JP2017126024A - Encryption device, encryption method and encryption program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an encryption device that improves calculation efficiency of encryption using isogenies of L≥3.SOLUTION: An encryption device 10 outputs an output value without backtracking in a graph having an identical category of a supersingular elliptic curve as an apex set and L-isogenies of L≥3 between the elliptic curves as a set of a side. In this instance, the encryption device 10 is configured to calculate an X-coordinate βof a backtracking point using an expression expressing the X-coordinate βof the backtracking point with respect to a vertex Eof a movement destination by the X-coordinate of a vertex Eof a movement source; resolve a cubic equation to calculate an x-coordinate αof the vertex Eof the movement destination; calculate curve information on the elliptic curve serving as the vertex Eof the movement destination; and calculate the output value using the calculated curve information.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an anti-quantum computer encryption.

  As one of anti-quantum computer ciphers, Jao et al. Proposed a cipher that uses the same kind of mapping on an elliptic curve (Non-Patent Documents 1 to 3). The homogeneous map has a parameter L, and Yoshida et al. Have proposed a speed-up method in the case of L = 2 (Non-Patent Document 4).

L. De Feo, D.D. Jao and J.H. Plut, “Towards quantum-resistant cryptosystems from the superficial elliptic curves”, J. Am. Math. Cryptology, 8 (1), pp. 1-29, 2014 D. Jao and R.J. Venkatesan, “Use of genesis for design of cryptosystems”, US Patent, 7499544, March 3, 2009. D. Jao, P.A. L. Montgomery, R.A. Venkatesan and V. Boyko, “Systems and methods for generation and validation of isogeny-based signatures”, US Patent, 76173397, November 10, 2009. R. Yoshida and K.K. Takashima, “Computing a sequence of 2-isogenes on supersonic elliptic curves”, IEICE Transactions on Fundamentals, 96-A (1): pp. 158-165, 2013 D. X. Charles, E.M. Z. Goren and K. E. Lauter, “Cryptographic hash functions from expander graphs”, J. Am. Cryptology, vol. 22, no. 1 pp. 93-113. J. et al. Velu, “Isogenies entre courses ellipiques”, C.I. R. Acad. Sc. Paris, Series A, vol. 273, pp. 238-241, 1971.

In the encryption of Jao et al., The calculation for L = 3 is also used, but this calculation was slow.
An object of the present invention is to improve the calculation efficiency of a homogeneous map in the case of L ≧ 3 and improve the calculation efficiency of a cipher using the homogeneous map of L ≧ 3.

The encryption device according to the present invention provides:
In a graph in which the isomorphism of a super singular elliptic curve is a vertex set, and the L-homogeneous mapping with L ≧ 3 between the elliptic curves is a set of edges, the output value is calculated by moving between the vertices without going back. An encryption device,
As inputs the x coordinate alpha ^x _i of the source vertex E _i, wherein by utilization of the x coordinate beta ^{x i} _{+ 1} of the backtracking point for the destination vertex E _{i + 1} in the x-coordinate of the source vertex E _i Formula after having calculated the x coordinate beta ^{x i} _{+ 1} of the backtracking point, the destination by solving a cubic equation vertex E _{i + 1} by calculating the x-coordinate alpha ^{x i} _{+ 1,} the elliptic curve said a destination vertex E _{i + 1} A curve calculation unit for calculating curve information;
An output value calculation unit that calculates the output value using the curve information calculated by the curve calculation unit.

In the present invention, the x-coordinate β ^x _{i + 1} of the rearward return point is calculated using an expression in which the x-coordinate β ^x _{i + 1} of the rearward return point is represented by the x coordinate of the vertex E _i as the movement source, and then the cubic equation is solved. As a result, the x-coordinate β ^x _{i + 1} of the backward return point can be calculated with a small amount of calculation, and the calculation efficiency of the homogeneous mapping can be improved.

1 is a configuration diagram of a cryptographic device 10 according to a first embodiment. Explanatory drawing of the graph G and walk which concern on Embodiment 1. FIG. 3 is a flowchart of 3-kind mapping sequence calculation processing according to the first embodiment. FIG. 3 is a diagram showing an IsogSeq algorithm according to the first embodiment. 3 is a flowchart of 3-kind mapping calculation processing according to the first embodiment. FIG. 3 is a diagram showing an Isog algorithm according to the first embodiment. The block diagram of the encryption apparatus 10 which concerns on a modification.

Embodiment 1 FIG.
*** Assumptions ***
The cipher in Embodiment 1 includes not only a narrowly-defined cipher that conceals information from a third party, but also includes a signature that is used to prevent information from being spoofed and information being tampered with. In addition, the encryption in the first embodiment includes calculating a hash value used in processes such as encryption and signature in a narrow sense.
In the first embodiment, a process for calculating a hash value will be described as a specific example of the encryption process. However, by applying the processing described in the first embodiment, it is possible to realize key sharing, narrowly defined encryption, and signature described in documents such as Non-Patent Documents 1 to 3.

