JP4423900B2 - Scalar multiplication calculation method, apparatus and program for elliptic curve cryptography - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to security technology, and more particularly to a message processing method using elliptic curve calculation.
[0002]
[Prior art]
Elliptic curve cryptography is a kind of public key cryptography proposed by N. Koblitz, V. S. Miller. Public key cryptography includes information that can be disclosed to the public called a public key, and secret information that must be kept secret, called a private key. A public key is used for encryption of a given message and signature verification, and a secret key is used for decryption of a given message and creation of a signature.
[0003]
The secret key in elliptic curve cryptography is a scalar value. The security of elliptic curve cryptography comes from the difficulty of solving discrete logarithm problems on elliptic curves. The discrete logarithm problem on an elliptic curve is a problem of obtaining a scalar value d when a certain point P on the elliptic curve and a point dP that is a scalar multiple thereof are given.
[0004]
The point on the elliptic curve is a set of numbers that satisfy the definition equation of the elliptic curve. The entire point on the elliptic curve is calculated based on a virtual point called an infinite point, that is, on the elliptic curve. Addition (or addition) is defined. The addition on the elliptic curve by the same points is particularly called doubling on the elliptic curve.
[0005]
The addition of two points on an elliptic curve is calculated as follows: When you draw a straight line that passes through two points, the straight line intersects the elliptic curve at another point. The point that is symmetric with respect to the intersecting point and the x-axis is the result of the addition. For example, in the case of a Weierstrass-type elliptic curve, the point (x₁, y₁) And point (x₂, y₂) Addition
(x_Three, y_Three) = (x₁, y₁) + (X₂, y₂)
x_Three= ((y₂-y₁) / (x₂-x₁))²-x₁-x₂          (Formula 1)
y_Three= ((y₂-y₁) / (x₂-x₁)) (x₁-x_Three) -y₁      (Formula 2)
Is obtained by calculating. Here, the defining formula of the Weierstrass-form elliptic curve is
y²= x^Three+ Ax + B (Formula 3)
Given in. That is, each of x and y in Equation 3 is x_i, y_i When substituting (i = 1,2,3), the equation of Equation 3 holds.
[0006]
The doubling of points on the elliptic curve is calculated as follows. When a tangent at a point on the elliptic curve is drawn, the tangent intersects at another point on the elliptic curve. The intersected point and a point that is symmetric with respect to the x-coordinate are taken as the result of doubling. For example, in the case of a Weierstrass-type elliptic curve, the point (x₁, y₁)
(x_Three, y_Three) = 2 (x₁, y₁) = (x₁, y₁) + (X₁, y₁)
x_Three= ((3x₁ ²+ A) / (2y₁))²-2x₁            (Formula 4)
y_Three= ((3x₁ ²+ A) / (2y₁)) (x₁-x_Three) -y₁      (Formula 5)
Is obtained by calculating.
[0007]
Adding a certain number of times to a certain point is called scalar multiplication, the result is called a scalar multiple, and the number of times is called a scalar value.
[0008]
While the difficulty of solving the discrete logarithm problem on an elliptic curve has been theoretically established, information related to secret information such as a secret key (calculation time, power consumption, etc.) is encrypted in an actual implementation. An attack method called a side channel attack has been proposed in which there is a case of leaking in processing, and secret information is restored based on the leaked information.
[0009]
A non-patent document 1 describes a side channel attack against elliptic curve cryptography.
[0010]
In elliptic curve cryptography, encryption, decryption, signature generation or verification of a given message must be performed using elliptic curve computation. In particular, calculation of scalar multiplication on an elliptic curve is used in cryptographic processing using a scalar value that is secret information.
[0011]
A non-patent document 2 describes a defense method against side channel attacks against elliptic curve cryptography.
[0012]
[Non-Patent Document 1]
J. Coron, Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems, Cryptographic Hardware and Embedded Systems: Proceedings of CHES'99, LNCS 1717, Springer-Verlag, (1999) pp.292-302.
[Non-Patent Document 2]
K.Okeya, T.Takagi, The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure against Side Channel Attacks, RSA conference cryptographer's track (CT-RSA 2003), LNCS 2612, Springer-Verlag, (2003), pp.328-341.
[0013]
[Problems to be solved by the invention]
Cryptographic technology has become an indispensable element for concealing and authenticating electronic information with the development of information and communication networks. In addition to security, requirements imposed on cryptographic technology include processing speed and low memory usage, but generally there is a trade-off relationship between security, processing speed, and memory usage. It is difficult to meet all requirements. On the other hand, since the discrete logarithm problem on the elliptic curve is very difficult, the elliptic curve cryptosystem can make the key length relatively short compared to the cipher that uses the difficulty of prime factorization as the basis of security. . For this reason, encryption processing can be performed even if resources such as calculation capacity and memory capacity are relatively small. However, in a smart card (also referred to as an IC card) or the like, there are few resources that can be used, and cryptographic processing that can customize processing speed and memory usage is required so as to perform optimal cryptographic processing within the limited resources.
[0014]
Although the above technique is effective as a method for preventing side channel attacks, it does not take into consideration the point of customizing the processing speed and memory usage.
[0015]
[Means for Solving the Problems]
The present invention provides an elliptic curve calculation method capable of preventing side channel attacks and customizing the processing speed and memory usage.
[0016]
The present invention further provides an encryption processing method, a decryption processing method, a signature creation method, a signature verification method, and a data sharing method using the above elliptic curve calculation method.
[0017]
The present invention provides a scalar multiple calculation method for calculating a scalar multiple from a scalar value and a point on an elliptic curve in an elliptic curve calculation, the step of encoding the scalar value into a numerical sequence, and a point on the elliptic curve And a step of calculating a scalar multiple from the encoded numerical sequence and the pre-calculation table, wherein the pre-calculation table includes randomly selected elements.
[0018]
In the present invention, the encoding step may include a step of selecting a remainder of the scalar value.
[0019]
In the present invention, the encoding step includes a step of selecting one of a first residue and a second residue with respect to the scalar value, and the step of selecting the residue includes the first residue. When the size of the remainder is smaller than a predetermined size, the step of selecting the first residue or the second residue with a predetermined probability, and the size of the first residue is equal to or larger than the size In this case, it may be configured to include a step of determining whether or not a point on the elliptic curve associated with the first remainder exists in the previous calculation table.
[0020]
In the present invention, the step of calculating the scalar multiple includes a step of executing the first operation a predetermined number of times and a step of executing a second operation different from the first operation. You may comprise as follows.
[0021]
The present invention is also a scalar multiple calculation method for calculating a scalar multiple from a scalar value and a point on an elliptic curve in an elliptic curve calculation, and a step of creating a pre-calculation table from the point on the elliptic curve; Calculating a scalar multiple from the scalar value and the pre-calculation table, and the pre-calculation table may be configured to include randomly selected elements.
[0022]
As described above, according to the scalar multiplication calculation method of the present invention, since the selection range of the number of points to be stored in the pre-calculation table is wide and the elements of the pre-calculation table are randomly selected, side channel attacks can be prevented. A scalar multiplication method capable of customizing processing speed and memory usage becomes available.
[0023]
DETAILED DESCRIPTION OF THE INVENTION
Embodiments of the present invention will be described below with reference to the drawings.
[0024]
FIG. 1 shows a system configuration in which a computer A 101 and a computer B 121 to which an elliptic curve calculation method according to the present invention connected by a network 142 is applied are connected by a network 142.
[0025]
To encrypt a message with the computer A101 in the cryptographic communication system of FIG.
P_mTo calculate and output + k (aQ) and kQ, and decrypt the ciphertext with the computer B121,
Calculate -a (kQ) from secret key a and kQ,
(P_m+ K (aQ))-a (kQ) (Equation 6)
Can be calculated and output. Where P_mIs a message, k is a random number, a is a constant indicating a secret key, Q is a fixed point, and aQ is a point indicating a public key.
[0026]
Network 142 has P_mOnly + k (aQ), kQ is sent and message P_mIn order to restore, it is necessary to calculate kaQ, that is, a times kQ. However, since the private key a is not transmitted to the network 142, only the one holding the private key a_mCan be restored.
[0027]
In FIG. 1, a computer A101 is equipped with an arithmetic device such as a CPU 113 and a coprocessor 114, a storage device such as a RAM 103, a ROM 106 and an external storage device 107, and an input / output interface 110 for performing data input / output with the outside of the computer. A display 108, a keyboard 109, and a removable portable storage medium read / write device for operating the computer A101 by the user are connected to the outside.
