JP4783061B2 - Scalar multiplication unit for elliptic curve cryptography - Google Patents

Description

  The present invention relates to a security technique, and more particularly to a message processing technique using an elliptic curve calculation.

  Elliptic curve cryptography is a kind of public key cryptography proposed by N. Koblitz, V. S. Miller. Public key cryptography includes information that can be opened to the public called a public key and secret information that must be kept secret called a private key. A public key is used for encrypting a given message and verifying a signature, and a secret key is used for decrypting a given message and generating a signature.

  The secret key in elliptic curve cryptography is a scalar value. The security of elliptic curve cryptography is derived from the difficulty of solving the discrete logarithm problem on the elliptic curve. The discrete logarithm problem on an elliptic curve is a problem of obtaining a scalar value d when a certain point P on the elliptic curve and a point dP that is a scalar multiple thereof are given. A point on the elliptic curve is a set of numbers that satisfy the definition equation of the elliptic curve. The entire point on the elliptic curve is calculated based on a virtual point called an infinity point, that is, on the elliptic curve. Addition (or addition) is defined.

The addition on the elliptic curve by the same points is particularly called doubling on the elliptic curve. The addition of two points on the elliptic curve is calculated as follows. When a straight line passing through two points is drawn, the straight line intersects the elliptic curve at another point. The intersecting point and a point that is symmetric with respect to the x-axis are taken as points resulting from the addition. For example, in the case of a Kobritz curve, the addition (x ₃ , y ₃ ) = (x ₁ , y ₁ ) + (x ₂ , y ₂ ) of the point (x ₁ , y ₁ ) and the point (x ₂ , y ₂ ) ) Is obtained by calculating (Equation 1) to (Equation 3) below.

x ₃ = λ ² + λ + x ₁ + x ₂ + a (Formula 1)
y ₃ = (x ₁ + x ₃ ) λ + x ₃ + y ₁ (Expression 2)
λ = (y ₁ + y ₂ ) / (x ₁ + x ₂ ) (Formula 3)
Here, the definition equation of the Kobritz curve is given by the following (formula 4).

y ² + xy = x ³ + ax ² +1, (a = 0 or 1) (Formula 4)
That is, when x _i and y _i (i = 1, 2, 3) are substituted for x and y in (Equation 4), the equation of (Equation 4) holds.

The doubling of the points on the elliptic curve is calculated as follows. When a tangent line at a point on the elliptic curve is drawn, the tangent line intersects at another point on the elliptic curve. The intersecting point and a point that is symmetric with respect to the x-coordinate are taken as the result of doubling. For example, in the case of Koblitz curve, the point _(x 1, _{y 1)} of the doubling _{(x 3, y 3) =} 2 (x 1, y 1) = (x 1, y 1) + (x 1, y ₁ ) is obtained by calculating (Expression 1), (Expression 2), and (Expression 5) below.

λ = (y ₁ / x ₁ ) + x ₁ (Formula 5)
In addition, an operation called τ multiplication (tau multiplication) can be performed on points on the Kobritz curve. The τ multiplication for the point (x ₁ , y ₁ ) is to calculate the following (formula 6).

(X ₃ , y ₃ ) = τ (x ₁ , y ₁ ) = (x ₁ ² , y ₁ ² ) (Expression 6)
Further, it is known that the following (formula 7) and (formula 8) hold, and τ can be considered as a complex number satisfying the following (formula 9) due to the property of (formula 7).

(X ⁴ , x ⁴ ) +2 (x, y) = μ (x ² , y ² ) (Expression 7)
μ = (− 1) ^a (Expression 8)
τ ² + 2 = μτ (Equation 9)
Adding a certain number of times on an elliptic curve a specific number of times is called scalar multiplication, the result is called a scalar multiple, and the number of times is called a scalar value.

  The elliptic curve recommended by the standardization body in elliptic curve cryptography is a random characteristic 2 elliptic curve, a Kobritz curve, and an elliptic curve on a prime field with a large characteristic.

  While the difficulty of solving the discrete logarithm problem on an elliptic curve has been theoretically established, in an actual implementation, information related to secret information such as a secret key, such as calculation time and power consumption, is encrypted. An attack method called a side channel attack has been proposed in which there is a case of leak in processing, and secret information is restored based on the leaked information.

  Non-patent document 1 describes, for example, an elliptic curve recommended by a standardization organization for elliptic curve cryptography.

  Non-Patent Document 2 describes a side channel attack against elliptic curve cryptography.

  In elliptic curve cryptography, encryption, decryption, signature generation, and verification of a given message must be performed using elliptic curve computation. In particular, calculation of scalar multiplication on an elliptic curve is used in cryptographic processing using a scalar value that is secret information.

  Non-patent document 3 describes a side channel attack defense method against elliptic curve cryptography.

Non-patent document 4 describes a high-speed calculation method for scalar multiplication in a Kobritz curve. Further, the normal basis is described in Non-Patent Document 4, for example.
D. Johnson, A. Menezes, “The Elliptic Curve Digital Signature Algorithm (ECDSA)”, Technial Report CORR 99-34, Dept. of C & O, University of Waterloo, Canada. [Search February 1, 2005], <URL> http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-34.pdf J. Coron, Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems, Cryptographic Hardware and Embedded Systems: Proceedings of CHES'99, LNCS 1717, Springer-Verlag, (1999), pp.292-302. K.Okeya, T.Takagi, The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure against Side Channel Attacks, RSA conference cryptographer's track (CT-RSA 2003), LNCS 2612, Springer-Verlag, (2003), pp.328-343. JASolinas, “Efficient Arithmetic on Koblitz Curves”, Designs, Codes and Cryptography, 19, (2000), pp.195-249.

  With the progress of information communication networks, encryption technology for secrecy and authentication of electronic information has become an indispensable element. In addition to security, requirements imposed on cryptographic technology include processing speed and low memory usage, but generally there is a trade-off relationship between security, processing speed, and memory usage. It is difficult to meet all requirements. On the other hand, the discrete logarithm problem on the elliptic curve is very difficult, so that the key length can be made relatively short in the elliptic curve cryptosystem compared to the cipher that uses the difficulty of prime factorization as the basis of security. .

  For this reason, elliptic curve cryptography can perform cryptographic processing even when resources such as calculation capacity and memory capacity are relatively small. However, in a smart card (also referred to as an IC card) or the like, there are few resources that can be used, and it is necessary to optimize cryptographic processing within limited resources. As described in Non-Patent Document 4 and the like, in the Kobritz curve, it is known that high-speed calculation is possible by using τ multiplication for scalar multiplication of points. It is effective for.

  The technique of Non-Patent Document 3 is effective as a method for preventing a side channel attack and can be applied to a Kobritz curve, but cannot be applied in a form using τ multiplication.

  Further, although the technique of Non-Patent Document 4 is effective as a high-speed calculation method using a Kobritz curve, it does not consider the point of preventing a side channel attack.

  The present invention has been made in view of the above problems, and its object is to apply to a Kobritz curve, to prevent a side channel attack, and to have an elliptical shape with excellent memory usage and processing speed. An object of the present invention is to provide a technique for calculating a scalar multiplication in curve cryptography.

  Of the inventions disclosed in the present application, the outline of typical ones will be briefly described as follows. In order to achieve the above object, the technique for calculating the scalar multiplication in the elliptic curve cryptography of the present invention comprises the following technical means.

  The scalar multiplication method of the present invention is an elliptic curve having an addition on the elliptic curve (first calculation) and a second calculation different from the addition, and the scalar multiplication from the scalar value and the point on the elliptic curve. A method of calculating a scalar multiplication in elliptic curve cryptography for calculating a point, wherein the scalar value is independent of the scalar value from the point on the elliptic curve by using a computer resource to encode the scalar value into a numerical sequence. A step of creating a pre-calculation table (information in which a value calculated in advance for use in a subsequent calculation) is stored, and from the encoded result numeric string and the pre-calculation table, the elliptic curve By performing the above addition and the second operation in a fixed order independent of the scalar value, a process including the step of calculating the scalar multiple is performed.

In the scalar multiplication method of the present invention, the encoding step includes a step of calculating a value of a Ψ function in the scalar value, and the Ψ function is calculated with respect to the scalar value d = x _R + x _T τ. , Ψ _w (d) = (x _R + x _T * t _{w + 1} mod 2 ^{w + 1} ) −2 ^w . Here, w is a positive integer called a window width, x _R and x _T are integers, and t _{w + 1} is an integer determined by w when the operation τ on the Kobritz curve is regarded as a complex number. Details of these symbols are also described in Non-Patent Document 4.

  Further, another scalar multiplication method of the present invention is a method of calculating a scalar multiple from a scalar value and a point on an elliptic curve in an elliptic curve calculation, and uses a computer resource to calculate the point on the elliptic curve. A process including the step of creating the pre-calculation table from the above and the step of calculating a scalar multiple from the scalar value and the pre-calculation table is performed.

  The scalar multiplication calculation method in elliptic curve cryptography that can be applied to the Kobritz curve by the above means, can prevent side channel attacks, has excellent memory usage, is capable of high-speed calculation, and is excellent in processing speed. Make available. In addition, data generation processing for data sharing such as encryption processing, decryption processing, signature generation processing, signature verification processing, and key exchange using the scalar multiplication method can be used. The present invention also provides an apparatus that includes computer resources such as an arithmetic device and a storage device, performs these processes, and a program that causes the computer to execute these processes.

  Specifically, the method, apparatus and program of the present invention have the following features.

  (1) A scalar multiplication calculation method in elliptic curve cryptography, wherein a scalar multiple is calculated from a scalar value and a point on the elliptic curve in an elliptic curve having addition on the elliptic curve and a second operation different from the addition. The step of encoding the scalar value into a numerical sequence, the step of creating a pre-calculation table independently of the scalar value from the points on the elliptic curve, and the numerical sequence and the pre-calculation table, And a step of calculating the scalar multiple by performing addition on the elliptic curve and a second operation in a fixed order independently of the scalar value.

  (2) A scalar multiplication calculation method in elliptic curve cryptography for calculating a scalar multiple from a scalar value and a point on the elliptic curve in an elliptic curve having addition on the elliptic curve and a second operation different from the addition. A step of creating a pre-calculation table independently of the scalar value from a point on the elliptic curve, and addition and second operation on the elliptic curve from the pre-calculation table, the scalar value and And a step of calculating the scalar multiple by independently executing in a certain order.

  (3) In an elliptic curve having addition on the elliptic curve and a second operation different from the addition, an elliptic that calculates a scalar multiple from a pre-encoded scalar value, a window width, and a point on the elliptic curve A method of scalar multiplication in curve cryptography, comprising the steps of creating a pre-calculation table independently from the scalar value from points on the elliptic curve, adding from the pre-calculation table on the elliptic curve and a second And a step of calculating the scalar multiplication point by executing an operation according to the window width in a fixed order independently of the scalar value.

  (4) The scalar multiplication method, wherein the elliptic curve is a Kobritz curve.

  (5) A scalar multiplication calculation method, wherein the second operation is τ multiplication.

  (6) The step of calculating the scalar multiple by executing in a fixed order independently of the scalar value is such that when the second operation on the elliptic curve is τ, the second operation τ is set in advance. A scalar multiplication calculation comprising: a first step for executing a predetermined number of times; and a second step for executing addition on the elliptic curve, wherein the first and second steps are repeated. Method.

(7) Furthermore, the step of encoding the scalar value into a numerical sequence includes a step of calculating a value of a Ψ function in the scalar value, and the Ψ function is Ψ _w ( d) = (x _R + x _T * t _{w + 1} mod 2 ^{w + 1} ) −2 ^w is given by the scalar multiplication calculation method.

(8) The pre-calculation table uses {P, 3P, 5P,..., (2 ^w −1) P for P that is a point on the elliptic curve and w that is a predetermined positive integer. } A scalar multiplication calculation method characterized by comprising:

(9) The pre-calculation table includes P ± τP ± for P which is a point on the elliptic curve, w which is a predetermined positive integer, and τ which is the second calculation on the elliptic curve. A scalar multiplication calculation method comprising τ ² P ± …… ± τ ^w−1 P.

  (10) The step of calculating the scalar multiple by executing in a fixed order independently of the scalar value includes a step of shifting the point read from the pre-calculation table. Method of calculation.

  (11) The step of calculating the scalar multiple by executing in a certain order independent of the scalar value, deriving intermediate data from a point on the elliptic curve, and shifting the intermediate data And a scalar multiplication calculation method.

  (12) The step of creating the pre-calculation table includes generating data to be stored in the pre-calculation table, randomizing the generated data, and storing the randomized data in the pre-calculation table And a step of calculating the scalar multiplication.

  (13) The step of calculating the scalar multiple by executing in a fixed order independent of the scalar value is a step of reading a point stored in the pre-calculation table; And a step of writing the randomized points to the pre-calculation table.

  (14) A signature generation method for generating digital signature data from data, comprising a step of calculating a scalar multiple using the scalar multiplication method.

  (15) A signature generation method for generating digital signature data from data, comprising a processing step by a random number multiplication unit, wherein the processing step by the random number multiplication unit creates a pre-calculation table from points on an elliptic curve A step of randomly selecting a predetermined number of bits, generating an integer from the randomly selected bits, and adding the second arithmetic on the elliptic curve and the second operation from the generated integer, A random number between a random number and a point on the elliptic curve by executing in a certain order independent of the integer, generating the integer, repeating the executing step, and repeating the step And a step of outputting a double point.

  (16) A decryption method for generating decrypted data from encrypted data, comprising the step of calculating a scalar multiple using the scalar multiplication method.

  (17) A data generation method for generating shared data from data, comprising the step of calculating a scalar multiplication using the scalar multiplication method.

  (18) A scalar multiplication calculator in elliptic curve cryptography that calculates a scalar multiple from a scalar value and a point on an elliptic curve in an elliptic curve having addition on the elliptic curve and a second operation τ different from the addition. An encoding unit that encodes the scalar value into a numerical sequence, a pre-calculation unit that creates a pre-calculation table independently of the scalar value from a point on the elliptic curve, the numerical sequence and the pre-calculation table And an actual calculation unit for calculating the scalar multiple by performing addition on the elliptic curve and the second operation τ in a certain order independent of the scalar value. A scalar multiplication calculator.

  (19) A scalar multiplication apparatus in elliptic curve cryptography for calculating a scalar multiple from a scalar value and a point on an elliptic curve in an elliptic curve having addition on the elliptic curve and a second operation τ different from the addition. A pre-calculation unit that creates a pre-calculation table independently from the scalar value from a point on the elliptic curve, an addition on the elliptic curve and a second operation τ from the pre-calculation table, and the scalar A scalar multiplication calculation device comprising: an actual calculation unit that calculates the scalar multiple by executing in a fixed order independently of a value.

  (20) In an elliptic curve having an addition on the elliptic curve and a second operation τ different from the addition, a scalar multiple is calculated from a pre-encoded scalar value, a window width, and a point on the elliptic curve. A scalar multiplication calculation apparatus in elliptic curve cryptography, a pre-calculation unit that creates a pre-calculation table independently of the scalar value from a point on the elliptic curve, and addition on the elliptic curve from the pre-calculation table; A scalar multiplication unit, comprising: an actual calculation unit that calculates the scalar multiplication point by executing a second operation τ in a fixed order independent of the scalar value in accordance with the window width. Computing device.

  (21) A signature generation apparatus including a signature generation processing unit that generates digital signature data from data, and a scalar multiplication calculation unit that is requested by the signature generation processing unit to calculate a scalar multiplication, the scalar multiplication calculation unit Performs a process including a step of calculating a scalar multiplication using the scalar multiplication calculation method.

  (22) A signature generation device for generating digital signature data from data, comprising a random number multiplication calculation unit, wherein the random number multiplication calculation unit creates a pre-calculation table from points on an elliptic curve; Randomly selecting a predetermined number of bits, generating an integer from the randomly selected bits, adding from the generated integer to an elliptic curve, and performing a second operation, Independently executing in a fixed order, generating the integer, repeating the executing step, and repeating the step, a random multiple of a random number and a point on the elliptic curve is obtained. And a real calculation unit that performs processing including an output step.

  (23) A decryption device including a decryption processing unit that generates decrypted data from encrypted data, and a scalar multiplication calculation unit that is requested by the decryption processing unit and calculates a scalar multiplication. The decoding apparatus is characterized in that the scalar multiplication calculation unit performs a process including a step of calculating a scalar multiplication using the scalar multiplication calculation method.

  (24) A data generation device including a data generation processing unit that generates shared data from data, and a scalar multiplication calculation unit that is requested by the data generation processing unit to calculate a scalar multiplication, and the data generation processing unit includes: A data generation apparatus performing a process including a step of calculating a scalar multiplication using the scalar multiplication calculation method.

  (25) A program for causing a computer to execute processing according to the scalar multiplication calculation method.

  (26) A program for causing a computer to execute processing according to the signature generation method.

  (27) A program that causes a computer to execute the process according to the decoding method.

  (28) A program that causes a computer to execute processing according to the data generation method.

