JP2008020757A - Encryption processing device, encryption processing computation method, and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a device and a method realizing high-speed computation in hyperelliptic encryption processing. <P>SOLUTION: In the scalar multiplication calculation of a hyperelliptic curve encryption, it is determined which of a double multiplication, applying computational algorithm and a 1/2 fold applying computational algorithm, can perform high-speed computation on the basis of curve parameters of the hyperelliptic curve, and the scalar calculation of multiples is executed, by selectively applying the algorithm determined to be capable of performing the high-speed computation. According to the constitution, the scalar calculation of multiples associated with the encryption processing, corresponding to various curves, can be performed surely at high-speed processing. Namely, by selecting the algorithm according to the curve parameters, the high-speed computation with a reduced amount of computation in the scalar multiplication is realized. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a cryptographic processing apparatus, a cryptographic processing calculation method, and a computer program. More specifically, the present invention relates to a cryptographic processing device, a cryptographic processing calculation method, and a computer program that realize high-speed scalar multiplication in hyperelliptic curve cryptography.

  In recent years, with the development of network communication and electronic commerce, ensuring security in communication has become an important issue. One method for ensuring security is encryption technology, and currently, communication using various encryption methods is performed.

  For example, an encryption processing module is embedded in a small device such as an IC card, and data is transmitted / received between the IC card and a reader / writer as a data reading / writing device, and authentication processing or encryption / decryption of transmitted / received data is performed. The system to do is put into practical use.

  For example, IC cards that perform cryptographic processing are actively used in various gates such as ticket gates of stations, shopping centers, and the like, and demands for downsizing and speeding up of processing have become strict. Yes.

  Encryption methods are roughly classified into a common key method and a public key method. The common key method is also called a symmetric encryption method, and both the sender and the receiver have a common key. As a typical method of the common key method, there is DES (Data Encryption Standard). A feature of the DES algorithm is that encryption and decryption can be executed by almost the same algorithm.

  The public key system or the asymmetric encryption system is a configuration in which the sender and receiver have different keys for the common key encryption. Unlike the common key cryptosystem that uses a common key for encryption and decryption, the public key cryptosystem is advantageous in key management because the secret key that needs to be kept secret must be held by a specific person. . However, the public key cryptosystem has a slower data processing speed than the common key cryptosystem, and is generally used for a small amount of data such as secret key distribution and digital signature. As typical public key cryptosystems, RSA (Rivest-Shamir-Adleman) cryptography and elliptic curve cryptography (ECC) are known.

Elliptic Curve Cryptography is an elliptic curve y ² = x ³ + ax + b (4a ³ + 27b ² ≠ 0) on a prime field or an elliptic curve y ² + xy = x ³ + ax ² + b ( ² on an extension field). b ≠ 0) or the like is used. A set obtained by adding an infinite point (O) to points on these curves forms a finite group with respect to addition, and the infinite point (O) is the unit element. Hereinafter, the addition of points on the finite group is represented by +. The addition P + Q of two different points P and Q on the finite group is called “point addition”, and the addition P + P = 2P of the points P and P is called “point doubling”. Further, an operation for obtaining a point P + P +... + P = kP obtained by adding the point P k times is referred to as “scalar multiplication of points”.

  It is known that scalar multiplication of points can be constructed using point addition and point doubling. Point addition, point doubling, and point doubling in the affine coordinate system (x, y) and projective coordinates (X, Y, Z) on the elliptic curve on the prime field and the elliptic curve on the two extension field The scalar multiplication method is described in IEEE P1363 / D13 Standard Specifications for Public Key Cryptography.

  As a generalized system of elliptic curve cryptography, there is a hyper elliptic curve cryptography (HECC) system proposed by Koblitz and Cantor. The super elliptic curve cryptosystem is described in Non-Patent Document 1 and Non-Patent Document 2, for example.

In elliptic curve cryptography, a finite field Fq, where q = p ⁿ , p is a prime number, n is a positive integer, a point on the elliptic curve defined on the finite field Fq is P, and a point kP (k If εZ) is Q, the problem of obtaining k from Q can be reduced to a discrete logarithm problem. On the other hand, factors in the hyperelliptic curve cryptography is a formal sum of points a (divisor) and _{D 1,} the factors to be defined by the scalar multiplication kD ₁ and _{D 2,} issue hyperelliptic curve to determine the k from _{D 2} Called the discrete logarithm problem on the Jacobian manifold in. Public key cryptography can be constructed based on this mathematically suitable difficulty.

In a hyperelliptic curve, the value characterizing the curve is the genus g. prime p, n a positive integer, and q = ^{p n.} At this time, the hyperelliptic curve C of the genus g defined on the finite field Fq is expressed by the following equation:
y ² + h (x) y = f (x)
Defined by Here, h (x), f (x) εFq [x], f (x) is a monic polynomial of degree 2g + 1.

For a point P = (x, y) on the hyperelliptic curve C, a conjugate point is defined as −P = (x, −y−h (x)). A point where P = −P is referred to as a “ramification point”. In addition, the point at _infinity is represented as P∞.

  It is known that the computation size (bit length) of the definition of the hyperelliptic curve cryptosystem is 1 / g smaller than the computation size of the elliptic curve definition, assuming the same security as the elliptic curve cryptography. Yes. The small calculation size is advantageous in terms of implementation, and is one of the advantages of hyperelliptic curve cryptography.

Next, basic items of the super elliptic curve cryptography will be described. As described above, in hyperelliptic curve cryptography, if a factor that is a formal sum of points is D ₁ and a factor defined by scalar multiplication kD ₁ is D ₂ , the problem of obtaining k from D ₂ is It can be used as a public key cryptosystem as a discrete logarithm problem on a Jacobian manifold in a hyperelliptic curve.

Here, the factor is a formal sum of rational points and can be expressed in the following form.

Also, the semi reduced factor can be expressed in the following format.

_However, a _{P i} ≠ _{P j} with respect to _{P i = (x i, y} i) and i ≠ j.

Also, Σm _{i is referred} to as a D weight. Furthermore, a semi-reduced factor having a weight of genus g or less is referred to as a reduced divisor.

The safety of the hyperelliptic curve depends on the number of reduced factors, where N is the number of reduced factors. In order to realize secure hyperelliptic curve cryptography, N must have a prime number r of 160 bits or more as a factor. At this time, N is expressed as N = c × r. c is called a cofactor and is preferably a small number. For example,
When q = p (p is an odd prime number), c = 1,
If q = 2 ⁿ , then c = 2,
A hyperelliptic curve that satisfies is used. Also, the base point having the order r is selected.

An arbitrary semi-irreducible factor D of the hyperelliptic curve can be expressed as D = (U, V) using the following polynomial U, VεFq [x]. This is called a “Mumford” expression. For example, Non-Patent Document 3 describes the Mumford expression.

An arbitrary irreducible factor D of genus 2 uses a Mumford expression, and is a set of second-order or lower-order polynomials having elements on a finite field Fq as coefficients, ie,
(U, V) = (x ² + u ₁ x + u ₀ , v ₁ x + v ₀ ), or
(U, V) = (x + x ₀ , y ₀ )
Can be expressed as
The zero element is
(U, V) = (1, 0) = O
Is expressed as

  Next, scalar multiplication of factors used in hyperelliptic curve cryptography will be described. Scalar multiplication of factors can be calculated by a combination of factor addition and doubling called an addition algorithm, or a combination of addition and ½ multiplication. The main addition algorithm will be described below.

  The first practical algorithm proposed is the Cantor algorithm. This algorithm is described in Non-Patent Document 1 and Non-Patent Document 2, for example. This algorithm is an algorithm that can be applied to factors of any kind of hyperelliptic curve, but has a drawback in that the algorithm is more complex and computationally expensive than an elliptic curve.

  Harley limited to super-elliptic curves of genus 2, and divided the case of factor weight, and proposed an algorithm with less calculation amount by optimizing each case. In response to this research, research on improvement and expansion of arithmetic algorithms in hyperelliptic curve cryptography (HECC) has become active in recent years.

(A) The Harley algorithm uses a prime field as a definition field, a genus 2 curve, and a Mumford expression as a factor expression. Non-patent literature 4, non-patent literature 5, non-patent literature 6 etc. are mentioned as a research example of the improvement of the calculation amount of this algorithm, for example.
(A) Further, non-patent document 7 and non-patent document 8 report processing examples in which the definition body is expanded in the case of two expanded fields.
(C) Further, there are Non-Patent Document 11, Non-Patent Document 12, Non-Patent Document 6, and Non-Patent Document 13 as studies in which the amount of calculation is reduced by using extended Mumford expression and Weighted Coordinate for the expression of factors.

  The processing of the Harley algorithm will be described with reference to FIG. The present invention relates to a genus 2 hyperelliptic curve defined on a finite field of characteristic 2. In the following description, the genus of the curve is 2 and the characteristic of the definition field is 2.

FIG. 1A is a diagram showing a processing example of factor addition D ₁ + D _{2 in} the case of genus 2. Note that the factors D ₁ and D ₂ are D ₁ = (U _1, V ₁ ) and D ₂ = (U ₂ , V ₂ ), respectively. First, the case is divided according to the value of the weight of the factor. That is, depending on the value of each weight of [D ₁ + D ₂ ],
(1) weight2 + weight2
(2) weight2 + weight1
(3) Exception handling 1
The case is divided.

Then weight2 addition between: (1) For weight2 + weight2, factor _{D 1 = (U 1, V} 1), D 2 = the _(U 2, _{V 2),} the greatest common divisor _gcd (U _{1, U} 2) If = 1, the two factors D ₁ = (U _1, V ₁ ) and D ₂ = (U ₂ , V ₂ ) are not identical to each other or do not include an opposite point. in this case,
(1a) HarleyADD,
That is, addition processing according to the Harley algorithm is performed. (1a) The Harley ADD process is a process called “most frequent case” shown in Non-Patent Document 7, for example. This Most Frequent Case is a case that occurs with high probability in the factor addition D ₁ + D ₂ processing in the case of genus 2.

This (1a) Harley ADD process occurs with a very high probability. The probability of other exception handling occurring is very low. When the condition of Most Frequent Case is not satisfied, that is, for the factor D ₁ = (U _1, V ₁ ), D ₂ = (U ₂ , V ₂ ), the greatest common divisor gcd (U ₁ , U ₂ ) = 1 If you are not satisfied,
(1b) Exception processing 2 is performed.

(2) for the case of weight2 + weight1 Similarly, when checking whether the _{gcd (U 1, U 2)} = 1 , satisfies _{gcd (U 1, U 2)} = 1 is
(2a) ExHARADD ^{2 + 1 → 2} is executed,
If gcd (U ₁ , U ₂ ) = 1 is not satisfied,
(2b) Exception processing 3 is performed.
(3) The exception process 1 is a case where the case classification of “weight” is other than the above (1) and (2).

  The details of the algorithm of the genus 2 addition process described above are described in Non-Patent Document 8 (Tables 1 and 2).

Next, the flow of doubling in the case of genus 2 will be described with reference to FIG. The doubling is a process of D + D = 2D. The input is D ₁ = (U ₁ , V ₁ ) and the output is D ₂ = [2] D ₁ .
As in the case of factor _{D 1} weight of addition is (4) weight2,
(5) weight1,
(6) weight0,
Different processing is performed depending on each.

(4) In the case of weight2, it is checked whether the factor includes a branch point. If not, (4a) HarleyDBL processing is performed. If the factor includes a branch point, (4b) exception processing 6 is performed. If gcd (h, U1) = 1, D ₁ does not include a branch point. In this case, (4a) HarleyDBL processing is performed. The processing algorithm of HarleyDBL is shown as Most Frequent Case in Non-Patent Document 5, for example.

  As will be described later, this process occurs with a very high probability. The probability of other exception handling occurring is very low. As described above, when the Most Frequent Case condition is not satisfied, exception processing 6 is performed.

Similarly, in the case of weight1, it is checked whether gcd (h, U1) = 1, and the processing of (5a), ExHarDBL ^{1 + 1 → 2} or exception processing 7 which is processing of (5b) is performed. Regarding the algorithm of ExHarDBL ^{1 + 1 → 2} , Non-Patent Document 8 [4.12. (A)].

  As described above, HarleyADD and HarleyDBL are called Most Frequent Cases. When a factor is randomly generated and addition or doubling is performed, processing of HarleyADD and HarleyDBL is performed with a very high probability. In addition, the description that this HarleyADD and HarleyDBL become Most Frequent Case is described in the nonpatent literature 14, for example.

According to Non-Patent Document 14, the probability of processing other than this Most Frequent Caes is O (1 / q). Here, q is the number of elements of the definition body, and q ^g is a large number that requires about 160 bits in secure cryptographic applications, so that it can be regarded as a situation in which only HarleyADD and HarleyDBL occur in reality.

Therefore, when the addition algorithm of the super elliptic curve cryptography (HECC) is implemented as a cryptographic processing operation means such as an IC card using the Harley algorithm or its improved algorithm,
HarleyADD,
HarleyDBL
In many cases, only these arithmetic algorithm execution means are mounted, and other complicated exception processing that hardly occurs stochastically is performed. In this case, for exception processing, a method is adopted such as a configuration in which a Cantor algorithm that does not need to be divided into weight cases is executed. Since the burden of complicated exception handling increases as the genus increases, Non-Patent Documents 9 and 10 describe this mounting method.

