KR19990053158A - How to calculate constant multiples on elliptic curves using Provenius map - Google Patents

Abstract

The present invention relates to a method of calculating a constant multiple on an elliptic curve using a Provenius map.

In the case of constant elliptic curves, the binary method is used. In this case, a maximum of 2n operations are required, and the addition-subtraction method, which has improved the method, requires a maximum of 3n / 2 operations. In addition, even when using memory, the number of elliptic curve addition operations required cannot be reduced to less than n. When using the method of connecting elliptic curve operations with operations on the substrate, the speed is faster than n elliptic curve addition operations even if the memory usage is allowed. There is a problem that does not have. On the other hand, there is a method of performing constant multiple operations on n or n / 2 operations by applying the constant multiple operation method on an elliptic curve using the Provenance map, but this is a special method defined in a finite position having 2 elements. There is a problem that can be applied only to two elliptic curves.

In order to solve this problem, in the present invention, the constant multiplex operation of the point on the elliptic curve is replaced with the operation of the corresponding Provenence map, and the constant multiplex operation process on the elliptic curve is reduced by the reduction procedure and the provenant map. A method of calculating a constant on an elliptic curve using a Provenius map which can improve the calculation speed by performing the procedure and the step-by-step procedure of a constant on the elliptic curve is presented.

Description

How to calculate constant multiples on elliptic curves using Provenius map

The present invention relates to a method of calculating a constant multiple on an elliptic curve using a Provenian map. In particular, a program capable of improving the calculation speed by changing a constant multiple operation of a point on an elliptic curve to a corresponding Provenian map operation. A method of calculating a constant multiple on an elliptic curve using a veneer map.

Generally, Meier-Staffelbach requires a maximum of n elliptic curve addition operations when using a special elliptic curve, given that the number of binary sequence bits of a given constant is n for a non-supersinfular elliptic curve. And Solinas' method that refines this method and requires up to n / 2 elliptic curve additions. However, these methods use the Provenian map but apply only to the two special elliptic curves defined on the finite field GF (2) with the number of elements 2. Anomalous elliptic curves and twisted elliptic curves. . That is, an elliptic curve capable of performing constant multiple operations with only an elliptic curve addition operation of 1/2 of the binary sequence bits of a given constant is an anomalous elliptic curve defined above GF (2) and a twisted elliptic curve. It is limited to the case.

On the other hand, the binary method is used for constant multiple operations on general elliptic curves that are not Anomalous elliptic curves and supersingular elliptic curves. When using binary methods, a maximum of 2n operations are required. In addition, the addition-subtraction method, which improves the binary method, requires a maximum of 3n / 2 operations. If the memory is used, the number of elliptic curve addition operations required can be reduced. However, if the memory of a realistic capacity is used, the number of elliptic curve addition operations required even though the memory is used cannot be reduced to n or less. Another method of constant multiplication on elliptic curves is to combine the elliptic curve addition operation with the operation on the substrate to improve the operation speed. In this case, even if the memory is allowed, There is a problem that can not get fast speed. That is, the constant multiplication operation used for a general elliptic curve requires an elliptic curve operation equal to or greater than the number of binary sequence bits of a given constant, which causes a problem in that the calculation speed is lowered.

Accordingly, the present invention replaces the constant multiplication operation of the point on the elliptic curve with the operation of the corresponding Provenius map, and the process of the constant multiplication operation on the elliptic curve, the reduction procedure, the unfolding procedure by the Provenian map, and the elliptic curve. The purpose of this paper is to provide a constant multiplication method on an elliptic curve using the Provenian map which can improve the computation speed by dividing into three steps of the constant multiplication procedure of the point of.

In order to achieve the above object, the constant multiplication operation method on an elliptic curve using the Provenian map according to the present invention reduces the constant m for performing the constant multiplication operation to obtain X + Yα having a small number of terms when developing a Provenius map. Using the reduction procedure and X + Yα obtained in the reduction procedure as inputs, the magnitude of the coefficient of the expansion equation is less than the upper limit q of the finite field, and the total number of terms is less than or equal to log _q m + 3. The expansion procedure using the Provenance map, which is available for all q, and the constant multiple operation procedure that directly calculates m points of arbitrary points on the curve using the expansion formula obtained from the above development process by the Provenance map. It is characterized by comprising.