  Among the inventions disclosed in the present application, effects obtained by typical ones will be briefly described as follows. According to the present invention, it is possible to perform message processing by elliptic curve calculation, which can be applied to a Kobritz curve, can prevent a side channel attack, is safe, and has excellent memory usage and processing speed.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted. 1-16 is a figure for demonstrating each embodiment of this invention.

<System configuration>
FIG. 1 shows the configuration of a computer A 101 and a computer B 121 that are scalar multiplication apparatuses according to an embodiment of the present invention, and an information processing system that includes these. The configuration shown in FIG. 1 is basically common to each embodiment. A scalar multiplication calculation apparatus according to an embodiment of the present invention executes a process including a scalar multiplication calculation process according to a scalar multiplication calculation method according to an embodiment of the present invention, and performs encryption using scalar multiplication calculation. Execute processing. Each computer (101, 121) performs processing including scalar multiplication processing by executing the program according to the embodiment of the present invention. This information processing system shows an encryption communication system in which a computer A 101 and a computer B 121 to which a scalar multiplication method is applied are connected via a network 142 and exchange data and information via the network 142.

In order to encrypt a message by the computer A101 in this cryptographic communication system, P _m + k (dQ) and kQ are calculated and output. Then, in order to decrypt the ciphertext by the computer B121 that has input the ciphertext, -d (kQ) is calculated from the secret key d and the kQ, and the following (formula 10) is calculated for the input ciphertext. Can be calculated and output.

_{(P m + k (dQ)} ) - d (kQ) ··· ( Equation 10)
Here, P _m is a message, k is a random number, d is a constant indicating a secret key (corresponding to a scalar value), Q is a fixed point, and dQ is a point indicating a public key (corresponding to a scalar multiple). The computer A101 holds information such as a secret key d, a fixed point Q, and a public key dQ. The computer B101 holds information such as a secret key d.

Data 141 is transmitted from computer A101 to computer B121. The data 143 is transmitted from the computer B121 to the computer A101. Only P _m + k (dQ), kQ is transmitted as data to the network 142. In order to restore (decode) the message P _m , it is necessary to calculate kdQ, that is, d times kQ. However, the private key d is for the network 142 is not sent, only those holding the secret key d is becomes possible to recover the message P _m.

  The computer A101 is equipped with an arithmetic device such as a CPU 113 and a coprocessor 114, a storage device such as a RAM 103, a ROM 106 and an external storage device 107, and an input / output interface 110 for inputting / outputting data to / from the outside of the computer. A display 108 as an output device, a keyboard 109 as an input device, and other removable portable storage medium read / write devices (not shown) are connected to allow the user to operate A101.

  Further, the computer A101 realizes the storage unit 102 by a storage device such as the RAM 103, the ROM 106, and the external storage device 107. When the arithmetic unit such as the CPU 113 or the coprocessor 114 executes the program of the present embodiment stored in the storage unit 102, the data processing unit 112, the scalar multiplication calculation unit 115, and the processing unit 111 are included in them. Each processing unit is realized. The program according to the present embodiment describes an instruction for performing processing according to the scalar multiplication method. The data processing unit 112 performs message processing according to each embodiment. For example, in the first embodiment, the data processing unit 112 functions as the encryption processing unit 112 and encrypts an input message.

  The CPU 113 controls the entire computer A101. The coprocessor 114 particularly performs numerical calculations in cooperation with the CPU 113. In each embodiment, these two arithmetic devices are used to perform a target process including a scalar multiplication process, that is, an encryption process. The hardware configuration is not limited to this, and it is of course possible to perform a target process with a configuration having one processor, for example. In addition, a configuration in which the program of the embodiment of the present invention is executed on a general-purpose computer such as a PC to perform a target process together with other processes, or a computer configuration in which the target process is executed exclusively is possible. is there. The purpose processing is scalar multiplication processing, data generation for data sharing such as encryption processing, decryption processing, signature generation processing, signature verification processing, and key exchange performed using scalar multiplication processing. This refers to processing and the like, which will be described in an embodiment described later.

  The scalar multiplication calculation unit 115 performs processing including scalar multiplication calculation processing in accordance with a request from the data processing unit 112. In the first embodiment, the scalar multiplication calculation unit 115 calculates parameters necessary for the encryption processing unit 112 to perform encryption.

  The storage unit 102 stores a constant 104, secret information 105, and the like. The constant 104 is, for example, an elliptic curve definition formula or a fixed point on the elliptic curve. The secret information 105 is information that must be concealed, for example, secret key information.

  The computer B121 has the same hardware configuration as the computer A101. The computer B121 includes a CPU 133, a coprocessor 134, a RAM 123, a ROM 126, an external storage device 127, an input / output interface 130, and the like, and a display 128, a keyboard 129, and the like are connected to the outside. Note that the information processing system can be configured with the computer B121 different from the computer A101.

  Further, the computer B121 realizes the storage unit 122 by a storage device such as the RAM 123, the ROM 126, and the external storage device 127. When the arithmetic device such as the CPU 133 or the coprocessor 134 executes the program of the present embodiment stored in the storage unit 122, the data processing unit 132 and the scalar multiplication calculation unit 135 are included as the processing unit 131. Each processing unit is realized. The data processing unit 132 performs message processing according to each embodiment. In the first embodiment, the data processing unit 132 functions as the decryption processing unit 132, and the ciphertext (corresponding to the data 141) that is an encrypted message. )).

  The scalar multiplication calculation unit 135 performs processing including scalar multiplication calculation processing in accordance with a request from the data processing unit 132. In the first embodiment and the like, the scalar multiplication calculation unit 135 calculates parameters necessary for the decoding processing unit 132 to perform decoding. The storage unit 122 stores a constant 124 (for example, an elliptic curve definition formula or a fixed point on the elliptic curve), secret information 125 (for example, secret key information), and the like.

  Each program may be stored in advance in the storage unit (102, 122) in the computer (101, 121), or when necessary, the input / output interface (110, 130) and the computer. (101, 121) may be introduced into the storage unit (102, 122) from another device via a usable medium. The usable medium refers to, for example, a storage medium that can be attached / detached to / from the input / output interface (110, 130), or a communication medium (that is, a network or a carrier wave that propagates through the network).

<Encryption sequence>
FIG. 2 is a sequence diagram showing how information is transferred between the processing units of the computer A 101 and the computer B 121. First, the operation when the computer A101 in FIG. 1 encrypts an input message will be described with reference to FIG. The message to be processed may be any digitized data, and may be any type of text, image, video, sound, or the like.

  In the computer A101, first, when the data processing unit (that is, the encryption processing unit) 112 receives the plaintext message corresponding to the input message (step S204) via the input / output interface 110, the bit length of the input plaintext message. Is determined to be a predetermined bit length. When it is longer than the predetermined bit length, the plaintext message is divided so as to have a predetermined bit length.

Hereinafter, a partial message (also simply referred to as a message) divided into a predetermined bit length will be described. The encryption processing unit 112 calculates the value (y _m ) of the y coordinate of the point P _m on the elliptic curve having the numerical value represented by the bit string of the message at the x coordinate (x _m ). Since the Kobritz curve is expressed by (Equation 4), the value of the y coordinate can be obtained from this.

Next, the encryption processing unit 112 generates a random number k. Then, the public key dQ read from the constant 104 stored in the storage unit 102, the x coordinate of the point Q (S205), the obtained y coordinate value, and the generated random number k are sent to the scalar multiplication unit 115. (S206). The scalar multiplication calculator 115 calculates the x-coordinate and y-coordinate values of the point Q, and the scalar multiple (x _d1 , y _d1 ) = kQ based on the random number k, the x-coordinate and y-coordinate values of the public key dQ, and the random The scalar multiple by k (x _d2 , y _d2 ) = k (dQ) is calculated, and the calculated scalar multiple is sent to the encryption processing unit 112 (S207).

The encryption processing unit 112 performs encryption processing using the scalar multiple sent from the scalar multiplication calculation unit 115. For example, in the Kobritz curve, kQ and P _m + k (dQ) are calculated. That is, the following (formula 11) to (formula 13) are calculated to obtain encrypted messages x _e1 and x _e2 .

x _e1 = x _d1 (Expression 11)
x _e2 = λ ² + λ + x ₁ + x _d2 + a (Formula 12)
λ = (y ₁ + y _d2 ) / (x ₁ + x _d2 ) (Expression 13)
The computer A101 assembles an encrypted output message (corresponding to S208) from one or more partial messages encrypted by the encryption processing unit 112.

  The computer A 101 outputs the encrypted output message from the input / output interface 110 as the data 141 in FIG. 1 and transfers it to the computer B 121 via the network 142.

  Note that the timing of reading information (S205) from the storage unit 102 to the data processing unit 112 in FIG. 2 is before the input message (S204) is received before the information is sent to the scalar multiplication unit 115. Also good.

<Decoding sequence>
Next, the operation when the computer B 121 decrypts the encrypted message (data 141) will be described with reference to FIG.

  In the computer B121, first, when the encrypted data 141 is input via the input / output interface 130 to the decryption processing unit 132 (S204), the bit length of the input encrypted data 141 is It is determined whether or not the bit length is predetermined. If it is longer than the predetermined bit length, the encrypted data 141 is divided so as to have a predetermined bit length.

Hereinafter, partial data (also simply referred to as data) divided into a predetermined bit length will be described. The value of the y coordinate on the elliptic curve having the numerical value represented by the bit string of the data 141 at the x coordinate is calculated. The encrypted message is a bit string of x _e1 and x _e2 , and the y-coordinate values y _e1 and y _{e2 in} the Kobritz curve can be obtained from the following (formula 14) and (formula 15).

y _e1 ² + x _e1 y _e1 = x _e1 ³ + ax _e1 ² +1, a = 0 or 1 (Equation 14)
y _e2 ² + x _e2 y _e2 = x _e2 ³ + ax _e2 ² +1, a = 0 or 1 (Equation 15)
The decryption processing unit 132 obtains the secret key d read from the secret information 125 stored in the storage unit 122 (102 in FIG. 2) and the values (x _e1 , y _e1 ) of the x coordinate and the y coordinate. Then, it is sent to the scalar multiplication calculator 135 (115 in FIG. 2) (S206). The scalar multiplication calculator 135 calculates a scalar multiplication point (x _d3 , y _d3 ) = d (x _e1 , y _e1 ) from the x-coordinate and y-coordinate values and the secret key d. The scalar multiplication calculation unit 135 sends the calculated scalar multiple (x _d3 , y _d3 ) to the decoding processing unit 132 (S207).

The decoding processing unit 132 performs a decoding process using the scalar multiple (x _d3 , y _d3 ) sent from the scalar multiplication calculating unit 135. For example, the encrypted message is a bit string of x _e1 and x _e2 , and in the Kobritz curve, (P _m + k (dQ)) − d (kQ) = (x _e2 , y _e2 ) − (x _d3 , y _{This is} achieved by calculating _d3 ). That is, the following (Expression 16) and (Expression 17) are calculated, and x _f1 corresponding to the partial message x _m before being encrypted is obtained.

x _f1 = λ ² + λ + x _e2 + x _d3 + a (Expression 16)
λ = (y _e2 + y _d3 ) / (x _e2 + x _d3 ) (Expression 17)
The computer B 121 assembles a plaintext message from the partial message decrypted by the decryption processing unit 132 and outputs it as an output message (S 208) from the display 128 or the like via the input / output interface 130.

  Next, the process of the scalar multiplication calculation unit 135 when the computer B121 performs the decoding process will be described in detail in each embodiment shown below. In each embodiment, the computer B121 functioning as the decoding device in the embodiment of the present invention performs a decoding process according to the decoding method in the embodiment of the present invention.

(Embodiment 1)
A scalar multiplication calculation method, scalar multiplication calculation apparatus, and program according to Embodiment 1 of the present invention will be described with reference to FIGS.

  FIG. 3 shows a functional block configuration of the scalar multiplication unit 115 used in the first embodiment. A scalar multiplication calculation unit 115 (corresponding to the scalar multiplication calculation unit 135 of the computer B121 in FIG. 1) includes an encoding unit 302, a previous calculation unit 303, and an actual calculation unit 304. The encoding unit 302 includes a residue acquisition unit 321, a residue conversion unit 322, an iterative determination unit 323, a δ residue conversion unit 324, a Ψ function calculation unit 325, and a storage unit 326. The pre-calculation unit 303 includes an addition unit 331, a multiplication unit 332, and a repetition determination unit 333. The actual calculation unit 304 includes a bit value determination unit 341, an addition unit 342, a τ multiplication unit 343, and a repetition determination 344.

As a scalar multiplication calculation method used in the first embodiment, a first calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. When the scalar multiplication unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the encoding unit 302 encodes the input scalar value d into a numeric string d _w [j].

This is equivalent to converting the scalar value d into d _w [j] satisfying the following (Expression 19) and (Expression 20) with respect to the integer d ′ satisfying the following (Expression 18).

dP = d′ P (Equation 18)
d ′ = d _w [2n] τ ²ⁿ + d _w [2n−1] τ ²ⁿ⁻¹ +... + d _w [j] τ ^j +. + d _w [0] (Equation 19)
−2 ^w <d _w [j] <2 ^w (Equation 20)
Here, n is a bit length when the scalar value d is expressed in binary, and w is a predetermined positive integer, which is called a window width. When giving priority to the calculation time (processing speed), w is set to a large value. To reduce the memory usage, w is set to a small value.

The pre-calculation unit 303 creates a pre-calculation table from the input point P on the elliptic curve. The pre-calculation table is composed of {P, 3P, 5P,..., (2 ^w −1) P}.

The actual calculation unit 304 calculates a scalar multiple dP from the scalar value encoded in the numerical sequence d _w [j] and the point P on the elliptic curve using the pre-calculation table.

  Next, each process performed by the encoding unit 302, the pre-calculation unit 303, and the actual calculation unit 304 will be described in detail. First, a method in which the encoding unit 302 encodes the scalar value d will be described with reference to FIG. FIG. 4 is a flowchart showing the encoding process in the encoding unit 302.

First, the δ residue conversion unit 324 substitutes d mod δ for the variable d ′ (step S401). However, Non-Patent Document 4 describes a method for calculating d mod δ with respect to δ and the scalar value d. d ′ = d mod δ is represented by the following (formula 21). Here, d ₀ and d ₁ are both integers.

d ′ = d ₀ + d ₁ τ (Expression 21)
Next, the variable i is initialized with 0 (S402). Repetition determining unit 323 'to, | rpart (d' variable d) | ^{<2 w} and determines whether Tpart (d ') = 0 ( S403). Here, with respect to the scalar value d ′ = d ₀ + d ₁ τ, the real part Rpart (d ′) and the τ part Tpart (d ′) of d ′ are given by the following (Expression 22) and (Expression 23). Is an integer.

Rpart (d ′) = d ₀ (Formula 22)
Tpart (d ′) = d ₁ (Equation 23)
If the two conditions are both satisfied in step S403 (TRUE), the process proceeds to step S421. If any of the above conditions is not satisfied (FALSE), the process proceeds to step S411.

In the step S411, [psi function calculating unit 325, the scalar value d 'solid portions of rpart (d') of the remainder by 2 w ^{+ 1} to x _R, the scalar value d 'tau portion Tpart (d') of, 2 the remainder by ^{w + 1} to _{x T,} the values are.

  The Ψ function calculation unit 325 calculates (Equation 24) below and stores it in the variable u (S412). The symbol * represents multiplication.

Ψ _w (d ′) = (x _R + x _T * t _{w + 1} mod 2 ^{w + 1} ) −2 ^w (Equation 24)
Here, _{tw + 1} is an integer given by (Expression 25) below, and U _{w + 1} in (Expression 25) is an integer determined by (Expression 26) below.

t _{w + 1} = 2U _w U _{w + 1} ⁻¹ mod 2 ^{w + 1} (Equation 25)
U ₀ = 0, U ₁ = 1, U _{w + 1} = μU _w −2U _w−1 (Equation 26)
Next, the storage unit 326 stores u, 0, 0,..., 0 in d _w [i], d _w [i + 1],..., D _w [i + w−1], respectively. (S413). Then, [psi function calculating unit 325, (d'-u) / τ w is calculated, and stores the result in the d '(S414). Next, the variable i is increased by w, and the process returns to step S403 (S415).

On the other hand, in step S421, the storage unit _{326, d w [i], d} w [i + 1], ......, a _{d w [n + w + a} + 2], respectively, Rpart (d '), 0 , 0,..., 0 are stored. Next, the encoding unit 302 outputs d _w [n + w + a + 2],..., D _w [0] to the actual calculation unit 304 (S422).

  In order to perform division by τ in step S414, the following may be performed. When d ′ is input, the division result d ′ / τ by τ is given by the following (formula 27).

d ′ / τ = Tpart (d ′) + Rpart (d ′) (μ−τ) / 2 (Equation 27)
The reason why the upper limit of the variable i is n + w + a + 2 is as follows. Non-Patent Document 3 describes that when the scalar value d ′ is converted as shown in (Equation 19), the variable i is n + a + 3 or less. The number of digits after conversion of this scalar value d ′ must be a multiple of w. Therefore, if w numeric strings d _w [i], d _w [i + 1],..., D _w [i + w−1] are paired, the number of upper digits can be less than w. There is a possibility that only the n + a + 3rd digit remains in the smallest case. Therefore, when the scalar value d ′ is converted as shown in (Equation 19), the upper limit of the value of the variable i is n + w + a + 2.