Next, scalar multiplication of factors in the hyperelliptic curve cryptography (HECC) algorithm will be described. As a method of performing scalar multiplication of factors,
(A) Combination of super-elliptical addition and super-elliptical doubling,
(B) a combination of super-elliptical addition and super-elliptical ½ multiplication,
It can be calculated in either (a) or (b) above.
Hereinafter, the calculation methods (a) and (b) will be described.

(A) Scalar multiplication of factors based on a combination of super-elliptical addition and super-elliptical doubling First, scalar multiplication of factors based on a combination of super-elliptical addition and super-elliptical doubling will be described. Two types of right-to-left and left-to-right will be described in the basic Double-and-add binary method as a scalar multiplication algorithm.

As described above, in elliptic curve cryptography, if the point on the elliptic curve defined on the finite field Fq is P and the point kP (k∈Z) obtained by scalar multiplication is Q, the problem of obtaining k from Q is discrete. It can result in a logarithmic problem. On the other hand, factors in the hyperelliptic curve cryptography is a formal sum of points a (divisor) and _{D 1,} the factors to be defined by the scalar multiplication kD ₁ and _{D 2,} issue hyperelliptic curve to determine the k from _{D 2} Can be used as public key cryptography as a discrete logarithm problem on Jacobian varieties.

For a factor D, a scalar value as a multiplier applied to scalar multiplication (dD): a binary representation of d,
d = (d _l−1 ,..., d ₀ ),
However, d _l−1 = 1, d _l−2,..., D ₀ = 1 or ₀ .

The basic binary algorithm is a scalar multiplication algorithm.
binary (right-to-left) method There is a binary (left-to-right) method.

The binary (right-to-left) method is characterized in that d is viewed from the lower bits and [2 ⁱ ] D is added when d _i = 1. Algorithm 1 (Algorithm1) of the binary (right-to-left) method is shown below.

On the other hand, the binary (left-to-right) method is characterized in that d is viewed from the upper bits, each bit D is doubled, and base points are added when d _i = 1. Algorithm 2 (Algorithm 2) of the binary (left-to-right) method is shown below.

(B) Scalar multiplication of factors based on a combination of super-elliptical addition and super-elliptical ½ multiplication Next, scalar multiplication of factors based on a combination of super-elliptical addition and super-elliptical ½ multiplication will be described.

(B1) 1/2 multiplication of genus 2 and characteristic 2 First, 1/2 multiplication of genus 2 and characteristic 2 will be described. 1/2 multiplication is an inverse operation of the above-mentioned doubling. In the ½ multiplication, the factor weight is divided and the inverse operation of doubling corresponding to each case is calculated. It is known that the 1/2 multiplication can be processed faster than the doubling depending on the curve parameter and the finite field to be used. These are described in Non-Patent Document 15 and Non-Patent Document 16.

The flow of 1/2 multiplication will be described with reference to FIG. The input is D ₂ = (U ₂ , V ₂ ), and the output is D ₁ = [1/2] D ₂ . It is assumed that the factor is of order r. In other words, the factor handled does not have a branch point. The input factor D ₂ = (U ₂ , V ₂ ) can be expressed as follows:
D ₂ = (U ₂ , V ₂ ),
U ₂ = u ₂₂ x ² + u ₂₁ x + u ₂₀ ,
V ₂ = v ₂₁ x + v ₂₀ ,
u ₂₂ = 0 or 1
And Since it does not have a branch point,
Four inverse operations of ExHarDBL ^{1 + 1 → 2} , ExHarDBL ^{2 + 2 → 1} , ExHarDBL ^{2 + 2 → 2} , and HarleyDBL may be considered. Except for HarleyDBL, there are exception cases.

Here, ExHarDBL ^{2 + 2 → 1} is a method for calculating the case where the input factor weight is 2 and the output factor weight is 1. ExHarDBL ^{2 + 2 → 2} is a method for calculating the case where the weight of the input factor is 2, the coefficient of the first-order term of U ₂ satisfies u ₂₁ = 0, and the weight of the output factor is 2. However, although ExHarDBL ^{2 + 2 → 2} can be calculated by HarleyDBL, ½ multiplication that is the inverse operation of this is an exception case, so here, ExHarDBL ^{2 + 2 → 2} is treated as an exception case.

ExHEC_HLV ^{2 → 1 + 1} , ExHEC_HLV ^{1 → 2 + 2} and ExHEC_HLV ^{2 →} HLV ^{2 → 1 + 1} , ExHARDBL ^{1 + 1 → 2} , ExHarDBL ^{2 + 2 → 1} , ExHarDBL ^{2 + 2 → 2} , and 1/2 multiplication corresponding to HarleyDBL .

When the factor is multiplied by 1/2, first, the case is divided according to the input factor as shown in FIG. When the weight of the input factor is 2 and the coefficient of the first-order term of U ₂ satisfies u ₂₁ ≠ 0, the calculation is performed using HEC_HLV. The HEC_HLV algorithm is described in Non-Patent Document 15 (Algorithm 3). Since HEC_HLV is the inverse operation of HarleyDBL, the processing of HEC_HLV occurs with a very high probability in ½ multiplication. The probability of other exception handling occurring is very low. In cases other than HEC_HLV, exception processing is performed.

When the weight of the input factor is 2 and the coefficient of the term of U ₂ satisfies u ₂₁ = 0, ExHEC_HLV ^{2 → 2 + 2} that is the inverse operation of HarleyDBL ^{2 + 2 → 2 or} the inverse operation of HarleyDBL ^{1 + 1 → 2} Calculation is performed using ExHEC_HLV ^{2 → 1 + 1} . These algorithms are shown in Non-Patent Document 16 (4.2, 4.3).

When the weight of the input factor is 1, the calculation is performed by ExHEC_HLV ^{1 → 2 + 2} which is an inverse operation of HarleyDBL ^{2 + 2 → 1} . This algorithm is described in Non-Patent Document 16 (4.1).

  The 1/2 multiplication requires a square root calculation of a finite field and a calculation for solving a quadratic equation on the finite field. For this reason, a square root operation that was not included in the doubling operation, a half trace operation for solving the quadratic equation, and a trace operation are required. Although the calculation amount of the trace operation is negligible, the calculation amount of the square root operation and the half-trace operation differs depending on the finite field and may be ignored, but may not be ignored.

(B2) Scalar multiplication of factors based on the combination of addition and ½ multiplication in hyperelliptic curve cryptography Next, addition in superelliptic curve cryptography realized by applying the above ½ multiplication and 1 / The scalar multiplication of factors based on the combination of doubling will be described. The scalar multiplication of factors in hyperelliptic curve cryptography is the combination of (a) addition and doubling described above,
Can be realized by a combination of addition and 1/2 multiplication. This process is described in Non-Patent Document 16 (Algorithm 6). Hereinafter, an outline of scalar multiplication processing by a combination of addition and ½ multiplication in hyperelliptic curve cryptography will be described.

A procedure for calculating the scalar multiplication of factors in the hyperelliptic curve cryptography by superelliptic addition and superelliptical ½ multiplication will be described.
First, the scalar value d is expanded by a half number using the factor order r as the modulus, and it is defined as d ′. Specifically, d ′ is expressed as follows.

In the above formula, m is a bit length of order r. The detailed algorithm of this process is shown below as Algorithm 3 (Algorithm 3: Scalar value conversion).

In the basic Halve-and-add binary method as a scalar multiplication algorithm by a combination of addition and 1/2 multiplication,
(A) the right-to-left method;
(A) Left-to-right method,
These two types of methods will be described. Where
The binary representation of d ′ is (d ′ _l−1 ,..., d ′ ₀ ),
However,
d ′ _l−1 = 1
d ′ _l−2 ,..., d ′ ₀ = 1 or ₀
And

(A) Halve-and-add binary (right-to-left) method In the right-to-left method, the scalar value d ′ expressed in binary is viewed from the lower bits,
d ′ _i = 1
In the case of
[1/2 ⁱ ] D ₀
It is the feature to add.
The algorithm of this right-to-left method is shown below as Algorithm 4 (Algorithm 4: Halve-and-add binary (right-to-left) method).

In the algorithm 4 (Algorithm 4), in order to calculate the scalar multiplication dD ₀ , the algorithm value 3 (Algorithm 3) described above is used to input d ′ obtained by expanding the scalar value d into a half number.

(A) Halve-and-add binary (left-to-right) method The left-to-right method looks at the scalar value d 'expressed in binary from the upper bit, and doubles each bit D by 1/2. do it,
d ′ _i = 1
In this case, the base point is added.

Details of the algorithm of the left-to-right method are shown below as Algorithm 5 (Algorithm 5: Halve-and-add binary (left-to-right) method).

In the algorithm 5 (Algorithm 5), in order to calculate the scalar multiple dD ₀ , the algorithm value 3 (Algorithm 3) described above is used as an input and d ′ obtained by expanding the scalar value d into a half number.

As described above, in the hyperelliptic curve cryptosystem, as a method of calculating the scalar multiplication of factors,
(A) a method using addition and doubling,
(B) a method using addition and 1/2 multiplication,
These two types of methods are known.
Non-patent literature 15 and non-patent literature 16 exist as conventional techniques describing the above two methods. These documents describe a configuration that realizes high-speed computation by applying 1/2 multiplication.
N.Koblitz.Hyperelliptic curve cryptosystems.J.Cryptology, vol.1, No.3, pp.139-150, 1989. DGCantor. Computing in the Jacobian of hyperelliptic curve. Math. Comp., Vol. 48, No. 177, pp. 95-101, 1987 "D. Mumford, Tata lectures on theta II, Progress in Mathematics, no. 43, Birkhauser, 1984." K. Matsuo, J. Chao, and S. Tsujii.Fast Genus two hyperelliptic curve cryptosystems.Technical Report ISEC2001-31, IEICE Japan, 2001. M. Takahashi. Improving Harley algorithms for Jacobians of genus 2 hyperelliptic curves. SCIS2002. (Japanese). T. Lange. Inversion-free arithmetic on genus 2 hyperelliptic curves.Cryptology ePrint Archive, 2002/147, IACR, 2002. T. Sugizaki, K. Matsuo, J. Chao, and S. Tsujii.An extension of Harley addition algtorithm for hyperelliptic curves over finite fields of characteristic two.ISEC2002-9, IEICE, 2001 T. Lange, Efficient arithmetic on genus 2 hyperelliptic curves over finite fields via explicit formulae.Cryptology ePrint Archive, 2002/121, IACR, 2002. J. Kuroki, M. Gonda, K. Masuo, J. Chao and S. Tsujii. Fast genus three hyperellipitc curve cryptosystems. SCIS2002 J. Pelzl, T. Wollinger, J. Guajardo, and C. Paar. Hyperelliptic curve Cryptosystems: Closing the Performance Gap to Elliptic Curves. Cryptology ePrint Archive, 2003/026, IACR, 2003. Y. Miyamoto, H. Doi, K. Matsuo, J. Chao and S. Tsujii. A fast addition algorithm of genus two hyperelliptic curves. SCIS2002. (Japanese). N. Takahashi, H. Morimoto and A. Miyaji. Efficient exponentiation on genus two hyperelliptic curves (II). ISEC2002-145, IEICE, 2003. (Japanese) T. Lange. Weighed coordinate on genus 2 hyperellipitc curve.Cryptology ePrint Archive, 2002/153, IACR, 2002. N. Nagao.Improving group law algorithms for Jacobians of hyperelliptic curves.ANTS-IV, LNCS 1838, pp.439-448, Springer-Verlag, 2000. I. Kitamura, M. Katagi, and T. Takagi, A Complete Divisor Class Halving Algorithm for Hyperelliptic Curve Cryptosystems of Genus Two. ACISP 2005, LNCS 3574, pp.146-157, 2005. Kitamura, M. Katagi, and T. Takagi, A Complete Divisor Class Halving Algorithm for Hyperelliptic Curve Cryptosystems of Genus Two.Cryptology ePrint Archive, 2004/255, IACR, 2004

  In contrast to the elliptic curve cryptography (ECC) algorithm that is currently entering the practical phase, the hyperelliptic curve cryptography (HECC) algorithm, which is an extension concept, is currently researching high-speed algorithms and implementation methods at the academic society level. It is being advanced. The calculation time of scalar multiplication of the hyperelliptic curve cryptography (HECC) is only a certain level while approaching the elliptic curve cryptography (ECC), and further speedup is desired.

  The present invention has been made in view of such a current situation, and shortens the time required for scalar multiplication of the super elliptic curve cryptography (HECC) and realizes a super elliptic curve cryptography (HECC) computation process capable of high-speed processing. An object of the present invention is to provide a cryptographic processing apparatus, a cryptographic processing calculation method, and a computer program.

As described above, in the hyperelliptic curve cryptosystem, as a method of calculating the scalar multiplication of factors,
(A) a method using addition and doubling,
(B) a method using addition and 1/2 multiplication,
These two types of methods are known, and it is known that high-speed computation may be realized by applying ½ multiplication. However, the calculation speed is faster when ½ multiplication is applied than when doubling is applied when the curve parameter or finite field applied in the hyperelliptic curve cryptography satisfies a specific condition. Yes, under all conditions, the application of 1/2 doubling is not faster than the application of doubling. Depending on the conditions, there are cases where high speed computation is possible by applying doubling rather than ½.

The present invention is based on a given condition, for example, a setting condition of a hyperelliptic cryptocurve, in the scalar multiplication of factors in the hyperelliptic curve cryptography.
(A) a method using addition and doubling,
(B) a method using addition and 1/2 multiplication,
It is possible to determine which algorithm (a) or (b) is capable of high-speed computation, and to select and execute a high-speed algorithm as appropriate so that a high-speed cryptographic processing operation can be executed. It is an object of the present invention to provide a processing device, a cryptographic processing operation method, and a computer program.

