WO2006103851A1 - Power value generation device - Google Patents

Power value generation device Download PDF

Info

Publication number
WO2006103851A1
WO2006103851A1 PCT/JP2006/303253 JP2006303253W WO2006103851A1 WO 2006103851 A1 WO2006103851 A1 WO 2006103851A1 JP 2006303253 W JP2006303253 W JP 2006303253W WO 2006103851 A1 WO2006103851 A1 WO 2006103851A1
Authority
WO
WIPO (PCT)
Prior art keywords
value
power
secret key
threshold value
candidate
Prior art date
Application number
PCT/JP2006/303253
Other languages
French (fr)
Japanese (ja)
Inventor
Yuichi Futa
Takatoshi Ono
Natsume Matsuzaki
Original Assignee
Matsushita Electric Industrial Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Matsushita Electric Industrial Co., Ltd. filed Critical Matsushita Electric Industrial Co., Ltd.
Publication of WO2006103851A1 publication Critical patent/WO2006103851A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Definitions

  • the present invention relates to an attack method for analyzing a power value embedded in a module that executes a power residue calculation process by measuring power consumption when the power residue calculation process is executed.
  • the present invention relates to a safe threshold generation device.
  • a module that performs cryptographic processing (hereinafter referred to as a cryptographic module) implemented in software, and includes secondary information (hereinafter referred to as secondary information) when performing cryptographic processing.
  • secondary information secondary information
  • Various cryptanalysis methods have been devised to analyze cryptographic keys using the clue to "information”.
  • timing attack the time required for cryptographic processing by a cryptographic module varies slightly depending on the value of the cryptographic key used for cryptographic processing. Analyze. That is, in the timing attack, the encryption key is decrypted by using the sub-information called the processing time when performing the encryption process (for example, see Non-Patent Document 1).
  • step (S) is performed using the secret key d expressed by the following mathematical formula (1).
  • len indicates the number of bits of d
  • X indicates multiplication of integers
  • x y indicates x to the power of y.
  • step (S7) If “i ⁇ 0”, the value of variable z is output. Otherwise, return to step (S2) and repeat the process.
  • the simple power analysis attack can be performed by the following steps (S11) to (S13).
  • the simple power analysis attack described above utilizes the fact that the calculation processing is different between double multiplication and multiplication. Therefore, if the two multiplications are processed with the same value multiplication, the two multiplications cannot be distinguished from the multiplications, and the calculation order is insignificant, so the above simple power analysis attack cannot be performed. That is, the operation function of double multiplication with X as input and "X 2 mod n" as output is Sqr (x), x and y as input, and x Xy mod n as output is Mul (x, When y), Sqr (x) should be calculated as Mul (x, x).
  • Non-Patent Literature 1 Paul Kocher. Timing attacks on implementations of Di ffie— Hellman, RSA, DSS, and other systems. In Neal Koblitz, editor, CRYPTO '96, LNCS 1109, Springer-Verlag, 1996, pp. 104- 113 .
  • Non-Patent Document 2 P. Kocher, J. Ja_e, and B. Jun, “Di- erential Pow er Analysis,” Advances in Cryptology -CRYPTO '99, LNCS, 1
  • Non-patent literature 3 Tatsuaki Okamoto, Hiroshi Yamamoto, “Modern cryptography”, industrial books (1997)
  • Non-Patent Document 4 H. Cohen, "A Course in Computational Algebraic Number Theory", GTM 138, Springer -Verlag, 1996, p9
  • R SA cipher security is generally a force that depends on the computation time of the factoring of n n and if d is 10 24-bit, the calculation time is about the same as the computation time for searching a value from the search space size of 2 8 °. here, if, C (len, w (d )) is if falls below the 2 8 °, than the computation time of the prime factorization of n, the search time of the d is reduced, the safety of the RSA encryption is lowered by simple power analysis attack.
  • C (len, w (d)) may be less than 28Q . In this case, if safety is lowered, there is a problem. .
  • the present invention has been made in view of the above problems, and provides a threshold value generating apparatus that executes a power residue calculation process so that safety is not reduced by a simple power analysis attack. With the goal.
  • a threshold value generating apparatus is (a) a threshold value generating apparatus that generates a threshold value used for a power-residue calculation for positive integer c and modulus n. (Al) generating means for generating candidate values that are candidates for the threshold value; (a2) determining means for determining whether or not the hamming weight of the candidate value falls within a predetermined range; and (a3 And a setting unit configured to set the candidate value as the saddle value when it is determined by the determination unit to be within a predetermined range.
  • the search time is shortened and the safety is lowered.
  • a threshold value having a threshold value that is smaller than the predetermined range is not generated, so that it is possible to prevent the safety from being lowered.
  • the Hamming weight of the threshold value is leaked, it is possible to prevent the safety from being lowered.
  • the generating means calculates the power value d given in advance, the modulus n of the power-residue operation, the random number!:, And the Carmichael function (n) or the Euler function ⁇ (n).
  • d + r X ⁇ ( ⁇ ) or d + r X ⁇ ( ⁇ ) may be generated as the candidate value.
  • the determination means is determined on the basis of the safety against the brute force brute force attack with a combination of the number of bits of the modulus n and a predetermined positive integer as a first value
  • the predetermined positive integer determined under the condition that the first value exceeds the second value may be determined as the lower limit in the predetermined range.
  • the determination unit may determine a positive integer determined under a condition that the processing time of the power-residue calculation is shorter than a predetermined time as an upper limit in the predetermined range. .
  • the power generation unit may include power residue calculation means for performing the power residue calculation using the power value.
  • the threshold value generating apparatus includes threshold value storing means for storing the threshold value, and the power residue calculating means performs the power value every time the power residue calculation is executed. You may use the value stored in the storage means.
  • the setting means may update the power value every time the power-residue calculating means executes the power-residue calculating.
  • the present invention may be realized as the following (1) to (5) as well as being realized as a threshold value generating apparatus.
  • a method for controlling the threshold value generating apparatus (hereinafter referred to as a threshold value generating method), and a program for causing a computer system or the like to execute the threshold value generating method (hereinafter referred to as a threshold value generating program). ), A recording medium on which a threshold value generation program is recorded, an integrated circuit having the function of the threshold value generation device, or the like.
  • a key issuing device that has the same function as the threshold value generating device, uses the threshold value as a secret key, and generates a public key that is paired with the secret key, and a method for controlling the key issuing device (hereinafter referred to as ),
  • a program for causing a computer system or the like to execute the key issuing method hereinafter referred to as a key issuing program
  • a recording medium storing the key issuing program
  • a function of the key issuing device It may be realized as an integrated circuit or the like.
  • a decryption device that has the same function as the saddle value generation device, uses the saddle value as a secret key, performs a power-residue operation, and decrypts the ciphertext, and a method for controlling the decryption device (hereinafter, Called a decryption method), and a program for causing a computer system or the like to execute the decryption method (hereinafter referred to as a decryption method) This is called a decryption program. ), A recording medium in which a decoding program is recorded, an integrated circuit having a function of a decoding device, or the like.
  • a signature generation device that has the same function as the threshold value generation device, uses the threshold value as a secret key, performs a power-residue operation, and generates signature data, and a method for controlling the signature generation device (hereinafter referred to as ),
  • a program for causing a computer system or the like to execute the signature generation method hereinafter referred to as a signature generation program
  • a recording medium on which the signature generation program is recorded and a function of the signature generation apparatus. It may be realized as an integrated circuit provided.
  • An encryption system comprising a plurality of devices, at least one of the plurality of devices being a decryption device, a key issuing device, and a signature generation device, and a method for controlling the encryption system (hereinafter referred to as encryption) Called a system control method), a program for causing a plurality of computer systems to execute the cryptographic system control method (hereinafter referred to as a cryptographic system control program), a recording medium on which the cryptographic system control program is recorded, and the like. This is fine.
  • the present invention by limiting the Hamming weight of the saddle value to a predetermined range, a saddle value having a no-mining weight smaller than the predetermined range is not generated, so that safety is reduced. And can prevent. Furthermore, even if the threshold value or the ming weight is leaked, it is possible to prevent the safety from deteriorating. Its value is great.
  • FIG. 1 is a diagram showing an outline of calculation processing by a conventional binary method.
  • FIG. 2 is a diagram showing a configuration of a cryptographic system according to the first embodiment of the present invention.
  • FIG. 3 is a diagram showing a configuration of a key issuing server according to the first embodiment of the present invention.
  • FIG. 4 is a diagram showing a configuration of terminal apparatus A according to Embodiment 1 of the present invention.
  • FIG. 5 shows the calculation of the first power-residue calculating unit in Embodiment 1 according to the present invention.
  • FIG. 3 shows a flowchart of the method.
  • FIG. 6 is a diagram showing a flowchart of a calculation method of the second power-residue calculating unit in the first embodiment according to the present invention.
  • FIG. 7 is a diagram showing a configuration of terminal apparatus B in the first embodiment according to the present invention.
  • FIG. 8 is a diagram showing an operation at the time of key issuance of the cryptographic system according to the first embodiment of the present invention.
  • FIG. 9 is a diagram showing operations during cryptographic communication of the cryptographic system according to the first embodiment of the present invention.
  • FIG. 10 is a diagram showing a configuration of a cryptographic system according to the second embodiment of the present invention.
  • FIG. 11 is a diagram showing the configuration of the key issuing server in the second embodiment according to the present invention.
  • FIG. 12 is a diagram showing a configuration of terminal apparatus A in the second embodiment according to the present invention.
  • FIG. 13 is a diagram showing a configuration of terminal apparatus B in the second embodiment according to the present invention.
  • FIG. 14 is a flowchart showing an operation at the time of key issuance in the cryptographic system according to the second embodiment of the present invention.
  • FIG. 15 is a diagram showing an operation at the time of generating a first used secret key of the terminal device A in Embodiment 2 according to the present invention.
  • FIG. 16 is a diagram showing an operation at the time of generating a second used secret key of the terminal device B in the second embodiment according to the present invention.
  • FIG. 17 is a diagram showing an operation at the time of cryptographic communication of the cryptographic system according to the second embodiment of the present invention.
  • FIG. 18 is a diagram showing a conventional distribution of the number of multiplications.
  • FIG. 19 is a diagram showing a distribution of the number of multiplications in the present invention.
  • FIG. 20 is a diagram showing a distribution of appearance frequencies of the minimum number of multiplications in the present invention.
  • FIG. 21 is a diagram showing a configuration of a terminal device A in a modified example according to the present invention.
  • FIG. 22 is a diagram showing a configuration of a terminal device B in a modified example according to the present invention. Explanation of symbols
  • Hash calculator 13032 First power residue calculation unit
  • Embodiment 1 of the present invention will be described below with reference to the drawings.
  • the threshold value generating apparatus includes the following features (a) to (c).
  • a power generation device that generates power used for power-residue calculation for positive integer c and modulus n, and (al) generation that generates candidate values that are candidates for power A function, (a2) a judgment function that determines whether the hamming weight of the candidate value falls within a predetermined range, and (a3) a candidate value if the judgment function determines that it belongs to the predetermined range. And a setting function for setting as a threshold value.
  • the determination function uses a combination of the number of bits of modulus n and a predetermined positive integer as a first value, and determines a value determined based on the safety against brute force brute force attacks as a second value.
  • a predetermined positive integer determined under the condition that the first value exceeds the second value is within a predetermined range. The lower limit is determined.
  • the determination function determines a positive integer determined under the condition that the processing time of the power-residue calculation is smaller than the predetermined time as the upper limit in the predetermined range.
  • the threshold value generating device is a key issuing device that uses the threshold value as a secret key and generates a public key that is paired with the secret key.
  • FIG. 2 is a diagram showing a configuration of the cryptographic system in the present embodiment.
  • the cryptographic system 1000 includes a key issuing server 1100, a terminal device A1200, a terminal device B1300, and a communication path 1400.
  • the key issuing server 1100 is a value generating device, that is, a key issuing device having a public key generating function for generating a public key that is paired with a secret key by using the value as a secret key.
  • the cryptographic system 1000 generates a key pair including a secret key and a public key for the terminal device A1200 and the terminal device B1300 at the key issuing server 1100, and generates the key pair generated for each of the terminal device A1200 and the terminal device B1300. Is issued. Further, the terminal device A1200 encrypts the first message, generates a signature of the second message, and transmits it to the terminal device B1300 via the communication path 1400. The terminal device B1300 receives the ciphertext of the first message, the second message, and its signature data via the communication path 1400, decrypts the ciphertext, and obtains the decrypted text of the first message. To verify the signature data of the second message.
  • RSA encryption is described on pages 110 to 113 of Reference Document 1 below.
  • the RSA signature is described on pages 175 to 176 of this document. Here, the outline is explained.
  • ciphertext c is calculated by performing cryptographic operations on plaintext m using integer e and integer n, which are public keys.
  • decryption text m ' is calculated by performing decryption operation on ciphertext c using integer d that is a secret key.
  • the decrypted text m ′ matches the plain text m.
  • the key generation method is the same as that shown in (1) of the RSA encryption method.
  • the signature data S is calculated by using the integer d, which is a secret key, to multiply the dash value h by the d power.
  • FIG. 3 is a diagram showing a configuration of the key issuing server 1100 in the present embodiment.
  • the key issuing server 1100 includes a prime number generation unit 1101, a secret key generation unit 1102,
  • the prime number generation unit 1101 generates prime numbers p and q, which are secret information of RSA encryption. Note that prime generation is explained in Reference 2 below. Here, the explanation is omitted.
  • the secret key generation unit 1102 generates a secret key d in the RSA encryption method.
  • “L LCM (p—1, q—1),” and “d— 1 mod L” is an inverse element of d in mod.
  • the key setting unit 1104 stores the secret key d generated by the secret key generation unit 1102 in the secret key storage unit of the terminal device Al 200 or the terminal device B 1300. Further, n and e generated by the public key generation unit 1103 are stored as public keys in the public key storage unit of the terminal device A1200 or the terminal device B1300.
  • secret key generation section 1102 generates a threshold value used in the power-residue calculation for positive integer c and modulus n, and uses the generated threshold value as a secret key. .
  • a candidate value that is a candidate for the saddle value is generated, and it is determined whether or not the hamming weight of the candidate value is within a predetermined range.
  • a random number generation unit 11021 and a no-ming weight determination unit 11022 are provided.
  • the random number generation unit 11021 generates a random number k.
  • the mingming weight determination unit 11022 calculates the hamming weight of the random number k, and determines whether the hamming weight is equal to or greater than a predetermined value tl and less than th.
  • the ming weight is the number of bits whose bit value is 1 when the random number k is a bit string. For example, a Hamming weight of 5 is 2 because the 5 bit string is "101".
  • secret key generation section 1102 generates random number k in random number generation section 11021.
  • the ming weight determination unit 11022 it is determined whether the humming weight of the random number k is greater than or equal to tl and less than th. The Otherwise, the process returns to the random number generation unit 11021.
  • tl is determined based on the security level against the brute force attack of the secret key. Specifically, for example, when the number of bits of n is 1024, X that becomes “2 8Q C (1024, x)” may be tl.
  • C (x, y) is the number of combinations to select x power y, and is expressed by the following formula (14).
  • th is determined, for example, from the upper limit value of the processing time of a predetermined second power residue calculation unit 12032 (described later).
  • the number of multiplication Mul operations is “len ⁇ l + w (d)”.
  • the processing time of the second power residue calculation unit 12032 is “(len ⁇ l + w (d)) XTMul”. If TH is the upper limit of processing time, set th to a value satisfying "th ⁇ TH / TMul-len + 1" from "(len-l + th) XTMuKTH"!
  • FIG. 4 is a diagram showing a configuration of terminal apparatus A1200 in the present embodiment.
  • terminal device A1200 includes transmission unit 1201, encryption unit 1202, signature generation unit 1203, first secret key storage unit 1204, and first public key storage unit. 1205 and a second public key storage unit 1206 are provided.
  • Transmitting section 1201 transmits data to terminal apparatus B 1300 via communication path 1400.
  • Encryption unit 1202 encrypts first message ml using public key nB, eB of terminal device B1300 stored in second public key storage unit 1206 to generate ciphertext cl .
  • the signature generation unit 1203 stores the secret key dA of the terminal device A1200 stored in the first secret key storage unit 1204 and the first public key storage unit 1205.
  • Signature data S is generated using nA, which is a part of the public key of terminal device A1200 stored.
  • signature data S is generated based on the RSA signature method.
  • First secret key storage section 1204 stores secret key dA of terminal device A1200.
  • First public key storage section 1205 stores public keys nA and eA of terminal device A1200.
  • the second public key storage unit 1206 stores the public keys nB and eB of the terminal device B1300.
  • encryption key unit 1202 includes first power residue calculation unit 12021.
  • the first power-residue calculating unit 12021 has an input value x, e represented by the following mathematical formula (1-5), Calculate "x e mod n" for n and n.
  • len is the number of bits of d
  • X is an integer multiplication
  • x y is x to the power of y.
  • FIG. 5 shows a flowchart of the calculation method of the first power residue calculation unit 12021.
  • FIG. 5 is a diagram showing a flow chart of the calculation method of first power residue calculation unit 12021 in the present embodiment. As shown in FIG. 5, the first power-residue calculating unit 12021 performs the following steps (S101) to (S107).
  • Sqr (x) represents the result of performing x multiplication by two.
  • Mul (x, y) indicates the result of multiplying x and y.
  • the encryption key unit 1202 inputs the first message ml as x, inputs eB which is a part of the public key as e, and makes it public as n Input nB that is part of the key, calculate "ml eB mod nB", and use the result as ciphertext cl.
  • signature generation section 1203 includes hash calculation section 12031 and second power residue calculation section 12032.
  • the first hash calculator 12031 calculates a hash value h for the second message m2.
  • the Matth function to be used only needs to have one-way property that it is difficult to obtain the input value of the hash function corresponding to the Nosh value.
  • the SHA-1 hash function For example, the SHA-1 hash function.
  • the one-way hash function is described in detail on pages 189 to 195 of Reference 1 above.
  • Second power-residue calculating unit 12032 calculates “x d mod n” for input value x, d indicated by the following mathematical formula (1-6), and n.
  • FIG. 6 shows a flowchart of the calculation method of the second power residue calculation unit 12032.
  • FIG. 6 is a diagram showing a flow chart of a calculation method of second power residue calculation unit 12032 in the present embodiment. As shown in FIG. 6, the second power residue calculation unit 12032 performs the following steps (S 111) to (S 117).
  • step (S112) the square remainder of z may be calculated, but in Embodiment 1, the "multiplication" is explicitly performed so that the same number of multiplications are performed and the remainder is taken. use. This is because calculation is generally different between multiplication by two and multiplication is faster than multiplication by two. Here, the multiplication by the same number of multiplications by the calculation by two multiplications is realized. Means.
  • step (S114) multiplication is executed w (d) times for w (d) which is the Hamming weight of d.
  • step (S114) multiplication is executed w (d) times for w (d) which is the Hamming weight of d.
  • signature generation section 1203 calculates a no-shash value h for second message m 2 at noush calculation section 12031.
  • the hash value h is input as X
  • the secret key dA is input as d
  • nA that is a part of the public key is input as n, thereby calculating “h dA mod nA”.
  • the result is signature data S.
  • FIG. 7 is a diagram showing a configuration of terminal apparatus B1300 in the present embodiment.
  • the terminal device B 1300 includes a receiving unit 1301, a decrypting unit 1302, a signature verifying unit 1303, a second secret key storage unit 1304, and a second public key storage unit 1305. And a first public key storage unit 1306.
  • the receiving unit 1301 receives data from the terminal device A1200 via the communication path 1400.
  • the decryption key unit 1302 stores the secret key dB of the terminal device B 1300 stored in the second secret key storage unit 1304 and the public key stored in the second public key storage unit 1305. Using nB which is a part, decrypt ciphertext cl and generate decrypted text ml '.
  • the signature verification unit 1303 is the terminal device A120 stored in the first public key storage unit 1305.
  • Second secret key storage section 1304 stores secret key dB of terminal apparatus B 1300.
  • the second public key storage unit 1305 stores the public keys nB and eB of the terminal device B1300.
  • the first public key storage unit 1306 stores the public keys nA and eA of the terminal device A1200. [0145] Next, a detailed configuration of decryption unit 1302 in the present embodiment will be described.
  • decryption unit 1302 includes second power residue calculation unit 13021.
  • the second power residue calculation unit 13021 has the same function as the second power residue calculation unit 12032 included in the signature generation unit 1203 of the terminal device A1200, and thus description thereof is omitted.
  • the decryption unit 1302 inputs the ciphertext cl as x, the secret key dB as d, and nB which is a part of the public key as n in the second power residue calculation unit 13021.
  • cl dB mod nB is calculated, and the result is the decrypted text ml.
  • the RSA encryption method "(2) Processing for generating ciphertext" is used.
  • signature verification section 1303 includes hash calculation section 13031, first power residue calculation section 13032, and signature determination section 13033.
  • node calculation unit 13031 has the same function as the hash calculation unit 12031 included in the signature generation unit 1203 of the terminal device A1200, the description thereof is omitted.
  • First power residue calculation unit 13032 has the same function as first power residue calculation unit 12021 included in encryption unit 1202 of terminal apparatus A1200, and thus the description thereof is omitted.
  • the signature determination unit 13033 determines whether or not the hash value h calculated by the hash calculation unit 13031 and the verification value h ′ calculated by the first power residue calculation unit 13032 are equal.
  • signature verification section 1303 first calculates hash value h for second message m2 in node calculation section 13031.
  • the signature data S is input as X, eA which is a part of the public key as e, and nA which is a part of the public key as n, and “S eA mod nA "is calculated, and the result is used as the verification value.
