the GF(p^k) inverse unit 800 reads l2(Q′) and l1(S)/l3(S) from the recording unit 150, calculates the pseudo-inverses of l2(Q′) and (l1(S)/l3(Q′)), and records them in the recording unit 150. In step S147′, the GF(p^k) multiplication unit 700 reads the pseudo-inverses of l2(Q′) and (l1(S)/l3(Q′)), F, l1(Q′)/l3(Q′) and l2(S) from the recording unit 190, calculates
Figure 2006330497
and records the result in the recording unit 150 as the value of F. Because such processing allows (y_Q′ + y_P)/(x_Q′ − x_P) to be calculated in advance, the amount of computation in the iterative processing can be reduced further.
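As an added example that is not code from the patent, the following Python carries out the Miller loop of claims 1 and 2 end to end: m is recoded with digits 0, 1 and −1, a −1 digit triggers the elliptic subtraction F ← F·l1(Q′)l2(S)l3(S)/(l2(Q′)l3(Q′)l1(S)), and the precomputed (y_Q′ + y_P)/(x_Q′ − x_P) is used to obtain A = l1(Q′)/l3(Q′) as (y_Q′ + y_P)/(x_Q′ − x_P) − λ. Everything concrete is an assumption made for the example: the toy curve y² = x³ + x over GF(43) with m = 11 and k = 2, the distortion map used to obtain Q, the non-adjacent form as the m-encoding (the patent's own bit-string conversion of FIG. 8 is not reproduced), and ordinary GF(p^k) inversion in place of the pseudo-inverses of claims 3 and 4.

```python
# Added example (not code from the patent): Miller's algorithm with the signed-digit recoding
# of m, the "-1" elliptic-subtraction step of claim 1 and the precomputed A of claim 2, on a
# constructed toy curve y^2 = x^3 + x over GF(43): #E(GF(p)) = p + 1 = 44, m = 11 | 44,
# m does not divide p - 1 = 42, and k = 2 is the smallest even k with m | p^k - 1.
p, m, k = 43, 11, 2

# GF(p^2) = GF(p)[i]/(i^2 + 1): the element a + b*i is the tuple (a, b).
ZERO, ONE = (0, 0), (1, 0)
def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def finv(u):
    norm = (u[0]*u[0] + u[1]*u[1]) % p
    if norm == 0: raise ZeroDivisionError("evaluation point lies on a line function")
    n = pow(norm, p - 2, p)
    return (u[0]*n % p, -u[1]*n % p)
def fpow(u, e):
    r, b = ONE, u
    while e:
        if e & 1: r = fmul(r, b)
        b, e = fmul(b, b), e >> 1
    return r
def ratio(a, b, c, d): return fmul(fmul(a, b), finv(fmul(c, d)))   # a*b / (c*d)

# Affine points (x, y) over GF(p^2); None is the point at infinity O.
def is_vertical(A, B): return A[0] == B[0] and (A[1] != B[1] or A[1] == ZERO)
def slope(A, B):   # chord through A and B, or tangent at A when A == B (curve coefficient a = 1)
    if A == B: return fmul(fadd(fmul((3, 0), fmul(A[0], A[0])), ONE), finv(fmul((2, 0), A[1])))
    return fmul(fsub(B[1], A[1]), finv(fsub(B[0], A[0])))
def neg(A): return None if A is None else (A[0], fsub(ZERO, A[1]))
def add(A, B):
    if A is None or B is None: return B if A is None else A
    if is_vertical(A, B): return None
    lam = slope(A, B)
    x3 = fsub(fsub(fmul(lam, lam), A[0]), B[0])
    return (x3, fsub(fmul(lam, fsub(A[0], x3)), A[1]))
def smul(n, A):
    R = None
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == '1': R = add(R, A)
    return R
def line(A, B, X):   # l_{A,B}(X): line through A and B; tangent if A == B, vertical if B == -A
    if is_vertical(A, B): return fsub(X[0], A[0])
    return fsub(fsub(X[1], A[1]), fmul(slope(A, B), fsub(X[0], A[0])))
def vert(R, X):      # v_R(X): vertical line through R, the constant 1 when R is O
    return ONE if R is None else fsub(X[0], R[0])

def signed_digits(n):
    """Recode n with digits {0, 1, -1} (non-adjacent form), most significant first:
    a run of 1 bits becomes one 1, zeros and a -1, e.g. 11 = 1011b -> 16 - 4 - 1."""
    digits = []
    while n > 0:
        d = 2 - (n & 3) if n & 1 else 0       # 1 when n = 1 (mod 4), -1 when n = 3 (mod 4)
        n = (n - d) >> 1
        digits.append(d)
    return digits[::-1]

def miller(P, Q, S, digits):
    """f_{m,P} at the divisor (Q') - (S), Q' = Q + S, scanning the digits of m.  For a -1
    digit, l1 is the line through T and -P, l2 the vertical through T - P and l3 the vertical
    through P, and F <- F * l1(Q') l2(S) l3(S) / (l2(Q') l3(Q') l1(S)), T <- T - P (claim 1)."""
    Qp, T, F = add(Q, S), P, ONE
    for d in digits[1:]:
        T2 = add(T, T)                 # doubling: tangent at T, vertical through 2T
        F = fmul(fmul(F, F), ratio(line(T, T, Qp), vert(T2, S), vert(T2, Qp), line(T, T, S)))
        T = T2
        if d == 1:                     # addition: chord through T and P, vertical through T + P
            T1 = add(T, P)
            F = fmul(F, ratio(line(T, P, Qp), vert(T1, S), vert(T1, Qp), line(T, P, S)))
            T = T1
        elif d == -1:                  # elliptic subtraction
            T1 = add(T, neg(P))
            l1Q, l1S = line(T, neg(P), Qp), line(T, neg(P), S)
            l2Q, l2S, l3Q, l3S = vert(T1, Qp), vert(T1, S), vert(P, Qp), vert(P, S)
            F = fmul(F, ratio(fmul(l1Q, l2S), l3S, fmul(l2Q, l3Q), l1S))
            T = T1
    assert T is None                   # after all digits T = mP = O
    return F

def tate(P, Q, S):   # reduced Tate pairing e(P, Q) = f_{m,P}((Q + S) - (S))^((p^k - 1)/m)
    return fpow(miller(P, Q, S, signed_digits(m)), (p**k - 1) // m)

def precomputed_A(P, T, Qp):
    """Claim 2: l1 and l3 both pass through x = x_P, so A = l1(Q')/l3(Q') equals
    (y_Q' + y_P)/(x_Q' - x_P) - lambda; the first term is computed once per Q' before the loop."""
    c = fmul(fadd(Qp[1], P[1]), finv(fsub(Qp[0], P[0])))
    return fsub(c, slope(T, neg(P)))

def fp_points():     # affine points of E over GF(p) in GF(p^2); sqrt via (p+1)/4 as p = 3 (mod 4)
    pts = []
    for x in range(p):
        rhs = (x**3 + x) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs: pts.append(((x, 0), (y, 0)))
    return pts

def setup():
    """P of prime order m; Q = distortion map (x, y) -> (-x, i*y) of P, which lies outside
    E(GF(p)); S a point of E(GF(p)) outside <P>, so no line function vanishes at S or Q + S."""
    P = next(smul(4, R) for R in fp_points() if smul(4, R) is not None)
    Q = ((-P[0][0] % p, 0), (0, P[1][0]))
    S = next(R for R in fp_points() if smul(m, R) is not None)
    return P, Q, S
```

With `P, Q, S = setup()`, `tate(P, Q, S)` is an 11th root of unity in GF(43²) and satisfies `tate(smul(2, P), Q, S) == fpow(tate(P, Q, S), 2)`; `miller(P, Q, S, signed_digits(m))` agrees with the plain binary Miller loop because the value at the divisor (Q′) − (S) does not depend on the addition chain, which is what lets the −1 digits replace runs of 1 bits without changing the pairing. The check `precomputed_A(P, T, Qp) == line(T, neg(P), Qp) / vert(P, Qp)` with T = 4P verifies the claim 2 identity on the first −1 step of m = 11.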

The present invention can be implemented as a computer program executed on a computer, or realized by implementing it on a digital signal processor or a dedicated LSI.

FIG. 1 is a diagram showing an overview of Tate pairing computation.
FIG. 2 is a diagram showing an example functional configuration of a pairing computation apparatus using Tate pairing.
FIG. 3 is a diagram showing an example internal configuration of a Miller computation unit.
FIG. 4 is a diagram showing the processing flow of the Miller algorithm.
FIG. 5 is a diagram showing an example of a method for expressing m as a bit string that includes (−1).
FIG. 6 is a diagram showing the Miller computation unit of the present invention.
FIG. 7 is a diagram showing the processing flow of the Miller computation unit of the present invention.
FIG. 8 is a diagram showing the processing flow of the bit-string conversion of m.
FIG. 9 is a diagram showing the processing flow of the elliptic subtraction operation.
FIG. 10 is a diagram showing the change of step S730 to step S730′.
FIG. 11 is a diagram showing a modification of the processing flow of the elliptic subtraction operation.
FIG. 12 is a diagram showing the principle by which the computation is sped up.
FIG. 13 is a diagram showing an example functional configuration of the pairing computation apparatus of the present invention.
FIG. 14 is a diagram showing an example internal configuration of a pseudo-Miller computation unit.
FIG. 15 is a diagram showing the processing flow of the elliptic subtraction operation when pseudo-inverses are used.
FIG. 16 is a diagram showing a modification of the processing flow of the elliptic subtraction operation when pseudo-inverses are used.

Claims (9)

A pairing computation apparatus comprising a Miller computation unit that takes as input a point P on an elliptic curve over a finite field GF(p) and a point Q on an elliptic curve over a finite field GF(p^k) and obtains from the input points an element f of the finite field GF(p^k), and an exponentiation unit that maps the obtained finite-field element to an element e(P, Q) of the finite field GF(p^k) and outputs it, wherein,
with p a prime or a power of a prime, m a prime that is the order of P, Q and e, k the smallest even number satisfying m | (p^k − 1), m not a divisor of (p − 1), the greatest common divisor of p and m equal to 1, T an element over the finite field GF(p), S and F elements over the finite field GF(p^k), and Q′ = Q + S,
the Miller computation unit has m-encoding means that expresses the binary representation of m using 0, 1 and −1, and,
when the n-th bit of m is −1,
computes T − P and records it in recording means, and
with l1 the straight line through the points T and −P, l2 the straight line parallel to the y-axis through T − P, and l3 the straight line parallel to the y-axis through P, performs an elliptic subtraction that assigns F·(l1(Q′)l2(S)l3(S))/(l2(Q′)l3(Q′)l1(S)) to F.
The pairing computation apparatus according to claim 1, wherein the Miller computation unit,
when the coordinates of Q′ and P are (x_Q′, y_Q′) and (x_P, y_P) respectively, calculates (y_Q′ + y_P)/(x_Q′ − x_P) in advance and records it in the recording means,
when performing the elliptic subtraction, calculates A = l1(Q′)/l3(Q′) using the recorded (y_Q′ + y_P)/(x_Q′ − x_P) and records A in the recording unit, and
when calculating F·(l1(Q′)l2(S)l3(S))/(l2(Q′)l3(Q′)l1(S)), reads the recorded A and calculates F·(A·l2(S)l3(S))/(l2(Q′)l1(S)).
A pairing computation apparatus comprising a pseudo-Miller computation unit that takes as input a point P on an elliptic curve over a finite field GF(p) and a point Q on an elliptic curve over a finite field GF(p^k) and obtains from the input points an element f′ of the finite field GF(p^k), and an exponentiation unit that maps the obtained finite-field element to an element e(P, Q) of the finite field GF(p^k) and outputs it, wherein,
with p a prime or a power of a prime, m a prime that is the order of P, Q and e, k the smallest even number satisfying m | (p^k − 1), m not a divisor of (p − 1), the greatest common divisor of p and m equal to 1, T an element over the finite field GF(p), S and F elements over the finite field GF(p^k), and Q′ = Q + S,
the pseudo-Miller computation unit has m-encoding means that expresses the binary representation of m using 0, 1 and −1, and,
when the n-th bit of m is −1,
computes T − P and records it in recording means, and
with l1 the straight line through the points T and −P, l2 the straight line parallel to the y-axis through T − P, l3 the straight line parallel to the y-axis through P, and L2 a pseudo-inverse of l2(Q′), performs an elliptic subtraction that assigns F·(l1(Q′)l2(S)l3(S))·L2/(l3(Q′)l1(S)) to F, and
the exponentiation unit maps the element f′ obtained by the pseudo-Miller computation unit to the element e(P, Q) of the finite field GF(p^k) by an exponentiation.
The pairing computation apparatus according to claim 3, wherein the pseudo-Miller computation unit,
when the coordinates of Q′ and P are (x_Q′, y_Q′) and (x_P, y_P) respectively, calculates (y_Q′ + y_P)/(x_Q′ − x_P) in advance and records it in the recording means,
when performing the elliptic subtraction, calculates A = l1(Q′)/l3(Q′) using the recorded (y_Q′ + y_P)/(x_Q′ − x_P) and records A in the recording unit, and
when calculating F·(l1(Q′)l2(S)l3(S))·L2/(l3(Q′)l1(S)), reads the recorded A and calculates F·(A·l2(S)l3(S))·L2/l1(S).
A pairing computation method that takes as input a point P on an elliptic curve over a finite field GF(p) and a point Q on an elliptic curve over a finite field GF(p^k), and performs a Miller computation that obtains from the input points an element f of the finite field GF(p^k) and an exponentiation that maps the obtained finite-field element to an element e(P, Q) of the finite field GF(p^k) and outputs it, wherein,
with p a prime or a power of a prime, m a prime that is the order of P, Q and e, k the smallest even number satisfying m | (p^k − 1), m not a divisor of (p − 1), the greatest common divisor of p and m equal to 1, T an element over the finite field GF(p), S and F elements over the finite field GF(p^k), and Q′ = Q + S,
in a Miller computation unit,
the binary representation of m is expressed using 0, 1 and −1, and,
when the n-th bit of m is −1,
T − P is calculated and recorded in recording means, and
with l1 the straight line through the points T and −P, l2 the straight line parallel to the y-axis through T − P, and l3 the straight line parallel to the y-axis through P, an elliptic subtraction that assigns F·(l1(Q′)l2(S)l3(S))/(l2(Q′)l3(Q′)l1(S)) to F is performed.
The pairing computation method according to claim 5, wherein, in the Miller computation unit,
when the coordinates of Q′ and P are (x_Q′, y_Q′) and (x_P, y_P) respectively, (y_Q′ + y_P)/(x_Q′ − x_P) is calculated in advance and recorded in the recording means,
when the elliptic subtraction is performed, A = l1(Q′)/l3(Q′) is calculated using the recorded (y_Q′ + y_P)/(x_Q′ − x_P) and recorded in the recording unit, and
when F·(l1(Q′)l2(S)l3(S))/(l2(Q′)l3(Q′)l1(S)) is calculated, the recorded A is read and F·(A·l2(S)l3(S))/(l2(Q′)l1(S)) is calculated.
A pairing computation method that takes as input a point P on an elliptic curve over a finite field GF(p) and a point Q on an elliptic curve over a finite field GF(p^k), and performs a pseudo-Miller computation that obtains from the input points an element f′ of the finite field GF(p^k) and an exponentiation that maps the obtained finite-field element to an element e(P, Q) of the finite field GF(p^k) and outputs it, wherein,
with p a prime or a power of a prime, m a prime that is the order of P, Q and e, k the smallest even number satisfying m | (p^k − 1), m not a divisor of (p − 1), the greatest common divisor of p and m equal to 1, T an element over the finite field GF(p), S and F elements over the finite field GF(p^k), and Q′ = Q + S,
in a pseudo-Miller computation unit,
the binary representation of m is expressed using 0, 1 and −1, and,
when the n-th bit of m is −1,
T − P is calculated and recorded in recording means, and
with l1 the straight line through the points T and −P, l2 the straight line parallel to the y-axis through T − P, l3 the straight line parallel to the y-axis through P, and L2 a pseudo-inverse of l2(Q′), an elliptic subtraction that assigns F·(l1(Q′)l2(S)l3(S))·L2/(l3(Q′)l1(S)) to F is performed, and
in an exponentiation unit,
the element f′ obtained by the pseudo-Miller computation is mapped to the element e(P, Q) of the finite field GF(p^k) by an exponentiation.
The pairing computation method according to claim 7, wherein, in the pseudo-Miller computation unit,
when the coordinates of Q′ and P are (x_Q′, y_Q′) and (x_P, y_P) respectively, (y_Q′ + y_P)/(x_Q′ − x_P) is calculated in advance and recorded in the recording means,
when the elliptic subtraction is performed, A = l1(Q′)/l3(Q′) is calculated using the recorded (y_Q′ + y_P)/(x_Q′ − x_P) and recorded in the recording unit, and
when F·(l1(Q′)l2(S)l3(S))·L2/(l3(Q′)l1(S)) is calculated, the recorded A is read and F·(A·l2(S)l3(S))·L2/l1(S) is calculated.
A pairing program that realizes the apparatus according to any one of claims 1 to 4 on a computer.
JP2005156083A 2005-05-27 2005-05-27 Pairing calculation method, apparatus and program using the method Active JP4630132B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2005156083A JP4630132B2 (en) 2005-05-27 2005-05-27 Pairing calculation method, apparatus and program using the method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2005156083A JP4630132B2 (en) 2005-05-27 2005-05-27 Pairing calculation method, apparatus and program using the method

Publications (2)

Publication Number Publication Date
JP2006330497A true JP2006330497A (en) 2006-12-07
JP4630132B2 JP4630132B2 (en) 2011-02-09

Family

ID=37552227

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2005156083A Active JP4630132B2 (en) 2005-05-27 2005-05-27 Pairing calculation method, apparatus and program using the method

Country Status (1)

Country Link
JP (1) JP4630132B2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009109986A (en) * 2008-09-03 2009-05-21 Okayama Univ Pairing computation device, pairing computation method, and pairing computation program
JP2013517527A (en) * 2010-01-13 2013-05-16 Microsoft Corporation Determining pairing on a curve using integrated reversal

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006323160A (en) * 2005-05-19 2006-11-30 Nippon Telegr & Teleph Corp <Ntt> Pairing arithmetic unit, pairing arithmetic method and pairing arithmetic program


Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
JPN6010048213, Paulo S.L.M. Barreto, Hae Y. Kim, Ben Lynn, and Michael Scott, "Efficient Algorithms for Pairing-Based Cryptosystems", LNCS, 200208, Vol.2442, p.354-368 *
JPN7010002622, Tetsutaro Kobayashi, Kazumaro Aoki, Hideki Imai, "Fast Pairing Computation", 2005 Symposium on Cryptography and Information Security (SCIS2005) Proceedings, appendix CD-ROM, 20050125, 3F4 Software Implementation, 3F4-5, JP *
JPN7010002623, Seiichi Matsuda, Atsuo Inomata, Takeshi Okamoto, and Eiji Okamoto, "PERFORMANCE EVALUATION OF EFFICIENT ALGORITHMS FOR TATE PAIRING", 2005 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, 20050824, p.657-660 *
JPN7010002624, Tetsutaro KOBAYASHI, Kazumaro AOKI, and Hideki IMAI, "Efficient Algorithms for Tate Pairing", IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences, 20060101, VOL.E89-A, NO.1, p.134-143, JP *
JPN7010002625, Eiji Okamoto, Takeshi Okamoto, Naoki Kanayama, "Recent Research Trends on Pairings", Fundamentals Review, 200707, Vol.1, No.1, p.51-59, JP *


Also Published As

Publication number Publication date
JP4630132B2 (en) 2011-02-09


Legal Events

Date Code Title Description
A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20070810

A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20100824

A521 Written amendment

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20101012

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20101102

A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20101112

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20131119

Year of fee payment: 3

R150 Certificate of patent or registration of utility model

Ref document number: 4630132

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150

Free format text: JAPANESE INTERMEDIATE CODE: R150

S531 Written request for registration of change of domicile

Free format text: JAPANESE INTERMEDIATE CODE: R313531

R350 Written notification of registration of transfer

Free format text: JAPANESE INTERMEDIATE CODE: R350