The first aspect of the present invention is:
A cryptographic processing device that performs cryptographic processing operations based on hyperelliptic curve cryptography,
Based on the curve parameters of the hyperelliptic curve applied to the cryptographic processing operation, as a scalar multiplication algorithm, it is determined whether the calculation algorithm of the doubling application algorithm or the 1/2 multiplication application algorithm can be operated at high speed. A control unit,
An arithmetic processing unit that executes a scalar multiplication process in the hyperelliptic curve cryptography by selectively applying an algorithm determined to be capable of high-speed computation;
The cryptographic processing apparatus is characterized by comprising:

  Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the control unit acquires a table in which a curve parameter of the hyperelliptic curve is associated with algorithm information capable of performing high-speed computation from the storage unit, and performs cryptographic processing. Compare and match the curve parameters of the hyperelliptic curve to be applied to the calculation with the curve parameter information recorded in the table, and determine that the algorithm information set corresponding to the matching or similar table recording data is an algorithm capable of high-speed calculation It is the structure which performs the process to perform.

  Furthermore, in an embodiment of the cryptographic processing apparatus of the present invention, the arithmetic processing unit has a configuration capable of executing both a doubling-applying operation algorithm and a ½-doubling applying operation algorithm. It is the structure which performs the arithmetic processing using the arithmetic execution hardware or program utilized in common in a calculation and 1/2 multiplication.

  Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the control unit performs scalar multiplication based on a curve parameter of a hyperelliptic curve applied to the cryptographic processing operation and a finite field type applied to the cryptographic processing operation. The algorithm is characterized in that it performs a process of determining which one of a calculation algorithm applicable to a doubling operation and an operation algorithm applying a doubling operation can be performed at high speed.

  Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the control unit performs a high-speed execution of an arithmetic algorithm that applies 1/2 multiplication in scalar multiplication based on a curve parameter of a hyperelliptic curve that is applied to cryptographic processing. When it is determined whether or not there is a possibility, and it is determined that there is a possibility of high-speed execution of the 1 / 2-folding application algorithm, either the doubling-application algorithm or the 1 / 2-folding application algorithm It is the structure which performs the process which determines whether high-speed calculation is possible.

Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the control unit is a super elliptic curve defined on a finite field of genus 2 and characteristic 2 applied to cryptographic processing calculation: y ² + h (x) y. = When the cofactor [c] included in the curve parameter of f (x) is 2 and h (x) is an irreducible polynomial, the calculation algorithm can be executed at high speed. It is the structure determined to be.

  Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the cryptographic processing apparatus performs a doubling application operation applying a curve parameter of a hyperelliptic curve applied to a cryptographic processing operation, and a ½ multiplication application operation. A calculation speed calculating unit that executes and measures a processing time, and the control unit, based on a calculation result of the calculation speed calculation unit, uses a doubling calculation calculation algorithm as a scalar multiplication algorithm; The present invention is characterized in that it is configured to perform a determination process as to which of the calculation algorithms of the multiplication application algorithm is capable of high-speed calculation.

Furthermore, the second aspect of the present invention provides
In the cryptographic processing apparatus, a cryptographic processing calculation method for performing cryptographic processing calculation based on hyperelliptic curve cryptography,
In the control unit, based on the curve parameter of the hyperelliptic curve, an arithmetic operation is performed to determine which one of the algorithm for doubling and the algorithm for applying the doubling can be performed at high speed as a scalar multiplication algorithm. A time verification step;
In the arithmetic processing unit, by selectively applying the algorithm determined to be capable of high-speed arithmetic in the arithmetic time verification step, an arithmetic execution step for executing scalar multiplication processing in the hyperelliptic curve cryptography,
The cryptographic processing operation method is characterized by comprising:

  Furthermore, in one embodiment of the cryptographic processing calculation method of the present invention, the calculation time verification step refers to a table that associates curve parameters of a hyperelliptic curve with algorithm information capable of executing high-speed calculation. It is a step of executing a process of determining which one of the calculation algorithm of multiplication application algorithm and the calculation algorithm of 1/2 multiplication application is capable of high-speed calculation.

  Furthermore, in one embodiment of the cryptographic processing calculation method of the present invention, the calculation time verification step is based on a curve parameter of a super elliptic curve applied to the cryptographic processing calculation and a finite field type applied to the cryptographic processing calculation. The scalar multiplication algorithm is a step of executing a process of determining which one of a computation algorithm of a doubling application algorithm and a computation algorithm of a ½ multiplication application can be performed at high speed.

  Furthermore, in one embodiment of the cryptographic processing calculation method of the present invention, the calculation time verification step includes a calculation algorithm for 1/2 multiplication applied in scalar multiplication based on a curve parameter of a hyperelliptic curve applied to the cryptographic processing calculation. In the case where it is determined whether there is high-speed feasibility of the ½ multiplication application algorithm, it is determined whether there is any of the doubling application algorithm or the ½ multiplication application algorithm. It is a step for executing a process for determining whether or not the calculation algorithm is capable of high-speed calculation.

Furthermore, in one embodiment of the cryptographic processing calculation method of the present invention, the processing for determining the presence or absence of high-speed feasibility of the ½ multiplication application calculation algorithm is a genus 2 or characteristic 2 applied to the cryptographic processing calculation. Hyperelliptic curve defined on a finite field: when the cofactor [c] included in the curve parameter of y ² + h (x) y = f (x) is 2 and h (x) is an irreducible polynomial, 1 / High-speed feasibility of doubling calculation application algorithm It is a process for determining that calculation is possible at high speed.

  Furthermore, in an embodiment of the cryptographic processing calculation method of the present invention, the cryptographic processing calculation method further includes a doubling calculation calculation using a curve parameter of a hyperelliptic curve applied to the cryptographic processing calculation in the calculation speed calculation means. And a calculation speed calculation step of measuring a processing time by executing a 1/2 multiplication application calculation, wherein the calculation time verification step is performed as a scalar multiplication algorithm based on a calculation result in the calculation speed calculation step. It is a step of executing a determination process as to which of the doubling calculation algorithm and the ½ multiplication algorithm can be performed at high speed.

Furthermore, the third aspect of the present invention provides
In the cryptographic processing device, a computer program that executes cryptographic processing calculation based on hyperelliptic curve cryptography,
In the control unit, based on the curve parameter of the hyperelliptic curve, an operation for determining which one of the algorithm for doubling and the algorithm for applying the doubling can be performed as a scalar multiplication algorithm. A time verification step;
In the arithmetic processing unit, by selectively applying the algorithm determined to be capable of high-speed arithmetic in the arithmetic time verification step, an arithmetic execution step for executing a scalar multiplication process in the hyperelliptic curve cryptography,
In a computer program characterized by causing

  The computer program of the present invention is, for example, a storage medium or communication medium provided in a computer-readable format to a computer system capable of executing various program codes, such as a CD, FD, or MO. It is a computer program that can be provided by a recording medium or a communication medium such as a network. By providing such a program in a computer-readable format, processing corresponding to the program is realized on the computer system.

  Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

  According to the configuration of one embodiment of the present invention, in the configuration for executing the scalar multiplication on the factor D of the hyperelliptic curve cryptography, as the scalar multiplication algorithm based on the curve parameter of the superelliptic curve applied to the cryptographic processing operation, Determines which of the doubling calculation algorithm and ½ doubling calculation algorithm can be performed at high speed, and selectively applies the algorithm determined to be capable of high speed calculation to execute scalar multiplication processing. With this configuration, scalar multiplication associated with encryption processing corresponding to various curves can be reliably performed at high speed. That is, by selecting an algorithm according to the curve parameter, high-speed calculation with a reduced amount of calculation in scalar multiplication is realized.

  Details of the cryptographic processing apparatus, cryptographic processing calculation method, and computer program of the present invention will be described below.

The present invention is a high-speed calculation method for hyper elliptic curve cryptography (HECC), which is a generalization of elliptic curve cryptography. As described above, in the super elliptic curve, the value characterizing the curve is the genus g. prime p, n a positive integer, and q = ^{p n.} At this time, the hyperelliptic curve C of the genus g defined on the finite field Fq is expressed by the following equation:
y ² + h (x) y = f (x)
Defined by Here, h (x), f (x) εFq [x], f (x) is a monic polynomial of degree 2g + 1.

  The conjugate point for the point P = (x, y) on the hyperelliptic curve C is defined as -P = (x, -y-h (x)). A point where P = −P is referred to as a “ramification point”.

  It is known that the computation size (bit length) of the definition of the hyperelliptic curve cryptosystem is 1 / g smaller than the computation size of the elliptic curve definition, assuming the same security as the elliptic curve cryptography. Yes. The small calculation size is advantageous in terms of implementation, and is one of the advantages of hyperelliptic curve cryptography.

As described above, in hyperelliptic curve cryptography, if a factor that is a formal sum of points is D ₁ and a factor defined by scalar multiplication kD ₁ is D ₂ , the problem of obtaining k from D ₂ is It can be used as a public key cryptosystem as a discrete logarithm problem on a Jacobian manifold in a hyperelliptic curve.

Here, the factor is a formal sum of rational points and can be expressed in the following form.

Also, the semi reduced factor can be expressed in the following format.

_However, a _{P i} ≠ _{P j} with respect to _{P i = (x i, y} i) and i ≠ j.

Also, Σm _{i is referred} to as a D weight. Furthermore, a semi-reduced factor having a weight of genus g or less is referred to as a reduced divisor.

An arbitrary semi-reducible factor D on a hyperelliptic Jacobi manifold can be expressed as D = (U, V) using the following polynomial U, VεFq [x]. This is called a “Mumford” expression.

An arbitrary irreducible factor D of genus 2 uses a Mumford expression, and is a set of second-order or lower-order polynomials having elements on a finite field Fq as coefficients, ie,
(U, V) = (x ² + u ₁ x + u ₀ , v ₁ x + v ₀ ), or
(U, V) = (x + x ₀ , y ₀ )
Can be expressed as
The zero element is
(U, V) = (1, 0) = O
Is expressed as

As described above, in the hyperelliptic curve cryptosystem, as a method of calculating the scalar multiplication of factors,
(A) a method using addition and doubling,
(B) a method using addition and 1/2 multiplication,
These two types of methods are known. The present invention is based on given conditions, for example, curve parameters to be applied to a hyperelliptic cryptocurve and various setting conditions of a finite field in the scalar multiplication of factors in the hyperelliptic curve cryptography.
(A) a method using addition and doubling,
(B) a method using addition and 1/2 multiplication,
It is possible to execute a high-speed cryptographic processing operation by determining which algorithm (a) or (b) is capable of high-speed calculation and selecting and executing a high-speed algorithm as appropriate. It is. Hereinafter, embodiments of the present invention will be described in order according to the following items.

(1) A method of calculating doubling or ½ doubling for a factor D of a super elliptic curve defined on a finite field of genus 2 and characteristic 2.
(2) In the arithmetic operation of scalar multiplication for the factor D of the hyperelliptic curve defined on the finite field of genus 2 and characteristic 2,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A method to calculate scalar multiplication of factors using each of these algorithms.
(3) In the arithmetic operation of scalar multiplication for the factor D of the hyperelliptic curve defined on the finite field of genus 2 and characteristic 2,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A method to determine which of these processes is faster.
(4) In the arithmetic operation of scalar multiplication for the factor D of the hyperelliptic curve defined on the finite field of genus 2 and characteristic 2,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A configuration that performs scalar multiplication of factors by selecting an algorithm that can be operated at high speed from.

  Hereinafter, each of these items (1) to (4) will be described sequentially.

(1) A method of calculating doubling or ½ doubling for a factor D of a super elliptic curve defined on a finite field of genus 2 and characteristic 2.
First, an apparatus configuration and method for calculating doubling or ½ doubling for a factor D of a hyperelliptic curve defined on a finite field of genus 2 and characteristic 2 will be described.

  The present invention relates to a genus 2 hyperelliptic curve defined on a finite field of characteristic 2. In the following description, the genus of the curve is 2 and the characteristic of the definition field is 2.

The doubling process for the factor D of the hyperelliptic curve defined on the finite field of genus 2 and characteristic 2 is executed by the process described above with reference to FIG. The doubling is a process of calculating D + D = 2D for the factor D. The input is D ₁ = (U ₁ , V ₁ ) and the output is D ₂ = [2] D ₁ .
Figure 1 as described with reference to (B), weight factors _{D 1} is weight2,
weight1,
weight0,
Different processing is performed depending on each.

In the case of weight2, whether or not the factor includes a branch point is checked. If not included, (4a) HarleyDBL processing is performed as shown in FIG. If the factor includes a branch point, (4b) exception processing 6 is performed. If gcd (h, U1) = 1, D ₁ does not include a branch point. In this case, (4a) HarleyDBL processing is performed. This process occurs with Most Frequent Case, that is, with a very high probability. The probability of other exception handling occurring is very low. If the condition of Most Frequent Case is not satisfied, exception processing 6 is performed.

Similarly, in the case of weight1, it is checked whether gcd (h, U1) = 1, and the processing of (5a), ExHarDBL ^{1 + 1 → 2} or exception processing 7 which is processing of (5b) is performed.

  As described above, HarleyDBL is called Most Frequent Case, and when a factor is randomly generated and doubling is performed, HarleyDBL is processed with a very high probability.

