JP5246796B2 - Scalar multiplication arithmetic unit and power multiplication arithmetic unit - Google Patents

Description

  The present invention provides a scalar multiplication operation device that speeds up the operation of scalar multiplication by at least t-1 expansion of n of scalar n multiplication of rational point Q, and at least n of n multiplication of element A ( The present invention relates to an arithmetic device for power multiplication that speeds up the power of multiplication by performing q-r advance.

  In recent years, information network technology using telecommunications lines such as the Internet has been developed to provide various services such as Internet banking and electronic application to government agencies. Has been.

  When using such a service, authentication processing is required to confirm that the user of the service is an appropriate user, not impersonation or a fictitious person. As a method, an electronic authentication technique based on public key cryptography using a public key and a secret key is often used.

  However, in the electronic authentication of the public key cryptosystem, when the public key or the private key is leaked, it is necessary to change the public key and the private key immediately, and the public key and the private key must be managed carefully. Because of the complexity of creating and registering new public and private keys as needed, recently, electronic authentication is performed using user-specific IDs such as user names and email addresses. ID-based encryption is often used.

  In addition, when user authentication is performed by an authentication device that performs electronic authentication, a history for each user is accumulated in the authentication device, and this history information itself is personal information of the user, Recently, it has been pointed out that personal information may be leaked due to leakage of history information.

  Therefore, the authentication device does not authenticate using the user's personal information, but uses multiple users as a group and uses a group signature indicating that they belong to this group. A group signature technique has been proposed in which authentication is performed without specifying a person, thereby enabling authentication without accumulating personal information in an authentication apparatus.

A method called pairing that uses a bilinear mapping of rational points on an elliptic curve is used for the necessary operation in such ID-based encryption and group signature. Pairing means, for example, that P is a rational point on the prime field F _q , Q is a rational point on the k-th order extension field F _q ^k , and P and Q are input to obtain an element z of the extension field F ^* _q ^k When a times P and b times Q are input, z is ab output. Here, “k” is referred to as an embedding degree, and “F ^* _q ^k ” is correctly displayed as follows, but “F ^* _q ^k ” is displayed due to display limitations.

  The encryption / decryption process in the ID-based encryption and the authentication process in the group signature are required to be performed in as short a time as possible. In particular, in a cryptographic method based on pairing and the like, many scalar multiplications and power multiplications are executed, and it is required to execute these operations at high speed.

  For this reason, conventionally, scalar multiplication and power multiplication have been speeded up using a binary method, a window method, or the like.

Further, in the case of calculating the power A ⁿ of the original A∈F _q ^k of the expansion body, Frobenius mapping phi _q: is also made to increase the speed by reducing the number of operations by using the A → A ^q ing.

  Also in scalar multiplication, a method has been proposed in which the number of computations is reduced by using mapping to increase the speed (see, for example, Patent Document 1 and Patent Document 2).

Japanese Patent Laid-Open No. 2004-271792 JP 2007-41461 A

However, known speed-up means for speeding up using a map is very effective when the scalar n in scalar multiplication or the multiplier n in exponentiation is much higher than the order q (n >> q). For scalar n and multiplier n that do not exceed the order _q of the finite field F _q , compared with the case where scalar multiplication and power multiplication are directly executed without using a high-speed means. However, no remarkable effect was found.

In particular, in an encryption or decryption process in ID-based encryption or an authentication process in a group signature, scalar multiplication or multiplication using a scalar n or multiplication using a multiplier n is necessary. In many cases, the order _q is not much higher than the order _q of the finite field F _q , and an effective speedup cannot be expected even if a known speedup means is used.

In view of such a current situation, the present inventors are able to perform scalar multiplication or power multiplication at high speed even when the scalar n or the multiplier n does not exceed the order _q of the finite field Fq. The research and development of the method has been carried out to arrive at the present invention.

In the arithmetic unit for scalar multiplication of the present invention,
The elliptic curve ^{_{E / F q = x 3 +}} ax + b-y 2 = 0, and a∈F _q, and b∈F _q,
An additive group formed by rational points of an elliptic curve defined by a finite field F _q for E (F _q ),
E (F _q ^k ) is an additive group formed by a rational point of an elliptic curve defined by the extension field F _q ^k of the finite field F _q ,
Frobenius endomorphism of rational point φ _q on the finite field F _q,
trace t of Frobenius self-homogeneous map φ _q ,
r is the order of E (F _q ) #E (F _q ) = the prime order that divides q + 1−t,
E [r] is a set of rational points whose order is a prime number r,
a map that j times the rational point [j],
G is G = E [r] ∩Ker (φ _q − [q])
As a set of rational points included in E (F _q ^k ) that satisfies
In an arithmetic unit for scalar multiplication in which a scalar n multiplication of a rational point Q of G for a non-negative integer n is computed by an electronic computer equipped with storage means,
Input means for inputting and storing the value of the non-negative integer n, the value of the trace t, and the value of the rational point Q represented by QεG⊂E (F _q ^k ) in the storage means;
Initialization means for initializing the storage means for storing the calculation result Z;
For rational point Q of G,
φ _q (Q) = [q] Q = [t−1] Q
By the fact that
As s = t−1, based on the following equation in which n is expanded in s,

Substitution operations represented by c [i] ← n% s and n ← (nc [i]) / s are repeated a predetermined number of times from i = 0, and the values of each coefficient c [i] and non-negative integer n are stored in the memory Expansion means for storing in the means;
The rational point Q and the coefficient c [i] are read from the storage means, and an operation represented by Q [i] = c [i] Q is repeatedly performed a predetermined number of times from i = 0 to obtain each Q [i]. Arithmetic means for storing values in the storage means;
Based on the scalar multiplication nQ of the following equation expressed using the Frobenius automorphism map φ _q for the rational point instead of t−1:

From said storage means reads out Q [i] and the computation result _{Z, Z ← Z + φ q} i (Q [i]) by the calculation result of the scalar multiplication by repeating predetermined times assignment operation from i = 0 represented Combining means for storing Z in the storage means;
It is what has.

Furthermore, in the arithmetic unit for scalar multiplication of the present invention,
The order _q of the elliptic curve finite field F _q , the prime order r that divides #E (F _q ), and the trace t of the Frobenius self-homogeneous map φ _q are represented by q (χ), When given by r (χ), t (χ),
Auxiliary input means for inputting the values of q (χ), r (χ), t (χ) and storing them in the storage means;
Based on the following equation, the values of r (χ) and t (χ) are read from the storage means, and s (χ) = t (χ) −1, and r (χ) is s (χ) -expanded. ,

D _i (χ) ← r (χ)% s (χ) and r (χ) ← (r (χ) −D _i (χ)) / s (χ) <Auxiliary expansion means for repeatedly performing until “degr (χ) / degs (χ)” and storing the values of the coefficients D _i (χ) and r (χ) in the storage means;
Auxiliary extraction means for extracting the largest coefficient deg (D _i (χ)) among the stored coefficients D _i (χ) as D _dmax (χ) and storing it in the storage means;
Read the values of D _dmax (χ), D _i (χ), Q from the storage means,
φ _q ^dmax ([D _dmax (χ)] Q) = Σφ _q ⁱ ([D _i (χ)] Q) −φ _q ^dmax ([D _dmax (χ)] Q)
= [F (φ _q , χ)] Q
Based on φ _q ^k Q = Q, using the polynomial f (φ _q , χ)
[D _dmax (χ)] Q = [f (φ _q , χ) φ _q ^−dmax ] Q = [h (φ _q , χ)] Q
An auxiliary specifying means for polynomial h (φ _q, χ) identifies and stores the polynomial h (φ _q, χ) a value of said storage means becomes,
The s-adic expansion of the replaced chi = a as _{s = D dmax (a) D} dmax (a) adic expansion consisting the D wherein instead of _dmax (a) the polynomial h (φ _q, a) means for using , Has.

Moreover, in the scalar multiplication arithmetic device of the present invention,
When there are a plurality of coefficients D _i (χ) having the highest order dmax in the coefficient D _i (χ),
The auxiliary input means further includes means for inputting a value of m (χ) that satisfies r (χ) | m (χ) and storing the value in the storage means,
The coefficient D _i (χ) is read out from the storage means as the coefficient of χ ^dmax that is the term of the highest order dmax of deg (D _i (χ)) as T _dmax (φ _q ), and T (φ _q , χ) and U (φ _q , χ) are assigned with an initial value of 0, and T (φ _q , χ) ← T (φ _q , χ) + D when deg (D _i (χ)) = dmax _i (χ) φ _q ⁱ , otherwise U (φ _q , χ) ← U (φ _q , χ) + D _i (χ) φ _q ⁱ is assigned from i = 0 to i <“ degr (χ) / degs (χ) ”, and the values of T (φ _q , χ) and U (φ _q , χ) are stored in the storage means, and the highest order coefficient T _dmax (φ _q ) is _calculated. A second auxiliary specifying means for specifying;
The values of m (χ) and R (χ) are read from the storage means, and V (φ _q ) | m (φ is obtained using a polynomial m (χ) of the minimum order satisfying r (χ) | m (χ). _q ), gcd (T _dmax (φ _q ), V (φ _q )) = 1
Substituting V (φ _q ) that satisfies W (φ _q ) ← gcd (T _dmax (φ _q ), m (φ _q )) and V (φ _q ) ← W (φ _q ) Third auxiliary specifying means for specifying and storing the value of V (φ _q ) in the storage means;
Read the values of V (φ _q ) and m (φ _q ) from the storage means,
g (φ _q ) V (φ _q ) ≡v (mod m (φ _q ))
An integer scalar v and g (φ _q ) satisfying the above by an extended Euclidean algorithm, and a fourth auxiliary specifying means for storing the values of the scalars v and g (φ _q ) in the storage means;
In place of the auxiliary specifying means, T _dmax (φ _q ), χ ^dmax , D _i (χ), Q values are read from the storage means,
[T _dmax (φ _q ) χ ^dmax ] Q = Σφ _q ⁱ ([D _i (χ)] Q) − [T _dmax (φ _q ) χ ^dmax ] Q
= [F (φ _q , χ)] Q
Based on φ _q ^k Q = Q, using the polynomial f (φ _q , χ) and g (φ _q ),
[vχ ^dmax ] Q = [g (φ _q ) f (φ _q , χ)] Q = [h (φ _q , χ)] Q
And polynomial h (φ _q, χ) to identify, the polynomial h (φ _q, χ) a fifth auxiliary specifying means for storing in said memory means the value of a,
Read the value of h (φ _q , χ) from the storage means,
The h (φ _q, χ) of phi _q about constant term h (0, χ) is,
[vχ ^dmax −h (0, χ)] Q = [h (φ _q , χ) −h (0, χ)] Q
With satisfying
With χ = a, s ′ = va ^dmax −h (0, a) and h ′ (φ _q ) = h (φ _q , a) −h (0, a) storing the value of h ′ (φ _q ) in the storage means;
said n that t-1 binary expand va ^dmax -h (0, a) adic expansion in Kawari to D _dmax (a) adic ^{expansion, va dmax -h (0, a} ) in place to h (φ _q, a) -h (0, a).

