JP2009223035A - Key generation method of hyperbola code - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To concretely generate a key for hyperbola code, which is a collective term of a key generation method using a group of quadratic hyperbolas, a decoding method, a signature verification method, a key stream generating method, and devices therefor. <P>SOLUTION: A curve parameter of the group of quadratic hyperbolas HC for generating the key for hyperbola code is set through steps S1-S5. In the step S1, a prime number p and an order k satisfying the following relationships are determined: mod n=p<SP>h</SP>(h: natural number), and k=p<SP>h-1</SP>(p+1)/2. In the step S2, curve parameters a and c are determined so that a discriminant D/4=c<SP>2</SP>+4a may be quadratic non-residue with respect to the prime number p. In the steps S3 and S4, a parameter d providing a fixed element P(d) is determined so that d(d+c)-a may be quadratic non-residue with respect to the prime number p. In the step S5, a parameter x (x≠d) providing a base point P(x) is determined so that x(x+c)-a may be a quadratic non-residue with respect to the prime number p. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a key generation method for hyperbolic cryptography using a discrete logarithm of an extended quadratic hyperbola group.

In the mid-1980s, a method for forming a public key cryptosystem using an elliptic curve group was proposed, and research has been actively conducted in Japan in recent years. Elliptic curve cryptography is based on the discrete logarithm problem. Even if the value g ^α is known when the exponent of the primitive root g is α, it is difficult to know the exponent α if the number of bits handled is large. Elliptic Curve Cryptography is said to be able to achieve the 163 bit difficulty of 1024-bit RSA encryption, and is expected to be installed in portable devices, especially IC (Integrated Circuit) cards with slow CPU (Central Processing Unit) speeds. Has been.

  However, the elliptic curve has complicated geometric features, and it is difficult to understand the super-singular elliptic curve etc. unless you have considerable geometric knowledge. There are limits to the easy use of groups. In addition, the order of the elliptic curve group cannot be determined. For example, the famous Hasse inequality (1934) proves that the order of the elliptic curve group is in a range close to the modulus p, but the order varies depending on the parameters of the elliptic curve. Therefore, it is actually necessary to check the prime number such as checking the prime number in the range and multiplying it with a non-zero element (infinite point) to verify whether it is a zero element. become.

  Therefore, in order to solve such inconvenience, the inventor of the present application applied for a patent application filed on Feb. 20, 2007 (Japanese Patent Application No. 2007-39780, this patent application is a non-known state before the application is published, ("Previous Patent Application") discloses an invention of "a key generation method, a decryption method, a signature verification method, a key stream generation method and apparatus using a quadratic hyperbola group", and a new one that can replace elliptic curve cryptography. Has been proposed (referred to herein as “hyperbolic cryptography”).

That is, hyperbolic cryptography is a general term for a key generation method, a decryption method, a signature verification method, a key stream generation method, and a device that use a quadratic hyperbola group. Since the quadratic hyperbola group is a newly discovered group, the details of the group structure are not yet clear. However, on the basis of discrete logarithm, the number of groups is constant, the design is easy, and it has the property that security can be improved by secret key fluctuation etc. Have.
Here, the quadratic hyperbola group is, for example,

Is a finite commutative group on a finite ring with certain restrictions on the operations defined between the three roots x1, x2, and x3 formed by the intersection of the number theoretic function y and a straight line is there. A coefficient (hereinafter referred to as “curve parameter”) used in the primary expression of the numerator and the quadratic expression of the denominator of the expression (3-1) is an element of a finite ring, for example, the remainder ring Z / pZ. The denominator means not the division, but the inverse element of the remainder ring Z / pZ. However, since the denominator and the common element of the numerator are removed or added, the property that is invariant is common. The notation is adopted. actually
y = (dx + e) (ax ² + bx + c) ⁻¹ (a, b, c, d, e, x, y∈Z / pZ) (3-2)
Is the meaning. Although the expression (3-2) is not necessarily the same as the quadratic hyperbola defined on the real number by the number-theoretic function y, it functions substantially as a cubic function like the quadratic hyperbola. In the book, for the sake of convenience, it will be referred to as “second hyperbola”.

In general, the three roots of the cubic curve y = (x−x ₁ ) (x−x ₂ ) (x−x ₃ )
x ₁ x ₂ x ₃ = α or x ₁ + x ₂ + x ₃ = β
Therefore, the group operation can be defined so that the result of the binary operation of the point x1 and the point x2 is the point x3. However, only a multiplicative group can be constructed in a simple relationship where the product or sum of the three roots is constant. In contrast,
x ₁ x ₂ x ₃ = f (x ₁ , x ₂ )
When there is a complex relationship, a discrete logarithmic relationship can be established. The three roots formed by the intersections with the straight lines represented by the equations (3-1) and (3-2) have the structure. Note that the group operation in the quadratic hyperbola group (this operation symbol is represented by “+”) is defined between elements that are its constituent elements, such as P + Q, for example, so addition of the remainder ring Z / pZ There is no mistake even if mixed with +.

Now, when a cubic curve and a straight line intersect, the group operation + is simply performed between elements having the intersection as a constituent element.
R (x ₃ ) = P (x ₁ ) + Q (x ₂ )
From the nature of the straight line used for the arithmetic operation,
P (x ₁ ) = Q (x ₂ ) + R (x ₃ )
At the same time, the operation is not unique. Therefore, a method is conceivable in which the second calculation is performed between the third fixed point O and the calculation result, whereby the irreversibility of the calculation operation and the uniqueness of the calculation can be ensured at the same time.

That is, the first half operation
T = P (x ₁ ) * Q (x ₂ )
And the second half operation
R (x ₃ ) = T * O
Group operation + in the final form
R (x ₃ ) = P (x ₁ ) + Q (x ₂ )
Define in the form of As a result, the fixed point O becomes a zero element under the group operation +. The straight line formed by the first half operation of an arbitrary element P and the fixed point O coincides with the straight line formed by the second half operation formed by the fixed point and the final calculation result is the element P. Because it becomes self. That means
P + O = P
It is. Incidentally, in elliptic curve cryptography, the infinity point is set as the fixed point. Since the symmetry of the operation point x1 and the point x2 is not changed even by two half operations, the commutability of the group operation + is maintained. That means
R (x ₃ ) = P (x ₁ ) + Q (x ₂ ) = Q (x ₂ ) + P (x ₁ )
It is.

  For example, as described in the specification of the previous patent application, documents related to the conventional encryption technology include the following.

JP 2005-283694 A JP 2000-224157 A JP 2003-37482 A US Patent Application Publication No. 2002/0978868 (corresponding to the patent application related to Patent Document 3) U.S. Patent Application Publication No. 2002/118830 (corresponding to a patent application related to Patent Document 3) JP 2004-112278 A U.S. Patent Application Publication No. 2006/059403 (corresponding to a patent application related to Patent Document 6) “Introduction to Number Theory Algorithms and Elliptic Cryptography”, N.C. Kobritz, translated by Koichi Sakurai, Springer Fairlark Tokyo (ISBN4-431-70727-1 C3041) J. Daemen, C. Clapp, “Fast Hashing and Stream Encryption with PANAMA,” Fast Software Encryption, 5th International Workshop, FSE’98, Proceedings, LNCS Vol. 1372, Springer-Verlag, 1998.

  In the previous patent application, the point where the function value of the quadratic hyperbola = 0 was used as the fixed point O because it was still in the initial stage of the invention. Because it was considered a natural choice. However, the practicality of hyperbolic cryptography has become clear, and it has become necessary to seek hyperbolic cryptography in a more expanded form. This is because there is a need for a device that increases the number of curve parameters and the like to improve the decryption performance. When an arbitrary point d is selected as the fixed point O, that is, when the element O = O (d, f (d)) is a zero element, how the quadratic hyperbola group is expanded and what problems are newly introduced The first problem of the present invention is how to solve this problem and how to solve this problem to form a hyperbolic cipher. Also, the modulus n has been set to a prime number p, but how this is expanded in the case of a composite number, what kind of problem arises, and how to solve this to form a hyperbolic cipher. This is a second problem of the present invention.

  In the previous patent application, the problem that the non-defined region of the group operation + generates is regarded as an “equal pair problem”, and in order to avoid this and to ensure the closeness of the group operation + A condition that the quadratic function, which is the denominator of the equation (3-1), is a non-square residue per quadratic hyperbola group. The problem of equivalence pairs is equivalent to the need to prevent division by zero. That is, the uniqueness of the hyperbolic function value and the element 0 of the remainder ring Z / pZ or the element p does not have an inverse element, and therefore the group operation at that point cannot be defined, and such an inverse element occurs. This is because of the necessity of avoiding the above. As will be described later, when an arbitrary point d is selected as the fixed point O, the problem of the equivalence pair is converted into an “exclusive pair problem” and the uniqueness of the hyperbolic function value is no longer the case. It is clear that it is not a problem. It is also clear that when the modulus n is a composite number, simply introducing the Jacobi symbol does not work, and the structure of the cyclic group is broken.

  Therefore, this time, the quadratic hyperbola group must be constructed so as to simultaneously avoid the problem of the newly generated exclusive pair and ensure the closeness of the group operation +. Furthermore, a key generation method for hyperbolic cryptography will be clarified only by disclosing a method for specifically determining the curve parameters appearing in the equation (3-1) of the quadratic hyperbola while ensuring these conditions.

  Therefore, an object of the present invention is to improve the invention according to the previous patent application, and in the case where the quadratic hyperbola group is expanded, while specifically solving the problem of exclusive pairs, etc. Is to provide.

The invention according to claim 1
(A) A set consisting of a set (x, y) of a dependent variable y of an arithmetic function defined on a finite ring and an independent variable x of the arithmetic function defined with a secret key that is a scalar coefficient Selecting an element of a finite commutative group formed as a first public key; and (b) performing at least one addition operation defined in the finite commutative group on the first public key. Generating a second public key by multiplying the first public key by a scalar with the secret key. The number-theoretic function is a quadratic hyperbolic function including a denominator of a second-order polynomial defined on the finite ring and a numerator of a first-order polynomial defined on the finite ring. Furthermore, in the addition operation of the step (b), when adding the first and second elements of the finite commutative group, a linear function having the first and second elements as solutions and the 2 When a third element excluding the first and second elements in a common solution with a second hyperbolic function is determined, the first order having the third element and a predetermined fixed element of the finite commutative group as a solution In a hyperbolic cryptography key generation method for calculating a fourth element excluding the third element and the predetermined fixed element among the common solutions of a function and the quadratic hyperbolic function as the addition result, Take measures.
The finite commutative group is a remainder ring Z / nZ, and the quadratic hyperbolic function is

In the first step, a prime number p that is a modulus n = p ^h (h: natural number) is determined in the first step, and in the second step, the discriminant D / 4 = c ² + 4a is not squared with respect to the prime number p. Curve parameters a and c are determined to be a remainder, and in a third step, d (d + c) −a is determined to be a non-square remainder with respect to the prime number p with respect to the parameter d giving the fixed element P (d). The fourth step is characterized in that x (x + c) −a is determined to be a non-square remainder with respect to the prime number p with respect to the parameter x (x ≠ d) giving the base point P (x).

The invention according to claim 2 is a set of (a) a secret key that is a scalar coefficient, and a set of a dependent variable y of an arithmetic function defined on a finite ring and an independent variable x of the arithmetic function. Selecting an element of a finite commutative group formed by a set of (x, y) as a first public key; and (b) an addition defined in the finite commutative group for the first public key. Generating a second public key by multiplying the first public key by the secret key and performing a calculation at least once. The number-theoretic function is a quadratic hyperbolic function including a denominator of a second-order polynomial defined on the finite ring and a numerator of a first-order polynomial defined on the finite ring. Furthermore, in the addition operation of the step (b), when adding the first and second elements of the finite commutative group, a linear function having the first and second elements as solutions and the 2 When a third element excluding the first and second elements in a common solution with a second hyperbolic function is determined, the first order having the third element and a predetermined fixed element of the finite commutative group as a solution In the hyperbolic cryptography design method for calculating a fourth element excluding the third element and the predetermined fixed element among the common solutions of the function and the quadratic hyperbolic function, the following means Have taken.
The finite commutative group is a remainder ring Z / nZ, and the quadratic hyperbolic function is

In the first step, the modulus n is defined as the product of the primes p ₁ and p _{2 in} the _first step, and in the second step, the discriminant D / 4 = c ² + 4a is squared for any of the primes. Curve parameters a and c are determined to be non-remainder, and in a third step, d (d + c) −a is square for any of the prime numbers for a new parameter d that gives the fixed element P (d). In the fourth step, x (x + c) −a is a square non-remainder for any of the prime numbers with respect to the parameter x (x ≠ d) giving the base point P (x) in the fourth step. It is defined as follows.

The invention according to claim 3 is a set of (a) a secret key that is a scalar coefficient, and a set of a dependent variable y of an arithmetic function defined on a finite ring and an independent variable x of the arithmetic function. Selecting an element of a finite commutative group formed by a set of (x, y) as a first public key; and (b) an addition defined in the finite commutative group for the first public key. Generating a second public key by multiplying the first public key by the secret key and performing a calculation at least once. The number-theoretic function is a quadratic hyperbolic function including a denominator of a second-order polynomial defined on the finite ring and a numerator of a first-order polynomial defined on the finite ring. Furthermore, in the addition operation of the step (b), when adding the first and second elements of the finite commutative group, a linear function having the first and second elements as solutions and the 2 When a third element excluding the first and second elements in a common solution with a second hyperbolic function is determined, the first order having the third element and a predetermined fixed element of the finite commutative group as a solution In a hyperbolic cryptography key generation method for calculating a fourth element excluding the third element and the predetermined fixed element among the common solutions of the function and the quadratic hyperbolic function as the addition result, Take measures.
The finite commutative group is a remainder ring Z / nZ, and the quadratic hyperbolic function is

In the case of calculating the additive operation, the inverse operation according to the modulus n is postponed by distinguishing the numerator operation from the denominator operation.

  According to the first and second aspects of the invention, it is possible to specifically generate a key for a cipher (hyperbolic cipher) using a discrete logarithm related to a quadratic hyperbola group that is expanded with a simpler configuration than the elliptic curve cipher. As a result, since the order relation is particularly simple, it is expected that the use of hyperbolic cryptography related to discrete logarithm will be widespread for those who have elementary knowledge of number theory. For cryptography and mathematicians, it can be used as a “tool” that contributes to the advancement of conventional cryptography and mathematical theory. Moreover, hyperbolic cryptography using the extended quadratic hyperbola group is based on discrete logarithm as in the past, the group number is constant, key generation is easy, and security is ensured by secret key fluctuations, etc. It has the possibility of being able to replace elliptic curve cryptography because it has the property that it can be improved.

  According to the third aspect of the present invention, a key for hyperbolic cryptography using the extended quadratic hyperbola group EHC and the extended quadratic hyperbola semigroup can be generated specifically and at high speed.

  Among the best modes for carrying out the present invention, in the first embodiment (corresponding to Example 1 below),

For an integer point on the quadratic hyperbola, an arbitrary point d is selected as the fixed point O, and a group operation + is defined, and a new quadratic hyperbola group is defined as HC = {P (x) | group operation + X∈Z / pZ; x ² + cx−a ≠ 0; (x ² + cx−a) is a non-square residue; (d (d + c) −a) is a non-square residue} (6-2)
The configuration is as follows. Here, conversion from equation (3-1) to equation (6-1) is as follows:
y ′ = (a / d) y, b ′ = − (e / d), c ′ = (b / a), a ′ = − (c / a)
This can be done easily by conversion. Then, the curve parameter given by the equation (6-1) is specified by the method shown in FIG. 1 while solving the problem of the exclusive pair and the problem of the group operation. Further, a hyperbolic cipher such as an ElGamal cipher (HC-Elgamal cipher) is constructed using the quadratic hyperbolic group HC.

  In the second embodiment (corresponding to Example 2 below), a plurality of quadratic hyperbola groups having the same group number are identified based on the hyperbolic key generation method according to the first embodiment, and a plurality of hyperbolic groups are identified. A stream cipher generation device that is a key generation device that forms a stream cipher using the cell computing unit, processes stream data such as music, and transmits / receives the data via an IP (Internet Protocol) network is disclosed.

  In the third embodiment (corresponding to Example 3 below), the extended quadratic hyperbolic group EHC when the modulus n is a composite number is

It was configured as follows. However, the Legendre symbol is introduced. A key generation method for hyperbolic cryptography using the extended quadratic hyperbolic group EHC is disclosed.

  The fourth embodiment (corresponding to Example 4 below) discloses a new prime factorization key generation method that uses the group image as an application problem of the extended quadratic hyperbolic group EHC. Furthermore, a key generation method using an extended quadratic hyperbolic semigroup is also disclosed.

  FIG. 1A is a functional block diagram illustrating a schematic configuration of a hyperbolic encryption key generation apparatus according to Embodiment 1 of the present invention.

  The hyperbolic encryption key generation apparatus 10 includes a key setting unit 11, a curve parameter setting unit 12, and a key generation unit 13.

  A finite commutative group formed by a set (x, y) of the dependent variable y of the number-theoretic function defined on the finite ring and the independent variable x of the number-theoretic function is a remainder ring Z / nZ. When the number-theoretic function y defined on the finite ring is a quadratic hyperbolic function expressed by the following equation:

The curve parameter setting unit 12 has a function of setting the curve parameters a, b, c, d, and x of the quadratic hyperbolic function to appropriate values and supplying them to the key setting unit 11 and the key generation unit 13. The key setting unit 11 sets a secret key s for cryptographic processing, which is a scalar coefficient, and first sets a base point P (x) on a quadratic hyperbolic function determined by curve parameters a, b, c, d, and x. And the secret key s and the base point P (x) are supplied to the key generation unit 13. The key generation unit 13 performs at least one addition operation defined in the quadratic hyperbola group determined by the curve parameters a, b, c, d, and x on the base point P (x), so that the base point P It has a function of generating a work key Y (= sP (x)), which is the second public key, by multiplying (x) by a scalar with the secret key s.

  All or some of the functions of the key setting unit 11, the curve parameter setting unit 12, and the key generation unit 13 are configured by hardware circuits or recorded in a storage unit such as a nonvolatile memory or an optical disk. Based on the program or program code, all or part of the processing of the functions is executed by a processor such as a CPU.

  FIG. 1B is a flowchart illustrating a key generation method for a quadratic hyperbola group according to the first embodiment of the present invention.

  The key generation method for the quadratic hyperbola group is processed by the curve parameter setting unit 12 in FIG. 1A, and represents the number-theoretic function by the processing of steps S1 to S5 (6-1). The curve parameters a, b, c, d, and x in the formula are set to appropriate values.

  Hereinafter, in order to facilitate understanding of the contents of FIGS. 1A and 1B, when an arbitrary point d is first selected as the fixed point O of the quadratic hyperbola group, that is, the element O = When O (d, f (d)) is zero, how is the quadratic hyperbola group related to the previous patent application expanded and what kind of problems arise? ((I) Previous patent application And how to solve this to form a hyperbolic cipher ((II) hyperbolic cipher forming method). Next, a method for specifically configuring a quadratic hyperbola group ((III) a method for configuring a quadratic hyperbola group, that is, a method for setting a curve parameter), and a configuration of an HC-ElGamal encryption and an HC-ElGamal signature using the method The method ((IV) key setting / key generation method) is disclosed, and numerical examples are also shown.

(I) Relation with earlier patent application First, in the elements P, Q, R of the quadratic hyperbola group
R (x ₃ ) = P (x ₁ ) + Q (x ₂ )
And the first half operation
T = P (x ₁ ) * Q (x ₂ )
And the second half operation
R (x ₃ ) = T * O
Group operation + in the final form
R (x ₃ ) = P (x ₁ ) + Q (x ₂ )
Calculate in the form of Quadratic hyperbolic function

Is established. Furthermore, in the second half operation, between the fixed point O (d)
R (x ₃ ) = T * O
Is calculated, the following formula is established.