[0028]
Further, the computer A101 realizes the storage unit 102 by a storage device such as the RAM 103, the ROM 106, and the external storage device 107, and the arithmetic device such as the CPU 113 and the coprocessor 114 executes the program stored in the storage unit 102. The data processing unit 112, the scalar multiplication calculation unit 115, and the processing units included therein are realized.
[0029]
In the present embodiment, the data processing unit 112 functions as the encryption processing unit 112 and encrypts the input message.
[0030]
The scalar multiplication calculation unit 115 calculates parameters necessary for the encryption processing unit 112 to perform encryption. The storage unit 102 stores a constant 104 (for example, an elliptic curve definition formula or a fixed point on the elliptic curve), secret information 105 (for example, a secret key), and the like.
[0031]
The computer B121 has the same hardware configuration as the computer A101.
[0032]
Further, the computer B121 realizes the storage unit 122 by a storage device such as the RAM 123, the ROM 126, and the external storage device 107, and the arithmetic device such as the CPU 133 or the coprocessor 134 executes the program stored in the storage unit 122. The data processing unit 132, the scalar multiplication calculation unit 135, and the processing units included therein are realized.
[0033]
In the present embodiment, the data processing unit 132 functions as the decryption processing unit 132 and decrypts the ciphertext 141 that is an encrypted message.
[0034]
The scalar multiplication calculation unit 135 calculates parameters necessary for the decoding processing unit 132 to perform decoding. The storage unit 122 stores a constant 124 (for example, an elliptic curve definition formula or a fixed point on the elliptic curve), secret information 125 (for example, a secret key), and the like.
[0035]
Each of the above programs may be stored in advance in a storage unit in the computer, or when necessary, from another device via a medium that can be used by the input / output interface 110 and the computer 721. It may be introduced into the storage unit. The medium refers to, for example, a storage medium that is detachable from the input / output interface 110, or a communication medium (that is, a network or a carrier wave that propagates through the network).
[0036]
FIG. 2 shows how information is transferred by each processing unit of the computer A101 and the computer B121.
[0037]
Next, an operation when the computer A101 in FIG. 1 encrypts an input message will be described. The message may be any digitized data, and may be any text, image, video, or sound.
[0038]
When receiving the plaintext message (input message 204 in FIG. 2) via the input / output interface 110, the encryption processing unit 112 determines whether or not the bit length of the input plaintext message is a predetermined bit length. When the bit length is longer than a predetermined bit length, the plaintext message is divided so as to have a predetermined bit length. Hereinafter, a partial message (also simply referred to as a message) divided into a predetermined bit length will be described.
[0039]
Next, the encryption processing unit 112 converts the numerical value represented by the bit string of the message into the x coordinate (x₁) Point P on the elliptic curve_mY coordinate value (y₁).
[0040]
For example, the Weierstrass-form elliptic curve has constants A and B, respectively.
y₁ ²= X₁ ^Three+ Ax₁+ B (Formula 7)
Therefore, the y-coordinate value can be obtained from this.
[0041]
Next, the encryption processing unit 112 generates a random number k. Then, the public key aQ and the x coordinate of Q read out from the constant 104 stored in the storage unit 102 (205 in FIG. 2), the obtained y coordinate value, and the random number k are sent to the scalar multiplication unit 115 ( 206 in FIG.
[0042]
The scalar multiplication calculator 115 calculates the x-coordinate of Q, the value of the y-coordinate, and the scalar multiple (x_d1, y_d1) = kQ, x-coordinate of public key aQ, y-coordinate value, scalar multiple (x_d2, y_d2) = k (aQ) and sends the calculated scalar multiple to the encryption processing unit 112 (207 in FIG. 2).
[0043]
The encryption processing unit 112 performs encryption processing using the sent scalar multiple. For example, for the Weierstrass elliptic curve, P_mCalculate + k (aQ) and kQ. That is,
x_e1= ((y_d1-y₁) / (x_d1-x₁))²-x₁-x_d1, (Equation 8)
x_e2= x_d2                              (Formula 9)
Calculate the encrypted message x_e1, x_e2Get.
[0044]
The computer A101 assembles an encrypted output message from the one or more partial messages encrypted by the encryption processing unit 112 (208 in FIG. 2).
[0045]
The computer A101 outputs the encrypted output message as data 141 from the input / output interface 110, and transfers it to the computer B121 via the network 142.
[0046]
Note that the information read from the storage unit 102 in FIG. 2 may be performed before the input message is received as long as the information is transmitted to the scalar calculation unit 115.
[0047]
Next, the operation when the computer B 121 decrypts the encrypted message 141 will be described with reference to FIG.
[0048]
When the encrypted data 141 (input message 204 in FIG. 2) is input via the input / output interface 110, the decryption processing unit 132 (data processing unit 112 in FIG. 2) receives the input encrypted data. It is determined whether the bit length of the data 141 is a predetermined bit length. When the bit length is longer than the predetermined bit length, the encrypted data is divided so as to have the predetermined bit length. Hereinafter, partial data (also simply referred to as data) divided into a predetermined bit length will be described.
[0049]
The value of the y coordinate on the elliptic curve having the numerical value represented by the bit string of the data 141 at the x coordinate is calculated.
[0050]
The encrypted message is x_e1, x_e2For a Weierstrass-type elliptic curve, the y-coordinate value (y_e1)
y_e1 ²= x_e1 ^Three+ Ax_e1+ B (Formula 10)
(However, A and B are constants)
Can be obtained from
[0051]
The decryption processing unit 132 (205 in FIG. 2) read from the secret information 125 stored in the storage unit 122 (102 in FIG. 2) and the values of the x and y coordinates (x_e1, y_e1) Is sent to the scalar multiplication unit 135 (115 in FIG. 2) (206 in FIG. 2).
[0052]
The scalar multiplication unit 135 calculates the scalar multiple (x_d3, y_d3) = a (x_e2, y_e2). The scalar multiplication calculation unit 135 sends the calculated scalar multiples to the decoding processing unit 132 (207 in FIG. 2). The decoding processing unit 132 performs a decoding process using the sent scalar multiple.
[0053]
For example, if the encrypted message is x_e1, x_e2In the case of a Weierstrass-type elliptic curve,
(P_m+ K (aQ))-a (kQ) = (x_e1, y_e1)-(x_d3, y_d3)
This is achieved by calculating That is,
x_f1= ((y_e1+ Y_d3) / (x_e1-x_d3))²-x_e1-x_d3        (Formula 11)
Calculate the partial message x before being encrypted₁X corresponding to_f1Get.
[0054]
The computer B 121 assembles a plaintext message from the partial message decrypted by the decryption processing unit 132 (208 in FIG. 2), and outputs it from the display 108 or the like via the input / output interface 110.
[0055]
Next, the process of the scalar multiplication unit 135 when the computer B121 performs the decoding process will be described in detail.
[0056]
In the first embodiment, the functional block of the scalar multiplication calculator shown in FIG. 3 is used. The scalar multiplication calculation unit 115 (135 in FIG. 1) includes an encoding unit 302, a previous calculation unit 303, and an actual calculation unit 304. The encoding unit 302 includes a residue acquisition unit 321, an index set generation unit 322, a residue selection unit 323, a repetition determination unit 324, and a storage unit 325. The pre-calculation unit 303 includes an addition unit 331, a doubling unit 332, and a repetition determination unit 333. The actual calculation unit 304 includes a bit value determination unit 341, an addition unit 342, a doubling unit 343, and a repetition determination unit 344.
[0057]
A first calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described.
[0058]
When the scalar multiplication calculation unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the encoding unit 302 converts the input scalar value d into a numerical sequence d._wEncode to [j]. That is,
d = d_w[n + w₀-1] 2^{n + w0-1}+ D_w[n + w₀-2] 2^{n + w0-2}+ ... + d_w[j] 2^j+ ... + d_w[0]
(Formula 12)
-2^w0-1≦ d_w[j] ≦ 2^w0-1 or d_w[j] ∈B (Formula 13)
D_wConvert the scalar value d to [j]. Here, n is the bit length when the scalar value d is expressed in binary, and w is a predetermined small positive rational number called the window width. w₀Is a positive integer and w₀= ceil (w) is satisfied. However, ceil (w) represents the smallest integer greater than or equal to w. B is a randomly selected index set,
B = {± b₁, ± b₂, ..., ± b_m}. However, m different b₁, b₂, ..., b_mIs
{2^w0-1+1,2^w0-1+3, ..., 2^w0-1}.