As described above in the Background Art section, the probability of processing other than this Most Frequent Caes is O (1 / q). Here, q is the number of elements of the definition body, and q ^g is a large number that is required to be about 160 bits for secure cryptographic use, so in reality, it can be regarded that only HarleyDBL occurs in the doubling process. it can.

  The arithmetic processing algorithm of HarleyDBL is publicly known, and is described in Non-Patent Document 5 described above (M. Takahashi. Improving Harley algorithms for Jacobians of genus 2 hyperelliptic curves. SCIS2002. (Japanese)).

  There are four types of finite field operations required for the doubling processing (HarleyDBL arithmetic processing algorithm) for the factor D of the hyperelliptic curve: addition, multiplication, multiplication, and inverse operation.

Further, the ½ multiplication processing for the factor D of the super elliptic curve defined on the finite field of genus 2 and characteristic 2 is executed by the processing described above with reference to FIG. The input is D ₂ = (U ₂ , V ₂ ), and the output is D ₁ = [1/2] D ₂ . It is assumed that the factor is of order r. In other words, the factor handled does not have a branch point. The input factor D ₂ = (U ₂ , V ₂ ) can be expressed as follows:
D ₂ = (U ₂ , V ₂ ),
U ₂ = u ₂₂ x ² + u ₂₁ x + u ₂₀ ,
V ₂ = v ₂₁ x + v ₂₀ ,
u ₂₂ = 0 or 1
And Since it does not have a branch point,
Four inverse operations of ExHarDBL ^{1 + 1 → 2} , ExHarDBL ^{2 + 2 → 1} , ExHarDBL ^{2 + 2 → 2} , and HarleyDBL may be considered. Except for HarleyDBL, there are exception cases.

Here, ExHarDBL ^{2 + 2 → 1} is a method for calculating the case where the input factor weight is 2 and the output factor weight is 1. ExHarDBL ^{2 + 2 → 2} is a method for calculating the case where the weight of the input factor is 2, the coefficient of the first-order term of U ₂ satisfies u ₂₁ = 0, and the weight of the output factor is 2. However, although ExHarDBL ^{2 + 2 → 2} can be calculated by HarleyDBL, ½ multiplication that is the inverse operation of this is an exception case, so here, ExHarDBL ^{2 + 2 → 2} is treated as an exception case.

ExHEC_HLV ^{2 → 1 + 1} , ExHEC_HLV ^{1 → 2 + 2} and ExHEC_HLV ^{2 →} HLV ^{2 → 1 + 1} , ExHARDBL ^{1 + 1 → 2} , ExHarDBL ^{2 + 2 → 1} , ExHarDBL ^{2 + 2 → 2} , and 1/2 multiplication corresponding to HarleyDBL .

When the factor is multiplied by 1/2, first, the case is divided according to the input factor as shown in FIG. When the weight of the input factor is 2 and the coefficient of the first-order term of U ₂ satisfies u ₂₁ ≠ 0, the calculation is performed using HEC_HLV. Since HEC_HLV is the inverse operation of HarleyDBL, the processing of HEC_HLV occurs with a very high probability in ½ multiplication. The probability of other exception handling occurring is very low. In cases other than HEC_HLV, exception processing is performed.

When the weight of the input factor is 2 and the coefficient of the term of U ₂ satisfies u ₂₁ = 0, ExHEC_HLV ^{2 → 2 + 2} that is the inverse operation of HarleyDBL ^{2 + 2 → 2 or} the inverse operation of HarleyDBL ^{1 + 1 → 2} Calculation is performed using ExHEC_HLV ^{2 → 1 + 1} . When the weight of the input factor is 1, the calculation is performed by ExHEC_HLV ^{1 → 2 + 2} which is an inverse operation of HarleyDBL ^{2 + 2 → 1} .

  The 1/2 multiplication requires a square root calculation of a finite field and a calculation for solving a quadratic equation on the finite field. For this reason, a square root operation that was not included in the doubling operation, a half-trace operation that solves the quadratic equation and obtains the root, and a trace operation that determines whether there is a root of the quadratic equation are required.

  FIG. 3 shows an example of the configuration of the computing means of the cryptographic processing apparatus that can calculate both doubling and ½ multiplication for the factor D of the hyperelliptic curve. As shown in FIG. 3, the calculation unit 100 includes a group calculation unit 110 and a finite field calculation unit 120.

  When executing the doubling or ½ doubling processing for the factor D of the super elliptic curve, the curve parameters 11, 2 doubling, and ½ doubling that define the super elliptic curve to be applied are used as the input data 10. The group calculation type information 12 indicating which of these is executed, and further, each piece of information of the input factor 13 to be actually calculated is input to the calculation means 100. Based on these input data, the arithmetic unit 100 executes doubling or halving and outputs the output factor 21 as the processing result as output data 20.

  In the arithmetic unit 100, in both cases of doubling and halving, the polynomial defined on the finite field that expresses the factor that is the input value is converted into a finite field according to each arithmetic algorithm. Perform the operation. Therefore, in order to realize the doubling and ½ doubling, the finite field computing means 120 for executing various operations of the finite field, the doubling and ½ doubling processing procedures, and the intermediate computation results are obtained. The group calculation means 110 is required as a means for storing.

  The group calculation means 110 includes a doubling processing means 111 as a means for storing an arithmetic processing procedure and an intermediate calculation result in the doubling process, and an intermediate processing procedure in the middle of the halving process. A ½ multiplication processing means 112 is included as means for storing the calculation result.

  Further, the finite field calculation means 120 includes various calculation means for executing finite field calculations in accordance with the respective calculation algorithms of doubling and halving. As described above, there are four types of finite field operations required in the doubling process for the factor D of the hyperelliptic curve: addition, multiplication, multiplication, and inverse operation. In addition to these four types of addition, multiplication, double multiplication, and inverse operation, square root calculation of a finite field and an operation for solving a quadratic equation on the finite field, that is, solving a quadratic equation, And a trace operation as a determination operation for determining whether or not there is a root of a quadratic equation.

  Accordingly, the finite field computing means 120 includes an adding means 121, a multiplying means 122, a 2 multiplying means 123, an inverse element computing means 124, a square root computing means 125, a half trace computing means 126, and a trace computing means 127. For example, the adding means 121, the multiplying means 122, the 2 multiplying means 123, and the inverse element calculating means 124 do not have a hardware configuration, a configuration dedicated to doubling and 1/2 doubling in the program, One configuration that can be used in common. As described above, the adding means 121, the multiplying means 122, the 2 multiplying means 123, and the inverse element calculating means 124 are not configured separately for doubling and halving, but are configured in a shared manner, thereby configuring the calculating means. As a result, the hardware size and program size can be reduced. When hardware is used, the number of gates can be reduced and the size of the apparatus can be reduced.

In addition, the process of adding the factor D of the super elliptic curve is executed by the process described above with reference to FIG. In the addition of factors D ₁ + D ₂ in the case of genus 2, if the factors D ₁ and D ₂ are D ₁ = (U _1, V ₁ ) and D ₂ = (U ₂ , V ₂ ), respectively, The cases are classified according to the value of the weight of the factor. That is, depending on the value of each weight of [D ₁ + D ₂ ],
(1) weight2 + weight2
(2) weight2 + weight1
(3) Exception handling 1
The case is divided.

Then weight2 addition between: (1) For weight2 + weight2, factor _{D 1 = (U 1, V} 1), D 2 = the _(U 2, _{V 2),} the greatest common divisor _gcd (U _{1, U} 2) If = 1, the two factors D ₁ = (U _1, V ₁ ) and D ₂ = (U ₂ , V ₂ ) are not identical to each other or do not include an opposite point. in this case,
(1a) HarleyADD,
That is, addition processing according to the Harley algorithm is performed. (1a) The Harley ADD process is a process called “most frequent case” shown in Non-Patent Document 7, for example. This Most Frequent Case is a case that occurs with high probability in the factor addition D ₁ + D ₂ processing in the case of genus 2.

This (1a) Harley ADD process occurs with a very high probability. The probability of other exception handling occurring is very low. When the condition of Most Frequent Case is not satisfied, that is, for the factor D ₁ = (U _1, V ₁ ), D ₂ = (U ₂ , V ₂ ), the greatest common divisor gcd (U ₁ , U ₂ ) = 1 If you are not satisfied,
(1b) Exception processing 2 is performed.

(2) for the case of weight2 + weight1 Similarly, when checking whether the _{gcd (U 1, U 2)} = 1 , satisfies _{gcd (U 1, U 2)} = 1 is
(2a) ExHARADD ^{2 + 1 → 2} is executed,
If gcd (U ₁ , U ₂ ) = 1 is not satisfied,
(2b) Exception processing 3 is performed.
(3) The exception process 1 is a case where the case classification of “weight” is other than the above (1) and (2).

  Note that the details of the algorithm of genus 2 addition processing described above are described in Non-Patent Document 8 (T. Lange, Efficient arithmetic on genus 2 hyperelliptic curves over finite fields via explicit formulae. Cryptology ePrint Archive, 2002 / 121, IACR, 2002.).

  The finite field operation required for the addition process of the factor D of the hyperelliptic curve is the same as the doubling operation, and there are four types of addition, multiplication, multiplication, and inverse operation. Therefore, a calculation means that can execute addition processing in addition to doubling and ½ multiplication is a finite field calculation means 120 of the calculation means 100 shown in FIG. A finite field calculation means 120 having the same configuration as that of the addition means 121, the multiplication means 122, the two multiplication means 123, the inverse element calculation means 124, the square root calculation means 125, the half trace calculation means 126, and the trace calculation means 127; In addition to the doubling processing means 161 and the 1/2 doubling processing means 162, a group operation means 161 having an addition processing means 163 as means for storing an operation processing procedure and an intermediate operation result at the time of addition processing is constituted. be able to.

  When the doubling, ½ doubling, or addition processing for the factor D of the hyperelliptic curve is executed, as the input data 10, parameters 11, 2 doubling to define the superelliptic curve to be applied, 1 / Group operation type information 12 indicating which of doubling and addition is to be executed, and each information of the input factor 13 to be actually calculated are input to the calculation means 100. Based on these input data, the arithmetic unit 100 executes doubling, halving, or addition, and outputs the output factor 21 as the processing result as output data 20.

  Also in this configuration, the adding means 121, the multiplying means 122, the 2 multiplying means 123, and the inverse element calculating means 124 have, for example, a hardware configuration, a configuration dedicated to each of doubling, halving, and adding operations in the program. Instead of this, a single configuration that can be commonly used in any processing is adopted. As described above, the adding means 121, the multiplying means 122, the 2 multiplying means 123, and the inverse element calculating means 124 are not configured separately for doubling and halving, but are configured in a shared manner, thereby configuring the calculating means. As a result, the hardware size and program size can be reduced. When hardware is used, the number of gates can be reduced and the size of the apparatus can be reduced.

(2) In the arithmetic operation of scalar multiplication for the factor D of the hyperelliptic curve defined on the finite field of genus 2 and characteristic 2,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A method to calculate scalar multiplication of factors using each of these algorithms.

As described above, the operation of scalar multiplication for the factor D of the hyperelliptic curve is as follows.
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
Either (a) or (b) can be applied.

(A) As described above, the calculation algorithm to which addition and doubling are applied is as follows.
The binary (right-to-left) method The binary (left-to-right) method can be applied.

The binary (right-to-left) method is characterized in that d is viewed from the lower bits and [2 ⁱ ] D is added when d _i = 1. Algorithm 1 (Algorithm1) of the binary (right-to-left) method is shown below.

On the other hand, the binary (left-to-right) method is characterized in that d is viewed from the upper bits, each bit D is doubled, and base points are added when d _i = 1. Algorithm 2 (Algorithm 2) of the binary (left-to-right) method is shown below.

In addition, as described above, (b) the arithmetic algorithm to which addition and ½ multiplication are applied is the Halve-and-add binary method,
(A) the right-to-left method;
(A) Left-to-right method,
These two types of techniques can be used. The scalar value d is expanded in half notation with the factor order r modulo, and is set as d ′.

(A) The Halve-and-add binary (right-to-left) method looks at the scalar value d ′ expressed in binary from the lower bits,
d ′ _i = 1
In the case of
[1/2 ⁱ ] D ₀
It is the feature to add. The algorithm of this right-to-left method is shown below as Algorithm 4 (Algorithm 4: Halve-and-add binary (right-to-left) method).

In the algorithm 4 (Algorithm 4), in order to calculate the scalar multiplication dD ₀ , the algorithm value 3 (Algorithm 3) described above is used to input d ′ obtained by expanding the scalar value d into a half number.

(B) The Halve-and-add binary (left-to-right) method looks at the scalar value d ′ expressed in binary from the upper bit, doubles each bit D by 1/2,
d ′ _i = 1
In this case, the base point is added. Details of the algorithm of the left-to-right method are shown below as Algorithm 5 (Algorithm 5: Halve-and-add binary (left-to-right) method).

In the algorithm 5 (Algorithm 5), in order to calculate the scalar multiple dD ₀ , the algorithm value 3 (Algorithm 3) described above is used as an input and d ′ obtained by expanding the scalar value d into a half number.

Here, in the above algorithm,
Scalar multiplication algorithm when doubling is applied: Algorithm 1 (Algorithm1)
Scalar multiplication algorithm when 1/2 multiplication is applied: Algorithm 4 (Algorithm 4)
Compare

  The application part of the doubling in the algorithm 1 (Algorithm 1) is only replaced with the ½ multiplication in the algorithm 4 (Algorithm 4), and the other parts are completely the same.