  • the signature judgment unit 13033 it is confirmed whether or not the hush value h and the verification value h are equal. If they are equal, OK is output as a correct signature, and NG is output as an incorrect signature if they are not equal.
  • the operation of the cryptographic system 1000 is an operating force for "key issuance” for issuing a key and for "cipher communication” for performing cipher communication between the terminal device A1200 and the terminal device B1300.
  • the key issuing server 1100 At the time of “key issuance”, the key issuing server 1100 generates secret keys and public keys of the terminal device A1200 and the terminal device B1300, and stores them in the respective devices.
  • the ciphertext of the first message ml and the signature data of the second message m2 are received in the terminal device A1200 for the input first message ml and second message m2. Is transmitted to the terminal device B 1300 via the communication path 1400, received by the terminal device B 1300, decrypted and signed, and decrypted text ml 'and the signature verification result (OK or NG ) Is output.
  • Fig. 8 is a diagram showing an operation at the time of key issuance of the cryptographic system 1000 according to the present embodiment.
  • the key issuing server 1100 generates prime numbers pA and qA in the prime number generation unit 110 1 (S201).
  • the secret key generation unit 1102 generates a secret key dA (S202).
  • the key setting unit 1104 stores the secret key dA in the first secret key storage unit 1204 of the terminal device A 1200 (S204).
  • NA and eA are stored as public keys in the first public key storage unit 1205 of the terminal device A1200 (S205).
  • NA and eA are stored in the first public key storage unit 1306 of the terminal device B 1300 (S206).
  • the key issuing server 1100 generates prime numbers pB and qB in the prime number generation unit 1101 (S207).
  • the secret key generation unit 1102 generates a secret key dB (S208).
  • the secret key dB is stored in the second secret key storage unit 1304 of the terminal device B1300 (S210).
  • N B and eB are stored as public keys in the second public key storage unit 1305 of the terminal device B 1300 (S211).
  • NB and eB are stored in the second public key storage unit 12 06 of the terminal device A1200 (S212). And it ends.
  • Fig. 9 is a diagram showing an operation during cryptographic communication of the cryptographic system 1000 according to the present embodiment.
  • the terminal device A1200 uses the encryption key unit 120.
  • the ciphertext cl of the first message ml is generated (S301).
  • the signature generation unit 1203 generates the signature data S of the second message m2 (S302).
  • Transmitter 1201 transmits ciphertext cl, second message m2 and signature data S to terminal device B 1300 via communication path 1400 (S303).
  • terminal apparatus B1300 receives ciphertext cl, second message m2 and signature data S at receiving section 1301 (S304).
  • the ciphertext cl is decrypted to obtain the decrypted text ml ′ (S305).
  • the signature verification unit 1303 verifies the signature data S (S306). If the signature data S is correct and the signature of the second message (S306: S is correct), the signature verification result is OK (S307), and if it is not correct (S306: S is invalid), the signature verification result Is NG (S308).
  • terminal apparatus B 1300 outputs the decrypted text ml ′ and the signature verification result (S309).
  • the key issuing server 1100 generates the secret key dA, dB having a Hamming weight not less than tl and less than th and generated the secret key dA.
  • Is used by terminal device A1200, and secret key dB is used by terminal device B 1300.
  • Terminal device A1200 and terminal device B1300 perform power-residue calculation using secret keys dA and dB, respectively.
  • the power-residue calculation is executed by realizing the second multiplication by the same number of multiplications in the second power-residue calculation unit 12032.
  • the key issuing server 1100 generates the Hamming weight of the secret key dA, dB so that it is greater than or equal to tl, and tl is longer than the processing time required for factoring the prime factor of n. Therefore, the terminal devices A 1200 and B 1300 of the first embodiment are safe against an attack that narrows the search space for the secret power of the number of operations.
  • the threshold value generating apparatus includes the characteristics shown in the following (a) to (c).
  • the generation function has a given value d, a power-residue modulus n, a random number! And d + r X ⁇ ( ⁇ ) or d + r X ⁇ ( ⁇ ) are generated as candidate values using the Carmichael function (n) or Euler function ⁇ (n).
  • the power generation device has a power-residue calculation function for performing power-residue calculation using the power.
  • the threshold value generating apparatus has a threshold value storing function for storing a threshold value, and the power residue calculation function is stored in the threshold value storing function every time the power residue calculation is executed.
  • the threshold value generating apparatus uses the saddle value as a secret key, performs a power surplus operation, decrypts the ciphertext, and uses the saddle value as a secret key to perform a power surplus operation.
  • a signature generation device that generates signature data.
  • FIG. 10 is a diagram showing a configuration of the cryptographic system in the present embodiment.
  • the cryptographic system 2000 includes a key issuing server 2100, a terminal device A 2200, a terminal device B 2300, and a communication path 1400.
  • the terminal device A 2200 is a threshold value generating device that generates signature data by performing a power residue calculation using the threshold value as a secret key, that is, a signature generating device.
  • the terminal device B2300 is a threshold value generating device that decrypts a ciphertext by performing a power residue operation using the threshold value as a secret key, that is, a decryption device.
  • the cryptographic system 2000 generates a key pair consisting of a secret key and a public key for the terminal device A 2200 and the terminal device B 2300 using the key issuing server 2100, and generates the key pair generated for each of the terminal device A 2200 and the terminal device B 2300. Issue. Further, the terminal device A2200 encrypts the first message, generates a signature of the second message, and transmits it to the terminal device B2300 via the communication path 1400. The terminal device B2300 receives the ciphertext of the first message, the second message, and its signature data via the communication path 1400, decrypts the ciphertext, and obtains the decrypted text of the first message. To verify the signature data of the second message.
  • the RSA encryption method and the RSA signature method are used as in the first embodiment.
  • FIG. 11 is a diagram showing a configuration of the key issuing server 2100 in the present embodiment.
  • the key issuing server 2100 differs from the key issuing server 1100 in the following points (1) to (3).
  • a secret key generation unit 2102 is provided instead of the secret key generation unit 1102.
  • “L LCM (p— 1, q— 1)”
  • “e mod L” is the inverse element of e at mod L. Note that e is only 17 and for example, “2 It may be 16 + 1 ".
  • a public key generation unit 2103 is provided instead of the public key generation unit 1103.
  • a key setting unit 2104 is provided instead of the key setting unit 1104.
  • the key setting unit 2104 uses the primes p and q generated by the prime number generation unit 1101 and d generated by the secret key generation unit 2102 as a secret key in the secret key storage unit of the terminal device A2200 or the terminal device B2300.
  • n and e generated by the public key generation unit 2103 are stored as public keys in the public key storage unit of the terminal device A2200 or the terminal device B2300.
  • terminal apparatus A 2200 in the present embodiment will be described.
  • FIG. 12 is a diagram showing a configuration of terminal apparatus A2200 in the present embodiment. As shown in FIG. 12, the terminal device A2200 differs from the terminal device A1200 in the following points (1) to (4).
  • a signature generation unit 2203 is provided instead of the signature generation unit 1203.
  • the signature generation unit 2203 stores the used secret key dA stored in the first used secret key storage unit 2208 and the first public key storage unit 1205 for the second message m2.
  • the signature data S is generated using nA that is part of the public key.
  • the used secret key dA is a secret key generated from the secret key dA and used only within the terminal device A 2200 (hereinafter also referred to as a first used secret key).
  • a first secret key storage unit 2204 is provided instead of the first secret key storage unit 1204.
  • the first secret key storage unit 2204 stores the secret keys pA, qA, dA of the terminal device A2200. (3) A first use secret key generation unit 2207 is newly provided.
  • the first used secret key generation unit 2207 uses the secret keys pA, qA, dA stored in the first secret key storage unit 2204 to use the used secret key dA 'Is generated only once and stored in the first used secret key storage unit 2208.
  • a first use private key storage unit 2208 is newly provided.
  • the first used secret key storage unit 2208 stores the used secret key dA 'used in the power-residue calculation.
  • signature generation section 2203 includes hash calculation section 22031 and second power residue calculation section 22032.
  • the hash calculation unit 22031 has the same function as the hash calculation unit 12031 in the first embodiment, the description thereof is omitted.
  • Second power residue calculation unit 22032 has the same function as second power residue calculation unit 12032 in the first embodiment, and a description thereof will be omitted.
  • signature generation section 2203 first calculates hash value h for second message m 2 at node calculation section 22031.
  • X is a hash value h
  • d is a used secret key dA ′
  • n is a part of the public key n
  • Input A calculate “h dA 'mod nA”, and set the result as signature data S.
  • the first used secret key generation unit 2207 generates a threshold value used in the power-residue calculation for the positive integer c and modulus n, and generates the generated threshold value. Is used as the first used private key. At this time, a candidate value that is a candidate for the threshold value is generated, it is determined whether the hamming weight of the candidate value is within a predetermined range, and if it is within the predetermined range, the candidate value is set as the threshold value To do.
  • a random number generation unit 22071, a used secret key candidate generation unit 22072, and a ming weight determination unit 22073 are provided.
  • the random number generation unit 22071 generates a random number r that is a positive integer.
  • the number of bits of the random number is, for example, 32.
  • Use secret key candidate generation section 22072 generates use secret key candidate dA 'represented by the following equation (2-1) using random number r and secret keys pA, qA, dA.
  • ⁇ ( ⁇ ) shown in the above equations (2-1) and (2-2) is a Carmichael function.
  • the Euler function ⁇ ( ⁇ ) represented by the following equation (2-3) may be used.
  • the ming weight determination unit 22073 determines whether the ming weight of the used secret key candidate dA 'is equal to or greater than a predetermined value tl and less than th.
  • first use secret key generation section 2207 generates random number r in random number generation section 22071.
  • the used secret key candidate generation unit 22072 calculates a used secret key candidate dA, using the random number r and the secret keys pA, qA, dA.
  • the ming weight determination unit 22073 determines whether the ming weight of the used secret key candidate dA ′ is greater than or equal to tl and less than th. If it is greater than or equal to tl and less than th, the used secret key candidate dA ′ (candidate value) ) Is set as the first used secret key (value) and stored in the first used secret key storage unit 2208. Otherwise, the process returns to the random number generation unit 22071.
  • tl is determined based on the security level against the brute force attack of the secret key.
  • th is determined from, for example, a predetermined upper limit value of the processing time of the second power residue calculating unit 22032, which is determined in advance.
  • the number of operations of multiplication Mul is “le n ⁇ l + w (d)”.
  • the processing time of the second power residue calculation unit 22032 is “(len ⁇ l + w (d)) XTMul”. If TH is the upper limit of the processing time, set th to a value that satisfies "th> TH / TMul—len + 1" from "(len— 1 + th) XTMuKTH".
  • the signature data generated using the secret key dA is equal to the signature data generated using the used secret key dA ′ as in the present embodiment.
  • the signature can be generated without any problem even if the used secret key dA 'is used instead of the secret key dA without changing the public key.
  • FIG. 13 is a diagram showing a configuration of terminal apparatus B in the present embodiment. Shown in Figure 13 As described above, the terminal device B2300 differs from the terminal device B1300 in the following points (1) to (4).
  • a decoding key unit 2302 is provided instead of the decoding key unit 1302.
  • the decryption key unit 2302 includes the used secret key dB 'of the terminal device B2 300 stored in the second used secret key storage unit 2308 and the public key stored in the second public key storage unit 1305.
  • nB which is a part of the key
  • the ciphertext cl is decrypted to generate a decrypted text ml '.
  • the used secret key dB ′ is a secret key generated from the secret key dB and used only in the terminal apparatus B 2300 (hereinafter also referred to as a second used secret key).
  • a second secret key storage unit 2304 is provided instead of the second secret key storage unit 1304.
  • Second secret key storage section 2304 stores secret keys pB, qB, dB of terminal device B2300
  • a second use secret key generation unit 2307 is newly provided.
  • the second used secret key generation unit 2307 uses the secret key pB, qB, dB stored in the second secret key storage unit 2304 to use the used secret key dB used in the power-residue calculation dB 'Is generated only once and stored in the second used secret key storage unit 2308.
  • a second used secret key storage unit 2308 is newly provided.
  • the second used secret key storage unit 2308 stores the used secret key dB 'used in the power-residue calculation.
  • decryption unit 2302 includes second power residue calculation unit 23021.
  • the second power residue calculation unit 23021 has the same function as the second power residue calculation unit 13021 in Embodiment 1, and thus the description thereof is omitted.
  • the decryption unit 2302 inputs the ciphertext cl as x, the used secret key dB 'as x, and nB that is a part of the public key as n in the second power residue calculation unit 23021, "cl dB 'mod nB" is calculated, and the result is the decrypted text ml.
  • the second used secret key generation unit 2307 generates a threshold value used for the power-residue calculation for the positive integer c and modulus n, and the generated threshold value is the second value. Use as a private key.
  • a candidate value that is a candidate for the threshold value is generated, it is determined whether the hamming weight of the candidate value is within a predetermined range, and if it is within the predetermined range, the candidate value is set as the threshold value.
  • a random number generation unit 23071, a used secret key candidate generation unit 23072, and a half-ming weight half IJ definition 23073 are provided.
  • the random number generation unit 23071 generates a random number r that is a positive integer.
  • the number of bits of the random number is, for example, 32.
  • Use secret key candidate generation section 23072 generates use secret key candidate dB ′ represented by the following equation (2-7) using random number r and secret keys pB, qB, dB.
  • ⁇ ( ⁇ ) is the Carmichael function.
  • the Euler function ⁇ ( ⁇ ) represented by the following equation (2-9) may be used.
  • the ming weight determination section 23073 determines whether the hamming weight of the used secret key candidate dB 'is greater than or equal to a predetermined value tl and less than th.
  • second used secret key generation section 2307 generates random number r in random number generation section 23071.
  • the used secret key candidate generation unit 23072 calculates the used secret key candidate dB ′ using the random number r and the secret keys pB, qB, dB.
  • the ming weight determination unit 23073 it is determined whether the hamming weight power of the used secret key candidate dB ′ is 3 ⁇ 41 or more and less than th, and if it is tl or more and less than th, the used secret key candidate dB ′ (candidate value) is determined. Set it as the second private key (low value) Stored in the second used secret key storage unit 2308. Otherwise, the process returns to the random number generator 23071.
  • the decrypted text generated using the secret key dB is equal to the decrypted text generated using the used secret key dB ′ as in the present embodiment.
  • decryption can be performed without any problem even if the used private key dB ′ is used instead of the private key dB without changing the public key.
  • the operation of the cryptographic system 2000 is as follows: "When issuing a key” for issuing a key, "When generating a first used secret key” for generating a first used secret key in the terminal device A2200, In B2300, the operation power is “at the time of generating the second used secret key” for generating the second used secret key and “at the time of encrypted communication” for performing the encrypted communication between the terminal device A2 200 and the terminal device B2300.
  • the key issuing server 2100 uses the terminal device A2200 and the terminal device B2 300 private keys and public keys are generated and stored in each device.
  • the terminal device A2200 generates the first used secret key from the secret key of the terminal device A2200.
  • the terminal device B2300 generates the second used secret key from the secret key of the terminal device B2300.
  • the ciphertext of the first message ml and the signature data of the second message m2 are generated in the terminal device A2200 for the first message ml and the second message m2 that are input.
  • the data is transmitted to the terminal device B2300 via the communication path 1400, received by the terminal device B2300, decrypted and signed, and the decrypted text ml 'and the signature verification result (OK or NG) are output. To do.
  • Fig. 14 shows the flowchart for "when issuing a key”
  • Fig. 15 shows the flowchart for "when generating a first used secret key”
  • Fig. 16 shows the flowchart for "when generating a second used secret key”.
  • Fig. 17 shows the flowchart for "Cryptographic communication”.
  • FIG. 14 is a diagram showing an operation at the time of key issuance of the cryptographic system 2000 in the present embodiment.
  • the key issuing server 2100 generates prime numbers pA and qA in the prime number generation unit 1101 (S401).
  • the secret key generation unit 2102 generates a secret key dA (S402).
  • the secret keys pA, qA, dA are stored in the first secret key storage unit 2204 of the terminal device A2200 (S404).
  • NA and eA are stored as public keys in the first public key storage unit 1205 of the terminal device A2200 (S405).
  • NA and eA are stored in the first public key storage unit 1306 of the terminal device B2300 (S406).
  • the key issuing server 2100 generates prime numbers pB and qB in the prime number generation unit 1101 (S407).
  • the secret key generation unit 2102 generates a secret key dB (S408).
  • the key setting unit 2104 stores the secret keys pB, qB, and dB in the second secret key storage unit 2304 of the terminal device B2300 (S410).
  • NB and eB are stored as public keys in the second public key storage unit 1305 of the terminal device B2300 (S411).
  • NB and eB are stored in the second public key storage unit 1206 of the terminal device A2200 (S412). And it ends.
  • FIG. 15 shows the operation at the time of generating the first used secret key of terminal device A 2200 in the present embodiment. It is a figure which shows work.
  • the terminal device A 2200 when the first used secret key is generated, the terminal device A 2200 generates a random number r in the first used secret key generation unit 2207 (S421).
  • a secret key candidate dA ′ to be used is calculated (S422). If the nominating weight of the used secret key candidate dA, obtained by calculation is greater than or equal to tl and less than th (S423: Yes), the first used secret key is used as the first secret key used dA '.
  • FIG. 16 is a diagram showing an operation when the second used secret key is generated by terminal apparatus B2300 in the present embodiment.
  • the terminal device B 2300 when generating the second used secret key, the terminal device B 2300 generates a random number r in the second used secret key generation unit 2307 (S431), and the generated random number r and Using the secret keys pB, qB, dB stored in the second secret key storage unit 2304, a secret key candidate dB ′ is calculated (S432). If the value of the used secret key candidate dB 'obtained by calculation is greater than or equal to tl and less than th (S433: Yes), the second used secret key is used as the second used secret key.
  • FIG. 17 is a diagram showing an operation at the time of cryptographic communication of the cryptographic system 2000 in the present embodiment.
  • the terminal device A 2200 generates the ciphertext cl of the first message ml in the encryption unit 1202 (S501).
  • the signature generation unit 2203 generates the signature data S of the second message m2 (S502).
  • Transmitter 1201 transmits ciphertext cl, second message m2 and signature data S to terminal device B2300 via communication path 1400 (S503).
  • terminal apparatus B 2300 receives ciphertext cl, second message m 2 and signature data S at receiving section 1301 (S 504).
  • the ciphertext cl is decrypted to obtain the decrypted text ml ′ (S505).
  • the signature verification unit 1303 verifies the signature data S (S506). If the signature data S is correct and the signature of the second message (S506: S is correct), the signature verification result is OK (S507), and if the signature is incorrect (S506: S is invalid), and the signature verification result is NG (S508).
  • the terminal device B 2300 outputs the decrypted text ml ′ and the signature verification result (S509).
  • the used secret keys dA ′ and dB ′ having a hamming weight not less than tl and less than th are used.
  • the generated private key dA ′ is generated and used by the signature generation unit 2203 of the terminal device A2200, and the used private key dB ′ is used by the decryption unit 2302 of the terminal device B2300.
  • the terminal device A2200 and the terminal device B2300 perform the power-residue calculation using the used secret keys dA ′ and dB ′, respectively.
  • the power-residue calculation is executed by realizing the second multiplication by the same number of multiplications in the second power-residue calculating unit 22032 and the second power-residue calculating unit 23021.
  • the terminal device A2200 and the terminal device 2300 generate the ming weights of the used secret keys dA 'and dB' to be tl or more, and tl is the processing time required for the brute force attack of the secret key n Therefore, the terminal device A2200 and terminal device B2300 of the second embodiment are safe even against attacks that narrow the secret key search space from the number of computations. .
  • the threshold value used in the conventional power-residue calculation may be generated when the humming weight is small or large. If the weight is small, the safety is low. If the Hamming weight is large, the calculation time is long.
  • the power value used in the power-residue calculation of the present invention is generated so that the weighting weights are within a certain range. And since the Hamming weights fall within a certain range, it is safe and the calculation time is not prolonged.
  • the key issuing server 1100 in the first embodiment and the terminal device A2200, the terminal device B2300, etc. in the second embodiment ensure the security of the RSA encryption against a simple power analysis attack! RU
  • Fig. 20 is a graph plotting the frequency of occurrence of multiplication when such a used secret key d is generated. From this graph, after application of the present invention, it is multiplied about 20 times before application. It is shown that the number of times is reduced, and calculation time is about 3% faster.
  • the key issuing server sends the generated public key and secret key to the first secret key storage unit and the second secret key of the terminal device A and the terminal device B, respectively.
  • the private key storage unit, the first public key storage unit, and the second public key storage unit are directly stored and issued, but may be issued via a communication channel or a recording medium.
  • Embodiment 1 After determining the secret key d, e is determined. However, after e is determined as in Embodiment 2, d is determined. May be. In that case, the Hamming weighting force of the secret key d is 3 ⁇ 41 or more and less than th using the Carmichael function or the Euler function, as is done in the terminal device A2200 and the terminal device B2300 of the second embodiment. You can correct it to ⁇ . Also in the second embodiment, e may be determined after fixing the secret key d without fixing e.
  • the used secret keys dA ′ and dB ′ may be generated every time during encrypted communication. That is, the used secret key used for the power residue calculation instead of the secret key may be changed every time the power residue calculation is executed in the terminal device. At this time, the used secret key is generated using random numbers so that the Hamming weight of the used secret key falls within a certain range.
  • the signature generation unit 3203 includes a first used secret key generation unit 3207, and is used every time a modular exponentiation operation is performed. You can also use to generate the signature generation process.
  • the first used secret key generation unit 3207 generates the used secret key dA ′ every time the second power residue calculation unit 32032 executes the power residue calculation.
  • the secret key dA is used to generate a used secret key dA ′ having a hamming weight not less than tl and less than th.