*** Explanation of configuration ***
With reference to FIG. 1, the structure of the encryption apparatus 10 which concerns on Embodiment 1 is demonstrated.
The encryption device 10 is a computer that executes encryption processing.
The encryption device 10 includes a processor 11, a storage device 12, and an interface 13. The processor 11 is connected to other hardware via a signal line, and controls these other hardware.

  The processor 11 is an IC (Integrated Circuit) that performs processing. Specifically, the processor 11 is a CPU (Central Processing Unit), a DSP (Digital Signal Processor), or a GPU (Graphics Processing Unit).

  The storage device 12 includes a memory 121 and a storage 122. Specifically, the memory 121 is a RAM (Random Access Memory). Specifically, the storage 122 is an HDD (Hard Disk Drive). Further, the storage 122 may be a portable storage medium such as an SD (Secure Digital) memory card, a CF (CompactFlash), a NAND flash, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, or a DVD.

  The interface 13 is an interface for receiving data input from the outside of the encryption device 10 and outputting the data to the outside. Specifically, the interface 13 is a connector such as USB (Universal Serial Bus), PS / 2, or HDIM (High-Definition Multimedia Interface) that connects an input device such as a keyboard and an output device such as a display. Specifically, the interface 13 may be a NIC (Network Interface Card) that transmits and receives data transmitted from the outside via a network.

The encryption device 10 includes a reception unit 21, a curve calculation unit 22, and an output value calculation unit 23 as functional components. The functions of the reception unit 21, the curve calculation unit 22, and the output value calculation unit 23 are realized by software.
The storage 122 of the storage device 12 stores programs that realize the functions of the respective units of the encryption device 10. This program is read into the memory 121 by the processor 11 and executed by the processor 11. Thereby, the function of each part of the encryption device 10 is realized.

  Information, data, signal values, and variable values indicating the results of processing of the functions of the respective units realized by the processor 11 are stored in the memory 121, or a register or cache memory in the processor 11. In the following description, it is assumed that information, data, signal values, and variable values indicating the processing results of the functions of the respective units realized by the processor 11 are stored in the memory 121.

  It is assumed that a program for realizing each function realized by the processor 11 is stored in the storage device 12. However, this program may be stored in a portable storage medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, or a DVD.

  In FIG. 1, only one processor 11 is shown. However, a plurality of processors 11 may be provided, and a plurality of processors 11 may execute programs that realize each function in cooperation with each other.

*** Explanation of operation ***
With reference to FIGS. 2 to 6, the operation of the cryptographic apparatus 10 according to the first embodiment will be described.
The operation of the cryptographic apparatus 10 according to the first embodiment corresponds to the cryptographic method according to the first embodiment. The operation of the cryptographic apparatus 10 according to the first embodiment corresponds to the processing of the cryptographic program according to the first embodiment.
Here, after describing (1) the Pizer graph and the hash function, and (2) the same kind of mapping on the elliptic curve, (3) the operation of the encryption device 10 will be described.

** (1) Pizer graph and hash function **
Here, (1-1) an expander graph, (1-2) a Pizer graph, (1-3) a walk that does not return, and (1-4) the security of a hash function will be described.

* (1-1) Expander graph *
Let G = (V, ε) be a graph having a vertex set V and an edge set ε. For any subset U 集合 V satisfying # U ≧ # V / 2, when the boundary set Γ (U) of U satisfies # Γ (U) ≧ c # U, the graph G has an expansion rate c> 0 It is said to be an expander graph. Here, Γ (U): = {vεV | ∃uεU, {u, v} εε}. #U is the number of U's. Similarly, #V and # Γ are the number of V and the number of Γ, respectively.
Any expander graph is a complete graph. The random walk on the expander graph has a stirrability. The distribution of end points after a random walk of O (log # V) steps approximates a uniform distribution on the graph.

* (1-2) Pizer graph *
The Pizer graph G = (V, ε) has an isomorphic class of super singular elliptic curves on the field F _p2 in the vertex set V. p2 is that of ^{p 2,} p is a prime number. Each vertex is represented by j-invariant or representative E. The edge set ε is a set of L-homogeneous mappings between vertices. In this graph, each vertex has L + 1 edges. When the vertex is represented by an elliptic curve E, the side that emerges from the elliptic curve E that is the vertex corresponds to L + 1 L equally divided points of the elliptic curve E that is the vertex. For the end points of each of the L + 1 sides that emerge from the elliptic curve E that is the vertex, a point that is different from the elliptic curve E that is the vertex is represented by E / C using a subgroup C⊂E [L] of order L.
The graph G is known to have a rapid stirring property. In particular, this is called the Ramanujan graph, a special kind of expander graph. Details are described in Non-Patent Document 5 and the like.