Further, in the power multiplication arithmetic device of the present invention,
F _q ^k is a k-th order extension of a finite field F _q of order _q ,
H is a partial multiplicative group of prime order r of F _q ^k ,
Let φ _{q be the} original Frobenius automorphism map for the finite field F _q ,
In an arithmetic unit for calculating a multiplication to perform n multiplication of an element A of H with respect to a non-negative integer n by an electronic computer provided with storage means,
The value of the non-negative integer n, the value of the order q, the value of the prime order r of the F _q ^k , and the value of the element A represented by A∈H⊂F _q ^k are input and stored in the storage means. Input means to
Initialization means for initializing the storage means for storing the calculation result Z;
The order q and the value of the element A are read from the storage means, the difference between the q and r is s = q−r, and the substitution operation represented by T [j] ← A and A ← A * A Is repeatedly performed from j = 0 to j <“log ₂ s”, and the first calculating means for storing the values of T [j] and A in the storage means,
Based on the following equation that reads out the values of the n and the difference s from the storage means and develops the difference s,

The substitution operation represented by c [i] ← n% s and n ← (nc [i]) / s is repeated a predetermined number of times from i = 0, and the values of each coefficient c [i] and non-negative integer n are Expansion means for storing in the storage means;
When c [i] and the value of n are read from the storage means, A [i] = 1 is initialized based on A [i] = A ^{c [i]} , and c [i] & 1 A [i] ← A [i] * T [j], c [i] ← c [i] / 2, the substitution operation represented by i = 0 is repeated a predetermined number of times, and A [ second calculating means for storing values of i] and c [i];
Read each A [i] from the storage means, based on the following equation:

And a synthesizing unit that repeats a power calculation represented by Z ← Z * φ _q ⁱ (A [i]) a predetermined number of times from i = 0 and stores the result as a calculation result Z in the storage unit. .

Furthermore, in the arithmetic unit for power multiplication according to the present invention,
X ^ {Y} represents ^XY ,
When the order q, the prime order r, and the s are given by q (χ), r (χ), and s (χ), respectively, using an integer variable χ,
Auxiliary input means for inputting the values of q (χ), r (χ), and s (χ) and storing them in the storage means;
Based on the following equation, r (χ) and s (χ) are read from the storage means, and r (χ) is expanded in s (χ) using the s (χ).

D _i (χ) ← r (χ)% s (χ) and r (χ) ← (r (χ) −D _i (χ)) / s (χ) i <“degr (χ) / degs (χ)” repeatedly, and auxiliary expansion means for storing the coefficients D _i (χ) and r (χ) in the storage means,
Auxiliary extraction means for extracting the largest coefficient deg (D _i (χ)) among the stored coefficients D _i (χ) as D _dmax (χ) and storing it in the storage means;
Read the values of D _dmax (χ), D _i (χ), q from the storage means,
(A ^ {D _dmax (χ)}) ^ {q ^dmax } = A ^ {Σ _{i ≠ dmax} −D _i (χ) q ⁱ } = A ^ {f (q, χ)}
A ^ {D _dmax (χ)} = A ^ { _{Σi ≠ dmax} −D _i (χ) q ⁱ −q based on φ _q ^k (A) = A ^dmax } = A ^ {h (q, χ)}
An auxiliary specifying means for specifying the polynomial h (q, χ) to be and storing the value of the polynomial h (q, χ) in the storage means;
Said n that the s-adic expansion, replaced with chi = a as s = D _dmax (a) consisting of D _dmax (a) adic expansion, the D _dmax (a) instead of by the polynomial h (q, a) Means to use.

Moreover, in the arithmetic unit for power multiplication according to the present invention,
When there are a plurality of coefficients D _i (χ) having the highest order dmax in the coefficient D _i (χ),
The auxiliary storage means further includes means for inputting a value of m (χ) that satisfies r (χ) | m (χ) and storing the value in the storage means,
The coefficient D _i (χ) is read out from the storage means with the coefficient of χ ^dmax being the term of the maximum degree dmax of deg (D _i (χ)) as T _dmax (q), and T (q, χ ) And U (q, χ) are assigned with an initial value of 0, and T (q, χ) ← T (q, χ) + D _i (χ) q when deg (D _i (χ)) = dmax ⁱ , in other cases, the substitution operation represented by U (q, χ) ← U (q, χ) + D _i (χ) q ⁱ is changed from i = 0 to i <“degr (χ) / degs (χ) And the second auxiliary specifying means for storing the values of T (q, χ) and U (q, χ) in the storage means and specifying the highest order coefficient T _dmax (q);
The values of m (χ) and R (χ) are read from the storage means, and the minimum order polynomial m (χ) satisfying r (χ) | m (χ) is used, and V (q) | m (q) , gcd (T _dmax (q), V (q)) = 1
V (q) satisfying W (q) ← gcd (T _dmax (q), m (q)) and V (q) ← W (q) is specified by performing an operation represented by the above V (q a third auxiliary specifying means for storing the value of q) in the storage means;
Read the values of V (q) and m (q) from the storage means,
g (q) V (q) ≡v (mod m (q))
A fourth auxiliary specifying means for specifying integer scalars v and g (q) satisfying an extended Euclidean algorithm and storing the values of the scalars v and g (q) in the storage means;
Instead of the auxiliary specifying means, each value of T _dmax (q), χ ^dmax , D _i (χ), Q is read from the storage means,
A ^ {T _dmax (q) χ ^dmax } = A ^ {ΣD _i (χ) q ⁱ −T _dmax (q) χ ^dmax }
= A ^ {f (q, χ)}
Based on φ _q ^k (A) = A, using the polynomial f (q, χ) and g (q)
A ^ {vχ ^dmax } = A ^ {g (q) f (q, χ)} = A ^ {h (q, χ)}
A fifth auxiliary specifying means for specifying the polynomial h (q, χ) to be and storing the value of the polynomial h (q, χ) in the storage means;
Read the value of h (q, χ) from the storage means,
The constant term h (0, χ) for q of h (q, χ) is
A ^ {vχ ^dmax −h (0, χ)} = A ^ {h (q, χ) −h (0, χ)}
With satisfying
With χ = a, s ′ = va ^dmax −h (0, a) and h ′ (q) = h (q, a) −h (0, a) are performed and s ′, h ′ The value of (q) is stored in the storage means, and instead of expanding n in s-advanced manner in D _dmax (a), it is expanded in va ^dmax −h (0, a) and va ^dmax −h (0 , a) instead of h (q, a) -h (0, a).

The present invention uses the Frobenius automorphism map φ _q to reduce the number of operations. In particular, in the case of scalar multiplication, for the rational point Q of G,
φ _q (Q) = [q] Q = [t−1] Q
And in the case of power multiplication, the difference between q and r is s = q−r, and for a non-zero element A of H,
φ _q (A) = A ^q = A ^s
Is satisfied, the scalar n is expanded in the t-1 base, or the power n is expanded in the s base, and the Frobenius self-homogeneous map φ _q for the rational point is used instead of the t-1, or the original is replaced with the s. By using the Frobenius self-homogeneous map φ _q with respect to, even when the scalar n in scalar multiplication or the multiplier n in power multiplication does not greatly exceed the order q, the number of operations can be reduced and the calculation speed is improved. be able to.

In particular, in ID-based encryption based on pairing, group signatures, etc., an elliptic curve that can be used for pairing called a pairing friendly curve is used, and when using this pairing friendly curve, an integer variable χ is set. In the case of scalar multiplication, the order q (χ), prime order r (χ) that divides #E (F _q ), and the trace t (χ) of the Frobenius self-homogeneous map φ _q are given in advance. the, with r the (chi) to t (chi) deployment -1 binary, the t (chi) coefficients were introduced during the -1 binary deployment D _i highly most of order coefficient among the (chi) D _i ( χ) is _set to D _dmax (χ), and D _dmax (χ) is replaced with a polynomial h (φ _q , χ) to further reduce the number of operations. In the case of power multiplication, r (χ) is s (χ) = q (χ) −r (χ), and the coefficient D _i (χ) introduced during the s (χ) advance The highest order coefficient D _i (χ) is D _dmax (χ), and this d _dmax (χ) is replaced with a polynomial h (φ _q , χ) to further reduce the number of computations. Can be improved.

In addition, when there are a plurality of D _i (χ) having the highest order dmax, V (q) | m (q using a minimum order polynomial m (χ) satisfying r (χ) | m (χ). ), gcd (T _dmax (q), V (q)) = 1
V (q) that satisfies
g (q) V (q) ≡v (mod m (q))
In the case of scalar multiplication, in the case of scalar multiplication, the scalar n expanded by t−1 is expanded by vχ ^dmax −h (0, χ) instead of by D _dmax (χ). By using h (q, χ) -h (0, χ) instead of vχ ^dmax -h (0, χ), the number of operations should be further reduced. The number n is expanded by vχ ^dmax −h (0, χ) instead of D _dmax (χ), and h (q, χ) −h (0,0) instead of vχ ^dmax −h (0, χ). By using χ), the number of computations can be further reduced and the computation speed can be improved.

Explanatory drawing of the electronic computer provided with the arithmetic program of scalar multiplication, and the arithmetic program of power multiplication. It is a flowchart of the arithmetic program of scalar multiplication. It is a flowchart of the arithmetic program of scalar multiplication. It is a flowchart of the auxiliary program which calculates | requires Ddmax (χ) and the polynomial h (φq, χ). It is a flowchart of the arithmetic program of scalar multiplication. It is a flowchart of the auxiliary | assistant program which calculates | requires the polynomial h ((phi) q, (chi)) and v (chi) dmax-h (0, chi). 5 is a flowchart of a power multiplication operation program. 5 is a flowchart of a power multiplication operation program. It is a flowchart of the auxiliary program which calculates | requires Ddmax (χ) and polynomial h (q, χ). 5 is a flowchart of a power multiplication operation program. It is a flowchart of the auxiliary | assistant program which calculates | requires the polynomial h (q, χ) and vχdmax-h (0, χ).

  The present invention aims at speeding up the operation of scalar multiplication and speeding up the operation of power multiplication, and the operations themselves are different, such as scalar multiplication and power multiplication. It is the same, and the number of operations is reduced in the same way, so that the operation speed can be increased. First, scalar multiplication will be described, and then power multiplication will be described.

First, the elliptic curve ^{_{E / F q = x 3 +}} ax + b-y 2 = 0, a∈F q, and B∈F _q,
E (F _q ): Additive group formed by rational points of elliptic curve defined by finite field F _q E (F _q ^k ): Rational points of elliptic curve defined by extension field F _q ^k of finite field F _q additive group forms φ _q: Frobenius endomorphism t of rational points on the finite field F _q: Frobenius trace of the endomorphism φ _q r: of order #E (F _q) of _{E (F q) = q +} 1-t Prime order E [r]: set of rational points whose order is prime r
[j]: Map that multiplies rational points by j G: G = E [r] ∩ defined as a set of rational points included in E (F _q ^k ) that satisfies Ker (φ _q − [q]).