1 is a flowchart illustrating a reduction procedure in a method of concatenating constant constants on an elliptic curve using a Provenance map according to the present invention.

Figure 2 is a flow chart illustrating the development procedure of the constant multiple association method on the elliptic curve using the Provenance map according to the present invention.

3 is a flowchart illustrating a constant multiplication operation procedure of the constant multiple association method on an elliptic curve using the Provenance map according to the present invention.

Hereinafter, with reference to the accompanying drawings will be described in detail the present invention.

In the present invention, mP is calculated by m times an arbitrary point P of E (GF (q ⁿ )) when an elliptic curve equation E having an element of GF (q) and GF (q) as a coefficient and an integer m is given. The algorithm consists of three algorithms. The input of the present invention is the finite body of the water q, elliptic curve E, the constant m, the element P of the E (GF (q ⁿ )), the elliptic curve group E (GF (q)) of the number N ₁ and the elliptic curve group E ( GF (q ⁿ )) is N _n and the output is mP, which is a point on the elliptic curve. Given q and E, N ₁ can be found by the Schof algorithm, and N _n can be found by simple calculation from N ₁ . Any point of E (GF (q _n )) in performing the calculations of the present invention consists of an ordered pair of two elements of GF (q ⁿ ) and each element is represented using a normal basis. The addition of any two points of E (GF (q ⁿ )) is also performed by the well-known existing elliptic curve addition operation using the coefficients of the equation of the elliptic curve E.

1 is a flowchart illustrating a reduction procedure in a method of associating constants on an elliptic curve using a Provenian map according to the present invention, and includes a finite field power q, an integer m, and an elliptic curve group E (GF (q). It shows the process of outputting X + Yα (X, Y is an integer) by reducing m by inputting the power level N ₁ of)) and the power level N _n of the elliptic curve group E (GF (q ⁿ )). .

The number of finite bodies q, the constant m, the number N ₁ of the elliptic curve group E (GF (q)) and the number N _n of the elliptic curve group E (GF (q ⁿ )) are input (101). Then, the elliptic curve E (GF (q)) is fixed and the number N ₁ of the E (GF (q)) minus q + 1 is called t. I.e., t is the q + _1-N 1. Α is the root of the integer equation x ² -tx + q = 0 and D is (102) α becomes (t + Di) / 2, where i = (103). Then complex Calculate and place the real part of it as a and the imaginary part as b (104). originally N _n = | α ⁿ -1 | ² ego Since a + b _i = m / (α ⁿ -1) and m is (α ⁿ -1) (a + bi) Becomes After that, a-tb / D is rounded to x and 2b / D is rounded to y (105). In this case, x + yα the remaining X + Yα divided by m to obtain, since the quotient obtained by dividing the m by α ⁿ -1 to the ⁿ α -1 is the m- (x + yα) (α n -1). Therefore, X = m + x and Y = yα ⁿ + xα ^n-1 -y are output (106).

FIG. 2 is a flowchart illustrating an unfolding procedure in a method of associating constants on an elliptic curve using a Provenian map according to the present invention. FIG. Take t as input X + Yα = Coefficients c (0), c (1), c (2),. , c (n + 2).

First, after inputting the integers X, Y, and q and t (201), k is set to 0 (202), and the remainder obtained by dividing the integer X by the number q of the finite body is u (203). Then, if u is 0 or 2X + tY is greater than or equal to 2u-q (204) and the condition is satisfied, (X, Y) is (t (Xu) / q + Y,-(Xu) / q) U is replaced by uq (205) and c (k) is replaced by u (206). If u is not equal to 0 or 2X + tY is greater than or equal to 2u-q (204) and the condition is not satisfied, i.e. u is not 0 and 2X + tY is less than 2u-q, then (X, Y) t (Xu) / q + Y + t,-(Xu) / q-1) (207) and c (k) is set to u (206). Then, if X and Y are both zero (208), if X and Y are not both zero at the same time, the value of k is increased by one (209) and it is repeated from step 203 to calculate u. This cycle ends within n + 3 times. That is, in k below n + 2, both X and Y become zero. If both X and Y are 0, then the value of k and c (0), c (1), c (2), ..., c (k) are output (210). Where X + Yα = The m-fold operation for any point P on the elliptic curve is mP = using the prominence map φ: (x, y) → (x ^ q, y ^ q) on GF (q). Is displayed as:

3 is a flowchart shown for explaining the present invention pro beanie elliptical constant multiple associative method constant times the operation procedure of the above curve using the Earth map according to, greater than log ₂ q, or at least of the integer r and 2, such as The output k, c (0), c (1), c (2), ..., c (k) are input and Q = mP is output.

First, the integers r and k, c (0), c (1), c (2), ..., c (k) are input (301), which is a set of integers for the integer i with 1≤i <q. S (i) = {j | c (j) = i, 0≤j≤k} and S` (i) = {j | c (j) = − i, 0 ≦ j ≦ k} is obtained (302). Then, the points Q, Q (1), Q (2), ..., Q (r) on the r elliptic curves are all set to O, which is the identity of the elliptic curve group, and i is set to 1 (303). For j belonging to S (i) φ ^j (P) In terms of all the sums, for j belonging to S '(i) φ ^j (P) Subtract all the points (304). That is, R is Becomes At this time φ ^j (P) The x- and y-coordinates of P point are expressed using a normal basis, and each coordinate is left-turned by jq bits. Subsequently, h is set to 1 (305), and if the h-th bit of i is 1 (306), if the h-th bit of i is not 1, h is incremented by 1 (307) and the h-th of i Repeat step 306 to check if the bit is one. If the h-th bit of i is 1, R is added to Q (h) (307). Thereafter, if h is not r (309) and if h is not r, the step of checking whether the h-th bit of i is 1 while repeating h by 1 (307) is repeated, and the step of resetting Q (h) is repeated. That is, R is added to Q (h) for every place h where 1 appears when i is expanded in binary. At the end of this process, check 310 if i is equal to q, if it is not equal, increase i by 311 and proceed to step 304 to obtain R for a new i. This process, i.e., the process of finding R for the new i, is performed repeatedly while i is less than q, and r points Q (1), Q (2), ..., Q (r) on the elliptic curve are determined. do. For convenience, R (i) Releasing mP Since Q (h) is the point where all the R (i) points are added to i with the h bit of i equal to 1, Becomes From step 310 of checking whether i is equal to q, if i is equal to q, h is set to r-1 (312), and 2Q + Q (h) is input to Q (313). Thereafter, if h is not 0, 314 is checked, and if h is not 0, the step 313 of resetting the Q value while decreasing the value of h by 315 is repeated until h is 0. Thereafter, when h becomes 0, Q is output (316). The output Q is Becomes equal to mP.

As described above, according to the present invention, in the case of an elliptic curve cryptographic system in which the speed of the system depends on the constant multiple operation of the elliptic curve, the speed of the elliptic curve cryptographic system can be improved without using a memory, such as a smart card or the like. It is easy to use for cryptographic systems that are limited and require high speed. In addition, in the case of using the constant multiple operation method on the elliptic curve according to the present invention, the calculation is particularly easy when the coefficient of the elliptic curve equation belongs to a small finite body, and in this case, the elliptic curve which is difficult to construct an elliptic curve cryptographic system. This solves the problem of finding the power of, which makes the elliptic curve cryptosystem easy to implement.