* (1-3) Walk that does not return *
The input value to the hash function is used as a route to walk without going backward in the graph G. The end point of the walk is set as the output value of the hash function. Since the graph G is (L + 1) -regular graph, the number of edges connected to each vertex is L + 1. Therefore, at each point excluding the start point, there are L candidates for the next vertex, excluding the vertex that is to be returned.

* (1-4) Security of hash function *
There are two types of hash functions using an expander graph: a case where a Caley graph is used and a case where a Pizer graph is used. The hash function using the Cayley graph includes a Zemor hash function and an LPS hash function, but most of them have already found attack methods and are not secure. However, no attack method has yet been found for the hash function using the Pizer graph.
The security of the hash function is ensured by two properties: collision difficulty and original image calculation difficulty. Collision difficulty is that it is difficult to find two different inputs with the same hash value. Original image calculation difficulty means that it is difficult to find an input having a given hash value.

The security of the hash function in the Pizer graph is guaranteed by the difficulty of the following three problems.
Problem 1. The body _{F p2} on supersingular elliptic curve E1, E2, different isogenies of intervening orders ^{L n f1: E1 → E2,} f2: configuring the E1 → E2.
Problem 2. When a super singular elliptic curve E on the field F _p2 is given, a self-homogeneous map f: E → E (f is not an ^Ln- fold map) of order L ²ⁿ is formed.
Problem 3. When Supersingular on the body _{F p2} elliptic curve E1, E2 is given, isogenies f of order ^{L n:} configuring the E1 → E2.
If the hash function collision can be calculated, Problem 1 and Problem 2 are solved. Further, if the original image of the hash function can be calculated, the problem 3 can be solved.
The homogeneous mapping problem is classified into a homogeneous mapping problem between elliptic curves and a homogeneous mapping problem between hypersingular elliptic curves. The computational complexity of the most efficient attack currently known is O ( ⁴ √p) and O (√p), respectively, when using a classical computer, and L _p when using a quantum computer, respectively. [1/2, (√3) / 2 ] is, O ⁽⁴ √p).

** (2) Homogeneous map on elliptic curve **
Here, (2-1) elliptic curve and (2-2) Velu formula will be described.

ｊ−不変量ｊ（Ｅ）＝ｊ∈Ｆ⁻ _ｐ（ｊ≠０，１７２８）となる楕円曲線Ｅは、数１２となる

* (2-1) Elliptic curve *
Let p be a prime number greater than 3. The elliptic curve E on the field F _p2 is given as Weierstrass standard form with y ² = x ³ + Ax + B, A, BεF _p2 , 4A ³ + 27B ² ≠ 0. The j-invariant j (E) of the elliptic curve E is calculated by Equation 11.

An elliptic curve E in which j-invariant j (E) = j∈F ⁻ _p (j ≠ 0, 1728) is expressed by Expression 12.

It is a necessary and sufficient condition that two elliptic curves have the same j-invariant that they are isomorphic. Of the elliptic curve E F ^- _p rational point group of _{^{E (F - p) = -}} | a _{{(x, y) ∈F p} 2 y 2 = x 3 + Ax + B} ∪ {O E}. Here, O _E represents a point at infinity of the elliptic curve E. For an integer n, the set of n equal points of the elliptic curve E is E [n] = {PεE (F ⁻ _p ) | [n] P = O _E }. For the two elliptic curves E1 and E2 on F ^- _p , the homomorphism φ: E1 → E2 is an algebraic curve that moves O _E1 to O _E2 . A non-zero homomorphism is called a homomorphism, and a separable homomorphism with a nuclear concentration of L is called an L-homogeneity map. An elliptic curve on F ^- _p where no point of order p exists on E (F ^- _p ) is said to be super singular. The j-invariant of the hypersingular elliptic curve is always included in F _p2 .

* (2-2) Velu's formula *
A calculation using the Velu formula (Non-Patent Document 6) of 2-homogeneous mapping and 3-homogeneous mapping will be described. The Velu formula is a formula that explicitly calculates the definition of the homogeneous map φ: E → E ′ and E ′ when an elliptic curve E and C = ker φ are given. This formula holds for any order L.
Here, the case where L is 2 or 3 will be described. Let C be a subgroup of order 2 or 3 on the elliptic curve E. At this time, a homogeneous map φ: E → E ′ where C = kerφ exists uniquely. E ′ = E / C.

さらに、同種写像φ：Ｅ→Ｅ／Ｃは、数１４で与えられる。ここで、φ（Ｏ_Ｅ）＝Ｏ_Ｅ／Ｃ，φ（（α，０））＝Ｏ_Ｅ／Ｃである。

In the case of L = 2, if C = <(α, 0)> ⊂E [2] is a subgroup of order 2 on the elliptic curve E, the elliptic curve E / C is given by Equation 13.