  Next, a method in which the pre-calculation unit 303 creates a pre-calculation table from points on the elliptic curve will be described with reference to FIG. FIG. 5 is a flowchart showing a pre-calculation table creation process in the pre-calculation unit 303.

First, the doubling unit 332 doubles the point P and stores the result in 2P (S501). Note that doubling is represented by the function ECDBL. Next, the initial value 1 is substituted into the variable j (S502). Next, the repetition determining unit 333, j is determined whether ^{2 w} less (S503). In the case of j ^{<2 w} moves to the (TRUE), step S504. In the case of j ≧ ^{2 w} moves to the (FALSE), step S511.

  In step S504, the adding unit 331 adds the point jP and the point 2P, and stores the result in (j + 2) P. Note that the addition is represented by the function ECADD. Next, the variable j is incremented by 2, and the process returns to step S503 (S505).

On the other hand, in step S511, {P, 3P,..., (2 ^w −1) P} is output as a pre-calculation table.

  In the above processing, addition is calculated using (Expression 1) to (Expression 3), and doubling is calculated using (Expression 1), (Expression 2), and (Expression 5). In addition to the calculation of addition and doubling, a calculation formula in projective coordinates or Jacobian coordinates, which is a known technique, can be used.

Further, in contrast to the point Q = (x, y) on the elliptic curve, the inverse point -Q relating to the addition on the elliptic curve is expressed as -Q = (x, x + y) in the case of the Kobritz curve. If the coordinates of the point Q are given, it can be easily calculated. Therefore, only the points {P, 3P,..., (2 ^w −1) P} are stored as the pre-calculation table. Since the points {−P, −3P,..., − (2 ^w −1) P} necessary for the subsequent calculation performed by the actual calculation unit 304 may be derived from the stored points, There is no need to store it in the table. In order to omit the derivation of the points {−P, −3P,..., − (2 ^w −1) P}, only the y-coordinate values of these points may be stored in the pre-calculation table. .

Note that the pre-calculation table creation process performed by the pre-calculation unit 303 only needs to calculate the points {P, 3P,..., (2 ^w −1) P}. Therefore, using the non-patent literature Cohen, H., A course in computational algebraic number theory, GTM138, Springer-Verlag, (1993), page 481, Montgomeric's inverse element commonization method is used. The speed may be increased by sharing the calculation of the inverse element calculation required for the elliptic curve calculation.

When the point P is a fixed point, the pre-calculation table creation process performed by the pre-calculation unit 303 only needs to be performed once. Therefore, once the point ^{{P, 3P, ......, (} 2 w -1) P} be calculated and the subsequent scalar multiplication, the point ^{{P, 3P, ......, (} 2 w -1) P } Need not be recalculated.

  Finally, a method in which the actual calculation unit 304 calculates the scalar multiple in the elliptic curve from the encoded scalar value, the point on the elliptic curve, and the previous calculation table will be described with reference to FIG. FIG. 6 is a flowchart showing a scalar multiple calculation process in the actual calculation unit 304.

First, the actual calculation unit 304 substitutes the initial value n + w + a + 2 for the variable c (S601). Next, the repetition determining unit 344 determines whether d _w [c] is 0 or non-zero (S602). If d _w [c] is 0, the process proceeds to step S603. If d _w [c] is not 0, the process proceeds to step S611.

  In step S603, the variable c is decreased by 1, and the process returns to step S602.

On the other hand, in step S611, d _w [c] P is substituted for the point Q. Next, the initial value c-1 is substituted into the variable j (S612). Next, the repetition determination unit 344 determines whether j is smaller than zero. If j is smaller than 0, the process proceeds to step S621. When j is 0 or more, the process proceeds to step S614 (S613).

In step S614, the τ multiplication unit 343 multiplies the point Q by τ and stores it again at the point Q. Next, the repetition determining unit 344 determines whether d _w [j] is 0 or non-zero (S615). If d _w [j] is 0, the process proceeds to step S617. If d _w [j] is not 0, the process proceeds to step S616.

In step S616, the adding unit 342 adds the point Q and d _w [j] P. However, when d _w [j] is negative, addition is performed using the inverted y coordinate of (−d _w [j]) P. Then, the result of addition is stored at point Q, and the process proceeds to step S617.

When d _w [j] is not 0, d _w [j] is an odd number that satisfies (Equation 20). Therefore, either d _w [j] P or (−d _w [j]) P always exists in the pre-calculation table.

  In step S617, the variable j is decreased by 1, and the process returns to step S613. On the other hand, in step S621, the point Q is output. This is the end of the process.

In the above processing, the numerical sequence d _w [j] output by the processing performed by the encoding unit 302 satisfies (Equation 18) to (Equation 20). The reason is as follows.

  In step S401 of FIG. 4, d mod δ is substituted for d ′. Therefore, d ′ = d + kδ can be expressed using an appropriate number k. On the other hand, it is known that δP is a point at infinity on the Kobritz curve, so (Equation 18) holds.

  In the loop from step S403 to step S415, the j'th d 'value is set to d' [j], and the u value is set to u [j]. That is, in step S414, the following (formula 28) is calculated.

d ′ [j + 1] = (d ′ [j] −u [j]) / τ ^w (Equation 28)
In the 0th loop, the following (formula 29) is obtained. In the first loop, the following (Equation 30) is obtained. Similarly, in the j-th loop, the following (formula 31) is obtained.

d ′ = d ′ [0] (Equation 29)
d ′ = d ′ [1] τ ^w + u [0] (Equation 30)
d ′ = (…… (d ′ [j] τ ^w + u [j]) τ ^w + …… + u [1]) τ ^w + u [0] (Equation 31)
If it is noted that d _w [i] other than d _w [jw] is assigned 0, it can be seen that d ′ satisfies (Equation 19).

  It can be easily understood that u [j] calculated in step S412 falls within the following range (formula 32).

-2 ^w <u [j] <2 ^w (Expression 32)
Accordingly, u [j] is assigned to d _w [i] other than 0. Therefore, (Equation 20) is satisfied.

  Further, u [j] calculated in the process performed by the encoding unit 302 is all odd except for j = 0. The reason is as follows.

If Rpart (d ′ [j]) is an odd number in step S411, tw _{+ 1} is an even number, and u [j] is an odd number. On the other hand, in step S414, d '[j + 1 ] = (d' [j] -u [j]) / τ w is calculated. Since the following (formula 33) holds, Rpart (d ′ [j + 1]) is an odd number.

d ′ [j] − ((d ′ [j] mod τ ^w ) −τ ^w ) mod τ ^{w + 1} = τ ^w (Expression 33)
Therefore, except for j = 0, u [j] are all odd numbers.

  In order to make u [0] odd, the real part Rpart (d) of the scalar value d may be odd. For this purpose, when the real part Rpart (d) of the input scalar value d is an even number, d + 1 is re-encoded as the scalar value n. That is, d is converted to an odd number. Then, a scalar multiple nP is calculated. Since the following (formula 34) holds, the point P is subtracted from nP, and the value may be output as the scalar multiple dP.

nP = (d + 1) P = dP + P (Formula 34)
When the real part Rpart (d) of the input d is an odd number, d + τ may be encoded again as a scalar value n, and the scalar multiple dP may be obtained using the following (Equation 35). In this case, there is an advantage that the processing to be performed is the same in any case of d.

nP = (d + τ) P = dP + τP (Equation 35)
Further, the point Q output from the actual calculation unit 304 is equal to the scalar multiple dP. The reason is as follows.

In step S613 of FIG. 6, the point Q is represented by the following (formula 35). Here, c is the maximum i that satisfies d _w [i] ≠ 0.

(D _w [c] τ ^c−j−1 + d _w [c−1] τ ^c−j−2 +... + D _w [j + 1]) P (Expression 36)
At this time, it will be shown below that the point Q satisfies (Equation 36) also when it comes to step S613 next time. The point Q is multiplied by τ in step S614, and d _w [j] P is added in step S616 if d _w [j] is not zero. Therefore, immediately after step S616, the value of the point Q is as follows (Formula 37).

(D _w [c] τ ^c−j + d _w [c−1] τ ^c−j−1 +... + D _w [j + 1] τ + d _w [j]) P (Expression 37)
Therefore, the point Q satisfies (Expression 37) immediately before step S617, including when d _w [j] = 0. Since j decreases by 1 in step S617, substituting j + 1 for j in (Expression 37) yields (Expression 36). That is, the point Q satisfies (Equation 36) when it comes to step S613 next time.

Since the value of d _w [j] for j> c is 0, the value of the point Q output in step S621 is equal to the following (formula 38).

(D _w [c] τ ^c + d _w [c−1] τ ^c−1 +... + D _w [1] τ + d _w [0]) P (Equation 38)
Since the scalar value input to the actual calculation unit 304 is d _w [j] encoded by the encoding unit 302, the d _w [j] satisfies (Equation 20). Therefore, Q = dP.

  The scalar multiplication method is also effective for a defense method against side channel attacks. The reason is as follows.

The encoding unit 302 encodes the scalar value d into a numerical string d _w [i]. A numerical sequence d _w [n + w + a + 2] …… d _w [0] in which d _w [i] is arranged from left to right from i = n + w + a + 2 to i = 0 is as shown in the following (formula 39). It is represented by a pattern.

| 0 …… 0x | 0 …… 0x | …… | 0 …… 0x | (Formula 39)
Here, each x is a non-zero value and corresponds to the above u [j]. The symbol | indicates a block delimiter in the pattern. The block | 0... 0x | is w values and “0... 0” indicates that w−1 values are continuous.

  When the real calculation unit 304 calculates the scalar multiple, in the iterative process of steps S613 to S617, the elliptic curve calculation corresponding to the block | 0... 0x | is | T. A after T. However, T represents τ multiplication and A represents ECADD (addition on an elliptic curve). Therefore, the elliptic curve calculation to be executed for all scalar values is fixed as shown in (Equation 40) below.

｜ T …… TA | T …… TA | …… | T …… TA | (Formula 40)
Therefore, information relating to the scalar value d cannot be extracted from (Equation 40) alone. That is, it has protection against side channel attacks.

  In addition, with respect to the first embodiment, in order to perform scalar multiplication calculation using the randomized projection coordinates described in Non-Patent Document 2 together (processing 1) and to perform scalar multiplication calculation at high speed, Performing scalar multiplication by increasing the size of the table (referred to as processing 2), and re-randomizing and writing to the previous calculation table each time a point stored in the previous calculation table is read (processing) 3) may be performed. The storage data for the pre-calculation table is randomized by the process using the randomization.

  As described above, the first calculation method can be applied to the Kobritz curve and does not give useful information for the side channel attack, so it is resistant to the side channel attack, and the memory usage and processing speed are improved. There is a feature and an effect that it is excellent.

(Embodiment 2)
A scalar multiplication calculation method, scalar multiplication calculation apparatus, and program according to Embodiment 2 of the present invention will be described with reference to FIGS. 1 to 3, 7, and 8. In the second embodiment, the functional block configuration of the scalar multiplication calculator 115 shown in FIG. 3 is used. The scalar multiplication calculation unit 115 (corresponding to the scalar multiplication calculation unit 135 in FIG. 1) in the second embodiment is configured to include a processing unit similar to that in the first embodiment. However, in the second embodiment, the pre-calculation unit 303 includes the τ multiplication unit 332 instead of the doubling unit 332.

  As a scalar multiplication calculation method used in the second embodiment, a second calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. The second calculation method is characterized in that a pre-calculation table can be created using addition and τ multiplication without using doubling. Therefore, the pre-calculation unit 303 does not need to include a doubling unit.

When the scalar multiplication unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the encoding unit 702 encodes the input scalar value d into a numerical string d _w [j]. However, in Embodiment 2, d _w [j] satisfies the following (Expression 41) instead of (Expression 19). However, each symbol in (Expression 41) represents all combinations (that is, either positive or negative may be taken).

d _w [j] = ± 1 ± τ ± τ ² ± …… ± τ ^w−1 (Formula 41)
The pre-calculation unit 303 creates a pre-calculation table from the input point P on the elliptic curve. The pre-calculation table is composed of P ± τP ± Pτ ² ± …… ± τ ^w−1 P.

  The actual calculation unit 304 calculates a scalar multiple dP from the encoded scalar value and the point P on the elliptic curve using the pre-calculation table.

  Next, each process performed by the encoding unit 302, the pre-calculation unit 303, and the actual calculation unit 304 will be described in detail. First, a method in which the encoding unit 302 encodes the scalar value d will be described with reference to FIG. FIG. 7 is a flowchart showing the encoding process in the encoding unit 302.

First, the variable i is initialized with 0 (S701). Next, the δ residue conversion unit 324 substitutes d mod δ for the variable d ′, substitutes Rpart (d ′) for the variable c _0, and Tpart (d ′) for the variable c ₁ (S 702).

The repetition determining unit 323 determines whether or not the condition {c ₀ ² + μc ₀ c ₁ + 2c ₁ ² ≧ 4/7 * 2 ^w } is satisfied (S703). This determines whether the quotient is 0 when the number c ₀ + c ₁ τ is divided by the number τ ^w . If the above condition is satisfied in this determination (TRUE), the process proceeds to step S704. If the above condition is not satisfied (FALSE), the process proceeds to step S711.

In step S704, the Ψ function calculation unit 325 calculates Ψ _w (c ₀ + c ₁ τ) and stores the result in u. Further, u is substituted for d _w [i], sign (u) is substituted for s, | u | is substituted for u, and variable i is incremented by one. Here, sign (u) is the sign of u.

Then, _{c 0} to _{c 0 -s * b 0 [(} u-1) / 2] a, _c 1 -s * _{b 1} to _{c 1} a [(u-1) / 2 ], the values are (S705 ). Here, b ₀ and b ₁ are integers that satisfy the following conditions, respectively. Each β _j = 1 + (− 1) ^{j (1)} τ + (− 1) ^{j (2)} τ ² +... + (− 1) ^{j (w−1)} τ ^w−1 {j = (j (w− 1)... J (0)) ₂ , j (i) = 0 or 1}, β _j is determined by using the appropriate numbers b _{0, j} , b _{1, j} and β _j = b _{0, j} + B _{1, j} τ. If u _j = Ψ _w (β _j ), and u _j > 0, there is _j satisfying u = (u _j −1) / 2, so that b ₀ = b _{0, j} , B ₁ = b _{1, j} . If u _j <0, there exists j satisfying u = (− u _j −1) / 2, so that b ₀ = −b _{0, j} , b ₁ = −b _{1, j} deep.

  The repetition determination unit 323 determines whether j ≦ w is satisfied (S706). If j ≦ w (TRUE), the process proceeds to step S707. If j> w (FALSE), the process returns to step S703.

At step S707, the a _{c 1} + _{μc 0/2} to a variable _{c 0,} a _-c 0/2 to the variable _{c 1,} the values are.

In step S711, Ψ _w (c ₀ + c ₁ τ) calculated in step S704 is stored in d _w [i] each time the loop of steps S703 to S707 is repeated.

In step S712, the encoding unit 302 outputs {d _w [c],..., D _w [0]}. Here, c is the maximum j that satisfies d _w [j] ≠ 0.

  The reason why the upper limit of the value of variable i is i + w−1 is the same as in the first embodiment.

  Next, a method in which the pre-calculation unit 303 creates a pre-calculation table from points on the elliptic curve will be described with reference to FIG. FIG. 8 is a flowchart showing pre-calculation table creation processing in the pre-calculation unit 303.

  The pre-calculation unit 303 first substitutes the point P on the elliptic curve for the variable R (S801). Next, the initial value 1 is substituted for the variable i, and the empty set {} is substituted for the set S (S802). Next, the repetition determination unit 333 determines whether i is smaller than w (S803). If this condition is satisfied, the process moves to step S804. If the condition is not satisfied, the process proceeds to step S811.

  In step S804, P ± τQ is calculated by the adder 331 and the τ multiplier 332 for all points Q of R, and the set S and the two points P ± τQ are substituted into the set S. Next, S is stored in R (S805). Next, the variable i is incremented by 1 (S806), and the process returns to step S803.

  On the other hand, in step S811, the repetition determination unit 333 outputs a set R of points on the elliptic curve as a pre-calculation table when i is greater than or equal to w in step S803.

  The operations performed by the scalar multiplication calculation unit 115 are only τ multiplication and addition, and a pre-calculation table can be created without using relatively heavy doubling.

Further, the reason why the point −P ± τP ± Pτ ² ±... ± τ ^w−1 P need not be stored in the pre-calculation table is the same as in the first embodiment, and the point −P ± τP ± Pτ ² ±. ...... In order to omit the derivation of ± τ ^w−1 P, only the y coordinate values of those points may be stored in the pre-calculation table.

