JPH1152851A - Group computing device on elliptic curve - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce the number of multiplications and divisions and to increase the speed of the group computations on an elliptic curve by obtaining the inverse element of the element of the group on the curve using the means which computes a rational expression. SOLUTION: Affine coordinates (x,y) represent the element which is not a point at infinity 0 of the group on an elliptic curve E (GF(2<2n> )) on a finite field GF(2<2n> ). Then, employing an enquiry device 1a, the (x,y) of the input is provided to an adder 1b of the element of the finite field. Then, the adder 1b computes and returns a sum (x+y) on GF(2<wd> ) of the inputs x and y. The device 1a then outputs an inverse element (x, x+y) of the element of the group on the elliptic curve using the (x+y) obtained by the adder 1b. Then, the adder 1b of the element of the field used in an inverse element computer 1 of the element of the group on the curve performs the computations using the exclusive OR for every adding bit on the GF(2<wd> ).

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a group operation device on an elliptic curve, and more particularly, to a group operation on an elliptic curve.
The present invention relates to a group operation device on an elliptic curve for realizing an error correction code and information security technology represented by key distribution and authentication.

[0002]

2. Description of the Related Art An element of a group E (K) on an elliptic curve on a field K can be expressed by homogeneous coordinates consisting of three elements of K or affine coordinates consisting of two elements of K. it can. The addition of E (K) can be calculated using the four arithmetic operations on the body K in both the representation of homogeneous coordinates and affine coordinates.

In configuring a device for realizing group operations on an elliptic curve, a finite field GF (q) of order q can be selected as the field K. Among them, a finite field GF (2 ⁿ ) of characteristic 2 can be selected. Is often used because it can be implemented at high speed. Of the four arithmetic operations on a finite field, in the usual implementation method, the inverse of addition and addition can be implemented at very high speed, but the inverse of multiplication and multiplication (hereinafter, referred to as
Unless otherwise specified, simply describing an inverse element represents the inverse element of multiplication.) The operation takes a very long time. Therefore, the time required for adding the groups on the elliptic curve can be evaluated by the number of required multiplications and inverse operations on the constant field K.

The inverse operation of a finite field of characteristic 2 is
Conventionally, much more computation is required than multiplication. Therefore, in the conventional implementation of group operations on an elliptic curve, the number of multiplications is relatively large, but implementation using homogeneous coordinates that does not require inverse operations is the mainstream (for example, see [AJMenc
zes and SA Vanstone: "Ellipfic Carve Crypto sys
tems and Their Implementation, "Journal of Crytolo
gy, volume 6, pp.209-289) Springer-International, 1
993).

However, in recent years, a technique for implementing the inverse of a finite field of characteristic 2 at high speed has been developed, and a technique using affine coordinates for expressing an element of a group on an elliptic curve has been announced (for example, Reference [ED Win, A. Bosselaers, S. Vandenberghe,
PD Gersem, and J. Vandewalle: "A Fast Software
Implementation for Arithmetic Operations in GF (2
ⁿ ), "Advances in Cryptology-ASIACRYPT'96, pp.65-7
6, Lecture Notes in Computer Science 1163, Springer
-Verlag, 1996). Hereinafter, the method of this document is referred to as Win's method.

[0006]

An outline of a method of mounting a finite field by the Win method is as follows. When the basic operation bit number of the processor is w (for example, 8 or 16), the basic field is GF.
Using (2 ^w ), all the operations on the basic field are calculated in advance, and using the odd-order third-order irreducible expression x ^d + x ^t +1 (d> t) on GF (2),

[0007]

(Equation 4)

(For the meaning of mathematical formulas, for example, see the document “Shikichi Yanai, Satoshi Arima, and Yo Asaeda:“ Introduction to Detailed Algebra ”,“ Tokyo Tosho, 1990 ”.) Expressing the operation of GF (2 ^wd ) Using this, E (GF (2 ^wd )) is implemented. In Win's method, an extended Euclid algorithm on GF (2 ^w ), which is a general inverse algorithm, is used for the inverse operation of a finite field. Requires multiplication and division.

The present invention has been made in view of the above points, and by reducing the number of times of multiplication and division, a group operation device on an elliptic curve which can achieve higher speed as compared with the Win method.

It is an object to provide an arrangement.

The first invention is a finite field G
When an element that is not an infinity point の of a group on an elliptic curve E (GF (2 ²ⁿ )) on F (2 ²ⁿ ) is represented by affine coordinates (x, y), the inverse element (i, j) of the group becomes , X, y Grouping device on elliptic curve having inverse calculation means for calculating the inverse of the element of the group on the elliptic curve using rational expression means for calculating a rational expression using rational expression means It is.

