JP2015135363A - Information processing device, information processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To further speed up scalar multiplication.SOLUTION: Provided is an information processing device 10 having an arithmetic unit 11 for executing, for each combination of bit values that a bit string of a set length can assume, with respect to each set point P on an elliptic curve, scalar multiplication on the point P on the elliptic curve corresponding to the combination of bit values, and a storage unit 12 for storing the result of scalar multiplication. The arithmetic unit 11 executes scalar multiplication on the basis of addition arithmetic in which a first point Pand a second point Pon the elliptic curve, to which one of Jacobian coordinates is common, are added together.

Description

  The present invention relates to an information processing apparatus, an information processing method, and a program.

  In recent years, cryptographic processing has been used in various situations. For example, encryption processing is used when encryption, decryption, or digital signature processing is performed on data flowing over a network, electronic money information stored in a smart card, content data recorded on a recording medium, or the like. . Ciphers are broadly divided into common key ciphers and public key ciphers. The common key encryption uses the same key for encryption and decryption. On the other hand, public key cryptography uses different keys for encryption and decryption. Examples of public key cryptosystems include RSA cryptography and elliptic curve cryptography.

  The RSA cipher is a cipher whose safety is based on the difficulty of prime factorization. On the other hand, the elliptic curve cryptography is a cipher whose safety is based on the difficulty of the discrete logarithm problem of the additive group defined on the elliptic curve (elliptic curve discrete logarithm problem). The encryption and decryption processing related to elliptic curve cryptography includes an operation called elliptic curve scalar multiplication (hereinafter referred to as scalar multiplication). Scalar multiplication is an operation for outputting “d × P = P + P +... + P” by inputting a point P on an elliptic curve and a scalar value d (d is a natural number).

  Elliptic curve cryptography can ensure the same security with a shorter key length than RSA cryptography. Therefore, processing related to elliptic curve cryptography can be executed with lower processing capability than RSA cryptography, and implementation in small embedded devices and the like has been widely studied. In addition, some research results have been reported regarding further efficiency improvement of processing related to elliptic curve cryptography. For example, a method of performing scalar multiplication after converting a point on an elliptic curve into Jacobian coordinates has been proposed. A method of adding points on the elliptic curve having the same Z-coordinate of Jacobian coordinates has been proposed.

H. Cohen, A. Miyaji, and T. Ono, “Efficient Elliptic Curve Exponentiation Using Mixed Coordinates”, Asiacrypt 1998, Lecture Notes in Computer Science vol.1514, pp.51-65, Springer-Verlag, 1998. N. Meloni, “New Point Addition Formulae for ECC Applications”, WAIFI 2007, LNCS 4547, pp.189-201, 2007.

  By applying the above method, scalar multiplication is accelerated compared to before application. However, if further acceleration of scalar multiplication is achieved, it is expected that the number of devices that can implement the mechanism of elliptic curve cryptography will increase and the spread of elliptic curve cryptography will further expand.

  Therefore, according to one aspect, an object of the present invention is to provide an information processing apparatus, an information processing method, and a program capable of further speeding up scalar multiplication.

  According to one aspect of the present disclosure, with respect to a point on a set elliptic curve, for each bit value combination that a bit string of a set length can take, a point on the elliptic curve corresponding to the combination of bit values An arithmetic unit that performs scalar multiplication; and a storage unit that stores a result of the scalar multiplication. The arithmetic unit includes a first point and a second point on an elliptic curve in which one of the Jacobian coordinates is common. There is provided an information processing apparatus that performs scalar multiplication based on an addition operation for adding.

  In addition, according to another aspect of the present disclosure, for each combination of bit values that can be taken by a bit string having a set length, the computer having the storage unit can set a bit value for a point on the set elliptic curve. In the information processing method for executing the scalar multiplication for the points on the elliptic curve according to the combination of, and the processing for storing the result of the scalar multiplication in the storage unit, in the process of executing the scalar multiplication, There is provided an information processing method in which a computer performs scalar multiplication based on an addition operation for adding a first point and a second point on an elliptic curve having one common Jacobian coordinate.

  In addition, according to another aspect of the present disclosure, a bit value for each combination of bit values that can be taken by a bit string having a set length with respect to a point on a set elliptic curve in a computer having a storage unit. Is a program for executing scalar multiplication on points on an elliptic curve according to the combination of the above, and processing for storing the result of scalar multiplication in the storage unit. There is provided a program for performing scalar multiplication based on an addition operation for adding a first point and a second point on an elliptic curve having one common Jacobian coordinate.

  According to the present invention, it is possible to further increase the speed of scalar multiplication.

It is the figure which showed an example of the information processing apparatus which concerns on 1st Embodiment. It is the figure which showed an example of the system which concerns on 2nd Embodiment. It is a figure for demonstrating the application example (elliptic curve ElGamal encryption system) of elliptic curve encryption. It is the figure which showed the example of the hardware which can implement | achieve the function of the transmitter which concerns on 2nd Embodiment. It is a figure for demonstrating the definition of elliptic curve addition ECADD. It is a figure for demonstrating the definition of elliptic curve doubling ECDBL. It is a flowchart for demonstrating the calculation method of elliptic curve addition ECADD in a Jacobian coordinate. It is a flowchart for demonstrating the calculation method of elliptic curve doubling ECDBL in a Jacobian coordinate. It is a flowchart for demonstrating the calculation of the scalar multiplication by a binary method. It is a 1st flowchart for demonstrating the calculation (window method) of scalar multiplication. It is a 2nd flowchart for demonstrating the calculation (window method) of scalar multiplication. It is the block diagram which showed the example of the function which the transmitter which concerns on 2nd Embodiment has. It is a 1st flowchart for demonstrating the calculation of the scalar multiplication which concerns on 2nd Embodiment. It is a 2nd flowchart for demonstrating the calculation of the scalar multiplication which concerns on 2nd Embodiment. It is a 3rd flowchart for demonstrating the calculation of the scalar multiplication which concerns on 2nd Embodiment. It is the block diagram which showed the example of the function which the receiver which concerns on 2nd Embodiment has.

  Embodiments of the present invention will be described below with reference to the accompanying drawings. In addition, about the element which has the substantially same function in this specification and drawing, duplication description may be abbreviate | omitted by attaching | subjecting the same code | symbol.

<1. First Embodiment>
The first embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating an example of an information processing apparatus according to the first embodiment.

As illustrated in FIG. 1, the information processing apparatus 10 includes a calculation unit 11 and a storage unit 12. The information processing apparatus 10 is an example of an information processing apparatus according to the first embodiment.
The arithmetic unit 11 is a processor such as a CPU (Central Processing Unit) or a DSP (Digital Signal Processor). However, the calculation unit 11 may be an electronic circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). The storage unit 12 is a volatile storage device such as a RAM (Random Access Memory) or a nonvolatile storage device such as an HDD (Hard Disk Drive) or a flash memory. For example, the calculation unit 11 executes a program stored in the storage unit 12 or another memory.

The arithmetic unit 11 performs scalar multiplication on the point P on the elliptic curve corresponding to the bit value combination for each bit value combination that can be taken by the bit string having the set length for the point P on the set elliptic curve. Execute. The storage unit 12 stores the result of scalar multiplication. However, the calculation unit 11 performs scalar multiplication based on an addition calculation that adds the first point P ₁ and the second point P ₂ on the elliptic curve having one common Jacobian coordinate. When one of the Jacobian coordinates is common, the amount of addition is reduced, so that the scalar multiplication is accelerated.

  In the example of FIG. 1, the length of the bit string is set to 2 bits. In this case, the calculation unit 11 refers to the bit value of the bit string in order from the first bit. Note that the arithmetic unit 11 may refer to the bit values of the bit string in order from the last bit of the bit string. First, the calculation unit 11 sets the infinity point ∞ as the temporary variable T. Next, the calculation unit 11 refers to the bit value of the first bit, and does not change the temporary variable T when the bit value is 0, and sets the point P to the temporary variable T when the bit value is 1. Add (ellipse curve addition “+”).

  Next, the computing unit 11 refers to the bit value of the second bit and doubles the temporary variable T (elliptic curve doubling “× 2”). Next, the calculation unit 11 refers to the bit value of the second bit, and when the bit value is 0, does not change the temporary variable T, and when the bit value is 1, sets the point P to the temporary variable T. to add. Then, the calculation unit 11 stores the finally obtained temporary variable T in the storage unit 12.

  For example, when the bit string is “00”, the temporary variable T is ∞, and thus the calculation unit 11 stores ∞ in the storage unit 12 as the result of scalar multiplication W [0] corresponding to the bit string “00”. When the bit string is “01”, since the temporary variable T is P, the calculation unit 11 stores P in the storage unit 12 as a result of scalar multiplication W [1] corresponding to the bit string “01”.