  Then, the scalar n multiplication of the rational point Q of G with respect to the non-negative integer n, that is, nQ is calculated. Note that the scalar multiplication assumed in the present embodiment is performed at the time of pairing calculation, and in general, the scalar n does not greatly exceed the order r.

  Since r = q + 1−t, 0≡q + 1−t (mod r).

Here, if the scalar n is expanded by t−1, since the scalar n does not greatly exceed the order r,
n = C ₁ (t−1) + C ₀
Or
n = (t−1) ² + C ₁ (t−1) + C ₀
It becomes.

Since φ _q (Q) = [q] Q = [t−1] Q, when n = C ₁ (t−1) + C ₀ , nQ is as follows.
nQ = [C ₁ (t−1) + C ₀ ] Q
= [C ₁ q] Q + [C ₀ ] Q
= Φ _q ([C ₁ ] Q) + [C ₀ ] Q

When n = (t−1) ² + C ₁ (t−1) + C ₀ , nQ is as follows.
nQ = [(t−1) ² + C ₁ (t−1) + C ₀ ] Q
= [Q] [q] Q + [C ₁ q] Q + [C ₀ ] Q
= Φ _q (φ _q (Q)) + φ _q ([C ₁ ] Q) + [C ₀ ] Q

Here, C ₁ and C ₀ are approximately equal to or smaller than t−1, and the Frobenius self-homogeneous mapping of rational points can be used, thereby reducing the number of operations. Therefore, the scalar multiplication can be speeded up.

In general, when performing pairing calculation, a known pairing-friendly curve is used. In particular, prime numbers that divide orders q (χ) and #E (F _q ) using an integer variable χ. of order r (χ), it is often the Frobenius endomorphism φ _q of trace t (χ) is given in advance.

Here, taking into account that [r] Q = [q + 1−t] Q = O, the remainder of r (χ) is taken by t (χ) −1, that is, r (χ) is
[r (χ)] Q = Σ [D _i (χ) (t (χ) −1) ⁱ ] Q = Σφ _q ⁱ ([D _i (χ)] Q)
And t (χ) −1 base expansion, and D _dmax (χ) is the highest order of D _i (χ).

And
φ _q ^dmax ([D _dmax (χ)] Q) = Σφ _q ⁱ ([D _i (χ)] Q) −φ _q ^dmax ([D _dmax (χ)] Q)
= [F (φ _q , χ)] Q
A two-variable polynomial f (φ _q , χ) with φ _q and χ as variables is introduced.

Furthermore, based on φ _q ^k Q = Q,
[D _dmax (χ)] Q = [f (φ _q , χ) φ _q ^−dmax ] Q = [h (φ _q , χ)] Q
A two-variable polynomial h (φ _q , χ) with φ _q and χ as variables is introduced. That is, this polynomial h (φ _q , χ) can replace D _dmax (χ) of the highest order of D _i (χ) with a polynomial h (φ _q , χ) with φ _q and χ as variables. In particular, when χ = a, the scalar n expanded in t−1 is further converted into D _dmax (a) advance. By expanding and using h (φ _q , a) instead of D _dmax (a), the number of operations can be greatly reduced, and the scalar multiplication can be speeded up.

Further, when there are a plurality of the highest orders among D _i (χ), the highest order is represented by dmax, and the coefficient of χ ^dmax which is a term of the highest order dmax is expressed as T _dmax (φ _q ). Using the minimum degree polynomial m (χ) satisfying r (χ) | m (χ), V (φ _q ) | m (φ _q ), gcd (T _dmax (φ _q ), V (φ _q ) ) = 1
V (φ _q ) that satisfies the condition is specified. Here, a circumferential equalization polynomial or the like can be used as the polynomial m (χ).

And using the extended Euclidean algorithm,
g (φ _q ) V (φ _q ) ≡v (mod m (φ _q ))
Identify integer scalars v and g (φ _q ) that satisfy
[T _dmax (φ _q ) χ ^dmax ] Q = Σφ _q ⁱ ([D _i (χ)] Q) − [T _dmax (φ _q ) χ ^dmax ] Q
= [F (φ _q , χ)] Q
A two-variable polynomial f (φ _q , χ) with φ _q and χ as variables is introduced.

Furthermore, using g (φ _q ) and based on φ _q ^k Q = Q,
[vχ ^dmax ] Q = [g (φ _q ) f (φ _q , χ)] Q = [h (φ _q , χ)] Q
A two-variable polynomial h (φ _q , χ) with φ _q and χ as variables is introduced.

Then, the h (φ _q, χ) of phi _q about constant term h (0, χ) is,
[vχ ^dmax −h (0, χ)] Q = [h (φ _q , χ) −h (0, χ)] Q
S ′ = va ^dmax −h (0, a) and h ′ (φ _q ) = h (φ _q , a) −h (0, a), and t− A scalar n that has been unfolded _{linearly is} expanded in {va ^dmax −h (0, a)} instead of being expanded in D _dmax (a), and h (φ _q , instead of va ^dmax −h (0, a) Since the number of operations can be reduced by using a) −h (0, a), the scalar multiplication can be speeded up. Here, h ′ (φ _q ) indicates that it is a single variable of φ _q by setting χ = a in a polynomial h of two variables of φ _q and χ (φ _q , χ). .

So far we have explained scalar multiplication, but in case of power multiplication,
F _q ^k : k-th order extension field of finite field F _q of order _q H: partial multiplicative group of prime order r of F _q ^k φ _q : defined as the original Frobenius self-homogeneous map with respect to finite field F _q The non-negative integer n is multiplied by n of the element A of H, and the difference between q and r is set to s = q−r, and this s is replaced with t−1 in scalar multiplication, and the above-described exponentiation is performed. The detailed description is omitted. Even in the case of power multiplication, the number of operations can be reduced and the speed of power multiplication can be increased by replacing the operation of the highest order part with the operation of a lower order.

  Hereinafter, specific examples will be described using a known pairing-friendly curve.

As a pairing-friendly curve of embedded degree 8, a prime number r (χ) that divides #E (F _q ) and a trace t (χ) of the Frobenius self-homogeneous map φ _q
r (χ) = χ ⁴ -8χ ² +25
t (χ) = (2χ ³ -11χ + 15) / 15
And what is given is known.

In this case, by expanding r (χ) to t (χ) -1 base and using the Frobenius homomorphism map φ _q ,
2r (χ) = (15χ) φ _q + (− 5χ ² +50)
0≡ (15χ) φ _q + (− 5χ ² +50) (mod r (χ))
It becomes.

Therefore, D _i (χ) is
D ₀ (χ) = − 5χ ² +50
D ₁ (χ) = 15χ
It becomes.

Of these, D ₀ (χ) has the highest degree, so by moving other than D ₀ (χ) to the right side,
-5χ ² + 50 = 15χφ _q
And by organizing the formula,
χ ² −10 = 3χφ _q
Is obtained.

Therefore, when performing a scalar n multiplication of a rational point Q of G for a non-negative integer n, or a multiplication that should cause n multiplication of an element A of H for a non-negative integer n, n is set to t− By performing the linear expansion, further expanding the χ ² −10 decimal, and using 15 χφ _q instead of χ ² -10, the scalar n multiplication of the rational point of G or the n multiplication of the element A of H can be performed as a rational point. The Frobenius self-homogeneous map φ _q can be used for computation, and the number of computations can be reduced to speed up multiplication.

As a pairing-friendly curve of embedding degree 8 of another concrete body, a prime number r (χ) that divides #E (F _q ) and a trace t (χ) of the Frobenius self-homogeneous map φ _q is r (χ) = χ ⁸ -Χ ⁴ +1
t (χ) = χ ⁵ −χ + 1
Then, r (χ) is expanded to t (χ) -1 base and Frobenius homomorphism map φ _q is used,
r (χ) = χ ³ φ _q +1
0≡3φ _q +1 (mod r (χ))
It becomes.

Therefore, D _i (χ) is
D ₀ (χ) = − 1
D ₁ (χ) = χ ³
It becomes.

Of these, D ₁ (χ) has the highest degree, so by moving other than D ₁ (χ) φ _q to the right side,
χ ³ φ _q = -1
By multiplying both sides by φ ⁻¹ χ ³ = −φ _q ⁻¹
Is obtained.

Therefore, when performing a scalar n multiplication of a rational point Q of G for a non-negative integer n, or a multiplication that should cause n multiplication of an element A of H for a non-negative integer n, n is set to t− 1 binary expand and further chi ³ binary deployment, by using -.phi _q ^-1 in place of chi ^3, the n multiplication of the original a scalar n multiplication or H of rational points G, for rational point Calculations can be performed using the Frobenius self-homogeneous map φ _q, and the number of calculations can be reduced to speed up multiplication.

In the case of a pairing-friendly curve of embedding degree 10, the prime number r (χ) that divides #E (F _q ) and the trace t (χ) of the Frobenius self-homogeneous map φ _q are
r (χ) = 25χ ⁴ + 25χ ³ + 15χ ² + 5χ + 1
t (χ) = 10χ ² + 5χ + 3
And what is given is known.

In this case, by expanding r (χ) to t (χ) -1 base and using the Frobenius homomorphism map φ _q ,
8r (χ) = 2φ _q ² −φ _q + (5χ + 2)
0≡2φ _q ² −φ _q + (5χ + 2) (mod r (χ))
It becomes.

Therefore, D _i (χ) is
D ₀ (χ) = 5χ + 2
D ₁ (χ) = − 1
D ₂ (χ) = 2
It becomes.

Among these, since D ₀ (χ) has the highest degree, 5χ + 2 = −2φ _q ² + φ _{q is} obtained by moving other than D ₀ (χ) to the right side.
Is obtained.

Therefore, when performing a scalar n multiplication of a rational point Q of G for a non-negative integer n, or a multiplication that should cause n multiplication of an element A of H for a non-negative integer n, n is set to t− By using -2φ _q ² + φ _q instead of 5χ + 2 and unfolding 5χ + 2 in binary, the scalar n multiplication of the rational point of G or the n multiplication of the element A of H is Frobenius for the rational point. Calculations can be performed using the auto-homogeneous mapping φ _q, and the number of calculations can be reduced to speed up multiplication.

In the case of a pairing-friendly curve of embedding degree 12, the prime number r (χ) that divides #E (F _q ) and the trace t (χ) of the Frobenius self-homogeneous map φ _q are
r (χ) = 36χ ⁴ −36χ ³ + 18χ ² −6χ + 1
t (χ) = 6χ ² +1
And what is given is known.

In this case, by expanding r (χ) to t (χ) -1 base and using the Frobenius homomorphism map φ _q ,
r (χ) = φ _q ² + (− 6χ + 3) φ _q + (− 6χ + 1)
0≡φ _q ² + (− 6χ + 3) φ _q + (− 6χ + 1) (mod r (χ))
It becomes.