  • Second power residue calculation unit 320 32 uses the used secret key dA ′ generated each time the power-residue calculation is executed, and performs the power-residue calculation in the same way as the second power-residue calculation unit 22032 in the second embodiment.
  • the decryption unit 3302 includes a second used secret key generation unit 3307, and uses the used secret key dB ′ that is updated each time a power-residue operation is performed. You may use it to perform the decryption process.
  • the second used secret key generating unit 3307 generates the used secret key dB ′ every time the second power residue calculating unit 33021 executes the power residue calculation.
  • the secret key dB is used to generate a used secret key dB ′ having a ming weight of less than tl and less than th.
  • the second power residue calculation unit 33021 uses the used secret key dA ′ generated each time the power residue calculation is performed, and is similar to the second power residue calculation unit 23021 in the second embodiment. Performs power-residue operation.
  • RSA encryption may be used as the encryption method, or an encryption method that performs a power-residue operation, for example, ElGamal encryption.
  • the secret key is a value x
  • the public key is "g x mod p" using the prime p given in advance in the whole system and g which is an integer from 1 to p—1. And get.
  • These secret keys and public keys are generated by the key issuing server.
  • the secret key generation unit 1102 of the first embodiment may use the random number k generated for the terminal device B 1300 as the secret key X of the ElGamal encryption.
  • the present invention may be a threshold value generating device that generates a threshold value so as to be a Hamming weight force 3 ⁇ 41 or more and less than th, and performs a power-residue calculation using the threshold value.
  • This threshold generator is D H (Diffie-Hellman) key agreement or DSA (Digital Signature Algorithm) signature method may be used.
  • each of the above devices is a microprocessor, a ROM (Read Only Memory), a RAM (Random Access Memory), a node disk unit, and a Tisf. It is a computer system that also includes power such as a ray unit, keyboard, and mouse.
  • a computer program is stored in the RAM or hard disk unit. Each device achieves its functions through the microprocessor's operation according to the computer program.
  • the computer program is configured by combining a plurality of instruction codes indicating instructions for the computer in order to achieve a predetermined function.
  • a part or all of the constituent elements constituting each of the above devices may be constituted by one system LSI (Large Scale Integration).
  • a system LSI is an ultra-multifunctional LSI that is manufactured by integrating multiple components on a single chip. Specifically, it is a computer system that includes a microprocessor, ROM, RAM, and so on. It is. A computer program is stored in the RAM. Microprocessor power The system LSI achieves its functions by operating according to the computer program.
  • a part or all of the components constituting each of the above devices may be configured as an IC card that can be attached to and detached from each device or a single module force.
  • An IC card or module is a computer system composed of a microprocessor, ROM, RAM, and so on.
  • the IC card or module may include the above-mentioned super multifunctional LSI.
  • the IC card or module achieves its functions by the microprocessor operating according to the computer program. This IC card or this module may be tamper resistant.
  • the present invention may be the method described above. Also, it may be a computer program that realizes these methods by a computer, or it may be a digital signal that also serves as a computer program.
  • the present invention also provides a computer program or a digital signal stored in a computer.
  • a readable recording medium such as a flexible disk, hard disk, CD-RO
  • It may be recorded on M, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc), semiconductor memory, or the like. It may also be a digital signal recorded on these recording media! /.
  • the present invention may transmit a computer program or a digital signal via a telecommunication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, or the like. .
  • the present invention may be a computer system including a microprocessor and a memory, wherein the memory stores a computer program, and the microprocessor operates according to the computer program.
  • the program or digital signal may be recorded on a recording medium and transferred, or the program or digital signal may be transferred via a network or the like by another independent computer system. You can do it.
  • the present invention can be used as an encryption device that is safe against an attack method that analyzes an encryption key embedded in an encryption module by measuring the power consumption when executing encryption processing. Can be used for IJ.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A secret key generation unit (1102) of a key issuing server (1100) generates a power value used in power-residue calculation for a positive integer c and a modulus n and uses the generated power value as a secret key. Here, a random number generation unit (11021) generates a candidate value as a candidate for the power value. A humming weight judgment unit (11022) judges whether the humming weight of the candidate value belongs to a predetermined range. If it belongs to the predetermined range, the candidate value is set as a power value.

Description

明 細 書  Specification
冪値生成装置  Price generator
技術分野  Technical field
[0001] 本発明は、冪乗剰余演算処理を実行する際の電力消費量を計測することで、冪乗 剰余演算処理を実行するモジュールに埋め込まれている冪値を解析する攻撃方法 に対して安全な冪値生成装置に関する。  [0001] The present invention relates to an attack method for analyzing a power value embedded in a module that executes a power residue calculation process by measuring power consumption when the power residue calculation process is executed. The present invention relates to a safe threshold generation device.
背景技術  Background art
[0002] 近年、ハードウェアある!/、はソフトウェアで実装された暗号処理を行うモジュール(以 下、暗号モジュールと呼称する。)が、暗号処理を行う際の副次的な情報 (以下、副 情報と呼称する。)を手がかりにして、暗号鍵の解析を行う解読法が各種考案されて いる。  [0002] In recent years, there is hardware! /, A module that performs cryptographic processing (hereinafter referred to as a cryptographic module) implemented in software, and includes secondary information (hereinafter referred to as secondary information) when performing cryptographic processing. Various cryptanalysis methods have been devised to analyze cryptographic keys using the clue to "information".
[0003] 例えば、タイミング攻撃と呼ばれる解析方法では、暗号モジュールが暗号処理に要 する時間が、暗号処理に用いている暗号鍵の値により、わずかではあるが異なること を利用して、暗号鍵の解析を行う。すなわち、タイミング攻撃においては、暗号処理を 行う際の処理時間という副情報を利用して、暗号鍵の解読を行っている(例えば、非 特許文献 1参照。)。  [0003] For example, in an analysis method called a timing attack, the time required for cryptographic processing by a cryptographic module varies slightly depending on the value of the cryptographic key used for cryptographic processing. Analyze. That is, in the timing attack, the encryption key is decrypted by using the sub-information called the processing time when performing the encryption process (for example, see Non-Patent Document 1).
[0004] さらに、このような解読法の中でも、 Simple Power Analysis (単純電力解析攻 撃)、 Differential Power Analysis (差分電力解析攻撃)などといった、暗号処理 を行う際の電力消費量を副情報として利用した解読法が考案されている (例えば、非 特許文献 2参照。)。  [0004] Furthermore, among these cryptanalysis methods, power consumption during cryptographic processing, such as Simple Power Analysis and Differential Power Analysis, is used as sub-information. Such cryptanalysis has been devised (see Non-Patent Document 2, for example).
[0005] そして、これらの解読法は、近年、高性能な計測機器が安価で手に入るようになつ た背景もあって、 ICカードのような暗号が実装された実際の製品に対しても解析が可 能であることが報告されている。以下の記述では、上記のような暗号処理時における 暗号モジュールの電力消費量の変化、すなわち、電力波形を手がかりにして、暗号 鍵を解析する解読方法を総称して、「電力解析攻撃」と呼ぶ。  [0005] These cryptanalysis methods have been used in recent years for high-performance measuring instruments at a low price, and even for actual products with encryption such as IC cards. It has been reported that analysis is possible. In the following description, the power consumption of the cryptographic module during the cryptographic processing as described above, that is, the decryption method for analyzing the cryptographic key using the power waveform as a clue is collectively referred to as the “power analysis attack”. .
[0006] ここでは、一例として、 RSA暗号への単純電力解析攻撃について説明する。 [0006] Here, as an example, a simple power analysis attack on an RSA cipher will be described.
[0007] RSA (Rivest— Shamir— Adelman)暗号の復号化処理において、素数 p, qの積 n、 n未満の正整数である暗号文 cと、正整数である秘密鍵 dに対し、 "cd mod n"の 計算を行う(例えば、非特許文献 3参照。 ) 0この計算方法として、例えば、バイナリ法 が知られている(例えば、非特許文献 4参照。 )0 [0007] In the decryption process of RSA (Rivest—Shamir—Adelman) cipher, the product of prime numbers p and q n, the ciphertext c is a positive integer less than n, to the secret key d is a positive integer, as the calculation of "c d mod n" (for example, see non-patent document 3.) 0 This calculation method, For example, a binary method is known (for example, non-Patent Document 4 reference.) 0
[0008] ノイナリ法では、下記の数式(1)で示される秘密鍵 dを利用して、下記のステップ(S[0008] In the noinari method, the following step (S) is performed using the secret key d expressed by the following mathematical formula (1).
1)〜(S7)の処理を行う。 Processes 1) to (S7) are performed.
[0009] [数 1] [0009] [Equation 1]
(1)
Figure imgf000004_0001
{ =0または l : i=0, l厂 -,len-l}(1)
Figure imgf000004_0001
{= 0 or l: i = 0, l 厂-, len-l}
Figure imgf000004_0002
Figure imgf000004_0002
[0010] ここで、 lenは dのビット数、 " X,,は整数の乗算、 "xy"は xの y乗を示して 、る。 Here, len indicates the number of bits of d, “X,” indicates multiplication of integers, and “x y ” indicates x to the power of y.
[0011] (SI) : "i len— 2, z^c"を行い、変数 iおよび変数 zを初期化する。 [0011] (SI): Execute “i len— 2, z ^ c” to initialize variable i and variable z.
[0012] (S2) : "z^z2 mod n"を行い、変数 zを更新する。 [0012] (S2): “z ^ z 2 mod n” is performed to update the variable z.
[0013] (S3): "d = 1"であるか否かを判定する。 (S3): It is determined whether or not “d = 1”.
[0014] (S4) :判定した結果、" d = l"である場合には、" z^z X c mod n"を行い、変数 z を更新する。  (S4): If the result of determination is “d = l”, “z ^ z X c mod n” is performed, and the variable z is updated.
[0015] (S5): "i^i- 1"を行い、変数 iを更新する。  [0015] (S5): Perform “i ^ i-1” to update variable i.
[0016] (S6): "i< 0"であるか否かを判定する。 (S6): It is determined whether or not “i <0”.
[0017] (S7) : "i< 0"である場合には、変数 zの値を出力する。それ以外は、ステップ (S2) に戻り、処理を繰り返す。  (S7): If “i <0”, the value of variable z is output. Otherwise, return to step (S2) and repeat the process.
[0018] 上記方法では、ステップ (S2)〜(S6)の処理をループとして繰り返し計算している。  [0018] In the above method, the processing of steps (S2) to (S6) is repeatedly calculated as a loop.
[0019] 図 1は、従来におけるバイナリ法による計算処理の概要を示す図である。図 1に示さ れるように、このループ内で、(1^= 1, 2, · ··, len— 1)に対して、 "d = l"である場合 には、 zの 2乗算と cによる乗算を行い、 "d =0"である場合には、 zの 2乗算のみを実 行する。 nは大きな数、例えば、 1024ビットの整数である。通常は、 2乗算は乗算より 、計算処理の効率ィ匕が図ることが可能なため、高速に処理可能になる。その場合、 2 乗算と乗算は処理が異なるため、電力波形が異なる。  FIG. 1 is a diagram showing an outline of calculation processing by a conventional binary method. As shown in Figure 1, within this loop, for (1 ^ = 1, 2, ..., len— 1), if "d = l" If "d = 0", perform only multiplication by z. n is a large number, for example, an integer of 1024 bits. Usually, the multiplication by 2 can be performed more quickly than the multiplication because the efficiency of the calculation process can be improved. In this case, the power waveform is different because 2 multiplication and multiplication are processed differently.
[0020] したがって、電力波形を計測することにより、 2乗算、乗算の演算の順序を解析する ことが可能になる。さらに、 dによりループ内の処理が異なることを利用して、その順 序から dの値が求められる。まとめると、下記のステップ(S11)〜(S13)の処理により 、単純電力解析攻撃が可能になる。 [0020] Therefore, by measuring the power waveform, it is possible to analyze the order of operations of multiplication and multiplication. Furthermore, using the fact that the processing in the loop differs depending on d, the order The value of d is obtained from the beginning. In summary, the simple power analysis attack can be performed by the following steps (S11) to (S13).
[0021] (S11):暗号文 cを復号化し、その処理における電力波形を計測する。 (S11): The ciphertext c is decrypted, and the power waveform in the processing is measured.
[0022] (S12):計測した電力波形より、 2乗算、乗算の演算の順序を特定する。 [0022] (S12): The order of the multiplication and multiplication operations is specified from the measured power waveform.
[0023] (S13):特定した順序より、ビット d (i= l, 2, · ··, len—l)を求める。 [0023] (S13): Bits d (i = l, 2,..., Len-l) are obtained from the specified order.
[0024] 上記の単純電力解析攻撃では、 2乗算と乗算との計算処理が異なることを利用して いる。そこで、 2乗算を同じ値の乗算で処理すれば、 2乗算と乗算を区別できず、演 算順序がわ力もないため、上記の単純電力解析攻撃はできなくなる。すなわち、 Xを 入力とし、" X2 mod n"を出力とする 2乗算の演算関数を Sqr (x)、x, yを入力とし、 x Xy mod nを出力とする演算関数を Mul(x, y)とするとき、 Sqr (x)を Mul (x, x) として計算すればよい。 [0024] The simple power analysis attack described above utilizes the fact that the calculation processing is different between double multiplication and multiplication. Therefore, if the two multiplications are processed with the same value multiplication, the two multiplications cannot be distinguished from the multiplications, and the calculation order is insignificant, so the above simple power analysis attack cannot be performed. That is, the operation function of double multiplication with X as input and "X 2 mod n" as output is Sqr (x), x and y as input, and x Xy mod n as output is Mul (x, When y), Sqr (x) should be calculated as Mul (x, x).
非特干文献 1: Paul Kocher. Timing attacks on implementations of Di ffie— Hellman, RSA, DSS, and other systems. In Neal Koblitz, editor, CRYPTO' 96, LNCS 1109, Springer -Verlag, 1996, pp . 104- 113.  Non-Patent Literature 1: Paul Kocher. Timing attacks on implementations of Di ffie— Hellman, RSA, DSS, and other systems. In Neal Koblitz, editor, CRYPTO '96, LNCS 1109, Springer-Verlag, 1996, pp. 104- 113 .
非特許文献 2 : P. Kocher, J. Ja_e, and B. Jun, "Di— erential Pow er Analysis, " Advances in Cryptology -CRYPTO ' 99, LNCS, 1 Non-Patent Document 2: P. Kocher, J. Ja_e, and B. Jun, "Di- erential Pow er Analysis," Advances in Cryptology -CRYPTO '99, LNCS, 1
666 , Springer— Verlag, 1999, pp. 388— 397. 666, Springer— Verlag, 1999, pp. 388— 397.
非特許文献 3 :岡本龍明、山本博資、「現代暗号」、産業図書 (1997年)  Non-patent literature 3: Tatsuaki Okamoto, Hiroshi Yamamoto, “Modern cryptography”, industrial books (1997)
非特許文献 4: H. Cohen, "A Course in Computational Algebraic Numb er Theory", GTM 138, Springer -Verlag, 1996, p9  Non-Patent Document 4: H. Cohen, "A Course in Computational Algebraic Number Theory", GTM 138, Springer -Verlag, 1996, p9
発明の開示  Disclosure of the invention
発明が解決しょうとする課題  Problems to be solved by the invention
[0025] 上述した RSA暗号の単純電力解析攻撃対策では、 2乗算と乗算は区別できないが 、 2乗算と乗算の合計の演算回数は解析できる。上記のバイナリ法では、必ず 2乗算 は len—l回実行する力 乗算は dのハミング重みである w(d)に対し、 w(d)回実行 する。したがって、演算回数は "len— l +w(d) "回となり、演算回数が解析できれば 、 dのハミング重みが求められる。 dの値によって、このハミング重みを利用して攻撃者 による dの探索が容易になる場合がある。 [0025] With the above-mentioned RSA encryption simple power analysis attack countermeasures, two multiplications and multiplications cannot be distinguished, but the total number of operations of two multiplications and multiplications can be analyzed. In the above binary method, the power of 2 multiplication is always executed len-l times. The multiplication is executed w (d) times for w (d) which is the Hamming weight of d. Therefore, the number of operations is “len−l + w (d)”, and if the number of operations can be analyzed, the Hamming weight of d is obtained. Depending on the value of d, the attacker uses this hamming weight. The search for d may be easier.
[0026] ノ、ミング重みにより、 dの探索空間は" C (len, w(d) ) =len! / ( (len-w(d) ) !  [0026] Due to the ming weight, the search space for d is "C (len, w (d)) = len! / ((Len-w (d))!
X w (d) ! ) "となる。ここで、 C (x, y)は X個の中力も y個を選ぶ組合せの数である。 R SA暗号の安全性は一般に nの素因数分解の計算時間に依存する力 n及び dが 10 24ビットの場合、この計算時間は 28°の大きさの探索空間から値を探索する計算時間 と同程度になる。ここで、もし、 C (len, w(d) )が 28°を下回れば、 nの素因数分解の計 算時間より、 dの探索時間が小さくなり、単純電力解析攻撃により RSA暗号の安全性 が低下することになる。 X w (d)! ) ", Where C (x, y) is the number of combinations of X and y to choose y. R SA cipher security is generally a force that depends on the computation time of the factoring of n n and if d is 10 24-bit, the calculation time is about the same as the computation time for searching a value from the search space size of 2 8 °. here, if, C (len, w (d )) is if falls below the 2 8 °, than the computation time of the prime factorization of n, the search time of the d is reduced, the safety of the RSA encryption is lowered by simple power analysis attack.
[0027] したがって、 dをランダムに選んでしまうと、 C (len, w(d) )が 28Qを下回る可能性があ り、その場合に安全性が低下してしまうと 、う問題がある。 [0027] Therefore, if d is selected at random, C (len, w (d)) may be less than 28Q . In this case, if safety is lowered, there is a problem. .
[0028] そこで、本発明は、前記問題に鑑みてなされたものであり、単純電力解析攻撃によ り安全性を低下しないよう冪乗剰余演算処理を実行する冪値生成装置を提供するこ とを目的とする。 Therefore, the present invention has been made in view of the above problems, and provides a threshold value generating apparatus that executes a power residue calculation process so that safety is not reduced by a simple power analysis attack. With the goal.
課題を解決するための手段  Means for solving the problem
[0029] 上記目的を達成するために、本発明に係わる冪値生成装置は、 (a)正整数 cと法 n とに対する冪乗剰余演算に使用される冪値を生成する冪値生成装置であって、 (al )前記冪値の候補となる候補値を生成する生成手段と、 (a2)前記候補値のハミング 重みが所定の範囲内に属するか否かを判定する判定手段と、(a3)前記判定手段で 所定の範囲内に属すると判定された場合は、前記候補値を前記冪値として設定する 設定手段とを備えることを特徴とする。  [0029] In order to achieve the above object, a threshold value generating apparatus according to the present invention is (a) a threshold value generating apparatus that generates a threshold value used for a power-residue calculation for positive integer c and modulus n. (Al) generating means for generating candidate values that are candidates for the threshold value; (a2) determining means for determining whether or not the hamming weight of the candidate value falls within a predetermined range; and (a3 And a setting unit configured to set the candidate value as the saddle value when it is determined by the determination unit to be within a predetermined range.
[0030] 例えば、単純電力解析攻撃に対して、ハミング重みが小さいと、探索時間が小さく なり、安全性が低下する。しかし、冪値のノ、ミング重みを所定の範囲に限定すること によって、ノ、ミング重みが所定の範囲よりも小さい冪値が生成されなくなるため、安全 性が低下することを防ぐことができる。さらに、冪値のハミング重みが漏洩していても、 安全性が低下することを防ぐことができる。  [0030] For example, for a simple power analysis attack, if the hamming weight is small, the search time is shortened and the safety is lowered. However, by limiting the threshold value and the ming weight to a predetermined range, a threshold value having a threshold value that is smaller than the predetermined range is not generated, so that it is possible to prevent the safety from being lowered. Furthermore, even if the Hamming weight of the threshold value is leaked, it is possible to prevent the safety from being lowered.
[0031] さらに、(b)前記生成手段は、予め与えられる冪値 d、前記冪乗剰余演算の法 n、乱 数!:、およびカーマイケル関数え(n)またはオイラー関数 φ (n)を用いて、 d+r X λ ( η)または d+r X φ (η)を前記候補値として生成するとしてもよい。 [0032] または、(c)前記判定手段は、前記法 nのビット数と所定の正整数との組合せを第 1 の値とし、前記冪値の総当り攻撃に対する安全性に基づいて決定された値を第 2の 値とした場合において、前記第 1の値が前記第 2の値を上回る条件で決定された前 記所定の正整数を前記所定の範囲における下限として判定するとしてもよい。 [0031] Further, (b) the generating means calculates the power value d given in advance, the modulus n of the power-residue operation, the random number!:, And the Carmichael function (n) or the Euler function φ (n). By using this, d + r X λ (η) or d + r X φ (η) may be generated as the candidate value. [0032] Alternatively, (c) the determination means is determined on the basis of the safety against the brute force brute force attack with a combination of the number of bits of the modulus n and a predetermined positive integer as a first value When the value is the second value, the predetermined positive integer determined under the condition that the first value exceeds the second value may be determined as the lower limit in the predetermined range.
[0033] または、(d)前記判定手段は、前記冪乗剰余演算の処理時間が所定の時間より小 さくなる条件で決定された正整数を前記所定の範囲における上限として判定するとし てもよい。  Alternatively, (d) the determination unit may determine a positive integer determined under a condition that the processing time of the power-residue calculation is shorter than a predetermined time as an upper limit in the predetermined range. .
[0034] または、(e)前記冪値生成装置は、前記冪値を使用して前記冪乗剰余演算を行う 冪乗剰余演算手段を備えるとしてもよい。  Alternatively, (e) the power generation unit may include power residue calculation means for performing the power residue calculation using the power value.