  Further, when the bit string is “10”, the temporary variable T is 2 × P ((∞ + P) × 2 = 2 × P), so that the arithmetic unit 11 performs the result of the scalar multiplication corresponding to the bit string “10”. 2 × P is stored in the storage unit 12 as W [2]. Further, when the bit string is “11”, the temporary variable T is 3 × P ((∞ + P) × 2 + P = 3 × P), so that the calculation unit 11 performs the result of the scalar multiplication corresponding to the bit string “11”. 3 × P is stored in the storage unit 12 as W [3].

However, when the arithmetic unit 11 executes the elliptic curve addition “+” for adding the first point P ₁ and the second point P ₂ , one of the first Jacobian coordinates (Z coordinate) is common. The third point P ₃ is calculated by the elliptic curve addition ECADD _coZ between the point P ₁ and the second point P ₂ . Further, the calculation unit 11 calculates the coordinates of the first point P ₁ that is common to the _third point P ₃ and one of the Jacobian coordinates (Z ₃ ) when executing the elliptic curve addition ECADD _coZ .

As described above, the first point P ₁ and the third point P ₃ having one common Jacobian coordinate (Z ₃ ) are obtained by executing the elliptic curve addition ECADD _coZ . Therefore, when the elliptic curve addition “+” is performed between the first point P ₁ and the third point P ₃ , the elliptic curve addition ECADD _coZ can be applied. As a result, the elliptic curve addition “+” is speeded up.

In addition, when the calculation unit 11 calculates the fourth point P ₄ by executing elliptic curve doubling “× 2” (ECDBL _coZ ) that doubles the first point P ₁ , the fourth point P ₄ is calculated. _The coordinates of the first point P ₁ where ₄ and one of the Jacobian coordinates (Z ₄ ) are common are calculated. One of Jacobian coordinates during execution of the elliptic curve doubling _ECDBL coZ (Z ₄₎ first point P ₁ and the fourth point P ₄ is obtained in common is the first point P ₁ and the fourth Elliptic curve addition ECADD _coZ can be applied when the elliptic curve addition “+” of the point P ₄ is performed. As a result, the elliptic curve addition “+” is speeded up.

  When calculating the scalar multiplication of the set scalar value d and the set point P on the elliptic curve, the calculation unit 11 converts the bit string indicating the scalar value d into a plurality of bit strings having the set length. Divide. Then, the calculation unit 11 calculates the scalar multiplication of the set scalar value d and the set point P on the elliptic curve using the result of the scalar multiplication stored in the storage unit 12.

  In the example of FIG. 1, the scalar value d is set to 23. In this case, the scalar value d is expressed as a bit string 010111. The calculation unit 11 divides this bit string into three bit strings “01”, “01”, and “11” having a length of 2 bits, and calculates scalar multiplication. The result of scalar multiplication W [1] (P) for the bit string “01” is stored in the storage unit 12. Further, the result W [3] (3 × P) of the scalar multiplication for the bit string “11” is stored in the storage unit 12. Therefore, the calculation unit 11 performs scalar multiplication to obtain a scalar multiple d × P using W [1] and W [3].

As described above, scalar multiplication is calculated for a short bit string in advance, and scalar multiplication is calculated for a long bit string using the calculation result, so that the calculation result can be reused. Arithmetic can be performed efficiently. Further, when the scalar multiplication is calculated for a short bit string, the above-described elliptic curve addition ECADD _coZ can be used effectively, thereby reducing the amount of calculation. By applying the above-described scalar multiplication calculation method to the encryption processing and decryption processing of elliptic curve cryptography, the processing related to elliptic curve cryptography can be speeded up.

The first embodiment has been described above.
<2. Second Embodiment>
Next, a second embodiment will be described. The second embodiment relates to a technique for improving the efficiency of scalar multiplication executed in the encryption processing and decryption processing related to elliptic curve cryptography.

[2-1. About Elliptic Curve Cryptography]
The elliptic curve cryptosystem will be described. Elliptic curve cryptosystem is a general term for cryptosystems whose safety is based on the difficulty of solving the problem of obtaining a scalar value d from a base point P on an elliptic curve and a scalar multiple d × P (elliptic curve discrete logarithm problem). is there.

(System example)
In the following description, the system illustrated in FIG. 2 is assumed for the sake of simplicity. FIG. 2 is a diagram illustrating an example of a system according to the second embodiment. However, the scope of application of the technology according to the second embodiment is not limited to this, and can be applied to any system that employs an elliptic curve cryptosystem. For example, the present invention can be applied to a system that uses elliptic curve cryptography to conceal data recorded on a recording medium.

  As illustrated in FIG. 2, the system according to the second embodiment includes a transmission device 100 and a reception device 200. The transmission device 100 is connected to the reception device 200 via the network NW. The transmission device 100 encrypts a message described in plain text to generate a ciphertext, and transmits the ciphertext to the reception device 200. On the other hand, the receiving device 200 decrypts the ciphertext received from the transmitting device 100 and restores a message described in plaintext. The transmission device 100 is an example of an encryption device. The receiving device 200 is an example of a decoding device.

(Application example of elliptic curve cryptography: Elliptic curve Elgamal cryptosystem)
Here, the operations of the transmission device 100 and the reception device 200 will be described with reference to FIG. 3 by taking the case of the elliptic curve ElGamal encryption method as an example. FIG. 3 is a diagram for explaining an application example of elliptic curve cryptography (elliptic curve Elgamal cryptosystem).

  In the example of FIG. 3, the elliptic curve is E, the base point on the elliptic curve E is P, the public key is S, the secret key is s, the randomly generated scalar (random number) is r, and the plaintext that is the message is M. It is written. However, the public key S is defined by scalar multiplication (S = s × P) of the secret key s and the base point P. The plain text M is expressed by points on the elliptic curve E. The transmission device 100 holds information on the base point P and the public key S. The receiving device 200 holds information on the secret key s. Consider a case in which plaintext M is transmitted from the transmission apparatus 100 to the reception apparatus 200 in this situation.

  The transmission device 100 randomly generates a scalar r (S11). Next, the transmitting apparatus 100 executes scalar multiplication of the scalar r and the base point P, and calculates the result R (R = r × P) of the scalar multiplication (S12). Next, the transmitting apparatus 100 performs scalar multiplication of the scalar r and the public key S, and adds the plaintext M to the result of the scalar multiplication to calculate a ciphertext C (C = r × S + M) (S13). ). Then, the transmission device 100 transmits R and C to the reception device 200 (S14).

  Receiving device 200 that has received R and C performs scalar multiplication of secret keys s and R to calculate s × R (S15). Next, the receiving apparatus 200 calculates (C−s × R) by subtracting s × R from C (S16). According to the following equation (1), (C−s × R) is equal to plaintext M. That is, the receiving apparatus 200 obtains the plaintext M from the ciphertext C. In the elliptic curve Elgamal cryptosystem, plaintext M is transmitted and received by the algorithm illustrated in FIG. It should be noted that the encryption and decryption logic shown here can be modified and applied to a digital signature system or the like.

C−s × R = (r × S + M) −s × R
= (R * s * P + M) -s * r * P
= M
... (1)
The elliptic curve cryptosystem has been described above.

[2-2. hardware]
The function of the transmission apparatus 100 as described above can be realized using, for example, the hardware illustrated in FIG. That is, the functions of the transmission apparatus 100 are realized by controlling the hardware shown in FIG. 4 using a computer program. FIG. 4 is a diagram illustrating an example of hardware capable of realizing the function of the transmission apparatus according to the second embodiment.

  As shown in FIG. 4, this hardware mainly includes a CPU 902, a ROM (Read Only Memory) 904, a RAM 906, a host bus 908, and a bridge 910. Further, this hardware includes an external bus 912, an interface 914, an input unit 916, an output unit 918, a storage unit 920, a drive 922, a connection port 924, and a communication unit 926.

  The CPU 902 functions as, for example, an arithmetic processing unit or a control unit, and controls the overall operation of each component or a part thereof based on various programs recorded in the ROM 904, the RAM 906, the storage unit 920, or the removable recording medium 928. . The ROM 904 is an example of a storage device that stores a program read by the CPU 902, data used for calculation, and the like. The RAM 906 temporarily or permanently stores, for example, a program read by the CPU 902 and various parameters that change when the program is executed.

  These elements are connected to each other via, for example, a host bus 908 capable of high-speed data transmission. On the other hand, the host bus 908 is connected to an external bus 912 having a relatively low data transmission speed via a bridge 910, for example. As the input unit 916, for example, a mouse, a keyboard, a touch panel, a touch pad, a button, a switch, a lever, or the like is used. Furthermore, as the input unit 916, a remote controller capable of transmitting a control signal using infrared rays or other radio waves may be used.