Therefore, D _i (χ) is
D ₀ (χ) = − 6χ + 1
D ₁ (χ) = − 6χ + 3
D ₂ (χ) = 1
It becomes.

Here, since both D ₀ (χ) and D ₁ (χ) have the highest order, by shifting the terms other than χ that give the highest order of D ₀ (χ) and D ₁ (χ) φ _q to the right side ,
6χ (φ _q +1) = φ _q ² + 3φ _q +1
It becomes.

Here, when g (φ _q ) = φ _q ⁴ −φ _q ² +1, gcd (φ _q +1, g (φ _q )) = 1 is satisfied, and from the extended Euclidean mutual division method
(φ _q +1) ⁻¹ ≡φ _q ² (1-φ _q ) (mod g (φ _q ))
Is obtained.

Therefore, by multiplying both sides by φ _q ² (1-φ _q ),
6χ = φ _q ² (1-φ _q ) (φ _q ² + 3φ _q +1)
Is obtained.

Therefore, when performing a scalar n multiplication of a rational point Q of G for a non-negative integer n, or a multiplication that should cause n multiplication of an element A of H for a non-negative integer n, n is set to t− By expanding 1 hex, further 6 χ, and using φ _q ² (1-φ _q ) (φ _q ² + 3φ _q +1) instead of 6χ, scalar n multiplication of rational points of G or H The n multiplication of the element A can be performed using the Frobenius self-homogeneous map φ _q with respect to the rational point, and the number of operations should be reduced to speed up the multiplication.

As a more specific example, χ = 825 (10 bits). At this time,
r = 16656811746301 (44 bits)
t = 40883751 (22 bits)
It is.

in this case,
6χ = 4950 (13 bits) = φ _q ² (1−φ _q ) (φ _q ² + 3φ _q +1)
Therefore, when performing scalar n multiplication of rational points of G or n multiplication of elements A of H, scalar multiplication or power multiplication of about 13 bits using the Frobenius automorphism map φ _q for the rational points Since the calculation is performed after conversion to, the number of calculations can be greatly reduced.

In the case of a pairing-friendly curve with an embedding degree of 18, the prime number r (χ) that divides #E (F _q ) and the trace t (χ) of the Frobenius self-homogeneous map φ _q are
r (χ) = χ ⁶ + 37χ ³ +343
t (χ) = (χ ⁴ + 16χ + 7) / 7
And what is given is known.

In this case, by expanding r (χ) to t (χ) -1 base and using the Frobenius homomorphism map φ _q ,
r (χ) = (7χ ² ) φ _q + (21χ ³ +343)
0≡ (7χ ² ) φ _q + (21χ ³ +343) (mod r (χ))
It becomes.

Therefore, D _i (χ) is
D ₀ (χ) = 21χ ³ −343
D ₁ (χ) = 7χ ²
It becomes.

Of these, D ₀ (χ) has the highest degree, so by moving other than D ₀ (χ) to the right side,
21χ ³ −343 = 7χ ² φ _q
And by organizing the formula,
χ ³ −49 = χ ² φ _q
Is obtained.

Therefore, when performing a scalar n multiplication of a rational point Q of G for a non-negative integer n, or a multiplication that should cause n multiplication of an element A of H for a non-negative integer n, n is set to t− 1 binary expand, expand further chi ³ -49 binary, by using in place of χ ³ -49 χ ² φ _q, a n multiplication of the original a scalar n multiplication or H of rational points G, Calculations can be performed using the Frobenius automorphism map φ _q for rational points, and the number of calculations can be reduced to speed up multiplications that should be performed.

  Finally, a scalar multiplication operation program and a power multiplication operation program will be described in detail. In this embodiment, the scalar multiplication operation program and the power multiplication operation program are executed as one of the subroutines when the ID-based encryption, the group signature, or the like is executed on the electronic computer. is there.

  As shown in FIG. 1, an electronic computer 10 that executes an arithmetic program for scalar multiplication and an arithmetic program for exponentiation includes a CPU 11 that executes arithmetic processing, and a storage device 12 such as a hard disk that stores necessary programs and data. The memory device 13 includes a RAM or the like that expands and executes a required program and temporarily stores data generated in accordance with the calculation. In FIG. 1, 14 is a bus. In the present embodiment, the storage device 12 stores various programs such as a main routine program, a scalar multiplication calculation program, and a power multiplication calculation program, and data used by these programs.

  For example, when the electronic computer 10 functions as an authentication device for a group signature, the signature of the group signature transmitted from the client device 30 connected to the telecommunication line 20 such as the Internet and connected to the telecommunication line 20 is used. Data is received, temporarily stored in the memory device 13, and authentication processing is performed by determining the validity of the signature data based on the group signature program. In FIG. 1, reference numeral 15 denotes an input / output control unit of the electronic computer 10.

  A number of scalar multiplication operation programs and power multiplication operation programs are executed when performing processing for determining the validity of signature data. In the following, a scalar multiplication operation program and power multiplication are performed. Only the calculation program will be described. Note that the scalar multiplication operation program and the exponentiation operation program are not used in group signature processing, but are used for a variety of purposes, and can be stored in the storage device 12. Not only the case, but also a configuration in which a so-called hardware is implemented by configuring as a semiconductor circuit.

  First, scalar multiplication nQ by t-1 base expansion will be described.

As shown in FIG. 2, when the arithmetic program for scalar multiplication is executed to make the electronic computer function as a scalar multiplier, first, as shown in FIG. 2, the trace t of the Frobenius self-homogeneous map of scalar n and E (F _q ) Then, the rational point QεG⊂E (F _q ^k ) is input (step S101). In this case, the electronic computer functions as input means.

Next, the electronic computer functions as initialization means, and initializes the register Z for storing the operation result (Z ← O) (step S102). Then, functions as first calculating means, on the input Q, advance calculation of 2 ^j Q (step S103).

In step S103, T [j] = 2 ^j Q, and the electronic computer executes the following algorithm.
(1) for (j = 0; J <"log ₂ s"; j ++)
(2) T [j] ← Q
(3) Q ← Q + Q
(4) End for
Here, strictly speaking, “log ₂ s” in (1) is

However, “” is used due to the limitation of notation. In the following, “” in the algorithm is used in the same meaning.

  Next, assuming that t−1 = s, the electronic computer functions as a developing unit, and scalar n is

And s-advance expansion (step S104). Here, the size of i is determined by the size of n.

In step S104, the electronic computer executes the following algorithm as an arithmetic operation of s-adic expansion.
(1) for (i = 0; i <“log _s n”; i ++)
(2) c [i] ← n% s
(3) n ← (nc [i]) / s
(4) End for
Here, “%” indicates that the remainder is taken.

  Next, in the present embodiment, the electronic computer functions as a second calculation unit, and calculates Q [i] = c [i] Q (step S105).

In step S105, the binary method is used, and the electronic computer executes the following algorithm.
(1) for (i = 0; i <“log _s n”; i ++)
(2) Q [i] ← O
(3) for (j = 0; c [i]! = 0; i ++)
(4) if (c [i] & 1)
(5) Q [i] ← Q [i] + T [j]
(6) End if
(7) c [i] ← c [i] / 2
(8) End for
(9) End for

  Next, the electronic calculator functions as a synthesis unit, and uses Q [i] calculated in step S105 to calculate the scalar multiplication nQ,

(Step S106).

In step S106, the electronic computer executes the following algorithm.
(1) for (i = 0; i <“log _s n”; i ++)
(2) Z ← Z + φ _q ⁱ (Q [i])
(3) End for

  Then, the electronic computer functions as output means, outputs Z as the execution result of the scalar multiplication operation program (step S107), and ends the scalar multiplication operation program.

Also, the order _q of the elliptic curve finite field F _q , the prime order r that divides #E (F _q ), and the trace t of the Frobenius self-homogeneous map φ _q are respectively represented by q (χ) using the integer variable χ. , R (χ) and t (χ) are specified in advance by expanding r (χ) to t (χ) -1 base
[r (χ)] Q = Σ [D _i (χ) (t (χ) −1) ⁱ ] Q = Σφ _q ⁱ ([D _i (χ)] Q)
D _dmax (χ) is the highest order among D _i (χ) expressed as
φ _q ^dmax ([D _dmax (χ)] Q) = Σφ _q ⁱ ([D _i (χ)] Q) −φ _q ^dmax ([D _dmax (χ)] Q)
= [F (φ _q , χ)] Q
Based on φ _q ^k Q = Q, using the polynomial f (φ _q , χ)
[D _dmax (χ)] Q = [f (φ _q , χ) φ _q ^−dmax ] Q = [h (φ _q , χ)] Q
The scalar multiplication nQ can be further speeded up by using the polynomial h (φ _q , χ) and D _dmax (χ).

That is, when D _dmax (χ) and the polynomial h (φ _q , χ) are specified, scalar n is expanded in D _dmax (a) with χ = a, and replaced with D _dmax (a). By using h (φ _q , a), the number of computations is reduced.

In scalar multiplication nQ when D _dmax (χ) and polynomial h (φ _q , χ) are specified, when an arithmetic program for scalar multiplication is executed and the electronic computer functions as a scalar multiplier, As shown in FIG. 3, first, scalar n, χ = a, s = D _dmax (a) and h ′ (φ _q ) = h (φ _q , a), rational point Q∈G⊂E (F _q ^k ) is input (step S201). In this case, the electronic computer functions as input means.

Next, the electronic computer functions as initialization means, and initializes the register Z for storing the operation result (Z ← O) (step S202). Then, functions as first calculating means, on the input Q, advance calculation of 2 ^j Q (step S203). Since the calculation in step S203 is the same as the calculation in step S103, description thereof is omitted.

  Next, the electronic computer functions as the first expansion means, and the scalar n is

And s-advance expansion (step S204). Since the algorithm for the s-adic expansion in step S204 is the same as that for the s-adic expansion in step S104, description thereof is omitted.

Next, the electronic computer functions as a second expansion means, and uses scalar n as h ′ (φ _q ) and c [i],

And phi _q proceeds to deploy (step S205).

In step S205, the electronic computer executes the following algorithm as an operation of _φq- adic expansion.
(1) T (φ _q ) ← 1
(2) for (i = 0; i <“log _s n”; i ++)
(3) d [i] ← c [i]
(4) if (d [i] ≧ s)
(5) for (j = 0; j <"log _s d [i]"; j ++)
(6) e [j] ← d [i]% s
(7) d [i] ← (d [i] -e [j])% s
(8) End for
(9) U (φ _q ) ← 1
(10) for (j = 0; j <"log _s d [i]"; j ++)
(11) U (φ _q ) ← {U (φ _q ) * e [j] * h ′ (φ _q ) ^j }% (φ _q ^k −1)
(12) End for
(13) T (φ _q ) ← {T (φ _q ) + U (φ _q ) * h '(φ _q ) ⁱ }% (φ _q ^k -1)
(14) End if
(15) else
(16) T (φ _q ) ← {T (φ _q ) + d [i] * h '(φ _q ) ⁱ }% (φ _q ^k -1)
(17) End else
(18) End for

In the case where a scalar n and phi _q-adic expansion, coefficient of phi _q-adic expansion is sometimes larger than s. Thus, if the coefficient of phi _q-adic expansion is larger than s: (step S206 NO), by taking the remainder of s with respect to coefficient of phi _q-adic expansion, coefficient of phi _q-adic expansion is s The adjustment is made to be smaller (step S207). In this case, the electronic computer functions as a comparison unit in step S206 and functions as an adjustment unit in step S207.