Claims (4)

A reduction procedure for reducing the constant m that performs a constant multiple operation to find X + Yα having a small number of terms when developing a Provenius map; By using X + Yα obtained in the reduction procedure as the input, the magnitude of the coefficient of the expansion equation is less than q of the finite field, and the total number of terms is less than or equal to log _q m + 3. The deployment procedure with the Provenence map, A constant on an elliptic curve using the Provenian map, comprising a constant multiplication operation procedure for directly m-folding an arbitrary point on the curve using a development formula obtained in the development process by the Provenance map. Pear operation method. 2. The method of claim 1, wherein the reduction procedure is based on the order of magnitude of the finite body, the integer m, the order of magnitude N ₁ of the elliptic curve group E (GF (q)) and the order of magnitude N _n of the elliptic curve group E (GF (q ⁿ )). Receiving input, Fixing the elliptic curve E (GF (q)) and subtracting q + 1 from the number N ₁ of E (GF (q)) is t, and one root of the integer equation x2-tx + q = 0 is α. Setting D to [Equation 1], Obtaining α, which is one root of the integer equation, using Equation 2, Calculating [Equation 3] to set the real part of the calculation result to a and the imaginary part to b, Using a and b obtained from the result of Equation 3, rounding a-tb / D to x and setting 2b / D to y, Outputting X = m + x and Y = yα ⁿ + xα ^{n -1} -y using x and y . At this time, The method of claim 1, wherein the expansion procedure using the Provenian map is obtained by subtracting q + 1 from the integer X, Y, the upper limit q of the finite body, and the upper limit N ₁ of E (GF (q)) obtained in the reduction procedure. receiving t, setting k to 0 and the remainder of integer X divided by the order of magnitude of the finite field to u, Checking whether u is zero or 2X + tY is greater than or equal to 2u-q; If u is 0 or 2X + tY is greater than or equal to 2u-q, and if u is 0 or 2X + tY is greater than or equal to 2u-q, then (X, Y) is equal to (t (Xu) / q + Y,-(Xu) / q), replacing u with uq and setting c (k) to u, If u is 0 or 2X + tY is greater than or equal to 2u-q, and if u is not 0 and 2X + tY is less than 2u-q, then (X, Y) is (t (Xu) / q + Y + t,-(Xu) / q-1), Checking whether both X and Y are zero, Checking that both X and Y are zero, and if both X and Y are not 0 at the same time, increasing the value of k by 1 and calculating u; If x and Y are both zero as a result of checking whether X and Y are both zero, k value and c (0), c (1), c (2), ..., c (k) are outputted. Method for calculating a constant multiple on an elliptic curve using the Provenance map, characterized in that it comprises a step. The method of claim 1, wherein the constant multiple operation procedure is Receiving an integer r, k, c (0), c (1), c (2), ..., c (k) obtained by the expansion procedure by the Provenian map, For an integer i with 1 ≦ i <q, S (i) = {j | c (j) = i, 0≤j≤k} and S` (i) = {j | obtaining c (j) = − i, 0 ≦ j ≦ k}; setting the points Q, Q (1), Q (2), ..., Q (r) on r elliptic curves to O, which is the identity of the elliptic curve group, and setting i to 1, For j belonging to the set S (i) φ ^j (P) In terms of all the sums, for j belonging to S '(i) φ ^j (P) Obtaining R as represented by Equation 4 by subtracting all of the points and setting h to 1 and checking if the h th bit of i is 1, If the h-th bit of i is 1, if the h-th bit of i is not 1, then increasing h by 1 and checking whether the h-th bit of i is 1; Checking that the h-th bit of i is 1 and adding R to Q (h) when the h-th bit of i is 1; Checking whether h is r, If the result of checking whether h is r, and if h is not r, repeating the step of checking whether the h th bit of i is 1 while increasing h by 1 and resetting Q (h); if h and r are equal, then checking if i is equal to q, and If i is not equal to q, and i is not equal to q, r is increased by 1 and the process for obtaining R for a new i is performed. R points on the elliptic curve Q (1), Q (2) ), ..., Q (r) is determined, and for R (i) represented by Equation 4, mP is [Equation 5], and R (i MP is expressed by [Equation 6] for the point Q (h) plus all points; Checking that i is equal to q, if i is equal to q, setting h to r-1 and inputting 2Q + Q (h) into Q; Checking whether h is 0, and If it is determined that h is 0, and if h is not 0, repeating the step of resetting the Q value while decreasing the h value by 1 until h is 0; The result of checking whether h is 0, when h becomes 0, is represented by [Equation 7] and outputs a Q such as mP. Operation method. At this time,