The second invention is based on the fact that the infinite point 楕 円 of the group on the elliptic curve E (GF (2 ²ⁿ )) on the finite field GF (2 ²ⁿ ) is not
Coordinates are defined as affine coordinates (x ₁ , y ₁ ), (x ₂ , y ₂ )
When expressed in, x _3, y ₃ of the sum _{(x 3, y 3) =} (x 1, y 1) + (x 2, y 2) _{is, (x 1, y 1)} ≠ (x 2, y ₂ ) and (x ₁ , y ₁ ) ≠
− (X ₂ , y ₂ ), the rational expression of x ₁ , y ₁ , x ₂ , y ₂ can be used to express the rational expression on the elliptic curve using the rational expression calculating means for calculating the rational expression. This is a group operation device on an elliptic curve having addition calculation means for obtaining the sum of the group elements.

According to a third aspect of the present invention, an element which is not an infinity point の of a group on an elliptic curve E (GF (2 ²ⁿ )) on a finite field GF (2 ²ⁿ ) is represented by affine coordinates (x, y). , Twice (x ₃ ,
y ₃ ) = 2 (x, y), x ₃ and y ₃ are (x, y) ≠ −
When (x, y), the rational expression of x, y can be used to calculate the rational expression.
This is a group operation device on an elliptic curve having a doubling calculation means for obtaining twice the element of the group on the elliptic curve.

According to a fourth aspect of the present invention, an element which is not an infinity point の of a group on an elliptic curve E (GF (2 ²ⁿ )) on a finite field GF (2 ²ⁿ ) is represented by affine coordinates (x, y). , a natural number n times _{(x 3, y 3) =} n (x, y) x 3, y 3 of the inverse calculation unit, adding calculation means, utilizing the fact can be calculated by combining the double calculating means Further, the present invention is a group operation device on an elliptic curve having natural number multiplication calculating means for calculating a natural number multiple of the group on the elliptic curve by using a rational expression calculating means for calculating a rational expression.

According to a fifth aspect of the present invention, in the first to fourth aspects, the rational expression calculating means includes a polynomial p, q∈GF (2 ²ⁿ )
GF appearing during the calculation of [X ₁ , X ₂ ,..., X _r ]
Multiplication on (2 ²ⁿ )

[0015]

(Equation 5)

## EQU1 ## The inverse element q ^-1 of GF on GF (2 ²ⁿ ) is calculated by the following equation.

[0017]

(Equation 6)

By calculating p × q ⁻¹ by repeating the above multiplication equation in the same manner as when calculating p and q, the rational expression

[0019]

(Equation 7)

Means for calculating The present invention is based on Aoki's method (K, Aoki and K. Ohta: "Operations in
F ₂ ⁿ by Software Implementation, "Proceedings of 19
97 Symposium on Cryptography and Information Secur
ity, SCIS'97-14A "), when n is more than 2 (for example, 16 times or more), the inverse method on the finite field GF (2 ⁿ ) is more efficiently obtained by the Win method. The operation of the group on the elliptic curve is realized by utilizing what can be done.

Aoki's method is that the finite field GF (2 ²ⁿ )

[0022]

(Equation 8)

Where α is x^Two+ X + a = 0
GF (2²ⁿ) To GF (2 ⁿ)
The basis when considered as the vector space is [α α + 1].
Is calculated as follows. Multiplication: (x₁α + y₁(Α + 1)) × (x_Twoα + y_Two(Α + 1)) = (x₁x_Two+ A (x₁+ Y₁) (X_Two+ Y_s)) Α + (y₁y_Two+ A (x₁+ Y₁) (X_Two+ Y_Two)) (Α + 1) (1) Square: (xα + y (α + 1))^Two= (X^Two+ A (x^Two+ Y^Two)) Α + (y^Two+ A (x^Two+ Y^Two)) (Α + 1) (2) Inverse: (xα + y (α + 1))^-1= (A (x + y)^Two+ Xy)^-1(Yα + x (α + 1)) (3)

[0024]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS When an appropriate field K is determined, a group E (K) on an elliptic curve is expressed as follows: E (K) = {(x, y)} K ² | f (x, y) = 0}
You can write ｛Ο｝ Here, f (x, y) ∈K [x, y] (however, f (x, y) cannot be arbitrarily selected and has some restrictions). P _i ∈E (K) (i = 1, 2, 2,
3), the operation of the group on the elliptic curve is P _i ≠ Ο
Assuming that P ₃ = P ₁ + P ₂ holds in the case of (i = 1, 2, 3), an appropriate polynomial p (x ₁ , x ₂ , y
₁ , y ₂ ), q (x ₁ , x ₂ , y ₁ , y ₂ ), r
(X ₁ , x ₂ , y ₁ , y ₂ ), s (x ₁ , x ₂ , y ₁ ,
y ₂ ) ∈K [x ₁ , x ₂ , y ₁ , y ₂ ]

[0025]

(Equation 9)

## EQU2 ## Here, when the elliptic curve E (K) is fixed, p, q, r, and s are constant, but P ₁
= P ₂ and P ₁ ≠ P ₂ , the polynomials p,
Note that q, r, and s are different. From the above, it is understood that the operation of the group on the elliptic curve can be constituted by the four arithmetic operations of the field K.