And can be asked.
In the equation (8-6), there is no dependence on the curve parameter b, it has a parameter of x = d newly set as a zero point, and the equation replaced with d → b agrees with the conventional calculation. Show. Therefore, it has been found that setting the fixed point to x = b in the conventional group operation has the advantage of not increasing the parameters. Mostly (8-4) must be followed.

A description will be given below of what happens to the closing of the group operation when an arbitrary point d is selected as the fixed point O of the quadratic hyperbolic group HC.
From equation (8-6)

In this case as well, the expression replaced with d → b matches the conventional calculation. Therefore, because the group operation is closed,

Must be quadratic remainders, or both must be non-square remainders. In the quadratic hyperbola group HC, all are selected as non-square residue. The reason why the subset of Z / pZ is classified based on whether it is a square remainder or a square non-residue is related to the domain of the group operation described later.

  Consider what happens to the inverse element of the group operation when an arbitrary point d is selected as the fixed point O of the quadratic hyperbolic group HC.

The group inverse element P (<x ₁ >) is
O (d) = P (x ₁ ) + Q (x ₂ )
From this relationship, it can be obtained by setting x ₃ = d in equation (8-6).

It is. The denominator of the equation (10-1) indicates that there is an element P (e) having no inverse element (hereinafter referred to as “prime element”).

Consider how the equal pair changes when an arbitrary point d is selected as the fixed point O of the quadratic hyperbola group HC.
In equation (8-1), if y = f (x) is set, the following equation is obtained.

The function values are equal only when the equivalence pair holds. However, since b ≠ d, there is a possibility that the appearance condition of the equivalence pair is different. However, since the calculation relation (8-6) does not change, the equivalence pair should not change to the property of propagating from the center element. That is, when there are elements P, Q, and R of the set HC, if Q and R are an equivalence pair, (−P) + Q and R + P should be an equivalence pair. To show this,

Use the fact that That is, according to equation (8-6), if equation (11-3) is established, both sides thereof are also equal. Therefore,
{(−P) + Q} + {P + R} = Q + R
Is established. As a result, according to the equations (11-2) and (11-3), if P and Q are equivalent pairs,

It becomes. Therefore, from the equations (11-3) and (11-4),
−X ₁ X ₂ + b (X ₁ + X ₂ + c) −a = 0 (11-5)
Is established. This indicates that if Q and R are an equivalence pair, (−P) + Q and R + P are also an equivalence pair.

Here, the condition under which the center element where P + Q and Q are an equivalence pair appears is examined.
“The central element of an equivalence pair” means that when P (x ₁ , y ₁ ), R = P + Q for central elements Q (x ₂ , y ₂ ) and R (x ₃ , y ₃ ) ₃ and the relationship between equivalent pair of _{x 2} (11-2) expression, also, so that the relationship (8-6) is established for adding P between _{x 3} and _{x 2} and _{x 1,}

Relationship is established that it is possible to obtain a quadratic equation such as the following concerning the result x _2.

This discriminant DD is
DD = {- (a + db ) x 1 + (ab + ad-bcd)} 2 -
{(b + d + c) x ₁ − (a + db)} {(ab + ad−dbc) x ₁ − (bc−a) (dc−a) −abd} (11−8)
Thus, the condition under which the center element that becomes an equivalence pair appears can be examined. In order for the expression (11-8) to have an integer solution, the discriminant DD must be a quadratic residue, and conversely, if the discriminant DD is a non-square residue, the expression (11-7) has no integer solution and is equivalent. It means that no problem of pairing will occur. The expression (11-8) can be further simplified as follows.

When the above calculation results are summarized, the following (1) and (2) can be said.
(1) The condition for the center element to appear as an equivalence pair is that the equation (11-7) has an integer solution, that is, the discriminant DD is a quadratic residue. For this purpose, from the equation (11-9) do it,

When (d (d + c) -a) is a zero element P (d) and is a non-square residue, (b (b + c) -a) may be a square residue. Become a requirement.

  (2) On the other hand, to prevent the appearance of a central element that is an equivalence pair,

(B (b + c) −a) should be a non-square residue.
As will be described later, it is not always necessary to exclude equivalence pairs, and the operation itself between equivalence pairs can be defined. An operation cannot be defined when there is no inverse element, which must be excluded.

  Consider when the group operation cannot be defined when an arbitrary point d is selected as the fixed point O of the quadratic hyperbolic group HC.

In the equation (8-6), the calculation result cannot be obtained at points where the denominator is 0. Conventionally, under the condition of b = d, the denominator of the equation (8-6) is the same factor as the numerator of the equation (11-1) (−x ₁ x ₂ + b (x ₁ + x ₂ + c) −a) Therefore, eliminating the equivalence pair has the meaning of avoiding computation at points where the denominator is 0 at the same time. However, since there is no such restriction under the condition of b ≠ d, it is not possible to avoid computation at points where the denominator becomes 0 only by restricting the parameter b. To put it another way, the domain of group operations + is limited. Therefore,
−x ₁ x ₂ + d (x ₁ + x ₂ + c) −a = 0 (12-1)
The special relationship between the points x1 and x2 having the following relationship will be referred to as an “exclusive pair”. Obviously, the group operation + between elements P (x1) and Q (x2) between exclusive pairs cannot be defined.

  From the equation (12-1), in the exclusive pair,

The following relational expression holds. Therefore, in order to prevent the appearance of an exclusive pair and to apply the group operation + as an operation between all elements in a certain set, it is a natural idea to exclude one of the exclusive pairs from the set. It is done.

When an arbitrary point d is selected as the fixed point O of the quadratic hyperbola group HC, from the equation (9-1),
Set HC = {P (x) | group operation +; x∈Z / pZ; x ² + cx−a ≠ 0;
(x ² + cx−a) is a non-square residue; (d (d + c) −a) is a non-square residue} (13-1)
Or
Set HCn = {P (x) | group operation +; x∈Z / pZ; x ² + cx−a ≠ 0;
(x ² + cx−a) is a quadratic residue; (d (d + c) −a) is a quadratic residue} (13-2)
If selected as above, the closeness of the group operation can be satisfied. In addition, from the equation (12-2), it is possible to avoid computation at points where the denominator becomes 0 for the set HC. This is because the element that is the operation result becomes an element of the set HC again. As a result, the set HC satisfies the group configuration requirements and is formed as a quadratic hyperbolic group HC.

  However, for the set HCn, there remains a problem that it is not possible to avoid operations at points where the denominator becomes 0. Further, since the element P (e) having no inverse element according to the equation (10-2) is an element of the set HCn, there is a problem in the group configuration in this respect as well. In other words, in the set HCn, it can be said that the closing of the group operation and the elimination of the undefined region cannot be made compatible only by the limitation in the above definition.

P (x) is an abbreviated display of P (x, y) and P (x, f (x)), and the latter expression is not particularly expressed except for equivalence pairs. In addition, the condition “x ² + cx−a ≠ 0” can be considered by including another condition “(x ² + cx−a) is a square non-residue”. I decided to clarify it in relation to D.

(II) Hyperbolic cryptography formation method Since the definition of the quadratic hyperbola group HC is given by the equation (13-1), in order to facilitate understanding of the first embodiment, the quadratic known to date The detailed configuration of the hyperbolic group HC will be disclosed as much as possible below.

As in equation (13-1), for example, the condition “(x ² + cx−a) is a non-square remainder” is a subset of the remainder ring Z / pZ and a quadratic function value for x We need to consider a set such that is a non-square residue. Therefore, τ (x) = x ² + cx−a (14-1)
The following function τ is introduced. Since the quadratic function value is a non-square residue, the function value τ (x) is τ (x) = ρ ^{2m + 1} ... (14-2) using the primitive root ρ of the remainder ring Z / pZ. )
In this way, the exponent part of the primitive root ρ can be expressed as an odd number. Here, _assuming that P = P (x _n ) and Q = mP = Q (x _m ), from equation (9-1),

And the recurrence formula

Can be calculated at high speed. Just a factor

It should be noted that x _m itself is difficult to calculate without using Equation (8-6) even if it can be calculated at high speed.

Now consider the universal formula of the quadratic hyperbola group.
When the order of the generating group Q (x) with respect to the base point P (x) is kg (kg is a divisor of the maximum order kq of the generating group), x _kg = x ₀ = d (zero point) Therefore, from the equation (14-3),

Can be displayed. Of course, in addition with the zero element P (x _n ) = P (d), for each term of the partial product,

As a whole, the equation (14-7) is established.
Next, the meaning of a universal expression such as the expression (14-7) will be examined.
Where the correlation coefficient is the non-square residue number

It can be expressed. The equation (14-7) is generally given for the order m = kg,

First, taking into account that the correlation coefficient is a non-square residue number,
λ _mn = ρ ^{2s (m, n) −1} (15-4)
From the equation (15-2),
(2h (m, n) +1) = (2s (m, n) -1) + (2m + 1) + (2n + 1)
Or
h (m, n) = s (m, n) + m + n (15-5)
It becomes.

Therefore, at least when s (m, n) ≠ 0, the addition of the exponent operation and the group operation + of the quadratic hyperbola group HC are not the same type. That is, the primitive root of the quadratic hyperbola group HC cannot be simply replaced with an exponent as ρ _m = ρ ^m . Although the quadratic hyperbola group HC is based on a subset on the remainder ring Z / pZ, the second product “product” cannot be defined because it cannot take the same form as the exponent operation. This is the reason why it does not become a “second-order hyperbolic ring”.
(15-3) and (15-4)

It is. Therefore,

  When this result is viewed in the group operation +, when an arbitrary element P (x) is added (m−1) times, when m reaches the group number kg, kgP (x) = O. This is a natural result. That is, the expression (15-7) indicates that the addition result after kg times does not depend on P (x) at all, but only on the order of kg. In the calculation of the power of the primitive root ρ, there is a meaning that the sum of the power values does not change no matter how the group operation + is defined for the curve parameter. Further, it is shown that, although the index is parameter-dependent, as the h value, different numerical values of kg or less corresponding to the m value appear once each. This indicates that the mapping is surjective in the computation between primitive roots (fixed n) represented by equation (15-2). Here, the appearance of different numerical values of kg or less once does not necessarily mean that kg of different τ (x) values have appeared, but excludes the inclusion of the same value. It is thought that there is no.

Next, the number and properties of the function value τ (x) given by the equation (14-1) will be disclosed.
The function value τ (x) being a non-square residue is one of the conditions for the set HC to satisfy the group constituent requirements. From equation (14-1),

(x _m + x _n + c) = 0 (16-2)
In the case of, the left side is 0, and it is understood that the function value is not unique. This is a situation that occurs because the function value is a quadratic function. Here, the point in the relationship of the expression (16-2) will be referred to as “root pair”. In the same root pair, the condition “(x ² + cx−a) is a non-square residue” or “(x ² + cx−a) is a square remainder”, which is the condition of the set HC or the set HCn, is satisfied at the same time. , P (x _m ) and P (x _n ) are simultaneously members of the set HC or the set HCn, and particularly appear in the middle of calculation of mP in HC. However, these conditions only mean that the operation result belongs to the same group, and do not affect the operation itself. The following theorem group holds for this pair of roots.

[Theorem 16-1]
If the elements Q and R of the quadratic hyperbolic group HC generate a root pair, (−P) + Q and R + P also generate a root pair.

[Proof]
According to the equation (11-3), if (x ₂ + x ₃ + c) = 0, then (X ₁ + X ₂ + c) = 0.

[Qed]
As a result, when mP is calculated, it can be seen that the generated root pair propagates from the “center root” in the same manner as the pair of equivalents.

[Theorem 16-2]
The generation condition of the central root at the base point P (x1) of the quadratic hyperbola group HC is the discriminant DD.

Is a square remainder.

[Proof]
When calculating mP using the base point P (x1) of the quadratic hyperbolic group HC, the central root at the base point P (x1) must satisfy the following condition.

When the elements Q and R of the quadratic hyperbola group HC are adjacent and generate a root pair,
(1) Q (x3) = R (x2) + P (x1)
(2) x3 + x2 + c = 0
It is. Therefore, the following formula is established.

This is a quadratic equation for x2,

In order for x2 to have an integer solution, at least its discriminant DD must be a quadratic residue. However,

  It is.

[Qed]
As a result, the condition of the expression (16-3) is naturally satisfied in the quadratic hyperbola group HC. That is,

Is a non-square residue, and since P (d) = (d (d + c) −a) is a zero element, it is naturally selected as a non-square residue. Therefore, both elements corresponding to the root pair are included in the quadratic hyperbola group HC.

  Here, it is examined whether the root pair x2 = − (d + c) of the zero point x = d generates a new zero element P (− (d + c)). This is because the root pair has τ (d) which is the same τ (x) value as the zero point.

Therefore, using equation (8-6),
P (x3) = P (x1) + P (− (d + c))
Let's calculate If this result is P (x3) = P (x1), it is functioning as a zero element.

  The last two terms in the above equation are

Means. Therefore, P (x3) ≠ P (x1) is shown, and as a result, it was shown that the root pair does not generate a new zero element.

Now, the entire quadratic hyperbola group HC will be disclosed with reference to FIGS.
FIG. 2 is a conceptual diagram showing a configuration of a quadratic hyperbola group related to group calculation. Further, FIG. 3 shows a specific configuration example of the quadratic hyperbola group, and the quadratic hyperbola group HC (d ≠ b) in which p = 23, d = 6, a = 4, c = 1, and b = 7. It is a figure which shows the structure of the production | generation group Q (x).

In FIG. 2, the left set is a quadratic hyperbola group HC, and its elements are indicated by elements P, Q, R, and S. The central set in FIG. 2 is a subset of the remainder ring Z / pZ, and an element is an x value that satisfies the condition that “(x ² + cx−a) is not a square non-residue”. The set on the right side of FIG. 2 is a subset of the remainder ring Z / pZ, and its value is the value of the function τ (x) that satisfies the condition that “τ (x) = x ² + cx−a is not a square non-residue”. Here, the correspondence between sets indicated by arrows in FIG. 2 is considered as a mapping and considered.

Between the quadratic hyperbolic group HC and the central set of x values, the mapping g1 of g1: x1 → P (x1) is always x1 = x2 when P (x1) = P (x2). (Injective). In addition, since there exists x1 that always satisfies g1 (x1) = P (x1) for an arbitrary element P (x1), it is surjective. Therefore, the mapping g1 is bijection, and the number of sets of both coincides. The order of the quadratic hyperbola group HC is
k = (p−1) / 2 + 1
Therefore, the number of subsets of the remainder ring Z / pZ is also
k = (p−1) / 2 + 1
It becomes.

  Next, between the subset of the central remainder ring Z / pZ and the square non-residue value set of the right remainder ring Z / pZ, the mapping g2 of g2: x3 → τ (x3) is τ (x3) = τ ( In the case of x4), x3 is not necessarily x4, so it is not injection. However, since there is always x3 where g2 (x3) = P (x3) for any element τ (x3), it is surjective.

  Further, when the calculation between the root pairs and the expression (15-2) is also examined, the mapping g3 g3: τ (x1) → τ (x3) (τ (x2) fixed) is g3: τ (x5) → τ When (x3) (τ (x2) fixed), it is not necessarily τ (x3) = τ (x5). However, from equation (15-7), there is τ (x1) that always satisfies g3: τ (x1) → τ (x3) (fixed τ (x2)) for any point τ (x3). It ’s surjective.

Here, the number of function values τ (x) is calculated.
Since the number of subsets of the remainder ring Z / pZ is k = (p−1) / 2 + 1, and the two correspond to one function value, at least (p−1) / 4 function values are obtained. Have. However, it is unclear which function value the remaining one corresponds to. This is considered to correspond to the double root of the function value τ (x). (14-1)

become. Here, in the quadratic hyperbola group HC, the discriminant D is selected as a non-square residue. For the remaining factor (-1), Euler's criterion is

And p is a quadratic residue when p = 4m + 1 type prime, and a non-square remainder when p = 4m + 3 type prime, so that the value of τ (xm) is the non-square remainder in the former and the square remainder in the latter become. Accordingly, when the number of non-square residue sets of Z / pZ is counted, (p−1) / 4 function values corresponding to one pair of roots, one multiple root, and a total (p−1) / 4 + 1 Will have function values. When p is a prime number of the p = 4m + 3 type, the order of the quadratic hyperbola group HC is an even number, and the right side of the equation (17-2) is a quadratic residue. In this case, P (− c / 2) is not a source of HC. At this time, the number of function values that are non-square residue is k / 2 = (p + 1) / 4. To summarize the above results, when the order of τ (x) is expressed as # (τ (x)),

It becomes. When the order k of the quadratic hyperbola group HC is selected as a prime number, it is known that p is a prime number of the p = 4m + 1 type.

  Summarizing the above results, the element P (x) of the quadratic hyperbola group is formed by about half of the p values x of the remainder ring Z / pZ, and the square non-square of about 1/4 thereof. It can be said that the remainder value τ (x) is used for discrimination.

Here, numerical examples are given.
Since the calculation parameter is set to p = 23, a = 4, b = 7, c = 1, d = 6, and τ (13) is a non-square remainder when x = 13, P (13, 3) is the starting point. (14-3) and (14-7) are sequentially calculated until the order k = 12.

Values appear in the order of 17, 21, 22, 22, 21, 17, 15, 14, 19, 19, 14, 15 (m = 1, 12, 12), and their appearance values are 6 . This is because, when p = 4m + 3 type, the number of function values that are non-square residue is k / 2 = (p + 1) / 4. Therefore, when p = 23, the number of function values is six. Is shown. Moreover, it has a structure that repeats in the same root pair. For example, when x3 = 14 and x4 = 8, τ (x3) = 22 and τ (x4) = 22, which indicates that x3 and x4 are the same root pair. Note that the x value is not necessarily a non-square residue.

  When an arbitrary point d is selected as the fixed point O of the quadratic hyperbola group, that is, when the element O = O (d, f (d)) is a zero element, the quadratic hyperbola group according to the previous patent application For comparison purposes, specific numerical examples will be given.

  4 and 5 of the previous patent application disclosed the quadratic hyperbola group HC with p = 23, a = 7, b = 2, and c = 0, but in the first embodiment, p = 23 in FIG. , A = 4, b = 7, c = 1, d = 6 (d ≠ b).

When both are compared, it can be seen that the configuration of the quadratic hyperbola group HC is exactly the same except that the generation group Q (x) is replaced. The reason is that the configuration of the quadratic hyperbola group HC is determined depending only on the order. The order k of the quadratic hyperbolic group HC here corresponds to the maximum order kq of the generation group. When the maximum order kq = 12, the divisor is 12, 6, 4, 3, 2, 1, so this is the order kg of each generation group. The number of each generation group can be expressed using Euler's function φ (x), φ (12) = 4, φ (6) = 2, φ (4) = 2, φ (3) = 2, φ (1) = 1. They are totally independent of the curve parameters of the quadratic hyperbola. The generation group Q (x) is a group generated using the element P (x) of the quadratic hyperbolic group HC as a generation source, and mP (x) is an element in the group calculation +,
Q (x) = {mP (x) | mP (x) εHC, 1 ≦ m ≦ kg, kgP (x) = O} (18-1)
It is a group that is defined as

(III) Method of configuring a quadratic hyperbola group, that is, a method for setting curve parameters Since the hyperbola cryptography uses the quadratic hyperbola group HC, the first task in generating a key for encryption is a quadratic hyperbola used for encryption. Identifying the group HC (ie setting the curve parameters). The identification of the quadratic hyperbola group HC is approximately the flow of steps S1 to S5 in FIG. 1B by selection / calculation processing using a hardware circuit or selection / calculation processing using a processor such as a CPU. Done according to

  When the process of FIG. 1B starts (starts), in the first step S1, an operation for determining the modulus n and the order k is performed.

In this step S1, first, a prime number p and an order k that satisfy the relationship of n = ^ph (h: natural number) and k = ^ph-1 (p + 1) / 2 are determined. Here, it is taken up only when h = 1, and will be described later when h> 1.