Further, the homogeneous map φ: E → E / C is given by Equation 14. Here, φ (O _E ) = O _{E / C} and φ ((α, 0)) = O _{E / C.}

さらに、同種写像φ：Ｅ∋（ｘ，ｙ）→（Ｘ，Ｙ）∈Ｅ／Ｃは、数１６で与えられる。ここで、φ（Ｏ_Ｅ）＝Ｏ_Ｅ／Ｃ，φ（（α_ｘ，α_ｙ））＝Ｏ_Ｅ／Ｃである。

In the case of L = 3, if C = <(α _x , α _y )> ⊂E [3] is a subgroup of order 3 on the elliptic curve E, the elliptic curve E / C is given by Equation 15.

Further, the homogeneous map φ: E∋ (x, y) → (X, Y) εE / C is given by the following equation (16). Here, φ (O _E ) = O _{E / C} and φ ((α _x , α _y )) = O _{E / C.}

In both L = 2 and 3, E / C is also defined on F _p2 if the elliptic curve E is super singular. Obviously, the homogeneous map φ is also defined on F _p2 for the hypersingular elliptic curve E.

** (3) Operation of the cryptographic device **
The cryptographic device 10 uses the input value to the hash function as a route to walk without going backward in the graph G, and uses the end point of the walk as the output value of the hash function. In the first embodiment, a case where L = 3 will be described. That is, in the first embodiment, a case will be described where, in the graph G, an edge that emerges from the elliptic curve E that is a vertex corresponds to four bisectors of the elliptic curve E that is a vertex.
In the following description, the graph G refers to the _hypermorphic elliptic curve isomorphism on the field F _p2 described in (1-2) as the vertex set V, and the L-homogeneous mapping between the vertices as the edge set ε. It is a Ramanujan graph of Pizer.

Here, (3-1) the selector function used when walking the graph G according to the input value is defined, and (3-3) the notation regarding the bisector and (3-3) the bisector are established. Explain the nature. Then, based on (3-1) to (3-3), a calculation method of (3-4) 3-same mapping sequence will be described.
The cryptographic apparatus 10 according to the first embodiment calculates a hash value corresponding to the input value by calculating a 3-homogeneous mapping sequence.

* (3-1) Selector function *
As described above, since the graph G is (L + 1) -regular graph, the number of sides connected to each vertex is L + 1. Therefore, as shown in FIG. 2, when L = 3, the graph G is a 4-regular graph, so the number of sides connected to each vertex is four. Therefore, at each point E _i (i = 1,..., N−1) excluding the start point E ₀ , there are three excluding the back-turning point where the next vertex candidate is back-turned.
The encryption device 10 has i = 1,. . . , N−1, the value bε {0, 1, 2} is assigned to the three sides connected to the three vertices that are candidates to proceed from the vertex E _i for each integer. Then, the cryptographic apparatus 10 uses the order of F _p2 for the three vertices λ ₀ , λ ₁ , λ ₂ ∈ F _p2 and the value b ∈ {0, 1, 2} that are candidates to proceed next. , The selector function select ⁽³⁾ is defined as in Equation 17, and the walk data ω = b ₀ b ₁ . . . b _n−1 ε {0, 1, 2} ⁿ and selector function select ⁽³⁾ determine the next vertex E _{i + 1} to move to. _Here, the order of the _{F p2, F p2 = F p} [τ] 2 = F p τ + F p = ~ (F p) to secure the origin tau as a _^2, natural dictionary in _(F ^{p) 2} Use a formula permutation.

At the start point E ₀ , a trisection point can be arbitrarily selected. Therefore, the encryption device 10 determines the x coordinate α ^x ₀ of the start point E ₀ and the x coordinate β ^x ₀ of the return point of the start point E ₀ using the selector function select ₀ ⁽³⁾ shown in Equation 18. Note that four roots of ψ ₃ (x) = 3x ⁴ + 6A ₀ x ² + 12B ₀ x−A ₀ ² = 0 are represented by λ ₀ , λ ₁ , λ ₂ , λ ₃ ∈ F _p2 (λ ₀ ≦ λ ₁ ≦ λ ₂ ≦ λ ₃ ).

* (3-2) Notation concerning the trisection point *
Walk data ω = b ₀ b ₁ . . . b _n−1 ε {0, 1, 2} Corresponding to ⁿ , the notation of four trisection points on the vertex E _i is fixed as follows.
(Α ^x _i , α ^y _i ) is a point related to the i-th homogeneous map φ _i . (Β ^x _i , β ^y _i ) is the i-th backtracking point. (Γ ^x _i , γ ^y _i ) and (δ ^x _i , δ ^y _i ) are the remaining two points.