Similarly, in the above algorithm,
Scalar multiplication algorithm when doubling is applied: Algorithm 2 (Algorithm2),
Scalar multiplication algorithm when 1/2 multiplication is applied: Algorithm 5 (Algorithm 5)
Compare

  When these two algorithms are compared, it is the same as the above comparison, and the application part of doubling in algorithm 2 (Algorithm 2) is simply replaced with ½ multiplication in algorithm 5 (Algorithm 5). Yes, the other parts are quite common.

From this, the algorithm 1 (Algorithm1) and the algorithm 4 (Algorithm4) are set as one common algorithm and executed.
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
By setting to change only part of the processing by either (a) or (b) above,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A configuration for executing both of the above is realized.

Similarly, the algorithm 2 (Algorithm 2) and the algorithm 5 (Algorithm 5) are set as one common algorithm and executed.
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
By setting to change only part of the processing by either (a) or (b) above,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A configuration for executing both of the above is realized.

From these things, as the arithmetic operation of the scalar multiplication for the factor D of the hyperelliptic curve,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
The scalar multiplication means that can be executed by any of these algorithms can be configured as a doubling / 1/2 multiplication switching scalar multiplication means 250 shown in FIG.

  The doubling / 1/2 doubling switching scalar multiplication means 250 shown in FIG. 5 is the computing means 150 described with reference to FIG. 4, that is, doubling, ½ times for the factor D of the hyperelliptic curve. In addition to the arithmetic means 150 that executes the calculation and addition processing, the scalar value conversion means 251 that executes the scalar value conversion processing required in the execution of the scalar multiplication algorithm when ½ multiplication is applied, and the scalar multiplication And scalar multiplication processing means 252 for executing the algorithm.

The scalar multiplication processing means 252 is, for example,
(P) Algorithm 1 (Algorithm 1) and Algorithm 4 (Algorithm 4) are set as one common algorithm and executed.
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
An execution configuration of an algorithm set to change only a part of the processing according to any one of (a) and (b) above, or
(Q) Algorithm 2 (Algorithm 2) and Algorithm 5 (Algorithm 5) are set as one common algorithm and executed.
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
An algorithm execution configuration in which only a part of the processing is set to be changed by any one of the above (a) and (b),
It is assumed that at least one of the processes (P) and (Q) can be executed.

The scalar value conversion means 251 is configured to execute a scalar value conversion process necessary for executing a scalar multiplication algorithm when ½ multiplication is applied. As described above, the scalar value d is converted into a factor. Modulo the order r of ½ and expand it to a half number, and let it be d ′. Specifically, a process of expressing d ′ as follows is performed.

In the above formula, m is the bit length of order r. This scalar value conversion process is the algorithm 3 (Algorithm 3) described above, and is the following algorithm.

When the scalar multiplication with respect to the factor D of the super elliptic curve is executed by applying the doubling / 1/2 multiplication switching scalar multiplication means 250 shown in FIG. 5, the applied super elliptic curve is used as the input data 210. The group operation type information 212 indicating which of the curve parameter 211, doubling and ½ doubling to be defined is executed, and further, each information of the input factor 213 and the scalar value 214 to be actually calculated is doubled. This is input to the arithmetic / half multiplication switching scalar multiplication means 250. Based on these input data, the scalar multiplication means 250 for switching between doubling and halving
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
Any one of these scalar multiplications is executed, and a scalar multiplication result 221 as a processing result is output as output data 220.

  In this configuration, the calculation unit 150 has the configuration described with reference to FIG. 4, and the finite field calculation unit 120 includes an addition unit 121, a multiplication unit 122, a two multiplication unit 123, an inverse element calculation unit 124, a square root. The calculation unit 125, the half-trace calculation unit 126, and the trace calculation unit 127 are included. However, the addition unit 121, the multiplication unit 122, the two-multiplication unit 123, and the inverse element calculation unit 124 have a hardware configuration, doubling in the program, 1 / Rather than having a dedicated configuration for each of the doubling and addition operations, a single configuration that can be used in common in both processes is used. By adopting a common configuration, it is possible to reduce the hardware size and program size as the configuration of the calculation means. When hardware is used, the number of gates can be reduced and the size of the apparatus can be reduced.

  In the above-described scalar multiplication, the processing configuration to which the binary method is applied has been described, but the scalar multiplication processing based on a method different from the binary method, for example, the scalar multiplication processing to which the window method is applied, is also shown in FIG. In the configuration, the scalar value conversion unit 251 and the scalar multiplication processing unit 252 are configured to correspond to the algorithm of the window method, so that the processing to which the calculation unit 150 is applied is possible.

(3) In the arithmetic operation of scalar multiplication for the factor D of the hyperelliptic curve defined on the finite field of genus 2 and characteristic 2,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A method to determine which of these processes is faster.

In the arithmetic operation of scalar multiplication for factor D of the hyperelliptic curve,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
Either of these processes can be applied,
Which of the above (a) and (b) is capable of high-speed calculation depends on curve parameters and finite fields applied in the super elliptic curve cryptography.

The finite field calculation means 120 shown in FIG. 4 configured in the calculation means 150 in the doubling / 1/2 switching scalar multiplication means 250 having the configuration of FIG. 5 includes an adding means 121, a multiplying means 122, 2 multiplication means 123, inverse element calculation means 124, square root calculation means 125, half trace calculation means 126, trace calculation means 127,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
In these algorithms, each means of the finite field operation means 120 executes a finite field operation.

Less than,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
The amount of calculation in these algorithms is calculated.

The calculation amount of each operation of the finite field is defined as follows.
The amount of multiplication is M,
The amount of calculation of 2 multiplication is S,
The amount of computation of the inverse operation is I
The calculation amount of the square root operation is SR,
The amount of calculation of half-trace calculation is H,
Represented by In addition, since the addition of a finite field only calculates an exclusive logical ring for each bit, the calculation amount is very small. A finite field trace operation can be calculated by examining a very small number of bit values. Therefore, there is no problem even if the calculation amounts of the finite field addition and the race operation are ignored. Therefore, the calculation amounts of the addition and the trace calculation are not considered below.

As described above, in the super elliptic curve, the value characterizing the curve is the genus g. prime p, n a positive integer, and q = ^{p n.} At this time, the hyperelliptic curve C of the genus g defined on the finite field Fq is expressed by the following equation:
y ² + h (x) y = f (x)
Defined by Here, h (x), f (x) εFq [x], f (x) is a monic polynomial of degree 2g + 1.

The amount of calculation for doubling and halving differs depending on the hyperelliptic curve parameters and the type of finite field given when executing scalar multiplication. Super elliptic curve parameters and finite field types considered in the configuration of an embodiment of the present invention are the following information.
* Type of finite field: normal basis or polynomial basis * Irreducible polynomial: Necessary when the type of finite field is polynomial basis * Extended order of finite field: n (F _q , q = 2 ⁿ )
* Curve coefficients: h ₂ , h ₁ , h ₀ , f ₄ , f ₃ , f ₂ , f ₁ , f ₀ ,
(Y ² + (h ₂ x ² + h ₁ x + h ₀ ) y = x ⁵ + f ₄ x ⁴ + f ₃ x ³ + f ₂ x ² + f ₁ x + f ₀ )
* Whether h (x) is irreducible or reducible:
* Base point D ₀ : u ₂ , u ₁ , u ₀ , v _1, v ₀ . (D ₀ = (u ₂ x ² + u ₁ x + u ₀ , v ₁ x + v ₀ ))
* Base point order r: large prime number of 160 bits or more * cofactor c: number satisfying N = c * r (N is the number of reduced factors)

Based on the above information,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
Which of these is capable of high-speed calculation. It is good also as a structure which considers all the said information, and it is good also as a structure which judges based on only one part of information.

In the following, the hyperelliptic curve parameters are
(P1) When h ₂ = 1 and f ₄ = 0 (general curve),
(P2) When h ₂ = h ₁ = 1 and f ₄ = 0,
(P3) When h ₂ = h ₁ = h ₁ = 1 and f ₄ = 0,
The calculation amount of the finite field calculation of the doubling calculation and the doubling calculation in the hyperelliptic curve defined by these three types of parameters is calculated and compared.
Note that h (x) is an irreducible polynomial. When h (x) is not an irreducible polynomial, the doubling operation is slower than the doubling operation. Therefore, the doubling and halving operations when h (x) is an irreducible polynomial are performed. Comparison of the amount of computation is omitted.

(P1) When h ₂ = 1 and f ₄ = 0 (general curve),
Double multiplication: 21M + 5S + 1I
1/2 multiplication: 19.5M + 2S + 1I + 2.5SR + 2H
(P2) When h ₂ = h ₁ = 1 and f ₄ = 0,
Double multiplication: 18M + 7S + 1I
1/2 multiplication: 14.5M + 3S + 1I + 2.5SR + 2H
(P3) When h ₂ = h ₁ = h ₁ = 1 and f ₄ = 0,
Double multiplication: 15M + 7S + 1I
1/2 multiplication: 13.5M + 3S + 1I + 2.5SR + 2H

  As described above, the amount of calculation of doubling and halving is calculated according to the applied super elliptic curve.

Furthermore, (a) an arithmetic algorithm applying addition and doubling in scalar multiplication,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
When comparing the computational complexity of these algorithms,
Since the amount of calculation differs depending on whether the finite field applied to the finite field calculation is normal or polynomial, it is necessary to distinguish between them.

[When the finite field is a regular rule]
First, if the finite field is a normal basis,
Calculation amount of two multiplications: S,
Calculation amount of square root operation: SR,
Half-trace calculation amount: H,
Can be ignored. The calculation amount of normal basis multiplication is represented as _MN .
Also,

It is known that it is expressed as described above. For example, see [A. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993].
Note that n is the expansion order of the finite field. # (N-1) is the number of 1s when n-1 is expressed in binary. For example, assuming that I = 8M _N , the amount of calculation for doubling and halving is as follows.

(P1) When h ₂ = 1 and f ₄ = 0 (general curve),
Double calculation: 29M _N
1/2 multiplication: 27.5M _N
(P2) When h ₂ = h ₁ = 1 and f ₄ = 0,
Double calculation: 26M _N
1/2 multiplication: 22.5M _N
(P3) When h ₂ = h ₁ = h ₁ = 1 and f ₄ = 0,
Double calculation: 23M _N
1/2 multiplication: 21.5M _N

[When finite field is polynomial basis]
If the finite field is a polynomial basis,
Calculation amount of two multiplications: S,
Calculation amount of square root operation: SR,
Half-trace calculation amount: H,
Can not be ignored. The amount of calculation of multiplication of polynomial basis expressed as M _P. Depending on the irreducible polynomial defining the finite field,
1SR = 0.5M _P ,
1H = 0.5M _P
It is known that

Depending irreducible polynomial and mounting method, or greater than those calculated amount is 0.5M _P, or less. The calculation of squaring: S is known to be a fraction of the order of M _P. For example _{1S = 0.1M P, 1SR = 0.5M} P, 1H = 0.5M P, assuming 1I = 8M _P, 2 multiplication and computation of 1/2 calculation is as follows.
(P1) When h ₂ = 1 and f ₄ = 0 (general curve),
Double calculation: 29.5M _P
1/2 multiplication: 29.95M _P
(P2) When h ₂ = h ₁ = 1 and f ₄ = 0,
Double calculation: 26.7M _P
1/2 multiplication: 25.05M _P
(P3) When h ₂ = h ₁ = h ₁ = 1 and f ₄ = 0,
Double calculation: 23.7M _P
1/2 multiplication: 24.05M _P

  Thus, the amount of calculations for doubling and halving differs depending on the curve parameters and the finite field.

  As specific processing forms for executing scalar multiplication in the hyperelliptic curve encryption process, for example, processes such as signature generation, signature verification, and DH type key exchange using the superelliptic curve encryption are assumed. In addition, examples of information processing apparatuses and systems that perform such cryptographic processing operations include various devices such as servers that provide various services, information terminals such as PCs, digital home appliances, and mobile phones, and IC cards. is assumed.

  For example, when an information processing device such as a portable terminal of a user wants to receive various services such as net banking and music distribution, data processing and communication involving encryption processing are executed with different service providers. It will be. In this case, it is necessary to perform processing according to an algorithm set individually by each service provider. Information processing devices such as mobile terminals owned by users are based on different hyperelliptic curve parameters or finite fields. Cryptographic processing must be executed.

As described above, (a) an arithmetic algorithm applying addition and doubling in scalar multiplication,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
Which can be executed at high speed depends on the hyperelliptic curve parameters and the finite field. Therefore, for example, in an information processing apparatus such as a portable terminal held by a user, when the configuration is such that only one of the algorithms (a) and (b) can be executed, with a certain condition setting, It will be forced to process.

  Therefore, the information processing apparatus such as a portable terminal held by the user is configured to execute both algorithms (a) and (b) above, based on different hyperelliptic curve parameters and finite field information set by the service provider. If any one of the above (a) and (b) is an algorithm capable of high-speed calculation and the calculation is performed according to an algorithm capable of high-speed processing, various conditions of the super elliptic curve parameter and the finite field can be obtained. Accordingly, it is possible to always perform high-speed processing.

  Hereinafter, a configuration for selecting and executing an algorithm capable of high-speed calculation based on different hyperelliptic curve parameters and finite fields will be described.