Note that the pre-calculation table creation process performed by the pre-calculation unit 303 only needs to calculate the points P ± τP ± Pτ ² ±... ± τ ^w−1 P. For this reason, it is possible to increase the speed by using the inverse element calculation commonization method by Montgomeric to share the calculation of the inverse element calculation required for the elliptic curve calculation.

Further, when the point P is a fixed point, the reason why the point P ± τP ± Pτ ² ±... ± τ ^w−1 P need not be recalculated is the same as in the first embodiment. Similar to the first calculation method, the pre-calculation table creation process may be speeded up by using Montgomery trick to share the calculation of the inverse element calculation required for the elliptic curve calculation. It is.

  Finally, a method will be described in which the actual calculation unit 304 calculates a scalar multiple in the elliptic curve from the encoded scalar value and the point on the elliptic curve. The process performed by the actual calculation unit 304 is the same process as in the first embodiment.

D _w [j] output by the process performed by the encoding unit 302 satisfies (Expression 18), (Expression 20), and (Expression 41). The reason why (Equation 18) is satisfied is the same as in the first embodiment. In the loop of steps S703 to S707, the value output for the i-th time is c _{0, i} + c _{1, i} τ. With respect to the output values c _{0, i} + c _{1, i} τ, the following (formula 42) is set, and the values of b ₀ , b ₁ are respectively set to b _{0, i} , b _{1 in} the loop of steps S706 to S707. _{, I} , and u [i] = [Psi] _w (b0, _i + b1 _{, i} [tau]) and s [i] = sign (u [i]). Here, sign (u [i]) represents the sign of u [i].

Ψ _w (c _{0, i} + c _{1, i} τ) = d _w [i + 1] (Formula 42)
In the loop of steps S706 to S707, the following (formula 43) is calculated. When (Equation 43) is modified, the following (Equation 44) is established.

c _{0, i + 1} + c _{1, i + 1} τ = {(c _{0, i} + c _{1, i} τ) −s [i] ((| u [i] | −1) / 2) * (b _{0, i} + b _{1, i} τ)} / τ ^w (Equation 43)
(C _{0, i} + c _{1, i} τ) τ ^w = (c _{0, i + 1} + c _{1, i + 1} τ) −s [i] ((| u [i] | −1) / 2) * (b _{0, i} + B _{1, i} τ) (Formula 44)
Using (Expression 42) and (Expression 44), it can be seen that d ′ satisfies (Expression 18).

In step S711, Ψ _w (c ₀ + c ₁ τ) is substituted for d _w [i], and Ψ _w (c ₀ + c ₁ τ) = (c ₀ + c ₁ * t _{w + 1} mod 2 ^{w + 1} ) −2 ^w is , | C ₀ + c ₁ * t _{w + 1} mod 2 ^{w + 1} | <2 ^{w + 1} , d _w [i] satisfies (Equation 41).

  The point Q output from the actual calculation unit 304 is equal to the scalar multiple dP. The reason is as follows. The same processing as that performed by the actual calculation unit 304 of the first embodiment is performed.

  In step S613, it is assumed that the point Q is expressed as (Equation 45) below.

(D _w [c] τ ^c−j−1 + d _w [c−1] τ ^c−j−2 +... + D _w [j + 1]) P (Equation 45)
At this time, it will be shown below that the point Q satisfies (Equation 45) also when it comes to step S613 next time. The point Q is multiplied by τ in step S614, and d _w [j] P is added in step S616 unless d _w [j] is 0. Therefore, immediately after step S616, the value of the point Q is as follows (formula 46).

(D _w [c] τ ^c−j + d _w [c−1] τ ^c−j−1 +... + D _w [j + 1] τ + d _w [j]) P (Expression 46)
Therefore, the point Q satisfies (Equation 46) immediately before step S617, including when d _w [j] = 0. Since j decreases by 1 in step S617, substituting j + 1 for j in (Expression 46) yields (Expression 45). That is, the point Q satisfies (Equation 45) the next time it comes to step S613. Since the value of d _w [j] for j> c is 0, the value of the point Q output in step S621 is equal to the following (formula 47).

(D _w [c] τ ^c + d _w [c−1] τ ^c−j +... + D _w [1] τ + d _w [0]) P (Equation 47)
Since the scalar value input to the actual calculation unit 304 is d _w [j] encoded by the encoding unit 302, the d _w [j] satisfies (Equation 41). Therefore, Q = dP.

The second calculation method is also effective for a defense method against side channel attacks. The reason is as follows. The encoding unit 302 encodes the scalar value d into a numerical string d _w [i]. This numerical sequence d _w [i] satisfies d _w [i] = ± 1 ± τ ± τ ² ± …… ± τ ^w−1 .

Then, when the actual calculation unit 304 calculates a scalar multiple, the elliptic curve calculation corresponding to the iterative processing of steps S613 to S617 is | T... TA |, that is, A after w-1 times T. Become. However, T represents τ multiplication and A represents ECADD. This follows that d _w [i] satisfies d _w [j] = ± 1 ± τ ± τ ² ± …… ± τ ^w−1 .

  Therefore, the elliptic curve calculation to be executed is fixed to the following (formula 48) as in the first embodiment for all scalar values. Therefore, information relating to the scalar value d cannot be extracted from (Equation 48) alone.

｜ T …… TA | T …… TA | …… | T …… TA | (Formula 48)
In the second embodiment, the processes 1 to 3 may be used as in the first embodiment.

  As described above, the second calculation method can be applied to the Kobritz curve and does not give useful information for the side channel attack, so it is resistant to the side channel attack, and the memory usage and processing speed are improved. It is characterized by being excellent.

(Embodiment 3)
A scalar multiplication calculation method, scalar multiplication calculation apparatus, and program according to Embodiment 3 of the present invention will be described with reference to FIGS. 1, 2, 9, and 10. FIG. In the third embodiment, the functional block configuration of the scalar multiplication calculator 115 shown in FIG. 9 is used. The scalar multiplication calculation unit 115 (corresponding to the scalar multiplication calculation unit 135 in FIG. 1) in the third embodiment includes a previous calculation unit 902 and an actual calculation unit 903. The pre-calculation unit 902 includes an addition unit 921, a τ multiplication unit 922, and a repetition determination unit 923. The actual calculation unit 903 includes a residue acquisition unit 931, a residue conversion unit 932, an iterative determination unit 933, a δ residue conversion unit 934, a Ψ function calculation unit 935, a bit value determination unit 936, an addition unit 937, and a τ multiplication unit 938. .

As a scalar multiplication calculation method used in the third embodiment, a third calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. The third calculation method is characterized in that scalar multiplication can be directly calculated without storing a value obtained by encoding a scalar value. If the point P = (x, y) on the elliptic curve is expressed in advance by using a normal basis, x, y is the point τ (P) multiplied by τ, and the linear representation of the point P is left by one bit. The shifted value, τ ⁻¹ times the point τ ⁻¹ (P), is a value obtained by shifting the linear representation of the point P to the right by one bit.

From this, in order to calculate the point τ ^jw (d _w [i] P), first, the point d _w [i] P is called from the previous calculation table, and the x and y coordinates of the point d _w [i] P are calculated. Is shifted to the left by iw bits. Accordingly, by initializing the point Q at the infinity point O, adding the point τ ^jw (d _w [i] P) to the point Q, and substituting the value into the point Q, the operation of FIG. Scalar multiplication can be directly calculated without storing values in a storage unit such as the storage unit 326. Thus, when calculating the scalar multiple dP in the elliptic curve from the scalar value d and the point P on the elliptic curve, it is possible to save the memory for storing the encoding result. Therefore, the actual calculation unit 903 does not need to include a storage unit.

When the scalar multiplication calculation unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the actual calculation unit 903 calculates a numerical sequence d _w [i]. This d _w [i] is equal to d _w [i] defined in the second embodiment.

  Next, each process performed by the pre-calculation unit 902 and the actual calculation unit 903 will be described in detail. The method for creating the pre-calculation table from the points on the elliptic curve by the pre-calculation unit 902 is the same as in the second embodiment.

  Next, a method in which the actual calculation unit 903 calculates a scalar multiple in an elliptic curve using a pre-calculation table from a scalar value and a point on the elliptic curve will be described with reference to FIG. FIG. 10 is a flowchart showing a scalar multiple calculation process in the actual calculation unit 903.

First, the actual calculation unit 903 initializes the variable i with 0, and substitutes the infinity point O for Q (S1001). Next, the Ψ function calculation unit 935 substitutes d mod δ for the variable d ′, the real part Rpart (d ′) of d ′ in c _0, and the τ part Tpart (d ′) of d ′ in c _1. Each is substituted (S1002).

Next, the repetition determination unit 933 determines whether or not the condition {c ₀ ² + μc ₀ c ₁ + 2c ₁ ² ≧ 4/7 * 2 ^w }. If the condition is satisfied (TRUE), the process proceeds to step S1004. If the condition is not satisfied (FALSE), the process proceeds to step S1011 (S1003).

In step S1004, the remainder conversion unit 932 stores Ψ _w (c ₀ + c ₁ τ) in d _w [i]. Further, the adding unit 937 and the τ multiplying unit 938 calculate Q + τ ^iw (d _w [i] P), set the value to Q, sign (d _w [i]) to s, | d _w [i] | Is substituted for d _w [i], and the variable i is incremented by one. Next, (c ₀ −s * b ₀ [(d _w [i] −1) / 2], c ₁ −s * b ₁ [(d _w [i] −1) / 2]) ₀ , c ₁ ) (S1005).

  Next, the repetition determination unit 933 determines whether j ≦ w is satisfied (S1006). If j ≦ w (TRUE), the process proceeds to step S1007. If j> w (FALSE), the process proceeds to step S1003.

In step _{S1007, c 1 + μc 0/} 2, substituting _-c 0/2 to _c 0, _{c 1,} respectively, the flow returns to S1006.

  On the other hand, in step S1011, the actual calculation unit 903 outputs the point Q = dP.

The reason why the upper limit of the value of variable i is i + w−1 is the same as in the first and second embodiments. The reason why d _w [i] calculated by the processing performed by the actual calculation unit 903 satisfies (Expression 18), (Expression 19), and (Expression 41) is the same as that of the second embodiment.

  Further, the point Q output from the actual calculation unit 903 is equal to the scalar multiple dP. The reason is as follows.

  In step S1004, the point Q is represented by the following (formula 49).

(D _w [0] τ ⁱ + d _w [1] τ ^{i + 1} +... + D _w [i] τ ²ⁱ ) P (Equation 49)
At this time, it will be shown below that the point Q satisfies (Equation 49) also when it comes to step S1004 next time. In the loop of steps S1003 to S1007, immediately after the i-th time, the point Q satisfies (Equation 49). In step S1003, i + 1 is substituted for i.

  Therefore, the value of the point Q output immediately after step S1004 is the following (formula 50).

(D _w [0] + d _w [1] τ +... + D _w [i] τ ⁱ ) P + (d _w [i + 1] τ ^{i + 1} ) P (Equation 50)
(D _w [0] + d _w [1] τ +... + D _w [i] τ ^{i + 1} ) P (Equation 51)
Therefore, the point Q also satisfies (Equation 49) when it comes to step S1004 for the (i + 1) th time.

  Let c 'be the value of i when exiting the loop of steps S1003 to S1007. At this time, the value of the point Q satisfies the following (formula 52).

(D _w [0] + d _w [1] τ +... + D _w [i] τ ^{c ′} ) P (Formula 52)
On the other hand, the loop of steps S703 to S707 in FIG. 7 showing the encoding of the scalar value in the second embodiment performs the same operations as the operations from steps S1003 to S1007 in the third embodiment. Therefore, the following (Formula 53) holds.

c ′ = c (Formula 53)
Thus, the point Q output in the third embodiment is equal to the value output from the actual calculation unit 304 of the second embodiment. Therefore, Q = dP.

  The third calculation method is also effective for a defense against a side channel attack. The reason is as follows.

The actual calculation unit 903 calculates a numerical sequence d _w [i] from the scalar value d. This numerical sequence d _w [i] satisfies d _w [i] = ± 1 ± τ ± τ ² ± …… ± τ ^w−1 . Further, when the real calculation unit 903 calculates a scalar multiple, the elliptic curve calculation corresponding to the repetition processing of steps S1003 to S1007 is | T... TA |, that is, A after iw-1 times T. . However, T represents τ multiplication and A represents ECADD. This follows from the fact that d _w [i] satisfies d _w [i] = ± 1 ± τ ± τ ² ± …… ± τ ^w−1 .

  Therefore, the elliptic curve calculation to be executed for all scalar values is fixed as the following (formula 54) as in the first and second embodiments. Therefore, information relating to the scalar value d cannot be extracted from (Equation 54) alone.

｜ T …… TA | T …… TA | …… | T …… TA | (Formula 54)
In the third embodiment, the processes 1 to 3 may be used as in the first and second embodiments.

  As described above, the third calculation method can be applied to the Kobritz curve and does not give useful information to the side channel attack, so it is resistant to the side channel attack, and the memory usage and processing speed are improved. It is characterized by being excellent.

(Embodiment 4)
A scalar multiplication calculation method, scalar multiplication calculation apparatus, and program according to Embodiment 4 of the present invention will be described with reference to FIGS. 1, 2, 9, and 11. FIG.

  In the fourth embodiment, the functional block of the scalar multiplication calculator 115 shown in FIG. 9 is used. The configuration of scalar multiplication calculator 115 (corresponding to scalar multiplication calculator 135 in FIG. 1) in the fourth embodiment is the same as that in the third embodiment.

As a scalar multiplication calculation method used in the fourth embodiment, a fourth calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. Similar to the third calculation method, the fourth calculation method has a feature that scalar multiplication can be directly calculated without storing a value obtained by encoding a scalar value. In order to calculate the point τ ^−iw (Q), if the values of the x-coordinate and y-coordinate of the point Q are expressed in advance using a normal basis, the value of each coordinate of the point Q is ^shifted to the right by w bits. What is necessary is just to shift.

Therefore, point Q is initialized at infinity point O, point d _w [i] P is called from the previous calculation table, point d _w [i] P is added to point τ ^−iw (Q), and the value is By continuing the operation of substituting for Q, scalar multiplication can be directly calculated without storing the value in the storage unit. Thus, when calculating the scalar multiple dP in the elliptic curve from the scalar value d and the point P on the elliptic curve, it is possible to save the memory for storing the encoding result. Therefore, the actual calculation unit 902 does not need to include a storage unit.

  The differences between the third embodiment and the fourth embodiment are as follows. In the third embodiment, the value of each coordinate of the point read from the previous calculation table is shifted by iw bits, whereas in the fourth embodiment, the point Q (corresponding to intermediate data) in the work memory. It is sufficient to shift the value of each coordinate by w bits. Thereby, the frequency | count of shifting can be saved.

  Next, each process performed by the pre-calculation unit 902 and the actual calculation unit 903 will be described in detail. The method in which the pre-calculation unit 902 creates the pre-calculation table from the points on the elliptic curve is the same as in the second and third embodiments.

  Next, a method in which the real calculation unit 903 calculates a scalar multiple point in an elliptic curve from a scalar value and a point on the elliptic curve using a pre-calculation table will be described with reference to FIG. FIG. 11 is a flowchart showing a scalar multiple calculation process in the actual calculation unit 903.

First, the actual calculation unit 903 initializes the variable i with 0, and substitutes the infinity point O for Q (S1101). Next, the Ψ function calculation unit 935 substitutes d mod δ for the variable d ′, the real part Rpart (d ′) of d ′ in c _0, and the τ part Tpart (d ′) of d ′ in c _1. Each is substituted (S1102).

Next, it is determined whether or not the condition {c ₀ ² + μc ₀ c ₁ + 2c ₁ ² ≧ 4/7 * 2 ^w } is satisfied by the repetition determination unit 933 (S1103). If the condition is satisfied (TRUE), the process proceeds to step S1104. If the condition is not satisfied (FALSE), the process proceeds to step S1111.

In step S1104, the Ψ function calculation unit 935 stores Ψ _w (c ₀ + c ₁ τ) in d _w [i]. Further, the adding unit 937 and the τ multiplying unit 938 calculate τ ^−w (Q) + d _w [i] P, set the value to Q, sign (d _w [i]) to s, | d _w [ i] | is substituted for d _w [i], and the variable i is incremented by one. Next, (c ₀ , c ₁ ) is changed to (c ₀ −s * b ₀ [(d _w [i] −1) / 2], c ₁ −s * b ₁ [(d _w [i] −1). ) / 2]) is substituted (S1105).

  Next, the repetition determining unit 933 determines whether j ≦ w is satisfied (S1106). If j ≦ w (TRUE), the process proceeds to step S1107. If j> w (FALSE), the process proceeds to step S1103.

In step S1107, substituted in _{(c 1 + μc 0/2} , -c 0/2) and _(c 0, c _1), the flow returns to S1106.

  On the other hand, in step S <b> 1111, the actual calculation unit 903 outputs a point Q = dP.

The reason why the upper limit of the value of the variable i is i + w−1 is the same as in the third embodiment. The reason why d _w [i] output by the process performed by the actual calculation unit 903 satisfies (Equation 18), (Equation 19), and (Equation 41) is the same as in Embodiments 2 and 3.

