JPH0619393A - Request calculating device - Google Patents

Abstract

PURPOSE:To secure high safety and shorten the time required for arithmetic by making a value that an auxiliary device calculates not depend upon secret information that a main device holds. CONSTITUTION:The request calculating device performs power remainder calculation M<d>modn. the main device 1 has a power exponent (d) as the characteristic secret information and holds all coefficients di obtained by expanding the power exponent by (b)-array notation d=SIGMAdib<i> based upon a positive integer b larger than 2 as a cardinal number, and the auxiliary device 2 calculates plural values by raising M as a specific base to beta th power repeatedly and obtaining a remainder with (n) as a specific divisor as conversion which depends upon a specific integer beta exactly dividing the cardinal number and also depends on neither (d) nor the coefficients di. Then the calculation results are sent to the main device 1, which obtains a power residue calculation result by conversion which depends upon the coefficients di and (n) held in its device 1 by using the calculation values. The secrecy regarding the (d) never slips out of the main device 1.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a requested calculation apparatus which can request a highly secure calculation and only request an operation which does not depend on a secret to an auxiliary apparatus.

[0002]

2. Description of the Related Art In general, public key cryptography has been actively studied in order to ensure the security of communication information processing systems. RSA
Many public key ciphers including ciphers are configured with a modular exponentiation calculation as a basic operation as shown in the following equation (1).

C = M ^d mod n (1) Here, in order to secure the strength as a cipher, usually, each variable C, M, n, d uses a value having a size of about 512 bits or more. Therefore, the number of processing steps becomes very large, and it takes a lot of processing time to calculate this with a device having a relatively low processing speed.

Further, in the decryption conversion of RSA encryption, (1)
Since the exponent d in the formula must be kept secret, special care must be taken in handling the exponent when performing the operation. It is safe and convenient to carry if the encryption keys d and n are stored in a storage medium having an access control function such as an IC card. However, if a device other than the IC card performs exponentiation, the IC card transfers the key d,
Since n must be sent, there is a possibility that d will leak to a third party. In addition, the central processing unit (C
Although it is possible to perform power calculation with PU), it is difficult to achieve a practical processing time because the numerical calculation capability of the CPU of the IC card is not so large in general.

Therefore, conventionally, as a method for realizing both speeding up of processing and securing of the secret of an exponent, there has been proposed a method of safely requesting calculation to an auxiliary device, which is called a requested calculation method. ing. Normally, the request calculation is executed by a device including three parts, a client, a server, and a communication line connecting the two. Among them, the client is a device having secret information related to the target processing, and its computing power is relatively inferior to the server. Further, the server executes the processing content requested by the client and returns the result to the client via the communication line. In such processing, the request calculation is to reduce the entire processing time with the assistance of the server without leaking the confidential information of the client to the third party. By the way, when constructing the request calculation method for the decryption conversion of the RSA encryption, the secret information of the client is the power exponent d of the equation (1).

As an example of a concrete protocol for request calculation for exponentiation that has been proposed so far, the method of Matsumoto et al. (Reference: Matsumoto et al., "Speeding, up, secr
et, computations, with, insecure, auxiliary, devices ",,
Proc., Of, Crypto'88,, Springer, Lecture, Notes, in, Comp
uter, Science, 403,, pp.497-506, (1988)) and its improved and modified versions (literature: C.-S., Laih, et al .: "Two, efficient, serv
er-aided, secret, computation, protocols ",, ASIACRYPT '
91 Abstracts, 1991, scheduled to be published in 1992).
However, in these two protocols, the operation of the server is not completely independent of the value of the secret exponent d, and therefore the security is deteriorated as compared with the case where the calculation is performed by the client alone. On the other hand, Quisquater et al. Have proposed a method in which the processing of the server is configured not to depend on the value of the secret exponent d as a method that can prevent the decrease in security that occurs in these methods (Reference: JJQuisquater). , Others: "Speeding, up, smar
t, card, RSA, computations, with, insecure, coprocessor
s ",, SMART, CARD, 2000 Proceedings, 1989 10
Month). However, the method of Quisquater et al. Requires a large amount of communication and processing of the client / server, and thus a more efficient method has been desired.

Various methods have been proposed so far as a method for realizing a general exponentiation calculation with a small number of multiplications without making the assumption that the exponent is kept secret. However, unlike the request calculation, those methods do not aim at sharing the exponentiation between the server and the client, and not leaking the exponent to other clients. Therefore, it is difficult to use these methods as they are to achieve the purpose of request calculation.

[0008]

As described above, in the conventional request calculation device, the method of Matsumoto et al. Is poor in security and may be decrypted by a third party, and the method of Quisquater et al. However, there was a drawback that many calculations required a long time.

The present invention has been made to solve such a conventional problem, and an object of the present invention is to provide a request calculation device capable of ensuring high safety and shortening the time required for calculation. To provide.