In the following, consider the case where K = GF (2 ⁿ ) and n is much divided by 2 (for example, n = 2 ¹²⁸ ). A first aspect of the present invention is an apparatus for calculating the inverse of an element of a group on an elliptic curve using the principle of the first aspect. A second invention is an apparatus for calculating the sum of the elements of a group of elliptic curves using the principle of the first invention.

A third aspect of the present invention is an apparatus for calculating the doubling of an element on an elliptic curve using the principle of the first aspect. 4th
The present invention is an apparatus for obtaining a natural number multiple of a group on an elliptic curve using the principles of the first, second, and third inventions. The fifth invention is

[0029]

(Equation 10)

This is a device for calculating the rational expressions p and q by the calculation based on the expression (1) and calculating q ^{-1 by} the calculation based on the expression (3).

[0031]

Embodiments of the present invention will be described below with reference to the drawings. The elliptic curve on GF (2 ^wd ) is the parameter a ₂ , a ₆ ∈GF
When (2 ^wd ) (a ₆ ≠ 0) is used to write in affine coordinates, consider the case where it is defined as follows. ^{E (GF (2 wd))} = {(x, y) ∈GF (2 wd) 2 | y 2 + xy = x 3 + a 2 x 2 + a 6} ∪ {O} the addition on the elliptic curve in this case, P _i = (x _i , y _i ) ∈E (GF (2 ^wd )) (i =
1,2), when −P ₁ ≠ P ₂ , (x ₃ ,
y ₃ ) = P ₁ + P ₂

[0032]

[Equation 11]

[0033] Further, the inverse element of the elliptic _{curve, - (x 1, y 1} ) = (x 1, x 1 + y 1) can be expressed by (6) (calculation of the group on an elliptic curve over characteristic 2 of the body For details, for example, the document "AJMenezes:
"ELLIPTIC CURVE PUBLIC KEY CRYPTOSYSTEMS," KLUWER
ACADEMIC PUBLISHERS, pp.21-23, 1993 ”).

An element on the finite field GF (2 ^wd ) is represented by a bit string of wd digits, and a point on the elliptic curve can be represented by two elements on the finite field. It can be represented by a bit string of 2wd digits. Hereinafter, it is assumed that the points P _i on the elliptic curve are represented as described above. Where O
For ∈E (GF (2 ^wd ))

[0035]

(Equation 12)

Therefore, it is formally represented by O = (0, 0). First Embodiment [Inverse of Group Element on Elliptic Curve] In the first embodiment, the inverse of a group element on an elliptic curve is determined. FIG. 2 shows the first embodiment of the present invention.
11 shows a configuration of an inverse element calculation device of a group on an elliptic curve according to the embodiment of FIG. This will be described below with reference to FIG.

This device is based on the fact that the inverse of the group element on the elliptic curve can be calculated by equation (6). Step 101) Using the inquiry device 1a, the input (x, y) is passed to the original addition device 1b of the finite field. Step 102) The finite field element adder 1b calculates the sum x + y of inputs x and y on GF (2 ^wd ) and returns it.

Step 103) Inquiry device 1a
Outputs the inverse (x, x + y) of the element of the group on the elliptic curve, using x + y obtained using the element addition device 1b having a finite field. The finite field element adder 1b used in the group inverse element calculator 1 on the elliptic curve has a GF (2 ^wd )
Utilizing that the above addition can be calculated using exclusive OR for each bit, it is configured as shown in FIG.

FIG. 3 shows the configuration of the finite field element addition calculation apparatus according to the first embodiment of the present invention. Hereinafter, the operation of FIG. 3 will be described. Step 201) The inquiry device 2a receives the input x, y
To the wd-bit exclusive-OR calculator 2b. Step 202) wd-bit exclusive OR calculator 2
b computes the exclusive OR x + y of inputs x and y and returns it.

Step 203) Inquiring device 2a
Outputs the exclusive OR x + y obtained by using the wd-bit exclusive OR calculator 2b. Second Embodiment [Addition of Group Elements on Elliptic Curve] In the second embodiment, addition of group elements on an elliptic curve is performed.

FIG. 4 shows the configuration of an apparatus for calculating the original addition of a group on an elliptic curve according to a second embodiment of the present invention. This will be described below with reference to FIG. Step 301) querying device 3a uses the original comparator 3c group on an elliptic curve, and if true Q = P ₂ examines P ₁ = O, the process proceeds to step 308. Step 302) querying device 3a uses the original comparator 3c group on an elliptic curve, examined P ₂ = O, and if true Q = P _1, the process proceeds to step 308.

Step 303) Inquiring device 3a
Is input to the original inverse calculation unit 3b of the group on the elliptic curve P ₁
give. Step 304) the original inverse calculation unit 3b of the group on an elliptic curve, calculates the inverse -P ₁ input P _1, return it. Step 305) querying device 3a passes the output -P ₁ and of itself input P ₂ of the original inverse calculation unit 3b of the group on the elliptic curve based on the comparison device 3C of the group on the elliptic curve.