  In the cryptographic processing apparatus as one embodiment of the present invention, as an initial setting, processing speeds of doubling and halving are measured in advance for each of various curves used in the super elliptic curve encryption process, According to the curve, it is determined which one of doubling and 1/2 doubling can be performed at high speed, and a table recording algorithm information capable of high speed calculation corresponding to each curve is generated and stored in the storage means. Keep it. This table will be referred to as a “double / 1/2 multiplication switching table”. This initial setting is referred to as “double / 1/2 multiplication switch table initial setting”.

The encryption processing apparatus as one embodiment of the present invention has a doubling / 1/2 doubling switching scalar multiplication means 250 as shown in FIG.
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
The arithmetic algorithm of (a) and (b) has a doubling / 1/2 doubling switching scalar multiplication means 250 that can be executed, and the above-mentioned “doubling / 1/2 doubling switching table”. ”Is stored in the storage means, and before the start of the cryptographic processing operation, the doubling / 1/2 doubling switching table is referred to, and the high-speed calculation is performed based on the hyperelliptic curve parameters and finite field information applied to the calculation. An algorithm that can
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
It is determined which of these is selected, and an algorithm determined to be executable at high speed is selected and executed.

First, the doubling / 1/2 multiplication switching table initial setting executed in the cryptographic processing apparatus will be described.
As a specific example, consider a case where a doubling / 1/2 doubling switching table is created for M super elliptic curves.
In other words, M curve parameters are given as inputs, and a table describing whether to use doubling or ½ multiplication for each curve is obtained as an output.

The 1/2 multiplication can be performed at high speed when the cofactor [c] is 2 and h (x) is an irreducible polynomial. As mentioned above, the cofactor [c] is
It is defined by a number satisfying N = c * r.
However,
N is the number of factors to be reduced,
r is the base point order (a large prime number of 160 bits or more)
It is.

  In this way, the ½ multiplication can be performed at high speed when the cofactor [c] is 2 and h (x) is an irreducible polynomial, and therefore M super elliptic curves to be verified When the cofactor and h (x) do not satisfy the above conditions, it is described that doubling is used in the table.

On the other hand, when the cofactor [c] and h (x) satisfy the above condition, that is,
Cofactor [c] is 2 and h (x) is an irreducible polynomial.
Only when this condition is satisfied, the calculation speeds of doubling and halving are calculated, and either one of the high-speed algorithms obtained as the calculation result is described in the table.
This process is performed on M curves, and a doubling / 1/2 doubling switching table is output.

The sequence of the doubling / 1/2 doubling switching table initial setting process will be described with reference to the flowchart shown in FIG. First, in step S101, parameters of M super elliptic curves to be verified for calculation speed are input. These parameters are as described above.
* Type of finite field: normal basis or polynomial basis * Irreducible polynomial: Necessary when the type of finite field is polynomial basis * Extended order of finite field: n (F _q , q = 2 ⁿ )
* Curve coefficients: h ₂ , h ₁ , h ₀ , f ₄ , f ₃ , f ₂ , f ₁ , f ₀ ,
(Y ² + (h ₂ x ² + h ₁ x + h ₀ ) y = x ⁵ + f ₄ x ⁴ + f ₃ x ³ + f ₂ x ² + f ₁ x + f ₀ )
* Whether h (x) is irreducible or reducible:
* Base point D ₀ : u ₂ , u ₁ , u ₀ , v _1, v ₀ . (D ₀ = (u ₂ x ² + u ₁ x + u ₀ , v ₁ x + v ₀ ))
* Base point order r: large prime number of 160 bits or more * cofactor c: number satisfying N = c * r (N is the number of reduced factors)
These data.

  Next, in step S102, i = 1 is set as the initial setting of the variable (i) corresponding to the identifier of each of the M hyperelliptic curves, i ≦ M is determined in step S103, and the i-th in step S104. Select hyperelliptic curve parameters.

  Next, in step S105, the parameter of the i-th hyperelliptic curve selected as the verification target is verified, and it is verified whether the cofactor [c] is 2 and h (x) is an irreducible polynomial. To do. As described above, there is a possibility that the 1/2 multiplication can be calculated at high speed only when the cofactor [c] is 2 and h (x) is an irreducible polynomial.

In step S105, the parameter of the i-th hyperelliptic curve selected as the verification target is
If the condition that the cofactor [c] is 2 and h (x) is an irreducible polynomial is not satisfied, it is determined that there is no possibility that the calculation of 1/2 multiplication will be fast, Double multiplication will be applied. In this case, the process proceeds to step S109, and [doubling] is recorded in the table as a high-speed calculation algorithm to be applied to the i-th hyperelliptic curve to be verified.

On the other hand, in step S105, the parameter of the i-th hyperelliptic curve selected as the verification target is
When the condition that the cofactor [c] is 2 and h (x) is an irreducible polynomial is satisfied, there is a possibility that the calculation of 1/2 multiplication may be performed at a high speed. Then, based on the condition setting of the i-th hyperelliptic curve parameter to be verified, verification processing of the calculation speeds of doubling and halving is executed.

  The verification process of the doubling and halving calculation speeds may be performed by actually executing the calculation and measuring the processing time, or by calculating the necessary number of calculations and performing the actual calculation. It is good also as a structure which calculates the processing time at the time of performing. A configuration example for executing the verification processing of the calculation speed of the doubling and halving operations in step S106 will be described with reference to FIGS.

  FIG. 7 shows a doubling / 1/2 doubling speed calculation means 320 as an example of a configuration for executing processing speed verification processing for doubling and halving. The doubling / 1/2 doubling speed calculation means 320 inputs a curve parameter 310 corresponding to the super elliptic curve to be verified, and performs doubling and ½ doubling based on the curve parameter 310. The calculation speed is verified, and the doubling and halving calculation time information 315 is output.

  The doubling / 1/2 doubling speed calculation means 320 includes a finite field calculation unit 321, a finite field calculation time measurement unit 322, a doubling / 1/2 doubling calculation time calculating unit 323, a doubling / 1 / It has a doubling finite field calculation calculation number calculation unit 324.

  The finite field calculation unit 321 executes finite field calculation according to the curve parameter 310 for each of doubling and halving, and the finite field calculation time measuring unit 322 performs doubling and halving. The finite field calculation time in the finite field calculation unit 321 is measured for each.

Next, the doubling / 1/2 finite field calculation calculation unit 324 calculates the number of calculations for each finite field operation required for the doubling and 1/2 doubling. The doubling calculation time calculation unit 323
Finite field computation time information in the finite field computation unit 321 for each of doubling and ½ multiplication measured by the finite field computation time measuring unit 322;
Information about the number of calculations of each finite field operation required for the doubling and 1/2 doubling received from the doubling / 1/2 doubling finite field calculation calculating unit 324,
Based on this information, the calculation times of doubling and halving are calculated, and the calculated doubling and halving calculation speeds of doubling and halving are calculated. The calculation speed information 315 is output.

  FIG. 8 shows doubling / 1/2 doubling speed calculation means 340 having a configuration different from the configuration shown in FIG. The doubling / 1/2 doubling speed calculation means 340 receives the curve parameter 330 corresponding to the hyperelliptic curve to be verified, and performs doubling and ½ doubling based on the curve parameter 330. The calculation speed is verified, and calculation speed information 350 for doubling and halving is output.

  The doubling / 1/2 doubling speed calculating means 340 shown in FIG. 8 includes a doubling / 1/2 doubling calculating means 341 and a doubling / 1/2 doubling calculation time calculating unit 342. In the configuration shown in FIG. 8, the curve parameter 330 corresponding to the hyperelliptic curve to be verified is input, the base point described in the curve parameter 330 is applied, and the doubling / 1/2 doubling operation 341 is performed. , Doubling / 1/2 doubling is executed, and the execution time is calculated by the doubling / 1/2 doubling calculation time calculation unit 342, and the doubling and halving calculation speeds are calculated. Information 350 is output.

  As the doubling / 1/2 doubling calculation means 341, for example, the configuration described above with reference to FIGS. 3 and 4 can be applied. That is, the doubling / 1/2 doubling speed calculation means can be configured only by adding a time measurement function to a cryptographic processing apparatus capable of executing doubling and halving calculations.

  Returning to the flow shown in FIG. 6, the description of the sequence of the doubling / 1/2 doubling switching table initial setting process will be continued. In step S106, the verification process of the doubling and halving calculation speeds based on the condition setting of the i-th hyperelliptic curve parameter to be verified is performed as described above, for example, as shown in FIGS. The doubling / 1/2 doubling speed calculation means having the configuration shown in FIG.

  In step S107, the verification result is determined. If it is determined that the ½ multiplication is faster than the doubling operation, the process proceeds to step S108, and the ½ multiplication is recorded in the table as a fast operation algorithm corresponding to the i-th curve. On the other hand, if it is determined in step S107 that the doubling is faster than the halving, the process proceeds to step S109, and the doubling is recorded in the table as a high-speed calculation algorithm corresponding to the i-th curve. .

  Next, the process proceeds to step S110, i = i + 1 is set as the update process of the variable (i) corresponding to the identifier of each of the M hyperelliptic curves, and the processes after step S103 are repeatedly executed. When all the verifications for the curve parameters corresponding to the input M hyperelliptic curves are completed, it is determined No in the i ≦ M determination process in step S103, and the process proceeds to step S121. The doubling / 1/2 multiplication switching table that records which of the multiplication and ½ multiplication can be performed at high speed is stored in the storage unit, and the process is terminated.

  Next, a specific example of the doubling / 1/2 multiplication switching table generated by the above-described processing will be described with reference to FIG. FIG. 9 is a diagram for explaining data recorded in the doubling / 1/2 doubling switching table. The doubling / 1/2 doubling switching table includes the parameters of the M superelliptic curves that have been verified, and a high-speed calculation algorithm that indicates whether doubling or 1/2 doubling can be performed at high speed. Information is recorded.

As described above, the hyperelliptic curve parameter includes a finite field type and is configured by the following data.
* Type of finite field: normal basis or polynomial basis * Irreducible polynomial: Necessary when the type of finite field is polynomial basis * Extended order of finite field: n (F _q , q = 2 ⁿ )
* Curve coefficients: h ₂ , h ₁ , h ₀ , f ₄ , f ₃ , f ₂ , f ₁ , f ₀ ,
(Y ² + (h ₂ x ² + h ₁ x + h ₀ ) y = x ⁵ + f ₄ x ⁴ + f ₃ x ³ + f ₂ x ² + f ₁ x + f ₀ )
* Whether h (x) is irreducible or reducible:
* Base point D ₀ : u ₂ , u ₁ , u ₀ , v _1, v ₀ . (D ₀ = (u ₂ x ² + u ₁ x + u ₀ , v ₁ x + v ₀ ))
* Base point order r: large prime number of 160 bits or more * cofactor c: number satisfying N = c * r (N is the number of reduced factors)
These data.

  These parameter information and high-speed calculation algorithm information as to which of doubling and 1 / 2-folding can be executed at high speed are recorded. As the high-speed calculation algorithm information, for example, [0] is recorded when the doubling is fast, and [1] is recorded when the doubling is fast.

  Specific recording data examples of the doubling / 1/2 doubling switching table are shown in FIGS. 10 to 13 show recorded data examples of four different super elliptic curves (C1, C2, C3, C4).

The data shown in FIG. 10 indicates the recording data of the super elliptic curve (C1) in the doubling / 1/2 doubling switching table shown. This recorded data has the following configuration.
Long elliptic curve identifier: C1
Type of finite field: polynomial basis Irreducible polynomial: z ⁸³ + z ⁷ + z ⁴ + z ² + 1
Expansion order of finite fields: 83
Curve coefficient: 1, 1, 26c76058679188f41f7bc, 0, 3510a16ab31776237482d,
2905946b804eae26b529d, 12e53b7f0fb5f060de6f0, 15000c12e0c816fa3c90d,
Whether h (x) is irreducible or irreducible: irreducible Base point: 1, c436c8f77259e78f912c2, d655910a524f04ae82ef3,
7c8cb3c0127db4a1e3d26, 82251eb5ca6a6bee606f7
Base point order:
46768052394603572927593652383474201578491908925599
Cofactor: 2
High-speed algorithm information: [1] = 1/2 multiplication is fast

The data shown in FIG. 11 shows the recording data of the super elliptic curve (C2) in the doubling / 1/2 doubling switching table shown. This recorded data has the following configuration.
Long elliptic curve identifier: C2
Type of finite field: polynomial basis Irreducible polynomial: z ⁸³ + z ⁷ + z ⁴ + z ² + 1
Expansion order of finite fields: 83
Curve coefficient: 1, 1, 1, 0, 6aeccc919ba7b17905576, 674ad22c4ae3a624f2662,
64ed5727767c5bd20a4d2, 12d5d21396915b5770a14,
Whether h (x) is irreducible or irreducible: irreducible Base point: 1, 3c6d393b089ae5d7f4d12, 8189d7211e26eeb0a9c7
1, 75d9b6e682bf78baa3247, 1b11732b994c91069e295,
Base point order:
46768052394606306447078621357434240674807384948657
Cofactor: 2
High-speed calculation algorithm information: [0] = doubling is fast

The data shown in FIG. 12 shows the record data of the super elliptic curve (C3) in the doubling / 1/2 doubling switching table shown. This recorded data has the following configuration.
Long elliptic curve identifier: C3
Type of finite field: polynomial basis Irreducible polynomial: z ⁸⁹ + z ³⁸ + 1
Expansion order of finite field: 89
Curve coefficient: 1, 1, 10b4e25d9f772a17f079633, 0, 1cdcfccf952029e11a6d591,
57a45459240e1b_1e9c51, 1233884427d30a923afef30, 5232b0a2cc9c4205f0a77e,
Whether h (x) is irreducible or irreducible: irreducible Base point: 1, 09b36fa3848e7e249fe8ed1, cc1478b173c15367a40ea81,
22c828ba94cd197b36de68, 2d8490ae18ed1ee4f3b5531
Base point order:
191561942608247727889817815217170268849704825025870087
Cofactor: 2
High-speed algorithm information: [1] = 1/2 multiplication is fast

The data shown in FIG. 13 indicates the recording data of the super elliptic curve (C4) in the doubling / 1/2 multiplication switching table shown. This recorded data has the following configuration.
Long elliptic curve identifier: C4
Type of finite field: polynomial basis Irreducible polynomial: z ⁸⁹ + z ³⁸ + 1
Expansion order of finite field: 89
Curve coefficients: 1, 1, 1, 0, 12c8551e2a5509652647b44, 10eed3aaec17720e2588277,
1e27989afc4eb5c4288db79, 16cc764d307ce3295795cbd,
Whether h (x) is irreducible or irreducible: irreducible Base point: 0ec349e8d803268974d6e3, 92c7e15707841b0ea57e891,
46216855c55fd3186727e7, 5fd2e671dcad8609c3ad6b
Base point order:
191561942608238453928841542765255795300282270809283583
Cofactor: 2
High-speed calculation algorithm information: [0] = doubling is fast

A cryptographic processing apparatus that performs cryptographic processing stores a doubling / 1/2 doubling switching table in which such data is recorded in a storage unit, and is a super ellipse that is applied when actually executing cryptographic processing. Whether the doubling can be performed at high speed by comparing the parameter of the curve with the parameter registered in the table and referring to the high-speed calculation algorithm information associated with the entry in which the matching parameter is registered. Determine whether doubling can be performed at high speed, select one of the algorithms registered in the table,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
One of the above (a) and (b) is executed. By this processing, it is possible to perform the calculation by the optimum, that is, the fastest processing according to the parameters of the hyperelliptic curve.