[0035] さらに、 (f)前記冪値生成装置は、前記冪値を格納する冪値格納手段を備え、前記 冪乗剰余演算手段は、前記冪乗剰余演算を実行するたびに、前記冪値格納手段に 格納されて ヽる前記冪値を使用するとしてもよ ヽ。  [0035] Further, (f) the threshold value generating apparatus includes threshold value storing means for storing the threshold value, and the power residue calculating means performs the power value every time the power residue calculation is executed. You may use the value stored in the storage means.
[0036] または、(g)前記設定手段は、前記冪乗剰余演算手段で前記冪乗剰余演算が実 行されるたびに、前記冪値を更新するとしてもよ 、。  Alternatively, (g) the setting means may update the power value every time the power-residue calculating means executes the power-residue calculating.
[0037] なお、本発明は、冪値生成装置として実現されるだけではなぐ下記(1)〜(5)のよ うに実現されるとしてもよい。  [0037] It should be noted that the present invention may be realized as the following (1) to (5) as well as being realized as a threshold value generating apparatus.
[0038] (1)冪値生成装置を制御する方法 (以下、冪値生成方法と呼称する。 )、冪値生成 方法をコンピュータシステムなどに実行させるプログラム(以下、冪値生成プログラム と呼称する。)、冪値生成プログラムを記録した記録媒体、冪値生成装置の機能を備 える集積回路などとして実現されるとしてもよい。  [0038] (1) A method for controlling the threshold value generating apparatus (hereinafter referred to as a threshold value generating method), and a program for causing a computer system or the like to execute the threshold value generating method (hereinafter referred to as a threshold value generating program). ), A recording medium on which a threshold value generation program is recorded, an integrated circuit having the function of the threshold value generation device, or the like.
[0039] (2)冪値生成装置と同一の機能を備え、冪値を秘密鍵として用い、秘密鍵と対をな す公開鍵を生成する鍵発行装置、鍵発行装置を制御する方法 (以下、鍵発行方法と 呼称する。)、鍵発行方法をコンピュータシステムなどに実行させるプログラム(以下、 鍵発行プログラムと呼称する。)、鍵発行プログラムを記録した記録媒体、鍵発行装 置の機能を備える集積回路などとして実現されるとしてもよい。  [0039] (2) A key issuing device that has the same function as the threshold value generating device, uses the threshold value as a secret key, and generates a public key that is paired with the secret key, and a method for controlling the key issuing device (hereinafter referred to as ), A program for causing a computer system or the like to execute the key issuing method (hereinafter referred to as a key issuing program), a recording medium storing the key issuing program, and a function of the key issuing device. It may be realized as an integrated circuit or the like.
[0040] (3)冪値生成装置と同一の機能を備え、冪値を秘密鍵として用い、冪乗剰余演算 を行って暗号文を復号化する復号装置、復号装置を制御する方法 (以下、復号方法 と呼称する。)、復号方法をコンピュータシステムなどに実行させるプログラム(以下、 復号プログラムと呼称する。)、復号プログラムを記録した記録媒体、復号装置の機能 を備える集積回路などとして実現されるとしてもよい。 [0040] (3) A decryption device that has the same function as the saddle value generation device, uses the saddle value as a secret key, performs a power-residue operation, and decrypts the ciphertext, and a method for controlling the decryption device (hereinafter, Called a decryption method), and a program for causing a computer system or the like to execute the decryption method (hereinafter referred to as a decryption method) This is called a decryption program. ), A recording medium in which a decoding program is recorded, an integrated circuit having a function of a decoding device, or the like.
[0041] (4)冪値生成装置と同一の機能を備え、冪値を秘密鍵として用い、冪乗剰余演算 を行って署名データを生成する署名生成装置、署名生成装置を制御する方法 (以下 、署名生成方法と呼称する。)、署名生成方法をコンピュータシステムなどに実行させ るプログラム(以下、署名生成プログラムと呼称する。)、署名生成プログラムを記録し た記録媒体、署名生成装置の機能を備える集積回路などとして実現されるとしてもよ い。  [0041] (4) A signature generation device that has the same function as the threshold value generation device, uses the threshold value as a secret key, performs a power-residue operation, and generates signature data, and a method for controlling the signature generation device (hereinafter referred to as ), A program for causing a computer system or the like to execute the signature generation method (hereinafter referred to as a signature generation program), a recording medium on which the signature generation program is recorded, and a function of the signature generation apparatus. It may be realized as an integrated circuit provided.
[0042] (5)複数の装置を備え、その複数の装置のうち少なくとも復号装置、鍵発行装置、 署名生成装置の 、ずれか一つを備える暗号システム、暗号システムを制御する方法 (以下、暗号システム制御方法と呼称する。)、暗号システム制御方法を複数のコンビ ユータシステムなどに実行させるプログラム(以下、暗号システム制御プログラムと呼 称する。)、暗号システム制御プログラムを記録した記録媒体などとして実現されると してちよい。  [0042] (5) An encryption system comprising a plurality of devices, at least one of the plurality of devices being a decryption device, a key issuing device, and a signature generation device, and a method for controlling the encryption system (hereinafter referred to as encryption) Called a system control method), a program for causing a plurality of computer systems to execute the cryptographic system control method (hereinafter referred to as a cryptographic system control program), a recording medium on which the cryptographic system control program is recorded, and the like. This is fine.
発明の効果  The invention's effect
[0043] 本発明によれば、冪値のハミング重みを所定の範囲に限定することによって、ノ、ミン グ重みが所定の範囲よりも小さい冪値が生成されなくなるため、安全性が低下するこ とを防ぐことができる。さらに、冪値のノ、ミング重みが漏洩していても、安全性が低下 することを防ぐことができる。その価値は大きい。  [0043] According to the present invention, by limiting the Hamming weight of the saddle value to a predetermined range, a saddle value having a no-mining weight smaller than the predetermined range is not generated, so that safety is reduced. And can prevent. Furthermore, even if the threshold value or the ming weight is leaked, it is possible to prevent the safety from deteriorating. Its value is great.
図面の簡単な説明  Brief Description of Drawings
[0044] [図 1]図 1は、従来のバイナリ法による計算処理の概要を示す図である。 [0044] FIG. 1 is a diagram showing an outline of calculation processing by a conventional binary method.
[図 2]図 2は、本発明に係わる実施の形態 1における暗号システムの構成を示す図で ある。  [FIG. 2] FIG. 2 is a diagram showing a configuration of a cryptographic system according to the first embodiment of the present invention.
[図 3]図 3は、本発明に係わる実施の形態 1における鍵発行サーバの構成を示す図 である。  FIG. 3 is a diagram showing a configuration of a key issuing server according to the first embodiment of the present invention.
[図 4]図 4は、本発明に係わる実施の形態 1における端末装置 Aの構成を示す図であ る。  FIG. 4 is a diagram showing a configuration of terminal apparatus A according to Embodiment 1 of the present invention.
[図 5]図 5は、本発明に係わる実施の形態 1における第 1のべき乗剰余演算部の計算 方法のフローチャートを示す図である。 [FIG. 5] FIG. 5 shows the calculation of the first power-residue calculating unit in Embodiment 1 according to the present invention. FIG. 3 shows a flowchart of the method.
[図 6]図 6は、本発明に係わる実施の形態 1における第 2のべき乗剰余演算部の計算 方法のフローチャートを示す図である。  [Fig. 6] Fig. 6 is a diagram showing a flowchart of a calculation method of the second power-residue calculating unit in the first embodiment according to the present invention.
[図 7]図 7は、本発明に係わる実施の形態 1における端末装置 Bの構成を示す図であ る。  FIG. 7 is a diagram showing a configuration of terminal apparatus B in the first embodiment according to the present invention.
[図 8]図 8は、本発明に係わる実施の形態 1における暗号システムの鍵発行時の動作 を示す図である。  [FIG. 8] FIG. 8 is a diagram showing an operation at the time of key issuance of the cryptographic system according to the first embodiment of the present invention.
[図 9]図 9は、本発明に係わる実施の形態 1における暗号システムの暗号通信時の動 作を示す図である。  [FIG. 9] FIG. 9 is a diagram showing operations during cryptographic communication of the cryptographic system according to the first embodiment of the present invention.
[図 10]図 10は、本発明に係わる実施の形態 2における暗号システムの構成を示す図 である。  FIG. 10 is a diagram showing a configuration of a cryptographic system according to the second embodiment of the present invention.
圆 11]図 11は、本発明に係わる実施の形態 2における鍵発行サーバの構成を示す 図である。 [11] FIG. 11 is a diagram showing the configuration of the key issuing server in the second embodiment according to the present invention.
[図 12]図 12は、本発明に係わる実施の形態 2における端末装置 Aの構成を示す図 である。  FIG. 12 is a diagram showing a configuration of terminal apparatus A in the second embodiment according to the present invention.
[図 13]図 13は、本発明に係わる実施の形態 2における端末装置 Bの構成を示す図で ある。  FIG. 13 is a diagram showing a configuration of terminal apparatus B in the second embodiment according to the present invention.
[図 14]図 14は、本発明に係わる実施の形態 2における暗号システムの鍵発行時の動 作を示すフローチャートを示す図である。  FIG. 14 is a flowchart showing an operation at the time of key issuance in the cryptographic system according to the second embodiment of the present invention.
[図 15]図 15は、本発明に係わる実施の形態 2における端末装置 Aの第 1の使用秘密 鍵生成時の動作を示す図である。  FIG. 15 is a diagram showing an operation at the time of generating a first used secret key of the terminal device A in Embodiment 2 according to the present invention.
[図 16]図 16は、本発明に係わる実施の形態 2における端末装置 Bの第 2の使用秘密 鍵生成時の動作を示す図である  FIG. 16 is a diagram showing an operation at the time of generating a second used secret key of the terminal device B in the second embodiment according to the present invention.
[図 17]図 17は、本発明に係わる実施の形態 2における暗号システムの暗号通信時の 動作を示す図である。  FIG. 17 is a diagram showing an operation at the time of cryptographic communication of the cryptographic system according to the second embodiment of the present invention.
[図 18]図 18は、従来における乗算回数の分布を示す図である。  FIG. 18 is a diagram showing a conventional distribution of the number of multiplications.
[図 19]図 19は、本発明における乗算回数の分布を示す図である。  FIG. 19 is a diagram showing a distribution of the number of multiplications in the present invention.
[図 20]図 20は、本発明における乗算回数の最小値の出現頻度の分布を示す図であ る。 FIG. 20 is a diagram showing a distribution of appearance frequencies of the minimum number of multiplications in the present invention. The
[図 21]図 21は、本発明に係わる変形例における端末装置 Aの構成を示す図である。  FIG. 21 is a diagram showing a configuration of a terminal device A in a modified example according to the present invention.
[図 22]図 22は、本発明に係わる変形例における端末装置 Bの構成を示す図である。 符号の説明 FIG. 22 is a diagram showing a configuration of a terminal device B in a modified example according to the present invention. Explanation of symbols
1000, 2000 暗号システム  1000, 2000 cryptosystem
1100, 2100 鍵発行サーノ  1100, 2100 Key issuing sano
1101 素数生成部  1101 Prime number generator
1102, 2102 秘密鍵生成部  1102, 2102 Secret key generator
11021 乱数生成部  11021 random number generator
11022 ハミング重み判定部  11022 Hamming weight judgment unit
1103, 2103 公開鍵生成部  1103, 2103 public key generator
1104, 2104 鍵設定部  1104, 2104 Key setting part
1200, 2200 端末装置 A  1200, 2200 terminal device A
1201 送信部  1201 Transmitter
1202 暗号化部  1202 Encryption section
12021 第 1のべき乗剰余演算部  12021 First power residue calculation unit
1203, 2203 署名生成部  1203, 2203 Signature generator
12031, 22031 ノ、ッシュ計算部  12031, 22031
12032, 22032 第 2のべき乗剰余演算部  12032, 22032 Second power residue calculation unit
1204, 2204 第 1の秘密鍵格納部  1204, 2204 First private key storage
1205 第 1の公開鍵格納部  1205 First public key storage
1206 第 2の公開鍵格納部  1206 Second public key storage
1300, 2300 端末装置 B  1300, 2300 Terminal device B
1301 受信部  1301 Receiver
1302, 2302 復号ィ匕部  1302, 2302 Decryption section
13021 第 2のべき乗剰余演算部  13021 Second power residue calculation unit
1303 署名検証部  1303 Signature Verification Department
13031 ハッシュ計算部 13032 第 1のべき乗剰余演算部 13031 Hash calculator 13032 First power residue calculation unit
13033 署名判定部  13033 Signature judgment part
1304, 2304 第 2の秘密鍵格納  1304, 2304 Second private key storage
1305 第 2の公開鍵格納部  1305 Second public key storage
1306 第 1の公開鍵格納部  1306 First public key storage
1400 通信路  1400 communication channel
2207 第 1の使用秘密鍵生成部  2207 First used secret key generator
22071 乱数生成部  22071 random number generator
22072 使用秘密鍵候補生成部  22072 Used secret key candidate generator
22073 ハミング重み判定部  22073 Hamming weight judgment part
2208 第 1の使用秘密鍵格納部  2208 First private key storage
2307 第 2の使用秘密鍵生成部  2307 Second used secret key generator
23071 乱数生成部  23071 Random number generator
23072 使用秘密鍵候補生成部  23072 Used secret key candidate generator
23073 ハミング重み判定部  23073 Hamming weight judgment part
2308 第 2の使用秘密鍵格納部  2308 Second private key storage
発明を実施するための最良の形態  BEST MODE FOR CARRYING OUT THE INVENTION
[0046] (実施の形態 1)  [Embodiment 1]
以下、本発明に係わる実施の形態 1について、図面を参照しながら説明する。  Embodiment 1 of the present invention will be described below with reference to the drawings.
[0047] 本実施の形態における冪値生成装置は、下記 (a)〜(c)に示される特徴を備える。  [0047] The threshold value generating apparatus according to the present embodiment includes the following features (a) to (c).
[0048] (a)正整数 cと法 nとに対する冪乗剰余演算に使用される冪値を生成する冪値生成 装置であって、(al)冪値の候補となる候補値を生成する生成機能と、(a2)候補値の ハミング重みが所定の範囲内に属する力否かを判定する判定機能と、(a3)判定機 能で所定の範囲内に属すると判定された場合は、候補値を冪値として設定する設定 機能とを備えることを特徴とする。  [0048] (a) A power generation device that generates power used for power-residue calculation for positive integer c and modulus n, and (al) generation that generates candidate values that are candidates for power A function, (a2) a judgment function that determines whether the hamming weight of the candidate value falls within a predetermined range, and (a3) a candidate value if the judgment function determines that it belongs to the predetermined range. And a setting function for setting as a threshold value.
[0049] (b)判定機能は、法 nのビット数と所定の正整数との組合せを第 1の値とし、冪値の 総当り攻撃に対する安全性に基づいて決定された値を第 2の値とした場合において 、第 1の値が第 2の値を上回る条件で決定された所定の正整数を所定の範囲におけ る下限として判定する。 [0049] (b) The determination function uses a combination of the number of bits of modulus n and a predetermined positive integer as a first value, and determines a value determined based on the safety against brute force brute force attacks as a second value. In the case of a value, a predetermined positive integer determined under the condition that the first value exceeds the second value is within a predetermined range. The lower limit is determined.
[0050] (c)判定機能は、冪乗剰余演算の処理時間が所定の時間より小さくなる条件で決 定された正整数を所定の範囲における上限として判定する。  [0050] (c) The determination function determines a positive integer determined under the condition that the processing time of the power-residue calculation is smaller than the predetermined time as the upper limit in the predetermined range.
[0051] 以上の点を踏まえて本実施の形態における冪値生成装置について説明する。なお 、ここでは、冪値生成装置は、冪値を秘密鍵として用い、秘密鍵と対をなす公開鍵を 生成する鍵発行装置とする。  Based on the above points, the threshold value generating apparatus in the present embodiment will be described. Here, the threshold value generating device is a key issuing device that uses the threshold value as a secret key and generates a public key that is paired with the secret key.
[0052] 図 2は、本実施の形態における暗号システムの構成を示す図である。図 2に示され るように、暗号システム 1000は、鍵発行サーバ 1100と、端末装置 A1200と、端末装 置 B1300と、通信路 1400とカゝら構成される。ここで、鍵発行サーバ 1100は、冪値を 秘密鍵として用い、秘密鍵と対をなす公開鍵を生成する公開鍵生成機能を備える冪 値生成装置、すなわち、鍵発行装置である。  FIG. 2 is a diagram showing a configuration of the cryptographic system in the present embodiment. As shown in FIG. 2, the cryptographic system 1000 includes a key issuing server 1100, a terminal device A1200, a terminal device B1300, and a communication path 1400. Here, the key issuing server 1100 is a value generating device, that is, a key issuing device having a public key generating function for generating a public key that is paired with a secret key by using the value as a secret key.
[0053] 暗号システム 1000は、端末装置 A1200と端末装置 B1300用の秘密鍵及び公開 鍵からなる鍵対を鍵発行サーバ 1100で生成し、端末装置 A1200、端末装置 B130 0のそれぞれへ生成した鍵対を発行する。さら〖こ、端末装置 A1200では、第 1のメッ セージを暗号ィ匕し、また、第 2のメッセージの署名を生成し、端末装置 B1300へ通信 路 1400を介して送信する。端末装置 B1300では、通信路 1400を介して、第 1のメッ セージの暗号文、第 2のメッセージ及びその署名データを受信して、上記暗号文を 復号化し、第 1のメッセージの復号文を得て、第 2のメッセージの署名データを検証 する。  The cryptographic system 1000 generates a key pair including a secret key and a public key for the terminal device A1200 and the terminal device B1300 at the key issuing server 1100, and generates the key pair generated for each of the terminal device A1200 and the terminal device B1300. Is issued. Further, the terminal device A1200 encrypts the first message, generates a signature of the second message, and transmits it to the terminal device B1300 via the communication path 1400. The terminal device B1300 receives the ciphertext of the first message, the second message, and its signature data via the communication path 1400, decrypts the ciphertext, and obtains the decrypted text of the first message. To verify the signature data of the second message.
[0054] ここで、暗号システム 1000で使用される RSA (Rivest—Shamir—Adelman)喑 号方式および RSA署名方式について説明する。  Here, the RSA (Rivest-Shamir-Adelman) code system and RSA signature system used in the cryptographic system 1000 will be described.
[0055] なお、 RSA暗号については、下記の参考文献 1の 110〜113ページに説明されて いる。また、 RSA署名については、同文献の 175〜176ページに説明されている。こ こでは、概略について説明する。 [0055] RSA encryption is described on pages 110 to 113 of Reference Document 1 below. The RSA signature is described on pages 175 to 176 of this document. Here, the outline is explained.
[0056] [参考文献 1] [0056] [Reference 1]
岡本龍明、山本博資、「現代暗号」、産業図書 (1997年)  Tatsuaki Okamoto, Hiroshi Yamamoto, "Contemporary Cryptography", Industrial Books (1997)
まず、 RSA暗号方式では、下記(1)〜(3)を行う。  First, in the RSA encryption method, the following (1) to (3) are performed.
[0057] (1)鍵を生成する。 [0058] 下記 (a)〜(d)に示されるように、公開鍵および秘密鍵を計算する。 [0057] (1) Generate a key. [0058] As shown in the following (a) to (d), the public key and the secret key are calculated.
[0059] (a)ランダムに大きい素数 p, qを選択し、その積 "n = p X q"を計算する。 (A) Randomly large prime numbers p and q are selected, and the product “n = p X q” is calculated.
[0060] (b) "p— 1"及び" q— 1"の最小公倍数" L = LCM (p— 1, q— 1) "を計算する。 [0060] (b) The least common multiple of “p—1” and “q—1” “L = LCM (p—1, q—1)” is calculated.
[0061] (c) "l≤e≤L—l,,および" GCD (e, L) = 1"に示されるように、 Lと互いに素で L り小さい自然数 eをランダムに選ぶ。ここで、 GCD (e, L)は、 eと Lの最大公約数を示 している。 [0061] (c) As shown in "l≤e≤L—l," and "GCD (e, L) = 1," a natural number e that is relatively prime to L and smaller than L is chosen at random. GCD (e, L) indicates the greatest common divisor of e and L.
[0062] (d) "e X d= 1 mod L"を満たす dを計算する。なお、 "GCD (e, L) = 1"より、この ような dは必ず存在する。このようにして、得られた整数 e及び整数 nが、公開鍵である 。また、整数 dが、秘密鍵である。ここで、 "X mod y"は、 Xを yで割った余りを示す。  (D) Calculate d that satisfies “e X d = 1 mod L”. From "GCD (e, L) = 1", such d always exists. Thus, the obtained integer e and integer n are public keys. The integer d is a secret key. Here, “X mod y” indicates the remainder when X is divided by y.
[0063] (2)暗号文を生成する。  (2) Generate ciphertext.
[0064] 下記の数式(1 1)に示されるように、公開鍵である整数 eおよび整数 nを用いて、 平文 mに暗号演算を施して暗号文 cを計算する。  [0064] As shown in Equation (11) below, ciphertext c is calculated by performing cryptographic operations on plaintext m using integer e and integer n, which are public keys.
[0065] [数 2] [0065] [Equation 2]
(1-1) c=me mod n (1-1) c = m e mod n
[0066] (3)復号文を生成する。 (3) Generate a decrypted text.
[0067] 下記の数式(1 2)に示されるように、秘密鍵である整数 dを用いて、暗号文 cに復 号演算を施して復号文 m'を計算する。なお、復号文 m'は、平文 mと一致する。  [0067] As shown in the following formula (12), decryption text m 'is calculated by performing decryption operation on ciphertext c using integer d that is a secret key. The decrypted text m ′ matches the plain text m.
