JPH06308882A - Open key enciphering system based on elliptic curve, its key generating device and ciphering device and its deciphering device - Google Patents

Abstract

PURPOSE:To further enhance safety by eliminating the limination on parameter prime numbers. CONSTITUTION:Devices 22 and 23 generate an order table which shows the correspondence between an identifier which shows the relationship between the order of an elliptic curve Ep(a, 0): y<2>=x<3>+ax (modp) for arbitrary prime numbers p and q and 'a' and the order. Integers 'e', which are prime for each order, are selected, inverse element of 'e' is calculated taking modulo each order, deciphering keys are obtained and deciphering key tables, which show the correspondence between identifiers that allow ap and aq of elliptic curves Ep(ap, 0) and Eq(aq, 0) used for finding the deciphering key to be related to deciphering keys, are generated. Furthermore, 'e' and n(=p.q) are registered in an open file device 12 for each deciphering device (subscriber) 16. A transmitter obtains a receiver's open keys 'e' and 'n' from the device 12, a computer 28 calculates parameters aM of En(aM, 0) from plain sentence sets M=(mx, my), a multiplier 29 calculates a point C by multiplying the result by 'e' on an elliptic curve En(aM, 0) of M and the result is transmitted to a receiver as sets of cryptographs.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a public key encryption system for encrypting a digitized document based on an elliptic curve using a public key, and a device for generating a key used in the public key encryption system.
The present invention relates to a device for encrypting plaintext and a device for decrypting ciphertext into plaintext.

[0002]

2. Description of the Related Art First, symbols relating to elliptic curves will be described. Y ² ≡x ³ + ax for prime p and parameters a and b
A set obtained by adding the point at infinity P ₀ to the set of points satisfying + b (mod p) is called an elliptic curve E _p (a, b). Elliptic curve E
Writing _p the (a, b) the number of points in the #E _p (a, b) and.
For prime numbers p and q (5 or more respectively), their product n (= pq) and parameters a and b, y ² ≡x ³ + ax + b (mod
The set obtained by adding the point at infinity P ₀ to the set of points satisfying n) is written as an elliptic curve E _n (a, b).

In 1991, public key cryptography based on elliptic curves (KMOV method) was proposed by Koyama et al. (K. Ko).
Yama, U .; M. Maurer, T .; Okamoto
and S. A. Vanstone, “New pu
blic-key schemes based on
elliptic curves over the
ring Z _n ", Lecture Note in
ComputerScience vol. 576
pp. 252-266 (1991), Japanese Patent Application No. 4-482.
No. 85). In this method, safety is based on the difficulty of factorizing the parameter n (= pq). KMOV
The method is such that the prime numbers p and q of the parameters are p≡q≡2 (mod
3) or p ≡ q ≡ 3 (mod4).

KMOV in the case of p≡q≡2 (mod3)
The method will be briefly described. Select prime numbers p and q, and multiply their product by n
And Let ψ be the least common multiple of p + 1 and q + 1._nAnd So
Ψ _nAnd a value e that is relatively prime to
Ψ_n) Is calculated. e and n are public keys,
d is a secret key. The sender sets the plaintext set M to an elliptic curve E._n
(0, b): y²≡ x³Point C multiplied by e on + b (mod n)
Is transmitted as a set of ciphertexts. Recipient sets C to elliptic curve E
_n(0, b): y²≡ x³Point multiplied by d on + b (mod n)
Get M as a set of plaintexts.

The KMOV method for p≡q≡3 (mod 4) will be briefly described. Select prime numbers p and q, and let the product be n. Let ψ _n be the least common multiple of p + 1 and q + 1. That Ψ
A value e that is relatively prime to _n is selected, and d that satisfies e · d≡1 (mod Ψ _n ) is calculated. e and n are public keys, and d is a secret key. The sender sends a set M of plaintexts to an elliptic curve E _n (a,
0): The point C multiplied by e on y ² ≡x ³ + ax (mod n) is transmitted as a ciphertext set. Recipient sets C to elliptic curve E
_n (a, 0): y ² ≡x ³ + ax (mod n) A point M multiplied by d is obtained as a set of plaintexts.

[0006]

The prior art KMOV method is based on the security of the difficulty of factorizing the parameter n. However, in the KMOV method, the values of p and q which are the prime factors of the parameter n are p≡q≡2 (mod
3) or p≡q≡3 (mod4), the prime factorization of the parameter n may be facilitated and the safety is low.