  Further, the point Q output from the actual calculation unit 903 is equal to the scalar multiple dP. The reason is as follows.

  In step S1104, the point Q is represented by the following (formula 55).

(Τ ^−iw (d _w [0]) + τ ^{− (i−1) w} (d _w [1]) + …… + τ ^−w (d _w [i−1]) + d _w [i]) P (Formula 55)
At this time, it will be shown below that the point Q satisfies (Equation 55) also when it comes to step S1104 next time. In the loop of steps S1103 to S1107, the point Q satisfies (Expression 55) immediately after the i-th time. In step S1103, i + 1 is substituted for i.

  In step S1104, i + 1 is substituted for i. Therefore, the value of the point Q output immediately after step S1104 is the following (formula 56), and (formula 57) is obtained by arranging (formula 56). Therefore, the point Q satisfies (Expression 55) even when it comes to step S1104 for the (i + 1) th time.

τ ^−w (τ ^−iw (d _w [0]) + τ ^{− (i−1) w} (d _w [1]) + …… + τ ^−w (d _w [i−1]) + d _w [i]) P + (d _w [i + 1]) P (Formula 56)
^{(Τ - (i + 1)} w (d w [0]) + τ -iw (d w [1]) + ...... + τ -w (d w [i]) + d w [i + 1]) P ··· ( Equation 57 )
Let c ′ be the value of i when exiting the loop of steps S1103 to S1107. At this time, the value of the point Q satisfies the following (formula 58).

(Τ ^−cw (d _w [0]) + τ ^{− (c−1) w} (d _w [1]) +... + Τ ^−w (d _w [c−1]) + d _w [c]) P (Formula 58)
On the other hand, the loop of steps S703 to S707 in FIG. 7 showing the encoding of the scalar value in the second embodiment performs the same operation as in the fourth embodiment. Therefore, the following (formula 59) holds.

c ′ = c (Formula 59)
Thus, the point Q output in the fourth embodiment is equal to the value output from the actual calculation unit 304 of the second embodiment. Therefore, Q = dP.

  The fourth calculation method is also effective for a defense against a side channel attack. The reason is as follows.

The actual calculation unit 903 calculates a numerical sequence d _w [i] from the scalar value d. This numerical sequence d _w [i] satisfies d _w [i] = ± 1 ± τ ± τ ² ± …… ± τ ^w−1 . Further, when the real calculation unit 903 calculates a scalar multiple, the elliptic curve calculation corresponding to the repetition processing of steps S1103 to S1107 is | T... TA |, that is, A after w-1 times T. . However, T represents τ multiplication and A represents ECADD. This follows from the fact that d _w [i] satisfies d _w [i] = ± 1 ± τ ± τ ² ± …… ± τ ^w−1 .

  Therefore, the elliptic curve calculation to be executed for all scalar values is fixed as (Equation 60) below, as in the first and second embodiments. Therefore, information relating to the scalar value d cannot be extracted from (Equation 60) alone.

｜ T …… TA | T …… TA | …… | T …… TA | (Formula 60)
In the fourth embodiment, the processes 1 to 3 may be used as in the first, second, and third embodiments.

  As described above, the fourth calculation method can be applied to the Kobritz curve and does not give useful information for the side channel attack, so it is resistant to the side channel attack, and the memory usage and the processing speed are improved. It is characterized by being excellent.

(Embodiment 5)
A scalar multiplication calculation method, scalar multiplication calculation apparatus, and program according to Embodiment 5 of the present invention will be described with reference to FIGS.

  In the fifth embodiment, the functional block of the scalar multiplication calculator 115 shown in FIG. 3 is used. The configuration of scalar multiplication calculator 115 (corresponding to scalar multiplication calculator 135 in FIG. 1) in the fifth embodiment is the same as in the first and second embodiments.

  As a scalar multiplication calculation method used in the fifth embodiment, a fifth calculation method in which the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d and the point P on the elliptic curve will be described. In the fifth calculation method, a scalar multiplication method for elliptic curves other than the Kobritz curve, which is effective as a defense against side channel attacks, will be described.

  As an example of the elliptic curve as described above, an elliptic curve having the following definition formula (Formula 61) is considered.

y ² = x ³ −b (b ≠ 0) (Formula 61)
An operation called Frobenius map τ can be performed on the points on the elliptic curve. The Frobenius map τ for the point (x ₁ , y ₁ ) is to calculate the following (formula 62). τ can be considered as a complex number having a positive imaginary part that satisfies the following (Equation 63).

(X ₃ , y ₃ ) = τ (x ₁ , y ₁ ) = (x ₁ ⁷ , y ₁ ⁷ ) (Expression 62)
τ ² −tτ + 7 = 0 (Expression 63)
Here, the imaginary part of the complex number a + bi (where i is an imaginary unit) is a real number b, and t is an integer called a trace in an elliptic curve. However, _{tw + 1} is an integer given by (Expression 64) below, and U _{w + 1} is an integer determined by (Expression 65) below.

t _{w + 1} = 7 U _w U _{w + 1} ⁻¹ mod 7 ^{w + 1} (Formula 64)
U ₀ = 0, U ₁ = 1, U _{w + 1} = tU _w −7U _w−1 (Expression 65)
In the first embodiment, the operation of encoding the scalar value d into the numerical sequence d _w [i] corresponds to continuing to divide the scalar value d by τ ^w until a remainder is obtained. Therefore, if it is possible to scalar value d performs division by tau ^w, thus being able to constitute a protection method against side channel attacks in the scalar multiplication of an elliptic curve other than Koblitz curve.

When the scalar multiplication unit 115 receives the scalar value d and the point P on the elliptic curve from the decoding processing unit 132, the encoding unit 302 encodes the input scalar value d into a numeric string d _w [i]. This is equivalent to converting the scalar value d into d _w [i] satisfying the following (Expression 67) and (Expression 68) with respect to the integer d ′ satisfying the following (Expression 66).

dP = d′ P (Formula 66)
d ′ = d _w [2n] τ ²ⁿ + d _w [2n−1] τ ²ⁿ⁻¹ +... + d _w [i] τ ⁱ +... + d _w [0] (Expression 67)
−7 ^w <d _w [i] <7 ^w (Formula 68)
The pre-calculation unit 303 creates a pre-calculation table from the input point P on the elliptic curve. The pre-calculation table is composed of {P, 2P,..., (7 ^w −1) P}. However, the point kP (k = 7, 7 ² ,..., 7 ^w−1 ) is not included in the previous calculation table.

  The actual calculation unit 304 calculates a scalar multiple dP from the encoded scalar value and the point P on the elliptic curve using the pre-calculation table.

  Next, each process performed by the encoding unit 302, the pre-calculation unit 303, and the actual calculation unit 304 will be described in detail.

  The encoding unit 302 encodes the scalar value d in the same manner as in the first embodiment. However, in step S401, δ is a number that satisfies the following (formula 69), where m is an integer called an expansion order.

δ = (τ ^m −1) / (τ−1) (Equation 69)
The calculation method of d mod δ is as follows. δ can be transformed to the following (Equation 70) by using (Equation 69). Here, δ ₀ and δ ₁ are integers.

δ = δ ₀ + δ ₁ τ (Expression 70)
The scalar value d can be written as (Equation 71) below. Here, d ₀ and d ₁ are integers.

d = d ₀ + d ₁ τ (Expression 71)
At this time, dmod δ is a number satisfying the following (formula 72).

d mod δ = r ₀ + r ₁ τ (Expression 72)
However, r ₀ and r ₁ are integers satisfying the following (Expression 73) and (Expression 74), respectively, and q ₀ and q ₁ are numbers satisfying the following (Expression 75) and (Expression 76).

r ₀ = d ₀ −δ ₀ q ₀ + 7δ ₁ q ₁ (Expression 73)
r ₁ = d ₁ −δ ₁ q ₀ −δ ₀ q ₁ −tδ ₁ q ₁ (Expression 74)
q ₀ = Round (λ ₀ ) (Expression 75)
q ₁ = Round (λ ₁ ) (Formula 76)
Here, λ ₀ and λ ₁ are numbers (rational numbers) satisfying λ ₀ = g ₀ / N and λ ₁ = g ₁ / N, and Round (λ) exceeds λ + 1/2 with respect to the number λ. There is no maximum integer. G ₀ , g ₁ , and N are integers given by the following (formula 77), (formula 78), and (formula 79), respectively.

g ₀ = d ₀ δ ₀ + td ₀ δ ₁ + 7d ₁ δ ₁ (Expression 77)
g ₁ = d ₁ δ ₀ -d ₀ δ ₁ (Formula 78)
N = δ ₀ ² + tδ ₀ δ ₁ + 7δ ₁ ² (Equation 79)
The branch condition of the step S403 is, | Rpart (d ') | <2 w and Tpart (d') = instead 0, | Rpart (d ') | <7 w and Tpart (d') = 0 is there. Step S411 is, Rpart (d ') substituting mod 2 ^{w + 1} to _{x R,} and Tpart (d') rather than substitutes mod 2 ^{w + 1} to _{x T,} Rpart (d ') substituting the mod 7 ^{w + 1} to _{x R,} Tpart (d ') the mod 7 ^{w + 1} is substituted for _{x T.} In step _{S412, (x R + x T} * t w + 1 mod 2 w + 1) and -2 ^w rather than substituted into _u, substituting _{(x R + x T * t} w + 1 mod 7 w + 1) -7 w to u.

Here, _{tw + 1} is an integer given by (Expression 80) below, and U _{w + 1} is an integer determined by (Expression 81) below.

t _{w + 1} = 7 U _w U _{w + 1} ⁻¹ mod 7 ^{w + 1} (Equation 80)
U ₀ = 0, U ₁ = 1, U _{w + 1} = tU _w −7U _w−1 (Equation 81)
The method by which the pre-calculation unit 303 creates the pre-calculation table from the points on the elliptic curve is the same as in the first embodiment. However, the branch condition in step S503 is not j <2 ^w but j <7 ^w .

The method in which the actual calculation unit S304 calculates the scalar multiple in the elliptic curve from the encoded scalar value, the point on the elliptic curve, and the previous calculation table is the same as in the first embodiment. However, τ of the τ multiplication unit 343 in the fifth embodiment satisfies (Expression 63) instead of (Expression 9). The d _w [i] output by the processing performed by the encoding unit 302 satisfies (Expression 66), (Expression 67), and (Expression 68). The reason why (Expression 66) and (Expression 67) are satisfied is the same as in the first embodiment.

It can be easily understood that u [j] calculated in step S412 falls within the following range (formula 82). Accordingly, u [j] is assigned to d _w [i] other than 0. Therefore, (Equation 68) is satisfied.

−7 ^w <u [j] <7 ^w (Expression 82)
U [j] calculated by the processing performed by the encoding unit 302 is a multiple of 7 except for j = 0, and the point Q output from the actual calculation unit 304 is equal to the scalar multiple dP. The reason for this is the same as in the first embodiment. The fifth calculation method is also effective for a defense against a side channel attack. The reason for this is the same as in the first embodiment.

  In the fifth embodiment, the processes 1 to 3 may be used as in the first to fourth embodiments.

  Examples of elliptic curves other than the above (formula 61) are given. Elliptic curve E is a non-patent document, RP Gallant, JL Lambert, and SA Vanstone “Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms”, In J. Kilian, editor, Advances in Cryptology-Proceedings of CRYPTO 2001, volume 2139 Assuming that the elliptic curve is described in of Lecture Notes in Computer Science, 190-200. Springer, 2001., it is known that the scalar multiplication dP for the point P and the scalar value d may be calculated by the following (formula 83). ing.

dP = k ₁ P + k ₂ ΨP (Expression 83)
Here, k ₁ and k ₂ are positive integers in the range from 0 to √n, Ψ is a self-homogeneous map of E, and n is the order of the point P. By repeatedly performing the operation of (Expression 83) on the integers k ₁ and k ₂ , the scalar value d can be converted into the form described in any one of the first to fourth embodiments. At this time, the elliptic curve calculation to be executed for all scalar values is fixed as (Equation 84) below. Where Ψ represents a self-homogeneous operation. Therefore, information relating to the scalar value d cannot be extracted from (Equation 84) alone.

| Ψ …… ΨA | Ψ …… ΨA | …… | Ψ …… ΨA | (formula 84)
As described above, the fifth calculation method is not resistant to side channel attacks because it does not give useful information for side channel attacks, and can be applied to elliptic curves other than Kobritz curves. It is characterized by excellent amount and high processing speed.

(Embodiment 6)
A scalar multiplication calculation method, scalar multiplication calculation apparatus, and program according to Embodiment 6 of the present invention will be described with reference to FIGS. 1, 2, 9, and 12. FIG.

  In the sixth embodiment, the functional block of the scalar multiplication calculator 115 shown in FIG. 9 is used. The configuration of scalar multiplication calculation section 115 (corresponding to scalar multiplication calculation section 135 in FIG. 1) in the sixth embodiment is the same as in the third and fourth embodiments. However, in the sixth embodiment, it is assumed that the doubling unit 922 is provided instead of the τ multiplication unit 922 of the previous calculation unit 902 in FIG.

  As a scalar multiplication calculation method used in the sixth embodiment, the scalar multiplication calculation unit 115 calculates the scalar multiplication point dP in the elliptic curve from the scalar value d, the point P on the elliptic curve, and the window width w. A method will be described. In the sixth calculation method, it is assumed that the scalar value d is stored in binary τ-adic representation. Here, the binary τ-adic expression of the scalar value d is an expression of the following (Expression 85) and (Expression 86).

d = d _w [n + a−1] τ ^{n + a−1} + d _w [n + a−2] τ ^{n + a−2} + …… + d _w [i] τ ⁱ + …… + d _w [0] (Expression 85)
d _w [i] = 0 or d _w [i] = 1 (Expression 86)
At this time, the binary representation of the scalar value d is characterized in that it can be easily stored in a memory and the scalar value d can be easily converted into another representation, like the normal binary representation. Further, it is possible to change the window width w every time the scalar multiple dP is calculated.

  Since there is a trade-off relationship between processing speed and memory usage, it is possible to select a window width according to the situation.

  Further, in the scalar multiplication on the elliptic curve in the sixth embodiment, the scalar value d is stored in binary τ-adic representation, so the processing from the most significant bit to the least significant bit (left-to-right) is performed. Make it possible to do.

  Next, each process performed by the pre-calculation unit 902 and the actual calculation unit 903 will be described in detail. The method by which the pre-calculation unit 902 creates the pre-calculation table from the point P on the elliptic curve is the same as in the first and fifth embodiments.

  Using FIG. 12, the real calculation unit 903 calculates a scalar multiple in an elliptic curve from a scalar value stored in binary τ-adic representation, a point on the elliptic curve, a previous calculation table, and a window width w. Will be explained. FIG. 12 is a flowchart showing the scalar multiple calculation process of the actual calculation unit 903.

  First, the actual calculation unit 903 initializes the point Q with the infinity point O of the elliptic curve E and the variable i with m + a−1 (S1201). Next, the repetition determining unit 933 determines whether i> w is satisfied (S1202). If i> w (TRUE), the process proceeds to step S1203. If i ≦ w (FALSE), the process proceeds to step S1221.

  In step S1203, the initial value 1 is substituted into the variable j. Next, the repetition determination unit 933 determines whether j ≦ w is satisfied (S1204). If j ≦ w (TRUE), the process proceeds to step S1205. If j> w (FALSE), the process proceeds to step S1211. In step S1205, the τ multiplication unit 938 multiplies the point Q by τ and stores it at the point Q.

In step S1211, (1 + Σd _{i−w + j} (t _{w + 1} U _j −2U _j−1 )) mod 2 ^{w + 1} −2 ^w is substituted for u _i .

Next, the repetition determination unit 933 determines whether u _i > 0 (S1212). If u _i > 0 (TRUE), the process proceeds to step S1213. If u _i ≦ 0 (FALSE), the process proceeds to step S1214.

In step S1213, the adding unit 937 adds the point Q and the point u _i P on the previous calculation table, and stores the result in the point Q. On the other hand, in step S <b> 1213, the adding unit 937 subtracts the point −u _i P on the previous calculation table from the point Q, and stores it at the point Q. Next, i-w is substituted into i in step S1215d.

  On the other hand, in step S1211, the repetition determination unit 933 determines whether j ≦ i. If j ≦ i (TRUE), the process proceeds to step S1222. If j> i (FALSE), the process proceeds to step S1231. In step S1222, the τ multiplication unit 938 multiplies the point Q by τ and stores it at the point Q.

In step S1231, (1 + Σd _i (t _{i + 1} U _j −2U _j−1 )) mod 2 ^{i + 1} −2 ⁱ is substituted for u ₀ . Next, the repetition determination unit 933 determines whether u ₀ > 0 is satisfied (S1232). If u ₀ > 0 (TRUE), the process proceeds to step S1233. If u ₀ ≦ 0 (FALSE), the process proceeds to step S1234.