[0068] [数 3] [0068] [Equation 3]
(1-2) m'=cd mod n (1-2) m '= c d mod n
=(me)d mod n = (m e ) d mod n
= (me x d mod L) mod n = ( m exd mod L) mod n
=m1 mod n = m 1 mod n
=m mod n  = m mod n
[0069] RSA署名方式では、下記(1)〜(3)を行う。 [0069] In the RSA signature method, the following (1) to (3) are performed.
[0070] (1)鍵を生成する。 [0070] (1) Generate a key.
[0071] 鍵の生成方法については、 RSA暗号方式の(1)で示した内容と同様である。  The key generation method is the same as that shown in (1) of the RSA encryption method.
[0072] (2)署名を生成する。  (2) Generate a signature.
[0073] メッセージデータ Dに対して、下記 (a) , (b)に示されるように、署名データ Sを計算 する。 [0073] For message data D, calculate signature data S as shown in (a) and (b) below. To do.
[0074] (a)まず、ハッシュ関数 Hashを用いて、メッセージデータ Dのハッシュ値" h = Hash  [0074] (a) First, using the hash function Hash, the hash value of the message data D "h = Hash
(D) "を計算する。  (D) Calculate “.
[0075] (b)下記の数式(1 3)で示されるように、秘密鍵である整数 dを用いて、ノ、ッシュ値 hを d乗して、署名データ Sを計算する。  [0075] (b) As shown in the following formula (13), the signature data S is calculated by using the integer d, which is a secret key, to multiply the dash value h by the d power.
[0076] 画 [0076] painting
(1-3) S=hd mod n (1-3) S = h d mod n
[0077] (3)署名を検証する。 [0077] (3) The signature is verified.
[0078] 署名データ Sがメッセージデータ Dの正し 、署名であるかを、下記(a) , (b)に示さ れるように検証する。  [0078] Whether the signature data S is correct and the signature of the message data D is verified as shown in (a) and (b) below.
[0079] (a) Hash (D)と "Se mod n"が等しいか否かを確認する。 [0079] (a) Check whether Hash (D) and "S e mod n" are equal.
[0080] (b)等しい場合は、署名データ Sが正しい署名であるとして、受理する。等しくない 場合は、署名データ Sが正しくない署名であるとして、拒否する。 (B) If they are equal, the signature data S is accepted as a correct signature. If they are not equal, the signature data S is rejected as an incorrect signature.
[0081] 続いて、本実施の形態における鍵発行サーバ 1100の構成について説明する。 [0081] Next, the configuration of the key issuing server 1100 in the present embodiment will be described.
[0082] 図 3は、本実施の形態における鍵発行サーバ 1100の構成を示す図である。図 3に 示されるように、鍵発行サーバ 1100は、素数生成部 1101と、秘密鍵生成部 1102とFIG. 3 is a diagram showing a configuration of the key issuing server 1100 in the present embodiment. As shown in FIG. 3, the key issuing server 1100 includes a prime number generation unit 1101, a secret key generation unit 1102,
、公開鍵生成部 1103と、鍵設定部 1104と、を備える。 A public key generation unit 1103 and a key setting unit 1104.
[0083] 素数生成部 1101は、 RSA暗号の秘密情報である素数 p, qを生成する。なお、素 数生成については、下記の参考文献 2に説明されている。ここでは、説明を省略する The prime number generation unit 1101 generates prime numbers p and q, which are secret information of RSA encryption. Note that prime generation is explained in Reference 2 below. Here, the explanation is omitted.
[0084] [参考文献 2] [0084] [Reference 2]
特開 2003— 5644号公報  JP 2003-5644
秘密鍵生成部 1102は、 RSA暗号方式における秘密鍵 dを生成する。  The secret key generation unit 1102 generates a secret key d in the RSA encryption method.
[0085] 公開鍵生成部 1103は、素数 p, qの積 nを計算し、さらに、" e = d— 1 mod L"を計 算する。ここで、" L=LCM (p— 1, q— 1),,であり、" d— 1 mod L"は dの mod での 逆元である。 Public key generation section 1103 calculates product n of prime numbers p and q, and further calculates “e = d− 1 mod L”. Here, “L = LCM (p—1, q—1),” and “d— 1 mod L” is an inverse element of d in mod.
[0086] なお、逆元の計算方法については、下記の参考文献 3の 16〜19ページに説明さ れているため、ここでは、説明を省略する。 [0086] The calculation method of the inverse element is described on pages 16 to 19 in Reference 3 below. Therefore, the description is omitted here.
[0087] [参考文献 3]  [0087] [Reference 3]
H. Cohen, A Course in し omputational Algebraic Number Theory , GTM 138, Springer— Verlag, 1996, p9  H. Cohen, A Course in omputational Algebraic Number Theory, GTM 138, Springer— Verlag, 1996, p9
鍵設定部 1104は、秘密鍵生成部 1102で生成した秘密鍵 dを端末装置 Al 200も しくは端末装置 B 1300の秘密鍵格納部に格納する。さらに、公開鍵生成部 1103で 生成した nと eを公開鍵として、端末装置 A1200もしくは端末装置 B1300の公開鍵 格納部に格納する。  The key setting unit 1104 stores the secret key d generated by the secret key generation unit 1102 in the secret key storage unit of the terminal device Al 200 or the terminal device B 1300. Further, n and e generated by the public key generation unit 1103 are stored as public keys in the public key storage unit of the terminal device A1200 or the terminal device B1300.
[0088] 続いて、本実施の形態における秘密鍵生成部 1102の詳細構成について説明する  [0088] Next, a detailed configuration of secret key generation section 1102 in the present embodiment will be described.
[0089] 図 3に示されるように、秘密鍵生成部 1102は、正整数 cと法 nとに対する冪乗剰余 演算に使用される冪値を生成し、生成した冪値を秘密鍵として使用する。このとき、 冪値の候補となる候補値を生成し、候補値のハミング重みが所定の範囲内に属する か否かを判定し、所定の範囲内に属する場合は、候補値を冪値として設定する。ここ では、一例として、乱数生成部 11021と、ノ、ミング重み判定部 11022とを備える。 [0089] As shown in FIG. 3, secret key generation section 1102 generates a threshold value used in the power-residue calculation for positive integer c and modulus n, and uses the generated threshold value as a secret key. . At this time, a candidate value that is a candidate for the saddle value is generated, and it is determined whether or not the hamming weight of the candidate value is within a predetermined range. To do. Here, as an example, a random number generation unit 11021 and a no-ming weight determination unit 11022 are provided.
[0090] 乱数生成部 11021は、乱数 kを生成する。  The random number generation unit 11021 generates a random number k.
[0091] ノ、ミング重み判定部 11022は、乱数 kのハミング重みを求め、そのハミング重みが 予め与えられた所定値 tl以上、 th未満であるか否かを判定する。ノ、ミング重みは、乱 数 kをビット列にしたときの、ビットの値が 1であるビットの個数である。例えば、 5のハミ ング重みは 5のビット列が" 101"であることから 2である。  [0091] The mingming weight determination unit 11022 calculates the hamming weight of the random number k, and determines whether the hamming weight is equal to or greater than a predetermined value tl and less than th. The ming weight is the number of bits whose bit value is 1 when the random number k is a bit string. For example, a Hamming weight of 5 is 2 because the 5 bit string is "101".
[0092] そして、秘密鍵生成部 1102は、乱数生成部 11021において、乱数 kを生成する。  Then, secret key generation section 1102 generates random number k in random number generation section 11021.
ノ、ミング重み判定部 11022において、乱数 kのハミング重みが tl以上 th未満である かを判定し、 tl以上 th未満であれば、乱数 k (候補値)を秘密鍵 d (冪値)として設定す る。それ以外は、乱数生成部 11021の処理に戻る。  In the ming weight determination unit 11022, it is determined whether the humming weight of the random number k is greater than or equal to tl and less than th. The Otherwise, the process returns to the random number generation unit 11021.
[0093] ここで、 tlについては、秘密鍵の総当り攻撃に対する安全性レベルに基づき決定す る。具体的には、例えば、 nのビット数が 1024の場合には、 "28Qく C (1024, x) "とな るような Xを tlとすればよい。ここで、 C (x, y)は x個力 y個を選ぶ組合せの数であり、 下記の数式( 1 4)で示される。 [0094] [数 5] [0093] Here, tl is determined based on the security level against the brute force attack of the secret key. Specifically, for example, when the number of bits of n is 1024, X that becomes “2 8Q C (1024, x)” may be tl. Here, C (x, y) is the number of combinations to select x power y, and is expressed by the following formula (14). [0094] [Equation 5]
(1-4) C(x, y)=x!/{(x-y)! XY!} (1-4) C (x, y) = x! / {(X-y)! XY!}
[0095] また、 thについては、例えば、予め定める第 2のべき乗剰余演算部 12032 (後述する 。)の処理時間の上限値より決定する。第 2のべき乗剰余演算部 12032において、乗 算 Mulの演算回数は、 "len— l +w(d) "である。乗算 Mulの計算時間を TMulとす るとき、第 2のべき乗剰余演算部 12032の処理時間は、 "(len— l +w(d) ) XTMul "である。処理時間の上限値を THとすると、 " (len- l +th) XTMuKTH"より、 "th <TH/TMul-len+ 1"を満たす値に thを設定すればよ!、。 [0095] Also, th is determined, for example, from the upper limit value of the processing time of a predetermined second power residue calculation unit 12032 (described later). In second power residue calculation section 12032, the number of multiplication Mul operations is “len−l + w (d)”. When the calculation time of the multiplication Mul is TMul, the processing time of the second power residue calculation unit 12032 is “(len−l + w (d)) XTMul”. If TH is the upper limit of processing time, set th to a value satisfying "th <TH / TMul-len + 1" from "(len-l + th) XTMuKTH"!
[0096] 続いて、本実施の形態における端末装置 A1200の構成について説明する。 [0096] Next, the configuration of terminal apparatus A1200 in the present embodiment will be described.
[0097] 図 4は、本実施の形態における端末装置 A1200の構成を示す図である。図 4に示 されるように、端末装置 A1200は、送信部 1201と、暗号ィ匕部 1202と、署名生成部 1 203と、第 1の秘密鍵格納部 1204と、第 1の公開鍵格納部 1205と、第 2の公開鍵格 納部 1206とを備える。 FIG. 4 is a diagram showing a configuration of terminal apparatus A1200 in the present embodiment. As shown in FIG. 4, terminal device A1200 includes transmission unit 1201, encryption unit 1202, signature generation unit 1203, first secret key storage unit 1204, and first public key storage unit. 1205 and a second public key storage unit 1206 are provided.
[0098] 送信部 1201は、通信路 1400を介して、データを端末装置 B1300へ送信する。  Transmitting section 1201 transmits data to terminal apparatus B 1300 via communication path 1400.
[0099] 暗号ィ匕部 1202は、第 1のメッセージ mlを第 2の公開鍵格納部 1206に格納されて いる端末装置 B1300の公開鍵 nB, eBを用いて、暗号化し暗号文 clを生成する。 [0099] Encryption unit 1202 encrypts first message ml using public key nB, eB of terminal device B1300 stored in second public key storage unit 1206 to generate ciphertext cl .
[0100] 署名生成部 1203は、第 2のメッセージ m2に対し、第 1の秘密鍵格納部 1204に格 納されて ヽる端末装置 A1200の秘密鍵 dAと、第 1の公開鍵格納部 1205に格納さ れている端末装置 A1200の公開鍵の一部である nAを用いて、署名データ Sを生成 する。ここでは、 RSA署名方式に基づいて、署名データ Sを生成する。 [0100] For the second message m2, the signature generation unit 1203 stores the secret key dA of the terminal device A1200 stored in the first secret key storage unit 1204 and the first public key storage unit 1205. Signature data S is generated using nA, which is a part of the public key of terminal device A1200 stored. Here, signature data S is generated based on the RSA signature method.
[0101] 第 1の秘密鍵格納部 1204は、端末装置 A1200の秘密鍵 dAを格納する。 [0101] First secret key storage section 1204 stores secret key dA of terminal device A1200.
[0102] 第 1の公開鍵格納部 1205は、端末装置 A1200の公開鍵 nA, eAを格納する。 [0102] First public key storage section 1205 stores public keys nA and eA of terminal device A1200.
[0103] 第 2の公開鍵格納部 1206は、端末装置 B1300の公開鍵 nB, eBを格納する。 The second public key storage unit 1206 stores the public keys nB and eB of the terminal device B1300.
[0104] 続いて、本実施の形態における暗号ィ匕部 1202の詳細構成について説明する。 [0104] Next, the detailed configuration of the encryption key unit 1202 in the present embodiment will be described.
[0105] 図 4に示されるように、暗号ィ匕部 1202は、第 1のべき乗剰余演算部 12021を備える [0105] As shown in FIG. 4, encryption key unit 1202 includes first power residue calculation unit 12021.
[0106] 第 1のべき乗剰余演算部 12021は、入力値 x、下記の数式(1— 5)で示される e、お よび nに対して、 "xe mod n"を計算する。 [0106] The first power-residue calculating unit 12021 has an input value x, e represented by the following mathematical formula (1-5), Calculate "x e mod n" for n and n.
[0107] [数 6] [0107] [Equation 6]
(1-5)
Figure imgf000017_0001
(1-5)
Figure imgf000017_0001
=e0+e1X2+e2X22+〜+elen_1X2ien-1 = e 0 + e 1 X2 + e 2 X2 2 + ~ + e len _ 1 X2i en - 1
[0108] ここで、 lenは dのビット数、 " X "は整数の乗算、 "xy"は xの y乗を示して 、る。 Here, len is the number of bits of d, “X” is an integer multiplication, and “x y ” is x to the power of y.
[0109] 第 1のべき乗剰余演算部 12021の計算方法のフローチャートを図 5に示す。 FIG. 5 shows a flowchart of the calculation method of the first power residue calculation unit 12021.
[0110] 図 5は、本実施の形態における第 1のべき乗剰余演算部 12021の計算方法のフロ 一チャートを示す図である。図 5に示されるように、第 1のべき乗剰余演算部 12021 は、下記のステップ(S101)〜(S107)の処理を行う。 FIG. 5 is a diagram showing a flow chart of the calculation method of first power residue calculation unit 12021 in the present embodiment. As shown in FIG. 5, the first power-residue calculating unit 12021 performs the following steps (S101) to (S107).
[0111] (S101) :"i^len-2, z x"を行い、変数 iおよび変数 zを初期化する。 [0111] (S101): "i ^ len-2, z x" is performed to initialize variable i and variable z.
[0112] (S102) :"z^Sqr(z) mod n"を行い、変数 zを更新する。 [0112] (S102): "z ^ Sqr (z) mod n" is performed to update the variable z.
[0113] (S103) :"e = l"であるか否かを判定し、否である場合には(S103:e≠ 1)、ステツ プ(S 105)を行う。 (S103): It is determined whether or not “e = 1”, and if not (S103: e ≠ 1), step (S105) is performed.
[0114] (S104):判定した結果、 "e = l"である場合には(S103:e = l)、 "z Mul(z, c) mod n"を行い、変数 zを更新する。  (S104): If “e = 1” is determined as a result of the determination (S103: e = 1), “z Mul (z, c) mod n” is performed, and the variable z is updated.
[0115] (S105):"i^i-1"^TV\変数 iを更新する。 [0115] (S105): "i ^ i-1" ^ TV \ Variable i is updated.
[0116] (S106) :"iく 0"であるか否かを判定し、否の場合には(S106:i≥0)、ステップ(S [0116] (S106): It is determined whether or not "i is 0". If not (S106: i≥0), step (S
102)以降のステップを繰り返し行う。 102) Repeat the following steps.
[0117] (S107):判定した結果、 "iく 0"である場合には(S106:i<0)、変数 zの値を出力 し、終了する。 [0117] (S107): If the result of determination is “i <0” (S106: i <0), the value of variable z is output and the process ends.
[0118] ここで、 Sqr(x)は、 xの 2乗算を実行した結果を示す。また、 Mul(x, y)は、 xと yの 乗算を実行した結果を示す。  [0118] Here, Sqr (x) represents the result of performing x multiplication by two. Mul (x, y) indicates the result of multiplying x and y.
[0119] そして、暗号ィ匕部 1202は、第 1のべき乗剰余演算部 12021において、 xとして第 1 のメッセージ mlを入力し、 eとして公開鍵の一部である eBを入力し、 nとして公開鍵 の一部である nBを入力して、 "mleB mod nB"を計算し、その結果を暗号文 clとす る。 [0119] Then, in the first power residue calculation unit 12021, the encryption key unit 1202 inputs the first message ml as x, inputs eB which is a part of the public key as e, and makes it public as n Input nB that is part of the key, calculate "ml eB mod nB", and use the result as ciphertext cl.
[0120] 続いて、本実施の形態における署名生成部 1203の詳細構成について説明する。 [0121] 図 4に示されるように、署名生成部 1203は、ハッシュ計算部 12031と、第 2のべき 乗剰余演算部 12032とを備える。 Next, a detailed configuration of signature generation section 1203 in the present embodiment will be described. As shown in FIG. 4, signature generation section 1203 includes hash calculation section 12031 and second power residue calculation section 12032.
[0122] 第 1のハッシュ計算部 12031は、第 2のメッセージ m2に対するハッシュ値 hを計算 する。ここで、使用するノヽッシュ関数は、ノヽッシュ値力ら対応するハッシュ関数の入力 値を求めることが困難であるという一方向性を持っているものであればよい。例えば、 SHA— 1ハッシュ関数である。一方向性ハッシュ関数については、上記の参考文献 1の 189〜195ページに詳しく説明されている。  [0122] The first hash calculator 12031 calculates a hash value h for the second message m2. Here, the Noush function to be used only needs to have one-way property that it is difficult to obtain the input value of the hash function corresponding to the Nosh value. For example, the SHA-1 hash function. The one-way hash function is described in detail on pages 189 to 195 of Reference 1 above.
[0123] 第 2のべき乗剰余演算部 12032は、入力値 x、下記の数式(1— 6)で示される d、お よび nに対して、 "xd mod n"を計算する。 Second power-residue calculating unit 12032 calculates “x d mod n” for input value x, d indicated by the following mathematical formula (1-6), and n.
[0124] [数 7]  [0124] [Equation 7]
(1-6) 0=∑6tX2 0または l:i=0,l,"',len-l} (1-6) 0 = ∑6 t X2 0 or l: i = 0, l, "', len-l}
=d0+d1X2+d.X22+---)-d|en_1X2len-1 = d 0 + d 1 X2 + d.X2 2 + ---)-d | en _ 1 X2 len - 1
[0125] 第 2のべき乗剰余演算部 12032の計算方法のフローチャートを図 6に示す。 FIG. 6 shows a flowchart of the calculation method of the second power residue calculation unit 12032.
[0126] 図 6は、本実施の形態における第 2のべき乗剰余演算部 12032の計算方法のフロ 一チャートを示す図である。図 6に示されるように、第 2のべき乗剰余演算部 12032 は、下記のステップ(S 111)〜(S 117)の処理を行う。 FIG. 6 is a diagram showing a flow chart of a calculation method of second power residue calculation unit 12032 in the present embodiment. As shown in FIG. 6, the second power residue calculation unit 12032 performs the following steps (S 111) to (S 117).
[0127] (Sill) :"i^len-2, z x"を行い、変数 iおよび変数 zを初期化する。 [0127] (Sill): Perform "i ^ len-2, z x" to initialize the variable i and the variable z.
[0128] (S112) :"z^Mul(z, z) mod n"を行い、変数 zを更新する。 [0128] (S112): "z ^ Mul (z, z) mod n" is performed to update the variable z.
[0129] (S113) :"d = l"であるか否かを判定し、否である場合には(S113:d≠l)、ステツ プ(S 115)を行う。 (S113): It is determined whether or not “d = l”. If not (S113: d ≠ l), step (S115) is performed.
[0130] (S114):判定した結果、 "d = l"である場合には(S113:d = l)、 "z Mul(z, c) mod n"を行い、変数 zを更新する。  (S114): If “d = 1” is determined as a result of the determination (S113: d = 1), “z Mul (z, c) mod n” is performed, and the variable z is updated.
[0131] (S115) :"i^i— 1"を行い、変数 iを更新する。 [0131] (S115): “i ^ i—1” is performed to update the variable i.
[0132] (S116) :"i<0"であるか否かを判定し、否である場合には(S116:i≥0)、ステツ プ(S 112)以降のステップを繰り返し行う。  (S116): It is determined whether or not “i <0”. If not (S116: i≥0), the steps after step (S112) are repeated.
[0133] (S117):判定した結果、 "iく 0 "である場合には(S116:i<0)、変数 zの値を出力 し、終了する。 [0134] ここで、ステップ (S112)では、 zの 2乗剰余を計算すればよいが、本実施の形態 1 では、同じ数の乗算を実行し剰余を取るように明示的に「乗算」を使用する。これは、 2乗算と乗算は一般に計算処理が異なり、 2乗算の方が乗算より高速であるが、ここ では 2乗算の計算処理ではなぐ同じ数の乗算の計算処理で、 2乗算を実現すること を意味する。 [0133] (S117): If the result of determination is "i <0" (S116: i <0), the value of variable z is output and the process ends. [0134] Here, in step (S112), the square remainder of z may be calculated, but in Embodiment 1, the "multiplication" is explicitly performed so that the same number of multiplications are performed and the remainder is taken. use. This is because calculation is generally different between multiplication by two and multiplication is faster than multiplication by two. Here, the multiplication by the same number of multiplications by the calculation by two multiplications is realized. Means.