In step S207, the electronic computer executes the following algorithm.
(1) until ( ^∀ d [i] <s)
(2) for (i = 0; i <k-1; i ++)
(3) d [i] ← the i-th coefficient of T (φ _q )
(4) if (d [i] ≧ s)
(5) the i-th coefficient of T (φ _q ) ← 0
(6) for (j = 0; j <"log _s d [i]"; j ++)
(7) e [j] ← d [i]% s
(8) d [i] ← (d [i] -e [j])% s
(9) End for
(10) U (φ _q ) ← 1
(11) for (j = 0; j <"log _s d [i]"; j ++)
(12) U (φ _q ) ← {U (φ _q ) * e [j] * h '(φ _q ) ^j }% (φ _q ^k -1)
(13) End for
(14) T (φ _q ) ← {T (φ _q ) + U (φ _q ) * φ _q ⁱ }% (φ _q ^k -1)
(15) End if
(16) End for
(17) End until

  Next, the electronic calculator functions as a second calculation means, and calculates Q [i] = d [i] Q (step S208).

Also in step S208, the binary method is used, and the electronic computer executes the following algorithm.
(1) for (i = 0; i <k; i ++)
(2) Q [i] ← O
(3) for (j = 0; d [i]! = 0; i ++)
(4) if (d [i] & 1)
(5) Q [i] ← Q [i] + T [j]
(6) End if
(7) d [i] ← d [i] / 2
(8) End for
(9) End for

  Next, the electronic calculator functions as a synthesis unit, and uses Q [i] calculated in step S208 to calculate scalar multiplication nQ,

(Step S209).

In step S209, the electronic computer executes the following algorithm.
(1) for (i = 0; i <k; i ++)
(2) Z ← Z + φ _q ⁱ (Q [i])
(3) End for

  The electronic computer functions as output means, outputs Z as the execution result of the scalar multiplication operation program (step S210), and ends the scalar multiplication operation program.

D _dmax (χ) and polynomial h (φ _q, χ), the order of the finite field F _q of an elliptic curve q (χ), # E ( F q) number element divides the digit number r (χ), Frobenius self quasi Since the trace t (χ) of the isomorphism map φ _q is given in advance, it can be specified in advance, and together with q (χ), r (χ) and t (χ), D _dmax (χ) and the polynomial h (φ _q , χ) may be incorporated into the arithmetic program for scalar multiplication, or D _dmax (χ) and polynomial h (φ _q , χ) are obtained by the following auxiliary program using r (χ) and t (χ). May be.

  When the computer starts the auxiliary program, as shown in FIG. 4, it first functions as input means, and r (χ) and t (χ) are input (step S221).

  Next, the electronic computer functions as expansion means, and uses the input t (χ) to set r (χ) as t (χ) −1 = s (χ),

And s (χ) advance development (step S222). Here, the magnitude of i is automatically determined from r (χ) and s (χ). In step S222, the electronic computer executes the following algorithm as an operation of s (χ) -adic expansion.
(1) for (i = 0; i <"degr (χ) / degs (χ)"; i ++)
(2) D _i (χ) ← r (χ)% s (χ)
(3) r (χ) ← (r (χ) -D _i (χ)) / s (χ)
(4) End for

Next, the electronic computer functions as extraction means, extracts the one having the largest deg (D _i (χ)), and outputs it as D _dmax (χ) (step S223).

  Next, the electronic computer functions as a computing means,

The polynomial h (φ _q , χ) is specified by performing the above calculation and output (step S224). In this way, the electronic computer can obtain D _dmax (χ) and the polynomial h (φ _q , χ) using the auxiliary program.

Also, the order _q of the elliptic curve finite field F _q , the prime order r that divides #E (F _q ), and the trace t of the Frobenius self-homogeneous map φ _q are respectively represented by q (χ) using the integer variable χ. , R (χ) and t (χ) are specified in advance, and r (χ) is expanded by t (χ) -1 base
[r (χ)] Q = Σ [D _i (χ) (t (χ) −1) ⁱ ] Q = Σφ _q ⁱ ([D _i (χ)] Q)
In the case where there are a plurality of D _i (χ) having the highest order dmax in D _i (χ) expressed as, the coefficient of χ ^dmax that is the term of the highest order dmax is defined as T _dmax (φ _q ) and V (φ _q ) | m (φ _q ), gcd (T _dmax (φ _q ), V (φ _q )) = 1 using a polynomial m (χ) of the minimum order satisfying χ) | m (χ)
V (φ _q ) that satisfies
g (φ _q ) V (φ _q ) ≡v (mod m (φ _q ))
Specify integer scalars v and g (φ _q ) satisfying the above by the extended Euclidean algorithm,
[T _dmax (φ _q ) χ ^dmax ] Q = Σφ _q ⁱ ([D _i (χ)] Q) − [T _dmax (φ _q ) χ ^dmax ] Q
= [F (φ _q , χ)] Q
Based on φ _q ^k Q = Q, using the polynomial f (φ _q , χ) and g (φ _q )
[vχ ^dmax ] Q = [g (φ _q ) f (φ _q , χ)] Q = [h (φ _q , χ)] Q
The polynomial h (φ _q , χ) is identified as follows, and the constant term h (0, χ) relating to φ _q of h (φ _q , χ) is
[vχ ^dmax −h (0, χ)] Q = [h (φ _q , χ) −h (0, χ)] Q
By using the above, scalar multiplication nQ can be further speeded up.

That is, χ = a, s ′ = va ^dmax −h (0, a) and h ′ (φ _q ) = h (φ _q , a) −h (0, a), and the scalar n is D _dmax (a ) By using va ^dmax -h (0, a) instead of ^varic expansion and using h (φ _q , a) -h (0, a) instead of va ^dmax -h (0, a) The number of operations has been reduced.

For scalar multiplication nQ where s ′ = va ^dmax −h (0, a) and h ′ (φ _q ) = h (φ _q , a) −h (0, a) are specified, scalar multiplication As shown in FIG. 5, first, a scalar n and a scalar s ′ = va ^dmax −h (0, a) are ^set as the scalar n and χ = a. And h ′ (φ _q ) = h (φ _q , a) −h (0, a) and a rational point Q∈G⊂E (F _q ^k ) are input (step S301). In this case, the electronic computer functions as input means.

Next, the electronic computer functions as initialization means, and initializes the register Z for storing the operation result (Z ← O) (step S302). Then, functions as first calculating means, on the input Q, advance calculation of 2 ^j Q (step S303). Since the calculation in step S303 is the same as the calculation in step S103, the description thereof is omitted.

  Next, the electronic computer functions as the first expansion means, and the scalar n is

And s' advance (step S304). Since the algorithm for the s'-adic expansion in step S304 is the same as that for the s-adic expansion in step S204, description thereof is omitted.

Next, the electronic computer functions as a second expansion means, and uses scalar n as h ′ (φ _q ) and c [i],

And phi _q proceeds to deploy (step S305). The phi _q-adic expansion in step S305, the scalar ^{s' (= va dmax -h (} 0, a)) is, in addition differs from the scalar _{s (= D dmax (a)} ) in step S205, the step S205 Since the s-adic expansion and the algorithm are the same, detailed description is omitted.

In phi _q-adic expansion in step S305, it may coefficient phi _q-adic expansion becomes larger than s'. As described above, when the coefficient for _φq- adic expansion is larger than s ′ (step S306: NO), the coefficient for _φq- adic expansion is obtained by taking the remainder of s ′ with respect to the coefficient for _φq- adic expansion. Is adjusted to be smaller than s ′ (step S307). The calculation in step S307 is the same as that in step S207 except that the scalar s ′ (= va ^dmax −h (0, a)) is different from the scalar s (= D _dmax (a)) in step S207. Since the calculation and the algorithm are the same, detailed description is omitted. In this case, the electronic computer functions as a comparison unit in step S306 and functions as an adjustment unit in step S307.

  Next, the electronic calculator functions as a second calculation means, and calculates Q [i] = d [i] Q (step S308). Even in step S308, the binary method is used, and the calculation in step S308 is the same as the calculation in step S208, and the description thereof will be omitted.

  Next, the electronic calculator functions as a synthesis unit, and uses Q [i] calculated in step S308 to calculate the scalar multiplication nQ,

(Step S309). Since the calculation in step S309 is the same as the algorithm in step S209, the description thereof is omitted.

  The electronic computer functions as output means, outputs Z as the execution result of the scalar multiplication operation program (step S310), and ends the scalar multiplication operation program.

Polynomial h (φ _q, χ) and vχ ^dmax -h (0, χ), the order of the finite field F _q of an elliptic curve q (χ), # E ( F q) number element divides the digit number r (χ) Since the trace t (χ) of the Frobenius self-homogeneous map φ _q is given in advance, it can be specified in advance, so that together with q (χ), r (χ) and t (χ), the polynomial h (φ _q , χ) and vχ ^dmax −h (0, χ) may be incorporated into the arithmetic program for scalar multiplication, or the polynomial h (φ _q , χ by the following auxiliary program using r (χ) and t (χ) ) And vχ ^dmax −h (0, χ) may be obtained.

  When the electronic computer is activated, as shown in FIG. 6, the electronic computer first functions as input means, and r (χ), t (χ), and m (χ) are inputted (step S321). Here, m (χ) is a polynomial of the minimum order that satisfies r (χ) | m (χ), and generally a circumferential equality polynomial is used.

  Next, the electronic computer functions as expansion means, and uses the input t (χ) to set r (χ) as t (χ) −1 = s (χ),

And s (χ) advance development (step S322). Here, the magnitude of i is automatically determined from r (χ) and s (χ). In step S322, the electronic computer executes the following algorithm as the calculation of s (χ) -adic expansion.
(1) for (i = 0; i <"degr (χ) / degs (χ)"; i ++)
(2) D _i (χ) ← r (χ)% s (χ)
(3) r (χ) ← (r (χ) -D _i (χ)) / s (χ)
(4) End for

Next, the electronic computer functions as a first specifying means, extracts a coefficient of χ ^dmax that is a term of the maximum degree dmax of deg (D _i (χ)), and calculates the sum of the extracted coefficients as T ( φ _q , χ), and the other sum is U (φ _q , χ) (step S323). In step S323, the electronic computer specifically executes the following algorithm.
(1) for (i = 0; i <"degr (χ) / degs (χ)"; i ++)
(2) T (φ _q , χ) ← 0, U (φ _q , χ) ← 0
(3) if (deg (D _i (χ)) = dmax)
(4) T (φ _q , χ) ← T (φ _q , χ) + D _i (χ) φ _q ⁱ
(5) End if
(6) else
(7) U (φ _q , χ) ← U (φ _q , χ) + D _i (χ) φ _q ⁱ
(8) End else
(9) End for

Next, the electronic computer functions as a second specifying unit, and specifies the highest order coefficient T _dmax (φ _q ) of T (φ _q , χ) specified in step S323 (step S324).