Step 306) The original comparing device 3c of the group on the elliptic curve compares the inputs -P ₁ , P ₂ and returns T (true) if they match, otherwise returns F (false). Step 307) The query device 3a sets Q = O when the output of the original comparison device 3c of the group on the elliptic curve is true,
Otherwise, P ₁ and P ₂ are passed to the original special addition calculator 3d of the group on the elliptic curve, and the result Q = P ₁ + P ₂ is obtained.

Step 308) Inquiry device 3a
Outputs Q (= P ₁ + P ₂ ). The comparison device 3c of the group on the elliptic curve used in the device for calculating the addition of the group on the elliptic curve is configured as shown in FIG. FIG.
FIG. 9 is a configuration diagram of an original comparison device of a group on an elliptic curve according to a second embodiment of the present invention.

The operation of FIG. 5 will be described below. Step 401) querying device 4a, respectively inputs _{P 1 = (x 1, y} 1), P 2 = (x 2, y 2) bit sequence _{x 1, y 1, x 2} , y 2 bit sequence x ₁ that combines the ‖
y ₁ , x ₂ ‖y ₂ are passed to the 2wd bit string comparator 4b. Step 402) The 2wd bit string comparison device 4b compares the inputs x ₁ ‖y ₁ and x ₂ ‖y ₂ and if they match, T
(True), otherwise return F (false).

Step 403) Inquiring device 4a
Outputs a boolean value obtained from the 2wd bit string comparison device 4b. Elementary special addition calculator 3 for groups on elliptic curves used in elementary addition calculator for groups on elliptic curves
d is configured as shown in FIG. FIG. 6 shows a configuration of a special addition calculation device of a group on an elliptic curve according to a second embodiment of the present invention. In FIG. 6, devices 5a, 5c, 5 abbreviated as add
f, 5g, 5h, 5i, 5k, 5l are finite field element addition calculation devices, and device 5b, abbreviated as inv, is finite field element inverse element calculation device, abbreviated as mul. Device 5
d and 5j are finite field element multiplication calculators, and apparatus 5e abbreviated as sqr is finite field element square calculator. Hereinafter, the operation of FIG. 6 will be described.

Step 501) The add device 5a is
Force x₁, X_TwoSum of t₁(= X₁+ X _Two), And in
Output to the v device 5b. Step 502) The inv device 5b receives the input t₁Inverse of
t_Two(= (X₁+ X_Two)^-1) Is calculated and the mul device 5d
Output to Step 503) The add device 5c receives the input y₁, Y_Two
Sum of t_Three(= Y₁+ Y _Two) To the mul device 5d
Output.

Step 504) The mul device 5d outputs the product of the inputs t ₂ and t ₃

[0049]

(Equation 13)

The sqr device 5e and the add device 5
f, output to the mul device 5j. Step 505) The sqr device 5e calculates the square t of the input λ.
₄ (= λ ² ) is calculated and output to the add device 5f. Step 506) add device 5f is input lambda, the sum t ₅ of ^{_{t 4 (= λ 2 + λ}} ) is calculated, and output to the add unit 5g.

Step 507) The add device 5g calculates the sum t ₆ (= λ ² + λ + x ₁ + x ₂ ) of the inputs t ₁ and t ₅ and outputs it to the add device 5h. Step 508) The add device 5h calculates the sum x ₃ (= λ ² + λ + x ₁ + x ₂ + a ₂ ) of the input t ₆ and the constant a ₂ and outputs the sum to the add devices 5i and 5k.
The output of the device 5 is also used.

Step 509) The add device 5i is turned on.
Force x₁, X_ThreeSum of t₇(= X₁+ X _Three), And mu
1 output to the device 5j. Step 510) The mul device 5j receives the input λ, t₇of
Product t₈(= Λ (x₁+ X_Three)) And calculate the add device 5
Output to k. Step 511) The add device 5k receives the input t₈, X_Three
Sum of t₉(= Λ (x₁+ X_Three) + X_Three) Is calculated and ad
Output to the d device 51.

[0053] Step 512) the add device 5l, the sum y ₃ inputs _{y 1, t 9 (= λ} (x 1 + x 3) + x 3 + y
₁ ) is calculated and used as the output of the device 5. The finite field element multiplication calculation apparatus described by mul used in the group element special addition calculation apparatus on the elliptic curve is configured as shown in FIG. FIG. 7 shows the configuration of a multiplication device of the finite field element according to the second embodiment of the present invention, and realizes the expression (1). The device 6 shown in FIG. 6 ^converts the multiplication of GF (2 ²ⁿ ) into the addition calculation devices 6a, 6b, 6g, 6 of GF (2 ⁿ ).
h, is realized using the multiplication calculation devices 6c, 6d, 6e, 6f. GF (2 ⁿ ) addition calculators 6a, 6b, 6
g, 6h and the multiplication calculation devices 6c, 6d, 6e, 6f are realized by devices similar to the GF (2 ²ⁿ ) device in which the number of bits is halved.