Now, when h = 1, the order # (HC) = k of the quadratic hyperbola group HC is, as clearly shown in the previous patent application,
# (HC) = (p−1) / 2 + 1 (19-1)
The same applies when an arbitrary point d is selected as the fixed point O of the quadratic hyperbola group HC. This is because, when the number of x values that satisfy the condition that “(x ² + cx−a) is a non-square residue” is counted as a different element of the equivalence pair, it becomes the original number of the quadratic hyperbola group HC as it is. It is. The fact that the order # (HC) of the quadratic hyperbola group HC does not depend on the curve parameters and is constant is a remarkable feature compared to the elliptic curve group, but the remainder ring Z / pZ. This suggests that the condition that “(x ² + cx−a) is a non-square residue” in forming the finite set above is very loose.

It is known that the maximum group number kq is highly practical when the prime number kq = q. In the case where the maximum group number kq is a composite number, it is necessary to check which divisor kg of the maximum group number kq corresponds to the selected base point P (x). The maximum order kq is selected. However, if a prime number kq = q is selected as the order, if any one other than the zero element P (d) is selected as the base point P (x), it is guaranteed that the order kg = kq. Therefore, the trouble is unnecessary. At this time,
q = (p−1) / 2 + 1 (19-2)
It is. In general, a pair of p and q primes having the relationship of the equation (19-2) is known as a Germain prime number or a Sophie-Germain prime number. Since both prime numbers are odd numbers, the Germain prime number is p = 4m + 1 type, and the Sophie-Germain prime number is p = 4m + 3 type. Since the quadratic hyperbola group HC is p = 4m + 1 type, Germain prime numbers are used.

In the prime number determination method, the Euler-Lagrange method by Henri Lifchiz (1998) can be used. Specifically, it is checked whether or not the number factor 2 ^q−1 −1 etc. is divisible by the prime number p. For example, when p = 541 and q = 271,
2 ^q−1 −1 = p (350672382626333734229570992455554226769441417290734969959368252733671699251148987925)
P = 541 is estimated to have a high possibility of a prime number, and is actually a prime number. However, the pan-Euler-Lagrange method has a drawback that it consumes a large amount of memory when the exponent is 100 digits or more, and is difficult with a normal calculation method. The record of prime numbers of Sophie-Germain as of 2007 has reached about 50,000 digits.

In step S2 of FIG. 1B, an operation for determining the parameters a and c is performed. In the quadratic hyperbolic group HC, a condition of “x ² + cx−a ≠ 0” is imposed as shown in the equation (13-1). This is because the denominator of the equation (6-1) is 0. The inverse element does not exist, and therefore the group operation + cannot be defined. This condition is

This means that the discriminant D is a non-square residue. Therefore, the parameters a and c must be determined so that the discriminant D / 4 = c ² + 4a is a non-square residue. Note that discriminant D / 4 and discriminant D may be identified. This is because the value 4 is a square number.

  In step S3 of FIG. 1B, an operation for determining the parameter b is performed. The parameter b must be selected such that b ≠ d and (b (b + c) −a) ≠ 0. However, the latter condition (b (b + c) −a) ≠ 0 is automatically satisfied when the discriminant D is left as a non-square residue. Furthermore, when (b (b + c) −a) is selected as the non-square residue, it is possible to prevent an equivalence pair from appearing. However, since the appearance of an equivalence pair is irrelevant to the domain of the group operation +, whether to prevent the occurrence of an equivalence pair is arbitrarily determined at the time of design.

  In step S4 of FIG. 1B, an operation for determining the parameter d is performed. The parameter d must be chosen such that b ≠ d and (d (d + c) −a) are non-square remainders. For the selected parameter d, P (d) becomes a zero element.

  In the last step S5 in FIG. 1B, an operation of determining the x value is performed. For the x value, it must be chosen so that x ≠ d and (x (x + c) −a) is a non-square residue. For the selected x value, P (x) is the base point.

  Through the processes in steps S1 to S5 described above, the quadratic hyperbola group HC used for encryption can be specified (that is, the curve parameters are set), and thus the process ends (end).

  According to the key generation method of FIG. 1B, since the order k is constant in the quadratic hyperbola group HC as will be described later, the curve parameter, the zero element P (d), and the base point P (x) Even if is changed, there is an advantage that the structure of the quadratic hyperbola group HC is not changed, the previous calculation formula can be used as it is, and the program change can be minimized. Therefore, a new cipher that changes the group operation + every moment by using a new base point P (x1) using the x value (x = x1) that appears in the middle of the operation, or adopting it as a new zero element. (Calculation-variable encryption) can be easily configured.

Next, a specific calculation of the quadratic hyperbola group HC is performed by slightly increasing the numerical value.
Here, a quadratic hyperbola group to be used is specified according to steps S1 to S5 of FIG.

  The first step S1 in FIG. 1B is an operation for determining the modulus p and the order k, but handling a large prime number is not appropriate as an example. Therefore, a combination of p and q prime numbers and a Germain prime number having the relationship of the equation (19-2) is selected from a prime number table with a numerical value of 100,000 or less, and p = 97177 and q = 48589 are determined.

Step S2 in FIG. 1B is an operation for determining the parameters a and c. Since any numerical value is arbitrary, it is first determined as c = 1235. Therefore, Euler's standard is calculated for discriminant D. If we consider increasing the value from around a = 23456,
a = 23456 c = 12345 D = 22136 Euler reference D = 97176
a = 23457 c = 12345 D = 22140 Euler criterion D = 1
a = 23458 c = 12345 D = 22144 Euler criterion D = 1
a = 23459 c = 12345 D = 22148 Euler criterion D = 97176
a = 23460 c = 12345 D = 22152 Euler reference D = 97176
Therefore, it is possible to employ a = 23459 in which the discriminant D is a non-square residue.

Step S3 in FIG. 1B is an operation for determining the parameter b. The parameter b can be arbitrarily determined if an equivalence pair is allowed. Here, the equivalence pair is prohibited, and the value (b * (b + c) −a) is selected as the non-square residue. If we consider increasing the value from around b = 45678,
b = 45678 a = 223459 c = 1345 (b * (b + c) −a) = 42814 Euler's criterion (b * (b + c) −a) = 1
b = 45679 a = 223459 c = 1345 (b * (b + c) −a) = 49339 Euler's criterion (b * (b + c) −a) = 97176
b = 45680 a = 223459 c = 1345 (b * (b + c) −a) = 55866 Euler's criterion (b * (b + c) −a) = 1
b = 45681 a = 223459 c = 1345 (b * (b + c) −a) = 62395 Euler's criterion (b * (b + c) −a) = 1
b = 45682 a = 223459 c = 1345 (b * (b + c) −a) = 68926 Euler's criterion (b * (b + c) −a) = 97176
Therefore, b = 45679 in which the value (b * (b + c) −a) is a non-square residue can be adopted.

Step S4 in FIG. 1B is an operation for determining the parameter d. The parameter d must be chosen such that b ≠ d and (d (d + c) −a) are non-square remainders. Assuming that the value (d * (d + c) −a) is selected as the non-square residue, and considering increasing the numerical value from around d = 34567,
d = 34567 a = 223459 c = 1345 (d * (d + c) −a) = 88223 Euler criterion (d * (d + c) −a) = 97176
d = 34568 a = 23459 c = 12345 (d * (d + c) −a) = 72526 Euler's criterion (d * (d + c) −a) = 97176
d = 34569 a = 223459 c = 1345 (d * (d + c) −a) = 56831 Euler's criterion (d * (d + c) −a) = 97176
d = 34570 a = 223459 c = 1345 (d * (d + c) −a) = 41138 Euler's criterion (d * (d + c) −a) = 97176
d = 34571 a = 223459 c = 1345 (d * (d + c) −a) = 25447 Euler's criterion (d * (d + c) −a) = 97176
Therefore, d = 34568 in which the value (d * (d + c) −a) is a non-square residue can be adopted.

The last step S5 in FIG. 1B is an operation for determining the x value. For the x value, it must be chosen so that x ≠ d and (x (x + c) −a) is a non-square residue. Assuming that the value (x (x + c) −a) is selected as the non-square residue, and considering increasing the numerical value from around x = 56789,
x = 56789 and (x * x + c * x−a) = 76467 Euler criterion (x * x + c * x−a) = 1
x = 56790 and (x * x + c * x−a) = 8037 Euler standard (x * x + c * x−a) = 1
x = 56791 and (x * x + c * x−a) = 36786 Euler's criterion (x * x + c * x−a) = 97176
x = 56792 and (x * x + c * x−a) = 65537 Euler's reference (x * x + c * x−a) = 97176
x = 56793 and (x * x + c * x−a) = 94290 Euler's criterion (x * x + c * x−a) = 1
Therefore, x = 56791 in which the value (x * x + c * x−a) is a non-square residue can be adopted.

  As described above, the secondary hyperbolic group HC to be used can be specified as p = 97177, q = 48589, c = 12345, a = 23459, d = 34568, b = 45679, and x = 56791.

(IV) Key setting / key generation method In the key setting unit 11 and the key generation unit 13 in FIG. 1A, an ElGamal cipher (HC-ElGamal) which is a key setting / key generation method using a quadratic hyperbolic group HC is used. A configuration example will be described.

  In general, it is said that the ElGamal cipher can be applied not only to irreducible residue groups modulo prime numbers but also to all other cyclic groups. Therefore, since the quadratic hyperbolic group HC is also a kind of cyclic group using discrete logarithms, the HC-ElGamal cipher can be configured. That is, in addition to the previously known point group of elliptic curves on finite fields, point group of rational points of Jacobian varieties of elliptic curves on finite fields, and ideal class groups of integer rings on imaginary quadratic fields, A quadratic hyperbolic point group on a finite ring can be added to. This key setting / key generation method using the quadratic hyperbola group HC is executed as follows by arithmetic processing using a hardware circuit or arithmetic processing using a processor such as a CPU.

First, when the order of the quadratic hyperbolic group HC is k, the secret key is a random number s (1 <s <k), and the working key Y = sP is calculated by the group operation +. Here, sP means that P is added (s−1) times by the group operation +. The public key is a point Y and a point P (base point), a curve parameter a, b, c, d specifying a quadratic hyperbola, and a prime p specifying a finite ring Z / pZ, and the order k is (19-2) ). That is, public key = (a, b, c, d, p, P, Y), and the secret key is s. Based on the difficulty of calculating the discrete logarithm, the adversary cannot know the secret key s directly even if the Y = sP value is known, but can know s if it is calculated at most k times. Therefore, in order to make such a calculation difficult in practice, a large prime value p and a random value s must actually be selected. In the quadratic hyperbola group HC, the point Y and the point P are determined depending on the x value, and therefore, actually specified by the x component values P _x and Y _x . In addition, since the d value is known, a fast exponential calculation method can be used when calculating Y = sP. Here, the fast exponentiation method is

This is a method of reducing the total number of calculations by calculating the elements 2 ⁱ p one after another.

On the transmission side, a ciphertext can be created for each message m using a public key. On the transmission side, C ₁ = rP, C ₂ = rY, and C ₃ = mC ₂ (mod p) are calculated using a random number r (1 <r <k). However, (C ₂ ) _x means the X component value of C ₂ . The ciphertext is a point C ₁ and a point C ₃ , or a combination of the x component values ((C ₁ ) _x , (C ₃ ) _x ).

On the receiving side, m = (C ₃ ) _x / (sC ₁ ) _x (mod p) is calculated using the secret key s. The decrypted numerical value m is a hidden message and can only be decrypted by a recipient who knows the secret key s. To calculate the sC ₁ during decoding, the group arithmetic +, and the fast exponential operation method is used.

  Here, a specific calculation example of ElGamal encryption (HC-ElGamal) using a quadratic hyperbola group HC will be given.

  First, the secondary hyperbola group HC to be used was specified as p = 97177, q = 48589, c = 12345, a = 23459, d = 34568, b = 45679, and x = 56791. The base point P is P (x) = P (56791), and the zero point O is O (d) = O (34568). If the secret key s is appropriately set to s = 32109 (1 <s <q) and the work key Y is calculated, Y = sP = Y (66629) can be obtained. At this stage, the public key (a, b, c, d, p, P, Y) = (23459, 45679, 12345, 34568, 97177, P (56791), Y (66629)) is determined.

On the transmission side, a ciphertext is created for the message m with reference to the public key. Here, the message m is, for example, m = 221098. If the random number r is appropriately set to r = 43210, and C ₁ = rP, C ₂ = rY, and C ₃ = mC ₂ (mod p) are calculated, C ₁ = C ₁ (21600) and C ₂ = C _{2 respectively.} (2965), and C ₃ = C ₃ (70759). Therefore, since the ciphertext becomes ((C ₁ ) _x , (C ₃ ) _x ) = (21600, 70759), this is transmitted to the receiving side.

If the receiving side that has received the ciphertext has the secret key s, m = (C ₃ ) _x / (sC ₁ ) _x (mod p) can be calculated using the secret key s. it can. As a result, (sC ₁ ) _x = 2965, ₁ / (sC ₁ ) _x = 88885, and m = 21098 can be obtained. Therefore, the receiving side can know that the transmitted message is m = 221098.

  Next, a configuration example of an ElGamal signature (HC-ElGamal signature) that is a key setting / key generation method using the quadratic hyperbolic group HC in the key setting unit 11 and the key generation unit 13 in FIG. .

  There is always the possibility of malicious accusations on the Internet or the like, and there is a risk of falsification of transmitted data. Therefore, digital signature is effective as a method for confirming the signer and the authenticity of the received data for the received message. Here, an example of imitating a digital signature using an elliptic curve group and configuring an HC-Elgamal signature as follows will be described.

  First, the element P (x) of the quadratic hyperbola group is selected as a base point, the signature generation key is s (1 <s <k), and the public keys are (a, b, c, d, p, P, Y). ). Here, the work key Y = sP.

Next, a random number r (1 <r <k) is generated, a hash value h (m) is generated for the message m using the hash function h, and a signature (R, t) is generated. However, R = rP and t = (h (m) −s (R) _x ) r ⁻¹ (mod q). The signer transmits the signature (R, t) in addition to the message m from the transmission side.

On the receiving side, it is confirmed by using the signature (R, t) and the public key whether the message m is truly from the signer or has not been tampered with. On the receiving side, a hash value h (m) is generated for the message m using the hash function h, and it is confirmed that h (m) P = tR + (R) _x Y is established. Since only the signer who knows the signature generation key s can create the signature (R, t), the receiving side can be sure that the message m is truly from the signer.

  Here, a specific calculation example of the ElGamal signature (HC-ElGamal signature) using the quadratic hyperbola group HC is given.

  First, the secondary hyperbola group HC to be used was specified as p = 97177, q = 48589, c = 12345, a = 23459, d = 34568, b = 45679, and x = 56791. The base point P is P (x) = P (56791), and the zero point O is O (d) = O (34568). If the signature generation key s is appropriately set to s = 39876 (1 <s <q) and the work key Y is calculated, Y = sP = Y (16537) can be obtained. At this stage, the public key (a, b, c, d, p, P, Y) = (23459, 45679, 12345, 34568, 97177, P (56791), Y (16537)) is determined.

The signer can calculate the signature key R as R = R (27753) if the random number r is appropriately set to r = 47654 (1 <r <q), for example. If the calculated hash value h (m) is set as h (m) = 28765, the other signature key t can be calculated. Furthermore, since r ⁻¹ (mod q) = 39183 and t = (h (m) −s (R) _x ) r ⁻¹ (mod q) = 24878, the signature (R, t) = (R (27753) ), 24878). Therefore, the signer adds the signature (R, t) to the message m and transmits it from the transmission side.

On the receiving side, tR = 75231 is calculated from the received signature (R, t), (R) _x Y = 12249 is calculated from the public key, and the sum (tR + (R) _x Y) _x = 17781 is calculated. Ask. Next, the receiving side generates a hash value h (m) = 28765 for the message m, and calculates (h (m) P) _x = 17781 therefrom. At this time, since the _{(tR + (R) x Y} ) x value (h _(m) P) _x values match, the signature that was attached to the message m (R, t) is valid, from the signer It can be confirmed that it is a message.

  FIG. 4 is a schematic configuration diagram showing a secret key variable stream cipher generation device according to Embodiment 2 of the present invention.

  The secret key variable stream cipher generation device 20 of the second embodiment is a quadratic hyperbolic group key generation device corresponding to the key setting unit 11 and the key generation unit 13 of FIG. m + 1) cell calculators 21-0 to 21-m and cell outputs C0 to Cm of the respective cell calculators 21-0 to 21-m are sequentially added to obtain stream outputs (C0, C1,..., Cm). ) And m adders 22-1 to 22-m and the like.

  The secret key variable stream cipher generation device 20 is configured using a quadratic hyperbola group HC identified according to the key generation method shown in the first embodiment. In general, the computational burden of hyperbolic cryptography based on discrete logarithm is heavy, and it cannot be said that it is suitable for stream cryptography. Therefore, a device for reducing the number of bits to be calculated and increasing the number of apparent effective bits is required. In the secret key variable stream cipher generation device 20 of the second embodiment, a plurality of cell calculators 21-0 to 21-m perform a quadratic hyperbola group operation with a small number of bits and combine the cell outputs. , A stream that is a pseudo-random number is generated.

  Each of the cell calculators 21-0 to 21-m calculates a work key Y by a group calculation + determined in advance by the cell calculator based on the secret key s provided by the previous cell calculator from the base point P. From the work key Y, the cell output C and a new secret key s to be delivered to the next cell computing unit are output by the stirring function. In the first cell computing unit 21-0, s0 is adopted as the initial secret key, and from the next time, the secret key sm output from the final cell computing unit 21-m is used. Therefore, after the initial value s0 of the secret key is determined, the secret keys s1 to sm adopted by the respective cell computing units 21-0 to 21-m fluctuate one after another. It becomes disposable.

  In addition, since the group calculation + in each of the cell calculators 21-0 to 21-m is different, even if the base point P is the same, the calculated work key Y is different and passes through the stirring function. Thereafter, a cell output C that is virtually independent and a new secret key s that is virtually independent are output. Therefore, when stream outputs (C0, C1,... Cm) are configured by simply combining the cell outputs C0 to Cm, a stream that looks like a stream output having m + 1 times the number of bits is generated. The

  In the second embodiment, it is necessary to determine the initial state by operating each cell computing unit 21-0 to 21-m a predetermined number of times in advance for initialization. If at least m operations are not performed, all of the cell calculators 21-0 to 21-m cannot be operated simultaneously. Also, in order to ensure the confidentiality of the initial value s0 of the secret key s, it may be necessary to perform the calculation several times as many times as m and to discard the stream in between.

  The stream output (C0, C1,..., Cm) according to the second embodiment is not a random number in a strict sense. The secret key s is secret, and the work key Y is calculated by the group operation of each of the cell calculators 21-0 to 21-m. However, since it is difficult to know the discrete logarithm, the secret key s is easily known. The new stream output (C0, C1,..., Cm) is generated according to a certain rule due to the action such as shielding the work key Y because the agitation function has one direction. But it just doesn't look like that from the outside. In particular, the group calculation employed by each of the cell calculators 21-0 to 21-m is a calculation of a quadratic hyperbola group HC having a common order k, and only the curve parameters are different. However, when the group operation is different, the method of limiting the remainder ring Z / pZ is different, so that the appearing elements and their order are completely different. Therefore, when the cell outputs C0 to Cm of the cell calculators 21-0 to 21-m are combined, the combined stream outputs (C0, C1,..., Cm) are apparently independent collections of outputs. Output.