In step S1233, the addition unit 937 adds the point Q and the point u ₀ P on the previous calculation table, and stores the result in the point Q. On the other hand, in step S <b> 1234, the adding unit 937 subtracts the point −u ₀ P on the previous calculation table from the point Q and stores it at the point Q.

Next, the repetition determining unit 933 determines whether d ₀ = 0 (S1235). If d ₀ = 0 (TRUE), the process proceeds to step S1236. If d ₀ ≠ 0 (FALSE), the process proceeds to step S1237.

  In step S1236, the adding unit 937 adds the point Q and the point -P and stores the result in the point Q. On the other hand, in step S <b> 1237, the adding unit 937 adds the point Q and the point −τP and stores it at the point Q. In step S1241, the actual calculation unit 903 outputs the point Q.

  The sixth calculation method is also effective for a defense against a side channel attack. The reason is as follows.

In step S1211, the _{u i (1 + Σd i-} w + j (t w + 1 U j -2U j-1)) by substituting mod 2 ^w + 1 -2 ^w, at step S1231, the _{u 0 (1 + Σd j (} t i + 1 U j - 2U _j-1 )) mod 2 ^{i + 1} -2 ⁱ is substituted.

A numerical sequence u _{m + a−1} ... u ₀ in which u _i is arranged from left to right from i = m + a−1 to i = ₀ is represented by the following pattern (formula 87).

｜ 0 …… 0x | 0 …… 0x | …… | 0 …… 0x | (Expression 87)
Here, each x is a non-zero value and corresponds to the above u [j]. Here, “0... 0” continues for w−1 when j ≠ 0, and continues for w−1 at most when j = 0.

  When the real calculation unit 903 calculates a scalar multiple, in the iterative processing of steps S1204 to S1215, the elliptic curve calculation corresponding to the block | 0... 0x | is | T. A after T. However, T represents τ multiplication and A represents ECADD.

  Therefore, the elliptic curve calculation to be executed for all scalar values is fixed as in the following (Equation 88) as in the first and second embodiments. Therefore, information relating to the scalar value d cannot be extracted from (Equation 88) alone.

｜ T …… TA | T …… TA | …… | T …… TA | (Formula 88)
In the sixth embodiment, the processes 1 to 3 may be used as in the first to third embodiments.

  As described above, the sixth calculation method can be applied to the Kobritz curve and does not give useful information for the side channel attack. It is characterized by being excellent.

(Embodiment 7)
A scalar multiplication calculation method, scalar multiplication calculation apparatus, and program according to Embodiment 7 of the present invention will be described with reference to FIGS. 3, 13 to 15, 21, and 22.

  In the seventh embodiment, the functional block of the scalar multiplication unit 115 shown in FIG. 3 is used. The configuration of scalar multiplication unit 115 (corresponding to scalar multiplication unit 135 in FIG. 1) in the seventh embodiment is the same as in the first, second, and fifth embodiments.

As a scalar multiplication calculation method used in the seventh embodiment, a seventh calculation method in which the scalar multiplication calculator 115 calculates a scalar value d, a point P on the elliptic curve, and a scalar multiple dP in the elliptic curve from the window width w will be described. To do. In the seventh calculation method, the scalar value d is encoded so as to satisfy (Expression 85) with respect to d _w [i] that satisfies the following (Expression 89).

d _w [i] = 1 or d _w [i] = − 1 (formula 89)
At that time, the pre-calculation unit 303 calculates a point represented by the following (formula 90) from the fixed point P.

τ ^w-1 P ± τ ^w-2 P ± …… ± τP ± P (Equation 90)
The actual calculation unit 304 includes scalar values d satisfying (Expression 85) and (Expression 89) and a pre-calculation table {τ ^w−1 P ± τ ^w−2 P ±... ± τP ± satisfying (Expression 90). A scalar multiple dP is calculated from P}.

Differences between the sixth embodiment and the seventh embodiment are as follows. In the sixth embodiment, when a scalar value is encoded, each d _w [i] in (Expression 85) satisfies (Expression 86), whereas in the seventh embodiment, when a scalar value is encoded, In (Expression 85), each d _w [i] satisfies (Expression 89).

  The sixth embodiment and the seventh embodiment are different in that they are stored in the pre-calculation table, and the pre-calculation table in the seventh embodiment can be created faster than the sixth embodiment. Further, it is possible to further speed up the scalar multiplication.

  Next, each process performed by the encoding unit 302, the pre-calculation unit 303, and the actual calculation unit 304 will be described in detail.

  First, a method in which the encoding unit 302 encodes the scalar value d so as to satisfy (Expression 85) and (Expression 89) will be described with reference to FIG.

The encoding unit 302 inputs d (S1301). Next, the δ residue conversion unit 324 calculates d mod δ and substitutes the real part of d mod δ for c ₀ and the τ part of d mod δ for c ₁ (S1302). Next, 0 is substituted for i (S1303).

Next, in step S1304, the repetition determination unit 323 determines whether | c ₀ | ≠ 1 or c ₁ ≠ 0. When the condition is satisfied (TRUE), the process proceeds to step S1311. If the condition is not satisfied (FALSE), the process proceeds to step S1321.

In step S1311, the remainder acquisition unit 321 calculates (c ₀ +2 μc ₁ mod 4) −2 and substitutes it for u. Next, u is substituted into d ₁ [i], and i + 1 is substituted into i (S1312). Next, c ₀ -u is substituted for c ₀ (S1313). Then, the _{c 0} to t, the _{c 1} + _{μc 0/2} to _{c 0,} a -t / 2 to _{c 1,} substituting respectively, returns to the step S1304 (S1314).

On the other hand, in step S1321, substitutes _{c 0} to _{d 1 [i] (S1321)} . Next, the encoding unit 302 outputs d ₁ [i],..., D ₁ [0] (S1322).

  Next, an outline in which the pre-calculation unit 303 creates a pre-calculation table from points on the elliptic curve will be described with reference to FIG. However, in the present embodiment, it is assumed that the 332 includes not a doubling unit but a τ multiplying unit.

In step S1401, P is substituted for R ₁ [0]. When w = 1, the process ends here.

In step S1402, the _{τR 1 [0] + R 1} [0] to _{R 2} [1], the _{τR 1 [0] -R 1 [} 0] to _{R 2} [0], the values are. When w = 2, the process ends here. At this time, R ₂ [1] = τP + P and R ₂ [0] = τP−P.

In step _{S1403, R 3 [1 || u} 0] to _{^{τ 2 R 1 [0] +}} R 2 a _{[u 0], R 3 [} 0 || ~ u 0] to _{^{τ 2 R 1 [0] -R}} 2 [u ₀ ] is substituted for each. Note that the symbol X with a superscript bar in FIG. 14 is represented by the symbol “˜X” in the text. When w = 3, the process ends here. When the value of w is general, the above calculation method is continued until w. Steps S1404 and S1405 indicate cases where w = 4 and 5, and are calculated in the same manner. The symbol “||” represents a combination of bit strings. Also, a symbol with a superscript bar, for example, u ₀ with a superscript bar represents bit inversion of u ₀ . Here, u ₀ , l ₀ , l _1, etc. are each 1-bit values and take values of 0 and 1. For example, in the case of R3 [0 || ˜u ₀ ] in S1403, for u ₀ = 0 and 1, R ₃ [01] and R ₃ [00] are represented, respectively, and the values of u ₀ = Values obtained by substituting 0 and 1 are stored in R ₃ [01] and R ₃ [00].

  Next, a method in which the pre-calculation unit 303 creates a pre-calculation table from points on an elliptic curve will be described with reference to FIGS.

The pre-calculation unit 303 inputs the point P on the elliptic curve and the window width w (S2101). In step S2103, P is substituted into R ₁ [0] (S2102). Next, the repetition determination unit 323 determines whether or not w = 1. If the condition is met (TRUE), the process proceeds to step S2104. If the condition is not satisfied (FALSE), the process proceeds to step S2111.

In step S2104, the pre-calculation unit 303 outputs the point R ₁ [0] (S2104).

In step S2111, the addition unit 331 and the τ multiplication unit 332 calculate τR ₁ [0] + R ₁ [0], and substitute the result into R ₂ [1]. Further, the adding unit 331 and the τ multiplication unit 332 calculate τR ₁ [0] −R ₁ [0], and substitute the result into R ₂ [0]. In the following steps S2122, S2113, S2202 to S2206, S2212 to S2219, etc., calculation is performed by the adder 331 and the τ multiplier 332.

  Next, the repetition determining unit 323 determines whether w = 2 (S2112). When the condition is satisfied (TRUE), the process proceeds to step S2113. If the condition is not satisfied (FALSE), the process proceeds to step S2121.

In step S2113, the pre-calculation unit 303 outputs points R ₂ [0] and R ₂ [1].

  On the other hand, in step S <b> 2121, the repetition determination unit 323 determines whether w = 3 or 5 is satisfied. When the condition is satisfied (TRUE), the process proceeds to step S2122. If the condition is not satisfied (FALSE-A), the process proceeds to step S2201 in FIG.

In step S2122, the adding unit 331 and the τ multiplication unit 332 calculate τ ² R ₁ [0] + R ₂ [0], and substitute the result into R ₃ [10]. Further, τ ² R ₁ [0] −R ₂ [0] is calculated, and the result is substituted into R ₃ [01]. Next, similarly, τ ² R ₁ [0] + R ₂ [1] is calculated, and the result is substituted into R ₃ [11]. Also, τ ² R ₁ [0] −R ₂ [1] is calculated, and the result is substituted into R ₃ [00] (S2123).

  Next, the repetition determining unit 323 determines whether w = 3 (S2124). When the condition is satisfied (TRUE), the process proceeds to step S2125. If the condition is not satisfied (FALSE-A), the process proceeds to step 2201 in FIG.

In step S2125, the pre-calculation unit 303 outputs the points R ₃ [11], R ₃ [00], R ₃ [10], R ₃ [01] and ends.

  In S2201 of FIG. 22, the repetition determination unit 323 determines whether w = 4. If the condition is met (TRUE), the process proceeds to step S2202. If the condition is not satisfied (FALSE), the process proceeds to step S2211.

In S2202, the addition unit 331 and the τ multiplication unit 332 calculate τ ² R ₂ [1] + R ₂ [0], and substitute the result into R ₄ [110]. Further, τ ² R ₂ [1] −R ₂ [0] is calculated, and the result is substituted into R ₄ [101]. Next, τ ² R ₂ [1] + R ₂ [1] is calculated and the result is substituted into R ₄ [111], and τ ² R ₂ [1] −R ₂ [1] is calculated. The result is substituted into R ₄ [100] (S2203). Next, τ ² R ₂ [0] + R ₂ [0] is calculated and the result is substituted into R ₄ [010], and τ ² R ₂ [0] −R ₂ [0] is calculated. The result is substituted into R ₄ [001] (S2204). Next, τ ² R ₂ [0] + R ₂ [1] is calculated and the result is substituted into R ₄ [011], and τ ² R ₂ [0] −R ₂ [1] is calculated. The result is substituted into R ₄ [000] (S2205).

Next, the pre-calculation unit 303 calculates points R ₄ [000], R ₄ [001], R ₄ [010], R ₄ [011], R ₄ [100], R ₄ [101], R ₄ [110]. ], R ₄ [111] are output and the process ends (S2206).

  On the other hand, in step S2211, the repetition determination unit 323 determines whether w = 5. When the condition is satisfied (TRUE), the process proceeds to step S2212. If the condition is not satisfied (FALSE), the process ends.

In step S2212, the adding unit 331 and the τ multiplication unit 332 calculate τ ³ R ₂ [1] + R ₃ [11], and substitute the result into R ₅ [1111]. Also, τ ³ R ₂ [1] −R ₃ [11] is calculated, and the result is substituted into R ₅ [1000]. Next, τ ³ R ₂ [1] + R ₃ [10] is calculated and the result is substituted into R ₅ [1110], and τ ³ R ₂ [1] −R ₃ [10] is calculated. The result is substituted into R ₅ [1001] (S2213). Next, τ ³ R ₂ [1] + R ₃ [01] is calculated and the result is substituted into R ₅ [1101], and τ ³ R ₂ [1] −R ₃ [01] is calculated. The result is substituted into R ₅ [1010] (S2214). Next, τ ³ R ₂ [1] + R ₃ [01] is calculated and the result is substituted into R ₅ [1101], and τ ³ R ₂ [1] −R ₃ [01] is calculated. The result is substituted into R ₅ [1010] (S2215). Next, τ ³ R ₂ [0] + R ₃ [11] is calculated and the result is substituted into R ₅ [0111], and τ ³ R ₂ [0] −R ₃ [11] is calculated. The result is substituted into R ₅ [0000] (S2216). Next, τ ³ R ₂ [0] + R ₃ [10] is calculated and the result is substituted into R ₅ [0110], and τ ³ R ₂ [0] −R ₃ [10] is calculated. The result is substituted into R ₅ [0001] (S2217). Next, τ ³ R ₂ [0] + R ₃ [01] is calculated and the result is substituted into R ₅ [0101], and τ ³ R ₂ [0] −R ₃ [01] is calculated. The result is substituted into R ₅ [0010] (S2218). Next, τ ³ R ₂ [0] + R ₃ [00] is calculated and the result is substituted into R ₅ [0100], and τ ³ R ₂ [0] −R ₃ [00] is calculated. The result is substituted into R ₅ [0011] (S2219).

Next, the pre-calculation unit 303 calculates points {R ₅ [0000], R ₅ [0001], R ₅ [0010], R ₅ [0011], R ₅ [0100], R ₅ [0101], R ₅ [ 0110], R ₅ [0111], R ₅ [1000], R ₅ [1001], R ₅ [1010], R ₅ [1011], R ₅ [1100], R ₅ [1101], R ₅ [1110] , R ₅ [1111]} is output and the process ends (S2120).

  Finally, a method in which the actual calculation unit 304 calculates a scalar multiple in the elliptic curve from the encoded scalar value and a point on the elliptic curve will be described with reference to FIG.

First, the actual calculation unit 304 inputs d ₁ [i], ..., d ₁ [0], w, P, R _w [0], ..., R _w [2 ^w-1 -1] ( S1501). Next, an infinite point O is substituted for Q, and i is substituted for j (S1502). Next, the repetition determination unit 344 determines whether j> w−1 (S1503). When the condition is satisfied (TRUE), the process proceeds to step S1511. If the condition is not satisfied (FALSE), the process proceeds to step S1515.

In step S1511, u is changed to (1/2) * (1-(-1) ^{s * d1 [j-1]} ) 2 ^w-2 + (1/2) * (1-(-1) ^{s * d1. [j-2]} ) 2 ^w-3 +... + (1/2) * (1-(-1) ^{s * d1 [j-w + 1]} ) 2 ⁰ is substituted.

Next, the adding unit 342 and the τ multiplication unit 343 calculate τ ^w Q + d ₁ [j] * R _w [u], and substitute the result into Q (S1512). Next, j-w is substituted for j, and the process returns to step S1503 (S1513).

  On the other hand, in step S1515, the repetition determining unit 344 determines whether j ≧ 0. If the condition is met (TRUE), the process proceeds to step S1521. If the condition is not satisfied (FALSE), the process proceeds to step S1531.

In step S1521, the adding unit 342 and the τ multiplication unit 343 calculate τQ + d ₁ [j] * P and substitute the result into Q. Next, j-1 is substituted for j, and the process returns to step S1515 (S1522). In step S1531, the actual calculation unit 304 outputs Q and ends.

In the encoding method, each digit d ₁ [i] satisfies (Equation 89). The reason for this is as follows. In elliptic curve cryptography, an odd number is used as the secret key d. In the loop of steps S1304～S1314, explaining that integer _{c 0} is always odd.

Integer a, with respect to b, "a + Bitau is divisible by tau" ⇔ is "a is an even number", it is "a + Bitau is divisible by tau ^2" ⇔ "A≡2b mod 4" is, in Non-Patent Document 4 Are listed. Here, “⇔” is a symbol representing an equivalence relationship.

In step S1311, u = (c ₀ +2 μc ₁ mod 4) −2 is calculated, and c ₀ −u is substituted for c ₀ in step S1313. Here, if a = (c ₀ +2 μc ₁ mod 4) −2 and b = c ₁ , a mod 4 ≡−2 μc ₁ +2 mod 4. However, −2 μc ₁ +2 mod 4 ≡ 2c ₁ mod 4 does not hold. From this, it is understood that a mod 4 ≡ 2b mod 4 does not hold. Therefore, with respect to c ₀ and c ₁ after the end of step S1313, it can be seen that c ₀ + c ₁ τ is divisible by τ, but is not divisible by τ ² . It can also be seen that (c ₀ +2 μc ₁ mod 4) = 1 or 3. Since u = (c ₀ +2 μc ₁ mod 4) −2, each digit d ₁ [i] in (Expression 85) is 1 or −1. From the above, each digit d ₁ [i] in (Expression 85) satisfies (Expression 89).

  The pre-calculation table creation method can be executed faster than the sixth embodiment. The reason is as follows.