[0135] 上記の第 2のべき乗剰余演算部 12032では、ステップ(S 112)において必ず乗算 を len— 1回実行する。しかし、ステップ(S 114)において、乗算は dのハミング重みで ある w(d)に対し、 w(d)回実行する。これにより、トータルの演算回数は" len— 1 +w (d) "回となる。  In the second power residue calculation unit 12032 described above, the multiplication is always executed len−1 times in step (S 112). However, in step (S114), multiplication is executed w (d) times for w (d) which is the Hamming weight of d. As a result, the total number of computations is “len− 1 + w (d)” times.
[0136] 署名生成部 1203は、まず、ノヽッシュ計算部 12031において、第 2のメッセージ m2 に対するノ、ッシュ値 hを計算する。次に、第 2のべき乗剰余演算部 12032において、 Xとしてハッシュ値 h、 dとして秘密鍵 dA、 nとして公開鍵の一部である nAを入力して、 "hdA mod nA"を計算し、その結果を署名データ Sとする。 First, signature generation section 1203 calculates a no-shash value h for second message m 2 at noush calculation section 12031. Next, in the second power residue calculation unit 12032, the hash value h is input as X, the secret key dA is input as d, and nA that is a part of the public key is input as n, thereby calculating “h dA mod nA”. The result is signature data S.
[0137] 続いて、本実施の形態における端末装置 B1300の構成について説明する。 [0137] Next, the configuration of terminal apparatus B1300 in the present embodiment will be described.
[0138] 図 7は、本実施の形態における端末装置 B1300の構成を示す図である。図 7に示 されるように、端末装置 B1300は、受信部 1301と、復号化部 1302、署名検証部 13 03と、第 2の秘密鍵格納部 1304と、第 2の公開鍵格納部 1305と、第 1の公開鍵格 納部 1306とを備える。 FIG. 7 is a diagram showing a configuration of terminal apparatus B1300 in the present embodiment. As shown in FIG. 7, the terminal device B 1300 includes a receiving unit 1301, a decrypting unit 1302, a signature verifying unit 1303, a second secret key storage unit 1304, and a second public key storage unit 1305. And a first public key storage unit 1306.
[0139] 受信部 1301は、通信路 1400を介して、データを端末装置 A1200から受信する。  The receiving unit 1301 receives data from the terminal device A1200 via the communication path 1400.
[0140] 復号ィ匕部 1302は、第 2の秘密鍵格納部 1304に格納されている端末装置 B 1300 の秘密鍵 dBと、第 2の公開鍵格納部 1305に格納されて 、る公開鍵の一部である nB を用いて、暗号文 clを復号化し復号文 ml 'を生成する。 [0140] The decryption key unit 1302 stores the secret key dB of the terminal device B 1300 stored in the second secret key storage unit 1304 and the public key stored in the second public key storage unit 1305. Using nB which is a part, decrypt ciphertext cl and generate decrypted text ml '.
[0141] 署名検証部 1303は、第 1の公開鍵格納部 1305に格納されている端末装置 A120[0141] The signature verification unit 1303 is the terminal device A120 stored in the first public key storage unit 1305.
0の公開鍵 eAを用いて、署名データ Sが第 2のメッセージ m2の正しい署名であるか を検証する。 Using the public key eA of 0, verify that the signature data S is the correct signature of the second message m2.
[0142] 第 2の秘密鍵格納部 1304は、端末装置 B 1300の秘密鍵 dBを格納する。  [0142] Second secret key storage section 1304 stores secret key dB of terminal apparatus B 1300.
[0143] 第 2の公開鍵格納部 1305は、端末装置 B1300の公開鍵 nB, eBを格納する。 The second public key storage unit 1305 stores the public keys nB and eB of the terminal device B1300.
[0144] 第 1の公開鍵格納部 1306は、端末装置 A1200の公開鍵 nA, eAを格納する。 [0145] 続いて、本実施の形態における復号ィ匕部 1302の詳細構成について説明する。 The first public key storage unit 1306 stores the public keys nA and eA of the terminal device A1200. [0145] Next, a detailed configuration of decryption unit 1302 in the present embodiment will be described.
[0146] 図 7に示されるように、復号ィ匕部 1302は、第 2のべき乗剰余演算部 13021を備える [0146] As shown in Fig. 7, decryption unit 1302 includes second power residue calculation unit 13021.
[0147] 第 2のべき乗剰余演算部 13021は、端末装置 A1200の署名生成部 1203に含ま れる第 2のべき乗剰余演算部 12032と同一の機能を有することにより、説明を省略す る。 The second power residue calculation unit 13021 has the same function as the second power residue calculation unit 12032 included in the signature generation unit 1203 of the terminal device A1200, and thus description thereof is omitted.
[0148] そして、復号ィ匕部 1302は、第 2のべき乗剰余演算部 13021において、 xとして暗号 文 cl、 dとして秘密鍵 dB、 nとして公開鍵の一部である nBを入力して、 "cldB mod nB"を計算し、その結果を復号文 ml,とする。 Then, the decryption unit 1302 inputs the ciphertext cl as x, the secret key dB as d, and nB which is a part of the public key as n in the second power residue calculation unit 13021. cl dB mod nB "is calculated, and the result is the decrypted text ml.
[0149] 復号化方法につ!、ては、 RSA暗号方式の" (2)暗号文を生成する処理"を用いる。 [0149] Regarding the decryption method, the RSA encryption method "(2) Processing for generating ciphertext" is used.
[0150] 続いて、本実施の形態における署名検証部 1303の詳細構成について説明する。 [0150] Next, the detailed configuration of signature verification section 1303 in the present embodiment will be described.
[0151] 図 7に示されるように、署名検証部 1303は、ハッシュ計算部 13031と、第 1のべき 乗剰余演算部 13032と、署名判定部 13033とを備える。 As shown in FIG. 7, signature verification section 1303 includes hash calculation section 13031, first power residue calculation section 13032, and signature determination section 13033.
[0152] ノ、ッシュ計算部 13031は、端末装置 A1200の署名生成部 1203に含まれるハツシ ュ計算部 12031と同一の機能を有することにより、説明を省略する。 Since the node calculation unit 13031 has the same function as the hash calculation unit 12031 included in the signature generation unit 1203 of the terminal device A1200, the description thereof is omitted.
[0153] 第 1のべき乗剰余演算部 13032は、端末装置 A1200の暗号化部 1202に含まれ る第 1のべき乗剰余演算部 12021と同一の機能を有することにより、説明を省略する [0153] First power residue calculation unit 13032 has the same function as first power residue calculation unit 12021 included in encryption unit 1202 of terminal apparatus A1200, and thus the description thereof is omitted.
[0154] 署名判定部 13033は、ハッシュ計算部 13031で計算したハッシュ値 hと、第 1のべ き乗剰余演算部 13032で計算した検証値 h'が等しいか否かを判定する。 The signature determination unit 13033 determines whether or not the hash value h calculated by the hash calculation unit 13031 and the verification value h ′ calculated by the first power residue calculation unit 13032 are equal.
[0155] そして、署名検証部 1303は、まず、ノ、ッシュ計算部 13031において、第 2のメッセ ージ m2に対するハッシュ値 hを計算する。次に、第 1のべき乗剰余演算部 13032に おいて、 Xとして署名データ S、 eとして公開鍵の一部である eA、 nとして公開鍵の一 部である nAを入力して、" SeA mod nA"を計算し、その結果を検証値 とする。署 名判定部 13033において、ノ、ッシュ値 hと検証値 h,が等しいか否かを確認する。等 しい場合は、正しい署名として OKを出力し、等しくない場合は、正しくない署名とし て NGを出力する。 [0155] Then, signature verification section 1303 first calculates hash value h for second message m2 in node calculation section 13031. Next, in the first power residue calculation unit 13032, the signature data S is input as X, eA which is a part of the public key as e, and nA which is a part of the public key as n, and “S eA mod nA "is calculated, and the result is used as the verification value. In the signature judgment unit 13033, it is confirmed whether or not the hush value h and the verification value h are equal. If they are equal, OK is output as a correct signature, and NG is output as an incorrect signature if they are not equal.
[0156] 続いて、本実施の形態における暗号システム 1000の動作について説明する。 [0157] 暗号システム 1000の動作は、鍵発行を行う「鍵発行時」と、端末装置 A1200と端 末装置 B1300間の暗号通信を行う「暗号通信時」の動作力 なる。 Next, the operation of the cryptographic system 1000 in the present embodiment will be described. [0157] The operation of the cryptographic system 1000 is an operating force for "key issuance" for issuing a key and for "cipher communication" for performing cipher communication between the terminal device A1200 and the terminal device B1300.
[0158] 「鍵発行時」は、鍵発行サーバ 1100において、端末装置 A1200及び端末装置 B1 300の秘密鍵と公開鍵を生成し、それぞれの装置に格納する。「暗号通信時」は、入 力である第 1のメッセージ ml及び第 2のメッセージ m2に対し、端末装置 A1200にお いて、第 1のメッセージ mlの暗号文と、第 2のメッセージ m2の署名データを生成し、 端末装置 B 1300へ通信路 1400を介して送信し、端末装置 B 1300にお 、て受信し て、復号化及び署名検証を行い、復号文 ml 'と署名検証結果 (OKまたは NG)を出 力する。  [0158] At the time of “key issuance”, the key issuing server 1100 generates secret keys and public keys of the terminal device A1200 and the terminal device B1300, and stores them in the respective devices. At the time of “encryption communication”, the ciphertext of the first message ml and the signature data of the second message m2 are received in the terminal device A1200 for the input first message ml and second message m2. Is transmitted to the terminal device B 1300 via the communication path 1400, received by the terminal device B 1300, decrypted and signed, and decrypted text ml 'and the signature verification result (OK or NG ) Is output.
[0159] 以下、「鍵発行時」のフローチャートを図 8、「暗号通信時」のフローチャートを図 9に 示す。  [0159] In the following, a flowchart of "at the time of key issuance" is shown in FIG.
[0160] 図 8は、本実施の形態における暗号システム 1000の鍵発行時の動作を示す図で ある。図 8に示されるように、鍵発行時には、鍵発行サーバ 1100は、素数生成部 110 1において、素数 pA, qAを生成する(S201)。秘密鍵生成部 1102において、秘密 鍵 dAを生成する(S202)。公開鍵生成部 1103において、 "nA=pAX qA"を求め、 "eA=dA— 1 mod nA"を計算する(S203)。鍵設定部 1104において、端末装置 A 1200の第 1の秘密鍵格納部 1204に秘密鍵 dAを格納する(S204)。端末装置 A12 00の第 1の公開鍵格納部 1205に nA, eAを公開鍵として格納する(S 205)。端末装 置 B 1300の第 1の公開鍵格納部 1306に nA, eAを格納する(S206)。 [0160] Fig. 8 is a diagram showing an operation at the time of key issuance of the cryptographic system 1000 according to the present embodiment. As shown in FIG. 8, at the time of key issuance, the key issuing server 1100 generates prime numbers pA and qA in the prime number generation unit 110 1 (S201). The secret key generation unit 1102 generates a secret key dA (S202). The public key generation unit 1103 calculates “nA = pAX qA” and calculates “eA = dA− 1 mod nA” (S203). The key setting unit 1104 stores the secret key dA in the first secret key storage unit 1204 of the terminal device A 1200 (S204). NA and eA are stored as public keys in the first public key storage unit 1205 of the terminal device A1200 (S205). NA and eA are stored in the first public key storage unit 1306 of the terminal device B 1300 (S206).
[0161] さらに、鍵発行サーバ 1100は、素数生成部 1101において、素数 pB, qBを生成す る(S207)。秘密鍵生成部 1102において、秘密鍵 dBを生成する(S 208)。公開鍵 生成部 1103において、" nB=pB X qB"を求め、" eB = dB— 1 mod nB"を計算する (S209)。鍵設定部 1104において、端末装置 B1300の第 2の秘密鍵格納部 1304 に秘密鍵 dBを格納する(S210)。端末装置 B1300の第 2の公開鍵格納部 1305に n B, eBを公開鍵として格納する(S211)。端末装置 A1200の第 2の公開鍵格納部 12 06に nB, eBを格納する(S212)。そして、終了する。 Furthermore, the key issuing server 1100 generates prime numbers pB and qB in the prime number generation unit 1101 (S207). The secret key generation unit 1102 generates a secret key dB (S208). The public key generation unit 1103 calculates “nB = pB X qB” and calculates “eB = dB— 1 mod nB” (S209). In the key setting unit 1104, the secret key dB is stored in the second secret key storage unit 1304 of the terminal device B1300 (S210). N B and eB are stored as public keys in the second public key storage unit 1305 of the terminal device B 1300 (S211). NB and eB are stored in the second public key storage unit 12 06 of the terminal device A1200 (S212). And it ends.
[0162] 図 9は、本実施の形態における暗号システム 1000の暗号通信時の動作を示す図 である。図 9に示されるように、暗号通信時には、端末装置 A1200は、暗号ィ匕部 120 2において、第 1のメッセージ mlの暗号文 clを生成する(S301)。署名生成部 1203 において、第 2のメッセージ m2の署名データ Sを生成する(S302)。送信部 1201に おいて、暗号文 cl、第 2のメッセージ m2と署名データ Sを端末装置 B 1300へ通信路 1400を介して送信する(S303)。 [0162] Fig. 9 is a diagram showing an operation during cryptographic communication of the cryptographic system 1000 according to the present embodiment. As shown in FIG. 9, at the time of encrypted communication, the terminal device A1200 uses the encryption key unit 120. In 2, the ciphertext cl of the first message ml is generated (S301). The signature generation unit 1203 generates the signature data S of the second message m2 (S302). Transmitter 1201 transmits ciphertext cl, second message m2 and signature data S to terminal device B 1300 via communication path 1400 (S303).
[0163] これに対して、端末装置 B1300は、受信部 1301において、暗号文 cl、第 2のメッ セージ m2と署名データ Sを受信する(S304)。復号ィ匕部 1302において、暗号文 cl を復号化して復号文 ml 'を取得する(S305)。署名検証部 1303において、署名デ ータ Sを検証する(S306)。署名データ Sが第 2のメッセージの正し 、署名であれば( S306 : Sは正しい)、署名検証結果を OK(S307)、正しくない署名であれば(S306 : Sは不正)、署名検証結果を NGとする(S308)。 [0163] On the other hand, terminal apparatus B1300 receives ciphertext cl, second message m2 and signature data S at receiving section 1301 (S304). In the decryption key unit 1302, the ciphertext cl is decrypted to obtain the decrypted text ml ′ (S305). The signature verification unit 1303 verifies the signature data S (S306). If the signature data S is correct and the signature of the second message (S306: S is correct), the signature verification result is OK (S307), and if it is not correct (S306: S is invalid), the signature verification result Is NG (S308).
[0164] そして、端末装置 B1300は、復号文 ml 'と署名検証結果を出力する(S309)。 Then, terminal apparatus B 1300 outputs the decrypted text ml ′ and the signature verification result (S309).
[0165] 以上説明したように、実施の形態 1における暗号システム 1000では、鍵発行サー ノ 1100において、 tl以上 th未満のハミング重みを持つ秘密鍵 dA, dBを生成し、生 成した秘密鍵 dAを端末装置 A1200、秘密鍵 dBを端末装置 B 1300で使用する。端 末装置 A1200、端末装置 B1300では、秘密鍵 dA、 dBをそれぞれ用いて、冪乗剰 余演算を行う。その冪乗剰余演算は、第 2のべき乗剰余演算部 12032で 2乗算を同 じ数の乗算で実現することにより実行する。したがって、 2乗算と乗算の順序を解析す る電力解析攻撃で、秘密鍵 dA, dBを解析することが困難である。さらに、秘密鍵 dA , dBのハミング重みを tl以上になるよう鍵発行サーバ 1100で生成しており、さらに tl は秘密鍵の総当り攻撃に要する処理時間が nの素因数分解に要する処理時間より 大きくなるよう設定されているため、演算回数力 秘密鍵の探索空間を狭める攻撃に 対しても本実施の形態 1の端末装置 A 1200, B 1300は安全である。 [0165] As described above, in the cryptographic system 1000 according to Embodiment 1, the key issuing server 1100 generates the secret key dA, dB having a Hamming weight not less than tl and less than th and generated the secret key dA. Is used by terminal device A1200, and secret key dB is used by terminal device B 1300. Terminal device A1200 and terminal device B1300 perform power-residue calculation using secret keys dA and dB, respectively. The power-residue calculation is executed by realizing the second multiplication by the same number of multiplications in the second power-residue calculation unit 12032. Therefore, it is difficult to analyze the secret key dA, dB by a power analysis attack that analyzes the order of two multiplications and multiplications. Furthermore, the key issuing server 1100 generates the Hamming weight of the secret key dA, dB so that it is greater than or equal to tl, and tl is longer than the processing time required for factoring the prime factor of n. Therefore, the terminal devices A 1200 and B 1300 of the first embodiment are safe against an attack that narrows the search space for the secret power of the number of operations.
[0166] (実施の形態 2) [Embodiment 2]
次に、本発明に係わる実施の形態 2について、図面を参照しながら説明する。  Next, Embodiment 2 according to the present invention will be described with reference to the drawings.
[0167] 本実施の形態における冪値生成装置は、下記 (a)〜(c)に示される特徴を備える。 [0167] The threshold value generating apparatus according to the present embodiment includes the characteristics shown in the following (a) to (c).
[0168] (a)生成機能は、予め与えられる冪値 d、冪乗剰余演算の法 n、乱数!:、およびカー マイケル関数え(n)またはオイラー関数 φ (n)を用いて、 d+r X λ (η)または d+r X φ (η)を候補値として生成する。 [0169] (b)冪値生成装置は、冪値を使用して冪乗剰余演算を行う冪乗剰余演算機能を備 える。 [0168] (a) The generation function has a given value d, a power-residue modulus n, a random number! And d + r X λ (η) or d + r X φ (η) are generated as candidate values using the Carmichael function (n) or Euler function φ (n). [0169] (b) The power generation device has a power-residue calculation function for performing power-residue calculation using the power.
[0170] (c)冪値生成装置は、冪値を格納する冪値格納機能を備え、冪乗剰余演算機能は 、冪乗剰余演算を実行するたびに、冪値格納機能に格納されている冪値を使用する  [0170] (c) The threshold value generating apparatus has a threshold value storing function for storing a threshold value, and the power residue calculation function is stored in the threshold value storing function every time the power residue calculation is executed. Use saddle value
[0171] 以上の点を踏まえて本実施の形態における冪値生成装置について説明する。なお 、実施の形態 1における構成要素と同一の構成要素については、同一の参照符号を 付して説明を省略する。また、ここでは、冪値生成装置は、冪値を秘密鍵として用い、 冪乗剰余演算を行って暗号文を復号化する復号装置や、冪値を秘密鍵として用い、 冪乗剰余演算を行って署名データを生成する署名生成装置などとする。 [0171] Based on the above points, the threshold value generating apparatus according to the present embodiment will be described. Note that the same constituent elements as those in the first embodiment are denoted by the same reference numerals, and description thereof is omitted. Also, here, the saddle value generating device uses the saddle value as a secret key, performs a power surplus operation, decrypts the ciphertext, and uses the saddle value as a secret key to perform a power surplus operation. A signature generation device that generates signature data.
[0172] 図 10は、本実施の形態における暗号システムの構成を示す図である。図 10に示さ れるように、暗号システム 2000は、鍵発行サーバ 2100と、端末装置 A2200と、端末 装置 B2300と、通信路 1400とカゝら構成される。ここで、端末装置 A2200は、冪値を 秘密鍵として用い、冪乗剰余演算を行って署名データを生成する冪値生成装置、す なわち、署名生成装置である。端末装置 B2300は、冪値を秘密鍵として用い、冪乗 剰余演算を行って暗号文を復号化する冪値生成装置、すなわち、復号装置である。  FIG. 10 is a diagram showing a configuration of the cryptographic system in the present embodiment. As shown in FIG. 10, the cryptographic system 2000 includes a key issuing server 2100, a terminal device A 2200, a terminal device B 2300, and a communication path 1400. Here, the terminal device A 2200 is a threshold value generating device that generates signature data by performing a power residue calculation using the threshold value as a secret key, that is, a signature generating device. The terminal device B2300 is a threshold value generating device that decrypts a ciphertext by performing a power residue operation using the threshold value as a secret key, that is, a decryption device.
[0173] 暗号システム 2000は、端末装置 A2200と端末装置 B2300用の秘密鍵及び公開 鍵からなる鍵対を鍵発行サーバ 2100で生成し、端末装置 A2200、端末装置 B230 0のそれぞれへ生成した鍵対を発行する。さら〖こ、端末装置 A2200では、第 1のメッ セージを暗号ィ匕し、また、第 2のメッセージの署名を生成し、端末装置 B2300へ通信 路 1400を介して送信する。端末装置 B2300では、通信路 1400を介して、第 1のメッ セージの暗号文、第 2のメッセージ及びその署名データを受信して、上記暗号文を 復号化し、第 1のメッセージの復号文を得て、第 2のメッセージの署名データを検証 する。  The cryptographic system 2000 generates a key pair consisting of a secret key and a public key for the terminal device A 2200 and the terminal device B 2300 using the key issuing server 2100, and generates the key pair generated for each of the terminal device A 2200 and the terminal device B 2300. Issue. Further, the terminal device A2200 encrypts the first message, generates a signature of the second message, and transmits it to the terminal device B2300 via the communication path 1400. The terminal device B2300 receives the ciphertext of the first message, the second message, and its signature data via the communication path 1400, decrypts the ciphertext, and obtains the decrypted text of the first message. To verify the signature data of the second message.
[0174] 暗号システム 2000では、実施の形態 1と同様に、 RSA暗号方式及び RSA署名方 式が使用されている。  [0174] In the cryptographic system 2000, the RSA encryption method and the RSA signature method are used as in the first embodiment.
[0175] 続いて、本実施の形態における鍵発行サーバ 2100の構成について説明する。  Subsequently, the configuration of the key issuing server 2100 in the present embodiment will be described.