Where m = w₁2^w0-2, w₁= w- (w₀-1). If priority is given to calculation time, set w to a large value. Set w to a small value to reduce memory usage. The window width w is determined so that m is an integer. Positive integer w₀Is fixed and the window width w is moved, the integer m is 0 to 2^w0-2Can take values up to.
[0059]
The pre-calculation unit 303 creates a pre-calculation table from the input point P on the elliptic curve using the index set B. The pre-calculation table is P, 3P, ..., (2^w0-1-1) P and b_jIt is composed of P, j = 1, ..., m.
[0060]
The actual calculation unit 304 calculates a scalar multiple dP from the encoded scalar value and the point P on the elliptic curve using the pre-calculation table.
[0061]
Next, each process performed by the encoding unit 302, the previous calculation unit 303, and the actual calculation unit 304 will be described in detail.
[0062]
First, a method in which the encoding unit 302 encodes the scalar value d will be described with reference to FIG.
[0063]
Substitute the scalar value d for the variable d '. w₀Ceil (w), w₁W- (w₀-1) is assigned (401).
[0064]
The index set generation unit 322 sets m = w₁2^w0-2And m different
b₁, b₂, ..., b_m{2^w0-1+1,2^w0-1+3, ..., 2^w0-1} at random, and index set B is B = {± b₁, ± b₂, ..., ± b_m}. Numerical value P indicating probability_wTo w₁Is assigned (402).
[0065]
The initial value 0 is assigned to the variable r, and the initial value 0 is assigned to the variable i (403).
[0066]
The repetition determination unit 324 determines whether the variable d ′ is greater than 1.
[0067]
If d 'is greater than 1, go to step 411. If it is less than 1, go to step 431 (404).
[0068]
If d 'is greater than 1 in step 404,
The remainder acquisition unit 321 calculates the scalar value d ′ to 2^{w0 + 1}2 from the remainder by^w0X [i] after subtracting 2 from the scalar value d '^w02 from the remainder by^w0-1Each value obtained by subtracting is stored in y [i] (411).
[0069]
The remainder selection unit 323 determines | x [i] | <2^w0-1It is determined whether or not. Here, | x [i] | represents the absolute value of x [i]. | x [i] | <2^w0-1If so, go to Step 413. | x [i] | ≧ 2^w0-1If so, go to Step 421 (412).
[0070]
In step 412 | x [i] | <2^w0-1 in the case of,
The remainder selection unit 323 has a probability P_wAt r_iTo w₀And u [i] store x [i] respectively, and the probability 1-P_wAt r_iTo w₀−1 and y [i] are stored in u [i], respectively, and the process goes to Step 414 (413).
[0071]
In step 412 | x [i] | ≧ 2^w0-1in the case of,
The remainder selection unit 323 determines whether x [i] belongs to the set B. If x [i] belongs to B, go to step 422. If x [i] does not belong to B, go to step 423 (421).
[0072]
If x [i] belongs to B in step 421,
The remainder selection unit 323 is r_iTo w₀, X [i] is stored in u [i], and the process goes to step 414 (422).
[0073]
If x [i] does not belong to B in step 421,
The remainder selection unit 323 is r_iTo w₀-1 and u [i] are stored in y [i], respectively, and the process goes to Step 414 (423).
[0074]
The remainder acquisition unit 321 calculates (d'-u [i]) / 2^riAnd set it as a new d ′ (414).
[0075]
The storage unit 325 is d_w[r + r_i-1], d_w[r + r_i-2], ..., d_w[r] stores 0, 0,..., 0, u [i], respectively (415).
[0076]
Variable r to r_iThe variable i is incremented by 1, and the variable i is incremented by 1. The process returns to step 404 (416).
[0077]
If d 'is 1 or less in step 404,
The storage unit 325 is d_w[n + w₀-1], ..., d_w[r + 1], d_w[r] stores 0,..., 0, 1 respectively (431).
[0078]
The encoding unit 302 is d_w[n + w₀-1], ..., d_w[0] and B are output to the actual calculation unit 304 (432).
[0079]
Next, a method in which the pre-calculation unit 303 creates a pre-calculation table using the index set B from points on the elliptic curve will be described with reference to FIG.
[0080]
The point P is doubled by ECDBL, and the result is stored in 2P (501).
[0081]
The initial value 1 is assigned to the variable j (502).
[0082]
The repeat determination unit 333 causes j to be 2^w0-1Determine if less than. j is 2^w0-1If smaller, go to step 504. j is 2^w0-1In the above case, go to Step 511 (503).
[0083]
J is 2 in step 503^w0-1If less than
The points jP and 2P are added by ECADD, and the result is stored in (j + 2) P (504).
[0084]
The variable j is incremented by 2, and the process returns to step 503 (505).
[0085]
J is 2 in step 503^w0-1If this is the case,
Dot (2^w0-1-1) Add P and point P by ECADD, and add 2^w0-1Store in P (511).
[0086]
Assign 1 to variable j (512).
[0087]
The iterative determination unit 333 determines whether j is less than or equal to m. If j is less than or equal to m, go to step 514. If j is greater than m, go to step 521 (513).
[0088]
If j is less than or equal to m in step 513,
Point 2^w0-1P and dot (b_j-2^w0-1) P is added by ECADD and the result is b_jStore in P (514).
[0089]
The variable j is incremented by 1, and the process returns to step 513 (515).
[0090]
If j is greater than m in step 513,
P, 3P, ..., (2^w0-1-1) P and b_jP, j = 1,..., M are output as a pre-calculation table (521).
[0091]
However, ECADD and ECDBL represent addition and doubling on an elliptic curve, respectively. Addition is calculated using equations 1 and 2, and doubling is calculated using equations 4 and 5, respectively. There are calculation formulas in projective coordinates and Jacobian coordinates in addition to using Equations 1, 2 and Equations 4 and 5 for addition and doubling calculations.
Non-Patent Document 3: Cohen, H., Miyaji, A., Ono, T., Efficient Elliptic Curve Exponentiation Using Mixed Coordinates, Advances in Cryptology-ASIACRYPT 1998, LNCS 1514, Springer-Verlag, (1998), pp.51- 65.
It is described in.
[0092]
Also, for the point Q = (x, y) on the elliptic curve, the inverse element point -Q related to the elliptic curve addition is expressed as -Q = (x, -y), so the coordinate of the point Q is It can be easily calculated if given. for that reason,
Point P, 3P, ..., (2^w0-1-1) P and b_jOnly P, j = 1, ..., m are stored as a pre-calculation table. Necessary for subsequent calculations performed by the actual calculation unit 304
Dots -P, -3P, ...,-(2^w0-1-1) P and -b_jP, j = 1,..., M may be derived from them, and need not be stored in the pre-calculation table.
[0093]
Note that the points -P, -3P, ...,-(2^w-1) P and -b_jIn order to omit the derivation of P, j = 1,..., M, only the y-coordinate values of those points may be stored in the pre-calculation table.
[0094]
The pre-calculation table creation process performed by the pre-calculation unit 303 is as follows.
Point P, 3P, ..., (2^w0-1-1) P and b_jP, j = 1,..., M may be calculated. Therefore, the speed may be increased by using the Montgomery trick to share the calculation of the inverse element calculation required for the elliptic curve calculation.
[0095]
Montgomery tricks to share inverse operations
Non-Patent Document 4: Cohen, H., A course in computational algebraic number theory, GTM138, Springer-Verlag, (1993).
Page 481.
[0096]
Further, when the point P is a fixed point, in the creation process of the pre-calculation table performed by the pre-calculation unit 303,
Point P, 3P, ..., (2^w0-1-1) The calculation of P, that is, the processing from step 501 to step 511 may be performed only once. because,
Point P, 3P, ..., (2^w0-1-1) P does not depend on the index set B. Therefore, once
Point P, 3P, ..., (2^w0-1-1) If P is calculated, the subsequent scalar multiplication is
Point P, 3P, ..., (2^w0-1-1) It is not necessary to recalculate P, and only the part depending on the index set B needs to be recalculated.
[0097]
Finally, a method for calculating a scalar multiple point in an elliptic curve from the encoded scalar value and a point on the elliptic curve will be described with reference to FIG.
[0098]
Initial value n + w for variable c₀Substitute -1 (601).
[0099]
d_wDetermine whether [c] is 0 or 0.