Next, the electronic computer functions as third specifying means, and uses the highest order coefficient T _dmax (φ _q ) specified in step S324,
V (φ _q ) | m (φ _q ), gcd (T _dmax (φ _q ), V (φ _q )) = 1
V (φ _q ) that satisfies the condition is specified (step S325). In step S325, the electronic computer specifically executes the following algorithm.
(1) W (φ _q ) ← gcd (T _dmax (φ _q ), m (φ _q ))
(2) V (φ _q ) ← W (φ _q )

Next, the electronic computer functions as a fourth specifying unit, and uses V (φ _q ) specified in step S325,
g (φ _q ) V (φ _q ) ≡v (mod m (φ _q ))
Scalars v and g (φ _q ) satisfying the above are specified by the extended Euclidean algorithm (step S326). This extended Euclidean algorithm is executed based on a known program prepared in a general library, and in particular, the coefficient of g (φ _q ) and the scalar v should be made small. Is desirable.

Next, the electronic computer uses g (φ _q ) specified in step S326,

The polynomial h (φ _q , χ) is specified by performing the above operation (step S327), and the polynomial h (φ _q , χ) and vχ ^dmax −h (0, χ) are output (step S328). In this way, in the electronic computer, the polynomial h (φ _q , χ) and vχ ^dmax −h (0, χ) can be obtained using the auxiliary program. In this case, the electronic computer functions as a calculation unit in step S327 and functions as an output unit in step S328.

Hereinafter, an arithmetic program for power multiplication will be described. First, a description will be given multiplier A ⁿ should by t-1 binary expansion.

When an arithmetic program for power multiplication is executed to cause the electronic computer to function as power multiplication, first, as shown in FIG. 7, the difference s between the power n and the prime order r of the order q and F _q ^k Then, the element AεH⊂F _q ^k is input (step S401). In this case, the electronic computer functions as input means.

Next, the electronic computer functions as initialization means, and initializes the register Z for storing the calculation result (Z ← 1) (step S402). Then, it functions as a first calculation means, and X ^ {Y} represents ^XY , and A ^ {2 ^j } is calculated in advance for the input element A (step S403).

In step S403, T [j] = A ^ {2 ^j }, and the electronic computer executes the following algorithm.
(1) for (j = 0; J <"log ₂ s"; j ++)
(2) T [j] ← A
(3) A ← A * A
(4) End for

  Next, the electronic computer functions as a developing means, and the power number n is calculated by the difference s.

And s-advance expansion (step S404). Here, the size of i is determined by the size of n.

In step S404, the electronic computer executes the following algorithm as an arithmetic operation for s-adic expansion.
(1) for (i = 0; i <“log _s n”; i ++)
(2) c [i] ← n% s
(3) n ← (nc [i]) / s
(4) End for
Here, “%” indicates that the remainder is taken.

Next, in the present embodiment, the electronic computer functions as a second calculation unit, and calculates A [i] = A ^{c [i]} (step S405).

In step S405, the binary method is used, and the electronic computer executes the following algorithm.
(1) for (i = 0; i <“log _s n”; i ++)
(2) A [i] ← 1
(3) for (j = 0; c [i]! = 0; i ++)
(4) if (c [i] & 1)
(5) A [i] ← A [i] * T [j]
(6) End if
(7) c [i] ← c [i] / 2
(8) End for
(9) End for

Next, the electronic computer functions as a synthesis unit, and uses A [i] calculated in step S405 to calculate power multiplication ^An .

(Step S406).

In step S406, the electronic computer executes the following algorithm.
(1) for (i = 0; i <“log _s n”; i ++)
(2) Z ← Z * φ _q ⁱ (A [i])
(3) End for

  The electronic computer functions as output means, outputs Z as the execution result of the power multiplication operation program (step S407), and ends the power multiplication operation program.

In addition, when the order q, the prime order r, and the difference s are respectively given by q (χ), r (χ), and s (χ) using the integer variable χ, r (χ) is By expanding s (χ), A ^ {r (χ)} = ΠA ^ {D _i (χ) s (χ) ⁱ } = A ^ {ΣD _i (χ) q ⁱ }
D _dmax (χ) is the highest order among D _i (χ) expressed as
(A ^ {D _dmax (χ)}) ^ {q ^dmax } = A ^ {Σ _{i ≠ dmax} −D _i (χ) q ⁱ } = A ^ {f (q, χ)}
Based on φ _q ^k (A) = A, using a polynomial f (φ _q , χ)
A ^ {D _dmax (χ)} = A ^ { _{Σi ≠ dmax} −D _i (χ) q ⁱ −q ^dmax } = A ^ {h (q, χ)}
The scalar multiplication nQ can be further speeded up by using the polynomial h (φ _q , χ) and D _dmax (χ).

That is, when D _dmax (χ) and the polynomial h (φ _q , χ) are specified, a power number n is expanded in D _dmax (a) with χ = a and replaced with D _dmax (a). By using h (φ _q , a), the number of calculations is reduced.

In the case of exponentiation nQ when D _dmax (χ) and the polynomial h (φ _q , χ) are specified, when an arithmetic program for exponentiation is executed and the electronic computer functions as an exponential multiplier, FIG. As shown, first, a power number n, χ = a, s = D _dmax (a) and h ′ (q) = h (q, a), and an element A∈H⊂F _q ^k are input ( Step S501). In this case, the electronic computer functions as input means.

Next, the electronic computer functions as initialization means, and initializes the register Z for storing the operation result (Z ← 1) (step S502). Then, as a first calculation function, A ^ {2 ^j } is calculated in advance for the inputted A (step S503). Since the calculation in step S503 is the same as the calculation in step S403, the description thereof is omitted.

  Next, the electronic computer functions as the first expansion means, and calculates the power number n,

And s-advance expansion (step S504). Since the algorithm for the s-adic expansion in step S504 is the same as that for the s-adic expansion in step S404, description thereof is omitted.

  Next, the electronic computer functions as a second expansion means, and uses the power n as h ′ (q) and c [i],

And q-advance expansion (step S505).

In step S505, the electronic computer executes the following algorithm as an operation of q-adic expansion.
(1) T (q) ← 1
(2) for (i = 0; i <“log _s n”; i ++)
(3) d [i] ← c [i]
(4) if (d [i] ≧ s)
(5) for (j = 0; j <"log _s d [i]"; j ++)
(6) e [j] ← d [i]% s
(7) d [i] ← (d [i] -e [j])% s
(8) End for
(9) U (q) ← 1
(10) for (j = 0; j <"log _s d [i]"; j ++)
(11) U (q) ← {U (q) * e [j] * h '(q) ^j }% (q ^k -1)
(12) End for
(13) T (q) ← {T (q) + U (q) * h '(q) ⁱ }% (q ^k -1)
(14) End if
(15) else
(16) T (q) ← {T (q) + d [i] * h '(q) ⁱ }% (q ^k -1)
(17) End else
(18) End for

  When the exponent n is expanded in q-adic, the coefficient for q-adic expansion may be larger than s. Thus, when the coefficient of q-adic expansion is larger than s (step S506: NO), the coefficient of q-adic expansion is smaller than s by taking the remainder of s with respect to the coefficient of q-adic expansion. It adjusts so that it may become (Step S507). In this case, the electronic computer functions as a comparison unit in step S506 and functions as an adjustment unit in step S507.

In step S507, the electronic computer executes the following algorithm.
(1) until ( ^∀ d [i] <s)
(2) for (i = 0; i <k-1; i ++)
(3) d [i] ← the i-th coefficient of T (q)
(4) if (d [i] ≧ s)
(5) the i-th coefficient of T (q) ← 0
(6) for (j = 0; j <"log _s d [i]"; j ++)
(7) e [j] ← d [i]% s
(8) d [i] ← (d [i] -e [j])% s
(9) End for
(10) U (q) ← 1
(11) for (j = 0; j <"log _s d [i]"; j ++)
(12) U (q) ← {U (q) * e [j] * h '(q) ^j }% (q ^k -1)
(13) End for
(14) T (q) ← {T (q) + U (q) * q ⁱ }% (q ^k -1)
(15) End if
(16) End for
(17) End until

Next, the electronic calculator functions as a second calculation means, and calculates A [i] = ^{Ad [i]} (step S508).

Even in step S508, the binary method is used, and the electronic computer executes the following algorithm.
(1) for (i = 0; i <k; i ++)
(2) A [i] ← O
(3) for (j = 0; d [i]! = 0; i ++)
(4) if (d [i] & 1)
(5) A [i] ← A [i] * T [j]
(6) End if
(7) d [i] ← d [i] / 2
(8) End for
(9) End for

Next, the electronic computer functions as a synthesis unit, and uses A [i] calculated in step S508 to calculate the power multiplication ^An .

(Step S509).

In step S509, the electronic computer executes the following algorithm.
(1) for (i = 0; i <k; i ++)
(2) Z ← Z * φ _q ⁱ (A [i])
(3) End for

  The electronic computer functions as output means, outputs Z as the execution result of the power multiplication operation program (step S510), and ends the power multiplication operation program.

D _dmax (χ) and the polynomial h (q, χ) can be specified in advance because q (χ), r (χ) and s (χ) are given in advance, and q (χ), r (χ ) And s (χ), D _dmax (χ) and the polynomial h (q, χ) may be incorporated into an arithmetic program for power multiplication, or by using the following auxiliary program using r (χ) and s (χ) , D _dmax (χ) and the polynomial h (q, χ) may be obtained.

  When the computer starts the auxiliary program, as shown in FIG. 9, it first functions as input means, and r (χ) and s (χ) are input (step S521).

  Next, the electronic computer functions as expansion means, and using the input s (χ), r (χ) is

And s (χ) advance development (step S522). Here, the magnitude of i is automatically determined from r (χ) and s (χ). In step S522, the electronic computer executes the following algorithm as a calculation of s (χ) -adic expansion.
(1) for (i = 0; i <"degr (χ) / degs (χ)"; i ++)
(2) D _i (χ) ← r (χ)% s (χ)
(3) r (χ) ← (r (χ) -D _i (χ)) / s (χ)
(4) End for

Next, the electronic computer functions as an extraction unit, extracts the one having the maximum deg (D _i (χ)), and outputs it as D _dmax (χ) (step S523).