[0010]

According to a first aspect of the present invention, there is provided a request calculation device comprising a main unit having a calculation unit and one or a plurality of auxiliary devices having the calculation unit. Is a modular exponentiation calculation: M ^d mod n is performed, the main device has an exponent d that should be unique secret information, and the main device has the exponent d as a radix b greater than 2 Retaining all the coefficients d _i developed by b = adic Σ d _i b ⁱ , the auxiliary device divides the radix b by M, which is a predetermined base, and n, which is a predetermined modulus. Β for M as a transformation that depends on a predetermined integer β and does not depend on either d or the coefficient d _i
The power is repeated to calculate a plurality of values with the remainder taken by n, and these calculation results are transmitted to the main device, and the main device receives the plurality of calculated values received from the auxiliary device and the plurality of the values stored in the own device. It is characterized in that a power-residue calculation result is obtained in the main unit by a conversion depending on the coefficient d _i and the n.

According to a second aspect of the present invention, in a request calculation device comprising a main device having a calculation means and one or a plurality of auxiliary devices having the calculation means, the main device has unique secret information. However, the secret calculation is performed depending on the secret information, the main device has a random number generating means, and at the time when the secret calculation is not executed,
A plurality of random numbers is generated by the random number generation means, random number dependent data obtained by predetermined conversion from the plurality of random numbers is calculated, and the random number and the random number dependent data are stored. A first conversion value obtained by executing a predetermined conversion that does not depend on the secret information is transmitted to the main device, and the main device executes a predetermined conversion that causes the random number to act on the first conversion value. The second conversion value obtained by transmitting the second conversion value to the auxiliary device, the auxiliary device transmits a third conversion value obtained by a predetermined conversion to the main device, the main device is the third conversion value and the It is characterized in that a predetermined conversion depending on the random number dependent data is executed to obtain the execution result of the secret calculation in the own device.

[0012] According to a third aspect of the invention, b-adic representation has a large positive integer b the power exponent d according paragraph 1 than 2 and radix: d = sigma d _i b ⁱ all coefficients developed by d _i On the other hand, two sets of integers are defined, and all of the coefficients d _i are the product of one element of the first set of the sets and one element of the second set of the sets. It has a congruent relation modulo radix b, and the main unit holds the elements of the first set and the elements of the second set corresponding to the individual coefficients d _i in pairs,
The auxiliary device has a predetermined base M and a predetermined modulus n,
A predetermined integer β that divides the radix b and a plurality of modular exponentiation calculations depending on the individual elements of the second set are executed, the calculation results are transmitted to the main device, and the main device is
The calculation result received from the auxiliary device, each element of the first set corresponding to the plurality of coefficients d _i held in the own device, and the conversion depending on n are used to obtain the power-residue calculation result in the main device. It is characterized by obtaining.

[0013]

With the above arrangement, the value calculated by the auxiliary device does not depend on the secret information d held by the main device, so that the secret regarding d will not leak out of the main device. This holds for all of the inventions.

In the first aspect of the present invention, the part executed by the auxiliary device is M <b ⁱ mod n (i = 0,1,2, ..., 1-1) (where 1 is the exponent d in b-ary representation). Size). Confidential information d
Whatever the value of? Is, almost all of the results of these operations performed by the auxiliary device are used for subsequent calculations in the main device. That is, the number of data calculated and transmitted by the auxiliary device is the minimum necessary. As a result, both the communication time and the calculation time of the auxiliary device are shortened, and the time until obtaining the modular exponentiation result is shortened.

In the second aspect of the present invention, the random number is generated during the idle time of the main device. Even data that depends on the secret information d can be converted to data that does not depend on d by applying a random number generated in advance. That is, by applying a random number, a predetermined calculation depending on d can be requested to the auxiliary device so that the secret is not leaked. This expands the calculation part that can be requested to the auxiliary device, and shortens the calculation time as a whole.

In the third invention of the present application, each coefficient d _{i obtained} by expanding a power exponent d into a b-ary number is represented by a product of two integers. However, two integers are included in each of two predetermined sets. The auxiliary device executes the calculation that depends on all the elements of one set, and the main device executes the other part. Not all of the data calculated by the auxiliary device is necessary for the operation of the main device. However, since it is represented by the product of two known sets, the ratio of unnecessary data is smaller than that represented by the sum of the elements of the known set, and the amount of calculation required for the auxiliary device and the amount of communication required Is reduced.

[0017]

Embodiments of the present invention will be described below with reference to the drawings.

Prior to the description of the calculation procedure, as a case where the application of the present invention is most effective, an IC card system will be taken as an example and a typical hardware configuration thereof will be described with reference to FIG.

In the figure, the IC card 203 is a CP
It is a business card-sized plastic card that has a communication terminal for U, memory, and the outside. The secret index d and the modulus n are recorded in the memory of the IC card 203. In particular, d is access-controlled so as not to leak outside the card.