The object of the present invention is to prime the parameters p, q.
(EN) Provided is a public key cryptosystem based on an elliptic curve in which security is further improved by eliminating restrictions on the selection of.

[0008]

According to the invention of claim 1, the encryption keys e and n corresponding to the arbitrarily selected prime numbers p and q are registered in the public file device for each recipient, and each p is registered. ，
For each set of q and e, the elliptic curve E _p (a _p , 0): y ² ≡
x ³ + a _p x (mod p) and elliptic curve E _q (a _q , 0): y
² ≡x ³ + a _q x parameter a _p of (mod q), the decryption key table for associating the decryption key identifier associates the decryption key a _q generated, the decryption key table and the corresponding p , Q
There are stored, in the encryption device, the public key e of transmission was obtained from a public file system partner, using n plaintext set M = (m _x,
m _y ) to elliptic curve E _n (a _M , 0): y ² ≡x ³ + a
The parameter a _M of _M x (mod n) is calculated, and the point C multiplied by e on the elliptic curve E _n (a _M , 0) of _M is transmitted as a ciphertext set, and the decryption device sets the ciphertext set. C to elliptic curve E _p
(A _p , 0): y ² ≡x ³ + a _p x (mod p) and elliptic curve E _q (a _q , 0): y ² ≡x ³ + a _q x (mod q) parameters a _p , a _q is calculated, an identifier is obtained from these a _p and a _q , the decryption keys d _p and d _q are obtained by referring to the decryption key table by this identifier, and C is elliptic curve E _p ( _ap ,
0) The point M _p multiplied by d _p above and C on the elliptic curve E
obtains a d _q multiplied by the point M _q on at _q (a _q, 0), to obtain a set M of plaintext using these M _p, from M _q Chinese Remainder Theorem.

To simplify the expression, the calculation of the greatest common divisor of x and y is written as gcd (x, y), and the elliptic curve E _p (a, b): y ² = x ³ + ax + b (mod The operation on p) will be written as over E _P (a, b). The operation procedure of each of the key generation device, the encryption device, and the decryption device according to the present invention will be described below.

(1) Operation Procedure of Key Generation Device The key generation device is composed of a sequence table generation device and a decryption key table generation device. (1.1) Operation procedure of the order table generator The order table shows the order for each identifier, and the order is elliptic curve E _p (a, 0): y ² ≡x ³ + ax (mod
p) is the order, and the identifier indicates the relationship between this order and the parameter a. 1. The input is a prime number p. 2. If p≡3 (mod 4), the order table is Then, this is output, and the operation of the order table generation device ends. 3. If p≡3 (mod 4) is not satisfied, s and t satisfying p = s ² + t ² are calculated. However, s is a positive odd number and t is a positive even number. 4. If s≡1 (mod 4), then N _p0 = p + 1-2s, N _p2 = p + 1 + 2s, otherwise N _p0 = p + 1 + 2s, N _p2 = p + 1-2s. 5. Generate a random number and find the square non-residue h in it. 6. A point R on the elliptic curve E _p (h, 0) is randomly selected. 7. If k _t = gcd (p + 1-2t, p + 1 + 2t) and the following formula is not satisfied, that is, k _t · R is E _p
When it becomes the point at infinity of (h, 0), 6. Return to.

K _t · R ≠ P ₀ over E _p (h, 0) 8. The value obtained by multiplying R by k _t on E _p (h, 0) is the point P at infinity.
₀ , if (p + 1-2t) · R = P ₀ over
If E _p (h, 0), that is, the value obtained by multiplying R by (p + 1-2t) on E _p (h, 0) becomes the point at infinity P ₀ , N _p1 = p + 1-2t, N _p3 = P + 1 + 2t Otherwise, _let N _p1 = p + 1 + 2t, N _p3 = p + 1-2t. 9. τ _p1 = h ^{(p-1) / 4} mod p is calculated (τ _p1 ≠ ±
1). 10. τ _p0 = 1, τ _p2 −1, τ _p3 ＝ −τ _p1 Then, this is output, and the operation of the order table generation device ends.

Similarly, the order table for the prime number q To generate.

(1.2) Operation Procedure of Decryption Key Table Generating Device A decryption key is generated using the order table and prime numbers p and q generated as described above. 1) p≡
In the case of q≡3 (mod 4), (2) p≡3 (mod3), q≡
Different procedures are taken as follows depending on the case of 1 (mod 4) and the case of (3) p≡q≡1 (mod 4).