  Such processing can be executed in various digital home appliances and IC cards in addition to servers and PCs. In a device that requires cryptographic processing calculation using different curves, by holding the above-described table, the parameters of the hyperelliptic curve applied when actually executing the cryptographic processing calculation, and the parameters registered in the table, And refer to the high-speed calculation algorithm information associated with the entry in which the matching parameter is registered, and determine whether the doubling can be performed at high speed or the ½ multiplication can be performed at high speed. It is possible to execute a high-speed cryptographic processing operation by determining and selecting one of the algorithms registered in the table for processing.

(4) In the arithmetic operation of scalar multiplication for the factor D of the hyperelliptic curve defined on the finite field of genus 2 and characteristic 2,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A method that performs scalar multiplication of factors by selecting an algorithm that can be operated at high speed from.

Next, in the processing described above, that is, the arithmetic operation of scalar multiplication for the factor D of the hyperelliptic curve,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
A configuration example of a cryptographic processing apparatus having a processing configuration for selecting an algorithm capable of high-speed calculation from the above and executing scalar multiplication of factors will be described.

FIG. 14 shows a configuration example of the scalar multiplication unit 430 configured in an embodiment of the cryptographic processing apparatus of the present invention. 14 includes a doubling / 1/2 doubling switching table 431 having the data structure described with reference to FIGS. 9 to 13 and a doubling / 1/2 doubling switching. Referring to table 431, group operation type determination means 432 for determining whether an operation that can be performed at high speed is doubling or ½ multiplying based on the input hyperelliptic curve parameter; 5 has the same configuration as the doubling / 1/2 doubling switching scalar multiplication means 250 described with reference to FIG.
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
(A) A scalar multiplication means 433 for switching between doubling and halving that can be executed for any algorithm of (b) is provided.

  When the scalar multiplication operation unit 430 shown in FIG. 14 is applied to execute the scalar multiplication on the factor D of the super elliptic curve, the curve parameter 411 that defines the super elliptic curve to be applied as the input data 410, the actual computation target Each information of the input factor 412 and the scalar value 413 is input to the scalar multiplication unit 430.

The group operation type determination unit 432 refers to the doubling / 1/2 doubling switching table 431, and the operation that can be executed at high speed is doubling based on the curve parameter 411 of the input super elliptic curve. Or ½ multiplication. Based on the determination, one algorithm executed at high speed by controlling the double / 1/2 multiplication switching scalar multiplication means 433,
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
Scalar multiplication based on any algorithm of (a) and (b) is executed in the scalar multiplication means 433 for switching between doubling and halving, and the scalar multiplication result 451 as the processing result is used as the output data 450. Output.

  In this configuration, the doubling / 1/2 doubling switching scalar multiplication means 433 has the same configuration as described with reference to FIG. 5, and the calculating means 150 shown in FIG. The configuration described above is described. That is, as shown in FIG. 4, the finite field computing means 120 includes an adding means 121, a multiplying means 122, a 2 multiplying means 123, an inverse element computing means 124, a square root computing means 125, a half trace computing means 126, and a trace computing means. In these means, operations necessary for the doubling / 1/2 doubling switching scalar multiplication processing are executed.

  As described above with reference to FIGS. 4 and 5, the adding means 121, the multiplying means 122, the 2 multiplying means 123, and the inverse element calculating means 124 have a hardware configuration, doubling in the program, 1/2 Instead of a dedicated configuration for each of the multiplication and addition operations, a single configuration that can be used in common in both processes is used. By adopting a common configuration, it is possible to reduce the hardware size and program size as the configuration of the calculation means. When hardware is used, the number of gates can be reduced and the size of the apparatus can be reduced.

  The group operation type determination means 432 refers to the doubling / 1/2 doubling switching table 431, and based on the curve parameter 411 of the input super elliptic curve, the operation that can be executed at high speed is doubling. A process of determining whether there is a ½ multiplication is performed. Specifically, for example, the determination is performed with reference to the doubling / 1/2 doubling switching table described with reference to FIGS. For example, if the input curve parameter matches the parameter registered in the curve identifier (C1) shown in FIG. 10, the table records that the 1/2 multiplication is high-speed as the high-speed calculation algorithm information. Therefore, based on the determination, the doubling / 1/2 doubling switching scalar multiplication means 433 is controlled to execute scalar multiplication based on an arithmetic algorithm to which addition and ½ multiplication are applied. The input factor 412 and the scalar value 413 are input to the scalar multiplication means 433 for switching between doubling and doubling, and the scalar multiplication is executed, and the scalar multiplication result 451 as the processing result is output data. It outputs as 450.

  As described above, in the configuration of the present invention, in the configuration in which the hyperelliptic curve encryption process is executed, a doubling / 1 / registering which of the doubling / 1/2 doubling is possible for each curve parameter. Referring to the doubling switching table, it is configured to select and execute a high-speed operation between doubling and ½ doubling. Therefore, high-speed scalar multiplication is always performed on the applied curve. Can be executed.

  Although the configuration example of the cryptographic processing apparatus of the present invention has been described with reference to FIG. 14, the configuration shown in FIG. 14 is one configuration example, and the configuration of the cryptographic processing apparatus of the present invention is not limited to this configuration. Absent. A configuration example of the cryptographic processing apparatus of the present invention will be described with reference to FIG.

  FIG. 15 shows an encryption processing apparatus having a control unit 481, a calculation processing unit 482, a storage unit 483, and a calculation speed calculation unit 484. Based on the curve parameters of the super-elliptic curve applied to the cryptographic processing operation and the type of the finite field, the control unit 481 uses either a doubling application algorithm or a ½ multiplication application algorithm as a scalar multiplication algorithm. It is determined whether or not the calculation algorithm is capable of high speed calculation. The arithmetic processing unit 482 selects and applies the algorithm determined by the control unit 481 to be capable of high-speed arithmetic, and executes scalar multiplication arithmetic processing on the factor D of the hyperelliptic curve. In the configuration of FIG. 14, the group operation type determination unit 432 corresponds to the control unit, and the doubling / 1/2 multiplication switching scalar multiplication unit 433 corresponds to the operation processing unit.

  For example, the control unit 481 acquires from the storage unit 483 a table associating the curve parameters of the hyperelliptic curve with the algorithm information capable of performing high-speed computation, and the curve parameters of the superelliptic curve applied to the cryptographic processing computation The curve parameter information recorded in the table is compared and collated, and the algorithm information set corresponding to the matched or similar table record data is determined as an algorithm capable of high-speed calculation.

  Arithmetic processing unit 482 has a configuration capable of executing both a doubling calculation algorithm and a doubling calculation algorithm, and performs arithmetic operations commonly used in doubling and halving Arithmetic processing using hardware or a program is executed.

The algorithm determination process of the control unit 481 is executed according to the process described above with reference to the flowchart shown in FIG. That is, first, the curve parameter of the super elliptic curve applied to the cryptographic processing operation, specifically, the super elliptic curve defined on the genus 2 and characteristic 2 finite field applied to the cryptographic processing operation: y ² + h ( x) When the cofactor [c] included in the curve parameter of y = f (x) is 2 and h (x) is an irreducible polynomial, the fast execution feasibility of the ½ multiplication application algorithm It is determined that the calculation is possible, and in this case, it is determined which of the calculation algorithm of the doubling calculation application algorithm and the doubling calculation application algorithm is capable of high-speed calculation. In the determination process, the doubling / 1/2 doubling switching table described above with reference to FIGS. 9 to 13 is acquired from the storage unit 483 and determined based on the recorded information of the table.

  Note that the calculation speed calculation means 484 is set in the cryptographic processing apparatus, and the calculation speed calculation means 484 applies the calculation processing unit 482 and applies the curve parameter of the hyperelliptic curve applied to the cryptographic processing calculation. The processing time may be measured by executing the application calculation and the ½ multiplication application calculation. In this case, based on the calculation result of the calculation speed calculation means 484, the control unit 481 uses either a doubling calculation algorithm or a ½ multiplication calculation algorithm as a scalar multiplication algorithm. Execute a process to determine whether it is possible.

Specifically, when scalar multiplication is performed, the difference between doubling and halving will be considered.
Here, it is assumed that the cofactor [c] is 2. Further, scalar multiplication uses Double-and-add or Halve-and-add. Let m be the bit length of the scalar value (bit length of the base point order). In this case, the number of non-zero bits of the scalar value is approximately m / 2. Therefore, the calculation amount of Double-and-add and Have-and-add is
((Calculation amount of addition) / 2 + (Calculation amount of doubling or 1/2)) × m
Can be calculated with

First, consider a case where curve parameters (h ₂ = h ₁ = 1, f ₄ = 0, h (x) is an irreducible polynomial) are used.
At this time, the calculation amount of addition is
21M + 3S + 1I
It is.
When using polynomial basis, _1S = 0.1M P, since it assumes that 1I = 8M _P, the computational amount of addition in the polynomial basis becomes 29.3MP.
Also, doubling the 26.7M _P, 1/2 multiplication is 25.05M _P.
Therefore,
41.357M _P × m when using Double-and-add to which doubling is applied,
39.7M _P xm when using Halve-and-add with 1/2 multiplication applied
And
Using ½ multiplication is about 4% faster than using doubling.

  If the hyperelliptic curve encryption processing means is equipped with only doubling, the above-mentioned curve parameter cannot be applied to the faster doubling algorithm, so the calculation is slow. There is. However, by using the present invention, it is possible to select 1/2 multiplication, execute Halve-and-add, and perform calculation at high speed.

Next, consider the case where curve parameters (h ₂ = h ₁ = h ₁ = 1, f ₄ = 0) are used.
At this time, the amount of calculation for addition is 21M + 3S + 1I.
When using polynomial basis, _1S = 0.1M P, since we assume that 1I = 8M _P, the computational amount of addition in the polynomial basis becomes 29.3M _P.
Also, doubling the 23.7M _P, 1/2 multiplication is 24.05M _P.
Therefore,
38.35M _P × m when using the Double-and-add of applying the doubling,
When using Halve-and-add to which 1/2 multiplication is applied, 38.7M _P × m
Thus, using the doubling is about 1% faster than using the doubling.

  When the super elliptic curve encryption processing means is equipped with only ½ multiplication, the above-mentioned curve parameter cannot be applied to a faster doubling algorithm, so that the calculation is slow. There is. However, if the present invention is used, it is possible to select doubling, execute double-and-add, and perform calculation at high speed.

Furthermore, when h (x) is an irreducible polynomial and the curve parameter color is general (h ₂ = 1, f ₄ = 0) and a polynomial basis is used, or h (x) is an irreducible polynomial. In addition, when a normal basis is used with an arbitrary curve parameter, ½ multiplication is faster than doubling. Therefore, in this case, according to the present invention, high-speed half multiplication can be selected and scalar multiplication can be calculated at high speed.

Further, when h (x) is a reducible polynomial, scalar multiplication can be performed at high speed by selecting doubling.
When the cofactor is other than 2, scalar multiplication can be performed at high speed by selecting doubling.
In the above case, the calculation speed of various finite fields is assumed. Depending on the configuration and implementation method of the actual hyperelliptic curve encryption processing means, the relationship between the doubling and ½ doubling may be different from the above, but the above is just an example. is there.

[Hardware configuration example of cryptographic processor]
Finally, FIG. 16 shows a configuration example of the IC module 500 as a device that executes the above-described encryption processing. The above-described processing can be executed in, for example, various information processing apparatuses such as a PC, an IC card, a reader / writer, and the IC module 500 shown in FIG. 16 can be configured in these various devices.