* (3-3) Properties that hold for the trisection point *
(Property 1)
^Let (α ^x _i , α ^y _i ), (β ^x _i , β ^y _i ), (γ ^x _i , γ ^y _i ), (δ ^x _i , δ ^y _i ) be the bisector of the elliptic curve E _i , Φ _i : E 3 → Similar mapping when E _i → E _i / C is C = <(α ^x _i , α ^y _i )>. At this time, φ _i (β ^x _i , β ^y _i ), φ _i (γ ^x _i , γ ^y _i ), and φ _i (δ ^x _i , δ ^y _i ) are backtracking points of E _{i + 1} .

(Property 2)
The x coordinate β ^x _{i + 1} of the return point on E _{i + 1} is given by β ^x _{i + 1} = −3α ^x _i .

* (3-4) 3-Homogeneous map sequence calculation process *
With reference to FIGS. 3 and 4, the 3-homogeneous mapping sequence calculation process will be described.
A 3-homogeneous mapping sequence is calculated by the IsogSeq algorithm shown in FIG.

In the input value reception process (see Input in FIG. 4) in step S1, the reception unit 21 receives the input value and the j invariant j ₀ of the start point E ₀ . The receiving unit 21 converts the received input value into the walk data ω = b ₀ b ₁ . . . b _n−1 (b _i ε {0, 1, 2}, i = 0,..., n−1).
Specifically, the accepting unit 21 accepts an input value from the outside via the interface 13. As a specific example, the receiving unit 21 receives an input value input by operating the input device by the user via the interface 13 or the receiving unit 21 receives the input value transmitted via the communication device. Accept through. In addition, the reception unit 21 reads the j invariant j ₀ of the initial elliptic curve E ₀ from the memory 121. Note that the j invariant j _{0 at} the start point E ₀ may be received from the outside together with the input value.
And the reception part 21 converts an input value into the walk data (omega) by expressing an input value with a ternary number. The accepting unit 21 sets the number of digits of the input value represented in ternary number to n, and converts the value of the digit from the upper digits of the input value represented in ternary number to value b ₀ , value b ₁ ,. . . , Value b _n−1 in this order. The receiving unit 21 may add a fixed bit string to the bit string representing the input value and convert it to a ternary number so that the input value becomes equal to or greater than the reference value.

In the initial processing of step S2 (see (1) in FIG. 4), the curve calculation unit 22 is input with j-invariant _{j 0} of the starting point _{E 0} received in step S1, the elliptic curve ^{y 2} is the starting point _{E 0} The curve information A ₀ and B ₀ at = x ³ + A ₀ x + B ₀ is calculated based on Equation 12. The calculation of the curve information A ₀ and B _{0 corresponds} to the calculation of the elliptic curve E ₀ .
Further, the curve calculation unit 22 receives the calculated curve information A ₀ and B ₀ and the value b ₀ included in the walk data ω converted from the input value in step S1, and receives the selector function select shown in Expression 18. the ₀ ^(3), to determine the x-coordinate alpha ^x ₀ of the starting point _{E 0,} and x-coordinate beta ^x ₀ of backtracking points of the starting point _{E 0.}
Curve calculation unit 22, the calculated _{A 0} and _{B 0,} and x-coordinate alpha ^x ₀ of the starting point _{E 0,} writes the x coordinate beta ^x ₀ of backtracking points of the starting point _{E 0} in the memory 121.

In the 3-homogeneous mapping calculation process of step S3 (see (2) to (4) in FIG. 4), the curve calculation unit 22 sets i = 0,. . . , Of n-2 in ascending order the integers i, with calculating a curve information _{A i + 1} and _{B i + 1} in the elliptic curve _{^{y 2 = x 3 + A i}} + 1 x + B i + 1 which is the destination of the vertex _{E i + 1,} the destination vertex _{E i + 1} of Determine the x-coordinate α ^x _{i + 1} .

With reference to FIGS. 5 and 6, the 3-homogeneous mapping calculation process in step S3 will be described.
In step S3, i = 0,. . . , N-2, in an ascending order with respect to the integer i, the Isog algorithm shown in FIG. 6 is called by inputting A _i and B _i , the x coordinate α ^x _i of the source vertex E _i , and the value b _{i + 1} . A _{i + 1} and B _{i + 1} and the x coordinate α ^x _{i + 1 of the} destination vertex E _{i + 1} are calculated.

In curve calculation processing in step S31 (see (1) in FIG. 6), the curve calculation unit 22, and the curve information _{A i} and _{B i} of the elliptic curve, which is the source vertex _{E i,} of the source vertex _{E i} Based on the x coordinate α ^x _i , the curve information A _{i + 1} and B _{i + 1} of the elliptic curve which is the vertex E _{i + 1} of the movement destination is calculated based on the ^{equation (} 15).
Specifically, the curve calculation unit 22 reads the curve information A _i and B _i and the x coordinate α ^x _{i of} the movement source vertex E _i from the memory 121. Then, the curve calculation unit 22 receives the read curve information A _i and B _i and the x coordinate α ^x _i of the vertex E _i of the movement source, and obtains the curve information A by the ^equation 19 obtained from the ^equation 15. _{i + 1} and B _{i + 1} are calculated. The curve calculation unit 22 writes the calculated curve information A _{i + 1} and B _{i + 1} in the memory 121.