  In the sixth embodiment, the pre-calculation unit 902 in FIG. 9 includes a doubling unit 922 instead of the τ multiplication unit 922, whereas in the seventh embodiment, the pre-calculation unit 303 in FIG. Includes a τ multiplication unit 332, and τ multiplication on an elliptic curve can be calculated faster than doubling on an elliptic curve. Also, ellipse addition and ellipse subtraction for two points on the elliptic curve are calculated simultaneously. Therefore, the pre-calculation table creation method can be executed at high speed as compared with the sixth embodiment.

  The above scalar multiplication calculation method is effective as a defense method against a side channel attack. The reason is as follows.

  In the repetitive processing of steps S1503 to S1513, the elliptic curve calculation to be executed is fixed as (Equation 91) below. Here, T is continuous by w−1.

｜ T …… TA | T …… TA | …… | T …… TA | (Formula 91)
In the repetition processing of steps S1515 to S1522, the elliptic curve calculation to be executed is fixed as the following (formula 92). However, in (Equation 92), T is continuous at most w−1.

｜ T …… TA | (Formula 92)
Accordingly, since the elliptic curve calculation to be executed for all scalar values in the actual calculation unit 304 is fixed as (Equation 93) below, information on the scalar value is extracted from only (Equation 93). I can't. That is, it has a defense method against side channel attacks. However, in (Equation 93), T continues for w blocks other than the lowest block, and T continues for at most w-2 in the lowest block.

｜ T …… TA | T …… T | …… | T …… TA | T …… TA |
As described above, the seventh calculation method can be applied to the Kobritz curve and does not give useful information for the side channel attack, so it is resistant to the side channel attack, and the memory usage and processing speed are improved. It is characterized by being excellent.

<Signature verification system (1)>
Next, an embodiment in which the present invention is applied to a signature verification system will be described. First, a signature generation method, signature generation apparatus, and program according to Embodiment 8 of the present invention will be described with reference to FIGS. FIG. 16 shows the configuration of the signature verification system (1) according to the eighth embodiment. This signature verification system includes a signature generation apparatus that performs a signature generation process according to the signature generation method according to the embodiment of the present invention, and a signature. And a signature verification device that performs verification processing. Each apparatus includes a scalar multiplication calculator that performs processing according to the scalar multiplication apparatus according to any one of the first to seventh embodiments. In particular, the signature verification system shown in FIG. 16 includes a smart card 1601 that is a signature generation apparatus according to an embodiment of the present invention, and a computer 1621 that is a signature verification apparatus. The computer 1621 performs signature verification processing by executing a program. The smart card 1601 performs signature generation processing corresponding to signature verification processing in the computer 1621 by executing a program. Data and information are exchanged between the computer 1621 and the smart card 1601.

  The smart card 1601 includes a CPU 1613, a coprocessor 1614, a RAM 1603, a ROM 1606, and an input / output interface 1610. Similar to the first embodiment, the RAM 1603 stores a constant 1604 and secret information 1605.

  The computer 1621 includes a CPU 1633, a coprocessor 1634, a RAM 1623, a ROM 1626, an external storage device 1627, and an input / output interface 1630. As in the first embodiment, the RAM 1623 stores a constant 1624 and secret information 1625.

  Here, the smart card refers to a portable card-shaped device on which an IC (integrated circuit) including a processor is mounted. In this example, the smart card 1601 is a device that includes a CPU 1613 and a coprocessor 1614 as processors, and a RAM 1603 and a ROM 1606 as memories.

  The smart card 1601 has a configuration similar to that of the computer A101 shown in FIG. 1, and an arithmetic device such as the CPU 1613 and the coprocessor 1614 executes a program stored in the storage unit 1602, thereby obtaining a processing unit 1611. The signature generation processing unit 1612 is realized instead of the data processing unit 112. However, as shown in FIG. 13, the smart card 1601 may not include the external storage device 107, the display 108, the keyboard 109, and the like shown in FIG.

  The computer 1621 has the same configuration as the computer A101, and the CPU 1613 executes the program stored in the storage unit 1622, thereby realizing the signature verification processing unit 1632 instead of the data processing unit 112 as the processing unit 1631. The scalar multiplication calculators 1615 and 1635 have the same functions as the scalar multiplication calculators 115 and 135 shown in FIG. The signature generation processing unit 1612 and the signature verification processing unit 1632 perform corresponding processing.

  Note that in this embodiment, each program in the computer 1621 may be stored in advance in the storage unit 1622 in the computer 1621 or may be stored via a medium that can be used by the computer 1621 when necessary. May be introduced into the storage unit 1622. Further, each program in the smart card 1601 may be stored in advance in the storage unit 1602 in the smart card 1601, or when necessary, a computer connected via the input / output interface 1610, or the computer It may be introduced into the storage unit 1602 via an available medium. The usable medium refers to, for example, a storage medium removable from the computer or a communication medium (that is, a network or a carrier wave propagating through the network).

  Operations of signature generation and signature verification in the signature verification system shown in FIG. 16 will be described with reference to FIG. The data processing unit 112 in FIG. 2 corresponds to the signature generation processing unit 1612 and the signature verification processing unit 1632. Similarly, the scalar multiplication calculator 115 corresponds to each of the scalar multiplication calculators 1615 and 1635, and the storage unit 102 corresponds to each of the storage units 1602 and 1622.

  In FIG. 16, processing based on a predetermined digital signature algorithm is performed between a computer 1621 and a smart card 1601. There is a signature method called an elliptic curve digital signature algorithm (ECDSA) that configures a digital signature method based on a discrete logarithm problem in correspondence with a method based on a discrete logarithm problem on an elliptic curve. The ECDSA signature using this method is described in Non-Patent Document 1, for example.

  First, the computer 1621 outputs a randomly selected numerical value as a challenge code 1642 from the input / output interface 1630 and transfers it to the smart card 1601 via the interface.

  Smart card 1601 receives challenge code 1642 via input / output interface 1610. The signature generation processing unit 1612 (112 in FIG. 2) receives the challenge code 1642, takes the hash value of the received challenge code 1642, and converts it into a numerical value f having a predetermined bit length.

  The signature generation processing unit 1612 generates a random number u, and together with the fixed point Q (S205) on the elliptic curve read from the constant 1604 stored in the storage unit 1602 (102 in FIG. 2), the scalar multiplication calculation unit 1615. (115 in FIG. 2) (S206).

The scalar multiplication unit 1615, a fixed point Q, scalar by the random number u multiplied point uQ _{= (x} u, _{y u)} was calculated, and sends the calculated scalar-multiplied point uQ to the signature generation processing unit 1612 (S207).

  Then, the signature generation processing unit 1612 generates a signature (digital signature data) using the sent scalar multiple uQ. For example, if processing according to the ECDSA signature is performed, a signature (s, t) corresponding to the challenge code 1642 is obtained by calculating the following (formula 94) and (formula 95) (S208).

s = x _u mod q (Equation 94)
t = u ⁻¹ (f + ds) mod q (Equation 95)
Here, q is the order of the fixed point Q, that is, the q point qQ of the fixed point Q is an infinite point, and the m times point mQ of the fixed point Q for a numerical value m smaller than q is not an infinite point. It is a serious number.

  The smart card 1601 outputs the signature 1641 generated by the signature generation processing unit 1612 from the input / output interface 1610 and transfers it to the computer 1621 via the interface.

  When the signature 1641 is input to the signature verification processing unit 1632 (112 in FIG. 2) of the computer 1621 (S204), the numerical values s and t of the signature 1641 are within an appropriate range, that is, 1 ≦ s <q, 1 ≦ t < Check if q.

  If the numerical values s and t are not within the above range, “invalid” is output as the verification result for the signature 1641 for the challenge code 1642 and the smart card 1601 is rejected. If the numerical values s and t are within the above ranges, the signature verification processing unit 1632 calculates the following (Expression 96), (Expression 97), and (Expression 98).

h = t ⁻¹ mod q (Equation 96)
h ₁ = fh mod q (formula 97)
h ₂ = sh mod q (formula 98)
Then, the signature verification processing unit 1632 converts the public key dQ and fixed point Q read from the constant 1624 stored in the storage unit 1622 (102 in FIG. 2) (S205) and the calculated h ₁ and h ₂ into a scalar. The result is sent to the multiplication unit 1635 (115 in FIG. 2) (S206).

The scalar multiplication calculator 1635 calculates the scalar multiple h ₁ Q based on the fixed points Q and h ₁ and the scalar multiple h ₂ dQ based on the public keys dQ and h ₂ , and the calculated scalar multiple is the signature verification processing unit. 1632 (S207).

The signature verification processing unit 1632 performs signature verification processing using the sent scalar multiple. For example, if the signature verification of ECDSA signature, compute the point R expressed by the following (Equation 99), when the x-coordinate was _{x R,} compute the s' represented by the following equation (100).

R = h ₁ Q + h ₂ dQ (Formula 99)
s ′ = x _R mod q (Equation 100)
If s ′ = s, “valid” is output as the verification result of the signature 1641 for the challenge code 1643, and the smart card 1601 is authenticated and accepted (S208). If s ′ = s is not satisfied, “invalid” is output as the verification result, and the smart card 1601 is rejected (S208).

  In signature generation and signature verification, scalar multiplication of points on an elliptic curve is calculated. Therefore, in the present embodiment, when generating a signature, it is possible to use any of the first to seventh calculation methods or the scalar multiplication apparatus of the first to seventh embodiments.

  Next, scalar multiplication calculation when the signature generation processing unit 1612 generates a signature will be described in detail.

In the case of signature generation, the scalar multiple calculation unit 1615 calculates a scalar multiple uQ = (x _u , y _u ) based on the fixed point Q and the random number u, and sends the calculated scalar multiple to the signature generation processing unit 1612. At this time, in the calculation of the scalar multiple uQ using the fixed point Q and the random number u, first, the random number u is generated, u is encoded, and then the scalar multiple of the fixed point Q is calculated.

  The following ninth and tenth embodiments (signature verification systems (2) and (3)) show the signature generation processing performed by the signature generation processing unit 1612. The random number generation and the calculation of the random number multiple uQ are performed simultaneously. Do. Therefore, there is no need to perform encoding processing of the random number u.

<Signature verification system (2)>
Next, a signature generation method, a signature generation apparatus, and a program according to another embodiment 9 of the present invention will be described with reference to FIGS. 16 to 18 and FIG. In the signature verification system (2) of the ninth embodiment, the configuration of the smart card 1601, which is the signature generation device in the configuration of the signature verification system shown in FIG. 16, and the functional block of the signature generation processing unit 1612 shown in FIG. Use. In the signature verification system (2), the smart card 1601, which is the signature generation apparatus of the present embodiment, performs signature generation processing by executing a program. The smart card 1601 has a configuration in which a random number generation unit and a scalar multiplication unit are combined, and performs random number generation and calculation of random number multiple points at the same time. Therefore, it is not necessary to include the scalar multiplication unit 1615 shown in FIG. FIG. 18 is a flowchart showing calculation processing in the signature generation processing unit 1612. FIG. 20 is used instead of FIG. 2 as a sequence diagram of signature generation and signature verification operations in the signature verification system (2).

  In FIG. 17, the signature generation processing unit 1612 includes a random number multiplication calculation unit 1701. The random number multiplication calculation unit 1701 includes a pre-calculation unit 1702 and an actual calculation unit 1703. The pre-calculation unit 1702 includes an adder 1721, a doubling unit 1722, and a repeat determination unit 1723. The actual calculation unit 1703 includes a residue acquisition unit 1731, a residue conversion unit 1732, a repetition determination unit 1733, a storage unit 1734, a random bit generation unit 1735, a Ψ function calculation unit 1736, a bit value determination unit 1737, an addition unit 1738, and τ multiplication. Part 1739.

  In FIG. 20, the signature generation processing unit 1612 of the smart card 1601 receives the challenge code 1642 from the computer 1621 (S2004). The signature generation processing unit 1612 reads a fixed point on the elliptic curve from the storage unit 1602 (S2005), and passes the point on the elliptic curve to the random number multiplication unit 1701 (S2006). The random number multiplication unit 1701 calculates a random number and a random number multiple point, and passes them to the signature generation processing unit 1612 (S2007). The signature generation processing unit 1612 generates a signature 1641 based on the random number and the random number multiple and sends it to the computer 1621.

  In the present embodiment, a calculation method for calculating a signature (s, t) from a point Q on an elliptic curve called a base point will be described.

  The precalculation unit 1702 creates a precalculation table from the input point Q on the elliptic curve. The method by which the precalculation unit 1702 creates the precalculation table from the points on the elliptic curve is the same as in the first, fifth, and sixth embodiments.

  The actual calculation unit 1703 and the signature generation processing unit 1612 calculate a random number k and a scalar multiple kQ from a point Q on an elliptic curve called a base point. The signature generation processing unit 1612 generates a signature (s, t) from the random number k and the scalar multiple kG. However, in the present embodiment, the random number k is not directly generated, and after the random number is generated, the scalar k kQ of the base point Q is directly calculated without encoding or storing the random number k. Can do.

  Next, each process performed by the signature generation processing unit 1612 will be described in detail. A method of calculating the random number k and the point kQ on the elliptic curve from the base point Q on the elliptic curve will be described with reference to FIG.

The signature generation processing unit 1612 first substitutes Q for infinity point O on the elliptic curve, ₀ for c ₀ and c ₁ , and m + a−1 for i (S 1801). Next, it is determined by the repetition determination unit 1733 whether i> w is satisfied (S1802). If i> w (TRUE), the process proceeds to step S1803. If i ≦ w (FALSE), the process proceeds to step S1821.

In step S1803, the random bit generation unit 1735 causes the w random integers d _i , d _i−1 ,..., D _i belonging to the set {± 1, ± 3,... ± (2 ^w −1)}. Select _{-w + 1} . Next, (1 + Σd _{i−w + j} (t _{w + 1} U _j −2U _j−1 )) mod 2 ^{w + 1} −2 ^w is substituted for u _i (S1804). Next, 1 is substituted into j (S1805).

  Next, it is determined by the repetition determination unit 1733 whether j ≦ w is satisfied (S1806). If j ≦ w (TRUE), the process proceeds to step S1811. If j> w (FALSE), the process proceeds to step S1812.

In step S1811, τQ is substituted for Q, and (−2c ₁ , c ₀ + μc ₁ ) is substituted for (c ₀ , c ₁ ).

In step S1812, the repetition determination unit 1733 determines whether u _i > 0. When u _i > 0 (TRUE), the process proceeds to step S1813. If u _i ≦ 0, the process proceeds to step S1814.

In step S1813, the addition unit 1738 substitutes Q + u _i P for Q. In step S1814, the addition unit 1738 substitutes Q − (− u _i P) for Q. Next, in step S1815, i-w were respectively substituted into _c 0 _{+ u} 0, i to _{c 0,} the process returns to step S1802.

On the other hand, in step S1821, the random bit generation unit 1735 causes the i + 1 random integers d _i , d _i-1 , ..., belonging to the set {± 1, ± 3,... ± (2 ^w −1)}. Select d ₁ and d ₀ . Next, (1 + Σd _j (t _{i + 1} U _j −2U _j−1 )) mod 2 ^{i + 1} −2 ⁱ is substituted for u ₀ (S1822). Next, 1 is substituted into j (S1823).

  Next, it is determined whether or not j ≦ i by the repetition determination unit 1733 (S1824). If j ≦ i (TRUE), the process proceeds to step S1825. If j> i, the process moves to step S1831.

In step S1825, τQ is substituted for Q, and (−2c ₁ , c ₀ + μc ₁ ) is substituted for (c ₀ , c ₁ ).

In step S1831, the repetition determination unit 1733 determines whether u ₀ > 0. If u ₀ > 0 (TRUE), the process proceeds to step S1832. If u ₀ ≦ 0 (FALSE), the process moves to step S1833.

In step S1832, the adding unit 1438 substitutes Q + u ₀ P for Q. In step S1833, the adding unit 1438 substitutes Q − (− u ₀ P) for Q. Next, c ₀ + u ₀ is substituted for c ₀ in step S1534.

Next, it is determined whether or not d ₀ = 0 by the repetition determination unit 1733 (S1834). If d ₀ = 0 (TRUE), the process moves to step S1836. If d ₀ ≠ 0 (FALSE), the process moves to step S1837.

In step S1836, if the values are the _c 0 -1 to Q-P, _{c 0} to Q. In step S1837, if the values are the _c 1 -1 _Q-τP, the _{c 1} to Q. Next, in step S1838, (c ₀ + c ₁ τ) mod #E is substituted for k. Here, #E is the total number of points on the elliptic curve E.

  In step S1841, the actual calculation unit 1703 outputs the random number k and the point Q.

  Since the random number multiplication unit 1701 in this embodiment has the same function as the scalar multiplication unit 115 or 135 in FIG. 1, a side channel attack can be prevented and the processing speed and memory usage can be customized. A scalar multiplication calculation can be performed. Therefore, when the smart card 1601 performs signature generation processing and when the computer 1621 performs signature verification processing, a side channel attack can be prevented.