  The stream output (C0, C1,..., Cm) according to the second embodiment is output depending on the calculation time of each of the cell calculators 21-0 to 21-m. Since each of the cell computing units 21-0 to 21-m can perform computation simultaneously, a stream output (C0, C1,..., Cm) having a bit number obtained by multiplying the number of bits used for the computation by m + 1 is obtained. , And can be output in the calculation time. This means that the stream output (C0, C1,..., Cm) is speeded up. For example, when the 17 cell calculators 21-0 to 21-16 are operated with 16 bits, the cell outputs C0 to C16 are 15 bits, so that the 255-bit stream output (C0, C1,..., C16) is obtained at a time substantially in the time of 16-bit operation of the cell calculators 21-0 to 21-16. In general, if n cell arithmetic units 21-0 to 21- (n-1) are used, the stream output (C0, C1,..., C (n-1)) is increased n times. be able to. In the group operation of the quadratic hyperbola group HC, it is known that the load of the inverse operation is heavy. However, the use of an “inverse element post-rotation method” described later can significantly improve the calculation speed.

  When the cell outputs C0 to Cm are simply combined to form a stream output (C0, C1,..., Cm), the cell outputs C0 to Cm are directly visible to the outside. is there. Therefore, adjacent stream outputs (Cm | C0, C0 | C1, C1 | C2,..., Cm-1 | Cm) (operation | is a bit exclusive OR (EOR) operation). Means for concealing the cell output by cell output synthesis or bit synthesis, such as combining the cell outputs C0, C1,. When adjacent cell outputs C0, C1,... Are synthesized by bit EOR operation, in the case of the 16-bit operation, the cell outputs C0 to Cm are 15 bits, so a 255-bit stream output (Cm | C0, C0 | C1,... Is obtained at a time. Generally, cell output composition or the like may result in a configuration in which the number of bits of stream output (Cm | C0, C0 | C1,...) Is sacrificed (decreased).

  In the secret key variable stream cipher generation device 20 according to the second embodiment, m + 1 cell computing units 21-0 to 21-m are cascade-connected via the secret key s. When the same secret key s is transferred, the stream output (Cm | C0, C0 | C1,...) Is periodically output, and the characteristic as a pseudo random number is lost. As a method for preventing this, there is a method of determining a secret key s to be transferred to the next cell calculator as an internal state function of the m + 1 cell calculators 21-0 to 21-m. In this method, even if the same secret key s as before is delivered by any cell computing unit, the subsequent streams are different, and periodic output can be avoided. As a simple configuration example, a secret key s (i) = f (Yx (i-1), Yx (i + 1)) or s (i) = f (Yx (i-1), Yx (i-2)) As described above, there can be considered a method of changing all or part of the calculated original secret key as a function of the work key Y of the preceding and succeeding cell computing units.

  If the size (mod q) of the secret key s value is small to some extent or 0, the calculated cryptanalysis may be improved. Therefore, there is a case where it is effective to detect a high-order bit of the secret key s value as 0 by a gate, set a predetermined bit, and add a constant value.

  Here, a specific configuration example of the secret key variable stream cipher generation device 20 according to the second embodiment will be given.

In this example 1,
p = 97177, q = 48589, c = 12345, a = 23459, d = 34568, b = 45679, x = 56791
The secondary hyperbola group HC to be used is specified, but since p = 97177, this corresponds to the 17-bit cell computing unit 21-0. Therefore, the stream cipher generation device 20 having three (m = 2) 17-bit cell computing units 21-0. Since this is an easy-to-understand configuration example, methods such as covering the stream output (C0, C1,..., Cm) and determining the secret key s depending on the internal state are not employed.

The first cell computing unit 21-0 uses the secondary hyperbolic group HC, and the cell output C0 and the secret key s1 to be passed to the next cell computing unit 21-1 from the work key Y as follows. calculate.
C0 = Yx (5-bit right cyclic shift)
s1 = Yx (10-bit right cyclic shift) ¥ 4

  In the calculation of the secret key s1, the operator \ is an integer division, and the division by 4 is because the number of bits is matched so that the order is q or less. These operations correspond to the agitation function, but for the sake of simplicity, the same configuration is adopted in the second and third cell computing units 21-1, 21-2.

Next, according to the first embodiment, the other two cell calculators 21-1 and 21-2 are configured according to the flow of FIG. For the secondary hyperbola group HC, use subscript 0,
p = 97177, q = 48589, c0 = 12345, a0 = 23459, d0 = 34568, b0 = 45679, x0 = 56791
And change it.

Now, assuming that c1 = 1346 and c2 = 1347, calculation according to step S2 and subsequent steps in FIG.
p = 97177, q = 48589, c1 = 12346, a1 = 23458, d1 = 34570, b1 = 45680, x1 = 56780
p = 97177, q = 48589, c2 = 12347, a2 = 23462, d2 = 34569, b2 = 45680, x2 = 56781
Two quadratic hyperbolic groups HC can be obtained. These three quadratic hyperbolic groups HC have the same order q, but have different group operations + due to different curve parameters, and as a result, appearing elements and their order are completely different. become.

  In elliptic curve cryptography, it is necessary to repeat the prime order determination work by using random numbers as curve parameters in order to obtain prime orders, and it is quite difficult to prepare multiple curve parameters having at least the same order. Conceivable. However, as described above, in hyperbolic cryptography, it is easy to determine a plurality or a large number of secondary hyperbolic groups HC having the same order. Compared to elliptic curve cryptography, it can be said that key generation is simpler for cryptography.

  It is easy to implement the secret key variable stream cipher generation device 20 according to the second embodiment with hardware. Each of the cell calculators 21-0 to 21-m can be realized by a coprocessor, a dedicated residue calculator, a dedicated power residue calculator, or the like. The curve parameter and the initial value s0 of the secret key s are placed in the register, and the number of calculation bits is fixed, but different quadratic hyperbolic groups HC can be handled by common hardware.

  5A is a diagram showing a calculation example (m = 2) of the secret key variation type stream cipher generation device 20 in FIG. 4, and FIG. 5B is a secret key variation type stream cipher generation device 20 in FIG. It is a figure which shows the example of a stream output (m = 2).

Starting from the initial value s0 = 201098 of the secret key s, when the working key Y is obtained from the base point P0 (56791) of the cell computing unit 21-0 by Y = s0P0 (56791), the x component thereof is Yx = 88327. However, the group operation + (0) used for calculating the work key Y is
c0 = 12345, a0 = 23459, d0 = 34568, b0 = 45679
The operation specified by Yx is 10101100100000111 (88327) in binary notation. Therefore, according to the agitation function, Yx is cyclically shifted by 5 bits to obtain cell output C0 = 00111101011001000 (31432). Further, when Yx is cyclically shifted by 10 bits to obtain 01000001111010110 and then an integer operation is performed by dividing by 4, s1 = 010000011110101 (8437) is obtained. When similar processing is performed by the cascaded cell computing units 21-1 and 21-2, cell output in the first cycle (00111101011001000) (00111101011101010) (01101100111000101)
Can be obtained. That is, a stream output of 17 bits X3 = 51 bits could be obtained at a time in one calculation time of the 16-bit cell computing units 21-0 to 21-2.

  In this specific example, the secret key s = 391 and a relatively small value appear in the third cycle (3_3). If the size (mod q) of the secret key s value is small to some extent or 0, the calculated cryptanalysis may be improved. Therefore, there is a case where it is effective to detect a high-order bit of the secret key s value as 0 by a gate, set a predetermined bit, and add a constant value. However, this example does not take that into consideration.

  FIG. 6 is a schematic configuration diagram of a communication system that performs transmission and reception of data by performing encryption and decryption by the secret key variation stream cipher generation device of FIG. 6 discloses a method of encryption and decryption by the secret key variable stream cipher generation device 20 of FIG.

  In the communication system of FIG. 6, the IPv6 (IP version 6) packet of the encrypted data ED1 generated by the stream cipher generation device 20-1 and the exclusive OR gate (hereinafter referred to as “EOR gate”) 23-1 on the transmission side. 24-1 is sent to the receiving side via the IP network 25, and the IPv6 packet 24-2 sent on the receiving side is received and decrypted by the stream cipher generation device 20-2 and the EOR gate 23-2. It has become.

  For example, for the input data Din such as a secret video file, the stream cipher generator 20-1 on the transmission side supplies the cipher stream CS1, and the exclusive OR of both is taken by the EOR gate 23-1, and IPv6 The encrypted data ED1 is stored in the data area of the packet 24-1. In the IPv6 header of the IPv6 packet 24-1, in addition to data such as the payload length, synchronization information SI1 related to stream cipher generation is stored in the extension header (encrypted header). The synchronization information SI1 is information necessary for decryption, such as the number of cycles until the initialization of the stream cipher generation device 20-1, the number of start cycles and the number of end cycles of the encrypted stream CS1 stored in the payload. After the sender transmits the IPv6 packet 24-1 and the receiver receives the IPv6 packet 24-2 via the IP network 25, the synchronization information SI2 stored in the extension header of the IP header is extracted and received. Side stream cipher generation apparatus 20-2. Further, after the encrypted data ED2 is extracted from the data area of the IPv6 packet 24-2, the exclusive OR with the encrypted stream CS2 output corresponding to the synchronization information SI2 is acquired by the EOR gate 23-2, The output data Dout is restored.

  In this encryption and decryption method, the initial value s0 of the secret key s is shared on the transmission / reception side, and the encrypted stream CS1 is also output from the stream cipher generation device 20-1 in a predetermined order. A method of sharing the secret key s0 is not disclosed. Usually, it depends only on a predetermined encryption protocol. In IPsec (IP security protocol), a protocol for exchanging encryption keys called “IKE (Internet Key Exchange)” is prepared. In the method according to the second embodiment, if a part of the IPv6 packet 24-1 is lost in the IP network 25, correct decoding cannot be performed thereafter. In this case, the lost packet is requested to be transmitted again.

  As means for further improving this encryption and decryption method, curve parameter information relating to the cell computing units 21-0 to 21-m constituting the stream cipher generation device 20 is obtained from the IPv6 packets 24-1 and 24-2. A method of placing in the IPv6 header or data area is conceivable. Since the curve parameter determines the group operation, it can be secret information. However, even if the curve parameter is known, the encrypted stream CS2 cannot be decrypted unless the secret key s is known. This improved method has the effect of ensuring the versatility of the cell computing units 21-0 to 21-m having the same hardware, and is a method for improving the safety by changing the group operation at every predetermined time. Can be adopted.

FIG. 7 is a flowchart showing a key generation method (in the case of n = p ₁ p ₂ ) of the extended quadratic hyperbola group according to the third embodiment of the present invention, and is a flowchart of FIG. 1 (B) showing the first embodiment. It corresponds.

  The flowchart in FIG. 7 shows a curve parameter setting method performed in the curve parameter setting unit 12 in FIG. 1A, and (6) in the extended quadratic hyperbola group EHC is obtained by the processing in steps S11 to S15. -1) Curve parameters a, b, c, d, and x are set.

  Before describing the flowchart of FIG. 7, basic techniques such as the extended quadratic hyperbolic group EHC in the third embodiment will be described.

  In the third embodiment, when the modulus n is a composite number, the quadratic hyperbola group HC in the first example is expanded to form an extended quadratic hyperbola group EHC, and the hyperbolic cryptography using the extended quadratic hyperbola group EHC is used. A key generation method is disclosed, and a new prime factorization method is disclosed as an application problem.

The quadratic hyperbola group HC in Example 1 is defined by Equation (13-1), and is defined by the term “square non-residue”. However, for example, the condition that (x ² + cx−a) is a non-square residue is that using the Legendre symbol,

The natural extension of the quadratic hyperbolic group HC is to impose exactly the same conditions for each prime factor p _i .

Here, it is possible to introduce the Jacobi symbol, which is an extension of the Legendre symbol.
For an integer m where n is an odd number greater than 1 and (m, n) = 1,

The left side is called the Jacobi symbol, and the right side is the Legendre symbol. Here, in order to determine the Legendre symbol on the right side, the prime factor of n must be known in advance. The conventional Euler criterion can be used as it is when calculating the equation (31-3).

Based on the above assumptions, the extended quadratic hyperbolic group EHC is defined.
Extended quadratic hyperbolic group EHC,

It was configured as follows. This definition uses only the Legendre symbol, not the Jacobi symbol. This is because, as will be described later, it is known that the group structure cannot be maintained if the Jacobi symbol is introduced.

Here, _first , the structure of the extended quadratic hyperbola group EHC when the modulus n is the composite number and n = p ₁ p ₂ will be clarified. The order k of the extended quadratic hyperbola group EHC can be calculated by the number of x values satisfying the equation (31-2). Since the prime factors p ₁ and p ₂ are different from each other (p ₁ ≠ p ₂ ) and x values satisfying the expression (31-2) can be determined independently, the x values generated by different combinations of these numbers are the order Determine k. The order k here is the total number of different elements P (x) of the extended quadratic hyperbolic group EHC, and the generated group (cyclic group) Q (x) having the P (x) as a base point. It is not the order kg or its maximum value kq. That is, the order k of the extended quadratic hyperbola group EHC is given by the product of the order (19-1) given by a prime factor of 1 in principle.

  In the quadratic hyperbola group HC, the order k and the maximum value kq of the generated group order coincide with each other, but in the extended quadratic hyperbola group EHC, they may not match.

  It is newly known that the maximum order kq of the generation group (cyclic group) Q (x) depends on the attribute of the discriminant D, as will be described later. The attribute of discriminant D is

And (k ₁ , k ₂ ) = 1, in principle, is given by the equation (32-1). Here, since the cycle of the cycle becomes a problem, there is something common to both prime factors, and when (k ₁ , k ₂ ) = h ≠ 1, the difference between the prime factors of each order is We think that "combination" is unique and becomes a target of the cycle. That is, it is considered that a combination including a common prime factor h that cannot be distinguished from which order is included does not appear. Speaking of a set of prime factors, “union” is applicable. This means that the least common multiple (LCM) of both orders is the maximum order kq.

According to non-patent literature (Hiroshi Miyagawa, et al. “Code Theory”, 1973, Shosodo, P. 204), a generator polynomial G composed of a plurality of minimum polynomials Mi is ^{expressed as} a remainder class of polynomials (modulo x ⁿ − It is described that, when considered in 1), the least common multiple of the period ni of the minimum polynomial Mi is the period t of the generator polynomial G. The same applies to the extended quadratic hyperbola group, which is a kind of cyclic group. Here, between the quadratic hyperbola group and the remainder class ring of the polynomial, modulo n (composite number)> modulus x ⁿ −1
Base point P (x)> Generator polynomial G (x)
Maximum order of generation group (= period) kq> period t of generator polynomial G (x)
Individual order ki> period ni of minimum polynomial Mi (x)
Correspond to each. The reason why the elements in the quadratic hyperbola group HC are simpler is that the operations in the polynomial class remainder class are limited to multiplication, whereas the group operations in the quadratic hyperbola group HC are in a discrete logarithmic relationship. .

Therefore, when the modulus n is a composite number, the order k of the extended quadratic hyperbola group EHC and the maximum order kq of the generation group Q (x) are always composite numbers. This fact means that the extended quadratic hyperbola group EHC having prime order does not exist, and the use of the cipher and the like is also somewhat restricted. This is because the criterion of how the base point P (x) of the generating group Q (x) having the maximum order kq should be derived is not yet completely known.

Here are some numerical examples. For example, the order k of the extended quadratic hyperbola group EHC with p ₁ = 17, p ₂ = 23, and n = 391 is k ₁ = (p ₁ −1) / 2 + 1 and the order k ₂ = (p ₂ −1 ) / 2 + 1, and k = k ₁ k ₂ = 108. The maximum order kq of the generator group Q (x) is the minimum of the order k ₁ = (p ₁ −1) / 2 + 1 and the order k ₂ = (p ₂ −1) / 2 + 1 given by a prime factor of 1. Given in common multiples,
kq = LCM (k ₁ , k ₂ ) = LCM (9,12) = 36
It is.

Next, the key generation method (in the case of n = p ₁ p ₂ ) of the extended quadratic hyperbola group shown in the flowchart of FIG. 7 will be described.
Number-theoretic function y

The curve parameters a, b, c, d, and x are set by the following steps S11 to S15 by selection / calculation processing using a hardware circuit or by selection / calculation processing using a processor such as a CPU. Is done.

When the process of FIG. 7 is started (started), prime factors p ₁ and p ₂ , order k and the like are determined in a first step S11. In order to increase the amount of calculation at the time of cryptanalysis, these values must be selected as large numbers. In the extended quadratic hyperbolic group EHC, the order k is given by equation (32-1), and the maximum order kq of the generated group is given by equation (32-3), so the prime factors p ₁ and p ₂ are determined. This means that the order k of the extended quadratic hyperbola group EHC is designated at the same time. Since the maximum order kq is a composite number, some trial and error is required when determining the base point P (x) having the maximum order kq in step S15. However, since the number of base points P (x) having the normal maximum order is the largest, it can be said that there is a high possibility of hitting the base point P (x) having the maximum order in several trials.

In the second step S12, parameters a and c are determined. Actually, since only the discriminant D is restricted, any parameter can be arbitrarily determined. Discriminant D / 4 = c ² + 4a
Attribute (D / p ₁ ) = − 1; (D / p ₂ ) = − 1;
Set to be

In the third step S13, the parameter b is determined. The parameter b is ((b (b + c) −a) / p ₁ ) = − 1; ((b (b + c) −a) / p ₂ ) = − 1 to prevent the occurrence of an equivalence pair.
However, it can be chosen arbitrarily as long as it allows for equivalence pairs. Therefore, the condition in step S13 can be omitted.

In the fourth step S14, the parameter d, ie the zero element P (d), is determined. That is, ((d (d + c) −a) / p ₁ ) = − 1; ((d (d + c) −a) / p ₂ ) = − 1; b ≠ d
Set to be

In the fifth step S15, an x value, that is, a base point P (x) is determined. That means
((X (x + c) −a) / p ₁ ) = − 1; ((x (x + c) −a) / p ₂ ) = − 1; x ≠ d
Set to be

  Since Steps S13, S14, and S15 have the same conditions, those parameters can be obtained by one calculation and assigned to each parameter. However, if an x value satisfying the above condition is arbitrarily selected, a generation group Q (x) having a divisor of the maximum order kq may appear. Therefore, the base point P (x) having the maximum order kq may not be selected.

  In the first trial and error method, P (x) satisfying ktP (x) ≠ O with respect to the trial base point P (x) at the order kt having the next magnitude of the maximum order kq. It is to look for. That is, if kP (x) = O and ktP (x) ≠ O (kt <k), the order of the generated group Q (x) by the P (x) has the probability of having the maximum order kq. Is considered high. For this purpose, the order obtained by dividing the maximum order kq by the smallest prime factor (referred to as the minimum prime factor) is set as the trial order kt. In the extended quadratic hyperbolic group EHC, the maximum order kq is given by the equation (32-3). Therefore, if one of the prime factors is a 4m + 3 type prime number, the minimum prime factor 2 is provided.

Here, this method is tried using the calculation example of the extended quadratic hyperbola group EHC. Since the maximum order kq = 28 and the minimum prime factor is 2, kt = kq / 2 = 14. Therefore, when the x value satisfying the equation (31-2) is tried for each prime factor from the smaller one,
ktP (0) = O; ktP (2) = O; ktP (6) = P (28) ≠ O;
Therefore, P (6) is considered to have a high possibility of a base point having the maximum order kq, and actually has the maximum order kq. However, this method is not effective when both prime factors are 4m + 1 type prime numbers and do not have small prime factors. In the calculation of ktP, a high-speed exponent calculation can be used by expanding the kt value in binary.

The second method of trial and error is to confirm the establishment of the distribution law. Distribution law m (P + R) = mP + mR
Is generally established only when both P and R belong to the generation group Q having the maximum order kq, and is not established in other cases. In particular, if the m value is selected such that kt ≦ m ≦ kq with respect to the trial order kt, the probability of failure is increased. In selection of elements P and R that satisfy the above conditions,
R (y) = qP (x); (q, k) = 1
A trial R is selected that has an y value such that When the generation group Q (x) having the base point P (x) has the maximum order kq, the generation group Q (y) having the base point R (y) also has the maximum order kq. Because we know.