The IC card 203 is connected to the terminal 201 via a read / write interface device, that is, a reader / writer 202. The terminal 201 has a CPU with high computing capability that can perform exponentiation at high speed, and assists exponentiation calculation of the IC card 203. The IC card 203 corresponds to the “client” in the following description, and the terminal corresponds to the “server”. A transmission line of information exchanged between the IC card 203 including the reader / writer 202 and the terminal 201 corresponds to a “communication line”.

FIG. 1 is a block diagram showing a typical configuration of a request calculation device to which the present invention is applied. The figure is not necessarily limited to the IC card system. As a representative functional block of the client 1, a control unit 11 that controls the operation of the client and a remainder multiplication processing unit 12 that multiplies two integer values and divides the result by a modulus value to obtain a remainder.
And an exponent register 13 for storing a secret exponent
There are a memory 14 for storing intermediate results and the like, a communication processing unit 16 for communicating with the outside, and an internal bus 15 for realizing data exchange between these. The client 1 can exchange data with the server 2 via the communication line 3. A typical configuration block of the server is the control unit 21.
, Remainder multiplication processing unit 22, memory 23, and internal bus 2
4 and the communication processing unit 25. Generally, the exponentiation processing capability of the server is considerably higher than that of the client.

Next, a first embodiment according to the present invention will be described based on the flowchart shown in FIG. The purpose of the processing of the client is to finally obtain C = M ^d mod n while keeping the power exponent d secret. In each flow chart shown below, the right side of the one-dot chain line in the figure shows the processing on the server side, and the left side shows the processing on the client side.

[0023]

[Outer 1] When the number of bits of m is m, the number of bits of d is usually about m.

[0024]

[Equation 1] However, 0 ≦ d _j ≦ 2 ^k −1. This exponent d is secret except for the client. In the following description, the symbol "a
"← b" represents substituting the value b for the variable a. Also,
2 ^{kj in the} equation (2) is b (j) shown in the claims.
Is. Then, the client and the server proceed according to the following steps. The processing step numbers in the figure correspond to those in the following procedure.

Step ST1: The client sends M, n to the server.

Step ST2: The server executes the following (a)-
The process of (c) is performed.

(A) Initial setting.

Y ₀ ← M

[Outside 2] y _j ← y _j-1 ∧ 2 ^k mod n (Note: the symbol a ∧ b is b of a
Represents the square)

[Outside 3] Next, the clients are sent sequentially from the server, y
_j (j = 1, 2, ...,

[Outside 4] Multiply and go.

Step ST3: Subscripts i = 1, 2, ...,
Initialize for 2 ^k -1.

Z (i) ← 1

[Outside 5] However, y ₀ = M is set, and y _j is not multiplied when d _j = 0.

Z (d _j ) ← {z (d _j ) · y _j } mod n Then, the client performs the following processing.

Step ST5: Subscript i = 2 ^k −2,2
z (i) ← {z (i) · z (i + 1)} mod n is calculated in this order for ^k− 3, ..., 2,1.

Step ST6: Step ST5 is repeated once again.

Step ST7: The result of the contents of the memory z (1) is obtained.

The reason why C = M ^d mod n is obtained in z (1) by the above procedure is as follows. First, y _j is expressed as follows from the definition.

Y _j = {M∧2 ^kj } mod n (3) As a result of steps ST3 and ST4, d _j = i for z (i)
Y _j having an arbitrary subscript j that satisfies is accumulated.
When expressed by a formula, the following formula (4) is obtained.

[0037]

[Equation 2] here,

[Equation 3] By substituting (4) into the order of terms and arranging the exponents of M in descending order of the subscript j, it can be seen that the exponent whose base is M in Eq. (5) is equal to d. That is, C = M ^d mod n can be calculated by the equations (4) and (5). By the way

[Outside 6] I'm calculating. Therefore, the client can obtain the desired calculation result by the above procedure.

Now, let us consider the performance of request calculation by such a procedure.

Concealment of exponent: According to the above procedure, the information flowing through the communication line and the processing of the server do not depend on the value of the secret exponent d. Therefore, the information regarding d will not be leaked outside the client by the above procedure.

Processing amount of server 0 Among the processing of the server, the most troublesome part is the modular exponentiation calculation part of the normal step ST2 (b). In step ST2 (b), (m-
k) requires modular multiplication.

Processing amount of the client: Among the processings of the client, the most troublesome one is the modular multiplication of steps ST4 and ST5, ST6. In those steps

[Outside 7] Communication volume: The messages exchanged between the server and the client are counted in units of m-bit blocks.
Communication between step ST1 and step ST2 (c)

[Outside 8] Memory amount: When the memory amount related to the operation is roughly estimated in units of m-bit blocks, the server has three blocks of y _i and M, n, and the client has M, y _j , z (i), n, and (2 ^k +3) blocks.