<Signature verification system (3)>
Next, a signature generation method, a signature generation apparatus, and a program according to another embodiment 10 of the present invention will be described with reference to FIGS. 4, 16, 17, and 19 to 22. Also in the signature verification system (3) of the tenth embodiment, the configuration of the smart card 1601 as the signature generation device in the configuration of the signature verification system shown in FIG. 16 and the functional block of the signature generation processing unit 1612 shown in FIG. Is used. Also in the signature verification system (3), the smart card 1601, which is a signature generation device, performs signature generation processing by executing a program. The smart card 1601 has a configuration in which a random number generation unit and a scalar multiplication unit are combined, and performs random number generation and calculation of random number multiple points at the same time. Therefore, it is not necessary to include the scalar multiplication unit 1615 shown in FIG. FIG. 19 is a flowchart showing calculation processing in the signature generation processing unit 1612. FIG. 20 is used instead of FIG. 2 as a sequence diagram of signature generation and signature verification operations in the signature verification system (3).

  Differences between the signature verification system (2) and the signature verification system (3) are as follows. The signature verification system (2) and the signature verification system (3) differ in that they are stored in the pre-calculation table, and the pre-calculation table in the signature verification system (3) is faster than the signature verification system (2). It is possible to further increase the speed of scalar multiplication by random numbers.

  A calculation method for calculating the signature (s, t) from the base point Q also in the signature verification system (3) will be described.

  The precalculation unit 1702 creates a precalculation table from the input point Q on the elliptic curve. The method by which the precalculation unit 1702 creates the precalculation table from the points on the elliptic curve is the same as in the seventh embodiment.

  The actual calculation unit 1703 and the signature generation processing unit 1612 calculate a random number d and a scalar multiple dQ from a point Q on an elliptic curve called a base point. The signature generation processing unit 1612 generates a signature (s, t) from the random number d and the scalar multiple dQ. However, even in the signature verification system (3), the random number dQ is not directly generated, and after the random number is generated, the random number d is directly encoded without being encoded or stored in the memory. Can be calculated. Next, each process performed by the signature generation processing unit 1612 will be described in detail. A method of calculating the random number d and the point dQ on the elliptic curve from the base point Q on the elliptic curve will be described with reference to FIG.

First, the actual calculation unit 1703 inputs P, R _w [0],..., R _w [2 ^w−1 −1] (S1901). Next, an infinite point O is substituted for Q and m + a-1 is substituted for j (S1902). Next, the repetition determination unit 1733 determines whether j> w−1 is satisfied (S1903). When the condition is satisfied (TRUE), the process proceeds to step S1911. If the condition is not satisfied (FALSE), the process proceeds to step S1941.

In step S1911, the random bit generation unit 1735 generates the random bits d ₁ [w−1], d ₁ [w-2],..., D ₁ [0], and substitutes w−1 for k. . Next, the repetition determination unit 1733 determines whether or not k ≧ 0 (S1912). When the condition is satisfied (TRUE), the process proceeds to step S1921. If the condition is not satisfied (FALSE), the process proceeds to step S1931.

In step S1921, the _{c 0} to t, -2c to _{c 0 1 - (- 1)} d1 to ^[k], the 2μ (t + _{c 1)} to _{c 1,} a k-1 to k, assigns each step S1912 Return to.

In step S1931, d ₁ [w−2] 2 ^w−2 +... + D ₁ [0] 2 ⁰ is substituted for u. Next, the adding unit 1738 and the τ multiplication unit 1739 calculate τ ^w Q + d ₁ [w−1] * R _w [u], and substitute the result into Q (S1932). Next, j-w is substituted for j, and the process returns to step S1903 (S1933).

  On the other hand, in step S1941, the repetition determination unit 1733 determines whether j ≧ 0. When the condition is satisfied (TRUE), the process proceeds to step S1942. If the condition is not satisfied (FALSE), the process proceeds to step S1951.

In step S1943, the random bit generator 1735 generates a random bit _{d 1.} Then, the _{c 0} to t, -2c ₁ + to _{c 0} - a (1) ^d1, the t + [mu] c ₁ to _{c 1,} the values are (S1943). Next, the addition unit 1738 and the τ multiplication unit 1739 calculate τQ + d ₁ * P and substitute the result into Q (S1944). Next, j-1 is substituted for j, and the process returns to step S1941 (S1945).

In step S1951, the actual calculation unit 1703 outputs a random number d = c ₀ + c ₁ τ mod q, a random number multiple point Q.

  The pre-calculation table creation method can be executed faster than the signature verification system (2). The reason is the same as in the seventh embodiment.

  Since the random number multiplication unit 1701 in the present embodiment has the same function as the scalar multiplication unit 115 or 135 of FIG. 1, it can prevent a side channel attack as in the above calculation method, Performs scalar multiplication that can customize memory usage. Therefore, when the smart card 1601 performs signature generation processing and when the computer 1621 performs signature verification processing, a side channel attack can be prevented.

<Key exchange system>
Next, an eleventh embodiment in which the present invention is applied to a key exchange system will be described. With reference to FIGS. 1 and 2, a data generation method, a data generation apparatus, and a program according to Embodiment 11 of the present invention will be described. In the eleventh embodiment, the information processing system configuration of FIG. 1 can be applied as a key exchange system configuration. The key exchange system is configured to include a computer A101 and a computer B121, which are data generation apparatuses according to the embodiment of the present invention. The computer A 101 and the computer B 121 execute data generation processing according to the data generation method in the embodiment of the present invention according to a program.

  The data processing units 112 and 132 in FIG. 1 function as the key exchange processing units 112 and 132, respectively, in the present embodiment. In addition to the functions as the key exchange processing units 112 and 132, functions such as encryption and decryption described above may be provided. An operation including a data generation process when the computer A101 of the key exchange system derives shared information with the computer B121 from the data 143 input from the computer B121 side will be described.

  The data processing unit 132 (corresponding to 112 in FIG. 2) of the computer B121 reads the secret key b from the secret information 125 of the storage unit 122 (corresponding to 102 in FIG. 2), and calculates the public key bQ of the computer B121. To do. Then, the public key bQ is transferred as data 143 to the computer A101 via the network 142.

  The key exchange processing unit 112 (corresponding to 112 in FIG. 2) of the computer A101 receives the input of the public key bQ of the computer B121 (S204). When the key exchange processing unit 112 receives the public key bQ of the computer B121, the secret key d of the computer A101, which is the secret information 105 read from the storage unit 102 (S205), and the public key bQ of the computer B121 are scalar multiplied. The data is sent to the calculation unit 115 (S206).

  The scalar multiplication calculation unit 115 calculates a scalar multiplication point dbQ based on the secret key d and the public key bQ, and sends the calculated scalar multiplication point dbQ to the key exchange processing unit 112 (S207).

  The key exchange processing unit 112 derives shared information using the sent scalar multiple dbQ, and stores it as the secret information 105 in the storage unit 102. For example, the x coordinate of the scalar multiple dbQ is used as shared information.

  Next, an operation including data generation processing when the computer B121 performs derivation of shared information with the computer A101 from the data 141 input from the computer A101 side will be described.

  The data processing unit 112 of the computer A101 reads the secret key d from the secret information 105 of the storage unit 102 and calculates the public key dQ of the computer A101. Then, the public key dQ is transferred as data 141 to the computer B 121 via the network 142.

  The key exchange processing unit 132 (112 in FIG. 2) of the computer B121 receives the input of the public key dQ of the computer A101 (S204). When the public key dQ of the computer A101 is input, the key exchange processing unit 132 receives the secret key b of the computer B121 read from the secret information 125 of the storage unit 122 (102 in FIG. 2) (S205), and the public key dQ of the computer A101. Are sent to the scalar multiplication unit 135 (115 in FIG. 2) (S206).

  The scalar multiplication unit 135 calculates a scalar multiple bdQ based on the secret key b and the public key dQ, and sends the calculated scalar multiple bdQ to the key exchange processing unit 132 (S207).

  The key exchange processing unit 132 derives shared information using the sent scalar multiple bdQ, and stores the shared information as the secret information 125 in the storage unit 122. For example, the x coordinate of the scalar multiple bdQ is used as shared information. Here, since the number db and the number bd are the same as numerical values, the point dbQ and the point bdQ are the same point, and the same information is derived by the computers A101 and B121.

  A point dQ and a point bQ are transmitted to the network 142. To calculate the point dbQ (or the point bdQ), the secret key d or the secret key b must be used. That is, the shared information cannot be obtained without knowing the secret key d or the secret key b.

  The shared information obtained in this way can be used as a secret key for common key cryptography. Also in the present embodiment, the scalar multiplication calculators 115 and 135 have the same characteristics by applying any one of the scalar multiplications of the first to seventh embodiments described above, and thus can prevent side channel attacks. .

  In addition, dedicated data is used for the data processing units in the above-described embodiments, that is, the encryption processing unit, the decryption processing unit, the signature generation processing unit, the signature verification processing unit, and the key exchange processing unit. It is good also as a form which configures and performs each process. The scalar multiplication calculation unit may be realized by a coprocessor or other dedicated hardware. The data processing unit may be configured to perform any one or more of the processes such as encryption, decryption, signature generation, signature verification, and data generation for key exchange. .

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.

  The present invention can be used for various security technologies such as encryption.

It is a figure which shows the structure of the information processing system comprised including the scalar multiplication apparatus in one embodiment of this invention. It is a sequence diagram which shows the mode of the delivery of the information between each process part in each embodiment of this invention. In Embodiment 1, 2, 5, and 7 of this invention, it is a figure which shows the functional block structure of a scalar multiplication calculation part. In Embodiment 1 and 5 of this invention, it is a flowchart which shows the encoding method which an encoding part performs. It is a flowchart which shows the pre-calculation table preparation process of the pre-calculation part in the signature generation apparatus in Embodiment 1,5,6 of this invention and one embodiment of this invention. In Embodiment 1, 2, and 5 of this invention, it is a flowchart which shows the calculation method of the scalar multiple of a real calculation part. In Embodiment 2 of this invention, it is a flowchart which shows the encoding method which an encoding part performs. In Embodiment 2, 3 and 4 of this invention, it is a flowchart which shows the pre-calculation table preparation process of a pre-calculation part. In Embodiment 3, 4, and 6 of this invention, it is a figure which shows the functional block structure of a scalar multiplication calculation part. In Embodiment 3 of this invention, it is a flowchart which shows the calculation method of the scalar multiple of a real calculation part. In Embodiment 4 of this invention, it is a flowchart which shows the calculation method of the scalar multiple of a real calculation part. In Embodiment 6 of this invention, it is a flowchart which shows the calculation method of the scalar multiple of a real calculation part. In Embodiment 7 of this invention, it is a flowchart which shows the encoding method which an encoding part performs. It is a schematic diagram which shows the pre-calculation table preparation process of the pre-calculation part in Embodiment 7 of this invention and the signature production | generation apparatus in one embodiment of this invention. In Embodiment 7 of this invention, it is a flowchart which shows the calculation method of the scalar multiple of a real calculation part. It is a figure which shows the structure of the signature verification system comprised using the signature production | generation apparatus in one embodiment of this invention. FIG. 3 is a diagram illustrating a functional block configuration of a random number multiplication unit in a signature generation processing unit in the signature generation device according to one embodiment of the present invention. It is a flowchart which shows the calculation method of the random number generation required for a signature, and the scalar multiplication by a random number in the signature generation apparatus in Embodiment 9 of this invention. It is a flowchart which shows the calculation method of the scalar multiplication by the random number generation required for a signature, and a random number in the signature generation apparatus in Embodiment 10 of this invention. It is a sequence diagram which shows delivery of the information between each process part in the signature verification system comprised using the signature production | generation apparatus in one embodiment of this invention. In Embodiment 7 of this invention, it is a flowchart (the 1) which shows the precomputation table creation process of the precomputation part. In Embodiment 7 of this invention, it is a flowchart (the 2) which shows the pre-calculation table preparation process of a pre-calculation part.

Explanation of symbols

  101, 121, 1621 ... computer, 1601 ... smart card, 102, 122, 1602, 1622 ... storage unit, 111, 131, 1611, 1631 ... processing unit, 115, 135, 1615, 1635 ... scalar multiplication unit, 112, 132 ... Data processing unit, 1612 ... Signature generation processing unit, 1632 ... Signature verification processing unit, 104, 124, 1604, 1624 ... Constant, 105, 125, 1605, 1625 ... Secret information, 110, 130, 1610, 1630 ... Input Output interface, 108, 128, 1628 ... display, 109, 129, 1629 ... keyboard, 142 ... network, 1642 ... challenge code, 141, 143 ... data, 302 ... encoding unit, 303 ... pre-calculation unit, 304 ... actual calculation unit , 321 ... residue acquisition unit, 22: residue conversion unit, 323 ... repetition determination unit, 324 ... delta residue conversion unit, 325 ... Ψ function calculation unit, 326 ... storage unit, 331 ... addition unit, 332 ... doubling unit, 333 ... repetition determination unit, 341 ... Bit value determination unit, 342 ... Addition unit, 343 ... τ multiplication unit, 344 ... Repetition determination unit, 902 ... Pre-calculation unit, 903 ... Real calculation unit, 921 ... Addition unit, 922 ... τ multiplication unit, 923 ... Iterative determination unit, 931 ... residue acquisition unit, 932 ... residue conversion unit, 933 ... repetition determination unit, 934 ... delta residue conversion unit, 935 ... Ψ function calculation unit, 936 ... bit value determination unit, 937 ... addition unit, 938 ... τ multiplication unit, 1701 ... random number multiplication calculation unit, 1702 ... previous calculation unit, 1703 ... real calculation unit, 1721 ... addition unit, 1722 ... doubling calculation unit, 1723 ... repetition determination unit, 1731 ... remainder acquisition unit, 1732 ... Remainder conversion , 1733... Repeat determination unit, 1734... Storage unit, 1735... Random bit generation unit, 1736... Ψ function calculation unit, 1737... Bit value determination unit, 1738.

Claims (1)

In an elliptic curve, a scalar multiple and a scalar multiple calculation device in elliptic curve cryptography that calculates a scalar multiple from an input point on the elliptic curve,
A memory unit, an addition unit, a subtraction unit, a τ multiplication unit, an encoding unit that encodes the scalar value into a numerical sequence, a pre-calculation unit that creates a pre-calculation table from the input points, and the encoded A real calculation unit for calculating the scalar multiple from the numerical sequence and the previous calculation table,
The addition unit adds two points on the elliptic curve,
The subtraction unit subtracts two points on the elliptic curve,
The τ multiplication unit performs a first calculation that outputs (x ² , y ² ) from a point (x, y) on the elliptic curve,
A first processing unit that performs the first calculation using the τ multiplication unit and stores the output of the first calculation in the memory unit;
A second processing unit that adds the points stored in the memory unit and the input points using the adding unit;
Using the subtraction unit, a point stored in the memory unit and a third processing unit for subtracting the input point;
The pre-calculation unit repeats the processes of the first processing unit, the second processing unit, and the third processing unit a predetermined number of times,
Using the τ multiplication unit, repeating the first calculation a predetermined number of times, and storing the output of the first calculation in the memory unit;
Read the numerical value of the encoded numerical sequence, select a point of the pre-calculation table from the read numerical value, and use the adding unit to store the point stored in the memory unit and the selected point A fifth processing unit to add,
The real calculation unit to repeat the fourth processing unit and the processing content of the processing of the fifth processing unit,
The encoding unit is
A dividing unit for dividing the scalar value into a first numerical value and a second numerical value;
From the first numerical value and the second numerical value, a Ψ function calculation unit for calculating a third numerical value,
An updating unit for updating the scalar value;
An encoding calculation unit that repeats the processing of the dividing unit, the Ψ function calculating unit, and the updating unit;
When the scalar value stored in the memory unit is d, the first numerical value is d ₀ , and the second numerical value is d ₁ , the dividing unit is configured to store the scalar value (d ) To be divided into the first numerical value (d ₀ ) and the second numerical value (d ₁ ) so as to satisfy d ′ = (d mod δ) = d ₀ + d ₁ τ ,
When w is a positive integer, x _R is an integer, x _T is an integer, and t _{w + 1} is an integer determined by w when the operation τ on the elliptic curve is regarded as a complex number, the Ψ function is numerical _{(d 0)} and the second numerical value input to _{(d 1)} and (where _{d = x R + x T τ} ), the third number output _{Ψ (d) = (d R} + d T t w + 1 mod 2 ^{w + 1} ) −2 ^w .
The calculation unit of the Ψ function adds a multiplication result of the second numerical value and a predetermined fourth numerical value and the first numerical value, and determines a predetermined fifth numerical value from the added numerical value. Subtract,
The updating unit divides the result of subtracting the third numerical value from the scalar value by a predetermined sixth numerical value,
The update unit subtracts the third numerical value from the scalar value stored in the memory unit using the subtraction unit as the subtraction, stores the calculation result in the memory unit, and As the division, the division unit is used to divide the scalar value stored in the memory unit by the subtraction unit into the first numerical value and the second numerical value, and the second numerical value and a predetermined predetermined value. And a sixth processing unit for storing a value obtained by shifting the multiplication result by 1 bit to the right in the memory unit , and repeating the processing for the processing of the sixth processing unit w times Computing device.

Images