In the cubic equation calculation process in step S32 (see (2) in FIG. 6), the curve calculation unit 22 solves the cubic equations λ ₁ and λ that are candidates for the x coordinate α ^x _{i + 1} of the destination vertex E _{i + 1. 2} and λ ₃ are calculated.

これに対して、曲線計算部２２は、数１５と、β^ｘ _ｉ＋１＝−３α^ｘ _ｉとを代入する。そして、曲線計算部２２は、ζを１の３乗根とした場合に、３次方程式の２つの３乗根ｕ，ｖがｖ＝−ζ／ｕとなることを利用して、３次方程式を解く。数２２に示すζ_１，ζ_２，ζ_３に対して数２２に示すｕ，ｖとすると、解λ_０，λ_１，λ_２は数２３になる。

Specifically, the curve calculation unit 22 reads A _i and B _i and the x coordinate α ^x _i of the vertex E _i of the movement source from the memory 121.
First, the curve calculation unit 22 uses the read x-coordinate α ^x _i as an input, and follows (3-3) the properties 1 and 2 described in the properties that hold for the bisector, and the destination vertex E _{i + 1.} The x coordinate β ^x _{i + 1} of the upper return point is calculated by β ^x _{i + 1} = −3α ^x _i .
Next, the curve calculation unit 22 solves the cubic equation x ³ + ux ² + vx + w = 0, and calculates the x coordinate of the trisection point other than (β ^x _{i + 1} , β ^y _{i + 1} ). Here, u = β ^x _{i + 1} , v = 2A _{i + 1} + (β ^x _{i + 1} ) ² , and ω = 4B _{i + 1} + 2A _{i + 1} β ^x _{i + 1} + (β ^x _{i + 1} ) ³ .
At this time, the curve calculation unit 22 solves the cubic equation using the Cardano formula. That is, the solution of x ² + x + 1 = 0 is set to ω ₀ . Then, if t ₁ , t ₂ , and t ₃ shown in Equation 20 are u and v shown in Equation 20, the solution to be obtained is Equation 21.

On the other hand, the curve calculation unit 22 substitutes Equation 15 and β ^x _{i + 1} = −3α ^x _i . Then, the curve calculation unit 22 uses the fact that two cube roots u and v of the cubic equation become v = −ζ / u when ζ is a cube root of 1. Solve. Assuming that u and v shown in Equation 22 with respect to ζ ₁ , ζ ₂ and ζ ₃ shown in Equation 22, the solutions λ ₀ , λ ₁ and λ ₂ become Equation 23.

In the coordinate determination process in step S33 (see (3) in FIG. 6), the curve calculation unit 22 converts the calculated solutions λ ₀ , λ ₁ and λ ₂ into the walk data ω converted from the input values in step S1. as inputs and the value _{b i + 1} contained by selector function select indicated in Formula 17 ^(3), to determine the x-coordinate alpha ^x _{i + 1} of the destination vertex _{E i + 1.} The curve calculation unit 22 writes the determined x coordinate α ^x _{i + 1} in the memory 121.

In end processing In step S4 (see (5) in FIG. 4), the curve calculation unit 22, the x-coordinate alpha ^x _n-1 of the vertices _{E n-1} determined in step S3, in the destination vertex _{E n} Curve information A _n and B _n in a certain elliptic curve y ² = x ³ + A _n x + B _n is calculated based on Equation 15.
Specifically, the curve calculation unit 22 reads the curve information A _n−1 and B _n−1 and the x coordinate α ^x _{n−1 of} the movement source vertex E _n−1 from the memory 121. Then, the curve calculation unit 22 receives the read curve information A _n−1 and B _n−1 and the x coordinate α ^x _{n−1 of} the movement source vertex E _n−1 as input, and is obtained from Equation 15. The curve information A _n and B _n is calculated by the equation 24 given below. The curve calculation unit 22 writes the calculated curve information _An and B _n in the memory 121.

In the output value calculation process in step S5 (see Output in FIG. 4), the output value calculation unit 23 reads the curve information _An and _Bn calculated in step S4 from the memory 121. Then, the output value calculation section 23 calculates based on the j-invariant j _n of the elliptic curve is a vertex E _n to the number 11. The output value calculation unit 23 outputs the calculated j invariant j _n as a hash value for the input value accepted in step S1.