[0176] 図 11は、本実施の形態における鍵発行サーバ 2100の構成を示す図である。図 11 に示されるように、鍵発行サーバ 2100は、鍵発行サーバ 1100と比べて、下記(1)〜 (3)の点が異なる。 FIG. 11 is a diagram showing a configuration of the key issuing server 2100 in the present embodiment. Fig 11 As shown in FIG. 4, the key issuing server 2100 differs from the key issuing server 1100 in the following points (1) to (3).
[0177] (1)秘密鍵生成部 1102の代わりに、秘密鍵生成部 2102を備える。  (1) A secret key generation unit 2102 is provided instead of the secret key generation unit 1102.
[0178] 秘密鍵生成部 2102は、素数生成部 1101で生成した素数 p, qと、 "e= 17"に対し て、 "d=e— 1 mod L"を計算する。ここで、 "L = LCM (p— 1, q— 1),,であり、 "e mod L"は eの mod Lでの逆元である。なお、 eは 17だけでなぐ例えば、 "216+ 1" であってもよい。 The secret key generation unit 2102 calculates “d = e− 1 mod L” for the prime numbers p and q generated by the prime number generation unit 1101 and “e = 17”. Here, "L = LCM (p— 1, q— 1),” and “e mod L” is the inverse element of e at mod L. Note that e is only 17 and for example, “2 It may be 16 + 1 ".
[0179] (2)公開鍵生成部 1103の代わりに、公開鍵生成部 2103を備える。  (2) A public key generation unit 2103 is provided instead of the public key generation unit 1103.
[0180] 公開鍵生成部 2103は、素数 p, qの積 nを計算し、さらに、 "e= 17"とし、 n, eを公 開鍵とする。 Public key generation section 2103 calculates product n of prime numbers p and q, further sets “e = 17”, and uses n and e as public keys.
[0181] (3)鍵設定部 1104の代わりに、鍵設定部 2104を備える。  (018) A key setting unit 2104 is provided instead of the key setting unit 1104.
[0182] 鍵設定部 2104は、素数生成部 1101で生成した素数 p, qと、秘密鍵生成部 2102 で生成した dを秘密鍵として、端末装置 A2200もしくは端末装置 B2300の秘密鍵格 納部に格納する。さらに、公開鍵生成部 2103で生成した nと eを公開鍵として、端末 装置 A2200もしくは端末装置 B2300の公開鍵格納部に格納する。  [0182] The key setting unit 2104 uses the primes p and q generated by the prime number generation unit 1101 and d generated by the secret key generation unit 2102 as a secret key in the secret key storage unit of the terminal device A2200 or the terminal device B2300. Store. Further, n and e generated by the public key generation unit 2103 are stored as public keys in the public key storage unit of the terminal device A2200 or the terminal device B2300.
[0183] 続いて、本実施の形態における端末装置 A2200の構成について説明する。 Next, the configuration of terminal apparatus A 2200 in the present embodiment will be described.
[0184] 図 12は、本実施の形態における端末装置 A2200の構成を示す図である。図 12に 示されるように、端末装置 A2200は、端末装置 A1200と比べて、下記(1)〜(4)の 点が異なる。 FIG. 12 is a diagram showing a configuration of terminal apparatus A2200 in the present embodiment. As shown in FIG. 12, the terminal device A2200 differs from the terminal device A1200 in the following points (1) to (4).
[0185] (1)署名生成部 1203の代わりに、署名生成部 2203を備える。  (1) A signature generation unit 2203 is provided instead of the signature generation unit 1203.
[0186] 署名生成部 2203は、第 2のメッセージ m2に対し、第 1の使用秘密鍵格納部 2208 に格納されている使用秘密鍵 dA,と、第 1の公開鍵格納部 1205に格納されている 公開鍵の一部である nAを用いて、署名データ Sを生成する。署名生成方法について は、 RSA署名方式の(2)署名生成の処理を用いる。ここで、使用秘密鍵 dA,は、秘 密鍵 dAから生成され、端末装置 A2200内だけで使用される秘密鍵 (以下、第 1の使 用秘密鍵とも呼称する。)である。 [0186] The signature generation unit 2203 stores the used secret key dA stored in the first used secret key storage unit 2208 and the first public key storage unit 1205 for the second message m2. The signature data S is generated using nA that is part of the public key. For the signature generation method, use the (2) signature generation process of the RSA signature method. Here, the used secret key dA is a secret key generated from the secret key dA and used only within the terminal device A 2200 (hereinafter also referred to as a first used secret key).
[0187] (2)第 1の秘密鍵格納部 1204の代わりに、第 1の秘密鍵格納部 2204を備える。 (2) A first secret key storage unit 2204 is provided instead of the first secret key storage unit 1204.
[0188] 第 1の秘密鍵格納部 2204は、端末装置 A2200の秘密鍵 pA, qA, dAを格納する [0189] (3)第 1の使用秘密鍵生成部 2207を新たに備える。 [0188] The first secret key storage unit 2204 stores the secret keys pA, qA, dA of the terminal device A2200. (3) A first use secret key generation unit 2207 is newly provided.
[0190] 第 1の使用秘密鍵生成部 2207は、第 1の秘密鍵格納部 2204に格納されている秘 密鍵 pA, qA, dAを用いて、冪乗剰余演算で使用する使用秘密鍵 dA'を一度だけ 生成し、第 1の使用秘密鍵格納部 2208に格納する。  [0190] The first used secret key generation unit 2207 uses the secret keys pA, qA, dA stored in the first secret key storage unit 2204 to use the used secret key dA 'Is generated only once and stored in the first used secret key storage unit 2208.
[0191] (4)第 1の使用秘密鍵格納部 2208を新たに備える。  (4) A first use private key storage unit 2208 is newly provided.
[0192] 第 1の使用秘密鍵格納部 2208は、冪乗剰余演算で使用する使用秘密鍵 dA'を格 納する。  [0192] The first used secret key storage unit 2208 stores the used secret key dA 'used in the power-residue calculation.
[0193] 続いて、本実施の形態における署名生成部 203の詳細構成について説明する。  [0193] Next, a detailed configuration of the signature generation unit 203 in the present embodiment will be described.
[0194] 図 12に示されるように、署名生成部 2203は、ハッシュ計算部 22031と、第 2のべき 乗剰余演算部 22032とを備える。 As shown in FIG. 12, signature generation section 2203 includes hash calculation section 22031 and second power residue calculation section 22032.
[0195] ノ、ッシュ計算部 22031は、実施の形態 1におけるハッシュ計算部 12031と同一の 機能を有することにより、説明を省略する。 Since the hash calculation unit 22031 has the same function as the hash calculation unit 12031 in the first embodiment, the description thereof is omitted.
[0196] 第 2のべき乗剰余演算部 22032は、実施の形態 1における第 2のべき乗剰余演算 部 12032と同一の機能を有することにより、説明を省略する。 [0196] Second power residue calculation unit 22032 has the same function as second power residue calculation unit 12032 in the first embodiment, and a description thereof will be omitted.
[0197] そして、署名生成部 2203は、まず、ノ、ッシュ計算部 22031において、第 2のメッセ ージ m2に対するハッシュ値 hを計算する。次に、第 2のべき乗剰余演算部 22032に おいて、 Xとしてハッシュ値 h、 dとして使用秘密鍵 dA'、 nとして公開鍵の一部である nThen, signature generation section 2203 first calculates hash value h for second message m 2 at node calculation section 22031. Next, in the second power residue calculation unit 22032, X is a hash value h, d is a used secret key dA ′, and n is a part of the public key n
Aを入力して、" hdA' mod nA"を計算し、その結果を署名データ Sとする。 Input A, calculate “h dA 'mod nA”, and set the result as signature data S.
[0198] 続いて、本実施の形態における第 1の使用秘密鍵生成部 2207の詳細構成につい て説明する。 Next, a detailed configuration of the first used secret key generation unit 2207 in the present embodiment will be described.
[0199] 図 12に示されるように、第 1の使用秘密鍵生成部 2207は、正整数 cと法 nとに対す る冪乗剰余演算に使用される冪値を生成し、生成した冪値を第 1の使用秘密鍵とし て使用する。このとき、冪値の候補となる候補値を生成し、候補値のハミング重みが 所定の範囲内に属する力否かを判定し、所定の範囲内に属する場合は、候補値を 冪値として設定する。ここでは、一例として、乱数生成部 22071と、使用秘密鍵候補 生成部 22072と、ノ、ミング重み判定部 22073とを備える。  [0199] As shown in FIG. 12, the first used secret key generation unit 2207 generates a threshold value used in the power-residue calculation for the positive integer c and modulus n, and generates the generated threshold value. Is used as the first used private key. At this time, a candidate value that is a candidate for the threshold value is generated, it is determined whether the hamming weight of the candidate value is within a predetermined range, and if it is within the predetermined range, the candidate value is set as the threshold value To do. Here, as an example, a random number generation unit 22071, a used secret key candidate generation unit 22072, and a ming weight determination unit 22073 are provided.
[0200] 乱数生成部 22071は、正整数である乱数 rを生成する。乱数のビット数は、例えば 、 32である。 [0200] The random number generation unit 22071 generates a random number r that is a positive integer. The number of bits of the random number is, for example, 32.
[0201] 使用秘密鍵候補生成部 22072は、乱数 rと秘密鍵 pA, qA, dAを用いて、下記の 数式(2— 1)で示される使用秘密鍵候補 dA'を生成する。  [0201] Use secret key candidate generation section 22072 generates use secret key candidate dA 'represented by the following equation (2-1) using random number r and secret keys pA, qA, dA.
[0202] [数 8] [0202] [Equation 8]
(2-1) dA'=dA+rX A CnA) (2-1) dA '= dA + rX A CnA)
[0203] [数 9] [0203] [Equation 9]
(2-2) λ (nA) = LCM(pA-l,qA-l) (2-2) λ (nA) = LCM (pA-l, qA-l)
[0204] ここで、上記の数式(2— 1)および数式(2— 2)で示される λ (ηΑ)は、カーマイケル 関数である。なお、カーマイケル関数え(ηΑ)の代わりに、下記の数式(2— 3)で示さ れるオイラー関数 φ (ηΑ)であってもよい。 [0204] Here, λ (ηΑ) shown in the above equations (2-1) and (2-2) is a Carmichael function. Instead of the Carmichael function (ηΑ), the Euler function φ (ηΑ) represented by the following equation (2-3) may be used.
[0205] [数 10]  [0205] [Equation 10]
(2-4) φ (ηΑ)=(ρΑ-1) X (qA-1) (2-4) φ (ηΑ) = (ρΑ-1) X (qA-1)
[0206] ノ、ミング重み判定部 22073は、使用秘密鍵候補 dA'のノ、ミング重みが予め与えら れた所定値 tl以上、 th未満であるかを判定する。 [0206] The ming weight determination unit 22073 determines whether the ming weight of the used secret key candidate dA 'is equal to or greater than a predetermined value tl and less than th.
[0207] そして、第 1の使用秘密鍵生成部 2207は、乱数生成部 22071において、乱数 rを 生成する。使用秘密鍵候補生成部 22072において、乱数 rと秘密鍵 pA, qA, dAを 用いて、使用秘密鍵候補 dA,を計算する。ノ、ミング重み判定部 22073において、使 用秘密鍵候補 dA'のノ、ミング重みが tl以上 th未満であるかを判定し、 tl以上 th未満 であれば、使用秘密鍵候補 dA' (候補値)を第 1の使用秘密鍵 (冪値)として設定し、 第 1の使用秘密鍵格納部 2208に格納する。それ以外は、乱数生成部 22071の処 理に戻る。  Then, first use secret key generation section 2207 generates random number r in random number generation section 22071. The used secret key candidate generation unit 22072 calculates a used secret key candidate dA, using the random number r and the secret keys pA, qA, dA. The ming weight determination unit 22073 determines whether the ming weight of the used secret key candidate dA ′ is greater than or equal to tl and less than th. If it is greater than or equal to tl and less than th, the used secret key candidate dA ′ (candidate value) ) Is set as the first used secret key (value) and stored in the first used secret key storage unit 2208. Otherwise, the process returns to the random number generation unit 22071.
[0208] tlは、秘密鍵の総当り攻撃に対する安全性レベルに基づき決定する。  [0208] tl is determined based on the security level against the brute force attack of the secret key.
[0209] 具体的には、例えば、 nのビット数が 1024の場合、 "28Q< C (1024, x) "となるよう な Xを tlとすればよい。ここで、 C (x, y)は x個力も y個を選ぶ組合せの数であり、数式[0209] Specifically, for example, when the number of bits of n is 1024, X that satisfies "2 8Q <C (1024, x)" may be set to tl. Where C (x, y) is the number of combinations that select x and y forces.
(1 4)で示される。 [0210] thは、例えば、予め定める第 2のべき乗剰余演算部 22032の処理時間の上限値よ り決定する。第 2のべき乗剰余演算部 22032において、乗算 Mulの演算回数は、 "le n— l +w(d) "である。乗算 Mulの計算時間を TMulとするとき、第 2のべき乗剰余演 算部 22032の処理時間は、 " (len- l +w(d) ) XTMul"である。処理時間の上限値 を THとすると、 "(len— 1 +th) XTMuKTH"より、 "thく TH/TMul— len+ 1"を 満たす値に thを設定すればょ ヽ。 It is indicated by (1 4). [0210] th is determined from, for example, a predetermined upper limit value of the processing time of the second power residue calculating unit 22032, which is determined in advance. In second power residue calculation section 22032, the number of operations of multiplication Mul is “le n−l + w (d)”. When the calculation time of the multiplication Mul is TMul, the processing time of the second power residue calculation unit 22032 is “(len−l + w (d)) XTMul”. If TH is the upper limit of the processing time, set th to a value that satisfies "th> TH / TMul—len + 1" from "(len— 1 + th) XTMuKTH".
[0211] ここで、秘密鍵の一部である dAと使用秘密鍵 dA,の関係について説明する。  [0211] Here, the relationship between dA, which is a part of the secret key, and the used secret key dA will be described.
[0212] 上記のように使用秘密鍵 dA,を生成したとき、 "dA' =dA+r X λ (nA) "または、 " dA' =dA+r X φ (nA) "を満たす。任意の nAと互いに素である正整数 xに対し、下 記の数式(2—4)および数式(2— 5)を満たすことがオイラーの定理より!/、える。  When the used secret key dA is generated as described above, “dA ′ = dA + r X λ (nA)” or “dA ′ = dA + r X φ (nA)” is satisfied. Euler's theorem satisfies the following formulas (2-4) and (2-5) for any nA and a positive integer x that is relatively prime.
[0213] [数 11]  [0213] [Equation 11]
(2- 4)χ λ (πΑ) = 1 [0214] [数 12] (2-4) χ λ ( πΑ ) = 1 [0214] [ Equation 12]
(2-5)χ Ψ (ηΑ) = 1 (2-5) χ Ψ ( ηΑ ) = 1
[0215] そのため、下記の数式(2— 6)で示されるように、第 2のメッセージ m2の mod nA において dA,乗したものと、 dA乗したものが等しい。なお、 φ (nA)の場合について も同様である。 [0215] Therefore, as indicated by the following mathematical formula (2-6), the power of dA in the mod nA of the second message m2 is equal to the power of dA. The same is true for φ (nA).
[0216] [数 13]  [0216] [Equation 13]
(2-6 m2dA'=m2(dA+rx A(nA)) (2-6 m2 dA '= m2 ( dA + rx A ( nA ))
=(m2dA) x (m2A (nA〕) r = (m2 dA ) x (m2 A ( nA )) r
= m2dA mod nA = m2 dA mod nA
[0217] したがって、秘密鍵 dAを用いて生成した署名データと、本実施の形態のように使用 秘密鍵 dA'を用いて生成した署名データは等しくなる。これにより、公開鍵は変えず に、使用秘密鍵 dA'を秘密鍵 dAの代わりに使用しても問題なく署名生成が行える。 Therefore, the signature data generated using the secret key dA is equal to the signature data generated using the used secret key dA ′ as in the present embodiment. As a result, the signature can be generated without any problem even if the used secret key dA 'is used instead of the secret key dA without changing the public key.
[0218] 続いて、本実施の形態における端末装置 B2300の構成について説明する。 [0218] Next, the configuration of terminal apparatus B2300 in the present embodiment will be described.
[0219] 図 13は、本実施の形態における端末装置 Bの構成を示す図である。図 13に示され るように、端末装置 B2300は、端末装置 B1300と比べて、下記(1)〜(4)の点が異 なる。 [0219] FIG. 13 is a diagram showing a configuration of terminal apparatus B in the present embodiment. Shown in Figure 13 As described above, the terminal device B2300 differs from the terminal device B1300 in the following points (1) to (4).
[0220] (1)復号ィ匕部 1302の代わりに、復号ィ匕部 2302を備える。  (1) A decoding key unit 2302 is provided instead of the decoding key unit 1302.
[0221] 復号ィ匕部 2302は、第 2の使用秘密鍵格納部 2308に格納されている端末装置 B2 300の使用秘密鍵 dB'と、第 2の公開鍵格納部 1305に格納されている公開鍵の一 部である nBを用いて、暗号文 clを復号化し復号文 ml 'を生成する。ここで、使用秘 密鍵 dB'は、秘密鍵 dBから生成され、端末装置 B2300内だけで使用される秘密鍵( 以下、第 2の使用秘密鍵とも呼称する。)である。  [0221] The decryption key unit 2302 includes the used secret key dB 'of the terminal device B2 300 stored in the second used secret key storage unit 2308 and the public key stored in the second public key storage unit 1305. Using nB, which is a part of the key, the ciphertext cl is decrypted to generate a decrypted text ml '. Here, the used secret key dB ′ is a secret key generated from the secret key dB and used only in the terminal apparatus B 2300 (hereinafter also referred to as a second used secret key).
[0222] (2)第 2の秘密鍵格納部 1304の代わりに、第 2の秘密鍵格納部 2304を備える。 (2) A second secret key storage unit 2304 is provided instead of the second secret key storage unit 1304.
[0223] 第 2の秘密鍵格納部 2304は、端末装置 B2300の秘密鍵 pB, qB, dBを格納する [0223] Second secret key storage section 2304 stores secret keys pB, qB, dB of terminal device B2300
[0224] (3)第 2の使用秘密鍵生成部 2307を新たに備える。 (3) A second use secret key generation unit 2307 is newly provided.
[0225] 第 2の使用秘密鍵生成部 2307は、第 2の秘密鍵格納部 2304に格納されている秘 密鍵 pB, qB, dBを用いて、冪乗剰余演算で使用する使用秘密鍵 dB'を一度だけ生 成し、第 2の使用秘密鍵格納部 2308に格納する。  [0225] The second used secret key generation unit 2307 uses the secret key pB, qB, dB stored in the second secret key storage unit 2304 to use the used secret key dB used in the power-residue calculation dB 'Is generated only once and stored in the second used secret key storage unit 2308.
[0226] (4)第 2の使用秘密鍵格納部 2308を新たに備える。  (4) A second used secret key storage unit 2308 is newly provided.
[0227] 第 2の使用秘密鍵格納部 2308は、冪乗剰余演算で使用する使用秘密鍵 dB'を格 納する。  [0227] The second used secret key storage unit 2308 stores the used secret key dB 'used in the power-residue calculation.
[0228] 続いて、本実施の形態における復号ィ匕部 2302の詳細構成について説明する。  [0228] Next, a detailed configuration of decoding section 2302 in the present embodiment will be described.
[0229] 図 13に示されるように、復号ィ匕部 2302は、第 2のべき乗剰余演算部 23021を備え る。 As shown in FIG. 13, decryption unit 2302 includes second power residue calculation unit 23021.
[0230] 第 2のべき乗剰余演算部 23021は、実施の形態 1における第 2のべき乗剰余演算 部 13021と同一の機能を有していることにより、説明を省略する。  [0230] The second power residue calculation unit 23021 has the same function as the second power residue calculation unit 13021 in Embodiment 1, and thus the description thereof is omitted.
[0231] そして、復号化部 2302は、第 2のべき乗剰余演算部 23021において、 xとして暗号 文 cl、 dとして使用秘密鍵 dB'、 nとして公開鍵の一部である nBを入力して、 "cldB' mod nB"を計算し、その結果を復号文 ml,とする。 [0231] Then, the decryption unit 2302 inputs the ciphertext cl as x, the used secret key dB 'as x, and nB that is a part of the public key as n in the second power residue calculation unit 23021, "cl dB 'mod nB" is calculated, and the result is the decrypted text ml.
[0232] 続いて、本実施の形態における第 2の使用秘密鍵生成部 2307の詳細構成につい て説明する。 [0233] 図 13に示されるように、第 2の使用秘密鍵生成部 2307は、正整数 cと法 nに対する 冪乗剰余演算に使用される冪値を生成し、生成した冪値を第 2の使用秘密鍵として 使用する。このとき、冪値の候補となる候補値を生成し、候補値のハミング重みが所 定の範囲内に属する力否かを判定し、所定の範囲内に属する場合は、候補値を冪 値として設定する。ここでは、一例として、乱数生成部 23071と、使用秘密鍵候補生 成咅 23072と、ノ、ミング重み半 IJ定咅 23073とを備える。 [0232] Next, a detailed configuration of the second used secret key generation unit 2307 in the present embodiment will be described. [0233] As shown in Fig. 13, the second used secret key generation unit 2307 generates a threshold value used for the power-residue calculation for the positive integer c and modulus n, and the generated threshold value is the second value. Use as a private key. At this time, a candidate value that is a candidate for the threshold value is generated, it is determined whether the hamming weight of the candidate value is within a predetermined range, and if it is within the predetermined range, the candidate value is set as the threshold value. Set. Here, as an example, a random number generation unit 23071, a used secret key candidate generation unit 23072, and a half-ming weight half IJ definition 23073 are provided.