A specific calculation example of the extended quadratic hyperbola group EHC will be given.
FIG. 8 is a diagram illustrating a structure of an extended quadratic hyperbola group (generation group Q (x)) with modulus n = 91 and order k = 28 according to the third embodiment of the present invention. FIG. 8 discloses that when the common factor h = 1, the number of generation groups Q (x) having> order kg is φ (kg).

In the system given by equation (31-2), when r = 7, s = 13, and therefore n = 91, the maximum order kq of the extended quadratic hyperbolic group EHC given by equation (31-4) is ( From the equation 32-3), kq = 28. For discriminant D / 4 = c ² + 4a, parameters c = 1 and a = 8 are determined so that (D / r) = − 1 and (D / s) = − 1, and τ (d) / τ (d) is selected so that r) = − 1 and (τ (d) / s) = − 1, and the zero point is selected as d = 2. The base point is selected by selecting an x value such that τ (x) / r) = − 1 and (τ (x) / s) = − 1.

The extended quadratic hyperbola group EHC specified by the curve parameters a, b, c, d, x as described above has a generation group (subgroup) Q (x) as the base point P (x). Generate. That is,
Generation group of order kg = 1: φ (1) = 1 piece {Q (2)}
Generation group of order kg = 2: φ (2) = 1 piece {Q (28)}
Generation group of order kg = 4: φ (4) = 2 pieces {Q (41), Q (67)}
Generation group of order kg = 7: φ (7) = 6 {Q (23), Q (37), Q (51), Q (58), Q (65), Q (79)}
Generation group of order kg = 14: φ (14) = 6 {Q (0), Q (14), Q (49), Q (63), Q (77), Q (84)}
Generation group of order kg = 28: φ (28) = 12
{Q (6), Q (11), Q (13), Q (25), Q (27), Q (32), Q (39), Q (53), Q (62), Q (76) , Q (88), Q (90)}
It has the structure. This structure is determined depending only on the values of the orders k ₁ and k ₂ of the quadratic hyperbola group. Therefore, from these relationships, as with the quadratic hyperbolic group HC,

The following relational expression holds. The definition of the generation group is the same as above,
Q (x) = {mP (x) | P (x) εEHC, kgP (x) = O, 1 ≦ m ≦ kg, kg is a divisor of the maximum order kq}
.... (34-2)
Can be defined as For example, in the case of Q (6) above, the order kg = 28,
Q (6) = {1P = (6,0); 2P = (49,76); 3P = (11,36); 4P = (65,30); 5P = (90,35); 6P = (14 , 55);
7P = (67,15); 8P = (58,65); 9P = (62,63); 10P = (63,62); 11P = (39,43); 12P = (51,9); 13P = (27,42); 14P = (28,41); 15P = (32,78); 16P = (23,37); 17P = (76,49); 18P = (0,69); 19P = (25 20P = (79,16); 21P = (41,28); 22P = (84,13); 23P = (88,50); 24P = (37,23); 25P = (13,56) 26P = (77,48); 27P = (53,29); 28P = (2,2);
It is. The total number of generation groups Q (x) matches the order k of the extended quadratic hyperbola group. This is shown in FIG.

In the quadratic hyperbolic group HC, the number of generation groups Q (x) having an order of kg is given by φ (kg). The number ψ (kg) of the generation group Q (x) having the order kg in the extended quadratic hyperbola group EHC of the composite order is that the two factors d1 and d2 of the composite order k ₁ and k ₂ are k _1, respectively. , K ₂ , and the relationship (k ₁ , k ₂ ) = 1, the number φ of generated groups in the quadratic hyperbola group HC whose factors d ₁ and d ₂ are in order. It is considered that the product sum of (d ₁ ) and φ (d ₂ ) is obtained. Therefore, as long as the relationship of (k ₁ , k ₂ ) = 1 is maintained, using the factors d ₁ and d ₂ of the orders k ₁ and k ₂ ,

It can be expressed as. Since (d ₁ , d ₂ ) = 1 when (k ₁ , k ₂ ) = 1, φ (d ₁ ) φ (d ₂ ) = φ (d ₁ ) due to the multiplicative nature of the Euler function φ d ₂ ) = φ (kg) holds and there are only one combination,
ψ (k _g ) = f (k _g ) (34-4)
Is established. That is, in the case of (k ₁ , k ₂ ) = 1, the number of generation groups Q (x) having the order kg is equal to the secondary hyperbola group HC of prime order even in the extended secondary hyperbola group EHC of composite order. It can be obtained with the same expression. However, when (k ₁ , k ₂ ) = h ≠ 1, it is not clear how to handle the common factor h.

In the specific calculation example, the orders k ₁ and k ₂ constituted only by the prime factors do not have a common prime factor and have a relationship of (k ₁ , k ₂ ) = 1. On the other hand, when the orders k ₁ and k ₂ have a common prime factor, it will be clarified here what the structure is.

  FIG. 9 is a diagram illustrating a structure of an extended quadratic hyperbola group (generation group Q (x)) with modulus n = 391 and order k = 108 according to the third embodiment of the present invention. FIG. 9 discloses that when the common factor h ≠ 1, the number of generation groups Q (x) having> order kg is ψ (kg).

As a specific example, when r = 17, s = 23, and therefore n = 391, the order k of the extended quadratic hyperbola group EHC given by the equation (32-3) is kq = LCM (k ₁ , k ₂ ). = (9,12) = 36
become. For discriminant D / 4 = c ² + 4a, parameters c = 1 and a = 1 are determined so that (D / r) = − 1 and (D / s) = − 1, and τ (d) / τ (d) is selected so that r) = − 1 and (τ (d) / s) = − 1, and the zero point is selected as d = 3. The base point is selected by selecting an x value such that τ (x) / r) = − 1 and (τ (x) / s) = − 1.

The extended quadratic hyperbola group EHC identified at this time generates a generation group (subgroup) Q (x) when its base point is P (x). That is,
Generation group of order kg = 1: ψ (1) = 1 piece {Q (3)}
Generation group of order kg = 2: ψ (2) = 1 piece {Q (105)}
Generation group of order kg = 3: ψ (3) = 8 {Q (20), Q (95), Q (104), Q (112), Q (173), Q (265), Q (325 ), Q (342)}
Generation group of order kg = 4: ψ (4) = 2 pieces {Q (71), Q (207)}
Generation group of order kg = 6: ψ (6) = 8 {Q (36), Q (87), Q (156), Q (197), Q (206), Q (248), Q (275 ), Q (367)}
Generation group of order kg = 9: ψ (9) = 18 {Q (81), Q (127), Q (141), Q (150), Q (158), Q (164), Q (181 ), Q (210), Q (227), Q (302), Q (311), Q (319), Q (334), Q (348), Q (365), Q (371), Q (380) ), Q (388)}
Generation group of order kg = 12: ψ (12) = 16 {Q (2), Q (10), Q (19), Q (27), Q (78), Q (88), Q (138 ), Q (163), Q (180), Q (240), Q (257), Q (299), Q (308), Q (309), Q (326), Q (377)
Generation group of order kg = 18: ψ (18) = 18 {Q (13), Q (22), Q (45), Q (59), Q (64), Q (82), Q (91 ), Q (110), Q (133), Q (183), Q (229), Q (243), Q (252), Q (266), Q (294), Q (312), Q (317) ), Q (363)}
Generation group of order kg = 36: ψ (36) = 36 {Q (23), Q (25), Q (42), Q (48), Q (56), Q (71), Q (73 ), Q (79), Q (96), Q (115), Q (124), Q (125), Q (142), Q (147), Q (161), Q (184), Q (193) ), Q (209), Q (217), Q (226), Q (232), Q (234), Q (249), Q (263), Q (278), Q (280), Q (285) ), Q (286), Q (295), Q (303), Q (331), Q (345), Q (354), Q (368), Q (370), Q (387)}
It is. A total of 108 generation groups are created. This is shown in FIG.

When (k ₁ , k ₂ ) = h ≠ 1, it cannot be easily estimated by what relational expression the number ψ (kg) of the generated group Q (x) having the order kg. Therefore, the actual example will be searched from (k ₁ , k ₂ ) = h ≠ 1.

The maximum order kq is kq = LCM (k1, k2) = LCM (9,12) = 36. Since the prime factor h = 3 is a common element, the number ψ (kg) of generation groups giving the order kg of each generation group is as described above and in FIG. Looking at this numerical relationship, for example, ψ (18) + ψ (9) + ψ (6) + ψ (3) + ψ (2) + ψ (1) = 18 + 18 + 8 + 8 + 1 + 1 = 54 per sum related to a divisor d | kg of kg = 18 = 3k _g
Is established. The factor h = 3 corresponds to the common factor (k ₁ , k ₂ ) = h ≠ 1. This means that the sum total of the number of generation groups of order kg or less has increased to a multiple of the order kg. The common factor h does not contribute to an increase in the maximum order kq of the generation group of the quadratic hyperbola group HC, but contributes to the total number of generation groups. This is the reason why the group order k is different from the maximum order kq of the generation group in the extended quadratic hyperbolic group EHC. So generally

Is expected to hold. That is, the sum of the number of generation groups Q (x) of order kg or less becomes a multiple of the order kg, particularly a common factor h. There is no proof. The common factor h is not fixed but depends on the value of kg. That is, generally, using the greatest common divisor (GCD), h = GCD (kg, k ₁ , k ₂ ), or simply h = (kg, k ₁ , k ₂ ). (35-2)
It has become.

As a special case of equation (35-1), considering the case of kg = kq = LCM (k ₁ , k ₂ ), in number theory,
k ₁ k ₂ = LCM (k ₁ , k ₂ ) GCD (k ₁ , k ₂ ) and GCD (LCM (k ₁ , k ₂ ), k ₁ , k ₂ ) = GCD (k ₁ , k ₂ )
Since the relationship of

It becomes. This expression (35-3) corresponds to an extension of the expression (34-1).
According to Mobius's inversion formula for number theory,

And the reversal formula is established. However, μ (d) is called a Möbius function, and when there is a prime factor of the value d that is greater than or equal to its square, μ (d) = 0, and when all are the first power, the number is m Then, μ (d) = (− 1) ^m and μ (1) = 1.

Here, the Mobius function μ (d) is considered to have two meanings per cyclic group.
The first is the value

だけが基本周期で、それ以外の値ｄの素因数でそのべき乗部が２乗以上のものは周期に成り得ないことを示している。ｄ＝ｎである場合の基本周期d₀は、この巡回群の全ての固有周期を決める基礎に成っている。別の見方をして見る。値 If it is that that of the square or in prime values _{d 0 = p 1 p 2 ...} p m values other than d have been eliminated. This is the value

Only the basic period, and other prime factors having a value d that is a power of 2 or more cannot be a period. The fundamental period d ₀ when d = n is the basis for determining all the natural periods of this cyclic group. Take a different view. value

The relationship between the value d ₀ = p ₁ p ₂ … p _m is

So

This means that there exists a structure in which the structure related to the basic period d ₀ is repeated n / d ₀ times under the period n.

Second, if a fundamental period _{d 0 = p 1 p 2 ...} p m, the Mebyiusu function (+1) when m is an even number, the Mebyiusu function if m is an odd number (-1) However, this means that, for example, when calculating the number of cyclic groups, redundant calculation is eliminated. First, μ (d) = 1 is defined as an even number prime factor (+1) and an odd number prime factor (−1). From n cyclic groups having period 1, The number of cyclic groups having an apparent period n and a period of a divisor d of n values is subtracted alternately. The reason for subtracting alternately is as follows.

First, a set whose elements are prime factors related to the basic period d ₀ is considered, and in the set, certain periods p ₁ and p ₂ are arranged inside the product period p ₁ p ₂ . In this case, for example, a structure in which the odd-numbered prime factors p ₁ or p ₂ are arranged inside the set having the even-numbered prime factors p ₁ p ₂ , and the opposite structure is also established. +1) or (-1) can be assigned to each set, and a set of divisors can be placed inside a second set of multiples.

At this time, considering obtaining the number of cyclic groups φ (n) whose natural period is only the period n, it is possible to exclude periods other than the basic period d ₀ by the Moebius function first. Next, when the period d = 1, n corresponds to the outermost set, the product set of prime factors related to the basic period d ₀ . Next, when considering the inner set, this is a divisor of the basic period d ₀ , and the prime factor is decreased by one. Therefore, the opposite sign is assigned by the Moebius function, and the number of cyclic groups having the divisor as a period is subtracted from the n cyclic groups. However, when there is another set inside the set, by continuing this operation, only the number of natural periods related to the divisor is subtracted. Considering the period n, the number of cyclic groups having the period d related to the divisor is n / d.

Thus, the number of cyclic groups φ (n) having only the period n as the natural period can be obtained. After all, when the period n has the basic period d ₀ , it only contributes to the increase in the number of cyclic groups having the basic period d _{0 in the} form of n / d in the above equation.

  Now, when the expressions (35-1) and (35-2) are compared with the expressions (35-4) and inverted to obtain the expression (35-5),

Then, the number ψ (kg) of the production group Q (x) having the order kg, which was the original purpose, could be obtained in an explicit form. Here, when k ₁ = k, k ₂ = 1 and reduced to a non-expanded quadratic hyperbola group HC, since (kg / d, k, 1) = 1, the equation (35-6) Is

To return to. According to the number theory, the right side of the equation (35-7) is Euler's function φ (kg) itself. According to the equation (35-7), ψ (kg) = φ (kg), so the equation (34-4) was confirmed again. Since the function ψ (kg) given by the expression (35-6) is an extended form of Euler's function, it will be called “extended Euler function (extended totient function)”. In the quadratic hyperbola group HC, the number of generation groups having the order kg is φ (kg), whereas in the extended quadratic hyperbola group EHC, the number of generation groups having the order kg is ψ (kg). .

Although there is no direct proof about (35-6), it is interpreted as follows. First, when (k ₁ , k ₂ ) = h ≠ 1, the common factor h always appears in the form of the square of the constituent factor or more, so the basic period is not affected by the nature of the Mobius function. Therefore, the number of terms in the expression (35-6) does not substantially increase, and only affects the number kg / d of cyclic groups having the basic period. Here, considering the structure of order k = k ₁ k ₂ ,

Thus, it is considered that there is a structure in which a structure having no common part is repeated h times.
Since the common part of the value kg / d of the number of cyclic groups having a basic period is (kg / d, k ₁ , k ₂ ), the number of cyclic groups having the basic period is kg / d according to the above discussion. To (kg / d) (kg / d, k ₁ , k ₂ ).

In order to understand the power of the extended Euler function (35-6), a specific example of trial values is given here by means of an extended quadratic hyperbola group EHC having a more complex common factor h.
When r = 29, s = 59, n = 1711 and a = 9, c = 1, and d = 7 are selected,
Generation group of order kg = 1: ψ (1) = 1 generation group of order kg = 2: ψ (2) = 1 generation group of order kg = 3: ψ (3) = 8 Generation group of kg = 5: ψ (5) = 24 generation group of order kg = 6: ψ (6) = 8 generation group of order kg = 10: ψ (10) = 24 order kg = 15 production groups: ψ (15) = 192 production groups with order kg = 30: ψ (30) = 192. This extended quadratic hyperbola group EHC is composed of the order k ₁ = 15, k ₂ = 30 of a single quadratic hyperbola group HC, and the common factor is GCD (k ₁ , k ₂ ) = 15. The maximum order kq is kq = LCM (k ₁ , k ₂ ) = LCM (15,30) = 30. A generation group of order kg = 9,25 does not appear. This is because these orders are not divisors of the maximum order kq.
For example, when kg = 6, from the equation (35-6),

Thus, it matches the number of generation groups actually counted by trial calculation. If the equation (35-6) is used, it is possible to know in advance the number of generation groups having the order kg in the extended quadratic hyperbola group EHC composed of the orders k ₁ and k ₂ of a single quadratic hyperbola group HC. Can do.

It has been found that the introduction of the Jacobi symbol in the definition of the extended quadratic hyperbolic group EHC does not maintain the group composition. Consider the case of limiting the remainder ring Z / nZ by Jacobi's symbol with respect to the domain and closedness of group operations that became a problem in the quadratic hyperbolic group HC.
Expanded quadratic hyperbolic group EHC using Jacobi symbol,

Let's define it. In this case, it is known that the structure of the traveling group is destroyed.
Formally, the closeness of the group operation and the elimination of the undefined region can be achieved in the case of the modulus n as well as the case where the modulus is p. That is, when a group operation of R (x3) = P (x1) + Q (x2) is performed,

So

become. Note that the denominator of the equation (36-2) is a square remainder even under the modulus n. This is because the relational expression of the group operation is established regardless of the remainder operation. Furthermore, in the undefined state where the denominator of the equation (36-2) is 0,

Since the relationship of

Therefore, by eliminating one value from the set, it is possible to eliminate the undefined area of the group operation.

  However, considering the realization of equation (36-3) with the Legendre symbol, the square remainder is handled. For example, consider how the extended quadratic hyperbolic group EHC should be constructed when the modulus n is a composite number given by the product of prime factors r and s. In this case, the equation (36-3)

Can be realized. This combination is determined so that the calculation result given by the expression (36-2) maintains the same attribute attribute according to the expressions (36-5) and (36-6). Here, since the zero element P (x) (x = d) is also one of the x values, the x value and the d value are τ (x) = x ² + cx−a value and τ (d) = d ^2. The + cd-a values are chosen to be the same attribute. This means that the determination of the zero element P (d) at the beginning has selected either of the systems (36-5) and (36-6).

  The biggest problem when the system of either (36-5) or (36-6) is selected is that a large number of values having no inverse element are generated in the middle of the group operation. When modulo n = rs, since rs = 0 (mod n), all multiples of prime factors r and s do not have an inverse element. For example, if an inverse element (mod n) of a certain number x is y, both xy = 1 (mod r) and xy = 1 (mod s) must be established. However, if the number x is a multiple of the prime factors r and s, at least one of them is not satisfied. Therefore, all the multiples of prime factors r and s have no inverse element. Further, the group operation has an undefined area, and the group structure cannot be maintained. This is because

As a result, the attribute related to the prime factor in the expression (36-7) in the expression (36-4) is equal to the exclusive pair. As a result, a zero percent state appears for the prime factor.

  However, as will be described later, there is a method of performing group operations without performing the inverse operation until the end (reverse method of inverse element calculation). At this time, the apparent group structure is maintained, and the apparent order can be obtained. Mathematically, it is a semigroup, especially a unit semigroup with unit elements. From the viewpoint of the half group, the definition of the extended quadratic hyperbola group given by the equation (36-1) is restored. This half group will be referred to as an “extended quadratic hyperbolic half group”. Also, as an easy-to-understand expression, here, it will be widely referred to as a “group image”, including cases where attribute changes are accepted. Therefore, a specific calculation example of the group image is introduced.

  FIGS. 10A to 10C are specific examples of the extended quadratic hyperbolic semigroup with r = 13, s = 17, and n = 221, and a generator group Q (x that gives the order kg for each attribute. ). Among these, FIG. 10 (A) is a diagram showing the number of generation groups that give order kg (attribute matching of τ (d)) and τ (x)), and FIG. 10 (B) is a generation group that gives order kg. FIG. 10C shows the attribute mismatch between discriminant D and τ (x), and τ (d) and τ (x FIG.

  In FIG. 10A, the zero element attributes (τ (d) / r) and (τ (d) / s) are made to coincide with the base point P (x) in the calculation of each generation group. Looking at this result, the number of generation groups having each attribute is not equal and is not divided into four equal parts, just to be close to the value of n / 4. This is because when the function is a function such as τ (x), the number of possible values is biased due to the limitation of the function value.

  In FIG. 10B, an attempt is made to make the zero element attributes (τ (d) / r) and (τ (d) / s) not coincide with the base point P (x) in the calculation of each generation group. In this case, the zero element does not appear, but the coincidence corresponding to the zero element can be obtained from the inverse element calculation post-rotation calculation method. According to this, the order kg is twice that in the case of the upper figure, and the number is the same. According to the equation (36-4), when two group operations are continuously executed, the attribute is restored. Therefore, when the operation of executing the calculations of the expressions (37-3) and (37-4) twice is regarded as a group operation, it is appropriate. That is, when the zero-source attribute is not matched with the attribute of the base point P (x), only the group operation is changed and the order is matched. To put it another way, an extended quadratic hyperbola semigroup whose attributes of τ (x) and τ (d) do not match is isomorphic with an extended quadratic hyperbola group whose attributes match, and the group operation is It is only different.