*** Effects of Embodiment 1 ***
As described above, the cryptographic apparatus 10 according to Embodiment 1 calculates a hash value for an input value by calculating a 3-kind mapping sequence. 3-When calculating the homogenous mapping sequence, the cryptographic apparatus 10 represents the x coordinate β ^x _{i + 1} of the backward return point with respect to the destination vertex E _{i + 1} as a variable only with the x coordinate α ^x _i of the source vertex E _i Using β ^x _{i + 1} = −3α ^x _i , the x-coordinate β ^x _{i + 1} of the return point was calculated. As a result, the amount of calculation of the x coordinate β ^x _{i + 1} of the backward return point can be reduced. As a result, the calculation efficiency of the homogeneous map can be improved.

  Also, the cryptographic apparatus 10 according to Embodiment 1 solved the cubic equation using the Cardano formula instead of the general polynomial solution algorithm when calculating the 3-homogeneous mapping sequence. Thereby, the calculation amount of the cubic equation can be reduced. As a result, the calculation efficiency of the homogeneous map can be improved.

  In addition, when the cryptographic apparatus 10 according to Embodiment 1 calculates a 3-homogeneous mapping sequence and ζ is a cube root of 1, the two cube roots u and v of the cubic equation are v = The cubic equation was solved by using -ζ / u. Thereby, the calculation of the cube root can be reduced once, and the calculation amount of the cubic equation can be reduced. As a result, the calculation efficiency of the homogeneous map can be improved.

*** Other configurations ***
In the first embodiment, the process of calculating a hash value has been described as a specific example of the encryption process. Therefore, the output value calculation unit 23 calculates a hash value as the output value.
However, by applying the processing described in the first embodiment, it is possible to realize key sharing, narrowly defined encryption, and signature described in documents such as Non-Patent Documents 1 to 3. When realizing key sharing and encryption in a narrow sense, the output value calculation unit 23 calculates a ciphertext as an output value. Further, when realizing a signature, the output value calculation unit 23 calculates an electronic signature as an output value.
That is, the output value calculation unit 23 calculates at least one of a hash value, a ciphertext, and a signature as an output value.

In the first embodiment, the case of L = 3 has been described. However, in the case of L> 3, similarly, the x of the backward return point is expressed by using the expression of the x coordinate β ^x _{i + 1} of the backward return point for the destination vertex E _{i + 1} with the x coordinate of the origin vertex E _i. by calculating the coordinates beta ^x _{i + 1,} it can be reduced calculation amount of x-coordinate beta ^x _{i + 1} of the turning back point. As a result, the calculation efficiency of the homogeneous map can be improved.

  In the first embodiment, the function of each unit of the cryptographic device 10 is realized by software. However, as a modification, the function of each unit of the encryption device 10 may be realized by hardware. This modification will be described with respect to differences from the first embodiment.

With reference to FIG. 7, the structure of the encryption apparatus 10 which concerns on a modification is demonstrated.
When the function of each unit is realized by hardware, the encryption device 10 includes a processing circuit 14 instead of the processor 11 and the storage device 12. The processing circuit 14 is a dedicated electronic circuit that realizes the functions of the respective units of the encryption device 10 and the functions of the storage device 12.

The processing circuit 14 is assumed to be a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array). Is done.
The function of each part may be realized by one processing circuit 14, or the function of each part may be distributed to a plurality of processing circuits 14.

  Also, some functions may be realized by hardware, and other functions may be realized by software. That is, some of the functions of the cryptographic device 10 may be realized by hardware, and other functions may be realized by software.

  The processor 11, the storage device 12, and the processing circuit 14 are collectively referred to as “processing circuitry”. That is, the function of each part is realized by a processing circuit.

  DESCRIPTION OF SYMBOLS 10 Encryption apparatus, 11 Processor, 12 Storage apparatus, 121 Memory, 122 Storage, 13 interface, 14 Processing circuit, 21 Reception part, 22 Curve calculation part, 23 Output value calculation part

Claims (12)

An encryption device that calculates an output value by moving between vertices without going back in a graph having an elliptic curve isomorphism as a vertex set and an L-homogeneous mapping with L ≧ 3 between the elliptic curves as an edge set. Yes,
As inputs the x coordinate alpha ^x _i of the source vertex E _i, wherein by utilization of the x coordinate beta ^{x i} _{+ 1} of the backtracking point for the destination vertex E _{i + 1} in the x-coordinate of the source vertex E _i Formula after having calculated the x coordinate beta ^{x i} _{+ 1} of the backtracking point, the destination by solving a cubic equation vertex E _{i + 1} by calculating the x-coordinate alpha ^{x i} _{+ 1,} the elliptic curve said a destination vertex E _{i + 1} A curve calculation unit for calculating curve information;
An encryption apparatus comprising: an output value calculation unit that calculates the output value using the curve information calculated by the curve calculation unit. The graph uses a 3-homogeneous mapping between elliptic curves as an edge set,
2. The encryption apparatus according to claim 1, wherein the curve calculation unit calculates an x coordinate β ^x _{i + 1} of a backward return point by using the x coordinate β ^x _{i + 1} being −3 times the x coordinate α ^x _i . The encryption apparatus according to claim 2, wherein the curve calculation unit solves the cubic equation using a Cardano formula. The curve calculation unit solves the cubic equation by using the fact that two cube roots u and v of the cubic equation are v = −ζ / u when ζ is a cube root of 1. The encryption device according to claim 3. The curve calculation unit inputs the _{A i} and _{B i} of the elliptic curve _{^{y 2 = x 3 + A i}} x + B i wherein a movement source vertex _{E i,} the x-coordinate alpha ^x _i of the moving source vertex _{E i} as a solving the cubic equation as shown in equation 1, solutions lambda _0, lambda _1, and calculates the lambda _2, the solutions lambda _0, lambda _1, select one solution from lambda _2, is selected The encryption apparatus according to claim 4, wherein the solution is determined as an x coordinate α ^x _{i + 1} of the vertex E _{i + 1} of the movement destination.