The above is summarized in Table 1 together with the characteristics of other systems. Further, since the typical number of bits of the modulus n used in the cryptographic system is 512 bits, Table 2 summarizes the specific performance in that case. The comparison with other methods will be summarized later.

Note that when performing exponentiation calculation of RSA encryption, the modulus n is the product of two prime numbers p and q whose number of digits is about half of n, and the client usually knows the value. Due to the property of number theory, one modular multiplication with modulo n can also be realized by performing modular multiplication once with modulo p and q once and synthesizing the result with the Chinese modular theorem. Utilizing this fact, it is possible to divide the modular multiplication performed by the client into modulo p and modulo q and execute them. In that case, the advantage is that the modulus p and the modulus q are
Considering the above, the length of the exponent is about half compared to the case where the power is modulo n, so the number of y _j sent to the client by the server is about half the number shown in the first embodiment. is there. Therefore, it is possible to reduce the communication amount and the calculation amount of the server. In the following embodiments as well, by dividing the modular multiplication of the client into modulo p and modulo q, it is possible to achieve the same reduction of the communication amount and the calculation amount of the server as in the first embodiment.

Next, a second embodiment according to the present invention will be described based on the flowchart shown in FIG. First, it is assumed that the power exponent d is an m-bit binary number, and its bit position is defined as a bit position 0 in order from the least significant bit and a bit position next to it is a bit position 1. And

[Outside 9] Issued and only the client remembers it.

Block cutting is performed as follows. The exponent represented in binary is scanned from the least significant bit to the most significant bit, and the scanning is continued until the bit "1" appears.
When the bit “1” appears, the k bits including the bit are moved from the bit to the upper bit in the first block u.
Cut out as ₁ . Further, the bit position of the bit “1” is represented by w (1). Similarly, the bits that have not yet been cut out are scanned up to the most significant bit, and a block is cut out every time a bit "1" appears. At this time, d is represented by the following equation (6).

[0046]

[Equation 4] U _r is an odd number and 1 ≦ u _r ≦ depending on how the block is cut out
2 ^k −1 is satisfied. Since

[Outside 10] is there.

Step ST11: Client is M, n
To the server.

Step ST12: The server executes the following (a)
~ (C) Processing is performed.

(A) Initial setting.

Y ₀ ← M (b) The square calculation is repeated for the subscripts j = 1, 2, ..., M.

Send y _j ← (y _j-1 ∧ 2) mod n (c) y ₁ , y ₂ , ..., Y _m to the client.

Next, the clients are sequentially sent from the server, y _j (j = 1, 2, ...,

[Outside 11] The memory z (i) (i = 1, 2, ..., 2 ^k-1 ) is cumulatively multiplied as follows. However, y ₀ = M.

Step ST13: Subscripts i = 1, 2,
..., initialization is performed for ^2k-1 .

Z (i) ← 1

[Outside 12] z ((u _r +1) / 2) ← {z ((u _r +1) / 2) ・
y _{w (r)} } mod n Then, the client performs the following processing.

Step ST15: Subscript i = 2 ^k-1 −
Calculate z (i) ← z (i) · z (i + 1) mod n in this order for ^1, 2, ^k−1 −2, ..., 2, 1.

Step ST16: w ← z (1) Step ST17: The process of step ST15 is repeated.

Step ST18: z (1) ← w · z (1) ² mod n Step ST19: The result of the contents of the memory z (1) is obtained.

The reason why C = M ^d mod n can be obtained in z (1) by the above procedure can be explained almost in the same way as in the first embodiment, but in this embodiment the block u _r obtained by decomposing the exponent is Utilizing that all are odd, steps ST15 to S
Since the process of T18 is performed, when the same k is used, the required number of z (i) is half that in the first embodiment, and the steps ST15 to ST18 are also approximately half the number. ing. The performance is also shown in Table 1 for the second embodiment.
2 shows. The characteristics of the second embodiment will be clarified later in the section of system comparison.

Next, a third embodiment according to the present invention will be described based on the flowchart shown in FIG.

[Outside 13] And only the client knows the value of each block.

Step ST21: Client is M, n
To the server.

Next, the server performs the following processing.

Step ST22: Initialization is performed.

R ← 1, y ₀ (1) ← M, w ← M Step ST23: Modulo multiplication is performed for the subscripts i = 1, 2, ..., 2 ^k -1. y _i (r) ← {y _i-1 (r) · M} mod n Step ST24: r, y ₁ (r), y ₂ (r), ...,
Send the contents of y- (2 ^k -1) to the client. Here, y− _x represents that the subscript is x.

[0064]

[Outside 14] Step ST28: r ← r + 1 Step ST29: Reset y ₀ (r) as follows and return to step ST23.

W ← (w∧2 ^k ) mod n y ₀ (r) ← w Then, the process of the client is as follows.