GF (2) when n ≦ w²ⁿ) Multiplier
The arithmetic unit is realized by the original multiplication arithmetic unit of the finite field shown in FIG.
I do. FIG. 7 shows a finite field power of the second embodiment of the present invention.
1 shows a configuration of a calculation device. The multiplication calculator shown in FIG.
The operation of the device will be described. Step 601) The add device 6a receives the input x₁, Y₁
Sum of t₁(= X₁+ Y ₁) To the mul device 6c
Output.

Step 602) The add device 6b is turned on.
Force x_Two, Y_TwoSum of t_Two(= X_Two+ Y _Two), And mu
1 output to the device 6c. Step 603) The mul device 6c receives the input t₁, T_Two
Product of_Three(= (X₁+ Y₁) × (x_Two+ Y_Two))
Then, the data is output to the mul device 6d. Step 604) The mul device 6d receives the input t_ThreeAnd fixed
Product t with number a_Four(= A × (x₁+ Y₁) (X_Two+
y_Two)) Is calculated and output to the add devices 6g and 6h.

Step 605) The mul device 6e
Force x₁, X_TwoProduct of_Five(= X₁× x _Two) Is calculated and ad
d Output to the device 6g. Step 606) The mul device 6f receives the input y₁, Y_Two
Product of₆(= Y₁× y _Two) To the add device 6h
Output. Step 607) The add device 6g receives the input t_Four, T_Five
Sum x_Three(= X₁x_Two+ A (x₁+ Y₁) (X_Two+
y_Two)) Is calculated and used as the output of the device 6.

Step 608) The add device 6h outputs the sum y ₃ (= y ₁ y ₂ + a (x ₁ + y ₁ )) of the inputs t ₄ and t _6.
(X ₂ + y ₂ )) is calculated and used as the output of the device 6. In the finite field element multiplication calculation device 6, when the finite field element multiplication calculation devices 6c, 6d, 6e, and 6f perform multiplication of w bits or less, the finite field element multiplication calculation device 7 shown in FIG. It is realized using. Hereinafter, the operation of the multiplication calculation device of FIG. 8 will be described.

Step 701) Inquiry device 7a
Obtains the corresponding m ₃ from the multiplication table 7b using the inputs m ₁ and m ₂ as indices. Step 702) The inquiry device 7a determines m ₁ , m ₂
The product m ₃ is output. The finite field element square calculator denoted by sqr used in the element special addition calculation unit of the group on the elliptic curve is a finite field element multiplier (FIG. 7).
However, the use of a special device for squaring can be implemented at a higher speed.

FIG. 9 shows the configuration of a device for calculating the original square of a finite field according to the second embodiment of the present invention, which is a special device. The configuration shown in FIG. It has been realized. The device 8 in the figure ^calculates the square of GF (2 ²ⁿ ) as GF
(2 ⁿ ) square calculators 8a and 8b, adder calculator 8
c, 8e, 8f and the multiplication calculation device 8d. The GF (2 ⁿ ) square calculation device, the addition calculation device, and the multiplication calculation device are realized by the same device as the GF (2 ²ⁿ ) device in which the number of bits is reduced to half. GF when n ≦ w
The (2 ²ⁿ ) multiplication calculation device is realized by the original multiplication calculation device of a finite field shown in FIG. Similarly, G when n ≦ w
The F (2 ²ⁿ ) square calculator is realized by giving the same two inputs to the original multiplication calculator of the finite field shown in FIG.

The operation of the square calculator shown in FIG. 9 will be described below. Step 801) The sqr device 8a calculates the square t of the input x.
₁ (= x ² ) is calculated and output to the add devices 8c and 8e. Step 802) The sqr device 8b calculates the square t of the input y.
₂ (= y ² ) is calculated and output to the add devices 8c and 8f.

Step 803) The add device 8c is turned on.
Force t₁, T_TwoSum of t_Three(= X^Two+ Y ^Two), And mu
1 output to the device 8d. Step 804) The mul device 8d receives the input t_ThreeAnd constants
product t with a_Four(= A × (x^Two+ Y^Two)) And calculate ad
d Output to devices 8e and 8f. Step 805) The add device 8e receives the input t₁, T_Four
Sum x_Three(= X^Two+ A (x^Two+ Y^Two)) Calculate and equipment
8 output.

Step 806) The add device 8f calculates the sum y ₃ (= y ₂ + a (x ² + y ² )) of the inputs t ₂ and t ₄ and sets the sum as the output of the device 8. An inverse element calculation device for a finite field element denoted by inv used in the special addition calculation device for the group on the elliptic curve is configured as shown in FIG. FIG. 10 shows the configuration of a finite field element inverse element calculation apparatus according to the second embodiment of the present invention, and realizes Expression (3). 9 shown in the figure, GF multiplication calculation device 9a in the inverse element of ^{(2 2n) GF (2 n} ), 9d, 9g, 9
h, the addition calculation devices 9b and 9e, the square calculation device 9c, and the inverse calculation device 9f. GF multiplication computing device or (2 ^n), and addition computation unit and square computing device, inverse calculation device is realized with the same equipment and apparatus GF (2 ²ⁿ⁾ which halves the number of bits. GF (2 ²ⁿ ) when n ≦ w
The multiplication calculation device and the square calculation device are the same as the realization method described with reference to FIG. Hereinafter, the operation of FIG. 10 will be described.