  In FIG. 10C, in calculating each generation group, the order kg and its number are obtained under the condition that the discriminant D and the attribute τ (x) do not match and the attribute τ (d) and τ (x) match. ing. According to this, depending on the attribute of the discriminant D, the structure of the extended quadratic hyperbolic semigroup changes greatly. Since the discriminant D originally determines the characteristics of the quadratic function, it is considered to be more basic than the attributes of τ (x) and τ (d) that are the quadratic functions. As clarified in the previous patent application, the number of x values in which τ (x) is a square remainder or a square non-residue depending on the attribute of the discriminant D is (p−1) / 2 or (p + 1) / Become two. Therefore, the number of generation groups Q (x) giving the order kg, particularly the maximum order kq, is not the expression (32-3).

Given in. This result has important implications. That is, by changing the attribute of the discriminant D, the structure of the extended quadratic hyperbolic semigroup can be greatly changed, and since it is known in advance how to change the extended quadratic hyperbolic semigroup, It can be used as a “tool” that contributes to the advancement of cryptography and mathematical theory. In the fourth embodiment, this characteristic of the extended quadratic hyperbolic semigroup is used for the problem of prime factorization.

The maximum order kq in the calculation example of FIG. 10C is confirmed from the equation (36-8).
r = 13, s = 17, (D / r) =-1, (D / s) =-1, kq = LCM ((r + 1) / 2, (s + 1) / 2) = LCM (7,9) = 63;
(D / r) =-1, (D / s) = + 1, kq = LCM ((r + 1) / 2, (s-1) / 2) = LCM (7,8) = 56;
(D / r) = + 1, (D / s) = − 1, kq = LCM ((r−1) / 2, (s + 1) / 2) = LCM (6,9) = 18;
(D / r) = + 1, (D / s) = + 1, kq = LCM ((r−1) / 2, (s−1) / 2) = LCM (6,8) = 24;
It can be calculated as expected, and it matches the value actually counted in the trial calculation.

  The structure of the extended quadratic hyperbolic semigroup is still not fully understood and is still under study.

Here, a high-speed calculation of the quadratic hyperbola group HC (reverse method of inverse element calculation) will be described.
If the calculation of the quadratic hyperbola group HC is performed as usual, the burden of the inverse element calculation is heavy, and when the modulus p is large, there is a possibility that the application of the stream cipher becomes difficult. Therefore, in order to save the calculation amount, a method of performing the inverse element calculation only once at the end (inverse element calculation post-rotation method) without performing the inverse element calculation until the end can be considered. This method performs the numerator and denominator calculations separately.
When the group operation + is calculated as R (x ₃ ) = P (x ₁ ) + Q (x ₂ ),

Change the notation as follows. Similarly, let x ₁ = (x ₁₁ , x ₁₂ ) and x ₂ = (x ₂₁ , x ₂₂ ). Substituting this into the equation (37-1) gives

Therefore,
x ₃₁ = (d + c) x ₁₁ x ₂₁ + (-a) (x ₁₁ x ₂₂ + x ₂₁ x ₁₂ ) + adx ₁₂ x ₂₂ (37-3)
x ₃₂ = −x ₁₁ x ₂₁ + d (x ₁₁ x ₂₂ + x ₂₁ x ₁₂ ) + (dc−a) x ₁₂ x ₂₂ ... (37-4)
And the numerator and denominator can be calculated in distinct form. Note that x ₁ = (x ₁ , 1) and x ₂ = (x ₂ , 1) are used as initial values.

The element of the extended quadratic hyperbolic semigroup is expressed by P (x ₁₁ , x ₁₂ ) or y value by using the value x _{11 which} is a numerator and the value x ₁₂ which is a denominator, and P (x ₁₁ , x ₁₂ , y ₁₁ , y ₁₂ ). In the equation (36-2), when x ₁ = d, since the attribute of x ₂ is maintained as it is and is transmitted to x ₃ , the zero element P (d, 1) of the extended quadratic hyperbolic semigroup is expanded. Equivalent to the zero element of the quadratic hyperbola group.

In this calculation, it is necessary to perform the remainder product 9 times per group operation. If the inverse element calculation is performed only once at the last time and only the order k value is known, the inverse element calculation is not required. In the case of calculation of order k, if mP (x) = P (d) in the calculation of mP, x ₃₁ = d · x ₃₂ , so it can be known that m = k has been reached. Also, the match between elements can be determined by the match of the product of the numerator and denominator brought together. In general, in the inverse element calculation, a method of obtaining the inverse element of the x value by ^{xφ (n) −1} (mod n) is normal. However, if only the n value is known, if the φ (n) value cannot be calculated at high speed, there is a disadvantage that the inverse element calculation cannot be executed at high speed. The post-inverse calculation method is an effective method for calculating the “group image” and can be used for problems such as prime factorization. In addition, it exhibits a remarkable effect in high-speed calculation of stream ciphers.

FIG. 11 is a flowchart showing a key generation method for obtaining a prime factor of a modulus n (n = p ₁ p ₂ ) using an extended quadratic hyperbola group or the like according to the fourth embodiment of the present invention. 7 corresponds to the flowchart of FIG.

  In the flowchart of FIG. 11, a prime parameter of the modulus n (n = p1p2) is obtained using a curve parameter setting method (ie, an extended quadratic hyperbola group or the like) performed in the curve parameter setting unit 12 in FIG. The method is shown, and is executed by the processing of steps S21 to S31.

Before explaining the flowchart of FIG. 11, when the extended quadratic hyperbolic group EHC disclosed in the third embodiment is used and a certain number n is composed of two prime factors (n = p ₁ p ₂ ), the value Consider methods (1) to (3) for determining n and knowing its prime factor.

(1) Direct calculation method The direct calculation method is a method of directly substituting the variable p 1 from ₁ as a prime factor value and sequentially increasing the number.
Now, if the number n is displayed in binary, n = 2 ^L + ..., and p ₂ = 2 ^M + ..., substituting p ₁ = 2 ^{L−M + 1} to p ₁ = 2 ^L−M , You can see if the product matches the value n. The amount of calculation is a product of 2 ^L−M times, and if only an odd number is substituted, a product of 2 ^L−M−1 times is sufficient. Therefore, the total calculation amount is

become.
(2) Method of using extended quadratic hyperbola group As a method of using extended quadratic hyperbola group, the order k of extended quadratic hyperbola group EHC is obtained and its prime factor is calculated from equation (31-2). is there. The order kq = LCM (k ₁ , k ₂ ), which is smaller than the product k ₁ k _2, larger than the greatest common divisor GCD (k ₁ , k ₂ ), and GCD (k ₁ , k ₂ ) When = 1, it corresponds to the product k ₁ k ₂ . Therefore,

It can be seen that the order k has an upper limit of about n / 4 when the modulus n is large.
The order kq = LCM (k ₁ , k ₂ ), which is MAX (k ₁ , k ₂ ) ≦ k, and k ₁ k ₂ ≦ k ² ,
√k ₁ √k ₂ ≦ k (38-4)
Means. From equation (38-3):

When curve parameters and base points are appropriately determined and the order is calculated, the calculation amount of the group operation is the same as the direct calculation method. However, since the greatest common divisor usually has a small prime factor, the small prime factor can be easily known by the method using the extended quadratic hyperbolic group EHC. However, it should be noted that the prime factor found is for the maximum order kq, not the prime factor of modulus n. It is not possible to know p ₁ and p ₂ directly.

In special cases, in the case of German prime numbers or Sophie-German prime numbers, if the order of one is prime, a group image with the apparent value of the other value (p ± 1) / 2 is generated. I know. This is because (k ₁ , k ₂ ) = 1 holds because k ₁ or k ₂ is a prime number in the equation (32-3). In this case, one of the divisors of the maximum order kq of the extended quadratic hyperbola group EHC is about a value (p ± 1) / 2, so that the base point reaching the zero element can be found by about √n group operations. The calculation time is relatively short. Further, using the obtained order kg, p = 2 kg ± 1, and the prime factor of the direct modulus n can be obtained.

(3) Method using the image of the extended quadratic hyperbola group The method using the image of the extended quadratic hyperbola group is not to use the extended quadratic hyperbola group EHC, but is aware that the group structure is destroyed. This is a method of handling "group images" using parameters that give. This method is automatically executed when the number of trials used for parameters is mistakenly adopted. Typically,
(A) If the attribute of the discriminant D, which relates to any of the prime factors of modulus n, is a quadratic residue, zero division occurs during the group operation.
(B) When τ (x) is a non-square residue but the d value is a quadratic residue, that is, when there is an attribute mismatch between the zero element and the base point, zero division occurs during the group operation. In this case, the structure of the cyclic group is broken and an image such as a pseudo zero element appears.

  However, in any case, it is possible to avoid the zero division by the inverse method of the inverse element calculation and to construct the extended quadratic hyperbolic semigroup. When an attribute change of discriminant D is accepted and its apparent group structure is examined, images having various orders related to the prime factor of modulus n appear. Thus, if such an order is examined, it becomes a clue to obtain a prime factor of modulus n. In particular, when the prime factor of the modulus n cannot be obtained from the equation (32-3), a clue to obtain the prime factor of the modulus n may be obtained from the equation (36-8).

  The problem with the method of prime factorization using the extended quadratic hyperbola group EHC is that how to construct the extended quadratic hyperbola group EHC when the modulo n is known and the prime factor is not known. The question is whether to define parameters. For example, how should an x value satisfying equation (31-2) be obtained?

Here, it will be examined how the extended quadratic hyperbolic group EHC should be constructed when the modulus n is a composite number given by the product of the prime factors p ₁ and p ₂ .
In this case, in order to select a curve parameter or the like to be adopted, for example, two congruence equations for a value D with (D, p _i ) = 1.

The condition must be satisfied. The number of D values satisfying the expressions (39-1) and (39-2) is (D, n) = 1, and when a primitive root exists, φ (n) is accurately determined according to the attribute. It is known that the number is divided into four pieces. Therefore, if a method for knowing the n value and knowing which set the D value belongs to among the four divided values can be found, a D value satisfying the expressions (39-1) and (39-2) is obtained. It can be judged.

[Theorem 39-1]
When a modulus _{n =} p 1 _{p 2,} residue ring Z / nZ of the original, except for multiples of prime factors _{p 1} or _{p 2,} the attribute of the original _{x (x / p 1) =} ± 1, (x / p ₂ ) = ± 1, and is divided into four equal parts, the number of which is φ (n) / 4.

[Proof]
When the modulus n = p ₁ p ₂ , the original number that is not a multiple of the prime factor p ₁ or p ₂ is φ (n), and the multiple of the prime factor p ₁ or p ₂ is n−φ ( n) There are pieces. Now, from the multiplicative nature of the Euler function φ, φ (n) = φ (p ₁ ) φ (p ₂ ), which means that the structure of the prime factor p ₁ or p ₂ survives even under the modulus n. Is shown. That is, φ (n) elements of the remainder ring Z / nZ are φ (p ₁ ) elements of the remainder ring Z / p ₁ Z and φ (p ₂ ) elements of the remainder ring Z / p ₂ Z. The combination corresponds one-to-one to the element of the remainder ring Z / nZ. Now, assuming that the primitive root of the remainder ring Z / p ₁ Z is r and the primitive root of the remainder ring Z / p ₂ Z is s, the element x of the remainder ring Z / nZ is without the remainder relation,
x = r ^h s ^l ; (h = 0 ,,, p ₁ −1), (1 = 0 ,,, p ₂ −1) (1)
It is expressed. Here, the value r ^h is a quadratic residue with respect to the modulus p ₁ when the h value is an even number and a non-square residue when the h value is an odd number. Similarly, the value s ^l, when l value is an even number in the case to modulo p ₂ quadratic residues, odd is quadratic non-residue. Therefore,

In the expression (2), for one ^sl value, the (x / p ₁ ) attribute has the same number of values +1 and −1 and φ (p ₁ ) / 2. In addition, in the expression (3), for one ^rh value, regardless of the attribute, the (x / p ₂ ) attribute has the same number of +1 and −1, and φ (p ₂ ) / 2 respectively. It is. Therefore, considering as a whole, the value of the (x / p ₁ ) attribute is the same for both +1 and −1 regardless of the choice of the s ^l value, and φ (p ₂ ) xφ (p ₁ ) / 2 It is. (X / _{p 2)} also applies to the attribute, in the same number also choose how the ^{r h} value, total _{φ (p 1) xφ (p} 2) / is two. Here, when one s ^l value is selected in the equation (2), if (x / p ₂ ) attribute is (x / p ₂ ) = + 1 and φ (p ₁ ) / 2 are collected, The same number of combinations of (x / p ₂ ) = + 1 and (x / p ₁ ) = ± 1 can be obtained. Accordingly, when focusing on the attribute sets, the number of different sets is φ (p ₁ ) × φ (p ₂ ) / 4 = φ (n) / 4, which is half of this, and this is a combination of attributes (4 The number is the same regardless of (street).

[Qed]
In the case of a function such as D = τ (x), the number of the D values is only about n / 4 with respect to the possible x values due to the deviation of the function values. Unfortunately, this method has not yet been fully established. However, the clue has been found and will be disclosed below.
From the equations (39-1) and (39-2), in the Jacobi symbol, (D / n) = + 1. On the other hand, the reciprocal law of the square remainder that holds between positive odd numbers m and n

Can be used to calculate the Jacobi symbol value (D / n) of a D value that is a positive odd number, and when the value is (+1), at least the four divided sets Half of them can be eliminated. Accordingly, the possibility of the D value satisfying the expressions (39-1) and (39-2) is increased. Here, when the equations (39-1) and (39-2) are established, even if the Jacobi symbol value is (+1),
X ² = D (mod n) (39-4)
There is no solution that satisfies Therefore, theoretically, the remaining half of the four-divided set satisfying the equation (39-4) can be eliminated. However, if all X values that can be calculated by the calculation of this formula are substituted, the amount of calculation is large, and the tip falls. In the calculation of equation (39-3), if the m value is a composite number, then the (n / m) value cannot be specifically calculated unless the prime factor of m is known. Therefore, it is conceivable to try a m-value that is a prime number or odd composite number other than p ₁ and p ₂ and has a small value.

This is where the “Extended Euler Criteria” described below appears. Euler's criterion is to calculate D ^{(p−1) / 2} (mod p) for a value D with (D, p) = 1, and whether the D value is a quadratic remainder with respect to the modulus p or square Used to determine whether the number is a non-remainder number. Since the D value can be determined by simple calculation, this is an excellent method.

Here, when determining the D value that satisfies the equations (39-1) and (39-2) for determining the curve parameters, etc., a method that does not directly calculate the equation (39-4) is studied. View.
In the case of Jacobi's symbol (D / n) = + 1, two congruence equations

Is established. However, the integer h is a common power value of 2 of the factors (p ₁ −1) and (p ₂ −1). It is relatively easy to count how many prime factors the value n has. However, the integer h cannot be specified only from the n value. The reason why the prime factor of 2 is excluded is that this forces the Legendre symbol value of the value D to be +1. If the power is squared, half of the original information is lost. Therefore, classification must be performed with the information before being lost. Therefore,

Is established. This equation is a constantly value +1 is ^{φ (n) / 2 h +} 1 -th root of value D, the value D φ (n) / ^{2 m} th root (m> h + 1) at the value +1 other value (e.g., “1 to the 2 ^mth root” (mod n)) appears.
From the equation (39-4), the D value itself may be a square number. On the other hand, the D value satisfying the expressions (3-1) and (39-2) does not become a square number. Therefore, for a value D where (D, p _i ) = 1,

And these values depend on the values of the factors (p ₁ -1) and (p ₂ -1).
(1) When a prime factor of 2 remains in any of the factors (p ₁ -1) / 2 ^h and (p ₂ -1) / 2 ^h Further, the equations (40-6) and (40-7) Since both sides match after starting a square,

Thus, it can be distinguished from the case of (40-5). This equation is a constantly value +1 is φ (n) / ^{2 h} root of the value D, the value D φ (n) / ^{2 m} th root (m> h) the values +1 other values (e.g., “1 to the 2 ^mth root” (mod n)) appears.
(2) When no prime factor of 2 remains in any of the factors (p ₁ -1) / 2 ^h and (p ₂ -1) / 2 ^h Factors (p ₁ -1) / 2 ^h and (p _2- 1) / 2 Since ^h is an odd number,

Thus, it can be distinguished from the case of (38-5). This expression always has a value of −1 for the φ (n) / 2 ^{h + 1} root of the value D, and a value other than the value −1 for the φ (n) / 2 ^mth root of the value D (m> h + 1) ( for example, - it indicates that "1 of ^{2 m} root" (mod n)) appears. That is, the D value belonging to the set satisfying the expressions (39-1) and (39-2) can be selected in one of the four divided sets. Therefore, the requirement such as the equation (40-9) is referred to as “extended Euler criterion”. In the equation (40-9), when n = p and h = 0, it matches the conventional Euler criterion. In other words, the criteria for extended Euler are:

Satisfy each.
When the value of φ (n) is known in advance in the calculation of equation (40-9), high-speed exponent calculation can be used. If a high-speed calculation algorithm for the φ (n) value itself is established, the D value satisfying the expressions (39-1) and (39-2) can be selected by knowing the n value. However, if the value of φ (n) can be calculated at high speed for n values with a large number of bits, it is easy to find the prime factor, and there is no significance in using the extended quadratic hyperbola group EHC. That is, the expression (40-9) cannot be used when the value of φ (n) is not known in advance and the prime factor of the modulus n is not known. Here, only the remaining half of the four-divided set is separated, so that it is only meaningful for use after the application of the equation (39-3).

Here, numerical examples are given.
In experience, out of 14 odd prime numbers having a D value of 50 or less, at least about 3 (equivalent to 1/4) are D values satisfying the expressions (39-1) and (39-2), and the extended secondary It has been found that it can be used to specify the curve parameters of the hyperbolic group EHC. For example, when p ₁ = 11, p ₂ = 13, and n = 143, D = 3, 7, 19, 23, and 41 (D / n) = + 1. , try to ask for "1 of 2 ^m root" in the order from (40-10) by applying the formula, the larger of the exponential value.
D ^{(φ / 2)} = 1, 1, 1, 1, 1
D ^{(φ / 4)} = 1, 12, 12, 1, 12
Therefore, it can be seen that three of D = 7, 19, and 41 satisfy the expressions (39-1) and (39-2). This work also reveals that h = 1. In addition, even if the value D satisfying the equations (39-1) and (39-2) is known, the congruence equation τ (x) = x ² + cx−a = D for the modulus n is used to determine the base point and the like. (Mod n) ... (40-11)
To obtain the x value. Since this work is quite difficult, the application of equation (40-11) is avoided by the method of considering the x value first.

Next, a key generation method for obtaining a prime factor constituting the modulus n (n = p ₁ p ₂ ) using the extended quadratic hyperbola group shown in the flowchart of FIG. 11 will be described.

  First, the configuration of the extended quadratic hyperbolic group EHC is tried. Curve parameters are determined according to the following steps S21 to S31 by selection / calculation processing using a hardware circuit or by selection / calculation processing using a processor such as a CPU.

When the processing of FIG. 11 is started (started), in step S21, a value D that satisfies one (39-1) and (39-2) is obtained as small as possible. At this time, the D value is selected to be a small odd value satisfying (D / n) = + 1 so that the reciprocal law of the quadratic residue can be applied. Typically,
(A) If the attribute of the discriminant D, which relates to any of the prime factors of modulus n, is a quadratic residue, zero division occurs during the group operation.