  As the output unit 918, for example, a display device such as a CRT (Cathode Ray Tube), an LCD (Liquid Crystal Display), a PDP (Plasma Display Panel), or an ELD (Electro-Luminescence Display) is used. As the output unit 918, an audio output device such as a speaker or headphones, or a printer may be used. In other words, the output unit 918 is a device that can output information visually or audibly.

  The storage unit 920 is a device for storing various data. As the storage unit 920, for example, a magnetic storage device such as an HDD is used. Further, as the storage unit 920, a semiconductor storage device such as an SSD (Solid State Drive) or a RAM disk, an optical storage device, a magneto-optical storage device, or the like may be used.

  The drive 922 is a device that reads information recorded on a removable recording medium 928 that is a removable recording medium or writes information on the removable recording medium 928. As the removable recording medium 928, for example, a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory is used.

  The connection port 924 is a port for connecting an external connection device 930 such as a USB (Universal Serial Bus) port, an IEEE 1394 port, a SCSI (Small Computer System Interface), an RS-232C port, or an optical audio terminal. For example, a printer or the like is used as the external connection device 930.

  The communication unit 926 is a communication device for connecting to the network 932. As the communication unit 926, for example, a communication circuit for wired or wireless LAN (Local Area Network), a communication circuit for WUSB (Wireless USB), a communication circuit or router for optical communication, an ADSL (Asymmetric Digital Subscriber Line) Communication circuits, routers, communication circuits for mobile phone networks, and the like are used. A network 932 connected to the communication unit 926 is a wired or wireless network, and includes, for example, the Internet, a LAN, a broadcast network, a satellite communication line, and the like.

  The hardware capable of realizing the function of the transmission device 100 has been described above. Note that the function of the receiving apparatus 200 can be realized by using the hardware shown in FIG. Therefore, description of hardware capable of realizing the function of the receiving device 200 is omitted.

[2-3. About the calculation method of scalar multiplication]
Next, a calculation method for scalar multiplication will be described. As already described, scalar multiplication is used for encryption processing and decryption processing according to the elliptic curve cryptosystem. Hereinafter, the elliptic curve addition ECADD and the elliptic curve doubling ECDBL will be described, and further, a scalar multiplication calculation method called a binary method and a window method will be described.

(Elliptic curve E and inverse element -P)
Elliptic curve E used in the elliptic curve addition ECADD and an elliptic curve doubling ECDBL is 5 or more prime p, when integer of 1 or more m, on the finite field GF number of elements p ^m (p ^m) It is defined as a set obtained by adding an infinite point ∞ to a set of points (x, y) satisfying the following expression (2). Note that coefficients a and b included in the following equation (2) are elements of a finite field GF (p ^m ).

E: y ² = x ³ + a × x + b
... (2)
For the point P on the elliptic curve E, the inverse element -P of the point P is defined by the following equations (3) and (4).

If P = ∞ -P = ∞
... (3)
If P = (x, y) ≠ ∞ -P = (x, -y)
... (4)
(Addition law)
Consider an operation of adding points P ₁ and P ₂ on an elliptic curve E. The sum P ₃ (P ₃ = P ₁ + P ₂ ) of the points P ₁ and P ₂ is defined by the following equations (5) to (8). However, P ₁ = (x ₁ , y ₁ ), P ₂ = (x ₂ , y ₂ ), and P ₃ = (x ₃ , y ₃ ). However, λ and ν included in the following formula (8) are defined by the following formula (9) when P ₁ ≠ P ₂ , and are defined by the following formula (10) when P ₁ = P _2. .

If P ₁ = ∞ then P ₃ = P ₂
... (5)
If P ₂ = ∞, P ₃ = P ₁
(6)
If P ₁ = -P ₂ then P ₃ = ∞
... (7)
If P ₁ ≠ −P ₂ , x ₃ = λ ² −x ₁ −x ₂ , y ₃ = −λ × x ₃ −ν
... (8)
When P ₁ ≠ P ₂ λ = (y ₂ −y ₁ ) / (x ₂ −x ₁ )
ν = (y ₁ × x ₂ −y ₂ × x ₁ ) / (x ₂ −x ₁ )
... (9)
When P ₁ = P ₂ λ = (3 × x ₁ ² + a) / (2 × y ₁ )
ν = (− x ₁ ³ + a × x ₁ + 2 × b) / (2 × y ₁ )
(10)
Elliptic curve addition ECADD refers to an arithmetic process for calculating P ₁ + P ₂ when P ₁ ≠ P ₂ . Elliptic curve doubling ECDBL is an arithmetic process for calculating P ₁ + P ₂ (= 2 × P ₁ ) when P ₁ = P ₂ . Elliptic curve addition ECADD and elliptic curve doubling ECDBL are combinations of addition, subtraction, multiplication, division, squaring, and inverse element calculation on a finite field GF (p ^m ).

As shown in FIG. 5, the elliptic curve addition ECADD is a point at which the point where the straight line L ₁ connecting the point P ₁ and the point P ₂ on the elliptic curve E intersects the elliptic curve E is folded around the x axis. it is a process for obtaining the P _3. On the other hand, as shown in FIG. 6, the elliptic curve doubling ECDBL has a point P ₃ at a position where the point at which the tangent L ₃ of the point P ₁ on the elliptic curve E intersects the elliptic curve E is turned back along the x axis. This is the processing that is required.

FIG. 5 is a diagram for explaining the definition of elliptic curve addition ECADD. The example of FIG. 5 is a case where a = −1 and b = 0. Linear L ₂ is a straight line parallel to the y-axis. FIG. 6 is a diagram for explaining the definition of elliptic curve doubling ECDBL. The example of FIG. 6 is a case where a = −1 and b = 0. The straight line L ₄ is a straight line parallel to the y axis.

By the way, the calculation time of elliptic curve addition ECADD, elliptic curve doubling ECDBL, and scalar multiplication is often estimated by the sum of the calculation times of multiplication, squaring, and inverse element calculation in a finite field GF (p ^m ). . This is because the calculation time for addition and subtraction on the finite field GF (p ^m ) is so short as to be negligible compared to the calculation time for other operations. The inverse element calculation on the finite field GF (p ^m ) takes longer time than multiplication and squaring. Therefore, in the second embodiment, a method is adopted in which points on the elliptic curve E are expressed by Jacobian coordinates, and the calculation time is reduced by reducing the number of inverse element calculations.

(Jacvian coordinates)
In the Jacobian coordinates, the point (x, y) of the elliptic curve E in the finite field GF (p ^m ) is expressed by coordinates (X: Y: Z) combining three elements. However, for the element r of the finite field GF (p ^m ) where r ≠ 0, (X: Y: Z) and (r ² × X: r ³ × Y: r × Z) represent the same point. Further, x = X / Z ² and y = Y / Z ³ . When this relationship is substituted into the above equation (2), an elliptic curve E expressed in Jacobian coordinates is expressed as the following equation (11). The infinite point ∞ is ∞ = (0: 1: 0).

E: Y ² × Z = X ³ + a × X × Z ⁴ + b × Z ⁶
... (11)
Here, a method of calculating the elliptic curve addition ECADD in the Jacobian coordinates will be described with reference to FIG. FIG. 7 is a flowchart for explaining a calculation method of elliptic curve addition ECADD in Jacobian coordinates. For convenience of explanation, the case where the transmission apparatus 100 executes the elliptic curve addition ECADD will be described, but the same applies to the case where the reception apparatus 200 executes the elliptic curve addition ECADD.

Consider an elliptic curve addition ECADD that adds points P ₁ and P ₂ (P ₁ ≠ P ₂ ) on the elliptic curve E to obtain a point P 3. However, P ₁ = (X ₁ : Y ₁ : Z ₁ ), P ₂ = (X ₂ : Y ₂ : Z ₂ ), P ₃ = (X ₃ : Y ₃ : Z ₃ ).

As shown in FIG. 7, the transmitting apparatus 100 calculates X ₁ × Z ₂ ² and sets it as a temporary variable U ₁ , and calculates X ₂ × Z ₁ ² and sets it as a temporary variable U ₂ (S21). . Next, the transmitting apparatus 100 calculates Y ₁ × Z ₂ ³ and sets it as a temporary variable V ₁ , and calculates Y ₂ × Z ₁ ³ and sets it as a temporary variable V ₂ (S22). The processes of S21 and S22 can be interchanged. Next, the transmitting apparatus 100 subtracts U ₁ from U ₂ and sets it as a temporary variable H, and subtracts V ₁ from V ₂ and sets it as a temporary variable Q (S23).