Step ST25: Step Step ST
Y _i (r) (i = 0, sent from the server at 24)
The values 1, 2, ..., 2 ^k −1) are cumulatively multiplied according to the following rules. However, when d _r = 0, no multiplication operation is performed.

Z ← (z · yd _r (r)) mod n Step ST26: If r = 1, the process proceeds to step ST27.

Step ST27: The result of the contents of the memory z is obtained.

It is clear that this procedure yields C = M ^d mod n.

Next, a fourth embodiment according to the present invention will be described with reference to the flow charts shown in FIGS.

[Outside 15] Stored in the client.

First, the client performs the following preprocessing prior to power calculation.

Step ST31: (2 ^k -1) less than n
A random number r _i (i = 1, 2, ..., 2 ^k −1) is generated.

Step ST32: R defined by the following equation (7) is calculated.

[0074]

[Equation 5] Step 33: Compute the reciprocal R ⁻¹ of modulo n of R.
From the definition, R and R ^-1 satisfy the following expression (8).

(R · R ⁻¹ ) mod n = 1 (8) Step ST34: The client sends M and n to the server.

Then, the server performs the following processing.

Step ST35: Initial setting.

Y ₀ ← M

[Outside 16] y _j ← y _j-1 ∧ 2 ^k mod n (Note: the symbol a ∧ b is b of a
Represents the square)

[Outside 17] Then the clients are sent in sequence from the server,
y _j (j = 1, 2, ...

[Outside 18] Multiply and multiply. However, y ₀ = M, and d _j = 0
Y _j is not applied to.

Step ST38: Subscripts i = 1, 2,
.., 2 ^k −1 is initialized.

Z (i) ← r _i

[Outside 19] .

Z (d _j ) ← {z (d _j ) · y _j } mod n Step ST40: z (i) (i = 1, 2, ..., 2 ^k −)
1) is sent to the server.

After that, the server copies the value of z (i) sent to the memory w (i) and performs the following processing.

Step ST41: Subscript i = 2 ^k −2,
W (i) ← {w (i) · w (i + 1)} mod n is calculated in this order for 2 ^k -3, ..., 2, 1.

Step ST42: The step ST41 is repeated once again.

Step ST43: The contents of w (1) are sent to the client.

Step ST44: The client copies the value of w (1) received from the server to z (1), calculates z (1) ← {z (1) · R ⁻¹ } mod n, and outputs the final result. get z (1) (step ST4)
5).

This procedure is based on the first embodiment. The difference between the two is that the processes of steps ST5 and ST6 performed by the client in the first embodiment are performed by the server in steps ST41 to ST43 in the present embodiment. However, a random number is multiplied in the initialization in step ST38 so that information regarding the exponent from the value of z (i) does not leak to the server. In addition, step ST43
The value received by the client at the end of is the R times the final result. To correct this, step ST44
Then, the reception result is multiplied by the reciprocal R ⁻¹ . Step S
Since the reciprocal R ⁻¹ of R is calculated in advance at T33, the process of step ST44 is completed with one labor of modular multiplication.

Incidentally, steps ST31 to ST of the present embodiment.
Since 33 can be done before M is decided, CP of the client
It can be calculated in advance using the free time of U. Therefore,
Comparing the number of multiplications performed by the client after step ST34, which cannot be performed in advance, with the number of multiplications performed by the client of the first embodiment, the calculation amount of the present embodiment is smaller.
This embodiment can reduce the processing time more than the first embodiment under the assumption that the communication time is ignored and the server is sufficiently fast.

Now, a fifth embodiment of the present invention will be described with reference to the flow charts shown in FIGS. The present embodiment is based on the second embodiment, and has the same modifications as the fourth embodiment. According to this embodiment, the calculation amount of the client can be reduced most among the four embodiments. It should be noted that the calculation amount of steps ST51 to ST53 is not included in the comparison.

[0090]

[Outside 20] Issued and only the client remembers it.

First, the client performs the following preprocessing prior to power calculation.

[0092] Step ST51: 2 ^k-1 random numbers less than _{n r i (i = 1,2,} ..., 2 k-1) to generate a.

Step ST52: R defined by the following equation is calculated.

[0094]

[Equation 6] Step ST53: R satisfying (R · R ⁻¹ ) mod n = 1
^-1 is asked.

Step ST54: The client is M, n
To the server.

Next, the server performs the following processing.

Step ST55: Initial setting.

Y ₀ ← M Step ST56: The square calculation is repeated for the subscripts j = 1, 2, ..., M.

Y _j ← (y _j-1 ∧ 2) mod n Step ST57: y ₁ , y ₂ , ..., Y _m are sent to the client.

Then, the clients are sequentially sent from the server, y _j (j = 1, 2, ...).

[Outside 21] z (i) (i = 1, 2, ..., 2 ^k-1 ) is cumulatively multiplied as follows. However, y ₀ = M.