  Next, the electronic computer functions as a computing means,

The polynomial h (q, χ) is identified and output by performing the above calculation (step S524). In this way, the electronic computer can determine D _dmax (χ) and the polynomial h (q, χ) using the auxiliary program.

Further, the order q, the prime order r, and the difference s are specified in advance as q (χ), r (χ), and s (χ), respectively, using an integer variable χ, and r (χ) is expressed as s By expanding (χ), A ^ {r (χ)} = ΠA ^ {D _i (χ) s (χ) ⁱ } = A ^ {ΣD _i (χ) q ⁱ }
In the case where there are a plurality of D _i (χ) having the highest order dmax in D _i (χ) expressed as follows, the coefficient of χ ^dmax that is a term of the highest order dmax is defined as T _dmax (q), and r (χ ) | M (χ) using the minimum degree polynomial m (χ) satisfying V (q) | m (q), gcd (T _dmax (q), V (q)) = 1
V (q) that satisfies
g (q) V (q) ≡v (mod m (q))
Specify integer scalars v and g (q) satisfying the above by the extended Euclidean algorithm,
A ^ {T _dmax (q) χ ^dmax } = A ^ {ΣD _i (χ) q ⁱ −T _dmax (q) χ ^dmax }
= A ^ {f (q, χ)}
Based on φ _q ^k (A) = A using the polynomial f (q, χ) and g (q)
A ^ {vχ ^dmax } = A ^ {g (q) f (q, χ)} = A ^ {h (q, χ)}
And a constant term h (0, χ) with respect to q of h (q, χ)
A ^ {vχ ^dmax −h (0, χ)} = A ^ {h (q, χ) −h (0, χ)}
Can be faster the multiplication A ⁿ by, it should be used to meet.

That is, χ = a, s ′ = va ^dmax −h (0, a) and h ′ (q) = h (q, a) −h (0, a), and the power n is D _dmax (a) An arithmetic operation is performed by using va ^dmax -h (0, a) instead of ^var- expanding and using h (q, a) -h (0, a) instead of va ^dmax- h (0, a). The number of times has been reduced.

^{s '= va dmax -h (0} , a) and h' (q) = h ( q, a) -h (0, a) the exponentiation A ⁿ when is specified, should multiply operation program As shown in FIG. 10, first, a power n and a scalar s ′ = va ^dmax −h (0, a) and h ′ are ^set as χ = a, as shown in FIG. (q) = h (q, a) −h (0, a) and the element A∈H⊂F _q ^k are input (step S601). In this case, the electronic computer functions as input means.

Next, the electronic computer functions as initialization means, and initializes the register Z for storing the calculation result (Z ← 1) (step S602). Then, it functions as a first calculation means, and A ^ {2 ^j } is calculated in advance for the input element A (step S603). Since the calculation in step S603 is the same as the algorithm in step S403, the description is omitted.

  Next, the electronic computer functions as the first expansion means, and the scalar n is

And s' advance (step S604). Since the algorithm for the s'-adic expansion at step S604 is the same as that of the s-adic expansion at step S404, description thereof is omitted.

  Next, the electronic computer functions as a second expansion means, and uses the power n as h ′ (q) and c [i],

And q-advance expansion (step S605). The q-adic expansion in step S605 is performed in step S505 except that the scalar s ′ (= va ^dmax −h (0, a)) is different from the scalar s (= D _dmax (a)) in step S505. Since the s-adic expansion and the algorithm are the same, detailed description is omitted.

Even in the q-adic expansion in step S605, the q-adic expansion coefficient may be larger than s ′. Thus, when the coefficient of q-adic expansion is larger than s ′ (step S606: NO), the coefficient of q-adic expansion is s ′ by taking a remainder of s ′ with respect to the coefficient of q-adic expansion. It adjusts so that it may become smaller than (step S607). The calculation in step S607 is the same as that in step S507 except that the scalar s ′ (= va ^dmax −h (0, a)) is different from the scalar s (= D _dmax (a)) in step S507. Since the calculation and the algorithm are the same, detailed description is omitted. Here, the electronic computer functions as a comparison unit in step S606 and functions as an adjustment unit in step S607.

Next, the electronic calculator functions as a second calculation means, and calculates A [i] = ^{Ad [i]} (step S608). Even in step S608, the binary method is used, and the calculation in step S608 is the same as the calculation in step S508, and thus the description thereof is omitted.

Next, the electronic computer functions as a synthesis unit, and uses A [i] calculated in step S608 to calculate the power multiplication ^An .

(Step S609). Since the calculation of step S609 is the same as the calculation of step S509, the description thereof is omitted.

  The electronic computer functions as output means, outputs Z as the execution result of the power multiplication operation program (step S610), and ends the power multiplication operation program.

The polynomials h (q, χ) and vχ ^dmax −h (0, χ) are specified in advance because the order q (χ), the prime order r (χ), and the difference s (χ) are given in advance. Therefore, the polynomials h (q, χ) and vχ ^dmax −h (0, χ) together with q (χ), r (χ) and s (χ) may be incorporated into an arithmetic program for power multiplication, or r ( The polynomials h (q, χ) and vχ ^dmax −h (0, χ) may be obtained by the following auxiliary program using χ) and s (χ).

  When the computer starts the auxiliary program, as shown in FIG. 11, it first functions as an input means, and r (χ), s (χ), and m (χ) are inputted (step S621). Here, m (χ) is a polynomial of the minimum order that satisfies r (χ) | m (χ), and generally a circumferential equality polynomial is used.

  Next, the electronic computer functions as expansion means, and using the input s (χ), r (χ) is

And s (χ) advance development (step S622). Here, the magnitude of i is automatically determined from r (χ) and s (χ). In step S622, the electronic computer executes the following algorithm as the calculation of s (χ) -adic expansion.
(1) for (i = 0; i <"degr (χ) / degs (χ)"; i ++)
(2) D _i (χ) ← r (χ)% s (χ)
(3) r (χ) ← (r (χ) -D _i (χ)) / s (χ)
(4) End for

Next, the electronic computer functions as a first specifying means, extracts a coefficient of χ ^dmax that is a term of the maximum degree dmax of deg (D _i (χ)), and calculates the sum of the extracted coefficients as T ( q, χ), and the other sum is U (q, χ) (step S623). In step S623, the electronic computer specifically executes the following algorithm.
(1) for (i = 0; i <"degr (χ) / degs (χ)"; i ++)
(2) T (q, χ) ← 0, U (q, χ) ← 0
(3) if (deg (D _i (χ)) = dmax)
(4) T (q, χ) ← T (q, χ) + D _i (χ) q ⁱ
(5) End if
(6) else
(7) U (q, χ) ← U (q, χ) + D _i (χ) q ⁱ
(8) End else
(9) End for

Next, the electronic computer functions as a second specifying unit, and specifies the highest order coefficient T _dmax (q) of T (q, χ) specified in step S623 (step S624).

Next, the electronic computer functions as a third specifying unit, and uses the highest order coefficient T _dmax (q) specified in step S624,
V (q) | m (q), gcd (T _dmax (q), V (q)) = 1
V (q) that satisfies the condition is specified (step S625). In step S625, the electronic computer specifically executes the following algorithm.
(1) W (q) ← gcd (T _dmax (q), m (q))
(2) V (q) ← W (q)

Next, the electronic computer functions as a fourth specifying unit, and uses V (q) specified in step S625,
g (q) V (q) ≡v (mod m (q))
The scalars v and g (q) satisfying the above are specified by the extended Euclidean mutual division method (step S626). This extended Euclidean algorithm is executed based on a known program prepared in a general library. In particular, the coefficient of g (q) and the scalar v should be made small. desirable.

  Next, the electronic computer uses g (q) specified in step S626,

The polynomial h (q, χ) is specified by performing the above operation (step S627), and the polynomial h (q, χ) and vχ ^dmax −h (0, χ) are output (step S628). In this way, the electronic computer can obtain the polynomial h (q, χ) and vχ ^dmax −h (0, χ) using the auxiliary program. In this case, the electronic computer functions as a calculation unit in step S627 and functions as an output unit in step S628.

10 Electronic calculator
11 CPU
12 Storage device
13 Memory device
14 Bus
15 I / O controller
20 Telecommunications line
30 client devices

Claims (6)

The elliptic curve ^{_{E / F q = x 3 +}} ax + b-y 2 = 0, and a∈F _q, and b∈F _q,
An additive group formed by rational points of an elliptic curve defined by a finite field F _q for E (F _q ),
E (F _q ^k ) is an additive group formed by a rational point of an elliptic curve defined by the extension field F _q ^k of the finite field F _q ,
Frobenius endomorphism of rational point φ _q on the finite field F _q,
trace t of Frobenius self-homogeneous map φ _q ,
r is the order of E (F _q ) #E (F _q ) = the prime order that divides q + 1−t,
E [r] is a set of rational points whose order is a prime number r,
a map that j times the rational point [j],
G is G = E [r] ∩Ker (φ _q − [q])
As a set of rational points included in E (F _q ^k ) that satisfies
In an arithmetic unit for scalar multiplication in which a scalar n multiplication of a rational point Q of G for a non-negative integer n is computed by an electronic computer equipped with storage means,
Input means for inputting and storing the value of the non-negative integer n, the value of the trace t, and the value of the rational point Q represented by QεG⊂E (F _q ^k ) in the storage means;
Initialization means for initializing the storage means for storing the calculation result Z;
For rational point Q of G,
φ _q (Q) = [q] Q = [t−1] Q
By the fact that
As s = t−1, based on the following equation in which n is expanded in s,

Substitution operations represented by c [i] ← n% s and n ← (nc [i]) / s are repeated a predetermined number of times from i = 0, and the values of each coefficient c [i] and non-negative integer n are stored in the memory Expansion means for storing in the means;
The rational point Q and the coefficient c [i] are read from the storage means, and an operation represented by Q [i] = c [i] Q is repeatedly performed a predetermined number of times from i = 0 to obtain each Q [i]. Arithmetic means for storing values in the storage means;
Based on the scalar multiplication nQ of the following equation expressed using the Frobenius automorphism map φ _q for the rational point instead of t−1:

From said storage means reads out Q [i] and the computation result _{Z, Z ← Z + φ q} i (Q [i]) by the calculation result of the scalar multiplication by repeating predetermined times assignment operation from i = 0 represented Combining means for storing Z in the storage means;
A scalar multiplication arithmetic device characterized by comprising: The order _q of the elliptic curve finite field F _q , the prime order r that divides #E (F _q ), and the trace t of the Frobenius self-homogeneous map φ _q are represented by q (χ), When given by r (χ), t (χ),
Auxiliary input means for inputting the values of q (χ), r (χ), t (χ) and storing them in the storage means;
Based on the following equation, the values of r (χ) and t (χ) are read from the storage means, and s (χ) = t (χ) −1, and r (χ) is s (χ) -expanded. ,