[0100]
d_wIf [c] is 0, go to Step 603. If not 0, go to step 611 (602).
[0101]
The variable c is decreased by 1, and the process returns to step 602 (603).
[0102]
D in step 602_wIf [c] is not 0, d at point Q_w[c] Substitute P (611).
[0103]
The initial value c-1 is assigned to the variable j (612).
[0104]
Determine if j is less than 0. If j is smaller than 0, go to Step 621. If it is greater than 0, go to step 614 (613).
[0105]
The point Q is doubled by ECDBL and stored again at the point Q (614).
[0106]
d_wDetermine whether [j] is 0 or not 0.
[0107]
d_wIf [j] is 0, go to Step 617. If not 0, go to step 616 (615).
[0108]
D in step 615_wIf [j] is not 0,
Points Q and d_w[j] P and ECADD are added. Where d_wIf [j] is negative (-d_w[j]) Addition is performed using the inverted y coordinate of P. The result is stored at point Q and the process goes to step 617 (616).
D_wIf [j] is not 0, d_w[j] is an odd number that satisfies Equation 13. Therefore, d_w[j] P or (-d_w[j]) P is always present in the previous calculation table.
[0109]
The variable j is decreased by 1, and the process returns to step 613 (617).
[0110]
If j is smaller than 0 in step 613, a point Q is output (621).
[0111]
D output by processing performed by the encoding unit 302_w[j] satisfies Equations 12 and 13. The reason is as follows.
In the loop from step 404 to step 416, the value of d 'for the i-th time is set to d' [i]. That is, in step 414
d '[i + 1] = (d' [i] -u [i]) / 2^ri        (Formula 14)
Is calculated. In the 0th loop
d = d '[0] (Formula 15)
It becomes. In the first loop
d = d '[1] 2^r0+ U [0] (Formula 16)
It becomes. Similarly, in the i-th loop,
d = (... (d '[i] 2^ri+ U [i]) 2^ri-1+ ... + u [1]) 2^r0+ U [0] (Formula 48)
It becomes. The calculation in step 414 is d '[i] <2^{ri + 1}When,
d '-((d'mod 2^{ri + 1}) -2^ri) = 2^ri        (Formula 17)
Therefore, d ′ [i + 1] = 1. In step 415, d_wIf we note that 0 is assigned in addition to [r], we can see that d satisfies Equation 12.
Y [i] calculated in step 411 is
-2^w0-1≦ y [i] ≦ 2^w0-1                (Formula 18)
It is easy to see that
x [i]
-2^w0-1≦ x [i] ≦ 2^w0-1                (Formula 19)
If it is in the range, there is no problem.
If x [i] is outside the range of Expression 19, the process proceeds to Step 421 based on the determination result of Step 412. In step 421, when x [i] εB, the process goes to step 422 and x [i] is selected. That is,
x [i] ∈B (Equation 20)
Meet. u [i] is assigned either x [i] or y [i], and d other than 0_w[r] is assigned u [i].
Therefore, Equation 13 is satisfied.
[0112]
U [i] calculated in the process performed by the encoding unit 302 is all odd except for i = 0. The reason is as follows. In step 411, if d ′ [i] is an odd number, x [i], y [i] are an odd number. Therefore, when d ′ [i] is an odd number, u [i] is an odd number. On the other hand, in step 414, d '[i + 1] = (d' [i] -u [i]) / 2^riIs calculated.
d '[i]-((d' [i] mod 2^{ri + 1}) -2^rimod 2^{ri + 1} = 2^ri     (Formula 21)
Therefore, d ′ [i + 1] is an odd number. Therefore, except for i = 0, u [i] are all odd numbers.
[0113]
In order to make u [0] odd, the scalar value d may be an odd number. For this purpose, when the input scalar value d is an even number, d + 1 is re-encoded as the scalar value d ′. That is, d is converted to an odd number. Then, a scalar multiple d′ P is calculated.
d'P = (d + 1) P = dP + P (Formula 22)
Therefore, the point P is subtracted from d′ P and the value is output as the scalar multiple dP.
[0114]
When the input d is an odd number, d + 2 is encoded again as a scalar value d ′,
d'P = (d + 2) P = dP + 2P (Formula 23)
The scalar multiple dP may be obtained using In this case, there is an advantage that the processing to be performed is the same regardless of whether d is an odd number or an even number.
[0115]
The point Q output from the actual calculation unit 304 is equal to the scalar multiple dP. The reason is as follows.
[0116]
In step 613, point Q is
(d_w[c] 2^{c- (j + 1)}+ D_w[c-1] 2^{(c-1)-(j + 1)}+ ... + d_w[j + 1] 2^{(j + 1)-(j + 1)}) P
(Formula 24)
It is assumed that At this time, the point Q also indicates that the expression 24 is satisfied when the next step 613 is reached.
[0117]
Point Q is doubled at step 614 and d_wIf [j] is not 0, d in step 616_w[j] P is added. So immediately after step 616, the value of point Q is
(d_w[c] 2^cj+ D_w[c-1] 2^{(c-1) -j}+ ... + d_w[j + 1] 2^{(j + 1) -j}+ D_w[j] 2^jj) P
(Formula 25)
It becomes. Therefore d_wThe point Q satisfies Equation 25 just before step 617, including when [j] = 0. Since j is decreased by 1 in step 617, substituting j + 1 for j in equation 25 yields equation 24. That is, the next time when the step 613 is reached, the point Q satisfies the equation 24.
[0118]
d for j> c_wSince the value of [j] is 0, the value of point Q output in step 621 is
(d_w[n] 2ⁿ+ D_w[n-1] 2^n-1+ ... + d_w[0]) P (Formula 26)
be equivalent to. The scalar value input to the actual calculation unit 304 is d encoded by the encoding unit 302._w[j] so that d_w[j] satisfies Equation 12. Therefore, Q = dP.
[0119]
The memory usage in the scalar multiplication is determined by the size of the pre-calculation table of the pre-calculation unit 303. In the above scalar multiplication method, the pre-calculation table is
P, 3P, ..., (2^w0-1-1) P and b_jIt consists of P, j = 1, ..., m. That is, the number of points to store is (2^w0-2+ M). Positive integer w₀Is fixed and the window width w is moved, the integer m is 0 to 2^w0-2Can take values up to. Therefore, the number of points to be stored can be set to an arbitrary value by appropriately selecting the window width w. On the other hand, in the method of Non-Patent Document 2, the number of points to be stored in the pre-calculation table can only be selected as 1, 2, 4, 8,. Therefore, the scalar multiplication calculation method has a wider selection range of the number of points stored in the previous calculation table than the method of Non-Patent Document 2, and the processing speed and memory usage can be customized.
[0120]
The scalar multiplication method is also effective for a defense method against side channel attacks. The reason is as follows.
[0121]
The encoding unit 302 converts the scalar value d into a numeric string d._wEncoded to [j]. This numeric column d_w[j] is the pattern
| 0 ... 0x | 0 ... 0x | ... | 0 ... 0x | (Equation 27)
It has. Here, each x is a non-zero value and corresponds to u [i]. Where 0 ... 0 is r_iPieces, ie w₀-1 or w₀-Two consecutive. When the real calculation unit 304 calculates a scalar multiple, in the iterative processing of steps 613-617, the elliptic curve operation corresponding to the block of | 0 ... 0x | is | D ... DA |, that is, w₀Times or w₀-1 after D However, D represents ECDBL, and A represents ECADD. R_iIs the probability P_wIn w₀And probability 1-P_wIn w₀+1.
Because | x [i] | <2^w0-1In step 413, the probability P_wAt r_i= w₀, Probability 1-P_wAt r_i= w₀+1.
| X [i] | ≧ 2^w0-1Then the probability that x [i] ∈B is
(Number of elements in B) / (2^w0-1≦ | k | <2^w0(Number of odd-numbered k)₁So P_wIt becomes. in this case,
r when x [i] ∈B_i= w₀Otherwise, r_i= w₀-1. Therefore, in either case, r_iIs the probability P_wIn w₀And probability 1-P_wIn w₀-1. Probability P_wIs public information₁Rely on only, not on confidential information. As a result, for all scalar values, the elliptic curve operation to perform is
| D ... DA | D ... DA | ... | D ... DA | (Equation 28)
And the number of consecutive D's is r_iBut this value is public information w₁It depends only on, and not on confidential information. In particular, information relating to the scalar value d cannot be derived from only the expression 28.