Next, the transmitting apparatus 100 calculates Q ² −H ³ −2U ₁ × H and sets it to X ₃ (S24). Next, the transmitting apparatus 100 calculates Q × (U ₁ × H ² −X ₃ ) −V ₁ × H ³ and sets it to Y ₃ (S25). Next, the transmitting apparatus 100 calculates Z ₁ × Z ₂ × H and sets it to Z ₃ (S26). The process of S26 can be replaced with the processes of S24 and S25. The process of S21 to S26, the coordinates X ₃ of the point P _3, Y _3, Z ₃ is obtained.

  Next, a method for calculating the elliptic curve doubling ECDBL in Jacobian coordinates will be described with reference to FIG. FIG. 8 is a flowchart for explaining a method of calculating elliptic curve doubling ECDBL in Jacobian coordinates. For convenience of explanation, a case where the transmitting apparatus 100 executes the elliptic curve doubling ECDBL will be described, but the same applies to the case where the receiving apparatus 200 executes the elliptic curve doubling ECDBL.

As shown in FIG. 8, the transmission device ^{_{100, 3 × X 1 2 + a}} × Z 1 4 Setting a temporary calculated variable Q (S31). Next, the transmitting apparatus 100 calculates 4 × X ₁ × Y ₁ ² and sets it to the temporary variable V (S32). The processes of S31 and S32 can be interchanged. Next, the transmitting apparatus 100 calculates −2 × V + Q ² and sets the temporary variable T (S33).

Next, the transmitting apparatus 100 sets the temporary variable T to X ₃ (S34). Then, the transmission device 100 sets the ^{_{-8 × Y 1 4 + Q ×}} (V-T) the calculated Y ₃ (S35). Next, the transmitting apparatus 100 calculates 2 × Y ₁ × Z ₁ and sets it to Z ₃ (S36). The processes of S34, S35, and S36 can be interchanged. The process of S31 to S36, the coordinates X ₃ of the point P _3, Y _3, Z ₃ is obtained.

When Jacobian coordinates are used as described above, the calculation time of elliptic curve addition ECADD is 12M + 2S. The calculation time of elliptic curve doubling ECDBL is 7M + 5S. However, 1M is the calculation time required to calculate one multiplication on the finite field GF (p ^m ) having the number of elements p ^m . Further, 1S is a calculation time required to calculate a square operation once on a finite field GF (p ^m ) having the number of elements p ^m . When the Z coordinate is 1, the calculation time of the elliptic curve addition ECADD is 8M + 3S.

(Calculation of scalar multiplication by binary method)
Next, calculation of scalar multiplication by the binary method will be described with reference to FIG. The binary method is one of methods for determining a combination of elliptic curve addition ECADD and elliptic curve doubling ECDBL included in scalar multiplication.

  FIG. 9 is a flowchart for explaining the calculation of scalar multiplication by the binary method. In FIG. 9, lowercase letters in the alphabet represent scalar values, and uppercase letters represent points on the elliptic curve E. For convenience of explanation, the case where the transmission apparatus 100 executes scalar multiplication will be described, but the same applies to the case where the reception apparatus 200 executes scalar multiplication.

  Consider an algorithm that calculates a scalar multiplication d × P for a point P on an elliptic curve E when an n-bit scalar value d is given. The scalar value d can be expressed using n bit values d [i] (lower i-th bit value) as shown in the following equation (12). The bit value d [i] is 0 or 1. Further, it is assumed that d [n−1] = 1.

d = d [n−1] × 2 ⁿ⁻¹ + d [n−2] × 2 ⁿ⁻² +... + d [0] × 2 ⁰
(12)
As shown in FIG. 9, the transmitting apparatus 100 sets a point P on the elliptic curve E as a temporary variable T (S41). Next, the transmitting apparatus 100 sets i to n-2 (S42). The processes of S41 and S42 can be interchanged. Next, the transmitting apparatus 100 determines whether i is smaller than 0 (S43). If i is smaller than 0, the process proceeds to S48. On the other hand, if i is not smaller than 0, the process proceeds to S44.

  When the process proceeds to S44, the transmitting apparatus 100 executes elliptic curve doubling ECDBL on the temporary variable T and sets the result to the temporary variable T (S44). Next, the transmitting apparatus 100 determines whether or not the bit value d [i] of the lower i-th bit is 1 (S45). If the bit value d [i] is 1, the process proceeds to S46. On the other hand, when the bit value d [i] is not 1 (when 0), the process proceeds to S47.

  When the process proceeds to S46, the transmitting apparatus 100 executes elliptic curve addition ECADD that adds the temporary variable T and the point P on the elliptic curve E, and sets the result to the temporary variable T (S46). When the process of S46 is completed, the process proceeds to S47. When the process proceeds to S47, the transmission device 100 decreases i by 1 (S47). When the process of S47 is completed, the process proceeds to S43.

  When the process proceeds to S48, the transmission device 100 outputs the temporary variable T as a result of scalar multiplication d × P (S48). When the process of S48 is completed, the series of processes shown in FIG.

(Example: When n = 5 and d = 21)
When n = 5 and d = 21, the scalar value d can be expressed as the following equation (13).
d = 21
= 16 + 4 + 1
= 1 × 2 ⁴ + 0 × 2 ³ + 1 × 2 ² + 0 × 2 ¹ + 1 × 2 ⁰
= (10101) Bit string (13)
In the process of S41, the point P on the elliptic curve E is set as the temporary variable T. Next, the processes of S44, S45, and S46 are executed for i = 3, 2, 1, 0. When i is 3, the transmitting apparatus 100 executes the elliptic curve doubling ECDBL of the temporary variable T, and sets the result to the temporary variable T (S44). After the process of S44, the temporary variable T becomes 2 × P. Next, the transmitting apparatus 100 determines whether or not the bit value d [3] is 1 (S45). Since d [3] = 0 as shown in the above equation (13), the transmitting apparatus 100 skips the processing of S46 and updates i to 2.

  Next, when i is 2, the transmitting apparatus 100 executes elliptic curve doubling ECDBL of the temporary variable T, and sets the result to the temporary variable T (S44). After the process of S44, the temporary variable T becomes 4 × P. Next, the transmitting device 100 determines whether or not the bit value d [2] is 1 (S45).

  Since d [2] = 1 as shown in the above equation (13), the transmitting apparatus 100 executes elliptic curve addition ECADD that adds the temporary variable T and the point P on the elliptic curve E, and The result is set in a temporary variable T (S46). After the process of S46, the temporary variable T becomes 5 × P. Then, the transmission device 100 updates i to 1.

  Next, when i is 1, the transmitting apparatus 100 executes elliptic curve doubling ECDBL of the temporary variable T, and sets the result to the temporary variable T (S44). After the process of S44, the temporary variable T becomes 10 × P. Next, the transmitting apparatus 100 determines whether or not the bit value d [1] is 1 (S45). Since d [1] = 0 as shown in the above equation (13), the transmitting apparatus 100 skips the processing of S46 and updates i to 0.

  Next, when i is 0, the transmitting apparatus 100 executes elliptic curve doubling ECDBL of the temporary variable T, and sets the result as the temporary variable T (S44). After the process of S44, the temporary variable T becomes 20 × P. Next, the transmitting apparatus 100 determines whether or not the bit value d [0] is 1 (S45).

  Since d [0] = 1 as shown in the above equation (13), the transmitting apparatus 100 executes elliptic curve addition ECADD that adds the temporary variable T and the point P on the elliptic curve E, and The result is set in a temporary variable T (S46). After the process of S46, the temporary variable T becomes 21 × P. This temporary variable T is output as the result of scalar multiplication.

  Thus, in the binary method, scalar multiplication is calculated by a combination of elliptic curve addition ECADD and elliptic curve doubling ECDBL. Elliptic curve doubling ECDBL is executed for each bit, and when the bit value d [i] is 1, elliptic curve addition ECADD is further executed.

  If the scalar value d is given randomly, the probability that d [i] = 1 is 0.5. Therefore, the calculation time TimePerBit per bit required for calculating the scalar multiplication is given by the following equation (14). However, Time (ECDBL) is a calculation time required to calculate the elliptic curve doubling ECDBL once. Time (ECADD) is a calculation time required to calculate the elliptic curve addition ECADD once.

TimePerBit = Time (ECDBL) + 0.5 × Time (ECADD)
... (14)
When Jacobian coordinates are used, Time (ECADD) = 12M + 2S and Time (ECDBL) = 5M + 2S. Therefore, TimePerBit is 11M + 3S. In the case of 1S = 0.8M, TimePerBit is 13.4M. For example, when the scalar value d is 160 bits, the processing after S44 is executed 159 times. Therefore, the average calculation time Time (Ave) of scalar multiplication is 159 × 13.4M = 2130.6M.

(Calculation of scalar multiplication by window method)
Next, calculation of scalar multiplication by the window method will be described with reference to FIGS.