Step 901) The product t ₁ (= x × y) of the inputs x and y is calculated using the mul device 9a and output to the add device 9e. Step 902) Input x, y using the add device 9b
, And outputs the sum t ₂ (= x + y) to the sqr device 9c. Step 903) Input t ₂ using the sqr device 9c.
Is calculated as t ₃ (= (x + y) ² , and the mul apparatus 9d
Output to

Step 904) The product t ₄ (= a × (x + y) ² ) of the input t ₃ and the constant a is calculated using the mul device 9d, and output to the add device 9e. Step 905) Using the add device 9e, input t ₁ ,
Calculate the sum t _{5 of} t ₄ (= xy + a (x + y) ² )
Output to the nv device 9f. Step 906) Calculate the inverse t ₆ (= (xy + a (x + y) ² ) ⁻¹ ) of the input t ₅ using the inv device 9f,
Output to the mul devices 9g and 9h.

Step 907) The product y ₃ of the input x and t ₆ using the mul device 9g (= xx × (xy + a (x + y))
² ) ^-1 ) is calculated and used as the output of the device 9. Step 908) Input y, t using the mul device 9h
₆ product _{x 3 (= y × (xy} + a (x + y) 2) ^-1 is calculated, and the output of the device 9 Third Embodiment. [Group of the original doubling on the elliptic curve] 11 11 shows a configuration of a device for doubling a group on an elliptic curve according to a third embodiment of the present invention, which will be described according to the device for doubling a group on an elliptic curve in FIG.

This device is based on the fact that it can be calculated by equation (5). Step 1001) The inquiry device 10a receives the input P
= (X, y), if x = 0, then Q = O, otherwise, the special doubling calculator 10b of the group on the elliptic curve
To obtain the result Q = 2P. Step 1002) The inquiry device 10a determines that Q (=
2P) is output.

Special doubling calculation device 1 for group element on elliptic curve used in device for doubling group on elliptic curve
0b is configured as shown in FIG. FIG. 12 shows a configuration of a special doubling calculation device for an original group on an elliptic curve according to the third embodiment of the present invention. Device 11 abbreviated as add in FIG.
d, 11f, 11g, 11h, and 11j are finite field element addition calculation devices, device 11b abbreviated as inv is finite field element inverse device, and device 11c abbreviated as mul. 11i is an original multiplication calculator of a finite field,
Devices 11a and 11e, abbreviated as sqr, are finite field element square calculators. Hereinafter, the operation of FIG. 12 will be described.

Step 1101) sqr device 11a
Calculates the square t ₁ (= x ² ) of the input x and outputs it to the add device 11j. Step 1102) The inv device 11b calculates an inverse element t ₂ (= x ⁻¹ ) of the input x and outputs the result to the mul device 11c. Step 1103) The mul device 11c receives the input y, t
The _second product ^{_{t 3 (= x -1 × y}} ) calculated, the add device 11d
Output to

Step 1104) add device 11d
Calculates the sum λ (= x + y / x) of inputs x and t ₃ ,
Output to the qr device 11e and the add device 11f. Step 1106) The add device 11f receives the input λ, t
Calculate the sum t ₅ (= λ ² + λ) of ₄ and add device 11g
Output to Step 1107) The add device 11g calculates the sum x ₃ (= λ ² + λ + a ₂ ) of the input t ₅ and the constant a ₂ and sets it as the output of the device 11.

Step 1108) add device 11h
Calculates the sum t ₆ (= λ + 1) of the input λ and the constant 1,
output to the mul device 11i. Step 1109) The mul device 11i outputs the input x ₃ ,
The product t ₇ (= (λ + 1) x ₃ ) of t ₆ is calculated and output to the add device 11j. Step 1110) The add device 11j receives the input t ₁ ,
the sum y ₃ of _{t 7 (= (λ + 1} ) x 3 + x 2 1) is calculated, and the output of the device 11.

Fourth embodiment: [Multiplication of element on natural number of elliptic curve] Natural number multiplication of element on elliptic curve can be realized by various methods. Method (for example, the document "DEKnuth (translated by Keisuke Nakagawa):" The quasi-numerical algorithm / arithmetic operation (THE ART OF COMPUTER)
The implementation using PROGRAMMING, 4th volume), “pp. 289-290, Algorithm A, Science Inc., 1986”) will be described with reference to FIG.

FIG. 13 shows a configuration of a natural number multiplication calculation device for a group on an elliptic curve according to a fourth embodiment of the present invention. Step 1201) The control device 12a sets the internal variables Q,
Initialize R as Q = OR = P.

Step 1202) The controller 12a
The value of n is checked, and if it is equal to 0, the output of the device 12 is set to Q and the operation is stopped. Step 1203) The controller 12a checks the value of n. If the value is odd, the controller 12a sets n ← n−1, and sets the values of Q and R to the values of the original comparison device 12 of the group on the elliptic curve.
b, and when they match, the original doubling calculation device 12d of the group on the elliptic curve is used.
Using the original adder 12c of the group on the elliptic curve, Q ← Q + R is calculated.