  A CPU (Central processing Unit) 501 shown in FIG. 16 starts and ends cryptographic processing, controls data transmission / reception, controls data transfer between components, and further performs the above-described doubling / 1/2 multiplication switching. It is a control unit as a processor that executes a high-speed algorithm determination process referring to a table and executes other various programs.

Specifically, the CPU 501 as the control unit is registered in an entry having a parameter that matches or is similar to the manually input parameter with reference to the doubling / 1/2 doubling switching table based on the input curve parameter. Operations that acquire and execute high-speed calculation algorithm information
(A) an arithmetic algorithm to which addition and doubling are applied,
(B) an arithmetic algorithm to which addition and 1/2 multiplication are applied,
(A) The process which determines which algorithm of (b) is used is performed.

  The memory 502 is a ROM (Read-Only-Memory) that stores a program executed by the CPU 501 or fixed data as an operation parameter, a program executed in the processing of the CPU 501, and a parameter storage area that changes as appropriate in the program processing, It consists of RAM (Random Access Memory) used as a work area.

  The operation execution program stored in the memory 502 is set as a program including the above-described base point setting process, addition as scalar multiplication, doubling, and ½ multiplication. The memory 502 can be used as a storage area for key data and the like necessary for encryption processing, and further as a storage area for the above-described doubling / 1/2 multiplication switching table. These data storage areas are preferably configured as a memory having a tamper resistant structure.

  The encryption processing unit 503 executes encryption processing, decryption processing, and the like including the above-described scalar multiplication processing. Here, an example is shown in which the cryptographic processing means is an individual module, but such an independent cryptographic processing module is not provided, for example, a cryptographic processing program is stored in the ROM, and the CPU 501 reads and executes the ROM stored program. You may comprise.

  The random number generator 504 executes random number generation processing necessary for generating a key necessary for cryptographic processing.

  The transmission / reception unit 505 is a data communication processing unit that performs data communication with the outside. For example, the data transmission / reception unit 505 performs data communication with an IC module such as a reader / writer and outputs ciphertext generated in the IC module, or an external reader. Data input from devices such as writers is executed.

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims should be taken into consideration.

  The series of processes described in the specification can be executed by hardware, software, or a combined configuration of both. When executing processing by software, the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and run.

  For example, the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium. Alternatively, the program is temporarily or permanently stored on a removable recording medium such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto optical) disk, a DVD (Digital Versatile Disc), a magnetic disk, or a semiconductor memory. It can be stored (recorded). Such a removable recording medium can be provided as so-called package software.

  The program is installed on the computer from the removable recording medium as described above, or is wirelessly transferred from the download site to the computer, or is wired to the computer via a network such as a LAN (Local Area Network) or the Internet. The computer can receive the program transferred in this manner and install it on a recording medium such as a built-in hard disk.

  Note that the various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

  According to the configuration of one embodiment of the present invention, in the configuration for executing the scalar multiplication on the factor D of the hyperelliptic curve cryptography, as the scalar multiplication algorithm based on the curve parameter of the superelliptic curve applied to the cryptographic processing operation, Determines which of the doubling calculation algorithm and ½ doubling calculation algorithm can be performed at high speed, and selectively applies the algorithm determined to be capable of high speed calculation to execute scalar multiplication processing. With this configuration, scalar multiplication associated with encryption processing corresponding to various curves can be reliably performed at high speed. That is, by selecting an algorithm according to the curve parameter, high-speed calculation with a reduced amount of calculation in scalar multiplication is realized. For example, by applying the present invention to an information processing apparatus that needs to receive various services such as net banking and music distribution and execute cryptographic processing operations corresponding to different hyperelliptic curve parameters for each service, In this process, it is possible to execute an operation in which an algorithm that can always be processed at high speed is selected.

It is a figure explaining the algorithm of the addition process in a scalar multiplication of the genus 2 super elliptic curve encryption, and a 2 multiplication process. It is a figure explaining the case division process of the 1/2 multiplication of the super-elliptic curve encryption of the genus 2. FIG. It is a figure which shows the structural example of the calculating means of the encryption processing apparatus which enabled calculation of both the doubling with respect to the factor D of a hyperelliptic curve, and a 1/2 multiplication. It is a figure which shows the structural example of the calculating means which can also perform an addition process in addition to a doubling and a 1/2 multiplication. It is a figure which shows the structural example of a doubling / 1/2 multiplication switching scalar multiplication means. It is a figure which shows the flowchart explaining the sequence of a doubling / 1/2 multiplication switching table initial setting process. It is a figure explaining the structural example for performing the verification process of the calculation speed of a doubling and a 1/2 multiplication. It is a figure explaining the structural example for performing the verification process of the calculation speed of a doubling and a 1/2 multiplication. It is a figure explaining the specific example of a doubling / 1/2 multiplication switching table. It is a figure explaining the specific example of a doubling / 1/2 multiplication switching table. It is a figure explaining the specific example of a doubling / 1/2 multiplication switching table. It is a figure explaining the specific example of a doubling / 1/2 multiplication switching table. It is a figure explaining the specific example of a doubling / 1/2 multiplication switching table. It is a figure which shows one Example structure of the scalar multiplication means in the encryption processing apparatus of this invention. It is a figure which shows one Example structure of the encryption processing apparatus of this invention. It is a figure which shows the structural example of IC module as an example of the encryption process execution device which performs the encryption process calculation of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Input data 11 Curve parameter 12 Group calculation type information 13 Input factor 20 Output data 21 Output factor 100 Calculation means 110 Group calculation means 111 Double multiplication processing means 112 1/2 Multiplication processing means 120 Finite field calculation means 121 Addition means 122 Multiplying means 123 2 Multiplying means 124 Inverse element computing means 125 Square root computing means 126 Half trace computing means 127 Trace computing means 150 Computing means 160 Group computing means 161 Double multiplication processing means 162 1/2 Multiplication processing means 163 Addition processing means 210 Input data 211 Curve parameter 212 Group operation type information 213 Input factor 220 Output data 221 Scalar multiplication result 250 Scalar multiplication unit 251 Scalar value conversion unit 252 Scalar multiplication processing unit 310 Curve parameter 315 doubling / 1/2 doubling calculation time information 320 doubling / 1/2 doubling speed calculation means 321 finite field calculator 322 finite field calculator time measuring unit 323 doubling / 1/2 doubling Calculation time calculation unit 324 doubling / 1/2 doubling finite field calculation calculation number calculating unit 330 curve parameter 340 doubling / 1/2 doubling speed calculating means 341 doubling / 1/2 doubling calculating means 342 Doubling / 1/2 doubling calculation time calculation unit 350 doubling / 1/2 doubling calculation time information 410 input data 411 curve parameter 412 input factor 413 scalar value 430 scalar doubling calculation means 431 doubling / 1 / Double multiplication switching table 432 Group operation type determination means 433 Double multiplication / 1/2 multiplication switching scalar multiplication means 450 Output data 451 Scalar multiplication result 481 Control unit 482 Operation processing unit 483 Storage unit 484 Calculation speed calculation unit 500 IC module 501 CPU (Central Processing Unit)
502 Memory 503 Cryptographic Processing Unit 504 Random Number Generator 505 Transceiver

Claims (14)

A cryptographic processing device that performs cryptographic processing operations based on hyperelliptic curve cryptography,
Based on the curve parameters of the hyperelliptic curve applied to the cryptographic processing operation, as a scalar multiplication algorithm, it is determined whether the calculation algorithm of the doubling application algorithm or the 1/2 multiplication application algorithm can be operated at high speed. A control unit,
An arithmetic processing unit that executes a scalar multiplication process in the hyperelliptic curve cryptography by selectively applying an algorithm determined to be capable of high-speed computation;
A cryptographic processing device comprising: The controller is
A table associating the curve parameter of the hyperelliptic curve with the algorithm information capable of performing high-speed calculation is acquired from the storage unit, and the curve parameter of the superelliptic curve to be applied to the cryptographic processing calculation and the curve parameter recorded in the table 2. The configuration according to claim 1, wherein the information is compared and collated, and processing for determining algorithm information set in correspondence with matching or similar table recording data as an algorithm capable of high-speed calculation is executed. Cryptographic processing device. The arithmetic processing unit includes:
Arithmetic execution hardware or program that can be used in both doubling and halving operations, and has a configuration that can execute both doubling and halving algorithms The cryptographic processing device according to claim 1, wherein the cryptographic processing device is configured to execute the arithmetic processing performed. The controller is
Based on the curve parameters of the super elliptic curve applied to the cryptographic processing operation and the type of the finite field applied to the cryptographic processing operation, the scalar multiplication algorithm is the doubling application algorithm and the ½ multiplication application algorithm The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing apparatus is configured to execute a process of determining which of the calculation algorithms is capable of high-speed calculation. The controller is
Based on the curve parameters of the hyperelliptic curve applied to the cryptographic processing operation, the existence of high-speed feasibility of the ½ multiplication application algorithm in scalar multiplication is determined, and the ½ multiplication application algorithm is executed at high speed. When it is determined that there is a possibility, it is configured to execute a process for determining which one of a calculation algorithm of a doubling calculation algorithm and a calculation algorithm of a doubling calculation application is capable of high-speed calculation. The cryptographic processing apparatus according to claim 1. The controller is
A hyperelliptic curve defined on a finite field of genus 2 and characteristic 2 applied to the cryptographic processing operation: cofactor [c] included in the curve parameter of y ² + h (x) y = f (x) is 2 , H (x) is an irreducible polynomial, the high-speed feasibility of the ½ multiplication application algorithm is determined to be capable of high-speed calculation. Cryptographic processing device. The cryptographic processing device includes:
A calculation speed calculating means for measuring a processing time by executing a doubling calculation calculation using a curve parameter of a super elliptic curve applied to a cryptographic processing calculation and a ½ doubling calculation calculation;
The controller is
Based on the calculation result of the calculation speed calculation means, a determination process as to which of the calculation algorithm of the doubling application algorithm and the ½ multiplication application algorithm is possible as the scalar multiplication algorithm is executed. The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing apparatus is configured. In the cryptographic processing apparatus, a cryptographic processing calculation method for performing cryptographic processing calculation based on hyperelliptic curve cryptography,
In the control unit, based on the curve parameter of the hyperelliptic curve, an arithmetic operation is performed to determine which one of the algorithm for doubling and the algorithm for applying the doubling can be performed at high speed as a scalar multiplication algorithm. A time verification step;
In the arithmetic processing unit, by selectively applying the algorithm determined to be capable of high-speed arithmetic in the arithmetic time verification step, an arithmetic execution step for executing scalar multiplication processing in the hyperelliptic curve cryptography,
A cryptographic processing operation method characterized by comprising: The operation time verification step includes:
By referring to a table in which curve parameters of a hyperelliptic curve are associated with algorithm information that can be executed at high speed, either the doubling calculation algorithm or the ½ doubling calculation algorithm is fast. 9. The cryptographic processing calculation method according to claim 8, wherein the cryptographic processing calculation method is a step of executing processing for determining whether calculation is possible. The operation time verification step includes:
Based on the curve parameters of the super elliptic curve applied to the cryptographic processing operation and the type of the finite field applied to the cryptographic processing operation, the scalar multiplication algorithm is the doubling application algorithm and the ½ multiplication application algorithm The cryptographic processing operation method according to claim 8, wherein the operation processing is a step of determining which of the operation algorithms is capable of high-speed operation. The operation time verification step includes:
Based on the curve parameters of the hyperelliptic curve applied to the cryptographic processing operation, the existence of high-speed feasibility of the ½ multiplication application algorithm in scalar multiplication is determined, and the ½ multiplication application algorithm is executed at high speed. When it is determined that there is a possibility, this is a step of executing a process for determining which one of a computation algorithm of a doubling calculation application algorithm and a ½ multiplication application operation algorithm can be performed at high speed The cryptographic processing operation method according to claim 8. The process of determining whether there is a high-speed feasibility of the 1/2 multiplication application algorithm is as follows:
A hyperelliptic curve defined on a finite field of genus 2 and characteristic 2 applied to the cryptographic processing operation: cofactor [c] included in the curve parameter of y ² + h (x) y = f (x) is 2 , H (x) is an irreducible polynomial, the high-speed feasibility of the ½ multiplication application algorithm is a process for determining that calculation is possible at high speed. Cryptographic calculation method. The cryptographic processing calculation method further includes:
The calculation speed calculation means has a calculation speed calculation step of measuring a processing time by executing a doubling calculation calculation using a curve parameter of a hyperelliptic curve applied to a cryptographic processing calculation and a ½ multiplication calculation calculation. And
The operation time verification step includes:
Based on the calculation result in the calculation speed calculation step, a determination process as to which one of the calculation algorithm of the doubling application algorithm and the ½ multiplication application algorithm can be performed at high speed as the scalar multiplication algorithm is executed. The cryptographic processing operation method according to claim 8, wherein the cryptographic processing operation method is a step. In the cryptographic processing device, a computer program that executes cryptographic processing calculation based on hyperelliptic curve cryptography,
In the control unit, based on the curve parameter of the hyperelliptic curve, an operation for determining which one of the algorithm for doubling and the algorithm for applying the doubling can be performed as a scalar multiplication algorithm. A time verification step;
In the arithmetic processing unit, by selectively applying the algorithm determined to be capable of high-speed arithmetic in the arithmetic time verification step, an arithmetic execution step for executing a scalar multiplication process in the hyperelliptic curve cryptography,
A computer program for executing

Images