D _i (χ) ← r (χ)% s (χ) and r (χ) ← (r (χ) −D _i (χ)) / s (χ) <Auxiliary expansion means for repeatedly performing until “degr (χ) / degs (χ)” and storing the values of the coefficients D _i (χ) and r (χ) in the storage means;
Auxiliary extraction means for extracting the largest coefficient deg (D _i (χ)) among the stored coefficients D _i (χ) as D _dmax (χ) and storing it in the storage means;
Read the values of D _dmax (χ), D _i (χ), Q from the storage means,
φ _q ^dmax ([D _dmax (χ)] Q) = Σφ _q ⁱ ([D _i (χ)] Q) −φ _q ^dmax ([D _dmax (χ)] Q)
= [F (φ _q , χ)] Q
Based on φ _q ^k Q = Q, using the polynomial f (φ _q , χ)
[D _dmax (χ)] Q = [f (φ _q , χ) φ _q ^−dmax ] Q = [h (φ _q , χ)] Q
An auxiliary specifying means for polynomial h (φ _q, χ) identifies and stores the polynomial h (φ _q, χ) a value of said storage means becomes,
The s-adic expansion of the replaced chi = a as _{s = D dmax (a) D} dmax (a) adic expansion consisting the D wherein instead of _dmax (a) the polynomial h (φ _q, a) means for using The arithmetic unit for scalar multiplication according to claim 1, further comprising: When there are a plurality of coefficients D _i (χ) having the highest order dmax in the coefficient D _i (χ),
The auxiliary input means further includes means for inputting a value of m (χ) that satisfies r (χ) | m (χ) and storing the value in the storage means,
The coefficient D _i (χ) is read out from the storage means as the coefficient of χ ^dmax that is the term of the highest order dmax of deg (D _i (χ)) as T _dmax (φ _q ), and T (φ _q , χ) and U (φ _q , χ) are assigned with an initial value of 0, and T (φ _q , χ) ← T (φ _q , χ) + D when deg (D _i (χ)) = dmax _i (χ) φ _q ⁱ , otherwise U (φ _q , χ) ← U (φ _q , χ) + D _i (χ) φ _q ⁱ is assigned from i = 0 to i <“ degr (χ) / degs (χ) ”, and the values of T (φ _q , χ) and U (φ _q , χ) are stored in the storage means, and the highest order coefficient T _dmax (φ _q ) is _calculated. A second auxiliary specifying means for specifying;
The values of m (χ) and R (χ) are read from the storage means, and V (φ _q ) | m (φ is obtained using a polynomial m (χ) of the minimum order satisfying r (χ) | m (χ). _q ), gcd (T _dmax (φ _q ), V (φ _q )) = 1
Substituting V (φ _q ) that satisfies W (φ _q ) ← gcd (T _dmax (φ _q ), m (φ _q )) and V (φ _q ) ← W (φ _q ) Third auxiliary specifying means for specifying and storing the value of V (φ _q ) in the storage means;
Read the values of V (φ _q ) and m (φ _q ) from the storage means,
g (φ _q ) V (φ _q ) ≡v (mod m (φ _q ))
An integer scalar v and g (φ _q ) satisfying the above by an extended Euclidean algorithm, and a fourth auxiliary specifying means for storing the values of the scalars v and g (φ _q ) in the storage means;
In place of the auxiliary specifying means, T _dmax (φ _q ), χ ^dmax , D _i (χ), Q values are read from the storage means,
[T _dmax (φ _q ) χ ^dmax ] Q = Σφ _q ⁱ ([D _i (χ)] Q) − [T _dmax (φ _q ) χ ^dmax ] Q
= [F (φ _q , χ)] Q
Based on φ _q ^k Q = Q, using the polynomial f (φ _q , χ) and g (φ _q ),
[vχ ^dmax ] Q = [g (φ _q ) f (φ _q , χ)] Q = [h (φ _q , χ)] Q
And polynomial h (φ _q, χ) to identify, the polynomial h (φ _q, χ) a fifth auxiliary specifying means for storing in said memory means the value of a,
Read the value of h (φ _q , χ) from the storage means,
The h (φ _q, χ) of phi _q about constant term h (0, χ) is,
[vχ ^dmax −h (0, χ)] Q = [h (φ _q , χ) −h (0, χ)] Q
With satisfying
With χ = a, s ′ = va ^dmax −h (0, a) and h ′ (φ _q ) = h (φ _q , a) −h (0, a) storing the value of h ′ (φ _q ) in the storage means;
said n that t-1 binary expand va ^dmax -h (0, a) adic expansion in Kawari to D _dmax (a) adic ^{expansion, va dmax -h (0, a} ) in place to h (φ _q, The arithmetic unit for scalar multiplication according to claim 2, further comprising: a) means using h (0, a). F _q ^k is a k-th order extension of a finite field F _q of order _q ,
H is a partial multiplicative group of prime order r of F _q ^k ,
Let φ _{q be the} original Frobenius automorphism map for the finite field F _q ,
In an arithmetic unit for calculating a multiplication to perform n multiplication of an element A of H with respect to a non-negative integer n by an electronic computer provided with storage means,
The value of the non-negative integer n, the value of the order q, the value of the prime order r of the F _q ^k , and the value of the element A represented by A∈H⊂F _q ^k are input and stored in the storage means. Input means to
Initialization means for initializing the storage means for storing the calculation result Z;
The order q and the value of the element A are read from the storage means, the difference between the q and r is s = q−r, and the substitution operation represented by T [j] ← A and A ← A * A Is repeatedly performed from j = 0 to j <“log ₂ s”, and the first calculating means for storing the values of T [j] and A in the storage means,
Based on the following equation that reads out the values of the n and the difference s from the storage means and develops the difference s,

The substitution operation represented by c [i] ← n% s and n ← (nc [i]) / s is repeated a predetermined number of times from i = 0, and the values of each coefficient c [i] and non-negative integer n are Expansion means for storing in the storage means;
When c [i] and the value of n are read from the storage means, A [i] = 1 is initialized based on A [i] = A ^{c [i]} , and c [i] & 1 A [i] ← A [i] * T [j], c [i] ← c [i] / 2, the substitution operation represented by i = 0 is repeated a predetermined number of times, and A [ second calculating means for storing values of i] and c [i];
Read each A [i] from the storage means, based on the following equation:

And a combining means for repeatedly performing a multiplication operation represented by Z ← Z * φ _q ⁱ (A [i]) a predetermined number of times from i = 0 and storing the result as a calculation result Z in the storage means. Multiplication arithmetic unit to be X ^ {Y} represents ^XY ,
When the order q, the prime order r, and the s are given by q (χ), r (χ), and s (χ), respectively, using an integer variable χ,
Auxiliary input means for inputting the values of q (χ), r (χ), and s (χ) and storing them in the storage means;
Based on the following equation, r (χ) and s (χ) are read from the storage means, and r (χ) is expanded in s (χ) using the s (χ).

D _i (χ) ← r (χ)% s (χ) and r (χ) ← (r (χ) −D _i (χ)) / s (χ) i <“degr (χ) / degs (χ)” repeatedly, and auxiliary expansion means for storing the coefficients D _i (χ) and r (χ) in the storage means,
Auxiliary extraction means for extracting the largest coefficient deg (D _i (χ)) among the stored coefficients D _i (χ) as D _dmax (χ) and storing it in the storage means;
Read the values of D _dmax (χ), D _i (χ), q from the storage means,
(A ^ {D _dmax (χ)}) ^ {q ^dmax } = A ^ {Σ _{i ≠ dmax} −D _i (χ) q ⁱ } = A ^ {f (q, χ)}
A ^ {D _dmax (χ)} = A ^ { _{Σi ≠ dmax} −D _i (χ) q ⁱ −q based on φ _q ^k (A) = A ^dmax } = A ^ {h (q, χ)}
An auxiliary specifying means for specifying the polynomial h (q, χ) to be and storing the value of the polynomial h (q, χ) in the storage means;
Said n that the s-adic expansion, replaced with chi = a as s = D _dmax (a) consisting of D _dmax (a) adic expansion, the D _dmax (a) instead of by the polynomial h (q, a) The arithmetic unit for power multiplication according to claim 4, further comprising: means for use. When there are a plurality of coefficients D _i (χ) having the highest order dmax in the coefficient D _i (χ),
The auxiliary storage means further includes means for inputting a value of m (χ) that satisfies r (χ) | m (χ) and storing the value in the storage means,
The coefficient D _i (χ) is read out from the storage means with the coefficient of χ ^dmax being the term of the maximum degree dmax of deg (D _i (χ)) as T _dmax (q), and T (q, χ ) And U (q, χ) are assigned with an initial value of 0, and T (q, χ) ← T (q, χ) + D _i (χ) q when deg (D _i (χ)) = dmax ⁱ , in other cases, the substitution operation represented by U (q, χ) ← U (q, χ) + D _i (χ) q ⁱ is changed from i = 0 to i <“degr (χ) / degs (χ) And the second auxiliary specifying means for storing the values of T (q, χ) and U (q, χ) in the storage means and specifying the highest order coefficient T _dmax (q);
The values of m (χ) and R (χ) are read from the storage means, and the minimum order polynomial m (χ) satisfying r (χ) | m (χ) is used, and V (q) | m (q) , gcd (T _dmax (q), V (q)) = 1
V (q) satisfying W (q) ← gcd (T _dmax (q), m (q)) and V (q) ← W (q) is specified by performing an operation represented by the above V (q a third auxiliary specifying means for storing the value of q) in the storage means;
Read the values of V (q) and m (q) from the storage means,
g (q) V (q) ≡v (mod m (q))
A fourth auxiliary specifying means for specifying integer scalars v and g (q) satisfying an extended Euclidean algorithm and storing the values of the scalars v and g (q) in the storage means;
Instead of the auxiliary specifying means, each value of T _dmax (q), χ ^dmax , D _i (χ), Q is read from the storage means,
A ^ {T _dmax (q) χ ^dmax } = A ^ {ΣD _i (χ) q ⁱ −T _dmax (q) χ ^dmax }
= A ^ {f (q, χ)}
Based on φ _q ^k (A) = A, using the polynomial f (q, χ) and g (q)
A ^ {vχ ^dmax } = A ^ {g (q) f (q, χ)} = A ^ {h (q, χ)}
A fifth auxiliary specifying means for specifying the polynomial h (q, χ) to be and storing the value of the polynomial h (q, χ) in the storage means;
Read the value of h (q, χ) from the storage means,
The constant term h (0, χ) for q of h (q, χ) is
A ^ {vχ ^dmax −h (0, χ)} = A ^ {h (q, χ) −h (0, χ)}
With satisfying
With χ = a, s ′ = va ^dmax −h (0, a) and h ′ (q) = h (q, a) −h (0, a) are performed and s ′, h ′ The value of (q) is stored in the storage means, and instead of expanding n in s-advanced manner in D _dmax (a), it is expanded in va ^dmax −h (0, a) and va ^dmax −h (0 and a) using h (q, a) -h (0, a) in place of a, a).