Step ST58: Subscripts i = 1, 2,
..., z (i) is initialized for 2 ^k-1 .

Z (i) ← r _i

[Outside 22] z ((u _r +1) / 2) ← {z ((u _r +1) / 2) ・
yw _(r) } mod n Step ST60: Memory z (i) (i = 1, 2, ...,
2 ^k-1 ) value is sent to the server.

After that, the server stores the received value in the memory g.
(I) (i = 1, 2, ..., 2 ^k-1 ) is copied, and the following processing is performed.

Step ST61: Subscript i = 2 ^k-1 −
Calculate g (i) ← {g (i) · g (i + 1)} mod n in this order for ^1, 2, ^k−1 −2, ..., 2, 1.

Step ST62: v ← g (1) Step ST63: The processing of step ST61 is repeated.

Step ST64: g (1) ← (v · g
(1) ² ) mod n Step ST65: The value of g (1) is sent to the client.

Step ST66: The client copies the value of g (1) received from the server to Z (1), calculates z (1) ← {z (1) · R ⁻¹ } mod n, and outputs the final result. Get to z (1).

Next, Table 1 below shows a comparison between the processing amount and the memory amount in the first to seventh embodiments.
However, in Example 6 and Example 7, H = {1, -1, 2,
-2}, K = [b / 3] is taken up.

Next, a sixth embodiment according to the present invention will be described with reference to FIG.
This will be described based on the flowchart shown in FIG. In the present embodiment, the power index d is decomposed as follows.

[0110]

[Equation 7] However, h _j εH = {α ₁ , α ₂ , ..., α _t }, 0 ≦ k _j ≦
An integer k. That is, the individual _{d j d j = h j k} j mod
It is expressed as a product of h _j and k _j . An example of decomposition of such exponents is found in E. Brickell, et al .: "Fast Ex.
ponentiation with Precomputation ", Proc.of EUROCRIP
T'92, pp.193-201 ". Specifically, (1) H = {1, -1}, K =" (b-1) / 2 ". The symbol "a" represents a minimum integer of a or more.

(2) H = {1, -1,2, -2}, K = [b / 3], where
b is an odd number. The symbol [a] represents a maximum integer equal to or less than a.

Is an example of such a decomposition.

Step ST61: The transmission client of M, n is M.n. sends n to the server.

Step ST62: Computation of Server The server computes all y _ij (0≤i≤) represented by the following equation.
1-1, 1 ≤ j ≤ t) is calculated and the result is sent to the client.

Y _ij = {M> (α _j b ⁱ )} mod n (0 ≦
i ≦ 1-1, 1 ≦ j ≦ t) Step ST63: Calculation of Client The client sequentially sends y _ij (0 ≦ i
≦ 1-1,1 ≦ j ≦ t), M> (h _i b ⁱ ) mod n (0
Select the value ≤ i ≤ 1-1). The values selected are the same first
There is at most one out of t y _ij with a subscript i, and at most one at a total. For the first subscript i, write the selected value as y _{i *} .

Next, the following calculation is executed to obtain the desired value S.

[0117]

[Equation 8] However,

[Equation 9] Additional z (u) is k _i = a j y _{i *} all i (0 ≦ i
The results are cumulative for ≦ 1-1).

When the value of z (j) (1≤j≤k) is individually stored in the memory and then the power product is executed, step ST
63 is decomposed into the following steps.

(A) Cumulative memory z (j) (j = 1,2, ..., k) The client is the memory z for the subscript j = 1,2, ..., k.
(j) is set to 1, and cumulative multiplication is performed for subscripts i = 0, 1, 2, ..., I-1.

Z (k _i ) = {z (k _i ) .y _{i *} .mod n (b) The client uses the subscripts j = K-1, K-2, ... Calculate.

Z (j) = {z (j) z (j + 1)} mod n (C) The client repeats the calculation of (b) again. The result of the contents of the memory z (1) is obtained.

In the sixth embodiment, the amount of calculation and the amount of communication requested to the server are larger than those in the first and second embodiments and smaller than those in the third embodiment. On the contrary, the number of multiplications by the client is smaller than that in the first and second embodiments and larger than that in the third embodiment. Therefore, as compared with the first and second embodiments, the procedure of the sixth embodiment is effective when the processing capacity and communication speed of the server are larger and the processing capacity of the client is smaller.

Next, of the sixth embodiment, a seventh embodiment will be described in which the client requests the server to perform a power product calculation to be executed in step ST63. A flowchart is shown in FIG. It is assumed that the exponent of the client is decomposed as in the sixth embodiment.

Step ST71: Pre-Processing of Client First, the client generates K random numbers r _j (1 ≦ j ≦ k). However, the random number r _j is an integer less than n. further,
The values R and R ^-1 defined by the following expressions are obtained.