[0122]
Note that the scalar multiplication calculation may be performed using the randomized projection coordinates of Non-Patent Document 1. Then, even if the same point P is input, it is converted into a different value every time execution is performed, and the scalar multiplication is performed, so that the attacker cannot predict the intermediate value.
[0123]
Alternatively, each time a point stored in the precalculation table is read, it may be randomized again and written to the precalculation table. In this case, since the same data is not reused, the resistance to side channel attacks is further increased.
[0124]
Further, the pre-calculation table referred to during the calculation may be recreated once or more during one scalar multiplication calculation. By doing so, the values quoted from the table will be changed more frequently, further increasing resistance to side channel attacks.
[0125]
Further, the same pre-calculation table may be reused in any number of scalar multiplication calculations. By doing so, the time required for the process for creating the pre-calculation table can be reduced, so that the calculation time can be shortened.
[0126]
In addition, for each scalar multiplication, the size of the pre-calculation table may be changed according to the situation such as the required calculation speed and the priority of other applications used at the same time.
[0127]
More specifically, the available work area may be examined, a pre-calculation table size corresponding to the work area may be selected, and the scalar multiplication may be calculated. By doing so, customization according to an individual situation can be performed more delicately.
[0128]
Alternatively, in order to preferentially allocate a work area to processing of modules other than scalar multiplication, the size of the pre-calculation table may be reduced to perform scalar multiplication calculation.
[0129]
Alternatively, in order to perform the scalar multiplication at high speed, the size of the pre-calculation table may be increased and the scalar multiplication may be performed.
[0130]
As described above, the above calculation method does not give useful information for the side channel attack, and is resistant to the side channel attack. In addition, since the selection range of the number of points to be stored in the pre-calculation table is wide, the processing speed and memory usage can be customized.
[0131]
In the first calculation method, the Weierstrass-type elliptic curve was used as the elliptic curve, but the elliptic curve defined on the characteristic 2 finite field or the ellipse defined on the OEF (Optimal Extension Field) A curve or a Montgomery-type elliptic curve may be used. About OEF
Non-Patent Document 5: D.V.Bailey, C. Paar, Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms, Advances in Cryptology Crypto '98, LNCS 1462, (1998), 472-485.
It is described in.
[0132]
In the second embodiment, the functional block of the scalar multiplication calculator shown in FIG. 7 is used. The scalar multiplication calculation unit 115 (135 in FIG. 1) includes a pre-calculation unit 703 and an actual calculation unit 704. The pre-calculation unit 703 includes an addition unit 331, a doubling unit 332, a repetition determination unit 333, and an index set generation unit 734. The actual calculation unit 304 includes an addition unit 342, a doubling unit 343, a repetition determination unit 344, a scalar value expression conversion unit 745, and a window width selection unit 746.
[0133]
A second calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. The second calculation method is characterized in that a scalar multiple is calculated without encoding the scalar value d into a numerical string.
[0134]
When the scalar multiplication calculation unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the pre-calculation unit 703 generates an index set B, and the input point P and index on the elliptic curve Create a pre-calculation table using set B. The pre-calculation table is
P, 3P, ..., (2^w0-1-1) P and b_jIt is the same as the first calculation method that P, j = 1,. Index set B is
B = {± b₁, ± b₂, ..., ± b_m} And m different b₁, b₂, ..., b_mIs
{2^w0-1+1,2^w0-1+3, ..., 2^w0-1} is selected in the same manner as in the first calculation method.
[0135]
The actual calculation unit 304 calculates a scalar multiple dP from the input scalar value d and the point P on the elliptic curve using the index set and the pre-calculation table.
[0136]
Next, each process performed by the pre-calculation unit 703 and the actual calculation unit 704 will be described in detail.
[0137]
First, a method in which the pre-calculation unit 703 creates a pre-calculation table and an index set B from points on an elliptic curve will be described using FIG.
[0138]
The point P is doubled by ECDBL, and the result is stored in 2P (801).
[0139]
The initial value 1 is assigned to the variable j (802).
[0140]
J is 2 by the repeat determination unit 733^w0-1Determine if less than. j is 2^w0-1If it is smaller, go to Step 804. j is 2^w0-1In the above case, go to Step 811 (803).
[0141]
J is 2 in step 803^w0-1If less than
The points jP and 2P are added by ECADD, and the result is stored in (j + 2) P (804).
[0142]
The variable j is incremented by 2 and the process returns to step 803 (805).
[0143]
J is 2 in step 803^w0-1If this is the case,
Dot (2^w0-1-1) Add P and point P by ECADD, and add 2^w0-1Store in P (811).
[0144]
An empty set is assigned as an initial value to index set B, and 1 is assigned to variable j (812).
[0145]
The repeat determination unit 733 determines whether j is less than or equal to m. If j is less than or equal to m, go to step 814. If j is greater than m, go to step 821 (813).
[0146]
If j is less than or equal to m in step 813,
The index set generation unit 734 uses {2^w0-1+1,2^w0-1+3, ..., 2^w0-1} than the range b_jIs randomly selected (814).
[0147]
By the index set generation unit 734, b_jIs already included as an element of B. B_jIf is included as an element of B, return to step 814, b_jIf is not included as an element of B, go to step 816 (815).
[0148]
Point 2^w0-1P and dot (b_j-2^w0-1) P is added by ECADD and the result is b_jStore in P (816).
[0149]
The index set generation unit 734 sets the index set B to b_jIs added as an element (817).
[0150]
The variable j is incremented by 1, and the process returns to Step 813 (818).
[0151]
If j is greater than m in step 813,
P, 3P, ..., (2^w0-1-1) P and b_jP, j = 1, ..., m are output as a pre-calculation table. The index set B is output (821).
[0152]
Also, the points P, 3P, ..., (2^w-1) Store only P as pre-calculation table,
Dots -P, -3P, ...,-(2^w-1) As in the first calculation method, it is not necessary to store P in the previous calculation table.
[0153]
Note that the points -P, -3P, ...,-(2^w-1) P and -b_jSimilarly to the first calculation method, in order to omit the derivation of P, j = 1, ..., m, only the y-coordinate values of those points may be stored in the pre-calculation table. .
[0154]
When the point P is a fixed point, in the process of creating the pre-calculation table performed by the pre-calculation unit 303,
Point P, 3P, ..., (2^w0-1-1) Similar to the first calculation method, the calculation of P, that is, the processing from step 801 to step 811 only needs to be performed once.
[0155]
The pre-calculation table creation process performed by the pre-calculation unit 703 is as follows.
Point P, 3P, ..., (2^w-1) P may be calculated. Therefore, as in the first calculation method, the speed can be increased by using Montgomery trick to share the calculation of the inverse element calculation necessary for the elliptic curve calculation.
[0156]
Next, using Fig. 9 and Fig. 10, the actual calculation unit 704 calculates the scalar multiple in the elliptic curve from the scalar value d and the point P on the elliptic curve using the index set B and the previous calculation table. How to do it.
[0157]
The point at infinity is assigned to the point Q (901).
[0158]
The scalar value expression conversion unit 745 converts the scalar value d into d ~ expressed by 1, -1 (902). That is, d ~ is equal to d as an integer, and
d ~ = d_n-1~ 2^n-1+ D_n-2~ 2^n-2+ ... + d₀~, d_i~ = 1 or -1 (Formula 29)
It is expressed. To achieve this transformation, the scalar value d is
d = d_n-12^n-1+ D_n-22^n-2+ ... + d₀, d_i= 0 or 1 (Equation 30)
When
d_n-1~ = 1 (Formula 31)
d_i~ = 1 if d_{i + 1} = 1 for i = 0, ..., n-2 (Formula 32)
d_i~ = -1 if d_{i + 1} = 0 for i = 0, ..., n-2 (Formula 33)
When converted by the following equation 29 is satisfied. Note that d can be converted only when d is an odd number.
[0159]
An initial value n is substituted for variable i (903).
[0160]
The repeat determination unit 733 determines that i is w₀Determine if greater than -1. i is w₀If it is larger than -1, go to step 911. w₀If it is less than -1, go to Step 1001 (904).
[0161]
I in step 904₀If greater than -1,
The window width selector 746 sets the integer MSB to the variable x._w0(d ~) is stored (911). However, MSB_w0(d ~) is the top w of d ~₀Represents a numeric value composed of bits.
[0162]
The window width selection unit 746 stores 1 in b when the value of the variable x is included as an element of the index set B. Otherwise, 0 is stored in b (912).