(1.2.1) Operation Procedure of Decryption Key Table Generation Device (1) 1. The inputs are p, q and their order table. In this case, since p≡q≡3 (mod 4), the order table shown in 2 of (1.1) is used. 2. gcd (e, p + 1) = gcd (e, q + 1) = 1
Then, e is set to be random. That is, all orders p
Select an integer e that is relatively prime to +1 and q + 1. 3. Calculate d _p0 and d _q0 satisfying the following formula. That is p
The inverse element of e is calculated modulo +1 and q + 1.

E · d _p0 ≡1 (mod p + 1), e · d _q0 ≡1 (mod q + 1) 4. In this case, since p≡q≡3 (mod 4),
As shown in 2 of (1.1) of the operation procedure of the order table generating device, the identifier τ _p = τ _q = 0, and the decryption key table is And 5. The encryption keys e, n (= p · q) and the decryption key table are output, and the operation of the decryption key table generation device (1) is completed.

(1.2.2) Operation Procedure of Decryption Key Table Generation Device (2) 1. The inputs are p, q and their order table. p≡q≡3
Since it is not (mod 4), the order table of 10 in (1.1) above is used. 2. gcd (e, N _p0 ) = gcd (e, N _p1 ) = gcd
(E, N _p2 ) = gcd (e, N _p3 ) = gcd (e, q +
1) Randomly set e such that 1 = 1. In other words, choose all orders and prime integer e. 3. Calculate d _pi (i = 0 to 3) and d _q0 satisfying the following formula.

E · d _pi ≡1 (mod N _pi ) (i = 0 to
3), e · d _{qo ≡1} (mod q + 1) 4. The decryption key table is And 5. The encryption keys e and n and the decryption key table are output, and the operation of the decryption key table generation device (2) ends.

(1.2.3) Decryption Key Table Generation Device (3)
Operation procedure of 1. The inputs are p, q and their order table. 2. gcd (e, N _pi ) = gcd (e, N _qi ) = 1 (i
= 0 to 3) is randomly set. 3. Calculate d _pi and d _qi (i = 0 to 3) that satisfy the following equation.

E · d _pi ≡1 (mod N _pi ), e · d _qi ≡1
(Mod N _qi ) (i = 0 to 3) 4. The decryption key table is And 5. The encryption keys e and n and the decryption key table are output, and the operation of the decryption key table generation device (3) ends.

(2) Operation procedure of encryption device 1. Input is e, the set of n and the plaintext _{M = (m x, m y} ). _{However, 0 <m x <n,} 0 <m y <n and gcd
_{(M x, n) = gcd} (m y, n) = 1 to. 2. ^{_{(M y 2 -m x 3)}} / m a _x mod n is calculated, and the calculation result as a _M. 3. e · M over E _n (a _M , 0) is calculated, that is, M is multiplied by e on E _n (a _M , 0), and the calculation result is set as C. 4. C = (c _x , c _y ) is output as a set of ciphertexts, and the operation of the encryption device is terminated.

(3) Operation procedure of decoding device 1. The input is a ciphertext set C = (c_x, C_y). this
The device stores p, q, and a decryption key table. 2. (C_y ²-C_x ³) / C_xmod p and (c_y ²-C_x
³) / C_xmod q is calculated and each calculation result is a_p, A
_qAnd 3. If p≡q≡3 (mod 4), the identifier is τ_p
= 0, τ_q= 0. Go to 4. If p≡q≡3 (mod 4) and not p≡1 (mo
If d 4) and q≡3 (mod 4), then a_p ^{(p-1) / 4}compute mod p
Then, determine the identifier according to the calculation result, that is, calculate
If the result is 1, then τ_p0And τ_p1If the value of is τ_p1And -1
Then τ_p2And −τ_p1Then τ_p3And further τ_q= 0
6. Go to 5. If p≡1 (mod 4) and q≡3 (mod 4), a
_p ^{(p-1) / 4}mod p and a_q ^{(q-1) / 4}calculate mod q,
From the calculation result of the identifier τ_p, Τ_qTo decide. 6. Identifier τ determined in this way_p, Τ_qCorrespond with
Decryption key d_p, D_qFrom the decryption key table. 7. Searched decryption key d_p, D_qAnd ciphertext set C
Wait d_p・ C over E_p(A_p, 0) and d_q・ C
over E_q(A_q, 0), and each calculation result
To M_p, M_qAnd 8. M using the Chinese Remainder Theorem_p, M_qCalculate M from
It 9. Output M as a set of plaintexts and end the operation of the decryption device.
Finish.