Step 1204) The controller 12a calculates n ← n / 2. Step 1205) The controller 12a uses the original doubling calculator 12d of the group on the elliptic curve, and R ← 2R Step 1206) The controller 12a changes the state to Step 1202.

Each of the above-described devices can be applied to encrypted communication, electronic money, and the like. Below, we used the elliptic curve
We explain the Diffie-Hellman key agreement method. In this example, the system parameter is set to an elliptic curve E (GF (2 ⁿ ))
And an element P∈E (GF (2 ⁿ )) having a large order. At this time, at the time of key generation, the user _U randomly generates a positive integer x _U and calculates Y _U = x _u P. In the above, x _U represents a secret key, Y _u is a public key.

Next, consider a situation in which users A and B share a key. Step 1301) A obtains B's public key Y _B by some method. Step 1302) A calculates K _{A, B} = x _A Y _B.

[0077] Step 1303) B similarly computes the _{K B, A = x B Y} A. As a result, the key K _{A, B} = K between A and B
_{B, A (= x A x} B P) are shared.

By applying to this, it is possible to increase the processing speed. Next, using the elliptic curve
The ElGamal encryption will be described. An elliptic curve E (GF (2 ⁿ )) is used as a system parameter.
Let と す る E (GF (2 ⁿ )). At the time of key generation, user U
Generates a positive integer x _U at random and calculates Y _U = x _UP . In the above, x _U is the secret key and Y _U
Is the public key.

Here, consider a situation in which plaintext M is encrypted and transmitted to user A. Step 1401) to obtain the public key Y _A in what the like of ways. Step 1402) Generate a positive integer random number r. Step 1403) The cipher text (C ₁ , C ₂ ) is calculated by the following equation. _{C 1 = rP C 2 = M} + rY A step 1404), where the recipient A is ciphertext (C
₁ , C ₂ ) is decrypted by the following equation to obtain a plaintext.

M = C ₂ −x _A C ₁ Next, an ElGamal signature using an elliptic curve will be described. Elliptic curve E (GF (2 ⁿ ))
When, and order of the large original ^{P∈E (GF (2 n))} , and of order ^# E elliptic curve (GF (2 ^n)), describing the one-way hash function as h.

At the time of key generation, the user U sets a positive integer to x _u
They were randomly generated, to calculate the Y _U = x _U P. Here, x _U is a secret key, and Y _U is a public key. Next, consider a situation in which the user A signs the data m. Step ^{1501) # E (GF (2} n)) randomly selects a positive integer k relatively prime with.

Step 1502) The signature (R, s) is calculated by the following equation. R = kP s = (m- x A h (r)) k -1 mod # E (GF
(2 ⁿ )) Next, the validity of the signature is verified by the following expression. _{mP = h (R) Y A} + R The present invention is not limited to the embodiments described above,
Various modifications and applications are possible within the scope of the claims.

[0083]

According to the present invention, a device for adding a group element on an elliptic curve according to the present invention, a device for doubling a group element on an elliptic curve, and a natural number for a group element on an elliptic curve Hy fold calculator
implemented as software on per SPARC / 125MHz CPU,
The following table shows a comparison with the Win method (Pentium / 133 MHz).

[0084]

[Table 1]

Although the measurement environment differs from the contents shown in the present invention in the Win method, since the word length of the CPU is the same and the clock frequency is almost the same, it is considered that the conditions for the mounting hardware are almost the same. Also, from the above Table 1, in the present invention, the size of the finite field used for the measurement is Win
Although the method according to the present invention is much faster than the size of the finite field used in the implementation of the method, the method according to the present invention is faster, and thus it can be determined that the method according to the present invention is superior.

[Brief description of the drawings]

FIG. 1 is a principle configuration diagram of the present invention.

FIG. 2 is a configuration diagram of a device for calculating an inverse element of a group on an elliptic curve according to the first embodiment of this invention;

FIG. 3 is a configuration diagram of a finite field element addition calculation apparatus according to the first embodiment of this invention;

FIG. 4 is a configuration diagram of an apparatus for calculating an original addition of a group on an elliptic curve according to a second embodiment of the present invention.

FIG. 5 is a configuration diagram of an original comparison device of a group on an elliptic curve according to a second embodiment of the present invention.

FIG. 6 is a configuration diagram of a device for special addition of a group on an elliptic curve according to a second embodiment of the present invention;

FIG. 7 is a configuration diagram of a finite field element multiplication calculation apparatus according to a second embodiment of this invention.

FIG. 8 is a configuration diagram of a finite field element multiplication calculation apparatus according to a second embodiment of this invention.

FIG. 9 is a configuration diagram of a device for calculating an original square of a finite field according to a second embodiment of the present invention;

FIG. 10 is a configuration diagram of a finite field element inverse element calculation apparatus according to a second embodiment of this invention.