[0163]
The window width selection unit 746 has a probability P_wStores 1 in p with probability 1-P_wThen p is stored (913).
[0164]
The window width selection unit 746 sets the variable u to
1- | MSB₂(d ~) / 2 | is stored (914).
[0165]
The window width selection unit 746 sets the variable r to
w₀−1 + ((u∧p) ∨ ((1-u) ∧b)) is substituted (915).
[0166]
Substitute 1 for variable j (916).
[0167]
The point Q is doubled by ECDBL and stored again at the point Q (917).
[0168]
The repetition determination unit 733 determines whether j is greater than or equal to r. If j is greater than or equal to r, go to step 921. If it is smaller than r, go to step 919 (918).
[0169]
If j is greater than or equal to r in step 918, the variable j is incremented by 1, and the process returns to step 917 (919).
[0170]
If j is less than r in step 918, point Q and MSB_r(d ~) P and ECADD are added. However, MSB_rIf (d ~) is negative (-MSB_r(d ~)) Addition is performed using the inverted y coordinate of P. The result is stored at point Q. (921).
[0171]
The variable i is decreased by r, and the process returns to step 904 (922).
[0172]
I in step 904₀-1 or less,
The repetition determination unit 733 determines whether i is 0 or less. If i is 0 or less, go to Step 1007. If i is larger than 0, go to step 1002 (1001).
[0173]
If i is greater than 0 in step 1001,
Assign 1 to variable j (1002).
[0174]
The point Q is doubled by ECDBL and stored again at the point Q (1003).
[0175]
The repetition determination unit 733 determines whether j is i or more. If j is greater than or equal to i, go to step 1006. If it is smaller than i, go to Step 1005 (1005).
[0176]
If j is less than i in step 1004,
The variable j is incremented by 1, and the process returns to step 1003 (1005).
[0177]
If j is greater than or equal to i in step 1004, the points Q and d to P are added by ECADD. However, when d˜ is negative, addition is performed using the inverted y coordinate of (−d˜) P. The result is stored at point Q. (1006).
[0178]
The point Q is output (1007).
[0179]
The scalar multiple output by the processing performed by the actual calculation unit 704 matches dP. The reason is as follows.
In the loop from step 904 to step 922, the value of r in the k-th loop is set to r_kfar.
In step 901, the point at infinity is assigned to the point Q on the elliptic curve.
After the end of the first loop
Q = r₁P (Formula 34)
It becomes. After the end of the second loop
Q = (r₁2^r2+ R₂) P (Formula 35)
It becomes. Similarly, after the kth loop is completed,
Q = ((... (r₁2^r2+ R₂) 2^r3+ ... + r_k-1) 2^rk+ R_k) P (Formula 36)
It becomes. If it is noted that the processing from step 1002 to step 1006 is the same, it can be seen that the point Q in step 1007 satisfies Q = d˜P. Since d = d˜ as a numerical value, Q = dP.
[0180]
Point MSB used in ellipse addition in step 921 of the actual calculation unit 704_rFor (d ~) P, MSB_r(d ~) P or (-MSB_r(d ~)) P is always present in the previous calculation table. The reason is as follows. First,
MSB_r(d ~) mod 2 = 1, MSB_r(d ~) is an odd number. In step 915, set variable r to w₀-1, w₀One of the values is substituted. r = w₀If -1, the pre-calculation table is
P, 3P, ..., (2^w0-1-1) MSB because it contains P_r(d ~) P or (-MSB_r(d ~)) P is always present in the previous calculation table. Then r = w₀Consider the case. r = w₀To be (u∧p) = 1, or
((1-u) ∧b) = 1. When (u∧p) = 1, since u = 1, the sign of the most significant bit of d˜ and the sign of the second most significant bit are different. for that reason
-2^w0-1≦ MSB_w0(d ~) ≦ 2^w0-1              (Formula 37)
MSB_r(d ~) P or (-MSB_rAny of (d ~)) P exists in the previous calculation table.
((1-u) ∧b) = 1, b = 1, so MSB_w0(d ~) is an element of the index set B. Therefore, MSB_r(d ~) P or (-MSB_rAny of (d ~)) P exists in the previous calculation table. As a result, in either case, the MSB_r(d ~) P or (-MSB_r(d ~)) P is always present in the previous calculation table.
[0181]
In order to convert d to d˜, the scalar value d needs to be an odd number. For this purpose, when the input scalar value d is an even number, d + 1 is re-encoded as the scalar value d ′. That is, d is converted to an odd number. Then, a scalar multiple d′ P is calculated.
d'P = (d + 1) P = dP + P (Formula 38)
Therefore, the point P is subtracted from d′ P and the value is output as the scalar multiple dP.
[0182]
When the input d is an odd number, d + 2 is encoded again as a scalar value d ′,
d'P = (d + 2) P = dP + 2P (Formula 39)
The scalar multiple dP may be obtained using In this case, there is an advantage that the processing to be performed is the same regardless of whether d is an odd number or an even number.
[0183]
The memory usage in the scalar multiplication is determined by the size of the pre-calculation table of the pre-calculation unit 703. In the above scalar multiplication method, the pre-calculation table is
P, 3P, ..., (2^w0-1-1) P and b_jP, j = 1, ..., m, and the number of points to store is (2^w0-2+ M). Positive integer w₀Is fixed and the window width w is moved, the integer m is 0 to 2^w0-2Can take values up to. Therefore, the number of points to be stored can be set to an arbitrary value by appropriately selecting the window width w. On the other hand, in the conventional method disclosed in Non-Patent Document 2, the number of points to be stored in the pre-calculation table can only be selected as 1, 2, 4, 8,. Therefore, the scalar multiplication calculation method has a wider selection range of the number of points stored in the previous calculation table than the method of Non-Patent Document 2, and can be customized in consideration of high-speed processing performance and memory capacity.
[0184]
The scalar multiplication method is also effective for a defense method against side channel attacks. The reason is as follows.
[0185]
When the actual calculation unit 704 calculates a scalar multiple, the elliptic curve calculation executed in the repetitive processing of steps 904-921 is | D... DA | per loop. Ie w₀Times or w₀-1 after D However, D represents ECDBL, and A represents ECADD. R is the probability P_wIn w₀And probability 1-P_wIn w₀+1.
[0186]
For this reason, first consider the case of u = 1. The variable p is a probability P in step 913._wP = 1, probability 1-P_wP = 0 is assigned. Therefore, the probability P_wAt r = w₀, Probability 1-P_wAt r = w₀-1.
[0187]
Next, consider the case of u = 0. The variable b is assigned b = 1 when x is an element of B in the step and b = 0 when x is not an element of B.
| x | ≧ 2^w0-1Then the probability of x∈B is
(Number of elements in B) / (2^w0-1≦ | k | <2^w0(Number of odd-numbered k)₁So P_wIt becomes. Variable u in step 914
u = 1- | MSB₂(d ~) / 2 | is assigned. That is, u = 0 is | x | ≧ 2^w0-1Is equivalent to Therefore, if u = 0, the probability P_wAt r = w₀, Probability 1-P_wAt r = w₀-1.
[0188]
Thus, in any case, r is the probability P_wIn w₀And probability 1-P_wIn w₀-1. Probability P_wIs public information₁Rely on only, not on confidential information. As a result, for all scalar values, the elliptic curve operation to perform is
| D ... DA | D ... DA | ... | D ... DA | (Equation 40)
And the number of consecutive D's is w₀Or w₀-1, but which value is selected is public information w₁It depends only on, and not on confidential information. In particular, information relating to the scalar value d cannot be extracted from the expression 35 alone.
[0189]
Note that, in the second calculation method, similarly to the first calculation method, the scalar multiplication calculation may be performed using the randomized projection coordinates of Non-Patent Document 1 together. Then, even if the same point P is input, it is converted into a different value every time execution is performed, and the scalar multiplication is performed, so that the attacker cannot predict the intermediate value.
[0190]
Similarly to the first calculation method, each time a point stored in the previous calculation table is read, it may be randomized again and written to the previous calculation table. In this case, since the same data is not reused, the resistance to side channel attacks is further increased.
[0191]
As described above, the second calculation method is resistant to side channel attacks because it does not provide useful information for side channel attacks. In addition, since the selection range of the number of points to be stored in the pre-calculation table is wide, the processing speed and memory usage can be customized.