[0022]

FIG. 1 shows an embodiment of the invention of claim 1. Public file device 12 provided in center 11 and sender 1
The system is configured with an encryption device 14 provided in No. 3 and a decryption device 16 and a key generation device 17 provided in the receiving side 15 as main components. In the public file device 12, each decrypting device 16, that is, each receiving subscriber A, B,
Each public key (n _A, e _A ), (n
_B, e _B ), (n _C, e _C ), ... Are registered.

The public keys n and e are decrypted by the key generation device 17.
Generated with the key table. That is, the key generation device 17 is shown in FIG.
As shown in, the prime number generator 21 generates an arbitrary prime number p of 5 or more.
And q are generated, and their prime numbers p and q are order tables
It is supplied to the forming devices 22 and 23. In the order table generator 22
Was mentioned earlier (1_.1) Follow the operation procedure of the order table generator
Each identifier is 0, τ_p0~ Τ_p3The order p + 1, N_p0
~ N_p3To obtain a table of orders. Similarly, the order table generator
In step 23, each identifier 0, τ is followed by the same procedure. _q0~ Τ_q3
Order q + 1, N_q0~ N_q3Generate a table of orders for
To do.

The generated bidecimal number table and the prime numbers p and q are input to the decryption key table generator 24 to generate the public key e and the decryption key table, and the public key n as well. To generate. That is, the public key e is generated in accordance with the operation procedure of the (1.2) decryption key table generating device, and the public key e and each identifier 0, τ _p0 are generated.
~ Τ _p3 , τ _{q0 to} τ _q3 and the corresponding decryption keys d _p0 , d _q0 , d
_{p0 to} d _p3 and d _{q0 to} d _q3 are obtained, and a decryption key table showing the correspondence between the identifiers and the decryption keys is generated from these. N = p
-Calculate q to generate public key n.

The public keys e, n generated in this way
Is transmitted to the center 11 by the transmitter 25 on the receiving side 15 (FIG. 1).
And register it in the public file device 12. Generate again
Decrypt the generated prime numbers p and q and the decryption key table as a secret key
It is stored in the storage unit 26 in the device 16. Sender 13
If the plaintext set M is encrypted and transmitted, the transmission phase
The public keys n and e of the hand subscriber are sent using the transmitter / receiver 27.
By receiving and encrypting data by communicating with the encryption device 14
Encrypt the plaintext set M with. The encryption device 14 is shown in FIG. 2B.
As shown in (2), follow the operation procedure of the encryption device.
A from the input plaintext set M and the public key n_MTo calculator 28
Than (m_y ²-M_x ³) / M_xmod n = a_MAnd calculate
This a_MInput M, e, and n into the elliptic curve multiplier 29.
Press E_n(A _M, 0) and multiply M by e, and
Output as a ciphertext set C. Transmit the ciphertext set C to transmitter 3
1 (FIG. 1) to the receiving side 15.

The reception side 15 transmits the darkness transmitted from the transmission side 13.
The set C of the sentence is received by the receiver 32, and is decoded by the decoding device 16.
Issue The decoding device 16 has the configuration shown in FIG.
According to the operation procedure of the decoding device (3) above.
It That is, the ciphertext set C and p and q from the storage unit 26 are
Each a_pCalculator 33, a_qInput to calculator 34
, (C_y ²-C_x ³) / C_xmod p = a_p, (C_y ²
-C_x ³) / C_xmod q = a _pIs calculated. These a
_p, A_qAnd p and q are τ_pCalculator 35, τ_qTotal
It is input to the calculator 36, and τ is calculated according to its p and q._p= 0, τ
_q= 0, or a_p ^{(p-1) / 4}mod p = τ_p, A
_q ^{(q-1) / 4}mod q = τ_pIs calculated. These identifiers τ
_p, Τ_qIn the decryption key table search unit 37,
Search the decryption key table to find the corresponding decryption key d_p, D_qSeeking
Meru.

In the elliptic curve multiplier 38, C, a _p , d _p , p
By inputting, and a value M obtained by multiplying C by d _p on E _p (a _p , 0)
_p is calculated, and the elliptic curve multiplier 39 uses C, a _q , d _q , q
By inputting, and a value M obtained by multiplying C by d _q on E _q (a _q , 0)
Calculate _q . Input p, q, M _p and M _q to the Chinese remainder theorem calculator 41 to calculate M using the Chinese remainder theorem,
The result is output as a set M of plaintexts.