[0125]

[Equation 10] R · R ⁻¹ = 1 mod n The above processing is performed before the power calculation M ^d mod n is executed. For example, this process is performed by using the idle time of the CPU in the client, and some results are saved in the memory in the client.

Step ST72: Transmission of M, n The client sends M, n to the server.

Step ST73: Computation of Server The server computes all y _ij (0≤i≤) represented by the following equation.
1-1, 1 ≤ j ≤ t) is calculated and the result is sent to the client.

Y _ij = {M> (α _j b ⁱ )} mod n (0 ≦ i
≤1-1, 1 ≤ j ≤ t) In the transmission of (1 * t) pieces of data y _ij , the transmission order is defined so that the client can identify the data.

Step ST74: Cumulative multiplication by the client The client sequentially sends y _ij (0 ≦ i) from the server.
≦ 1-1, 1 ≦ j ≦ t), M> (h _i b ⁱ ) mod n (0 ≦
The value of i ≦ 1-1) is extracted. The value to be extracted is at most one from t y _ij having the same first subscript i,
The total is at most one. For the first subscript i, write the selected value as y _{i *} .

The client sets the memory z (j) to r _j for the subscript j = 1,2, ..., K, and further subscripts i = 0,1,2,
The following cumulative multiplications are performed for 1-1.

Z (k _i ) = z (k _i ) y _{i *} mod n z (j) (1≤j≤k) obtained by the above is sent to the server.

Step ST75: Power Product Calculation by Server The server obtains the following w and sends it to the client.

[0133]

[Equation 11] Step ST76: Post-Processing by Client The client obtains a desired value S by the following calculation.

S = (wR ^-1 ) mod n

[Table 1] However, in Table 1, it is defined as follows.

(Preprocessing 1) = (2 ^k-1 random number generation) +
(Modulo multiplication (2 ^{k + 1} −4 times) + (reciprocal number calculation once) (preprocessing 2) = (2 ^k−1 random number generation) + (modulo multiplication (2 ^k ) times) + (reciprocal number calculation 1) (Pre-processing 3) = ([b / 3] random number generation) + (residual multiplication (2 [b / 3] -2) times) + (one reciprocal calculation) Symbol [a] is a or greater than a Represents the smallest integer.

The definitions of the symbols used in this table are summarized. m is the size of the exponent d. That is, m =
It is [log ₂ d] +1. In the first to fifth embodiments, k is a block size (number of bits) obtained by dividing the exponent of binary representation.
Is. B in Examples 6 and 7 is a radix for dividing the power exponent d (d is expressed in b-ary number), and l is the number of digits of d when expressed in b-ary number. That is, l = L
og _b d] +1. Furthermore, Exp in Examples 6 and 7
(b) represents the number of modulo multiplications required to calculate the modulo b.
Represents a conversion value obtained by dividing the processing time required for the reciprocal calculation by the processing time required for one modular multiplication.

Then, in Table 1, the number of multiplications varies slightly according to the bit pattern of d, but here the worst value is shown.

Table 2 shows the concrete calculation amount when m = 512.
A memory amount comparison is shown. Here, for the sake of simplicity, calculation was performed with k = 5.

Assuming that the proposed method is used for the secret conversion of RSA encryption, m = 512 is often used.
It is necessary to optimally select the parameters k and b of each method,
Here, for simplification, Table 2 shows specific values when k = 5 and b = 33. However, in Examples 6 and 7, Exp (b)
= 6 and Inv = 10.

[0140]

[Table 2] However, in Table 2, it is defined as follows.

(Preprocessing 1) = (31 random number generation) + (modulo multiplication 60 times) + (reciprocal calculation 1 time) (preprocessing 2) = (16 random number generation) + (modulo multiplication 32 times)
+ (Reciprocal calculation 1 time) (Pre-processing 3) = (11 random number generation) + (Remainder multiplication 20 times)
+ (1 reciprocal calculation) In the above embodiment, the client calculates the calculation result C = M ^d mod.
It has been described that n is not output to the outside. And
At that time, the above request calculation procedure has not leaked any information about d except the client. However, since the above procedure alone does not check whether the result obtained by the client is correct or not, it is helpless for an illegal server to return a value other than the predetermined value to the client and interfere with the operation. is there. It is convenient to be able to confirm that the calculation result is correct by some means. Fortunately, for the RSA encryption conversion, the parameters can be selected so that the inverse conversion of C = M ^d mod n can be performed easily, so if the result C is inversely converted and returned to the original M after executing the requested calculation, Can be confirmed to be correct. Such confirmation calculation is called verification.
As a concrete verification formula that can be used in RSA encryption (11)
There is a formula.

M = C ^e mod n (11) What is important here is that the exponent e can be set to be sufficiently smaller than d, so that the formula (11) can be calculated in a short time.