[0192]
In the second calculation method, the Weierstrass-type elliptic curve was used as the elliptic curve, but the elliptic curve defined on the characteristic 2 finite field or the ellipse defined on the OEF (Optimal Extension Field) A curve or a Montgomery-type elliptic curve may be used. OEF is described in Non-Patent Document 5.
[0193]
The operation of the scalar multiplication calculation unit 135 when the computer B121 decrypts the encrypted data 141 has been described above, but the same applies to the case where the computer A101 encrypts the input message.
[0194]
In that case, the scalar multiplication calculation unit 115 of the computer A101 outputs the already-explained point Q on the elliptic curve, the scalar multiplication point kQ by the random number k, and the scalar multiplication point k (aQ) by the public key aQ and the random number k. To do. At this time, the scalar value d described in the above calculation method is a random number k, the point P on the elliptic curve is the point Q on the elliptic curve, and the same processing is performed to obtain the respective scalar multiples. Can do.
[0195]
Next, an embodiment in which the present invention is applied to a signature verification system will be described with reference to FIG. 11 and FIG.
[0196]
The signature verification system in FIG. 11 includes a smart card 1101 and a computer 1121 that performs signature verification processing.
[0197]
The smart card 1101 has a configuration similar to that of the computer A101 of FIG. 1, and an arithmetic device such as the CPU 113 and the coprocessor 114 executes a program stored in the storage unit 102, thereby not the data processing unit 112, A signature generation processing unit 1112 is realized. However, the external storage device 107, the display 108, and the keyboard 109 shown in FIG.
[0198]
The computer 1121 has the same configuration as the computer A101, and the signature verification processing unit 1132 is realized instead of the data processing unit 112 when the CPU 113 executes the program.
[0199]
The scalar multiplication calculators 1115 and 1135 have the same functions as the scalar multiplication calculator 115 or 135 shown in FIG.
[0200]
In the present embodiment, each program in the computer 1121 may be stored in advance in a storage unit in the computer, or may be stored in another device via a medium that can be used by the computer 1121 when necessary. To the storage unit.
[0201]
Furthermore, each program in the smart card 1101 may be stored in advance in the storage unit in the smart card 1101, or when necessary, a computer connected via the input / output interface or used by the computer. The storage unit may be introduced via a possible medium.
[0202]
The medium refers to, for example, a storage medium removable from the computer or a communication medium (that is, a network or a carrier wave propagating through the network).
[0203]
A signature creation and signature verification operation in the signature verification system of FIG. 11 will be described with reference to FIG.
[0204]
The computer 1121 transfers the randomly selected numerical value as the challenge code 1143 to the smart card 1101 via the interface 1142.
[0205]
The signature generation processing unit 1112 (112 in FIG. 2) receives the challenge code 1143, takes a hash value of the challenge code 1143, and converts it into a numerical value f having a predetermined bit length.
[0206]
The signature generation processing unit 1112 generates a random number u, and reads out from the constant 1104 stored in the storage unit 1102 (102 in FIG. 2) (205 in FIG. 2) together with the fixed point Q on the elliptic curve, the scalar multiplication calculation unit 1115 (115 in FIG. 2) (206 in FIG. 2).
[0207]
The scalar multiplication calculator 1115 is a scalar multiple (x_u, y_u) And sends the calculated scalar multiple to the signature generation processing unit 1112 (207 in FIG. 2).
[0208]
The signature generation processing unit 1112 generates a signature using the sent scalar multiple. For example, if it is an ECDSA signature,
s = x_u mod q (Formula 41)
t = u^-1(f + ds) mod q (Formula 42)
To obtain a signature (s, t) corresponding to the challenge code 1143 (208 in FIG. 2).
[0209]
Where q is the order of the fixed point Q, that is, the q-fold point qQ of the fixed point Q is the infinity point, and the m-fold point mQ of the fixed point Q for a numerical value m smaller than q is not the infinity point. It is a numerical value.
[0210]
For ECDSA signatures, for example:
Non-Patent Document 6: ANSI X9.62 Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), (1998)
It is described in.
[0211]
The smart card 1101 outputs the signature 1141 created by the signature generation processing unit 1112 from the input / output interface 1110 and transfers it to the computer 1121 via the interface 1142.
[0212]
When the signature 1141 is input (204 in FIG. 2), the signature verification processing unit 1132 (112 in FIG. 2) of the computer 1121 has the numerical values s and t of the signature 1141 within an appropriate range, that is, 1 ≦ s, t <q Find out if it is.
[0213]
If the numerical values s and t are not within the above range, “invalid” is output as the signature verification result for the challenge code 1143, and the smart card 1101 is rejected. If the numerical values s and t are within the above range, the signature verification processing unit 1132
h = t^-1 mod q (Formula 43)
h₁ = fh mod q (Formula 44)
h₂ = sh mod q (Formula 45)
Calculate Then, the public key aQ and fixed point Q calculated from the constant 1124 stored in the storage unit 1122 (102 in FIG. 2) (205 in FIG. 2) are calculated.₁, h₂To the scalar multiplication unit 1135 (115 in FIG. 2) (206 in FIG. 2).
[0214]
The scalar multiplication unit 1135 calculates the fixed points Q and h₁By scalar multiple h₁Q and public keys aQ and h₂By scalar multiple h₂aQ is calculated, and the calculated scalar multiple is sent to the signature verification processing unit 1132 (207 in FIG. 2).
[0215]
The signature verification processing unit 1132 performs signature verification processing using the sent scalar multiple. For example, for ECDSA signature verification, point R
R = h₁Q + h₂aQ (Formula 46)
And its x coordinate is x_RWhen
s' = x_R mod q (Formula 47)
If s ′ = s, “valid” is output as the signature verification result for the challenge code 1143, and the smart card 1101 is authenticated and accepted (208 in FIG. 2).
[0216]
If s ′ = s, “invalid” is output and the smart card is rejected (208 in FIG. 2).
[0217]
Since the scalar multiplication calculators 1115 and 1135 of the above embodiment have the same functions as the scalar multiplication calculator 115 or 135 of FIG. 1, side channel attacks can be prevented, and the processing speed and memory usage can be customized. A scalar multiplication calculation can be performed.
[0218]
Therefore, when the smart card 1101 performs a signature creation process, the computer 1121 can prevent a side channel attack when performing a signature verification process, and in addition, the processing speed and memory usage can be customized.
[0219]
Next, an embodiment in which the present invention is applied to a key exchange system will be described. In the present embodiment, the system configuration of FIG. 1 can be applied.
[0220]
The data processing units 112 and 132 in FIG. 1 function as the key exchange processing units 112 and 132, respectively, in this embodiment.
[0221]
The operation when the computer A101 of the key exchange system derives the shared information from the input data 143 will be described with reference to FIGS.
[0222]
The data processing unit 132 (112 in FIG. 2) of the computer B121 reads the secret key b from the constant 125 of the storage unit 122 (102 in FIG. 2) and calculates the public key bQ of the computer B121. Then, the public key bQ is transferred as data 143 to the computer A101 via the network 142.
[0223]
When the key exchange processing unit 112 (112 in FIG. 2) of the computer A101 receives the input of the public key bQ of the computer B121 (204 in FIG. 2), the key exchange processing unit 112 reads it from the storage unit 102 (FIG. 2). 205) The secret key a of the computer A101, which is the secret information 105, and the public key bQ of the computer B121 are sent to the scalar multiplication unit 115 (206 in FIG. 2).
[0224]
The scalar multiplication calculator 115 calculates a scalar multiple abQ based on the secret key a and the public key bQ, and sends the calculated scalar multiple to the key exchange processing unit 112 (207 in FIG. 2).
[0225]
The key exchange processing unit 112 derives shared information using the sent scalar multiple, and stores it as the secret information 105 in the storage unit 102. For example, the x coordinate of the scalar multiple point abQ is used as shared information.
[0226]
Next, an operation when the computer 121 derives shared information from the input data 141 will be described.
[0227]
The data processing unit 112 of the computer A101 reads the secret key a from the constant 105 of the storage unit 102 and calculates the public key aQ of the computer A101. Then, the public key aQ is transferred as data 141 to the computer B 121 via the network 142.
[0228]
When the key exchange processing unit 132 (112 in FIG. 2) of the computer B121 accepts the input of the public key aQ of the computer A101 (204 in FIG. 2), the key exchange processing unit 132 stores in the storage unit 122 (102 in FIG. 2). The private key b of the computer B121 and the public key aQ of the computer A101, which are the secret information 125, read from the constant 125 (205 in FIG. 2) are sent to the scalar multiplication unit 135 (115 in FIG. 2) (206 in FIG. 2). ).