[0028]

As described above, even in the cryptosystem of the present invention, the number of digits of the prime numbers p and q is determined in consideration of the difficulty of factoring the product n (= pq), and the security is secured by this difficulty. However, as described in (1) Operation procedure of the key generation device, since prime numbers other than p≡3 (mod 4), that is, arbitrary prime numbers can be used, the size of the prime numbers p and q can be calculated. It is safer than the KMOV method when the same is used. This is because there are no restrictions on the prime factors p and q of the modulus n, and the factorization of the prime factors becomes more difficult. In order to eliminate the limitation of the prime number of the parameter as described above, in the present invention, a plurality of decryption keys are prepared and the decryption key is selected according to the ciphertext.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration example of a public key cryptosystem according to the invention of claim 1.

FIG. 2 is a block diagram showing a configuration example of a key generation device according to a second aspect of the invention, and B is a block diagram showing a configuration example of an encryption device according to the third aspect of the invention.

FIG. 3 is a block diagram showing a configuration example of a key generation device according to a fourth aspect of the invention.

Claims (4)

[Claims] 1. A prime number p, q arbitrarily selected for each recipient.
The public file device in which the encryption keys e and n corresponding to are registered, and the elliptic curve E _p ( _ap ,
0): y ² ≡x ³ + _ap x (mod p) and elliptic curve E
_q (a _q , 0): y ² ≡x ³ + a _q Generate a decryption key table that associates the above-mentioned decryption key with an identifier that associates the parameters a _p and a _q of x (mod q) with the decryption key. Then, means for storing the decryption key table and the corresponding p, q, and the public key e, n of the transmission partner obtained from the public file device.
With, the plaintext set _{M = (m x, m y} ) from the elliptic curve E
_n (a _M , 0): y ² ≡x ³ + a _M x (mod n) parameter a _M is calculated, and the point C multiplied by e on the elliptic curve E _n (a _M , 0) of _M is encrypted. , And an elliptic curve E _p ( _ap , 0): y ² ≡x from the ciphertext set C
³ + a _p x (mod p) and elliptic curve E _q (a _q , 0): y
² ≡x ³ + a _q The parameters a _p and a _q of x (mod q) are calculated, an identifier is obtained from these a _p and a _q , and the decryption key d _p is referred to by referring to the above decryption key table with this identifier. , d _q look, a C elliptic curve E _p (a _p, 0) and M _p points to d _p times over, the C elliptic curve E _q (a _q, 0) points to d _q times on M _q And a decryption device that obtains a set M of plaintexts from these M _p and M _q using the Chinese Remainder Theorem, and an elliptic curve-based public key cryptosystem. 2. An elliptic curve E _p (a,
0): y ² ≡x ³ + ax (mod p) order and parameter a
Means for generating a rank table showing the correspondence between the identifier showing the relation with and the above-mentioned order, means for calculating the product n of the prime numbers p and q, and all orders in the above-mentioned order table A means for selecting a prime integer e, a means for computing each inverse element of e modulo each order in the above orders, and using the respective calculation results as a decryption key, the decryption key and the order table And a means for generating a decryption key table showing the correspondence with the identifier of. 3. A plaintext set M = (m _x , m _y ) and a public key n.
And the elliptic curve E _n (a _M , 0): y ² ≡x ³ + a _M (m
od n) means for calculating the parameter a _M , the plaintext set M, the public keys n and e, and the parameter a _M
And a means for multiplying M by e on the elliptic curve E _n (a _M , 0) to obtain C as a set of ciphertexts. 4. An elliptic curve E _p from a ciphertext set C and a prime number _p
(A _p , 0): means for calculating the parameter a _p of y ² ≡x ³ + _ap x (mod p), and an elliptic curve E _q (a _q , from the set C and the prime number q of the above ciphertext.
0): y ² ≡x ³ + a _q x (mod q) a parameter a _q is calculated, _ap and the parameter p are used to calculate the identifier τ _p , and the parameters a _q and q are used to determine the identifier τ. means for calculating _q , means for retrieving the respective decryption keys d _p , d _q for the above identifiers τ _p , τ _q from the decryption key table, and the above C on the elliptic curve E _p (a _p , 0) d _p times M _p
And the above C is multiplied by d _q on the elliptic curve E _q (a _q , 0) to obtain M _q
And a means for obtaining the plaintext M from the above M _p , M _q , p, q using the Chinese Remainder Theorem.