In step S22, parameters a and c that determine the discriminant D / 4 = c ² + 4a are determined. As a rule of thumb, it has been found that the smallest odd prime number satisfying (D / n) = + 1 often satisfies the expressions (39-1) and (39-2). Therefore, in the case of the number n = 146611, since (τ (x) / n) = + 1 for D = 5, 7, 13, 29, 31, 41, the discriminant D / 4 = c ² D = 5 for + 4a. Next, according to D / 4 = c ² + 4a, those having the smallest possible value are designated as a and c. Note that discriminant D / 4 and discriminant D may be identified. This is because the value 4 is a square number. Therefore, for the curve parameters a and c, c = 1 and a = 1.

  In step S23, τ (x) is calculated for an appropriate x value. τ (x) is calculated by substituting values from x = 0 in ascending order.

  In step S24, x values satisfying (τ (x) / n) = + 1 are collected from those in which τ (x) is an odd number. That is, when τ (x) is an odd number, the value of (τ (x) / n) is obtained using the reciprocal law of the square remainder. Here, designation of the x value corresponds to designation of the base point P (x), and designation of the d value corresponds to designation of the zero element P (d). In the calculation, for x = 2, 5, 8, 11, 13, it has values of τ (x) = 5, 29, 71, 131, 181, all odd numbers, and (D / n) = + 1. It is. When (τ (x) / n) = + 1, the x value is recorded in a storage means such as a register.

In step S25, from the recorded x values, the one in which τ (x) is expected to satisfy the equations (39-1) and (39-2) is selected. Typically,
(B) When τ (x) is a non-square residue but the d value is a quadratic residue, that is, when there is an attribute mismatch between the zero element and the base point, zero division occurs during the group operation. In this case, the structure of the cyclic group is broken and an image such as a pseudo zero element appears. If this selection is bad, the calculation is terminated halfway, and another trial number is adopted as the x value or d value.

  In steps S26 and S27, the order of the extended quadratic hyperbola group or the like is calculated. From the equation (36-2), the maximum order kq of the extended quadratic hyperbola group has an upper limit value of about n / 4, but mP (x) is calculated, and m value at which mP = O is obtained. It should be noted that generally, the m value is a divisor of several kilograms of the maximum order kq. However, since the number of generation groups giving the maximum order is generally the largest, it can be said that there is a high possibility of selecting the x value giving the maximum order even if it is arbitrarily selected. If the base point that gives the maximum order kq is selected from the beginning because the parameter is selected most correctly, it will not reach zero unless the group calculation is performed about n / 4 times, so the calculation time is long. Become. In addition, in the calculation of the group image, a reverse method after the inverse element calculation is used.

  In step S28, when an m value satisfying mP = O is obtained by calculation, the m value is recorded in a storage means such as a register. In general, since the m value is a divisor of several kilograms of the maximum order kq, it may not be a major factor of the maximum order kq.

  In steps S29 and S30, if the number of group operations exceeds √n, there is a high possibility that the x value giving the maximum order kq has been selected, so the selected x value is reselected. When the x value to be reselected is exhausted, the obtained data is analyzed.

In step S31, the largest one of the obtained order kg is selected, or the least common multiple is calculated. From these, the maximum order kq is determined, and the prime factors p ₁ and p ₂ are calculated by the equation (32-3). In special cases, this calculation is easy in the case of German prime numbers and Sophie-German prime numbers, but in the general case, the maximum common divisor is taken into consideration.

  Now, assuming that the unknown number n = 146611 has two prime factors, the prime factor is actually obtained from only the value n.

In the calculation, for x = 2, 5, 8, 11, 13, it has values of τ (x) = 5, 29, 71, 131, 181, all odd numbers, and (D / n) = + 1. Therefore, the parameters of the extended quadratic hyperbola group so as to satisfy both the equations (39-1) and (39-2) are as follows: c = 5, a = 1, b = 131, d = 71; Set to. When the upper limit value of the group operation was set to 1000 times, the order kg = 542 was finally obtained in the 13th trial (x = 40), not finally being censored. This value is a multiple of the prime factor p ₁ = 271. Although the extended quadratic hyperbolic group EHC was correctly constructed, it took time to determine the prime factors constituting the modulus n because base points with kg> 1000 were consecutive.

Next, the selection of the x value or the like that destroys the configuration of the extended quadratic hyperbola group EHC is tried.
(1) and (2) are the same, but in (3),
<3> Substituting values from x = 0 in ascending order to calculate τ (x), and when the value is an odd number, the value of (τ (x) / n) is calculated using the reciprocal law of square remainder. Ask. In the calculation, for x = 3, 4, 9, 10, 21 there are values of τ (x) = 11, 19, 89, 109, 461, all odd numbers, and (D / n) = −. 1. When (τ (x) / n) = − 1, the x value is recorded in storage means such as a register.

  <4> Select τ (x) from the recorded x values. When the base point that gives the maximum order kq of the extended quadratic hyperbolic group EHC is selected, the calculation time is long, and therefore the calculation is aborted midway when the root operation is not reached even in the group operation of √n times. In other words, the expected order kg is kg ≦ √n. Search for other group images that maintain the structure of the traveling group, and determine their order kg.

Since the curve parameters are determined as a = 1, c = 1, d = 11, and x = 8 by the curve parameter determination methods <3> and <4>, the extended quadratic hyperbola group EHC can be determined. The order k is calculated based on Since √n≈383, if the number does not reach zero, the calculation is terminated and the next x value is tried. As a result of the calculation, for an x value such that (τ (x) / n) = − 1,
x1 = 5 (x1 * (x1 + c) −a) = 29: order k = 270
x1 = 8 (x1 * (x1 + c) −a) = 71: Order k = 270
x1 = 11 (x1 * (x1 + c) −a) = 131: Order k = 1
x1 = 13 (x1 * (x1 + c) -a) = 181: order k = 270
x1 = 14 (x1 * (x1 + c) -a) = 209: Order k = 135
Could get. The calculated order is kg = 270. Therefore, p ₁ = 541 can be obtained by substituting the obtained order for p ₁ = 2 kg + 1. Since the modulus n = 146611, another prime factor p ₂ can be calculated as p ₂ = 271.

In the above example, there was a special case where the prime factors of modulus n are in the relationship of Germann prime numbers. Now, assuming that the unknown number n = 147489, which is increased by one digit, has two prime factors, the prime factor is actually obtained from only the value n.
(1) In the calculation using the quadratic reciprocal law, since D = 5, 9, 11, 17, 23 are all odd numbers and (D / n) = + 1, the smallest odd prime number D = 5 and the parameters were selected as a = 1 and c = 1.
(2) Calculate several τ (x) under the above parameters and select an odd number. Collect x values such that (τ (x) / n) = + 1. In the calculation using the reciprocal law of the quadratic remainder, τ (x) = 5, 11, 29, 71, 89 for x = 2, 3, 5, 8, 9 and all are odd and (D / n) = + 1.
(3) From the collected x values, the base point P (x) and the zero element O = P (d) are appropriately allocated, and the order is calculated.
(4) An m value that satisfies mP = O is obtained, and if the zero element O is not reached even after √n≈1214 group operations, the order calculation is terminated.
(5) When the x value was a trial value and the d value was d = 3, the following results could be obtained.
n = 1474289, c = 1, a = 1, d = 3;
x = 2 censoring x = 3 Completion: Order kg = 1
x = 5 censored x = 8 censored x = 9 censored This result indicates that the target order kg ≦ √n could not be obtained because the base points giving the maximum order kq were consecutive. .
(6) This time, the attribute of the discriminant D is changed. In the calculation using the reciprocal law of the quadratic residue, since D = 3, 7, 13, 15, and 19 are all odd numbers and (D / n) = − 1, D = 13 is designated. The parameters were selected as a = 3 and c = 1.
(7) Several τ (x) are calculated under the above parameters, and an odd number is selected. Collect x values such that (τ (x) / n) = + 1. In the calculation using the reciprocal law of the quadratic residue, τ (x) = 9, 17, 179, 269 with respect to x = 3,4,13,16, all odd numbers and (D / n) = + 1 Met.
(8) When the x value was a trial value and the d value was d = 3, the following results could be obtained.
n = 1474289, c = 1, a = 3, d = 3;
x = 3 Completion: Order kg = 1
x = 4 Completion: Order kg = 585
x = 13 Censoring x = 16 Censoring As a result, one target order kg ≦ √n can be obtained, which indicates that kg = 585.
(9) Since the attribute of the discriminant D value is (D / n) = − 1, the maximum order kq is given by the expression (36-8). When the provisional prime factor related to the modulus n is q, q = 2 kg ± 1 = 1170 ± 1. Therefore, when the modulus n was actually divided by this q value, it was divisible by q = 1171, and it was determined that p ₁ = 1171, p ₂ = 1259.

The above results are summarized.
As a result of calculating the order with the processor by appropriately setting parameters with the extended quadratic hyperbola group EHC, the base point giving the maximum order kq continues, and the truncation continues, and the generation group having the desired order cannot be found. It was. Therefore, the attribute of the discriminant D value is changed, and this time, as a result of calculating the order by appropriately setting parameters in the extended quadratic hyperbolic semigroup, a generation group having the required order can be found, and (36− The correct prime factor of the modulus n can be determined by the equation (8). Again, the effectiveness of the extended quadratic hyperbolic semigroup was confirmed.

The RSA cipher is so-called that when two prime numbers p and q are unknown and only the product n = pq is known, it is difficult to know the prime factors p and q even if the n value is known. It is said to be based on the mathematical difficulty of prime factorization. A natural number e smaller than φ (n) is selected which is relatively prime to φ (n), and a natural number d such that de = 1 (mod φ (n)) is selected. At this time, it is possible to configure a public key encryption scheme in which the public key is a set of (n, e) and the secret key is d. For plaintext m, the ciphertext c = m ^e (mod n) is calculated using the public key and sent to the other party. Its counterpart can decrypt the plaintext using the private key by ^{m = c d (mod n)} .

  Since the RSA cipher uses the product n = pq of two prime numbers, the prime factor can be obtained by the method using the extended quadratic hyperbolic group EHC according to the present embodiment. If the prime factors p and q are known, φ (n) = (p−1) (q−1) can be calculated. Therefore, the secret key d can be obtained from the public key e by inverse element calculation, and the decryption thereof is easy. is there. However, since the calculation amount of the method according to the present embodiment requires about √n group operations, it cannot always be obtained at high speed. In practice, the amount of calculation will be proportional to log n. The study of the quadratic hyperbola group has only just begun, and it seems that there is enough room to reduce the amount of calculation.

  If the modulus n is composed of three or more prime factors, it will be of little value on the cryptographic theory, even though interest in the mathematical theory remains. So here's a quick touch. However, it is assumed that the plurality of prime factors are different from each other.

  When the modulus n is composed of three or more prime factors, it is possible to predict to some extent what the extended quadratic hyperbolic group EHC will be, but it is best to estimate while confirming by trial numerical calculation Think. From the equation (32-3), in the general case, the maximum order of the generator group Q (x) is

It is expected to be. There is no proof.
Here, the case where the modulus n is composed of three prime factors is exemplified in the trial numerical calculation.
x such that (x / r) =-1, (x / s) =-1, and (x / t) =-1 in the case of r = 7, s = 11, t = 13, and n = 1001. Since the values are x = 6, 19, and 24, it is assumed that D = 24 and the parameters are selected as c = 2 and a = 5. An element having an x value such that (τ (x) / r) = − 1, (τ (x) / s) = − 1, and (τ (x) / t) = − 1 under this parameter. An m value such that mP = O is obtained with P (x) as a base point. This m value gives the order kg of the generation group Q (x). In this trial calculation, the maximum value kq of kg was kq = 84. This is the same as the equation (45-1) when n = 3. That is, the expected value is kq = LCM (k1, k2, k3)
= LCM ((r + 1) / 2, (s + 1) / 2, (t + 1) / 2) = LCM ((7 + 1) / 2, (11 + 1) / 2, (13 + 1) / 2) = LCM (4,6,7 ) = 84
Which matches the trial calculation.

  The number of generation groups Q (x) is ψ (kg) = 48, 36, 24 for kg = 84, 42, 28, 21, 14, 12, 7, 6, 6, 3, 2, 1, respectively. , 12, 18, 8, 6, 6, 4, 2, 3, 1.

Next, the sum Σ _{d | kg} ψ (d) = about 168, 84, 56, 21, 28, 24, 7, 12, 8, 8, 3, 4, ₁ for the divisor _{d | kg}
This is the sum Σ _{d | kg} ψ (d) = 2 * 84, 2 * 42, 2 * 28, 1 * 21, 2 * 14, 2 * 12, 1 * 7, 2 * 12, 2 * 4 , 1 * 3, 1 * 1
It can be expressed. Therefore,
Sum Σ _{d | kg} ψ (d) = hkg (h = 1 or 2)
Is established. However, when h = 1, the order kg does not include a common factor. When h = 2, the order kg includes a common factor h = 2. Here, the common factor h is h = (kg, k1, k2), and the order k3 is not involved. It is a partial common factor. It is not yet known what selection is made when there is a common factor that spans multiple orders. However, from the symmetry of the individual orders, the sum Σ _{d | kg} ψ (d) = h1h2h3kg (45-2)
h1 = (kg, k1, k2), h2 = (kg, k2, k3), h3 = (kg, k3, k1)
Is expected to be established. In the above example, h1 = h, h2 = 1, and h3 = 1.

In order to confirm this expectation, a trial calculation in the case of r = 7, s = 11, t = 17, and n = 1309 will be examined.
Since the x values such that the attributes are (x / r) =-1, (x / s) =-1, (x / t) =-1 were x = 6, 10, 24, D = 24 Suppose the parameters are c = 2 and a = 5. Under this parameter, (τ (x) / r) = − 1, (τ (x) / s) = − 1, (τ (x) / t) = − 1
An m-value such that mP = O is obtained with an element P (x) having an x-value such as This m value gives the order kg of the generation group Q (x). In this trial calculation, the maximum value kq of kg was kq = 36. Expected values are: kq = LCM ((r + 1) / 2, (s + 1) / 2, (t + 1) / 2) = LCM ((7 + 1) / 2, (11 + 1) / 2, (17 + 1) / 2) = LCM (4 , 6, 9) = 36
And agreed with the trial calculation value.

The number of generation groups Q (x) is ψ (kg) = 72, 54, 32, respectively for kg = 36, 18, 12, 9, 6, 4, 3, 2, 1 in the trial calculation. 18, 24, 4, 8, 3, 1. Next, the sum for the divisor _{d | kg} is the sum Σ _{d | kg} ψ (d) = 216, 108, 72, 27, 36, 8, 9, 4, 1
This is the sum Σ _{d | kg} ψ (d) = 6 * 36, 6 * 18, 6 * 12, 3 * 9, 6 * 6, 2 * 4, 3 * 3, 2 * 2, 1 * 1
It is. Therefore,
Sum Σ _{d | kg} ψ (d) = hkg
And h = 6, 6, 6, 3, 6, 2, 3, 2, 1.

Here, when h = h1h2h3 and kg = 36,18,12,9,6,4,3,2,1, the expected value of h value is calculated, h = (kg, k1, k2) (Kg, k2, k3) (kg, k3, k1) to for kg = 36 h = (36, 4, 6) (36, 6, 9) (36, 9, 4) = 2 * 3 * 1 = 6
for kg = 18 h = (18, 4, 6) (18, 6, 9) (18, 9, 4) = 2 * 3 * 1 = 6
for kg = 12 h = (12,4,6) (12,6,9) (12,9,4) = 2 * 3 * 1 = 6
for kg = 9 h = (9,4,6) (9,6,9) (9,9,4) = 1 * 3 * 1 = 3
for kg = 6 h = (6, 4, 6) (6, 6, 9) (6, 9, 4) = 2 * 3 * 1 = 6
for kg = 4 h = (4,4,6) (4,6,9) (4,9,4) = 2 * 1 * 1 = 2
for kg = 3 h = (3,4,6) (3,6,9) (3,9,4) = 1 * 3 * 1 = 3
for kg = 2 h = (2, 4, 6) (2, 6, 9) (2, 9, 4) = 2 * 1 * 1 = 2
for kg = 1 h = (1, 4, 6) (1, 6, 9) (1, 9, 4) = 1 * 1 * 1 = 1
Thus, it also coincided with the trial calculation value.

  Therefore, if Moebius's inversion formula is applied to the equation (45-2), when the modulus n has 3 prime factors,

Thus, ψ (36) = 72, which coincided with the value actually counted in the trial calculation.
Now consider how it should be handled if the common factor h _c = (k1, k2, k3) ≠ 1.

In the equation (45-3), h = h1h2h3 and h _c ³ will appear. However, the order kg is originally kq = LCM (k1, k2, k3) and its sum only for the divisor. Therefore, it is considered that the contribution to the sum of the number of generation groups Q (x) of order kg or less is excessive.

Therefore, we try to estimate the correct theoretical formula again by trial numerical calculation.
An extended quadratic hyperbola group with modulus n = p ₁ p ₂ p ₃ with prime factors of p ₁ = 11, p ₂ = 17, p ₃ = 23, and parameters such that (D / p _i ) = − 1 Etc. (a = 14, c = 1, d = 6, b = 15) are set, and the order kg of the generator group Q (x) is obtained for the x value such that (x / p _i ) = − 1. As a result of trial numerical calculation, the following results were obtained.

That is, for the maximum order kq of the generation group Q (x), kq = LCM (k1, k2, k3) as in the conventional case.
= LCM ((p ₁ +1) / 2, (p ₂ +1) / 2, (p ₃ +1) / 2) = LCM ((11 + 1) / 2, (17 + 1) / 2, (23 + 1) / 2) = LCM (6, 9, 12) = 36
Which matches the trial calculation. Also, for kg = 36, 18, 12, 9, 6, 4, 3, 2, 1, ψ (kg) = 216, 162, 104, 54, 78, 4, 26, 3, 1, respectively. . Next, the sum for the divisor _{d | kg} is the sum Σ _{d | kg} ψ (d) = 648,324,216,81,108,8,27,4,1
This is the sum Σ _{d | kg} ψ (d) = 18 * 36, 18 * 18, 18 * 12, 9 * 9, 18 * 6, 2 * 4, 9 * 3, 2 * 2, 1 * 1
It is. Therefore, the sum Σ _{d | kg} ψ (d) = hkg holds, and h = 18, 18, 18, 9, 18, 2, 9, 2, 1. Comparing this result with the conventional estimation theoretical formula h = h1h2h3, it can be seen that there is an excess just by the common factor h _c = (kg, k1, k2, k3). Therefore,
h = (kg, k1, k2) (kg, k2, k3) (kg, k3, k1) / (kg, k1, k2, k3) (45-4)
Is assumed to be the original figure (theoretical formula). According to this, (45-3) is essentially

If k ₃ = 1 is set, it returns to the equation (35-6). Although there is no direct proof about (45-5), it is interpreted as follows. First, since the common factor always appears in the form of the square of the constituent factor or more, it does not affect the fundamental period due to the nature of the Moebius function. Therefore, the number of terms in the equation (45-5) does not substantially increase, and only affects the number kg / d of cyclic groups having the basic period. Next, when the order k = k ₁ k ₂ k ₃ , a set of prime factors is considered, and a superposition of three sets of k ₁ , k _2, and k ₃ is considered. The set k ₁ includes its own unique part k ₁₀ , a common part h ₄ of the three sets, a common part h _{12 of} only the set k _2, and a common part h _{31 of} only the set k ₃ . Set _{k 2} is composed of a common part _{h 23} Metropolitan the only intersection _{h 12} a set _{k 3} with only a set _{k 1} and intersection _{h 4} of its own inherent part _{k 20} and the three sets. Set _{k 3} are constructed from a common portion _{h 23} Metropolitan the only set _{k 2} and intersection _{h 31} with only a set _{k 1} and intersection _{h 4} of its own inherent part _{k 30} and the three sets. At this time,

There is a structure that is repeated times. Here, considering the number kg / d of the traveling group,

Can be associated with each other. From the above discussion, the number of cyclic groups having the basic period is from kg / d to (kg / d) (kg / d, k ₁ , k ₂ ) (kg / d, k ₂ , k ₃ ) (kg / d, k ₃ , k ₁ ) / (kg / d, k ₁ , k ₂ , k ₃ ).