[0229]
The scalar multiplication calculation unit 135 calculates a scalar multiplication point baQ using the secret key b and the public key aQ, and sends the calculated scalar multiplication point to the key exchange processing unit 132 (207 in FIG. 2).
[0230]
The key exchange processing unit 132 derives shared information using the sent scalar multiple and stores it as the secret information 125 in the storage unit 122. For example, the x coordinate of the scalar multiple baQ is used as shared information.
[0231]
Here, since the number ab and the number ba are the same as numerical values, the point abQ and the point baQ are the same point, and the same information is derived.
[0232]
A point aQ and a point bQ are transmitted to the network 142. To calculate the point abQ (or point baQ), the secret key a or the secret key b must be used. That is, the shared information cannot be obtained without knowing the secret key a or the secret key b. The shared information obtained in this way can be used as a secret key for common key cryptography.
[0233]
Also in the present embodiment, the scalar multiplication calculators 115 and 135 have the above-described features, so that a key exchange process that can prevent a side channel attack and customize the processing speed and the memory usage is also possible. It becomes possible.
[0234]
In addition, the encryption processing unit, the decryption processing unit, the signature creation unit, the signature verification unit, and the key exchange processing unit in each of the above embodiments may be performed using dedicated hardware. Further, the scalar multiplication calculation unit may be realized by a coprocessor or other dedicated hardware.
[0235]
Further, the data processing unit may be configured to perform any one or more of the encryption process, the decryption process, the signature creation process, the signature verification process, and the key exchange process.
[0236]
【The invention's effect】
According to the present invention, it is possible to perform message processing using elliptic curve calculation which is safe against side channel attacks and can customize processing speed and memory usage.
[Brief description of the drawings]
FIG. 1 is a system configuration diagram according to an embodiment.
FIG. 2 is a sequence diagram showing information delivery in each embodiment.
FIG. 3 is a configuration diagram of a scalar multiplication calculator in the first embodiment.
FIG. 4 is a flowchart showing an encoding method performed by an encoding unit in the first embodiment.
FIG. 5 is a flowchart showing a pre-calculation method performed by a pre-calculation unit in the first embodiment.
FIG. 6 is a flowchart showing an actual calculation method performed by an actual calculation unit in the first embodiment.
FIG. 7 is a configuration diagram of a scalar multiplication calculator in the second embodiment.
FIG. 8 is a flowchart showing a pre-calculation method performed by a pre-calculation unit in the second embodiment.
FIG. 9 is a flowchart showing an actual calculation method performed by an actual calculation unit in the second embodiment.
FIG. 10 is a flowchart showing an actual calculation method performed by an actual calculation unit in the second embodiment.
FIG. 11 is a configuration diagram of a signature verification system in the embodiment.
[Explanation of symbols]
101, 121, 1121: Computer, 1101: Smart card, 102, 122, 1102, 1122: Storage unit, 111, 131, 1111, 1131: Processing unit, 115, 135, 1115, 1135: Scalar multiplication calculation unit, 112, 132: Data processing unit, 1112: Signature generation processing unit, 1132: Signature verification processing unit, 104, 124, 1104, 1124: Constant, 105, 125, 1105, 1125: Confidential information, 110, 130, 1110, 1130: On Output interface, 108, 128, 1128: Display, 109, 129, 1129: Keyboard, 142: Network, 1142: Interface, 141, 143: Data, 302: Encoding unit, 303: Precalculation unit, 304: Actual calculation unit, 321: Remainder acquisition unit, 322: Index set generation unit, 323: Remainder selection unit, 324: Repetition determination unit, 325: Storage unit, 331: Adder, 332: Double multiplication unit, 333: Repetition determination unit, 341: Bit value determination unit, 342: addition unit, 343: doubling unit, 344: repetition determination unit, 703: previous calculation unit, 704: actual calculation unit 731: Addition unit, 732: Double calculation unit, 733: Repeat determination unit, 734: Index set generation unit, 742: Addition unit, 743: Double calculation unit, 744: Repeat determination unit, 745: Scalar value expression conversion unit 746: Window width selection part.

Claims (8)

A scalar multiplication device for calculating a scalar multiple from a point on an elliptic curve used for elliptic curve cryptography and a given scalar value,
An encoding unit for encoding the scalar value into a numeric string;
A pre-calculation unit that creates a pre-calculation table from points on the elliptic curve;
An actual calculation unit for calculating the scalar multiple from the encoded numeric sequence and the pre-calculation table;
Comprising
The encoding unit is
A predetermined number m (m = w ₁ 2 ^w0-2 , w ₀ is a positive integer, w ₁ = w- (w ₀ -1), and w is a predetermined positive rational number. Ri figures there) Tona, and ^{{2 w0-1 +1,2 w0-1 + 3,} ..., 2 w0 -1} index set generation unit that generates an index set comprising a number randomly selected from,
A first numerical value from the scalar value (the first numerical value is a value obtained by subtracting 2 ^w0 from the remainder of the scalar value by 2 ^{w0 + 1} ) and a second numerical value (the second numerical value is the A numerical value acquisition unit that generates a value obtained by subtracting 2 ^w0-1 from the remainder of the scalar value 2 ^w0 ,
If the size of the first numerical value is smaller than 2 ^w0-1 which is a predetermined size , select either the first numerical value or the second numerical value with a predetermined probability, The first numerical value is a case where the predetermined value is 2 ^w0-1 or more, and any one of the numerical values generated by the index set generation unit and the first numerical value is If they match, the first numerical value is selected, the size of the first numerical value is 2 ^w0-1 or more which is the predetermined size , and the index set generation unit If any of the generated numerical values does not match the first numerical value, a numerical value selection unit that selects the second numerical value ,
The pre-calculation unit creates the pre-calculation table using the numerical values constituting the index set,
The encoding unit generates the first numerical value and the second numerical value in the numerical value acquisition unit when the scalar value is encoded into the numerical value sequence, and the first numerical value in the numerical value selection unit. The process of selecting the numeric value of the second or the second numeric value, and the process of encoding the scalar value into the numeric string,
The encoding unit substitutes the numerical value selected by the numerical value selection unit for u [i] in the process for encoding the scalar value into the numerical value sequence using the selected numerical value, and { 0, 0, ..., 0, u [i]} is converted to a numeric string {dw [r + r _i -1], dw [r + r _i -2], ..., dw [r + 1], dw [r] } (r is a variable, r _i is w ₀ when u [i] is the first numerical value , and r _i is w ₀ −1 when u [i] is the second numerical value . i is a variable that increases by 1 each time the process is repeated)
The scalar multiplication apparatus according to claim 1, wherein the encoding unit outputs a numerical sequence obtained by repeating the processes to the actual calculation unit . A scalar multiplication unit according to claim 1 Symbol placement,
The pre-calculation unit creates a pre-calculation table using a randomized numerical value every time the pre-calculation table is read out . The scalar multiplication apparatus according to claim 1 , wherein
The pre-calculation unit re-creates a pre-calculation table to be referred to at least once during one scalar multiplication calculation. The scalar multiplication apparatus according to claim 1 , wherein
The scalar set calculation unit, wherein the index set generation unit determines the number of numerical values constituting the index set based on a window width set from the outside . The scalar multiplication apparatus according to claim 1 , wherein
As an elliptic curve, one of a Weierstrass type elliptic curve, a Montgomery type elliptic curve, an elliptic curve defined on a finite field of characteristic 2 and an elliptic curve defined on the OEF is used. A scalar multiplication calculator. A data generation device having a data conversion unit that generates second data from first data, and a scalar multiplication calculation unit that is requested by the data conversion unit to calculate a scalar multiplication,
The scalar multiplication unit calculates a scalar multiplication using the scalar multiplication apparatus according to claim 1.
A data generation apparatus characterized by that . A signature creation device having a signature unit that generates signature data from data, and a scalar multiplication calculation unit that is requested by the signature unit and calculates a scalar multiplication,
The scalar multiplication unit calculates a scalar multiplication using the scalar multiplication apparatus according to claim 1.
A signature creation device . A decryption device comprising: a decryption unit that generates decrypted data from encrypted data; and a scalar multiplication calculation unit that is requested by the decryption unit to calculate a scalar multiplication,
The scalar multiplication unit calculates a scalar multiplication using the scalar multiplication apparatus according to claim 1.
A decoding device characterized by the above .

Images