By the way, when the client is an IC card in a specific device, it is considered that the calculation result C is often output from the IC card to the outside. Even in that case, the verification is quite effective to secure the safety of the exponent d. However, the effectiveness of verification is not 100% for the purpose of not leaking information regarding d to the outside of the client. Therefore, if you do a correct check and the result is not correct,
It is desirable to also use a method of counting and storing the number of times and sounding an alarm to notify the owner when an error is made a certain number of times or more.

Up to this point, the request calculation has been described with the RSA encryption decryption conversion in mind, but the application of the present invention is not necessarily limited to the RSA encryption, and for various applications where the exponent is desired to be concealed to other than the client. Applicable. As an application example other than the RSA encryption, the key agreement protocol proposed by Diffie and Helman can be considered. An IC card is a specific example of the client,
The application of the present invention is not necessarily limited to the IC card. The server and the communication line do not limit the specific implementation method as long as they are within the scope of the present invention.

[0145]

As described above, according to the present invention, the exponentiation calculation in which the exponent is kept secret can be efficiently calculated with the help of the auxiliary device and without leaking the exponent to the external device such as the auxiliary device. The effect is obtained.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration of a request calculation device to which the present invention is applied.

FIG. 2 is a configuration diagram showing an IC card utilization system.

FIG. 3 is a flowchart showing the operation of the first embodiment of the present invention.

FIG. 4 is a flowchart showing the operation of the second embodiment of the present invention.

FIG. 5 is a flowchart showing the operation of the third embodiment of the present invention.

FIG. 6 is a first partial diagram of a flowchart showing the operation of the fourth embodiment of the present invention.

FIG. 7 is a second branch diagram of the flowchart showing the operation of the fourth embodiment of the present invention.

FIG. 8 is a first partial diagram of the flowchart showing the operation of the fifth embodiment of the present invention.

FIG. 9 is a second branch diagram of the flowchart showing the operation of the fifth embodiment of the present invention.

FIG. 10 is a flowchart showing the operation of the sixth embodiment of the present invention.

FIG. 11 is a flowchart showing the operation of the seventh embodiment of the present invention.

[Explanation of symbols]

 1 Client 2 Server 3 Communication Circuit 201 Terminal 202 Reader / Writer 203 IC Card

Claims (3)

[Claims] 1. A request calculation device comprising a main unit having a calculation unit and one or a plurality of auxiliary devices having a calculation unit, wherein the request calculation unit executes a modular exponentiation calculation: M ^d mod n. And the main device has an index d which should be unique secret information,
The main unit b adic representation was large positive integer b radix than two exponent d the should: holds d = sigma d _i b ⁱ all the coefficients d _i that developed by the auxiliary device, a predetermined bottom Is M and n is a predetermined modulus
Then, as a conversion that depends on a predetermined integer β that divides the radix b, and that does not depend on any of the d and the coefficient d _i , multiple β values are repeated for M to calculate a plurality of values with a remainder n. , A calculation of the modular exponentiation by transmitting these calculation results to the main device, and the main device by the conversion depending on the plurality of calculated values received from the auxiliary device and the plurality of coefficients d _i and n held in the own device. A request calculation device characterized by obtaining a result in a main device. 2. A request calculation device comprising a main device having a calculating means and one or a plurality of auxiliary devices having a calculating means, wherein the main device has unique secret information,
In order to perform a secret calculation dependent on the secret information, the main device has a random number generation means, at the time when the secret calculation is not performed, generates a plurality of random numbers by the random number generation means, Random number dependent data obtained by predetermined conversion from the plurality of random numbers is calculated, the random number and the random number dependent data are stored, and when executing secret calculation, the auxiliary device performs predetermined conversion that does not depend on the secret information. The first conversion value obtained by transmitting the first conversion value to the main device, and the main device executes a predetermined conversion in which the random number acts on the first conversion value, and the second conversion value obtained by performing the predetermined conversion. The auxiliary device transmits a third conversion value obtained by a predetermined conversion to the main device, and the main device performs a predetermined conversion depending on the third conversion value and the random number dependent data. Secret calculation Requesting computing device, characterized in that to obtain a row results in the own device. 3. A b-ary number expression in which the power exponent d described in claim 1 is a base number based on a positive integer b greater than 2, and for all coefficients d _i expanded by d = Σ d _i b ⁱ , from a plurality of integers Two sets are defined, and the coefficient d
All _i have a congruent relation modulo radix b to the product of one element of the first set of the set and one element of the second set of the set, and The elements of the first set and the elements of the second set corresponding to d _i are respectively held in pairs, and the auxiliary device has a predetermined base M and a predetermined modulus n.
A predetermined integer β that divides the radix b and a plurality of modular exponentiation calculations depending on the individual elements of the second set are executed, and the calculation results are transmitted to the main device, the main device Obtaining a modular exponentiation calculation result in the main device by the calculation value received from the device, each element of the first set corresponding to the plurality of coefficients d _i held in the device itself, and the conversion depending on n. Request calculation device characterized by.