FIG. 11 is a configuration diagram of a doubling calculation device for an element of a group on an elliptic curve according to a third embodiment of the present invention.

FIG. 12 is a configuration diagram of a special doubling calculation device of a group on an elliptic curve according to a third embodiment of the present invention.

FIG. 13 is a configuration diagram of a natural number multiplication calculation device of a group on an elliptic curve according to a third embodiment of the present invention.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 Inverse element calculation device 1b Finite formula calculation means, addition calculation device of finite field element 1a Inquiry device 2 Addition calculation device 2a Query device 2b wd bit exclusive-OR calculation device 3 Addition calculation device 3a Query device 3b On elliptic curve Group element inverse element calculation device 3c Group element comparison device on elliptic curve 3d Group element special addition calculation device on elliptic curve 4 Comparison device 4a Query device 4b 2wd bit string comparison device 5 Special addition calculation device 5a, 5c, 5f, 5g, 5h, 5i, 5k, 5l Finite element addition calculator 5b Inverse element calculator 5d, 5j Finite element multiplication calculator 5e Finite element square calculator 6a, 6b , 6g, 6h Addition calculation device 6c, 6d, 6e, 6f Multiplication calculation device 7 Original multiplication calculation device of finite field 7a Query device 7b Multiplication table 8 Yes Elemental square calculator 8a, 8b Square calculator 8c, 8e, 8f Addition calculator 8d Multiplication calculator 9 Inverse element calculator for finite field 9a, 9d, 9g, 9h Multiplication calculator 9b, 9c Addition Calculation device 9b, 9e Square calculation device 9c Square calculation device 9f Inverse element calculation device 10 Double calculation device 10a Inquiry device 10b Special double calculation device of group element on elliptic curve 11 Special double calculation device 11d, 11f, 11g, 11h, 11j Addition device for finite field element 11b Inversion element device for finite field element 11c, 11i Multiplication calculation device for finite field element 11a, 11e Element square calculation device for finite field 12 Natural Number Multiplication Unit 12a Controller 12b Group Element Comparison Unit on Elliptic Curve 12c Group Element Addition Unit on Elliptic Curve 12d Double Element Group Calculation Unit on Elliptic Curve

Claims (5)

[Claims] 1. An elliptic curve E (G) on a finite field GF (2 ²ⁿ )
F (2 ²ⁿ )), when an element that is not an infinity point Ο of a group is represented by affine coordinates (x, y), the inverse element (i, j) of the group is
using a rational expression for calculating a rational expression using a rational expression of x and y, comprising an inverse element calculating means for calculating an inverse element of an element of the group on the elliptic curve using a rational expression means Group operation device. 2. An elliptic curve E (G) on a finite field GF (2 ²ⁿ )
When two ^elements of the group on F (2 ²ⁿ )) that are not infinity point Ο are represented by affine coordinates (x ₁ , y ₁ ) and (x ₂ , y ₂ ), the sum (x ₃ , y ₃ ) = X ₃ and y ₃ of (x ₁ , y ₁ ) + (x ₂ , y ₂ ) are (x ₁ , y ₁ ) {(x ₂ , y ₂ ) and (x ₁ , y ₁ )}.
− (X ₂ , y ₂ ), the rational expression of x ₁ , y ₁ , x ₂ , y ₂ can be used to express the rational expression on the elliptic curve using the rational expression calculating means for calculating the rational expression. A group operation device on an elliptic curve, comprising an addition calculating means for obtaining a sum of group elements. 3. A finite field GF (2²ⁿ) On the elliptic curve E (G
F (2²ⁿ)) The affine constellation of the above group that is not at infinity point Ο
When represented by the standard (x, y), double (x_Three, Y _Three) = 2
X of (x, y)_Three, Y_ThreeIs (x, y) ≠ − (x, y)
And using the rational expression of x and y,
Using rational formula calculation means to calculate rational formulas,
It has a doubling calculation means for finding twice the original of the group of
A group operation device on the elliptic curve to be featured. 4. A finite field GF (2²ⁿ) On the elliptic curve E (G
F (2²ⁿ)) The affine constellation of the above group that is not at infinity point Ο
When represented by a standard (x, y), it is a natural number n times (x _Three, Y_Three)
= X of n (x, y)_Three, Y_ThreeMeans inverse element calculation means, adder
Calculation is possible by combining calculation means and double calculation means.
A rational expression that calculates the rational expression by using the ability
Using calculation means, find the natural number multiple of the group on the elliptic curve
4. The method according to claim 1, further comprising a natural number multiplying means.
Group operation device on elliptic curve. 5. The rational expression calculating means includes: a polynomial p, q∈GF (2 ²ⁿ ) [X ₁ , X ₂ ,..., X _r ]
The multiplication on GF (2 ²ⁿ ) that appears during the calculation of And the inverse element q ⁻¹ of q on GF (2 ²ⁿ ) is calculated by the following equation. As in the case of calculating p and q, by repeatedly applying the above-described multiplication formula, by calculating p × q ⁻¹ , the rational expression 5. The group operation device on an elliptic curve according to claim 1, further comprising: