JP2017067859A - Scalar multiplication device and scalar multiplication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a scalar multiplication device that performs a scalar multiplication process strong against side channel attack and high in security and that has a relatively simple configuration.SOLUTION: If a bit value dof a digit part of a scalar value d is "1," a scalar multiplication device performs steps SP11-SP13 and thereby conducts an operational expression 1 of {Q←2Q+P}. Step SP11 is a two-multiplication process, and steps SP12 and SP13 are addition processes (first and second addition processes). On the other hand, if the bit value dof the digit part of the scalar value d is "0," the scalar multiplication device performs steps SP01-SP03 and thereby conducts an operational expression 2 of {Q←2Q}. Step SP01 is a two-multiplication process, and steps SP02 and SP03 are addition processes (the first and second addition processes).SELECTED DRAWING: Figure 1

Description

  The present invention relates to a scalar multiplication apparatus and a scalar multiplication method for obtaining a scalar multiplication value by scalar multiplication of input coordinate points.

  The scalar multiplication process, which is the main operation of elliptic curve cryptography, is an arithmetic process for obtaining the scalar multiplication value dP (scalar multiple point) by multiplying the rational point P and the scalar (multiple) value d. The elliptic curve cryptosystem is based on the fact that it is difficult to obtain the scalar value d from the scalar multiplication value dP (discrete logarithm problem (ECDLP) on the elliptic curve).

  The computation of rational points on an elliptic curve forms a module with the infinity point as the zero element. In general, two types of addition and addition using a straight line are defined. In these operations, a scalar multiplication process is realized by bit-expanding a scalar (multiple) value d by an addition chain algorithm such as a binary method, and adding and doubling by the value of each bit. However, since the processing time changes depending on the scalar value d (timing leak occurs), there is a problem that the scalar value d leaks. As a measure for avoiding the timing leak, it is conceivable to perform a dummy operation even when the bit value of the scalar value d is “0”. The possibility of leakage is pointed out. Various countermeasures against side channel attacks have been proposed in Patent Documents 1 to 6, but it is necessary to perform mapping and conversion on various input data (scalar value d, rational point P). Since an arithmetic unit and a control mechanism used other than the multiplication processing are necessary, the mounting cost is increased.

Japanese Patent No. 4783061 Japanese Patent No. 4284320 Japanese Patent No. 4668931 Japanese Patent No. 5233473 Japanese Patent No. 5488718 Japanese Patent No. 5573964

Takeshi Sugawara, Daisuke Suzuki, “ECDSA Safe Error Attack Using Special Treatment of Infinity Points in Elliptical Group Operations” (SCIS2015)

  As described above, the conventional scalar multiplication apparatus that has taken the measure of avoiding the timing leak by the dummy calculation has a problem that it is vulnerable to a safe error attack due to fault insertion. In addition, the scalar multiplication apparatus in which various arithmetic processes other than the scalar multiplication process are additionally executed as a countermeasure against the side channel attack has a problem that the mounting cost becomes high.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to obtain a scalar multiplication apparatus that executes a scalar multiplication operation process that is resistant to side channel attacks and has high security with a relatively simple configuration. .

  The scalar multiplication apparatus according to claim 1 is a scalar multiplication apparatus that receives an input coordinate point and an input scalar value and obtains a scalar multiplication value of the input coordinate point, and adds two input values. An addition operation unit that performs an operation, a doubling operation unit that performs a doubling operation of one input value, and an input scalar value or a conversion scalar value obtained by converting the input scalar value A scalar multiplication operation mechanism that obtains the scalar multiplication value by performing a scalar multiplication process on the calculation scalar value and the input coordinate point as a calculation target, and the calculation scalar value includes a plurality of digits. And each of the plurality of digits has an information amount of at least one bit, and the scalar multiplication process is performed corresponding to the plurality of digits, and each of the digits obtains a digit calculation result. Department By executing the plurality of digit part calculation processes, the digit part calculation results are sequentially obtained from the highest order to the lowest order while propagating the digit part calculation results from the upper part to the lower part between adjacent digit parts. The digit part operation result obtained from the least significant digit part is used as the scalar multiplication value, and the plurality of digit part arithmetic processes are respectively executed using the addition arithmetic part and the doubling arithmetic part. If the value of the part is “0”, the zero calculation process is executed to obtain the digit calculation result, and if it is not “0”, the non-zero calculation process having a different calculation content from the zero calculation process is executed. Part calculation results are obtained, and both the zero calculation process and the non-zero calculation process are performed in the order of a doubling process, a first addition process, and a second addition process. The result is a digit calculation result.

  The scalar multiplication apparatus according to claim 1 of the present invention has the above-described feature, so that the common arithmetic processing between the zero arithmetic processing and the non-zero arithmetic processing (double arithmetic processing, first and second addition processing) is performed. The digit calculation result is obtained for the first time after execution. For this reason, there is no change in the calculation processing time depending on whether the value of the digit part of the calculation scalar value is “0” or non- “0”. Therefore, it is possible to reliably avoid timing leaks based on the difference in the arithmetic processing between the zero arithmetic processing and the non-zero arithmetic processing.

  Further, the doubling process and the first and second addition processes executed between the zero calculation process and the non-zero calculation process are all necessary for obtaining the digit part calculation result, and the calculation result is not used. It is not a dummy calculation process. Therefore, the safe error attack for the dummy calculation process is not executed.

  In addition, since the side channel attack calculation processing other than the scalar multiplication processing is not particularly performed, it can be realized with a relatively simple configuration.

  As a result, it is possible to obtain a scalar multiplication device that executes a scalar multiplication process that is highly resistant to side channel attacks including timing leak detection and safe error attacks and has high security.

It is explanatory drawing which shows the outline | summary of the scalar multiplication algorithm of the scalar multiplication apparatus of this invention. It is a block diagram which shows the structure of the scalar multiplication apparatus of Embodiment 1 (to 4). 4 is an explanatory diagram schematically showing a scalar multiplication algorithm according to Embodiment 1. FIG. 6 is an explanatory diagram schematically illustrating an execution example of a scalar multiplication algorithm according to Embodiment 1. FIG. It is explanatory drawing which shows typically the conversion algorithm in Window method. It is explanatory drawing which shows typically the conventional prior calculation algorithm in Window method. It is explanatory drawing which shows typically the conventional this calculation algorithm in Window method. FIG. 10 is an explanatory diagram schematically showing a pre-calculation algorithm according to the second embodiment. FIG. 10 is an explanatory diagram schematically showing the present calculation algorithm of the second embodiment. FIG. 10 is an explanatory diagram schematically illustrating an execution example of the present calculation algorithm according to the second embodiment. It is explanatory drawing which shows typically the conversion algorithm in a NAF method. It is explanatory drawing which shows typically this conventional calculation algorithm in NAF method. FIG. 10 is an explanatory diagram schematically showing the present calculation algorithm of the third embodiment. FIG. 10 is an explanatory diagram schematically illustrating an execution example of the present calculation algorithm according to the third embodiment. It is explanatory drawing which shows typically the conventional conversion algorithm in wNAF method. It is explanatory drawing which shows the conventional prior calculation algorithm in a wNAF method typically. It is explanatory drawing which shows typically this conventional calculation algorithm in wNAF method. FIG. 10 is an explanatory diagram schematically showing a conversion algorithm according to a fourth embodiment. FIG. 10 is an explanatory diagram schematically showing a pre-calculation algorithm of a fourth embodiment. FIG. 10 is an explanatory diagram schematically showing the present calculation algorithm of the fourth embodiment. FIG. 16 is an explanatory diagram (part 1) schematically showing an execution example of the present calculation algorithm of the fourth embodiment. FIG. 20 is an explanatory diagram (part 2) schematically illustrating an execution example of the present calculation algorithm of the fourth embodiment. It is explanatory drawing which shows an elliptic curve. It is explanatory drawing which shows the algorithm of the conventional binary method. It is explanatory drawing which shows the algorithm of the conventional binary method which performs a dummy calculation process.

<Principle of the invention>
(About elliptic curve cryptography)
As public key cryptography, RSA cryptography is prevalent, but in recent years, elliptic curve cryptography that can achieve the same security with a shorter key length has become widespread, and it has been adopted for digital home appliance authentication and copyright protection. ing. Another notable point of elliptic curve cryptography is that it can be extended to pairing cryptography using bilinear mapping called pairing on elliptic curves. Research on cryptographic protocols using pairing is active, and examples of such ciphers include ID-based ciphers, time-release ciphers, attribute-based ciphers, searchable ciphers, and functional ciphers.

(Definition of elliptic curve)
FIG. 23 is an explanatory diagram showing an elliptic curve. In this specification, the case of an elliptic curve on a finite field F _p of characteristic p> 3 given by Weierstrass standard form E: {y ² = x ³ + ax + b} will be described. For any two points P and QεE included in the elliptic curve E, the third point represented as {P + Q} is geometrical using a straight line L passing through P and Q as shown in FIG. And E forms a group by this operation {+}.

(Addition of rational points on an elliptic curve (defined by a straight line))
An important property of elliptic curves is that a third point {P + Q} ∈E (F) can be defined geometrically with respect to P and Q∈E (F), and a module with an infinite point O as a zero element It is to make. F is when the finite field _{F p} is, E _{(F p)} becomes finite group is denoted the quantile and #E _{(F p).}

This geometric addition can be described using point coordinates. When P = (x ₁ , y ₁ ) and Q = (x ₂ , y ₂ ), P + Q = (x ₃ , y ₃ ) is given by the following formulas (1) to (3).

  The formula of equation (2) is called addition when P ≠ Q and doubling when P = Q. Hereinafter, in the pseudo language diagram representing the algorithm, addition is expressed in a functional form of ECADD (P, Q), and doubling is expressed in a function format of ECDBL (P).

(Scalar multiplication)
By repeating the addition described above, {dP = P + P +... + P} is defined as the scalar multiple dP for the rational points and integers on the elliptic curve, which is the sum of d scalar values.

  Such an operation is called scalar multiplication, and elliptic curve cryptography is based on the fact that it is difficult to obtain P from the scalar multiplication value dP (discrete logarithm problem (ECDLP) on the elliptic curve).

  In order to actually determine the scalar multiplication value dP, it is common to use an addition chain algorithm.

  FIG. 24 is an explanatory diagram showing a conventional Left to Right binary algorithm, which is a typical addition chain algorithm. In the scalar multiplication algorithm AR51 shown in FIG. 24, 1 :, 2 :,... 7: indicate execution step positions. Hereinafter, the steps ST1 to ST7 are referred to based on the execution step position.

In the scalar multiplication algorithm AR51 shown in FIG. 24, the scalar value d is represented by an s-bit binary number {d _s−1 , d _s−2 ,..., D ₁ , d ₀ }. That is, the scalar value d is represented by s digits each having a 1-bit information amount.

Then, after the doubling function ECDBL (Q) in step ST3 from the most significant digit (s-1) to the least significant digit 0, the value d _i (i = (s− 1) to 0)) is a digit part in which the presence / absence of execution of the addition function ECADD (P, Q) in step ST4 is divided based on whether or not “1” is “1”. The calculation process is executed, and finally the value Q (digit calculation result) obtained by the digit calculation process of d ₀ of the least significant digit 0 is obtained as the scalar multiplication value dP.

As described above, the Left to Right binary method has a feature that whether or not the addition process of step ST4 is performed depends on the value d _i of each digit part (bit) when the scalar value d is expressed in binary notation.

(Task)
The calculation of an elliptic curve is generally defined by the addition of rational points and addition by doubling by a straight line passing through points on the elliptic curve, and the addition (ECADD ( P, Q)) and doubling (ECDBL (Q)) are expanded to realize scalar multiplication processing.

However, the binary algorithm generates a timing leak that changes the processing time depending on each bit value d _i of the scalar (multiple) value d serving as a secret key, so that the scalar value d may be leaked.

  FIG. 25 is an explanatory diagram showing an algorithm of a conventional Left to Right binary method in which dummy calculation processing is inserted. In the scalar multiplication algorithm AR52 shown in FIG. 25, 1 :, 2 :,... 8: indicate execution step positions. Hereinafter, steps ST1 to ST8 are referred to with the execution step position as a reference.

As shown in scalar multiplication algorithm AR52 in FIG. 25, as a general measure, regardless of the bit value _{d i} of the scalar value d by inserting dummy operation (addition function ECADD (Q, P)) shown at step ST5 The processing time is kept constant.

The variable D obtained by the dummy calculation in step ST5 is discarded after the calculation. By inserting a dummy operation, "0" bit value d _i of the scalar value d "1" (or is zero, which is either a non-zero) timing leak since the processing time is the same without depending on It can be avoided.

  However, when there is such a dummy operation, as disclosed in Non-Patent Document 1, a scalar multiple value is utilized by utilizing the fact that an error does not propagate only when an intermediate result enters the infinite point O by fault insertion. There is a problem that it is vulnerable to safe error attacks.

  Hereinafter, an example of a safe error attack will be described. In step ST4 or step ST5 of the scalar multiplication algorithm AR52, a fault such as {Q + P → O} is inserted (for example, Q = −P).

Then, in step ST3 to be executed next (assuming i = n−1), if 2Q → O, d _n = 1, otherwise d _n = 0 can be estimated. Hereinafter, this point will be described in detail.

If a fault is inserted so that {Q + P → O} is satisfied in step ST4, it is determined in step ST3 to be executed that the point at infinity O is obtained when "0" is multiplied, and exception processing is executed. , D _n = 1.

On the other hand, even if a fault is inserted so that {Q + P → O} in step 5, D (dummy calculation result) is discarded, so that it is infinite when multiplying “0” in step ST3 to be executed next. It can be predicted that d _n = 0 because point O is not reached and exception processing is not executed.

Thus, even if a dummy operation is inserted and the addition function ECADD (P, Q) is executed regardless of d _i = “0”, “1”, a scalar value is generated by a safe error attack due to fault insertion. There is a problem that the problem of d leaking cannot be avoided.

  The scalar multiplication apparatus of the present invention described in the following first to fourth embodiments is an apparatus for solving the problem of avoiding the problem of leakage of the scalar value d due to a safe error attack due to fault insertion.

(Summary of Invention)
In the scalar multiplication apparatus of the present invention, a combination of additive formulas is used as a countermeasure against a safe error attack using the avoidance of timing leak depending on the scalar (multiple) value d and the special treatment of the infinity point O. A combination of operations that achieves a scalar multiplication algorithm typified by the Left to Right binary method (hereinafter simply abbreviated as “binary method”) while keeping the processing time constant regardless of the bit value of the scalar value. Propose.

  FIG. 1 is an explanatory diagram showing an outline of a scalar multiplication algorithm of the scalar multiplication apparatus of the present invention. The scalar value d is composed of a plurality of digits each having a 1-bit information amount.

24 and as indicated by the scalar multiplication algorithm AR51 and AR52 shown in FIG. 25, the binary method, when the bit value _{d i} of the digits of the scalar value d is "1", arithmetic expressions {Q ← 2Q + P} for 1 according girder processing (non-zero processing), if the bit value d _i of the digits of the scalar value d is "0", {Q ← 2Q } girder arithmetic processing by the arithmetic equation 2 (zero operation It is necessary to obtain the digit calculation result for each.

  As described above, the scalar multiplication algorithm represented by the binary method is executed when the value of the digit part is “0” and when it is “1” (when it is other than “0”). The content of arithmetic processing is different from non-zero arithmetic processing.

Therefore, in the present invention, when the bit value d _i of the digit part of the scalar value d is “1”, as shown in FIG. 1A, by executing steps SP11 to SP13, {Q ← 2Q + P} Formula 1 is realized. Step SP11 is a doubling process, and steps SP12 and SP13 are addition processes (first and second addition processes).

On the other hand, when the bit value d _i of the digit part of the scalar value d is “0”, as shown in FIG. 1 (b), by executing steps SP01 to SP03, the equation 2 of {Q ← 2Q} is obtained. Realized. Step SP01 is a doubling process, and steps SP02 and SP03 are addition processes (first and second addition processes). Note that step SP03 and step SP13 are also included in the addition process of {B ← (−P)}.

  Thus, both the zero calculation process (steps SP01 to SP03) and the non-zero calculation process (steps SP11 to SP13) are doubled using a multiplier (SP01, SP11), mainly using the addition calculation unit 5. The first addition process (SP02, SP12) and the second addition process (SP03, SP13) mainly using the addition calculation unit 5 are performed in this order, and the calculation result of the second addition process (in steps SP03 and SP13) The obtained Q) is the digit part calculation result finally obtained.

  Here, in steps SP12 and SP13 and steps SP02 and SP03, when “Q = A” or “Q = B”, the doubling process is exceptionally performed instead of the addition process. It is considered that a timing leak occurs because the algorithm to be executed fluctuates. However, since it is not caused by the digit value of the scalar value d, the leakage of the scalar value d is not affected. In addition, although the processing of steps SP01 to SP03 is redundant, it is composed only of the arithmetic processing necessary for establishing the above-described arithmetic expression 2, and therefore the influence of the safe error attack by the fault insertion using the infinity point O. I don't get it either.

  As described above, the scalar multiplication apparatus of the present invention adopting the zero calculation process (steps SP01 to SP03) and the non-zero calculation process (steps SP11 to SP13) shown in FIG. It is possible to prevent two types of side channel attacks ("scalar value leakage due to timing leak" and "safe error attack due to fault insertion") against the value d.

<Embodiment 1>
FIG. 2 is a block diagram showing the configuration of the scalar multiplication apparatus of the first embodiment. As shown in the figure, the scalar multiplication apparatus has a scalar multiplication calculation unit 1, a conversion scalar value generation unit 3, an addition calculation unit 5, a double calculation calculation unit 6, and a storage unit 8 as main components. ing.

  An addition operation unit (ECADD operation unit) 5 performs an addition operation based on addition using a straight line, an addition sequencer, a finite field adder, a finite field subtractor and a finite field multiplier (hereinafter collectively referred to as “finite field”). And a selection unit of the above-mentioned finite field arithmetic unit, and the addition operation result of two input values (I1, I2) is executed (I1 + I2). )

  A doubling operation unit (ECADD operation unit) 6 performs a doubling operation based on addition by a straight line, a doubling sequencer, a finite field adder, a finite field subtractor, a finite field multiplier, and the above-described finite field multiplier. It includes a selection unit of a field calculator and executes a doubling operation of one input value (I) to obtain a doubling operation result (2I).

  The scalar multiplication calculation unit 1 uses the addition unit selection function to selectively use the addition calculation unit 5 and the doubling calculation unit 6 to switch calculation contents in the elliptic curve addition algorithm.

  The conversion scalar value generation unit 3 receives the scalar value d from the arithmetic unit 1 for scalar multiplication, performs a scalar value conversion process on the scalar value d, and converts the conversion scalar value such as the conversion scalar value b and the conversion scalar value a to the scalar multiplication. Output to the arithmetic operation unit 1. In the first embodiment, the scalar value d is directly used as a calculation target without using the selection value generation unit 3.

  The arithmetic unit for scalar multiplication 1 receives an input coordinate point P (x, y) and a scalar value d, and further executes a scalar multiplication process for calculating a finite field according to a scalar multiplication algorithm AR1 described later. , To obtain a scalar multiplication value (scalar multiple point). When the scalar multiplication algorithm AR1 is executed, the scalar multiplication arithmetic unit 1 selectively uses the addition arithmetic unit 5 or the double arithmetic unit 6 by the arithmetic unit selection function when performing the doubling process and the adding process. Then, calculation result information obtained from the addition calculation unit 5 or the doubling calculation unit 6 is output to the storage unit 8. Then, the scalar multiplication calculation unit 1 acquires the calculation result information from the storage unit 8.

  The storage unit 8 includes, in addition to the calculation result information from the addition calculation unit 5 or the doubling calculation unit 6 described above, an input coordinate point P, a scalar value d, and converted scalar values b and a, and a later-described multiple table and digit. Various information necessary for scalar multiplication processing such as partial operation results (Q, A) is further stored.

  In the first embodiment, only the scalar multiplication operation unit 1 described above performs a scalar multiplication operation process using the scalar value d as the operation scalar value, and the operation scalar value and the input coordinate point P as the operation targets. A scalar multiplication operation mechanism for obtaining the multiplication value dP is configured.

  FIG. 3 is an explanatory diagram schematically showing a scalar multiplication algorithm AR1 executed by the scalar multiplication apparatus of the first embodiment. In the scalar multiplication algorithm AR1 shown in FIG. 3, 1 :, 2 :,... 9: indicate execution step positions. Hereinafter, the execution step positions are referred to as steps ST1 to ST9.

  In FIG. 3, the doubling function ECDBL (Q) in step ST3 indicates that Q doubling processing is performed. Therefore, specifically, in step ST3, the scalar multiplication operation unit 1 uses the operation unit selection function to input one input value Q to the doubling operation unit 6 using the doubling function ECDBL (Q) as operation input information. (Calculation input information) is given, and the doubling calculation result 2Q of Q obtained from the doubling calculation unit 6 is stored in the storage unit 8 as calculation result information, and the doubling calculation result 2Q stored in the storage unit 8 is stored. Is obtained by the scalar multiplication operation unit 1.

  Further, in FIG. 3, the addition function ECADD (Q, A (B)) in steps ST4 to ST6 indicates that the addition process of two input values Q and A (B) is performed. Therefore, in steps ST4 and ST5 (ST6), specifically, the scalar multiplication operation unit 1 is based on the addition function ECADD (Q, A) (or ECADD (Q, B)) by the operation unit selection function. Two input values Q and A (B) (calculation input information) are given to the addition calculation unit 5, and the addition calculation result (Q + A) of Q and A or the addition calculation result of Q and B obtained by the addition calculation unit 5 ( Q + B) is stored in the storage unit 8 as calculation result information. Then, the arithmetic unit for scalar multiplication 1 acquires the addition operation result (A + B) or (Q + B) stored in the storage unit 8.

  However, when Q = A or Q = B in the addition function ECADD (Q, A (B)), the operation unit selection function is exceptionally given one input value Q to the doubling operation unit 6 and multiplied by The doubling calculation result 2Q obtained from the calculation calculation unit 6 is calculation result information.

  As shown in FIG. 3, in the scalar multiplication algorithm AR1, step SP11 (or step SP01) in FIG. 1 is executed in step ST3, step SP12 in FIG. 1 is executed in step ST4, and step SP02 in FIG. 1 is executed in step ST5. In step ST6, step SP13 (or step SP03) in FIG. 1 is executed.

  FIG. 4 is an explanatory view schematically showing an execution example of the scalar multiplication algorithm AR1 by the scalar multiplication apparatus of the first embodiment. The outline of the scalar multiplication algorithm AR1 executed by the scalar multiplication operation unit 1 will be described below with reference to FIGS.

  (1) The input coordinate point P and the scalar value d are input to the scalar multiplication device, and the input coordinate point P is taken into the scalar multiplication operation unit 1 and stored in the storage unit 8 as required (FIG. 3). Input: Equivalent to ...

  (2) In the case of the above process (1), since the calculation is performed by the algorithm of the Left to Right binary method, the s digits of the scalar value d are each represented by 1-bit information.

Therefore, as shown in FIG. 3, it is represented by a scalar value d = {d _s−1 , d _s−2 ,..., D ₁ , d ₀ } ₂ . For example, as shown in FIG. 4A, s = 12, and a scalar value d “101001111011” ₂ (= (2683) ₁₀ ), d _{11 to} d ₀ are scalar multiplication operation units 1. And stored in the storage unit 8 as necessary.

  (3) Calculate the doubling value (double point) 2Q of the digit part calculation result Q (initial value is infinity point O) in the upper digit part and store it in the storage unit 8 (step of FIG. 3) Equivalent to ST3).

For example, MSB in the arithmetic processing P1 to the value _{d 11} of the column portions of the (topmost (s-1)), since the initial value of the girder operation result Q is a point at infinity O, 2 multiplication function ECDBL (Q) The result of the calculation is also an infinite point O, which is substantially the same as when step ST3 is not executed (not shown in FIG. 4).

Further, MSB-1 (= s- 2) In the processing P2 (1 line) for the values _{d 10} digit portion of, for girder operation result Q of the arithmetic processing P1 digit portion of one upper was P , P doubling value 2P (= P × 2) is obtained.

(4) When d _i (any of i = (s−1) to 0) is “1”, addition processing (Q + A) (first addition processing) is executed with A = 2P (corresponding to step ST4). ), When d _i is “0”, the addition process (Q + A) (first addition process) is executed with A = P (corresponding to step ST5 in FIG. 3).

For example, in the calculation process P3 (second row) performed on d ₉ (= “1”), an addition process of Q (= 4P) + 2P is executed, and the calculation performed on d ₈ (= “0”) In the process P4 (second line), an addition process of Q (= 10P) + P is executed.

(5) Addition processing (second addition processing) is executed with B = −P, and a digit portion calculation result Q of the i-digit digit portion (d _i ) is obtained (corresponding to step ST6).

For example, in the calculation process P3 (third line) performed for d ₉ (= “1”), an addition process of Q (= 6P) + (− P) is executed.

  (6) After decrementing the number of digits i by “1” (corresponding to step ST7), the above processes (3) to (5) are repeated.

Then, the scalar multiplication calculation unit 1 finally calculates the LSB (lowest order “0”) obtained by the second addition process (process (5)) of the calculation process P12 for d ₀ when i = 0. The digit part calculation result Q = 2683P of the digit part becomes the scalar multiplication value dP.

Thus, among the operation processing P1 to P12, with the exception of the first arithmetic processing P1, "0" of the value of _{d i,} regardless of "1", doubling the processing (step ST3 in FIG. 3) → first Since the processing is executed 11 times in the order of 1 addition processing (step ST4 or ST5 in FIG. 3) → second addition processing (step ST6 in FIG. 3), the processing time can be made constant without performing dummy calculation. .

(Effects etc.)
As described above, in the scalar multiplication apparatus of the first embodiment, the scalar multiplication operation performed by the scalar multiplication operation unit 1 is executed corresponding to a plurality of digit parts constituting the scalar value d. A plurality of digit part calculation processes (corresponding to the calculation processes P1 to P12 in FIG. 4B) for obtaining a digit part calculation result are included. Then, by executing a plurality of digit part arithmetic processes, the digit part calculation result Q is propagated from the upper part to the lower part between the adjacent digit parts via the storage unit 8, while the highest order (n−1) to the lowest order (0 ) To obtain the digit part calculation result Q sequentially for each digit part, and the digit part calculation result Q obtained from the digit part calculation process corresponding to the lowest digit part (corresponding to the calculation process P12 in FIG. 4B). Obtained as a scalar multiplication value dP.

Each of the plurality of column portions arithmetic processing described above is performed using the addition operation unit 5 and the doubling calculation unit 6, the zero processing in the case of d _i of the girder is "0" (Step of Fig. 2 SP01～ SP03) is executed to obtain the digit part calculation result Q. If “1” (other than “0”), the non-zero calculation process (steps SP11 to SP13 in FIG. 2) is different from the zero calculation process. ) To obtain the digit calculation result Q.

  The scalar multiplication apparatus according to the first embodiment performs both the zero calculation process and the non-zero calculation process in the order of the doubling process, the first addition process, and the second addition process. The result of the addition processing is the digit part calculation result.

  The scalar multiplication apparatus according to the first embodiment has the above-described characteristics, so that after the execution of the common arithmetic processing (double arithmetic processing, first and second addition processing) between the zero arithmetic processing and the non-zero arithmetic processing Since the digit part calculation result is obtained for the first time, the arithmetic processing time does not change depending on whether the digit part value of the scalar value d (scalar value for calculation) is “0” or non- “0”. Therefore, it is possible to reliably avoid timing leaks based on the difference in the arithmetic processing between the zero arithmetic processing and the non-zero arithmetic processing.

  Further, in the first embodiment, the doubling process and the first and second addition processes executed between the zero calculation process and the non-zero calculation process are all the calculation processes necessary for obtaining the digit part calculation result Q. Yes, it is not a dummy calculation process in which the calculation result is not used. Therefore, the safe error attack for the dummy calculation process is not executed.

  In addition, since the arithmetic processing for side channel attack other than the scalar multiplication processing is not particularly required, the scalar multiplication apparatus of the first embodiment can be realized with a relatively simple configuration.

  As a result, it is possible to obtain the scalar multiplication apparatus according to the first embodiment that performs scalar multiplication processing that is resistant to side channel attacks including timing leak detection and safe error attacks and has high security with a relatively simple configuration. .

  The scalar multiplication apparatus according to the first embodiment uses a scalar value d (input scalar value) input from the outside for an operation target for the scalar multiplication operation unit 1 to perform a scalar multiplication process. Used as a scalar value. Therefore, each of the plurality of digits constituting the arithmetic scalar value (scalar value d) has an information amount of 1 bit. Further, the doubling process executed as step SP01 or step SP11 in FIG. 1 is a process for obtaining a doubling value once by using the doubling operation unit 6 once.

  As described above, the scalar multiplication apparatus according to the first embodiment can execute the scalar multiplication operation using the binary method using the scalar value d (input scalar value) as it is as the scalar value for calculation with improved security. There is an effect that can be done.

<Embodiment 2>
The second embodiment is a scalar multiplication apparatus that employs the Window method. The Window method is a kind of addition chain algorithm that performs a scalar multiplication process using a converted scalar value obtained by converting a scalar multiple value into an M-bit window format as an arithmetic scalar value. The Window method has the advantage that the elliptic curve calculation can be performed faster than the binary method.

(Outline of the window method)
The scalar multiplication processing in the algorithm of the Window method is classified into three processes: “Window conversion” (scalar value conversion processing), “pre-calculation” (table creation processing), and “main calculation” (scalar multiplication main processing). Is done.

  FIG. 5 is an explanatory view schematically showing a (Window) conversion algorithm AR61 of scalar value conversion processing in the Window method. In the conversion algorithm AR61 shown in FIG. 5, 1 :, 2 :,... 12: indicate execution step positions. Hereinafter, the steps ST1 to ST12 are referred to based on the execution step position.

  In step ST3 of FIG. 5, c [w-1: 0] means the least significant w bits in the variable c.

  By executing the conversion algorithm AR61 shown in FIG. 5, a conversion scalar value b having a plurality of digits each having an information amount of M bits (= w ≧ 2) can be obtained from the scalar value d.

For example, when the scalar value d is “101001111011” ₂ (= (2683) and M = w = 4, the scalar value conversion process is executed to convert the scalar value d into a 4-bit unit for window conversion. A scalar value b (data b ₂ = “1010”, data b ₁ = “0111”), data b ₀ = “1011”) can be obtained. That is, the conversion scalar value b is composed of three digits having data b ₂ to data b ₀ .

  FIG. 6 is an explanatory diagram schematically showing a pre-calculation algorithm AR62 which is a conventional table creation process in the Window method. In the pre-calculation algorithm AR62 shown in FIG. 6, 1 :, 2 :,... 5: indicate execution step positions. Hereinafter, steps ST1 to ST5 are referred to with the execution step position as a reference.

By executing the pre-calculation algorithm AR62 shown in FIG. 6, a plurality of types of integer multiple coordinate points obtained by multiplying the input coordinate point P by an integer are calculated and stored in the storage unit 8 as {table T _{1 to} T _β }. Is done.

  FIG. 7 is an explanatory view schematically showing a main calculation algorithm AR63 which is a conventional scalar multiplication main process in the Window method. In the calculation algorithm AR63 shown in FIG. 7, 1 :, 2 :,... 11: indicate execution step positions. Hereinafter, the steps ST1 to ST11 are referred to based on the execution step position.

  As described above, the conventional window method executes the scalar multiplication process including the conversion algorithm AR61, the pre-calculation algorithm AR62, and the main calculation algorithm AR63.

As shown in FIG. 7, in the conventional scalar multiplication main process, when the digit b _i of the converted scalar value b is non- “0”, steps ST7 and ST8 are executed, and the value b _i is “0”. In this case, steps ST7 and ST8 are not executed.

Therefore, the side channel attacks against traditional Window method, the processing when the value of the girder non as the (Window value) b _i is "0", "0" is branched, fully timing leak There was a problem that could not be concealed.

(Constitution)
The scalar multiplication apparatus of the second embodiment adopts the window method while solving the above problems.

  The apparatus configuration is the same as that of the first embodiment shown in FIG. 2, except that the conversion scalar value generation unit 3 performs the above-described scalar value conversion processing and obtains the conversion scalar value b from the scalar value d. For scalar multiplication The difference is that the calculation unit 1 performs a table creation process and a scalar multiplication main process, which will be described later, using the converted scalar value b as a calculation scalar value.

  In the second embodiment, the scalar multiplication calculation unit 1 and the conversion scalar value generation unit 3 set the conversion scalar value b as the calculation scalar value, and the calculation scalar value and the input coordinate point P as calculation targets. A scalar multiplication operation mechanism that performs a scalar multiplication operation process to obtain a scalar multiplication value dP is configured.

  The conversion scalar value generation unit 3 receives the scalar value d, and executes the scalar value conversion processing by the conversion algorithm AR11 (same as the conversion algorithm AR61 shown in FIG. 5) based on the scalar value d to obtain the conversion scalar value b. The obtained converted scalar value b is output to the scalar multiplication operation unit 1.

  The scalar multiplication calculation unit 1 creates a multiple table having a plurality of types of integer multiple coordinate points obtained by executing table creation processing to be described later and multiplying the input coordinate point P by an integer, and stores it in the storage unit 8.

  Then, the scalar multiplication calculation unit 1 receives the conversion scalar value b from the conversion scalar value generation unit 3 and executes a scalar multiplication main process, which will be described later, with the conversion scalar value b and the input coordinate point P as calculation targets. A multiplication value dP is obtained. The converted scalar value b and the input coordinate point P are stored in the storage unit 8 as necessary.

(algorithm)
FIG. 8 is an explanatory diagram schematically showing a pre-calculation algorithm AR12 that is a table creation process according to the second embodiment in the Window method. In the pre-calculation algorithm AR12 shown in FIG. 8, 1 :, 2 :,... 5: indicate execution step positions. Hereinafter, steps ST1 to ST5 are referred to with the execution step position as a reference.

By executing the pre-calculation algorithm AR12 shown in FIG. 8, a plurality of integer multiple coordinate points obtained by multiplying the input coordinate point P by an integer is calculated and stored in the storage unit 8 as a multiple table {T _{2 to} T _β }. Stored.

  FIG. 9 is an explanatory view schematically showing the present calculation algorithm AR13 which is the scalar multiplication main process of the second embodiment in the Window method. In this calculation algorithm AR13 shown in FIG. 9, 1 :, 2 :,... 13: indicate execution step positions. Hereinafter, steps ST1 to ST13 are referred to with reference to the execution step position.

  FIG. 10 is an explanatory diagram schematically showing an execution example of the calculation algorithm AR13 by the scalar multiplication apparatus of the second embodiment. Hereinafter, an outline of the calculation algorithm AR13 executed by the scalar multiplication operation unit 1 will be described with reference to FIGS. In the example shown in FIG. 10, the number of bits of each digit part having the window width M is 4 bits.

  (1) Input coordinate point P and scalar value d (input scalar value) are input to the scalar multiplication device, and the input coordinate point P is taken into the scalar multiplication operation unit 1 and stored in the storage unit 8 as necessary. To do. On the other hand, the conversion scalar value generation unit 3 executes a scalar value conversion process employing the conversion algorithm AR11, thereby converting the scalar value d into the conversion scalar value b, and converting the conversion scalar value b into the scalar multiplication operation unit 1. Output (corresponding to Input: in FIG. 9).

  (2) At the time of the above process (1), since calculation is performed by the algorithm of the Window method, the n digits of the converted scalar value b are each represented by 4-bit (M-bit) information.

As shown in FIG. 9, the conversion scalar value is represented by b = {b _n−1 ,..., B ₀ }. For example, as shown in FIG. 10 (a), b ₂ to b having values of conversion scalar value b (data b ₂ = 10, data b ₁ = 7, data b ₀ = 11), where n = 3. ₀ .

(3) a 2 ^{w A} a 2 ^w multiplied point of the girder operation result A (initial value "infinity point O ') (w Kaibai calculated value) in the girder of one higher calculated, in the storage unit 8 Store (corresponding to steps ST2 to ST4 in FIG. 9).

For example, MSB in the arithmetic processing P1 for the value _{b 2} of the column portions of the (topmost (n-1)), since the initial value of the girder operation result A is infinity point O, 2 multiplication function ECDBL (A) The result of the calculation is also an infinite point O, which is substantially the same as when steps ST2 to ST4 are not executed (not shown in FIG. 10).

Further, MSB-1 (= n- 2) In the processing P2 (1 to 4 line) for the values _{b 1} digit of the digit portion the operation result A of the arithmetic processing P1 digit portion of one upper is at 10P Therefore, a multiplication value 160P (= 10P × 2 × 2 × 2 × 2), which is a four-fold multiplication value obtained by repeating P doubling 4 (= M = w) times, is obtained.

(4) When b _i (any one of i = (n−1) to 0) is non- “0”, B = eP is determined (corresponding to steps ST5 and ST6 in FIG. 9), and then addition processing (A + B ) (First addition process) is executed (corresponding to step ST10 in FIG. 9).

Note that e means a multiple value of the input coordinate point P selected by the value of b _i , and e = (b _i +1). That is, when b _i is non- “0”, a value that matches T _bi−1 is selected from the multiple tables {tables T _{2 to} T _β } obtained by the table creation process according to the pre-calculation algorithm AR12. The Thus, the first addition process is performed using the multiple table when the non-zero calculation process is executed.

For example, in the calculation process P2 (5th line) performed for b ₁ (= “7”), e = b ₁ + 1 = 8, and an addition process of A (= 160P) + 8P is executed.

On the other hand, if _{b i} is "0", step B = after determined as P (corresponding to Step ST7 and ST8 in FIG. 9), to perform the addition processing (A + B) (first addition processing) (FIG. 9 Equivalent to ST10).

(5) An addition process (second addition process) using -P is executed to obtain a digit part calculation result A of the _i- digit part (b _i ) (corresponding to step ST11 in FIG. 9).

For example, the arithmetic processing P2 (6 line) performed on _{b 1, A (= 168P)} + - addition processing (P) is executed.

  (6) After decrementing the number of digits i by “1” (corresponding to steps ST1 and ST12), the above processes (3) to (5) are repeated.

Then, the scalar multiplication operation unit 1 finally obtains the LSB (least significant “0”) digit obtained by the second addition process (process (5)) of the operation process P3 for b ₀ when i = 0. The digit part arithmetic result A = 2683P of the part is output as a scalar multiplication value dP (corresponding to step ST13 in FIG. 9).

  As described above, the scalar multiplication apparatus according to the second embodiment employs the scalar value conversion process employing the conversion algorithm AR11, the table creation process employing the pre-calculation algorithm AR12, and the present calculation algorithm AR13 as the scalar multiplication process. Scalar multiplication main processing is executed.

Accordingly, as shown in FIG. 10 (b), of the arithmetic processing P1 to P3, except the first processing P1, "0" of the value of _{b i,} regardless of the non "0", M (= w ) Repeated doubling process (steps ST2 to ST4 in FIG. 9) → first addition process (steps ST5, ST6 and ST10, or ST7, ST8 and ST10 in FIG. 9) → second addition process (FIG. 9) Since the processing is executed twice in the order of step ST11), the processing time can be made constant without performing dummy calculations.

(Effects etc.)
As described above, in the scalar multiplication apparatus of the second embodiment, the scalar multiplication operation performed by the scalar multiplication operation unit 1 is executed corresponding to a plurality of digit parts constituting the converted scalar value b, and each of them is executed. A plurality of digit part calculation processes (corresponding to the calculation processes P1 to P3 in FIG. 10B) for obtaining a digit part calculation result are included. Then, by executing a plurality of digit part calculation processes, the digit part calculation result A is propagated through the storage unit 8 from the upper part to the lower part between adjacent digit parts, and from the highest (n−1) to the lowest (0 ) To obtain the digit part calculation result A sequentially for each digit part, and the digit part calculation result A obtained by the digit part calculation process corresponding to the lowest digit part (corresponding to the calculation process P3 in FIG. 10B). Obtained as a scalar multiplication value dP.

The plurality of digit part arithmetic processes described above are respectively executed using the addition arithmetic part 5 and the doubling arithmetic part 6, and when the digit b _i is “0”, the zero arithmetic process (step ST8 in FIG. 9 is performed). Execute the processing to be unique execution) to obtain the digit part operation result A. If it is non- “0”, the non-zero arithmetic processing having different operation content from the zero arithmetic processing (step ST6 in FIG. 9 is inherently executed) The digit part calculation result A is acquired.

  Then, the scalar multiplication apparatus according to the second embodiment is similar to the first embodiment in that the zero calculation process and the non-zero calculation process are both performed twice (repeated M (= w) times). The first addition processing and the second addition processing are performed in this order, and the calculation result of the second addition processing is used as the digit portion calculation result.

  Since the scalar multiplication apparatus of the second embodiment has the above-described feature, it can reliably avoid the timing leak based on the difference in the arithmetic processing between the zero arithmetic processing and the non-zero arithmetic processing as in the first embodiment. Can do.

  Further, in the second embodiment, the doubling process and the first and second addition processes that are repeated M (= w) times executed between the zero calculation process and the non-zero calculation process are all performed by the digit part calculation result A. Is not a dummy calculation process in which the calculation result is not used. Therefore, the safe error attack for the dummy calculation process is not executed.

  In addition, since the arithmetic processing for side channel attack other than the scalar multiplication processing is not particularly required, the scalar multiplication apparatus of the second embodiment can be realized with a relatively simple configuration.

  As a result, it is possible to obtain the scalar multiplication apparatus according to the second embodiment that executes scalar multiplication processing that is resistant to side channel attacks and has high security.

  Note that the scalar multiplication apparatus according to the second embodiment uses the scalar value d (input scalar value) input from the outside as the scalar value conversion process and converts the converted scalar value b into the calculation target of the scalar multiplication process. It is used as a scalar value. Therefore, each of the plurality of digits constituting the arithmetic scalar value (conversion scalar value b) has an information amount of M (= w) bits. Further, the doubling process executed as steps ST2 to ST4 of FIG. 9 is a process of obtaining the M times multiplied value by using the doubling operation unit 6 M times.

The first addition process is performed using the multiple table {T _{2 to} T _β } created by the table creation process when the non-zero calculation process is executed.

  As described above, the scalar multiplication apparatus according to the second embodiment has an effect that the scalar multiplication operation employing the window method using the converted scalar value b as the operation scalar value can be executed with improved security.

  Furthermore, the scalar multiplication apparatus of the second embodiment also has an effect that the processing speed can be increased by reducing the number of addition processes compared to the first embodiment employing the binary method.

<Embodiment 3>
The third embodiment is a scalar multiplication apparatus that employs the NAF method. The NAF method is a kind of algorithm for performing scalar multiplication processing using a conversion scalar value obtained by converting a scalar value d into NAF (signed non-adjacent format) as a calculation scalar value. The NAF method has an advantage that the calculation of the addition chain is likely to be performed faster than the binary method.

(Outline of the NAF method)
The scalar multiplication process in the NAF algorithm is classified into two processes: “NAF conversion” (scalar value conversion process) and “main calculation” (scalar multiplication main process).

  FIG. 11 is an explanatory view schematically showing a (NAF) conversion algorithm AR71 of scalar value conversion processing in the NAF method. In the conversion algorithm AR71 shown in FIG. 11, 1 :, 2 :,... 16: indicate execution step positions. Hereinafter, steps ST1 to ST16 are referred to with reference to the execution step position.

  In step ST3 of FIG. 11, c [0] indicates the least significant bit of the variable c, and in step ST4, c [1: 0] indicates the least significant 2 bits of the variable c.

By executing the conversion algorithm AR71 shown in FIG. 11, a conversion scalar value a having a plurality of digits each having an information amount of 1 bit can be obtained from the scalar value d. However, the values a _i of the plurality of digits constituting the conversion scalar value a include positive and negative information. The positive / negative determination process of the value a _i is performed in the processes of steps ST4 to ST7 in FIG.

For example, when the scalar value d is “101001111011” ₂ (= (2683)), the scalar value conversion process adopting the conversion algorithm AR71 is executed to NAF-convert the scalar value d in 1-bit units, thereby converting the conversion scalar. The value a = “101010000 (−1) 0 (−1)” can be obtained. That is, the conversion scalar value a is composed of 12 digits having data a ₁₁ to data a ₀ .

  FIG. 12 is an explanatory diagram schematically showing the present calculation algorithm AR73, which is a conventional scalar multiplication main process in the NAF method. In this calculation algorithm AR73 shown in FIG. 12, 1 :, 2 :,... 10: indicate execution step positions. Hereinafter, steps ST1 to ST10 are referred to with reference to the execution step position.

  As described above, the conventional NAF method executes the scalar multiplication process including the conversion algorithm AR71 and the present calculation algorithm AR73.

As shown in FIG. 12, in the conventional scalar multiplication main processing, when the digit _ai of the converted scalar value a is non- “0”, step ST5 or step ST7 is executed. That is, when a _i = “1”, step ST5 is executed, and when a _i = “− 1”, step ST7 is executed. As described above, the NAF method has two different non-zero arithmetic processes (first and second non-zero arithmetic processes) as non-zero arithmetic processes.

On the other hand, when the value a _i is “0”, both steps ST5 and ST7 are not executed.

Therefore, for the side channel attack against the conventional NAF method, the process branches when the digit _ai is “0” and non- “0”, so that the timing leak can be completely hidden. There was a problem that could not be done.

(Constitution)
The scalar multiplication apparatus of the third embodiment adopts the NAF method while solving the above problems.

  The apparatus configuration is the same as that of the first embodiment shown in FIG. 2, except that the conversion scalar value generation unit 3 performs the above-described scalar value conversion processing to obtain the conversion scalar value a from the scalar value d, and for scalar multiplication. The difference is that the calculation unit 1 performs a scalar multiplication main process, which will be described later, using the converted scalar value a as a calculation scalar value.

  In the third embodiment, the scalar multiplication operation unit 1 and the conversion scalar value generation unit 3 use the conversion scalar value a as the operation scalar value and the operation scalar value and the input coordinate point P as the operation objects. A scalar multiplication operation mechanism that performs a scalar multiplication operation process to obtain a scalar multiplication value dP is configured.

  The conversion scalar value generation unit 3 receives the scalar value d, and executes the scalar value conversion processing by the conversion algorithm AR21 (same as the conversion algorithm AR71 shown in FIG. 11) based on the scalar value d to obtain the conversion scalar value a. The converted scalar value a is output to the scalar multiplication operation unit 1.

  Then, the scalar multiplication calculation unit 1 executes a scalar multiplication main process, which will be described later, based on the conversion scalar value a acquired from the conversion scalar value generation unit 3 with the conversion scalar value a and the input coordinate point P as calculation targets. To obtain a scalar multiplication value dP. The converted scalar value a and the input coordinate point P are stored in the storage unit 8 as necessary.

(algorithm)
FIG. 13 is an explanatory view schematically showing the present calculation algorithm AR23 which is the scalar multiplication main process of the third embodiment in the NAF method. In this calculation algorithm AR23 shown in FIG. 13, 1 :, 2 :,... 14: indicate execution step positions. Hereinafter, the steps ST1 to ST14 are referred to based on the execution step position.

  FIG. 14 is an explanatory view schematically showing an execution example of the calculation algorithm AR23 by the scalar multiplication apparatus of the third embodiment. Hereinafter, an outline of the calculation algorithm AR23 executed by the scalar multiplication calculation unit 1 will be described with reference to FIGS.

  (1) Input coordinate point P and scalar value d (input scalar value) are input to the scalar multiplication device, and the input coordinate point P is taken into the scalar multiplication operation unit 1 and stored in the storage unit 8 as necessary. To do. On the other hand, the conversion scalar value generation unit 3 converts the scalar value d into the conversion scalar value a by executing a scalar value conversion process employing the conversion algorithm AR21, and converts the conversion scalar value a into the scalar multiplication operation unit 1. Output (corresponding to Input: in FIG. 13).

  (2) In the case of the above process (1), since calculation is performed using the NAF algorithm, it is assumed that n digits of the converted scalar value a each have 1-bit information including positive and negative.

As shown in FIG. 13, the conversion scalar value is represented by a = {a _n−1 ,..., A ₀ }. For example, as shown in FIG. 14 (a), the conversion scalar value a = “101010000 (−1) 0 (−1)”, where n = 12, has a value of a _{11 to} a ₀ for scalar multiplication. It is output to the calculation unit 1.

  (3) 2A which is a doubling point of the digit part calculation result A (initial value “0”) in the digit part one higher is calculated and stored in the storage unit 8 (corresponding to step ST3 in FIG. 13).

For example, the arithmetic processing P1 for the value _{a 11} digit portion of the MSB (most significant (n-1)), since the initial value of the girder operation result A is the point at infinity O ", 2 multiplication function ECDBL (A ) Also becomes an infinite point O, which is substantially the same as when step ST3 is not executed (not shown in FIG. 14).

Further, MSB-1 in (= n-2) operation to the value _{a 10} digit portion of P2 (1 line), since the girder operation result A of the arithmetic processing P1 digit portion of one upper was P , P is doubled to obtain a doubled value 2P (= P × 2).

(4) When a _i (any one of i = (n−1) to 0) is non- “0” and positive, it is set to {B = 2P, C = −P} (step ST5 in FIG. 13). If non- "0" and negative, {B = -2P, C = P} is set (step ST7 in FIG. 13), and then the addition process (A + B) (first addition process) is executed (in FIG. 13). Equivalent to step ST11). Further, thereafter, an addition process (A + C) (second addition process) is executed (corresponding to step ST12 in FIG. 13).

For example, in the calculation process P3 (second row) performed on a ₉ (= “1”), an addition process of A (= 4P) + B (= 2P) is executed as the first addition process, and the calculation process In P3 (third line), an addition process of A (= 6P) + B (= −P) is executed as the second addition process.

In addition, in the calculation process P10 (second line) performed for a ₂ (= “− 1”), an addition process of A (= 672P) + B (= −2P) is executed as the first addition process, In the calculation process P10 (third line), an addition process of A (= 670P) + B (= P) is executed as the second addition process.

On the other hand, when a _i is “0”, {B = P, C = −P} is set (step ST9 in FIG. 13), and then addition processing (A + B) (first addition processing) is executed (FIG. 13). 13 (corresponding to step ST11 in FIG. 13). Thereafter, addition processing (A + C) (second addition processing) is executed (corresponding to step ST12 in FIG. 13).

For example, in the calculation process P2 (second row) performed on a ₁₀ (= “0”), an addition process of A (= 2P) + B (= P) is executed as the first addition process, and the calculation process In P2 (third line), an addition process of A (= 3P) + B (= −P) is executed as the second addition process.

After executing the above-described second addition processing (corresponding to step ST11 in FIG. 13), the digit portion calculation result A of the i-digit digit portion (a _i ) can be obtained. The digit calculation result A is stored in the storage unit 8 as appropriate.

  (5) After decrementing the number of digits i by “1” (corresponding to steps ST2 and ST13), the above processes (3) to (4) are repeated.

Then, the scalar multiplication operation unit 1 finally obtains the LSB (lowest order “0”) digit obtained by the second addition process (process (4)) of the operation process P12 for a ₀ when i = 0. Digit part calculation result A = 2683P is output as a scalar multiplication value dP (corresponding to step ST14 in FIG. 13).

  As described above, the scalar multiplication apparatus according to the third embodiment executes the scalar value conversion process using the conversion algorithm AR21 and the scalar multiplication main process using the calculation algorithm AR23 as the scalar multiplication process. .

Therefore, of the arithmetic processes P1 to P12, except for the first arithmetic process P1, the doubling process (step of FIG. 13) is performed regardless of the value of a _i being “0” or non- “0” (positive or negative). ST3) → first addition process (steps ST5 and ST11, ST7 and ST11 or ST9 and ST11 in FIG. 13) → second addition process (steps ST5 and ST12, ST7 and ST12 or ST9 and ST12 in FIG. 13) Since the process is executed 11 times, the processing time can be made constant without performing a dummy calculation.

(Effects etc.)
As described above, in the scalar multiplication apparatus of the third embodiment, the scalar multiplication operation performed by the scalar multiplication operation unit 1 is executed corresponding to the plurality of digit parts constituting the converted scalar value a, and each of them is executed. A plurality of digit part calculation processes (corresponding to the calculation processes P1 to P12 in FIG. 14B) for obtaining a digit part calculation result are included. Then, by executing a plurality of digit part calculation processes, the digit part calculation result A is propagated through the storage unit 8 from the upper part to the lower part between adjacent digit parts, and from the highest (n−1) to the lowest (0 ), The digit part calculation result A is sequentially obtained for each digit part, and the digit part calculation result A obtained by the digit part calculation process corresponding to the least significant digit part (corresponding to the calculation process P12 in FIG. 14B) is obtained. Obtained as a scalar multiplication value dP.

The plurality of digit part arithmetic processes described above are respectively executed using the addition arithmetic part 5 and the doubling arithmetic part 6, and the scalar multiplication arithmetic part 1 is zero when the digit a _i is “0”. Arithmetic processing (processing in which step ST9 in FIG. 13 is inherently executed) is executed to obtain the digit part arithmetic result A. If non- “0”, non-zero arithmetic processing (which is different from the zero arithmetic processing described above) The digit calculation result A is acquired by executing step ST5 or ST7 in FIG.

  Then, the scalar multiplication apparatus according to the third embodiment is similar to the first embodiment in that the zero calculation process and the non-zero calculation process are both doubled, first addition, and second addition. The calculation result of the second addition process is used as the digit part calculation result.

Furthermore, the scalar multiplication apparatus according to the third embodiment performs the first non-zero operation process (steps ST3, ST5, ST11 and FIG. 13) executed when the digit value a _i is positive as the non-zero operation process. And a second non-zero calculation process (corresponding to steps ST3, ST7, ST11 and ST12 in FIG. 13) executed when the digit value a _i is negative.

  The scalar multiplication apparatus according to the third embodiment performs the above-described first non-zero calculation process and second non-zero calculation process together with a doubling process, a first addition process, and a second addition process. The calculation result of the second addition processing is used as the digit part calculation result. For this reason, there is no timing leak based on the difference in the arithmetic processing between the first non-zero arithmetic processing and the second non-zero arithmetic processing, and no dummy arithmetic processing is included.

  Since the scalar multiplication apparatus according to the third embodiment has the above-described feature, the timing leak based on the difference in the arithmetic processing between the zero arithmetic processing and the non-zero arithmetic processing, as in the first and second embodiments. It can be avoided reliably.

  Further, in the third embodiment, the doubling process, the first and second addition processes executed between the zero calculation process and the non-zero calculation process (including the first and second non-zero calculation processes) are all performed. This is a calculation process necessary for obtaining the digit part calculation result A, and is not a dummy calculation process in which the calculation result is not used. Therefore, the safe error attack for the dummy calculation process is not executed.

  In addition, since the arithmetic processing for side channel attack other than the scalar multiplication processing is not particularly required, the scalar multiplication apparatus of the third embodiment can be realized with a relatively simple configuration.

  As a result, it is possible to obtain the scalar multiplication apparatus according to the third embodiment that executes scalar multiplication processing that is resistant to side channel attacks and has high security.

  The scalar multiplication apparatus according to the third embodiment uses the converted scalar value a obtained by converting the scalar value d (input scalar value) input from the outside by the scalar value conversion process as the scalar value for the operation of the scalar multiplication process. Used. Therefore, each of the plurality of digits constituting the arithmetic scalar value (conversion scalar value a) has a 1-bit information amount including positive and negative information. Further, the doubling process executed as step SP01 or step SP11 in FIG. 1 is a process for obtaining a doubling value once by using the doubling operation unit 6 once.

  As described above, the scalar multiplication apparatus according to the third embodiment has an effect that the scalar multiplication operation employing the NAF method using the converted scalar value a as the operation scalar value can be executed with improved security.

<Embodiment 4>
The fourth embodiment is a scalar multiplication apparatus that employs the w (Window) NAF method. The wNAF method is an algorithm that performs calculation by converting a scalar value d into wNAF (signed window format). The wNAF method has an advantage that the calculation of the addition chain can be performed faster than the binary method.

(Outline of wNAF method)
The scalar multiplication processing in the wNAF algorithm is classified into three processes: “wNAF conversion” (scalar value conversion processing), “pre-calculation” (table creation processing), and “main calculation” (scalar multiplication main processing). Is done.

  FIG. 15 is an explanatory view schematically showing a (wNAF) conversion algorithm AR81 of a conventional scalar value conversion process in the wNAF method. In the conversion algorithm AR81 shown in FIG. 15, 1 :, 2 :,... 16: indicate execution step positions. Hereinafter, steps ST1 to ST16 are referred to with reference to the execution step position.

  In step ST3 of FIG. 15, c [0] indicates the least significant bit of the variable c, and in step ST4, c [w: 0] indicates the least significant (w + 1) bit in the variable c.

By executing the conversion algorithm AR81 shown in FIG. 15, a conversion scalar value b having a plurality of digits of information amount of K bits each of M (= w + 1) bits or less can be obtained from the scalar value d. However, the values b _i of the plurality of digits constituting the conversion scalar value b include positive and negative information. Negative determination process value _{b i} is performed by the processing of step ST4~ST7 in FIG.

For example, when the scalar value d is “101001111011” ₂ (= (2683)), the scalar value conversion process adopting the conversion algorithm AR81 is executed, so that the scalar value d is converted into wNAF in 1-bit units, and the conversion scalar is obtained. The value b (= 1000000000 (−5)) can be obtained. That is, the conversion scalar value b is composed of 12 digits having data b ₁₁ to data b ₀ .

  FIG. 16 is an explanatory diagram schematically showing a pre-calculation algorithm AR82 which is a conventional table creation process in the wNAF method. In the pre-calculation algorithm AR82 shown in FIG. 16, 1 :, 2 :,... 5: indicate execution step positions. Hereinafter, steps ST1 to ST5 are referred to with the execution step position as a reference.

By executing the pre-calculation algorithm AR82 shown in FIG. 16, a plurality of odd multiple coordinate points obtained by odd multiples of the input coordinate points P are calculated and stored in the storage unit 8 as {table T _{1 to} T _β }. Is done.

  FIG. 17 is an explanatory diagram schematically showing the present calculation algorithm AR83, which is a conventional scalar multiplication main process in the wNAF method. In the calculation algorithm AR83 shown in FIG. 17, 1 :, 2 :,... 10: indicate execution step positions. Hereinafter, steps ST1 to ST10 are referred to with reference to the execution step position.

  In this way, the conventional wNAF method executes the scalar multiplication process including the conversion algorithm AR81, the pre-calculation algorithm AR82, and the main calculation algorithm AR83.

As shown in FIG. 17, in the conventional scalar multiplication main processing employing the wNAF method, when the digit value b _i of the converted scalar value b is non- “0”, step ST5 or step ST7 is executed. That is, when b _i is positive, step ST5 is executed, and when b _i is negative, step ST7 is executed. As described above, the wNAF method has two different non-zero arithmetic processes (first and second non-zero arithmetic processes) as non-zero arithmetic processes.

On the other hand, when the value b _i is “0”, all of steps ST5 and ST7 are not executed.

Therefore, for the side channel attack against the conventional wNAF method, since the processing is branched when the digit b _i is “0” and non- “0”, the timing leak is completely hidden. There was a problem that could not be.

(Constitution)
The scalar multiplication apparatus of the fourth embodiment adopts the wNAF method while solving the above problems.

  The apparatus configuration is the same as that of the first embodiment shown in FIG. 2, except that the conversion scalar value generation unit 3 performs a scalar value conversion process to be described later to obtain a conversion scalar value b from the scalar value d. For scalar multiplication The difference is that the calculation unit 1 performs the scalar multiplication main processing described later using the converted scalar value b as the calculation scalar value.

  In the fourth embodiment, the scalar multiplication calculation unit 1 and the conversion scalar value generation unit 3 set the conversion scalar value b as the calculation scalar value, and the calculation scalar value and the input coordinate point P as calculation targets. A scalar multiplication operation mechanism that performs a scalar multiplication operation process to obtain a scalar multiplication value dP is configured.

(algorithm)
FIG. 18 is an explanatory diagram schematically showing the (wNAF) conversion algorithm AR31 of the scalar value conversion process according to the fourth embodiment in the wNAF method. In the conversion algorithm AR31 shown in FIG. 18, 1 :, 2 :,... 21: indicate execution step positions. Hereinafter, the steps ST1 to ST21 are referred to based on the execution step position.

  In step ST3 of FIG. 18, c [0] indicates the least significant bit of the variable c, and in step ST4, c [w: 0] indicates the least significant (w + 1) bit in the variable c.

By executing the conversion algorithm AR31 shown in FIG. 18, a conversion scalar value b having a plurality of digits each having an information amount of K bits (any of K = 1 to M (= w + 1)) from the scalar value d. Can be obtained. However, the values b _i of the plurality of digits constituting the conversion scalar value b include positive and negative information. Negative determination process value _{b i} is performed by the processing of step ST5~ST8 in FIG.

For example, when the scalar value d is “101001111011” ₂ (= (2683)), the scalar value conversion process adopting the conversion algorithm AR31 is executed, so that the scalar value d is wNAF converted and the converted scalar value b (data b ₃ = "1" (K = 1 bit information amount), data b ₂ = "5" (K = 4 bit information amount), data b ₁ = "0" (K = 3 bit information amount), data b ₀ = “− 5” (K = 4 bits information amount)). That is, the conversion scalar value b is composed of four digits having data b ₃ to data b ₀ .

Also, len _i (Window width), which is the number of bits K when b _i is non- “0”, is the maximum M = w + 1 (bits) (processing of steps ST9 to ST11 in FIG. 18), and b _i is “0”. The len _{i, which} is the number of bits K in the case of “,” is any one of 1 to M bits (processing of steps ST14 to ST16 in FIG. 18).

For example, when the scalar value d is “101001111011” ₂ , corresponding to {1, 5, ₀ , −5} of b _{3 to} b ₀ len ₃ to len ₀ = {4, 4, ₃ , 4} Become.

The conversion scalar value generation unit 3 receives the scalar value d, executes a scalar value conversion process by the conversion algorithm AR31 based on the scalar value d, acquires the conversion scalar value b, and then uses the conversion scalar value b for scalar multiplication. Output to the calculation unit 1. At this time, len _i indicating the bit number K of b _i is also output to the arithmetic unit 1 for scalar multiplication.

The scalar multiplication Arabic arithmetic unit 1 receives len _i indicating a b _i and the number of bits K of conversion scalar value b from the conversion scalar value generation unit 3, described later converted scalar value b and the input coordinate point P as a calculation target The scalar multiplication main process is executed to obtain a scalar multiplication value dP. The conversion scalar value b, the input coordinate point, and len _i indicating the bit number K are stored in the storage unit 8 as necessary.

  FIG. 19 is an explanatory diagram schematically showing a pre-calculation algorithm AR32 that is a table creation process according to the fourth embodiment in the wNAF method. In the pre-calculation algorithm AR32 shown in FIG. 19, 1 :, 2 :,... 5: indicate execution step positions. Hereinafter, steps ST1 to ST5 are referred to with the execution step position as a reference.

By executing the pre-calculation algorithm AR32 shown in FIG. 19, a plurality of even multiple coordinate points obtained by multiplying the input coordinate point P by an even number are calculated, and the storage unit 8 is stored as {table T ₂ , T _{4 to} T _β }. Stored in At this time, the value of T _i (i = 2 to β satisfying an even number) is i × P.

  FIG. 20 is an explanatory view schematically showing the present calculation algorithm AR33 which is the scalar multiplication main process of the fourth embodiment in the wNAF method. In the calculation algorithm AR33 shown in FIG. 20, 1 :, 2 :,... 18: indicate execution step positions. Hereinafter, steps ST1 to ST18 are referred to with the execution step position as a reference.

  FIG. 21 is an explanatory diagram (part 1) schematically illustrating an execution example of the present calculation algorithm AR33 by the scalar multiplication apparatus of the fourth embodiment. FIG. 22 is an explanatory diagram (part 2) schematically illustrating an execution example of the present calculation algorithm AR33 by the scalar multiplication apparatus of the fourth embodiment. Hereinafter, an outline of the present calculation algorithm AR33 executed by the scalar multiplication operation unit 1 will be described with reference to FIGS.

(1) An input coordinate point P and a scalar value d (input scalar value) are input to the scalar multiplication device, and the input coordinate point P is taken into the scalar multiplication operation unit 1 and stored in the storage unit 8 as necessary. Stored. Furthermore, the conversion scalar value b obtained by converting the scalar value d by the scalar value conversion process employing the conversion algorithm AR31 is obtained by the conversion scalar value generation unit 3 (corresponding to Input:... In FIG. 20). At this time, together with the conversion scalar value b, len _n−1 to len ₀ indicating the number of bits K of b _{n−1 to} b ₀ are output to the arithmetic unit 1 for scalar multiplication.

  (2) At the time of the above process (1), since the calculation is performed by the algorithm of the wNAF method, the n digits of the conversion scalar value b have M bits (= w + 1) bits or less including positive and negative information. Notation.

As shown in FIG. 20, the conversion scalar value is represented by b = {b _n−1 ,..., B ₀ }. For example, as shown in FIG. 21A, when n = 4, the conversion scalar value b = (b ₃ = "1", b ₂ = "5", b ₁ = "0", data b ₀ = " B _{3 to} b ₀ having a value of −5 ″) are output to the scalar multiplication operation unit 1 together with len ₃ to len ₀ and stored in the storage unit 8 as necessary.

(3) Double calculation point of digit part calculation result A (initial value “0”) in the upper digit part to 2 ^{w + 1} double calculation point 2A to 2 ^{w + 1} A (single multiplication value to M (= w + 1) multiplication value) is calculated and stored in the storage unit 8 (corresponding to steps ST2 to ST5 in FIG. 20).

For example, MSB in the arithmetic processing P1 for the value _{b 3} digits of the (topmost (n-1)), since the initial value of the girder operation result A is infinity point O, 2 multiplication function ECDBL (A) The result of the calculation is also an infinite point O, which is substantially the same as when steps ST2 to ST5 are not executed (not shown in FIG. 21). That is, only the addition / subtraction process AS3 of FIG. 22 is executed.

Further, MSB-1 (= n- 2) In the processing P2 (1 to 4 line) to the value _{b 2} of the girder, the girder of the calculation of the girder of one upper P1 (addition and subtraction AS3) Since the partial operation result A is P, the doubling of P is repeated 1 to 4 (M = w + 1) times, and the multiplication values 2P, 4P, 8P and 16P (= P × 2 × 2 × 2 × 2) Is obtained. At this time, as shown in FIG. 22, since len ₂ = 4 indicating the number of bits K, the multiplication value LS2 (corresponding to steps ST6 and ST7 in FIG. 20) is multiplied by 4 times (= K times multiplied value). 16P is selected.

_{(4) b i (i =} (n-1) either to 0) when the positive (non "0") is set to _{{B = T bi + 1,} C = -P} ( step ST9 of FIG. 20 In the negative case (non- “0”), {B = −T _1−bi , C = P} is set (step ST11 in FIG. 20). Thereafter, addition processing (A + B) (first addition processing) is executed (corresponding to step ST15 in FIG. 20), and thereafter, addition processing (A + C) (second addition processing) is executed (FIG. 20). Equivalent to step ST16).

For example, in the calculation process P2 (5th line) performed for b ₂ (= “5”), an addition process of A (= 16P) + B (= 6P = T ₆ ) is executed as the first addition process. In the calculation process P2 (line 6), the addition process of A (= 22P) + B (= −P) is executed as the second addition process. That is, a process of adding + 5P to A (= 16P) is executed as in the addition / subtraction process AS2 of FIG.

In addition, in the calculation process P4 (5th row) performed for b ₀ (= “− 5”), the first addition process is an addition process of A (= 2688P) + B (= −6P = −T ₆ ). In the calculation process P4 (line 6), an addition process of A (= 2682P) + B (= P) is executed as the second addition process. That is, as in the addition / subtraction process AS0 in FIG. 22, the process of adding −5P to A (= 2688P) (subtracting 5P) is executed.

On the other hand, if b _i is “0”, {B = P, C = −P} is set (step ST13 in FIG. 20), and then addition processing (A + B) (first addition processing) is executed (FIG. 20). 20 is equivalent to step ST15), and thereafter, addition processing (A + C) (second addition processing) is executed (corresponding to step ST16 in FIG. 20).

For example, in the calculation process P3 (5th row) performed on b ₁ (= “0”), an addition process of A (= 168P) + B (= P) is executed as the first addition process, and the calculation process In P3 (6th line), an addition process of A (= 169P) + B (= −P) is executed as the second addition process. That is, a process of adding + 0P (subtracting −0P) to A (= 168P) is executed as in the addition / subtraction process AS1 of FIG.

After executing the above-described second addition process (corresponding to step ST16 in FIG. 20), the digit part calculation result A of the i-digit digit part (b _i ) can be obtained.

  (5) After decrementing the number of digits i by “1” (corresponding to steps ST1 and ST17), the above processes (3) to (4) are repeated.

Then, the scalar multiplication operation unit 1 finally obtains the LSB (least significant “0”) digit obtained by the second addition process (process (4)) of the operation process P4 for b ₀ when i = 0. Digit part calculation result A = 2683P is output as a scalar multiplication value dP (corresponding to step ST18 in FIG. 20).

  As described above, the scalar multiplication apparatus according to the fourth embodiment employs the scalar value conversion process employing the conversion algorithm AR31, the table creation process employing the pre-calculation algorithm AR32, and the present calculation algorithm AR33 as the scalar multiplication process. Scalar multiplication main processing is executed.

Thus, scalar multiplication Arabic arithmetic unit 1, of the arithmetic processing P1 to P4, except for the first arithmetic processing P1, "0" of the value of _{b i,} a non "0" (positive, negative) regardless, A doubling process performed repeatedly M (= w + 1) times (steps ST2 to ST5 in FIG. 20) → first addition process (steps ST9 and ST15, ST11 and ST15 or ST13 and ST15 in FIG. 20) → second addition Since the processes (steps ST9 and ST16, ST11 and ST16 or ST13 and ST16 in FIG. 20) are executed three times in order, the processing time can be made constant without performing a dummy calculation.

Note that in the calculation process P3, since len ₁ = 3 indicating the number of bits K, the triple multiplication value (S ₂ ) obtained by repeating the doubling 3 (= w = M−1) times is selected. (Steps ST6 and ST7). That is, as shown in FIG. 22, among the 1-fold multiplication value (42P) to 4-fold multiplication value (336P) obtained by repeating the doubling 1 to 4 times, the multiplication is performed 3 times by the multiple selection process LS1. The doubling process result 168P which is a value (= K times multiplied value) is selected.

On the other hand, since both len ₂ = len ₀ = 4 indicating the number of bits K in the arithmetic processing P2 and the arithmetic processing P4, a four-fold multiplication value (S ₃ ) obtained by repeating the doubling four times (= w + 1 = M). ) Is selected (steps ST6 and ST7). That is, as shown in FIG. 22, the multiple selection processing LS2 among the 1-fold multiplication values (2P, 336P) to 4-fold multiplication values (16P, 2688P) obtained by repeating the doubling 1 to 4 times and The doubling process results 16P and 2688P, which are four times multiplied values (= K times multiplied values), are selected by LS0.

  However, the calculation process P3 also executes the doubling process (steps ST2 to ST5) repeated four times, like the calculation processes P2 and P4. That is, as shown in FIG. 22, a doubling process that is always repeated four times is executed prior to the multiple selection processes LS2 to LS0.

  Therefore, regardless of the number of bits K in the digit part, the doubling is always repeated four times, so that there is no timing leak between the doubling processes due to the difference in the number of bits K in the digit part.

(Effects etc.)
As described above, in the scalar multiplication apparatus according to the fourth embodiment, the scalar multiplication operation performed by the scalar multiplication operation unit 1 is executed corresponding to a plurality of digits constituting the converted scalar value b, and each of them is executed. A plurality of digit part calculation processes (corresponding to the calculation processes P1 to P4 in FIG. 21) for obtaining a digit part calculation result are included. Then, by executing a plurality of digit part calculation processes, the digit part calculation result A is propagated through the storage unit 8 from the upper part to the lower part between adjacent digit parts, and from the highest (n−1) to the lowest (0 ), The digit part calculation result A is sequentially obtained for each digit part, and the digit part calculation result A obtained by the digit part calculation process corresponding to the lowest digit part (corresponding to the calculation process P4 in FIG. 21) is scalar multiplied. Obtained as the value dP.

The plurality of digit part arithmetic processes described above are respectively executed using the addition arithmetic part 5 and the doubling arithmetic part 6, and the scalar multiplication arithmetic part 1 is zero when the digit b _i is “0”. Arithmetic processing (processing with step ST13 in FIG. 20 as a specific execution) is executed to obtain the digit part arithmetic result A. If it is non- “0”, non-zero arithmetic processing (which is different from the zero arithmetic processing described above) Step ST9 or ST11 in FIG. 20 is executed as a unique execution) to obtain the digit calculation result A.

  Then, the scalar multiplication apparatus of the fourth embodiment, like the first embodiment, performs both the zero calculation process and the non-zero calculation process (repeated M (= w + 1) times) The first addition processing and the second addition processing are performed in this order, and the calculation result of the second addition processing is used as the digit portion calculation result.

Furthermore, the scalar multiplication apparatus according to the fourth embodiment performs the first non-zero calculation process (steps ST2 to ST5 and ST9 in FIG. 20) executed when the digit value b _i is positive as the non-zero calculation process. ST15 and ST16) and a second non-zero calculation process (corresponding to steps ST2 to ST5, ST11, ST15 and ST16 in FIG. 20) executed when the digit value b _i is negative. Yes.

  The scalar multiplication apparatus according to the fourth embodiment includes both the first non-zero arithmetic process and the second non-zero arithmetic process (repeated M times), a double arithmetic process, a first addition process, and The second addition process is performed in this order, and the calculation result of the second addition process is used as the digit part calculation result. For this reason, there is no timing leak based on the difference in the arithmetic processing between the first non-zero arithmetic processing and the second non-zero arithmetic processing, and no dummy arithmetic processing is included.

  Since the scalar multiplication apparatus according to the fourth embodiment has the above-described feature, the timing leak based on the difference in the arithmetic processing between the zero arithmetic processing and the non-zero arithmetic processing, as in the first to third embodiments. It can be avoided reliably.

  Further, in the fourth embodiment, a doubling process (repeated M times) executed between the zero calculation process and the non-zero calculation process (including the first and second non-zero calculation processes), The second addition processing is all computation processing necessary to obtain the digit part computation result A, and is not dummy computation processing in which the computation result is not used. Therefore, the safe error attack for the dummy calculation process is not executed.

  In addition, since the arithmetic processing for side channel attack other than the scalar multiplication processing is not particularly required, the scalar multiplication apparatus of the fourth embodiment can be realized with a relatively simple configuration.

  As a result, it is possible to obtain the scalar multiplication apparatus according to the fourth embodiment that executes scalar multiplication processing that is resistant to side channel attacks and has high security.

  The scalar multiplication apparatus according to the fourth embodiment uses the converted scalar value b obtained by converting the scalar value d (input scalar value) input from the outside by the scalar value conversion process as the scalar value for the operation of the scalar multiplication process. Used. Therefore, each of the plurality of digits constituting the arithmetic scalar value (conversion scalar value b) has an information amount of K bits of M (= w + 1) bits or less including positive and negative information. In addition, the doubling process executed as steps ST2 to ST5 in FIG. 20 uses the doubling operation unit 6 M times to obtain the 1-fold multiplication value to the M-fold multiplication value, and then the K-fold multiplication value. This is a process for selectively obtaining.

  As described above, the scalar multiplication apparatus of the fourth embodiment has an effect that the scalar multiplication operation employing the wNAF method using the converted scalar value b as the operation scalar value can be executed with improved security.

  Furthermore, the scalar multiplication apparatus of the fourth embodiment also has an effect that the processing speed can be increased by reducing the number of addition processes compared to the first embodiment employing the binary method.

<Scalar multiplication method>
A scalar multiplication method for obtaining the scalar multiplication value dP from the input coordinate point P and the scalar value d, which is performed using the scalar multiplication apparatus shown in the first to fourth embodiments, will be described.

  In the scalar multiplication method, even if the scalar value d (input scalar value) is used as it is as the scalar value for calculation as in the first embodiment, the scalar value d is converted as in the second to fourth embodiments. The converted scalar value b (a) obtained in this way may be used as the arithmetic scalar value.

  In the scalar multiplication method, the calculation scalar value and the input coordinate point P are calculated, and the calculation scalar value has a plurality of digits, and each of the plurality of digits has an information amount of at least one bit. Have.

  The scalar multiplication method is executed corresponding to a plurality of digit parts, and includes a plurality of digit part calculation methods each of which obtains a digit part calculation result. The digit calculation result is obtained sequentially from the highest to the lowest digit while the digit calculation result is propagated from upper to lower, and the scalar calculation is performed on the digit calculation result obtained from the lowest digit. Obtained as the value dP.

  A plurality of digit part calculation methods are realized by executing the following steps (a) and (b), respectively.

  (a) When the value of the digit part is “0”, zero calculation processing is executed to obtain the digit part calculation result.

  (b) When the value of the digit part is other than “0”, a non-zero calculation process having a calculation content different from that of the zero calculation process is executed to obtain the digit part calculation result.

  Then, both step (a) and step (b) are performed in the order of doubling processing, first addition processing, and second addition processing, and the calculation result of the second addition processing is calculated as a digit calculation. It is characterized by the results.

  As described above, the scalar multiplication method according to the present invention has the above-described characteristics, so that the common arithmetic processing (double multiplication processing, first and second addition processing) is performed between steps (a) and (b). Since the digit calculation result is obtained for the first time after execution, the calculation processing time varies between steps (a) and (b) depending on whether the digit value of the scalar value for calculation is “0” or non- “0”. Absent. Therefore, it is possible to reliably avoid timing leaks based on the difference in the arithmetic processing between the zero arithmetic processing and the non-zero arithmetic processing.

  Further, the doubling process and the first and second addition processes executed between the zero calculation process and the non-zero calculation process are all necessary for obtaining the digit part calculation result, and the calculation result is not used. It is not a dummy calculation process. Therefore, the safe error attack for the dummy calculation process is not executed.

  As a result, it is possible to obtain a scalar multiplication method that executes a scalar multiplication operation process that is resistant to side channel attacks and has high security.

<Others>
In the first to fourth embodiments described above, a combination of the scalar multiplication operation unit 1 and the converted scalar value generation unit 3 is used as the scalar multiplication operation mechanism (the first embodiment is only the scalar multiplication operation unit 1). Although shown, the function of the conversion scalar value generation unit 3 may be included in the scalar multiplication operation unit 1. Further, a configuration in which the functions of the addition operation unit 5 and the doubling operation unit 6 are included in the scalar multiplication operation unit 1 is also conceivable.

  Moreover, although the structure which has a finite field adder, a finite field subtraction part, and a finite field multiplication part in the addition calculation part 5 and the doubling calculation part 6 was demonstrated, between the addition calculation part 5 and the doubling calculation part 6, respectively. You may make it share a finite field adder, a finite field subtraction part, and a finite field multiplication part.

  Further, the scalar multiplication calculation unit 1, the conversion scalar value generation unit 3, the addition calculation unit 5 and the doubling calculation unit 6 shown in FIG. 2 are executed by program processing using a CPU based on software, for example. . The storage unit 8 includes an HDD, a DVD, a memory, and the like.

  It should be noted that the present invention can be freely combined with each other within the scope of the invention, and each embodiment can be appropriately modified or omitted.

DESCRIPTION OF SYMBOLS 1 Operation part for scalar multiplication 3 Conversion scalar value generation part 5 Addition operation part 6 Double calculation operation part 8 Storage part

Claims (6)

A scalar multiplication device that receives an input coordinate point and an input scalar value and obtains a scalar multiplication value of the input coordinate point,
An addition operation unit for performing an addition operation of two input values;
A doubling operation unit for executing a doubling operation of one input value;
The input scalar value or a conversion scalar value obtained by converting the input scalar value is set as a calculation scalar value, and the scalar multiplication processing is performed on the calculation scalar value and the input coordinate point as the calculation target. With a scalar multiplication operation mechanism that obtains arithmetic values,
The arithmetic scalar value has a plurality of digits, each of the digits has an information amount of at least 1 bit,
The scalar multiplication process includes a plurality of digit calculation processes that are executed corresponding to the plurality of digit parts, each of which obtains a digit calculation result, and the adjacent digit parts are obtained by executing the plurality of digit part calculation processes. The digit calculation result is obtained sequentially from the most significant digit to the lowest digit while the digit calculation result is obtained from the least significant digit. Calculated value
Each of the plurality of digit part arithmetic processes is executed using the addition arithmetic part and the doubling arithmetic part, and when the digit part value is “0”, zero arithmetic process is executed and the digit part arithmetic result is obtained. If it is not “0”, a non-zero calculation process having a calculation content different from the zero calculation process is executed to obtain a digit calculation result,
Both the zero calculation process and the non-zero calculation process are performed in the order of a doubling process, a first addition process, and a second addition process, and the calculation result of the second addition process is defined as a digit part calculation result. It is characterized by
Scalar multiplication device. The scalar multiplication device according to claim 1,
The arithmetic scalar value is the input scalar value, and each of the plurality of digits has an information amount of 1 bit,
The doubling process includes a process of obtaining a doubling value once using the doubling operation unit once.
Scalar multiplication device. The scalar multiplication device according to claim 1,
The arithmetic scalar value is the converted scalar value, and each of the plurality of digits has an information amount of M (M ≧ 2) bits,
The scalar multiplication process is
A scalar value conversion process for converting the input scalar value into the converted scalar value;
A table creation process for creating a multiple table having a plurality of types of integer multiple coordinate points obtained by multiplying the input coordinate points by an integer based on the input coordinate points;
A scalar multiplication main process that executes the plurality of digit part calculation processes after the scalar value conversion process and the table creation process,
The doubling process includes a process of obtaining a M-fold multiplication value by repeatedly using the doubling operation unit M times,
The first addition process is performed using the multiple table when the non-zero calculation process is executed.
Scalar multiplication device. The scalar multiplication device according to claim 1,
The arithmetic scalar value is the converted scalar value, and each of the plurality of digits has a 1-bit information amount including positive and negative, and the scalar multiplication process includes:
A scalar value conversion process for converting the input scalar value into the converted scalar value;
A scalar multiplication main process that executes the plurality of digit part arithmetic processes after the scalar value conversion process is performed,
The doubling process includes a process of obtaining a doubling value once using the doubling operation unit once,
The non-zero calculation process includes a first non-zero calculation process executed when the value of the digit part is positive and a second non-zero calculation process executed when the value of the digit part is negative. And the first and second non-zero computation processes are both performed in the order of the doubling process, the first addition process, and the second addition process, and the calculation result of the second addition process is obtained. As the digit part calculation result,
Scalar multiplication device. The scalar multiplication device according to claim 1,
The arithmetic scalar value is the converted scalar value, and each of the plurality of digits has an information amount of K (K = 1 to M) bits of M (M ≧ 2) bits or less,
The scalar multiplication process is
A scalar value conversion process for converting the input scalar value into the converted scalar value;
Based on the input coordinate point, a table creation process for creating a multiple table having multiple types of even multiple coordinate points by multiplying the input coordinate points by an even number;
A scalar multiplication main process that executes the plurality of digit part calculation processes after the scalar value conversion process and the table creation process,
The doubling process includes a process of selecting a K-fold multiplication value after obtaining a 1-fold multiplication value to an M-fold multiplication value by repeatedly using the doubling operation unit M times,
The non-zero calculation process includes a first non-zero calculation process executed when the value of the digit part is positive and a second non-zero calculation process executed when the value of the digit part is negative. And the first and second non-zero computation processes are both performed in the order of the doubling process, the first addition process, and the second addition process, and the calculation result of the second addition process is obtained. As the digit part calculation result,
Scalar multiplication device. A scalar multiplication method for receiving an input coordinate point and an input scalar value and obtaining a scalar multiplication value of the input coordinate point,
The input scalar value or a conversion scalar value obtained by converting the input scalar value is set as a calculation scalar value, the calculation scalar value and the input coordinate point are set as calculation targets, and the calculation scalar value includes a plurality of digits. Each of the plurality of digits has an information amount of at least 1 bit,
The scalar multiplication method is:
Executed in correspondence with the plurality of digit parts, each including a plurality of digit part calculation methods for obtaining a digit part calculation result, and by executing the plurality of digit part calculation methods, from the upper part to the lower order between adjacent digit parts Propagating the digit operation result, sequentially obtaining the digit operation result in digit units from the most significant to the least significant, the digit operation result obtained from the least significant digit as the scalar multiplication value,
Each of the plurality of digit part calculation methods is
(a) When the value of the digit part is “0”, the step of executing the zero calculation process to obtain the digit part calculation result,
(b) when the value of the digit part is other than “0”, performing a non-zero calculation process having a calculation content different from the zero calculation process to obtain a digit calculation result;
Steps (a) and (b) are both performed in the order of doubling processing, first addition processing, and second addition processing, and the calculation result of the second addition processing is referred to as the digit portion calculation result. It is characterized by
Scalar multiplication method.

Images