The curve calculation unit includes a _{A i} and _{B i} of the elliptic curve _{^{y 2 = x 3 + A i}} x + B i wherein a movement source vertex _{E i,} as inputs and the x-coordinate alpha ^x _i, the vertices of the destination E _{i + + 1} in which the elliptic curve _{^{y 2 = x 3 a i +}} 1 x + B i + 1 curve information in _{a i + 1} and _{B i + 1} encryption device according to claim 5, calculated as shown in Expression 2 below.

The curve calculation unit, an elliptic curve _{^{y 2 = x 3 + A 0}} x + B curve information _{A 0} and _{B 0} in ₀ is the starting point _{E 0,} and x-coordinate alpha ^x ₀ of the starting point _{E 0,} walk data omega _{= b} 0 b ₁ . . . b _n−1 and k = 0,. . . , The ascending order for integer k n-2, with calculating the curve information _{A k + 1} and _{B k + 1} in the elliptic curve _{^{y 2 = x 3 + A k}} + 1 x + B k + 1 are the vertices _{E k + 1} of the destination, the destination vertex E _{k + 1} of determining the x-coordinate alpha ^x _{k + 1,} the curve information _{a n} in determined the x coordinate alpha from ^x _n-1 are the vertices _{E n} of the destination elliptic curve _{^{y 2 = x 3 + a n}} x + B n and _Bn is calculated,
The output value calculating unit, wherein said from the curve information calculated by the curve computing unit A _n and B _n, calculates the j-invariant j _n of the elliptic curve are the vertices E _n of the destination as the output value Item 7. The encryption device according to Item 6. The cryptographic apparatus according to claim 7, wherein the output value calculation unit calculates the j invariant j _n as a hash value for the walk data ω. In the graph, an L-homogeneous mapping of a plurality of integers L is an edge set,
The curve calculation unit solves the cubic equation by using the fact that the x coordinate β ^x _{i + 1} is −3 times the x coordinate α ^x _i when calculating the side movement of the 3-homogeneous map. The encryption device according to claim 1. The encryption apparatus according to claim 1, wherein the output value calculation unit calculates at least one of a hash value, a ciphertext, and a signature as the output value. An encryption method for calculating an output value by moving between vertices without going backwards in a graph in which an isomorphic class of elliptic curves is a vertex set and an L-homogeneous mapping with L ≧ 3 between the elliptic curves is an edge set. Yes,
Processor as inputs the x coordinate alpha ^x _i of the source vertex E _i, utilizing the x coordinate beta ^{x i} _{+ 1} of the backtracking point for the destination vertex E _{i + 1} in the x-coordinate of the source vertex E _i Formula to in terms of calculating the x-coordinate beta ^{x i} _{+ 1} of the backtracking point, by calculating the x-coordinate alpha ^{x i} _{+ 1} of the destination by solving a cubic equation vertex E _{i + 1,} is a vertex E _{i + 1} of the destination Calculate the curve information of the elliptic curve,
A cryptographic method in which a processor calculates the output value using the calculated curve information. An encryption program that calculates an output value by moving between vertices without going backwards in a graph having an elliptic curve isomorphism as a vertex set and an L-homogeneous mapping with L ≧ 3 between the elliptic curves as an edge set. Yes,
As inputs the x coordinate alpha ^x _i of the source vertex E _i, wherein by utilization of the x coordinate beta ^{x i} _{+ 1} of the backtracking point for the destination vertex E _{i + 1} in the x-coordinate of the source vertex E _i Formula after having calculated the x coordinate beta ^{x i} _{+ 1} of the backtracking point, the destination by solving a cubic equation vertex E _{i + 1} by calculating the x-coordinate alpha ^{x i} _{+ 1,} the elliptic curve said a destination vertex E _{i + 1} A curve calculation process for calculating curve information;
An encryption program for causing a computer to execute an output value calculation process for calculating the output value using the curve information calculated by the curve calculation process.

Images