  FIG. 10 is a first flowchart for explaining the scalar multiplication calculation (window method). FIG. 11 is a second flowchart for explaining the scalar multiplication calculation (window method). In FIGS. 10 and 11, lowercase letters in the alphabet represent scalar values, and uppercase letters represent points on the elliptic curve E. For convenience of explanation, the case where the transmission apparatus 100 executes scalar multiplication will be described, but the same applies to the case where the reception apparatus 200 executes scalar multiplication.

  FIG. 10 and FIG. 11 illustrate processing for calculating scalar multiplication of the scalar value d and the base point P when the scalar value d is 21 and the window width is 4 bits. Further, it is assumed that the length of the bit string representing the scalar value d is adjusted to an integral multiple of the window width (8 bits in this example) by the transmission device 100 as shown in the following equation (15). Hereinafter, the length of the adjusted bit string is expressed as n (n = 8 in this example).

d = 21
= 0x2 ⁷ + 0x2 ⁶ + 0x2 ⁵ + 1x2 ⁴
+ 0x2 ³ + 1x2 ² + 0x2 ¹ + 1x2 ⁰
= (00010101) bit string (15)
As shown in FIG. 10, the transmitting apparatus 100 sets the infinity point ∞ to W [0] (S51). The process of S51 corresponds to a process of executing scalar multiplication of the scalar value indicated by the 4-bit bit string (window) whose base bit values are 0 and the base point P, and setting the result to W [0]. To do. However, since it is known in advance that the result of this scalar multiplication is ∞, the transmitting apparatus 100 directly sets ∞ to W [0] in the process of S51.

  Next, the transmitting apparatus 100 sets the base point P to W [1] (S52). The processing of S52 executes scalar multiplication of the scalar value indicated by the 4-bit bit string (window) in which the bit value of the lower first bit is 1 and all other bit values are 0 and the base point P. This corresponds to the process of setting the result to W [1]. However, since it is known in advance that the result of this scalar multiplication is P, the transmitting apparatus 100 directly sets P to W [1] in the process of S52.

  Next, the transmitting apparatus 100 sets i to 2 (S53). Next, the transmitting apparatus 100 determines whether i is greater than 14 (S54). If i is greater than 14 (i> 14), the process proceeds to S58 of FIG. On the other hand, if i is not greater than 14 (i ≦ 14), the process proceeds to S55.

  When the process proceeds to S55, the transmission device 100 executes elliptic curve doubling ECDBL for W [i / 2] and sets the result to W [i] (S55). Next, the transmitting apparatus 100 executes elliptic curve addition ECADD that adds W [i] and the base point P, and sets the result to W [i + 1] (S56). Next, the transmitting apparatus 100 adds 2 to i (S57). When the process of S57 is completed, the process proceeds to S54.

  When the process proceeds to S58 of FIG. 11, the transmitting apparatus 100 sets W [d [n−1, n−4]] to the temporary variable T (S58). However, d [n−1, n−4] is a bit string in which four bit values d [n−1], d [n−2], d [n−3], and d [n−4] are arranged. Represent. 10 and 11, W [d [7,4]] = W [0001] = P is set as the temporary variable T.

  Next, the transmitting apparatus 100 sets i to n-5 (S59). Next, the transmitting apparatus 100 determines whether i is smaller than 3 (S60). If i is smaller than 3 (i <3), the process proceeds to S67. On the other hand, if i is not smaller than 3 (i ≧ 3), the process proceeds to S61.

When the process proceeds to S61, the transmission device 100 executes the elliptic curve doubling ECDBL for the temporary variable T, and sets the result to the temporary variable T (S61). The transmitting apparatus 100 executes elliptic curve doubling ECDBL for the temporary variable T, and sets the result to the temporary variable T (S62). Furthermore, the transmitting apparatus 100 executes elliptic curve doubling ECDBL for the temporary variable T, and sets the result to the temporary variable T (S63). Then, the transmitting apparatus 100 executes the elliptic curve doubling ECDBL for the temporary variable T, and sets the result to the temporary variable T (S64).

Next, the transmitting apparatus 100 executes elliptic curve addition ECADD that adds the temporary variable T and W [d [i, i-3]], and sets the result to the temporary variable T (S65). However, d [i, i-3] represents a bit string in which four bit values d [i], d [i-1], d [i-2], and d [i-3] are arranged. When i = 3, W [d [3,0]] = W [0101] = 5P. Next, the transmitting apparatus 100 subtracts 4 from i (S66). When the process of S66 is completed, the process proceeds to S60.

  When the process proceeds to S67, the transmission device 100 outputs a temporary variable T as a result of the scalar multiplication of the scalar value d and the base point P (S67). When the process of S67 is completed, the series of processes shown in FIGS. 10 and 11 ends.

  As described above, the scalar multiplication of the scalar value d and the base point P can be efficiently executed by using the result W [i] of the scalar multiplication previously calculated for each window. The processing shown in FIG. 10 (hereinafter referred to as preprocessing) includes elliptic curve addition ECADD seven times and elliptic curve doubling ECDBL seven times. Therefore, the calculation time TimePre for the preprocessing is expressed by the following equation (16).

TimePre = 7 × Time (ECDBL) + 7 × Time (ECADD)
= 7 × (4M + 6S) + 7 × (8M + 3S)
= 84M + 63S
= 134.4M
... (16)
However, TimePre shown in the above equation (16) is a calculation time when using Jacobian coordinates and setting 1M = 0.8S. Similarly, when the window width is N bits, the preprocessing includes (2 ^N −2) / 2 elliptic curve doubling ECDBL and (2 ^N −2) / 2 elliptic curve addition ECADD. . Therefore, the calculation time TimePre required for the preprocessing is expressed by the following equation (17).

TimePre = (2 ^N −2) / 2 × (4M + 6S)
+ (2 ^N −2) / 2 × (8M + 3S)
= (2 ^N -2) / 2 × (12M + 9S)
= 9.6 × (2 ^N −2) M
... (17)
Further, the calculation of the process shown in FIG. 11 (hereinafter, post-process) includes four elliptic curve doubling ECDBL and one elliptic curve addition ECADD per calculation of S61 to S66. In addition, since the calculations of S61 to S66 are executed (n-4) / 4 times, the post-processing calculation time TimeMain is set to 1M = 0.8S, and the following equation (18) is obtained. Therefore, when the scalar value d is 160 bits, the average calculation time Time of the entire scalar multiplication is given by the following equation (19).

TimeMain = ((4M + 6S) × 4 + (12M + 4S)) × (n−4) / 4
= 12.6M x (n-4)
... (18)
Time = TimePre + TimeMain
= 134.4M + 12.6M × 156
= 2100M
... (19)
The calculation method for scalar multiplication has been described above. Although the algorithm using the binary method and the window method has been introduced here, the transmitting apparatus 100 (and the receiving apparatus 200) according to the second embodiment uses a new algorithm that can further reduce the calculation time described above, and performs scalar multiplication. Calculate the arithmetic.

[2-4. Function of transmitting apparatus 100]
Hereinafter, functions of the transmission apparatus 100 according to a new algorithm capable of reducing the calculation time of scalar multiplication will be described.

(Function block)
First, the function of the transmission apparatus 100 will be described with reference to FIG. FIG. 12 is a block diagram illustrating an example of functions of the transmission apparatus according to the second embodiment.

  As illustrated in FIG. 12, the transmission device 100 includes a communication unit 101, a storage unit 102, and a calculation unit 103. The function of the communication unit 101 can be realized by using the connection port 924, the communication unit 926, or the like described above. The function of the storage unit 102 can be realized using the above-described RAM 906, the storage unit 920, or the like. The function of the calculation unit 103 can be realized using the above-described CPU 902 or the like.

  The communication unit 101 is an element that communicates with the receiving device 200 via the network NW. For example, the communication unit 101 transmits the result R and the ciphertext C of the scalar multiplication between the randomly generated scalar value r and the base point P to the receiving device 200. The storage unit 102 stores a base point P, a public key S, and plaintext M (message). Further, the storage unit 102 stores a result of scalar multiplication W [i] (i = 0, 1,...) Calculated for each window, which will be described later.

  The calculation unit 103 encrypts the plaintext M by the elliptic curve cryptosystem based on the base point P and the public key S to generate a ciphertext C. The calculation unit 103 includes a preprocessing unit 131 and a postprocessing unit 132.

The preprocessing unit 131 performs scalar multiplication on the base point P for each scalar value for all scalar values that can be taken by a bit string (window) having a preset length. At this time, the pre-processing unit 131 can efficiently apply the elliptic curve addition ECADD _coZ that adds points on the elliptic curve E having the same Z-coordinate of the Jacobian coordinates and the elliptic curve addition ECADD _coZ. Use multiplication ECDBL _coZ . Then, the preprocessing unit 131 stores the scalar multiplication result W [i] (i = 0, 1,...) Calculated for each window in the storage unit 102.

  The post-processing unit 132 uses the scalar multiplication result W [i] (i = 0, 1,...) Stored in the storage unit 102 to perform scalar multiplication on the base point P that appears when the ciphertext C is generated. Run. For example, the post-processing unit 132 divides the scalar value d into a plurality of bit strings having the same length as the window width, and executes the scalar multiplication of the scalar value d and the base point P by combining the results of the scalar multiplication for each bit string. To do. At this time, the post-processing unit 132 uses W [i] (i = 0, 1,...) As a result of scalar multiplication for each bit.

(About elliptic curve doubling _{ECDBL coZ} )
Here, the elliptic curve doubling _{ECDBL coZ} will be described with reference to FIG. FIG. 13 is a first flowchart for explaining the calculation of scalar multiplication according to the second embodiment. The example of FIG. 13 shows the algorithm of elliptic curve doubling _ECDBL coZ for the point P1 on the elliptic curve E.

As shown in FIG. 13, the preprocessing unit 131 calculates 4 × X ₁ × Y ₁ ² and sets the result to the temporary variable Q (S131). Then, the preprocessing unit ^{_{131, 3 × X 1 2 + Q}} × calculates the Z ₁ ^4, sets the result in temporary variable U (S132). Next, the preprocessing unit 131 calculates −2 × Q + U ² and sets the result to X ₃ (S133). Then, the pre-processing unit 131, a ^{_{-8 × Y 1 4 + U ×}} (Q-X 3) is calculated and set the result to Y ₃ (S134). Next, the preprocessing unit 131 calculates 2 × Y ₁ × Z ₁ and sets the result to Z ₃ (S135).

By the processing of S131 to S135, the coordinates (X ₃ : Y ₃ : Z ₃ ) of the point P ₃ corresponding to 2 × P ₁ obtained by doubling the point P ₁ on the elliptic curve E are obtained. In the elliptic curve doubling ECDBL _coZ algorithm, the processes of S136 and S137 are further executed. In the process of S136, the preprocessing unit 131 sets the temporary variable Q to X _1p (S136). Then, the pre-processing unit 131 calculates the 8 × Y ₁ ^4, sets the result to Y _1p (S137). A point P _1p having coordinates (X _1p : Y _1p : Z ₃ ) is the same point on the elliptic curve E as the point P ₁ .

As described above, the elliptic curve doubling ECDBL _coZ outputs the point P ₃ corresponding to 2 × P ₁ and the coordinates of the point P ₁ having the same Z coordinate as the point P ₃ . Therefore, after calculating the point P ₃ , when the point P ₃ and the point P ₁ are further added, it is possible to perform an operation using the coordinates of the two points P ₁ and P ₃ having the same Z coordinate. .

(About elliptic curve addition ECADD _coZ )
Next, the elliptic curve addition ECADD _coZ will be described with reference to FIG. FIG. 14 is a second flowchart for explaining the scalar multiplication calculation according to the second embodiment. The example of FIG. 14 shows an algorithm of elliptic curve addition ECADD _coZ that adds _two different points P ₁ and P ₂ on the elliptic curve E.

As shown in FIG. 14, the preprocessing unit 131 calculates (X ₂ −X ₁ ) ² and sets the result to the temporary variable Q (S141). Next, the preprocessing unit 131 calculates X ₁ × Q and sets the temporary variable U (S142). Next, the preprocessing unit 131 calculates X ₂ × Q and sets the result to the temporary variable V (S143). Next, the preprocessing unit 131 calculates (Y ₂ −Y ₁ ) ² and sets the result as a temporary variable J (S144). Note that the order of the processes of S142 and S143 can be changed. In addition, the order of the process of S144 and the processes of S141 to S143 can be switched.

Then, the pre-processing unit 131 calculates the J-U-V, to set the result in X ₃ (S145). Next, the preprocessing unit 131 calculates (Y ₂ −Y ₁ ) × (U−X ₃ ) −Y ₁ × (V−U) and sets it to Y ₃ (S 146). Next, the preprocessing unit 131 calculates Z ₁ × (X ₂ −X ₁ ), and sets the result to Z ₃ (S147).

By the processing of S141 to S147, the coordinates (X ₃ : Y ₃ : Z ₃ ) of the point P ₃ obtained by adding _two different points P ₁ and P ₂ on the elliptic curve E are obtained. In the elliptic curve addition ECADD _coZ algorithm, the processes of S148 and S149 are further executed. In the process of S136, the preprocessing unit 131 sets the temporary variable U to X _1p (S148). Next, the preprocessing unit 131 calculates Y ₁ × (V−U) and sets the result to Y _1p (S149). A point P _1p having coordinates (X _1p : Y _1p : Z ₃ ) is the same point on the elliptic curve E as the point P ₁ .

As described above, the elliptic curve addition ECADD _coZ outputs the point P ₃ corresponding to P ₁ + P ₂ and the coordinates of the point P ₁ having the same Z coordinate as the point P ₃ . Therefore, after calculating the point P ₃ , when the point P ₃ and the point P ₁ are further added, it is possible to perform an operation using the coordinates of the two points P ₁ and P ₃ having the same Z coordinate. . Further, the above addition operation having the same Z coordinate can be executed at a higher speed than the elliptic curve addition ECADD already described.

Therefore, scalar multiplication is accelerated by using the elliptic curve addition ECADD _coZ . As described below, by effectively using the elliptic curve addition ECADD _Coz utilizing elliptic curve doubling ECDBL _Coz, it is possible to speed up scalar multiplication.

(Scalar multiplication based on ECDBL _coZ and ECADD _coZ )
Here, the calculation of scalar multiplication based on elliptic curve doubling _{ECDBL coZ} and elliptic curve addition ECADD _coZ will be described with reference to FIG. FIG. 15 is a third flowchart for explaining the scalar multiplication calculation according to the second embodiment. In the example of FIG. 15, assuming that the window width is 4 bits, 0 × P, 1 × P, 2 × P,..., 15 × P are calculated for the point P on the elliptic curve E by scalar multiplication. This is a preprocessing method.

  The preprocessing unit 131 that has started the preprocessing sets the infinity point ∞ corresponding to 0 × P to W [0], and stores W [0] in the storage unit 102. Further, the preprocessing unit 131 sets P corresponding to 1 × P to W [1] and stores W [1] in the storage unit 102. Thereafter, the preprocessing unit 131 sequentially executes the processes shown in FIG.

As illustrated in FIG. 15, the preprocessing unit 131 executes elliptic curve doubling _{ECDBL coZ} (corresponding to P ₁ = P, P ₃ = 2 × P) for the point P (S151). By the operation of S151, 2 × P coordinates are obtained. Further, P coordinates having the same 2 × P and Z coordinates are obtained. The preprocessing unit 131 sets 2 × P coordinates obtained by elliptic curve doubling ECDBL _coZ to W [2], and stores W [2] in the storage unit 102. Further, the preprocessing unit 131 stores the coordinates of P having the same 2 × P and Z coordinates in the storage unit 102.

  Next, the preprocessing unit 131 executes a first processing group including the processes of S152 to S158 and a second processing group including the processes of S159 to S164. The first processing group is a set of processes for calculating an odd number × P of 3 or more. On the other hand, the second process group is a set of processes for calculating an even number × P of 4 or more. The execution order of the first processing group and the second processing group can be switched. Further, the second processing group and the second processing group can be executed in parallel. Here, a case where processing is executed in the order of the first processing group and the second processing group will be considered.

(First processing group)
The preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = P, P ₃ = 3 × P) for adding P to 2 × P (S152). At this time, the pre-processing unit 131 executes elliptic curve addition ECADD _coZ using P coordinates and W [2] having the same 2 × P and Z coordinates. By the calculation of S152, 3 × P coordinates are obtained. Further, P coordinates having the same 3 × P and Z coordinates are obtained. The preprocessing unit 131 sets 3 × P coordinates obtained by elliptic curve addition ECADD _coZ to W [3], and stores W [3] in the storage unit 102. Further, the pre-processing unit 131 stores 2 × P coordinates having the same 3 × P and Z coordinates in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 3 × P, P ₃ = 5 × P) that adds 2 × P to 3 × P. (S153). At this time, the pre-processing unit 131 executes the elliptic curve addition ECADD _coZ using the 2 × P coordinates and W [3] that have the same 3 × P and Z coordinates. By the calculation of S153, 5 × P coordinates are obtained. Further, 2 × P coordinates having the same 5 × P and Z coordinates are obtained. The preprocessing unit 131 sets 5 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [5], and stores W [5] in the storage unit 102. Further, the pre-processing unit 131 stores 2 × P coordinates having the same Z coordinate as 5 × P in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 5 × P, P ₃ = 7 × P) that adds 2 × P to 5 × P. (S154). At this time, the pre-processing unit 131 executes the elliptic curve addition ECADD _coZ using 2 × P coordinates and W [5] that have the same 5 × P and Z coordinates. The coordinates of 7 × P are obtained by the calculation of S154. Further, 2 × P coordinates having the same Z coordinate as 7 × P are obtained. The preprocessing unit 131 sets 7 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [7], and stores W [7] in the storage unit 102. Further, the pre-processing unit 131 stores 2 × P coordinates having the same Z coordinate as 7 × P in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 7 × P, P ₃ = 9 × P) that adds 2 × P to 7 × P. (S155). At this time, the pre-processing unit 131 executes the elliptic curve addition ECADD _coZ using the 2 × P coordinates and W [7], which have the same 7 × P and Z coordinates. 9 × P coordinates are obtained by the calculation of S155. Furthermore, 2 × P coordinates having the same 9 × P and Z coordinates are obtained. The preprocessing unit 131 sets 9 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [9], and stores W [9] in the storage unit 102. Further, the preprocessing unit 131 stores 2 × P coordinates in common with 9 × P and Z coordinates in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 9 × P, P ₃ = 11 × P) for adding 2 × P to 9 × P. (S156). At this time, the preprocessing unit 131 executes the elliptic curve addition ECADD _coZ using the 2 × P coordinates and W [9], which have the same 9 × P and Z coordinates. The coordinates of 11 × P are obtained by the calculation of S156. Further, 2 × P coordinates having the same 11 × P and Z coordinates are obtained. The preprocessing unit 131 sets 11 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [11], and stores W [11] in the storage unit 102. Further, the pre-processing unit 131 stores 2 × P coordinates having the same Z coordinate as 11 × P in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 11 × P, P ₃ = 13 × P) that adds 2 × P to 11 × P. (S157). At this time, the preprocessing unit 131 executes the elliptic curve addition ECADD _coZ using the 2 × P coordinates and W [11], which have the same 11 × P and Z coordinates. By the calculation of S157, 13 × P coordinates are obtained. Furthermore, 2 × P coordinates having the same 13 × P and Z coordinates are obtained. The preprocessing unit 131 sets the 13 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [13], and stores W [13] in the storage unit 102. Further, the pre-processing unit 131 stores 2 × P coordinates having the same Z coordinate as 13 × P in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 13 × P, P ₃ = 15 × P) that adds 2 × P to 13 × P. (S158). At this time, the preprocessing unit 131 executes the elliptic curve addition ECADD _coZ using the 2 × P coordinates and W [13], which have the same 13 × P and Z coordinates. The coordinates of 15 × P are obtained by the calculation of S158. The preprocessing unit 131 sets the 15 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [15], and stores W [15] in the storage unit 102. In the process of S158, it is not necessary to calculate 2 × P coordinates that have the same Z coordinate as 15 × P.

(Second treatment group)
The preprocessing unit 131 executes elliptic curve doubling ECDBL _coZ (corresponding to P ₁ = 2 × P, P ₃ = 4 × P) that _doubles 2 × P (S159). At this time, the preprocessing unit 131 performs elliptic curve doubling _{ECDBL coZ} using W [2]. By the operation of S159, 4 × P coordinates are obtained. Further, 2 × P coordinates having the same 4 × P and Z coordinates are obtained. The preprocessing unit 131 sets 4 × P coordinates obtained by elliptic curve doubling ECDBL _coZ to W [4], and stores W [4] in the storage unit 102. Further, the pre-processing unit 131 stores 2 × P coordinates having the same Z coordinate as 4 × P in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 4 × P, P ₃ = 6 × P) that adds 2 × P to 4 × P. (S160). At this time, the pre-processing unit 131 executes the elliptic curve addition ECADD _coZ using 2 × P coordinates and W [4], which have the same 4 × P and Z coordinates. The coordinates of 6 × P are obtained by the calculation of S160. Further, 2 × P coordinates having the same 6 × P and Z coordinates are obtained. The preprocessing unit 131 sets the 6 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [6], and stores W [6] in the storage unit 102. Further, the preprocessing unit 131 stores 2 × P coordinates having the same Z coordinate as 6 × P in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 6 × P, P ₃ = 8 × P) for adding 2 × P to 6 × P. (S161). At this time, the preprocessing unit 131 executes elliptic curve addition ECADD _coZ using 2 × P coordinates and W [6], which have the same 6 × P and Z coordinates. By the operation of S161, 8 × P coordinates are obtained. Further, 2 × P coordinates having the same 8 × P and Z coordinates are obtained. The preprocessing unit 131 sets the 8 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [8] and stores W [8] in the storage unit 102. Further, the preprocessing unit 131 stores in the storage unit 102 the 2 × P coordinates that have the same 8 × P and Z coordinates.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 8 × P, P ₃ = 10 × P) that adds 2 × P to 8 × P. (S162). At this time, the preprocessing unit 131 executes the elliptic curve addition ECADD _coZ using the 2 × P coordinates and W [8], which have the same 8 × P and Z coordinates. The coordinates of 10 × P are obtained by the calculation of S162. Further, 2 × P coordinates having the same 10 × P and Z coordinates are obtained. The preprocessing unit 131 sets the 10 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [10], and stores W [10] in the storage unit 102. Further, the preprocessing unit 131 stores 2 × P coordinates having the same Z coordinate as 10 × P in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 10 × P, P ₃ = 12 × P) that adds 2 × P to 10 × P. (S163). At this time, the pre-processing unit 131 executes the elliptic curve addition ECADD _coZ using 2 × P coordinates and W [10], which share the 10 × P and Z coordinates. The coordinates of 12 × P are obtained by the calculation of S163. Further, 2 × P coordinates having a common Z coordinate with 12 × P are obtained. The preprocessing unit 131 sets the 12 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [12] and stores W [12] in the storage unit 102. Further, the pre-processing unit 131 stores 2 × P coordinates having the same Z coordinate as 12 × P in the storage unit 102.

Next, the preprocessing unit 131 _executes elliptic curve addition ECADD _coZ (corresponding to P ₁ = 2 × P, P ₂ = 12 × P, P ₃ = 14 × P) that adds 2 × P to 12 × P. (S164). At this time, the preprocessing unit 131 executes the elliptic curve addition ECADD _coZ using the 2 × P coordinates and W [12], which have the same 12 × P and Z coordinates. The coordinates of 14 × P are obtained by the calculation of S164. The preprocessing unit 131 sets the 14 × P coordinates obtained by the elliptic curve addition ECADD _coZ to W [14], and stores W [14] in the storage unit 102. Note that in the process of S164, it is not necessary to calculate 2 × P coordinates having the same 14 × P and Z coordinates.

(Evaluation of computational complexity)
The calculation time of the elliptic curve doubling _{ECDBL coZ} described above is 4M + 6S. _Further , the calculation time of the above-described elliptic curve addition ECADD _coZ is 5M + 2S. The preprocessing illustrated in FIG. 15 includes elliptic curve doubling _{ECDBL coZ} twice and elliptic curve addition ECADD _coZ 12 times. Therefore, the calculation time TimePre required for the preprocessing is expressed by the following equation (20). Therefore, it can be seen that a speed increase of about 28% can be realized by applying the method illustrated in FIG. 15 compared with the calculation time of the preprocessing illustrated in FIG.

TimePre = 2 × (4M + 6S) + 12 × (5M + 2S)
= 96.8M
... (20)
When the window width is N bits, the preprocessing includes two elliptic curve doublings _{ECDBL coZ} and (2 ^N -4) elliptic curve addition ECADD _coZ . Accordingly, the calculation time TimePre is expressed by the following equation (21).

TimePre = 2 × (4M + 6S) + (2 ^N −4) × (5M + 2S)
= (5 × 2 ^N −12) M + (2 × 2 ^N +4) S
= (6.6 × 2 ^N −8.8) M
... (21)
When N = 2, the calculation time TimePre calculated by the above equation (21) is TimePre = 17.6M. Similarly, when N = 3, TimePre = 44.0M. When N = 4, TimePre = 96.8M. In addition, when N = 5, TimePre = 202.4M.

  Compared with the calculation time TimePre calculated by the above equation (17) (corresponding to the preprocessing shown in FIG. 10), it is 8.3% when N = 2, 23.6% when N = 3, It can be confirmed that 28.0% can be achieved when N = 4, and 29.7% when N = 5. That is, by applying the preprocessing method according to the second embodiment, it is possible to increase the speed of scalar multiplication, and thus to increase the speed of processing related to elliptic curve cryptography.

The function of the transmission device 100 has been described above.
[2-5. Function of receiving apparatus 200]
Next, the function of the receiving apparatus 200 related to a new algorithm capable of shortening the calculation time of scalar multiplication will be described with reference to FIG. FIG. 16 is a block diagram illustrating an example of functions that the receiving apparatus according to the second embodiment has.