Another trial calculation example is given for the equation (45-5).
In the extended quadratic hyperbolic group EHC with modulus n = p ₁ p ₂ p ₃ with prime factors p ₁ = 17, p ₂ = 23, p ₃ = 29, so that (D / p _i ) = − 1 Parameters (a = 9, c = 1, d = 4, b = 14) are set, and the order kg of the generator group Q (x) is set for x values such that (x / p _i ) = − 1. As a result of the trial numerical calculation to be obtained, the following results were obtained.

That is, for the maximum order kq of the generation group Q (x), kq = LCM (k1, k2, k3) = LCM ((p ₁ +1) / 2, (p ₂ +1) / 2, ( p ₃ +1) / 2)
= LCM ((17 + 1) / 2, (23 + 1) / 2, (29 + 1) / 2) = LCM (9,12,15) = 180
Which matches the trial calculation. or,
kg = 180, 90, 60, 45, 36, 30, 20, 18, 15, 12, 10, 9, 6, 5, 5, 4, 3, 2, 1
Ψ (kg) = 432, 216, 208, 216, 108, 104, 8, 54, 104, 52, 4, 54, 26, 4, 2, 26, 1, 1
Met. Then the sum for the divisor d | kg is
Sum Σ _{d | kg} ψ (d) = 1620, 810, 540, 405, 324, 270, 20, 162, 135, 108, 10, 81, 54, 5, 4, 27, 2, 1
This is the sum Σ _{d | kg} ψ (d) = 9 * 180, 9 * 90, 9 * 60, 9 * 45, 9 * 36, 9 * 30, 1 * 20, 9 * 18, 9 * 15 , 9 * 12, 1 * 10, 9 * 9,
9 * 6, 1 * 5, 1 * 4, 9 * 3, 1 * 2, 1 * 1
It is. Therefore,
Sum Σ _{d | kg} ψ (d) = hkg
Is established,
h = 9,9,9,9,9,9,1,9,9,9,1,9,9,1,1,9,1,1
It is. When this result is compared with the estimated theoretical value h = h1h2h3, the same factor h _c = (kg, k1, k2, k3) is overloaded, and the expressions (45-4) and (45-5) Was established. Therefore, it is generally considered that the expressions (45-4) and (45-5) are established. However, it is only an estimate and there is no proof.

Up to this point, the extended quadratic hyperbola group EHC when the modulus n is a composite number and n = p ₁ p ₂ (p ₁ ≠ p ₂ ) has been dealt with, but here the modulus n is the composite number and n = p ^h ( The case of p ≠ 2) will be described briefly.

When the law n is n = ^ph (p ≠ 2), non-patent literature (Takaharu Sadaharu "Primary Number Theory Lecture" 2nd Edition, Kyoritsu Shuppan (ISBN: 4-320-01001-9) P.112) There is the following theorem indicated by.

[Theorem 46-1]
When the prime powers ^{= p} h ^(p ≠ 2) the law, primitive root r exists. That, r is the number that φ ^{(p h)} th power becomes 1 congruent to first ^{p h} modulo therefore ^{1, r, r 2 ,,, r} φ-1; φ (p h) = p h- ¹ (p-1)
But to represent the irreducible kind of law p ^h.

[Proof omitted]
Therefore, it is possible to discuss the number of mates using this primitive root. However, the concept of mating is a concept that is valid only when the modulus is a prime number such as p. When the modulus is a composite number n, it cannot be directly expanded by the same argument. When the modulus is a composite number n, the extension is attempted based on the case where the modulus is a prime number p. In fact, according to Theorem 39-1, the structure of prime factor p ₁ or p ₂ survived even under modulus n. A primitive root is a multiplicative group of modulus n and an element whose order is φ (n). Therefore, n−φ (n) values n and non-prime elements are excluded, and they do not appear depending on the product of primitive roots.

A hint to understand the structure under modulo n is in Euler's function. In the case of ^{n = p h φ (p h} ) = p h-1 (p-1)
Is established, but this is φ ( ^ph ) = ^ph−1 φ (p)
Can be rewritten. This means that "there exists a structure in which the structure of the prime factor p is repeated ^ph-1 times".

Here are some numerical examples.
When h = 2, p = 3, and n = 9, (D / p) = + 1, for example, when a = 1 and rs = a, n = 9 and φ (n) = 6. , (R, n) ≠ 1 is n−φ (n) = 3, and r = 0, 3, and 6, respectively. Further, according to the conventional discussion, the number of mates under the modulo n is 4, specifically, (r, s) = (1, 1); (8, 8); (2, 5); (4 7). However, if the modulo is considered not by n but by modulo p, and it is assumed that it is constituted by repetition of φ (n) / φ (p) times, the configuration of mating is also different. At this time, there are only two mates: (r, s) = (1, 1); (2, 2). Then, φ (n) / φ (p) = 6/2 = repeated three times. That is, when (D / p) = + 1, the structure has two mates repeated three times, and a total of 6 mates appear.

  (D / p) =-1, for example, when a = 2 and rs = a, N = φ (n) / 2 = 3, specifically, (r, s) = (1, 2); (4, 5); (7, 8). However, if the modulo is considered not by n but by modulo p, and it is assumed that it is constituted by repetition of φ (n) / φ (p) times, the configuration of mating is also different. At this time, there is only one mate (r, s) = (1, 2). And it has a structure which repeats (phi) (n) / phi (p) = 6/2 = 3 times. That is, when (D / p) = − 1, one mating appears repeatedly three times, and a total of three mates appear.

Now it is counting the number N of law n = p under ^{h "τ (x) = x 2 +} cx-a is a quadratic residue" condition that x.

At this time, as in the conventional discussion, the number of mates varies depending on whether the discriminant D is a non-square residue or a square residue (D ≠ 0) under the modulus p. The number N of x satisfying the condition that “τ (x) is a square remainder” is determined. However, the discussion about the mating is valid only when the prime factor p is modulo and is calculated on the assumption that the structure of the prime factor p is repeated ^ph-1 times. That is, the number N of x satisfying the condition that “τ (x) is a quadratic residue” is, if the discriminant D is a non-square residue under the modulus p,
N = ^ph-1 ((p-1) / 2) (46-1)
If the discriminant D is a quadratic residue (D ≠ 0) under the modulus p,
N = ^ph−1 ((p + 1) / 2) (46-2)
It becomes each.

  Here, how to handle the numerical value r (one of the mates) where (r, n) ≠ 1 will be described.

  All numerical values where (r, n) ≠ 1 are multiples of the modulus p. Therefore, it does not have an inverse element (Z / nZ). Since there is no inverse element, a mating such that rs = D cannot be constructed when D ≠ 0. Accordingly, τ (x) is not a square remainder for the x value related to the mating r. That is, τ (x) is a non-square residue number, and is counted as the number N_ of x satisfying the condition that “τ (x) is a non-square residue”. This means that the number N_ of the non-square residue number is N_ = n−N. When D = 0, all are square remainder numbers.

Thus, of order k of the extended secondary hyperbolic groups when the modulus n is n = p ^h is the discriminant D is as long as quadratic non-residue under the law p,
k = n−p ^h−1 ((p−1) / 2) = ^ph−1 (p + 1) / 2 (46-3)
If the discriminant D is a quadratic residue (D ≠ 0) under the modulus p, it becomes an extended quadratic hyperbolic semigroup, and its order k is k = n−p ^h−1 ((p + 1) / 2) = ph ^-1 (p-1) / 2 (46-4)
It becomes each. In addition, since there is no structure other than the prime factor p, the concept of the cyclic cycle of the least common multiple given by the equation (32-3) does not hold, and the maximum order kq of the generated group Q (x) is an extended quadratic order. It agrees with the order k of the hyperbolic group, and kq = k.

Here, numerical examples are given again.
In the case of an extended quadratic hyperbola group of h = 3, p = 7, n = 343 and (D / p) = − 1, the maximum position of the generator group Q (x) at D = 5, a = 1, and c = 1 The number k _q was k _q = 196. According to the above discussion, the number of x values for which τ (x) is a non-square residue N_ = n−p ^h−1 ((p−1) / 2) = 343−49 × 3 = 196
Therefore, the number N_ of x values in which τ (x) is a non-square residue coincides with the maximum order k _q of the generation group Q (x).

On the other hand, when (D / p) = + 1 at D = 9, a = 2, and c = 1, an extended quadratic hyperbolic semigroup is obtained, and the maximum order k _q of the generator group Q (x) is k _q = 147. Met. According to the above discussion, the number N_ of x values in which τ (x) is a non-square residue is N_ = n−p ^h−1 ((p + 1) / 2) = 343−49 × 4 = 147.
Therefore, the number N_ of x values in which τ (x) is a non-square residue coincides with the maximum order k _q of the generation group Q (x).

  In the first embodiment of the present invention, the HC-Elgamal encryption is disclosed as a specific encryption method, and the HC-Elgamal signature is disclosed as a specific digital signature method. However, the use of the quadratic hyperbola group of the present invention is not limited to these, and can be extended to all applications using a discrete logarithm such as a quadratic hyperbola group. In that case, it is possible to construct a cipher using the quadratic hyperbola group EHC with a simple configuration compared to elliptic curve cryptography, etc., and since the order relation is particularly simple, it is discrete for those who have elementary knowledge of number theory. The use of logarithmic cryptography is expected to spread. For cryptography and mathematicians, it can be used as a “tool” that contributes to the advancement of conventional cryptography and mathematical theory.

FIG. 12 is a diagram comparing the characteristics of elliptic curve cryptography and hyperbola cryptography.
As already disclosed, the mathematical basis of hyperbolic cryptography is based on the difficulty of obtaining discrete logarithms, which is similar to elliptic curve cryptography. However, in elliptic curve cryptography, it is necessary to repeat the prime order determination by changing the curve parameters in order to obtain prime orders. In this regard, hyperbolic cryptography that can specify prime order from the beginning is more advantageous. In addition, the specification of the curve parameter can be easily selected by the designer simply by satisfying a predetermined relational expression. It can be said that elliptic curve cryptography in which curve parameters are constrained due to prime order is disadvantageous.

  There is no difference between them in that public key cryptography and digital signature can be realized in the same way. However, since the order is constant in the hyperbolic cryptography, it is possible to configure a secret key variation or calculation variation type encryption. This suggests the possibility of use in quantum cryptography communication that requires stream ciphers and one-time disposable ciphers. Considering the most computational load, it is considered that the number of bits such as a secret key related to encryption cannot be increased even when the inverse element calculation post-rotation method is used.

It is a functional block diagram which shows schematic structure of the key generation apparatus of the quadratic hyperbola group which concerns on Example 1 of this invention. It is a flowchart which shows the key generation method of the quadratic hyperbola group which concerns on Example 1 of this invention. It is a conceptual diagram which shows the structure of the quadratic hyperbola group regarding group calculation. In a specific configuration example of the quadratic hyperbola group, the generation group Q (x) of the quadratic hyperbola group HC (d ≠ b) where p = 23, d = 6, a = 4, c = 1, and b = 7 It is a figure which shows a structure. It is a schematic block diagram which shows the secret key fluctuation | variation type stream cipher production | generation apparatus concerning Example 2 of this invention. FIG. 5 is a diagram illustrating a calculation example (m = 2) of the secret key variable stream cipher generation device in FIG. 4. FIG. 5 is a diagram illustrating a stream output example of the secret key variable stream cipher generation device of FIG. 4. FIG. 5 is a configuration diagram of a communication system that performs transmission and reception of data by performing encryption and decryption by the secret key fluctuation type stream cipher generation device of FIG. 4. It is a flowchart showing an extended secondary hyperbolic group key generation method (case of n = p ₁ p ₂₎ according to the third embodiment of the present invention. It is a figure which shows the structure of the extended quadratic hyperbola group (generation group Q (x)) of modulus n = 91 and order k = 28 which concerns on Example 3 of this invention. It is a figure which shows the structure of the expansion quadratic hyperbola group (generation group Q (x)) of modulus n = 391 and order k = 36 concerning Example 3 of this invention. This is a specific example of an extended quadratic hyperbolic semigroup with modulus n = 221, r = 13, and s = 17, and the number of generator groups giving the order Kg (τ (d)) and attribute coincidence of τ (x) ). This is a specific example of an extended quadratic hyperbolic semigroup with modulus n = 221, r = 13, and s = 17, and the number of generation groups (τ (d)) giving order Kg and attribute mismatch between τ (x) ). This is a specific example of an extended quadratic hyperbolic semigroup with modulo n = 221, r = 13, and s = 17, where the discriminants D and τ (x) do not match the attributes, and τ (d) and τ (x) It is a figure which shows attribute matching. Is a flowchart illustrating a key generation method for obtaining the prime factors of Example 4 law using the extended second hyperbola group or the like according to the _{n (n = p 1 p 2} ) of the present invention. It is the figure which compared the characteristic of the elliptic curve encryption and the hyperbola encryption.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Key generation apparatus 11 Key setting part 12 Curve parameter setting part 13 Key generation part 20, 20-1, 20-2 Stream encryption generation apparatus 21-0 to 21-m Cell computing unit

Claims (6)

(A) A set consisting of a set (x, y) of a dependent variable y of an arithmetic function defined on a finite ring and an independent variable x of the arithmetic function defined with a secret key that is a scalar coefficient Selecting an element of a finite commutative group formed by the first public key;
(B) A second public key obtained by multiplying the first public key by the secret key by performing at least one addition operation defined in the finite commutative group on the first public key. Generating
The number-theoretic function is a quadratic hyperbolic function composed of a denominator of a second-order polynomial defined on the finite ring and a numerator of a first-order polynomial defined on the finite ring,
In the addition operation of step (b), when adding the first and second elements of the finite commutative group, a linear function having the first and second elements as a solution and the quadratic hyperbola A linear function having a solution of the third element and a predetermined fixed element of the finite commutative group when a third element excluding the first and second elements is determined among common solutions with the function; In a key generation method for hyperbolic cryptography for calculating a fourth element excluding the third element and the predetermined fixed element among the common solutions with the quadratic hyperbolic function as the addition result,
The finite commutative group is a remainder ring Z / nZ, and the quadratic hyperbolic function is

If
In the first step, a prime number p that is a modulus n = p ^h (h: natural number) is determined,
In the second step, the curve parameters a and c are determined so that the discriminant D / 4 = c ² + 4a is a non-square residue with respect to the prime number p,
In a third step, d (d + c) −a is determined to be a non-square remainder with respect to the prime number p with respect to the parameter d giving the fixed element P (d),
In the fourth step, the hyperbolic cryptography is characterized in that x (x + c) −a is determined to be a non-square residue with respect to the prime number p with respect to the parameter x (x ≠ d) giving the base point P (x). Key generation method. (A) A set consisting of a set (x, y) of a dependent variable y of an arithmetic function defined on a finite ring and an independent variable x of the arithmetic function defined with a secret key that is a scalar coefficient Selecting an element of a finite commutative group formed by the first public key;
(B) A second public key obtained by multiplying the first public key by the secret key by performing at least one addition operation defined in the finite commutative group on the first public key. Generating
The number-theoretic function is a quadratic hyperbolic function composed of a denominator of a second-order polynomial defined on the finite ring and a numerator of a first-order polynomial defined on the finite ring,
In the addition operation of step (b), when adding the first and second elements of the finite commutative group, a linear function having the first and second elements as a solution and the quadratic hyperbola A linear function having a solution of the third element and a predetermined fixed element of the finite commutative group when a third element excluding the first and second elements is determined among common solutions with the function; In the hyperbolic cryptography design method of calculating a fourth element excluding the third element and the predetermined fixed element among the common solutions with the quadratic hyperbolic function as the addition result,
The finite commutative group is a remainder ring Z / nZ, and the quadratic hyperbolic function is

If
In the first step, the modulus n is defined as the product of prime numbers p ₁ and p ₂ ,
In a second step, the curve parameters a and c are determined so that the discriminant D / 4 = c ² + 4a is a non-square residue for any of the prime numbers,
In a third step, d (d + c) −a is determined to be a non-square residue for any of the prime numbers with respect to a new parameter d giving the fixed element P (d),
The fourth step is characterized in that x (x + c) −a is determined to be a non-square residue for any of the prime numbers with respect to the parameter x (x ≠ d) giving the base point P (x). Key generation method for hyperbolic cryptography. (A) A set consisting of a set (x, y) of a dependent variable y of an arithmetic function defined on a finite ring and an independent variable x of the arithmetic function defined with a secret key that is a scalar coefficient Selecting an element of a finite commutative group formed by the first public key;
(B) A second public key obtained by multiplying the first public key by the secret key by performing at least one addition operation defined in the finite commutative group on the first public key. Generating
The number-theoretic function is a quadratic hyperbolic function composed of a denominator of a second-order polynomial defined on the finite ring and a numerator of a first-order polynomial defined on the finite ring,
In the addition operation of step (b), when adding the first and second elements of the finite commutative group, a linear function having the first and second elements as a solution and the quadratic hyperbola A linear function having a solution of the third element and a predetermined fixed element of the finite commutative group when a third element excluding the first and second elements is determined among common solutions with the function; In a hyperbolic cryptography key generation method of calculating a fourth element excluding the third element and the predetermined fixed element among the common solutions with the quadratic hyperbolic function as the addition result,
The finite commutative group is a remainder ring Z / nZ, and the quadratic hyperbolic function is

If
A key generation method for hyperbolic cryptography characterized in that, when calculating the addition operation, the numerator operation and the denominator operation are distinguished from each other so that the inverse operation according to the modulus n is postponed. The key generation method for hyperbolic cryptography according to claim 3,
When determining whether or not the function value related to the addition operation matches a specific value, the product of the numerator of the function value and the denominator of the specific value, the denominator of the function value, and the specific value A key generation method for hyperbolic cryptography, characterized in that determination is made by matching a product of molecules. The hyperbolic cryptography key method according to claim 1 or 2,
The finite commutative group is a remainder ring Z / nZ, and the quadratic hyperbolic function is

If
In the first step, a prime number p with modulus n = ^ph (h; natural number) or modulus n is defined as the product of prime numbers p ₁ and p ₂ ,
In a second step, the curve parameters a and c are determined so that the discriminant D / 4 = c ² + 4a is a quadratic remainder for any or all of the prime numbers,
In a third step, d (d + c) −a is determined to be a non-square residue for any of the prime numbers with respect to a new parameter d giving the fixed element P (d),
In a fourth step, x (x + c) −a is determined to be a non-square residue for any of the prime numbers with respect to the parameter x (x ≠ d) giving the base point P (x),
A key generation method for hyperbolic cryptography, wherein the addition operation is performed by the key generation method according to claim 3. The key generation method for hyperbolic cryptography according to claim 2 or 5,
In the first step, according to the quadratic reciprocal law, collect D values that are odd and satisfying (D / n) = + 1 or (D / n) = − 1,
In the second step, the D value is assigned to the discriminant D / 4 = c ² + 4a, and the curve parameters a and c are determined.
In the third step, calculate (τ (x) / n) = + 1 from among those where τ (x) is odd by calculating τ (x) = x (x + c) −a for an appropriate x value. Collect x values to satisfy,
In a fourth step, a parameter d that gives the fixed element P (d) and a parameter x (x ≠ d) that gives a base point P (x) are selected from the x values,
In the fifth step, the order calculation of the extended quadratic hyperbola group or the extended quadratic hyperbola semigroup specified by the parameter by the key generation method according to claim 2 or 5 is performed,
In a sixth step, a prime factor of modulus n is obtained by determining the prime numbers p ₁ and p ₂ from the orders collected by the order calculation,
A hyperbolic cryptography key generation method, wherein a secret key is obtained from a public key of RSA cryptography using the prime factor.

Images