  As illustrated in FIG. 16, the reception device 200 includes a communication unit 201, a storage unit 202, and a calculation unit 203. The function of the communication unit 201 can be realized by using the connection port 924, the communication unit 926, or the like described above. The function of the storage unit 202 can be realized using the above-described RAM 906, storage unit 920, and the like. The function of the calculation unit 203 can be realized using the above-described CPU 902 or the like.

The communication unit 201 is an element that communicates with the transmission device 100 via the network NW. For example, the communication unit 201 receives the result R and the ciphertext C of the scalar multiplication of the randomly generated scalar value r and the base point P from the transmission device 100. The storage unit 202 stores the secret key s. Further, the storage unit 202 stores the result of scalar multiplication W _R [i] (i = 0, 1,...) Calculated for each window.

The calculation unit 203 restores the plaintext M from the ciphertext C using the R and the secret key s received from the transmission device 100. The calculation unit 203 includes a pre-processing unit 231 and a post-processing unit 232.
The pre-processing unit 231 performs scalar multiplication on the point R on the elliptic curve E for each scalar value for all scalar values that can be taken by a bit string (window) having a preset length. At this time, the preprocessing unit 231 can efficiently apply the elliptic curve addition ECADD _coZ that adds points on the elliptic curve E having the same Z coordinate of the Jacobian coordinates and the elliptic curve addition ECADD _coZ. Use multiplication ECDBL _coZ . The preprocessing unit 231 stores the result of scalar multiplication W _R [i] (i = 0, 1,...) Calculated for each window in the storage unit 202.

The post-processing unit 232 performs scalar multiplication on the point R on the elliptic curve E using the result of scalar multiplication W _R [i] (i = 0, 1,...) Stored in the storage unit 202. . For example, the post-processing unit 232 divides the scalar value d into a plurality of bit strings having the same length as the window width, and executes the scalar multiplication of the scalar value d and the point R by combining the results of the scalar multiplication for each bit string. . At this time, the post-processing unit 232 uses W _R [i] (i = 0, 1,...) As a result of bitwise scalar multiplication.

The pre-processing unit 231 and the post-processing unit 232 perform elliptic curve doubling _{ECDBL coZ,} elliptic curve addition ECADD _coZ , and the like, similar to the pre-processing unit 131 and the post-processing unit 132 included in the calculation unit 103 of the transmission apparatus 100. To perform preprocessing scalar multiplication. That is, the preprocessing unit 231 performs the same process as the preprocess illustrated in FIG. Further, the post-processing unit 232 executes the same processing as the post-processing exemplified in FIG.

The second embodiment has been described above.
<3. Addendum>
The following additional notes are disclosed with respect to the embodiment described above.

(Supplementary note 1) For each point on the set elliptic curve, for each bit value combination that can be taken by the bit string of the set length, scalar multiplication is performed on the point on the elliptic curve according to the bit value combination. An arithmetic unit to be executed;
A storage unit for storing the result of the scalar multiplication;
Have
The information processing apparatus performs the scalar multiplication based on an addition operation for adding a first point and a second point on the elliptic curve having one common Jacobian coordinate.

(Appendix 2) The calculation unit
When the first point and the second point are different points, a third point is calculated by adding an elliptic curve between the first point and the second point in the addition operation. And calculating the coordinates of the first point in common with the third point and one of the Jacobian coordinates,
When the first point and the second point are the same point, a fourth point is calculated by doubling the elliptic curve of the first point in the addition operation, and the fourth point The information processing apparatus according to appendix 1, wherein the coordinates of the first point where one of the points and the Jacobian coordinates are common are calculated.

(Supplementary note 3) When the arithmetic unit calculates a scalar multiplication of a set scalar value and a point on the set elliptic curve, a plurality of bit lengths indicating the scalar value are set to the set length. The scalar multiplication of the set scalar value and the set point on the elliptic curve is calculated using the result of the scalar multiplication stored in the storage unit. Information processing device.

(Appendix 4) A computer having a storage unit is
A process of performing scalar multiplication on the points on the elliptic curve according to the combination of the bit values for each combination of bit values that can be taken by the bit string of the set length for the points on the set elliptic curve, And an information processing method for executing a process of storing the result of the scalar multiplication in the storage unit,
In the process of executing the scalar multiplication, the computer executes the scalar multiplication based on an addition operation for adding the first point and the second point on the elliptic curve having one common Jacobian coordinate. Information processing method.

(Supplementary Note 5) In a computer having a storage unit,
A process of performing scalar multiplication on the points on the elliptic curve according to the combination of the bit values for each combination of bit values that can be taken by the bit string of the set length for the points on the set elliptic curve, And a program for executing processing for storing the result of the scalar multiplication in the storage unit,
In the process of executing the scalar multiplication, the computer executes the scalar multiplication based on an addition operation for adding the first point and the second point on the elliptic curve having one common Jacobian coordinate. Program.

(Supplementary note 6) An information processing device functioning as an encryption device or a cryptographic processing device, wherein the arithmetic unit executes the scalar multiplication in a process of encrypting a message based on an elliptic curve cryptosystem. 3. The information processing apparatus according to 3.

(Supplementary note 7) An information processing device functioning as a decryption device or a cryptographic processing device, wherein the arithmetic unit performs the scalar multiplication in a process of decrypting a ciphertext encrypted based on an elliptic curve cryptosystem. The information processing apparatus according to appendix 3.

(Supplementary Note 8) A computer-readable recording medium in which the program according to Supplementary Note 5 is stored.
(Supplementary Note 9) In the process of executing the scalar multiplication, the computer
When the first point and the second point are different points, a third point is calculated by adding an elliptic curve between the first point and the second point in the addition operation. And calculating the coordinates of the first point in common with the third point and one of the Jacobian coordinates,
When the first point and the second point are the same point, a fourth point is calculated by doubling the elliptic curve of the first point in the addition operation, and the fourth point The information processing method according to claim 4, wherein the coordinates of the first point in which one of the points and the Jacobian coordinates are common are calculated.

(Appendix 10) The computer
When calculating a scalar multiplication of a set scalar value and a point on the set elliptic curve, the bit string indicating the scalar value is divided into a plurality of bit strings of the set length, and the storage unit The information processing method according to claim 4 or 9, wherein a scalar multiplication between the set scalar value and the set point on the elliptic curve is calculated using the stored scalar multiplication result.

DESCRIPTION OF _SYMBOLS 10 Information processing apparatus 11 Calculation part 12 Storage part ECDBL _coZ elliptic curve _doubling ECADD _coZ elliptic curve addition P Point on set elliptic curve P ₁ 1st point P ₂ 2nd point P ₃ 3rd point P ₄ Fourth point d Scalar value

Claims (5)

For a point on the set elliptic curve, for each combination of bit values that can be taken by the bit string of the set length, an arithmetic unit that performs scalar multiplication on the points on the elliptic curve according to the combination of the bit values When,
A storage unit for storing the result of the scalar multiplication;
Have
The information processing apparatus performs the scalar multiplication based on an addition operation for adding a first point and a second point on the elliptic curve having one common Jacobian coordinate. The computing unit is
When the first point and the second point are different points, a third point is calculated by adding an elliptic curve between the first point and the second point in the addition operation. And calculating the coordinates of the first point in common with the third point and one of the Jacobian coordinates,
When the first point and the second point are the same point, a fourth point is calculated by doubling the elliptic curve of the first point in the addition operation, and the fourth point The information processing apparatus according to claim 1, wherein the coordinates of the first point in which one of the point and the Jacobian coordinate is common are calculated. The arithmetic unit, when calculating a scalar multiplication of the set scalar value and the point on the set elliptic curve, converts the bit string indicating the scalar value into a plurality of bit strings of the set length. The information according to claim 1, further comprising: calculating a scalar multiplication of the set scalar value and the point on the set elliptic curve using the result of the scalar multiplication stored in the storage unit. Processing equipment. A computer having a storage unit
A process of performing scalar multiplication on the points on the elliptic curve according to the combination of the bit values for each combination of bit values that can be taken by the bit string of the set length for the points on the set elliptic curve, And an information processing method for executing a process of storing the result of the scalar multiplication in the storage unit,
In the process of executing the scalar multiplication, the computer executes the scalar multiplication based on an addition operation for adding the first point and the second point on the elliptic curve having one common Jacobian coordinate. Information processing method. In a computer having a storage unit,
A process of performing scalar multiplication on the points on the elliptic curve according to the combination of the bit values for each combination of bit values that can be taken by the bit string of the set length for the points on the set elliptic curve, And a program for executing processing for storing the result of the scalar multiplication in the storage unit,
In the process of executing the scalar multiplication, the computer executes the scalar multiplication based on an addition operation for adding the first point and the second point on the elliptic curve having one common Jacobian coordinate. Program.

Images