[0234] 乱数生成部 23071は、正整数である乱数 rを生成する。乱数のビット数は、例えば 、 32である。  [0234] The random number generation unit 23071 generates a random number r that is a positive integer. The number of bits of the random number is, for example, 32.
[0235] 使用秘密鍵候補生成部 23072は、乱数 rと秘密鍵 pB, qB, dBを用いて、下記の 数式(2— 7)で示される使用秘密鍵候補 dB'を生成する。  Use secret key candidate generation section 23072 generates use secret key candidate dB ′ represented by the following equation (2-7) using random number r and secret keys pB, qB, dB.
[0236] [数 14] [0236] [Equation 14]
(2-7)dB'=dB+rx λ (ηΒ) (2-7) dB '= dB + rx λ (ηΒ)
[0237] [数 15] [0237] [Equation 15]
(2-8) λ (nB) = LCM(pB-l,qB-l) (2-8) λ (nB) = LCM (pB-l, qB-l)
[0238] ここで、 λ (ηΒ)はカーマイケル関数である。なお、カーマイケル関数 λ (ηΒ)の代 わりに、下記の数式(2— 9)で示されるオイラー関数 φ (ηΒ)であってもよい。 Where λ (ηΒ) is the Carmichael function. Instead of the Carmichael function λ (ηΒ), the Euler function φ (ηΒ) represented by the following equation (2-9) may be used.
[0239] [数 16] [0239] [Equation 16]
(2-9) (ηΒ)=(ρΒ-1) Χ (ςΒ-1) (2-9) (ηΒ) = (ρΒ-1) Χ (ςΒ-1)
[0240] ノ、ミング重み判定部 23073は、使用秘密鍵候補 dB'のハミング重みが予め与えら れた所定値 tl以上、 th未満であるかを判定する。 [0240] The ming weight determination section 23073 determines whether the hamming weight of the used secret key candidate dB 'is greater than or equal to a predetermined value tl and less than th.
[0241] そして、第 2の使用秘密鍵生成部 2307は、乱数生成部 23071において、乱数 rを 生成する。使用秘密鍵候補生成部 23072において、乱数 rと秘密鍵 pB, qB, dBを 用いて、使用秘密鍵候補 dB'を計算する。ノ、ミング重み判定部 23073において、使 用秘密鍵候補 dB'のハミング重み力 ¾1以上 th未満であるかを判定し、 tl以上 th未満 であれば、使用秘密鍵候補 dB' (候補値)を第 2の使用秘密鍵 (冪値)として設定し、 第 2の使用秘密鍵格納部 2308に格納する。それ以外は、乱数生成部 23071の処 理に戻る。 Then, second used secret key generation section 2307 generates random number r in random number generation section 23071. The used secret key candidate generation unit 23072 calculates the used secret key candidate dB ′ using the random number r and the secret keys pB, qB, dB. In the ming weight determination unit 23073, it is determined whether the hamming weight power of the used secret key candidate dB ′ is ¾1 or more and less than th, and if it is tl or more and less than th, the used secret key candidate dB ′ (candidate value) is determined. Set it as the second private key (low value) Stored in the second used secret key storage unit 2308. Otherwise, the process returns to the random number generator 23071.
[0242] ここで、秘密鍵の一部である dBと使用秘密鍵 dB'の関係にっ 、て説明する。  [0242] Here, the relationship between dB, which is a part of the secret key, and the used secret key dB 'will be described.
[0243] 上記のように使用秘密鍵 dB,を生成したとき、 "dB' =dB+r X λ (nB) "または、 "d B' =dB+rX (nB) "を満たす。任意の nBと互いに素である正整数 xに対し、下記 の数式(2—10)および数式(2—11)を満たすことがオイラーの定理より!/、える。 When the used secret key dB is generated as described above, “dB ′ = dB + r X λ (nB)” or “d B ′ = dB + rX (nB)” is satisfied. Euler's theorem satisfies the following formulas (2-10) and (2-11) for any nB and a positive integer x that is relatively prime.
[0244] [数 17] [0244] [Equation 17]
(2-10)χλ(πΒ) = 1 (2-10) χ λ ( πΒ ) = 1
[0245] [数 18] [0245] [Equation 18]
(2-11)χΦ(πΒ) = 1 (2-11) χΦ ( πΒ ) = 1
[0246] そのため、下記の数式(2— 12)で示されるように、暗号文 clの mod nBにおいて d B,乗したものと、 dB乗したものが等しい。なお、 φ (nB)の場合についても同様であ る。 [0246] Therefore, as shown in the following formula (2-12), the power of dB in mod nB of the ciphertext cl is equal to the power of dB. The same is true for φ (nB).
[0247] [数 19]  [0247] [Equation 19]
(2-l2)cldB'='"1 dB+rX λ (nB) (2-l2) cl dB '='"1 dB + rX λ (nB)
= (CldB) X (Cl A (nB〕) r = (Cl dB ) X (Cl A ( nB )) r
=cldB mod nB したがって、秘密鍵 dBを用いて生成した復号文と、本実施の形態のように使用秘 密鍵 dB'を用いて生成した復号文は等しくなる。これにより、公開鍵は変えずに、使 用秘密鍵 dB'を秘密鍵 dBの代わりに使用しても問題なく復号ィ匕が行える。 = cl dB mod nB Therefore, the decrypted text generated using the secret key dB is equal to the decrypted text generated using the used secret key dB ′ as in the present embodiment. As a result, decryption can be performed without any problem even if the used private key dB ′ is used instead of the private key dB without changing the public key.
[0248] 続いて、本実施の形態における暗号システム 200の動作について説明する。 [0248] Next, the operation of the cryptographic system 200 in the present embodiment will be described.
[0249] 暗号システム 2000の動作は、鍵発行を行う「鍵発行時」と、端末装置 A2200にお いて第 1の使用秘密鍵を生成する「第 1の使用秘密鍵生成時」と、端末装置 B2300 において第 2の使用秘密鍵を生成する「第 2の使用秘密鍵生成時」と、端末装置 A2 200と端末装置 B2300間の暗号通信を行う「暗号通信時」の動作力もなる。 [0249] The operation of the cryptographic system 2000 is as follows: "When issuing a key" for issuing a key, "When generating a first used secret key" for generating a first used secret key in the terminal device A2200, In B2300, the operation power is “at the time of generating the second used secret key” for generating the second used secret key and “at the time of encrypted communication” for performing the encrypted communication between the terminal device A2 200 and the terminal device B2300.
[0250] 「鍵発行時」は、鍵発行サーバ 2100において、端末装置 A2200及び端末装置 B2 300の秘密鍵と公開鍵を生成し、それぞれの装置に格納する。「第 1の使用秘密鍵 生成時」は、端末装置 A2200において、端末装置 A2200の秘密鍵から第 1の使用 秘密鍵を生成する。「第 2の使用秘密鍵生成時」は、端末装置 B2300において、端 末装置 B2300の秘密鍵から第 2の使用秘密鍵を生成する。「暗号通信時」は、入力 である第 1のメッセージ ml及び第 2のメッセージ m2に対し、端末装置 A2200におい て、第 1のメッセージ mlの暗号文と、第 2のメッセージ m2の署名データを生成し、端 末装置 B2300へ通信路 1400を介して送信し、端末装置 B2300にお 、て受信して 、復号化及び署名検証を行い、復号文 ml 'と署名検証結果 (OKまたは NG)を出力 する。 [0250] When the key is issued, the key issuing server 2100 uses the terminal device A2200 and the terminal device B2 300 private keys and public keys are generated and stored in each device. In “when the first used secret key is generated”, the terminal device A2200 generates the first used secret key from the secret key of the terminal device A2200. In “when the second used secret key is generated”, the terminal device B2300 generates the second used secret key from the secret key of the terminal device B2300. At the time of “encryption communication”, the ciphertext of the first message ml and the signature data of the second message m2 are generated in the terminal device A2200 for the first message ml and the second message m2 that are input. The data is transmitted to the terminal device B2300 via the communication path 1400, received by the terminal device B2300, decrypted and signed, and the decrypted text ml 'and the signature verification result (OK or NG) are output. To do.
[0251] 以下、「鍵発行時」のフローチャートを図 14、「第 1の使用秘密鍵生成時」のフロー チャートを図 15、「第 2の使用秘密鍵生成時」のフローチャートを図 16、「暗号通信時 」のフローチャートを図 17に示す。  [0251] Fig. 14 shows the flowchart for "when issuing a key", Fig. 15 shows the flowchart for "when generating a first used secret key", and Fig. 16 shows the flowchart for "when generating a second used secret key". Fig. 17 shows the flowchart for "Cryptographic communication".
[0252] 図 14は、本実施の形態における暗号システム 2000の鍵発行時の動作を示す図で ある。図 14に示されるように、鍵発行時には、鍵発行サーバ 2100は、素数生成部 11 01において、素数 pA, qAを生成する(S401)。秘密鍵生成部 2102において、秘密 鍵 dAを生成する(S402)。公開鍵生成部 2103において、 "nA=pAX qA"を求め、 eAを計算する(S403)。鍵設定部 2104において、端末装置 A2200の第 1の秘密 鍵格納部 2204に秘密鍵 pA, qA, dAを格納する(S404)。端末装置 A2200の第 1 の公開鍵格納部 1205に nA, eAを公開鍵として格納する(S405)。端末装置 B230 0の第 1の公開鍵格納部 1306に nA, eAを格納する(S406)。  FIG. 14 is a diagram showing an operation at the time of key issuance of the cryptographic system 2000 in the present embodiment. As shown in FIG. 14, at the time of key issuance, the key issuing server 2100 generates prime numbers pA and qA in the prime number generation unit 1101 (S401). The secret key generation unit 2102 generates a secret key dA (S402). The public key generation unit 2103 calculates “nA = pAX qA” and calculates eA (S403). In the key setting unit 2104, the secret keys pA, qA, dA are stored in the first secret key storage unit 2204 of the terminal device A2200 (S404). NA and eA are stored as public keys in the first public key storage unit 1205 of the terminal device A2200 (S405). NA and eA are stored in the first public key storage unit 1306 of the terminal device B2300 (S406).
[0253] さらに、鍵発行サーバ 2100は、素数生成部 1101において、素数 pB, qBを生成す る(S407)。秘密鍵生成部 2102において、秘密鍵 dBを生成する(S408)。公開鍵 生成部 2103において、 "nB=pB X qB"を求め、 eBを計算する(S409)。鍵設定部 2104において、端末装置 B2300の第 2の秘密鍵格納部 2304に秘密鍵 pB, qB, d Bを格納する(S410)。端末装置 B2300の第 2の公開鍵格納部 1305に nB, eBを公 開鍵として格納する(S411)。端末装置 A2200の第 2の公開鍵格納部 1206に nB, eBを格納する(S412)。そして、終了する。  Furthermore, the key issuing server 2100 generates prime numbers pB and qB in the prime number generation unit 1101 (S407). The secret key generation unit 2102 generates a secret key dB (S408). The public key generation unit 2103 calculates “nB = pB X qB” and calculates eB (S409). The key setting unit 2104 stores the secret keys pB, qB, and dB in the second secret key storage unit 2304 of the terminal device B2300 (S410). NB and eB are stored as public keys in the second public key storage unit 1305 of the terminal device B2300 (S411). NB and eB are stored in the second public key storage unit 1206 of the terminal device A2200 (S412). And it ends.
[0254] 図 15は、本実施の形態における端末装置 A2200の第 1の使用秘密鍵生成時の動 作を示す図である。図 15に示されるように、第 1の使用秘密鍵生成時には、端末装 置 A2200は、第 1の使用秘密鍵生成部 2207において、乱数 rを生成し (S421)、生 成した乱数 rと第 1の秘密鍵格納部 2204に格納されている秘密鍵 pA, qA, dAとを 用いて、使用秘密鍵候補 dA'を計算する(S422)。計算して得られた使用秘密鍵候 補 dA,のノヽミング重みが tl以上、 th未満である場合は(S423: Yes)、使用秘密鍵候 補 dA'を第 1の使用秘密鍵として第 1の使用秘密鍵格納部 2208に格納する(S424 )。一方、ノ、ミング重みが tl以上、 th未満でない場合は(S423 :No)、乱数 rを生成す る処理 (S421)から再度実行する。 FIG. 15 shows the operation at the time of generating the first used secret key of terminal device A 2200 in the present embodiment. It is a figure which shows work. As shown in FIG. 15, when the first used secret key is generated, the terminal device A 2200 generates a random number r in the first used secret key generation unit 2207 (S421). Using the secret keys pA, qA, dA stored in the one secret key storage unit 2204, a secret key candidate dA ′ to be used is calculated (S422). If the nominating weight of the used secret key candidate dA, obtained by calculation is greater than or equal to tl and less than th (S423: Yes), the first used secret key is used as the first secret key used dA '. Is stored in the used secret key storage unit 2208 (S424). On the other hand, when the ming weight is not less than tl and less than th (S423: No), the process is again executed from the process (S421) for generating the random number r.
[0255] 図 16は、本実施の形態における端末装置 B2300の第 2の使用秘密鍵生成時の動 作を示す図である。図 16に示されるように、第 2の使用秘密鍵生成時には、端末装 置 B2300は、第 2の使用秘密鍵生成部 2307において、乱数 rを生成し (S431)、生 成した乱数 rと第 2の秘密鍵格納部 2304に格納されている秘密鍵 pB, qB, dBとを用 いて、使用秘密鍵候補 dB'を計算する (S432)。計算して得られた使用秘密鍵候補 dB' のノ、ミング重みが tl以上、 th未満である場合は(S433 : Yes)、使用秘密鍵候補 dB'を第 2の使用秘密鍵として第 2の使用秘密鍵格納部 2308に格納する(S434)。 一方、ノ、ミング重みが tl以上、 th未満でない場合は(S433 :No)、乱数 rを生成する 処理 (S431)から再度実行する。  [0255] FIG. 16 is a diagram showing an operation when the second used secret key is generated by terminal apparatus B2300 in the present embodiment. As shown in FIG. 16, when generating the second used secret key, the terminal device B 2300 generates a random number r in the second used secret key generation unit 2307 (S431), and the generated random number r and Using the secret keys pB, qB, dB stored in the second secret key storage unit 2304, a secret key candidate dB ′ is calculated (S432). If the value of the used secret key candidate dB 'obtained by calculation is greater than or equal to tl and less than th (S433: Yes), the second used secret key is used as the second used secret key. It is stored in the used secret key storage unit 2308 (S434). On the other hand, if the ming weight is not less than tl and less than th (S433: No), the process is again executed from the process (S431) for generating the random number r.
[0256] 図 17は、本実施の形態における暗号システム 2000の暗号通信時の動作を示す図 である。図 17に示されるように、暗号通信時には、端末装置 A2200は、暗号化部 12 02において、第 1のメッセージ mlの暗号文 clを生成する(S501)。署名生成部 220 3において、第 2のメッセージ m2の署名データ Sを生成する(S502)。送信部 1201 において、暗号文 cl、第 2のメッセージ m2と署名データ Sを端末装置 B2300へ通信 路 1400を介して送信する(S503)。  [0256] FIG. 17 is a diagram showing an operation at the time of cryptographic communication of the cryptographic system 2000 in the present embodiment. As shown in FIG. 17, at the time of encrypted communication, the terminal device A 2200 generates the ciphertext cl of the first message ml in the encryption unit 1202 (S501). The signature generation unit 2203 generates the signature data S of the second message m2 (S502). Transmitter 1201 transmits ciphertext cl, second message m2 and signature data S to terminal device B2300 via communication path 1400 (S503).
[0257] これに対して、端末装置 B2300は、受信部 1301において、暗号文 cl、第 2のメッ セージ m2と署名データ Sを受信する(S504)。復号ィ匕部 2302において、暗号文 cl を復号化して復号文 ml 'を取得する(S505)。署名検証部 1303において、署名デ ータ Sを検証する(S506)。署名データ Sが第 2のメッセージの正し 、署名であれば( S506 : Sは正しい)、署名検証結果を OK(S507)、正しくない署名であれば(S506 : Sは不正)、署名検証結果を NGをとする(S508)。 On the other hand, terminal apparatus B 2300 receives ciphertext cl, second message m 2 and signature data S at receiving section 1301 (S 504). In the decryption key section 2302, the ciphertext cl is decrypted to obtain the decrypted text ml ′ (S505). The signature verification unit 1303 verifies the signature data S (S506). If the signature data S is correct and the signature of the second message (S506: S is correct), the signature verification result is OK (S507), and if the signature is incorrect (S506: S is invalid), and the signature verification result is NG (S508).
[0258] そして、端末装置 B2300は、復号文 ml 'と署名検証結果を出力する(S509)。  Then, the terminal device B 2300 outputs the decrypted text ml ′ and the signature verification result (S509).
[0259] 以上説明したように、実施の形態 2における暗号システム 2000では、端末装置 A2 200及び端末装置 B2300にお 、て、 tl以上 th未満のハミング重みを持つ使用秘密 鍵 dA' , dB'を生成し、生成した使用秘密鍵 dA'を端末装置 A2200の署名生成部 2 203、使用秘密鍵 dB'を端末装置 B2300の復号化部 2302で使用する。端末装置 A2200、端末装置 B2300では、使用秘密鍵 dA'、 dB'をそれぞれ用いて、冪乗剰 余演算を行う。その冪乗剰余演算は、第 2のべき乗剰余演算部 22032、第 2のべき 乗剰余演算部 23021で 2乗算を同じ数の乗算で実現することにより実行する。  [0259] As described above, in the cryptographic system 2000 according to the second embodiment, in the terminal device A2 200 and the terminal device B2300, the used secret keys dA ′ and dB ′ having a hamming weight not less than tl and less than th are used. The generated private key dA ′ is generated and used by the signature generation unit 2203 of the terminal device A2200, and the used private key dB ′ is used by the decryption unit 2302 of the terminal device B2300. The terminal device A2200 and the terminal device B2300 perform the power-residue calculation using the used secret keys dA ′ and dB ′, respectively. The power-residue calculation is executed by realizing the second multiplication by the same number of multiplications in the second power-residue calculating unit 22032 and the second power-residue calculating unit 23021.
[0260] したがって、 2乗算と乗算の順序を解析する電力解析攻撃で、秘密鍵 dA, dBを解 析することが困難である。さらに、使用秘密鍵 dA' , dB'のノ、ミング重みを tl以上にな るよう端末装置 A2200及び端末装置 2300で生成しており、さらに tlは秘密鍵の総 当り攻撃に要する処理時間が nの素因数分解に要する処理時間より大きくなるよう設 定されているため、演算回数から秘密鍵の探索空間を狭める攻撃に対しても本実施 の形態 2の端末装置 A2200、端末装置 B2300は安全である。  [0260] Therefore, it is difficult to analyze the secret key dA, dB by a power analysis attack that analyzes the order of two multiplications and multiplications. In addition, the terminal device A2200 and the terminal device 2300 generate the ming weights of the used secret keys dA 'and dB' to be tl or more, and tl is the processing time required for the brute force attack of the secret key n Therefore, the terminal device A2200 and terminal device B2300 of the second embodiment are safe even against attacks that narrow the secret key search space from the number of computations. .
[0261] すなわち、図 18に示されるように、従来の冪乗剰余演算に使用される冪値は、ハミ ング重みが小さ力つたり大き力つたりして生成される場合がある。そして、ノ、ミング重 みが小さいと、安全性が低くなり、ハミング重みが大きいと、計算時間が長くなる。  That is, as shown in FIG. 18, the threshold value used in the conventional power-residue calculation may be generated when the humming weight is small or large. If the weight is small, the safety is low. If the Hamming weight is large, the calculation time is long.
[0262] これに対して、図 19に示されるように、本発明の冪乗剰余演算に使用される冪値は 、ノ、ミング重みが一定の範囲に収まるように生成される。そして、一定の範囲内にハミ ング重みが収まるため、安全であり、計算時間も長くならない。  On the other hand, as shown in FIG. 19, the power value used in the power-residue calculation of the present invention is generated so that the weighting weights are within a certain range. And since the Hamming weights fall within a certain range, it is safe and the calculation time is not prolonged.
[0263] これによつて、実施の形態 1における鍵発行サーバ 1100や実施の形態 2における 端末装置 A2200、端末装置 B2300などは、単純電力解析攻撃に対して RSA暗号 の安全性が確保されて!、る。  [0263] As a result, the key issuing server 1100 in the first embodiment and the terminal device A2200, the terminal device B2300, etc. in the second embodiment ensure the security of the RSA encryption against a simple power analysis attack! RU
[0264] なお、 512ビットの冪値 dに対して、使用秘密鍵 d,のハミング重みが tl= 15以上の 数の中で最小になる乱数 rを 8ビットの範囲で探索し、使用秘密鍵 d'を生成してもよ い。図 20は、このような使用秘密鍵 d,を生成したときの乗算回数の出現頻度をプロッ トしたグラフである。このグラフから、本発明の適用後は、適用前よりも 20回程度乗算 回数が削減され、 3%程度、計算時間が高速になっていることが示されている。 [0264] For the 512-bit threshold value d, a random number r that minimizes the Hamming weight of the used secret key d, among the numbers with tl = 15 or more, is searched in the 8-bit range, and the used secret key d 'may be generated. Fig. 20 is a graph plotting the frequency of occurrence of multiplication when such a used secret key d is generated. From this graph, after application of the present invention, it is multiplied about 20 times before application. It is shown that the number of times is reduced, and calculation time is about 3% faster.
[0265] (変形例) [0265] (Modification)
上記に説明した実施の形態は、本発明の実施の一例であり、本発明はこの実施の 形態に何ら限定されるものではなぐその旨を逸脱しな 、範囲にぉ 、て種々なる態様 で実施し得るものである。例えば、以下(1)〜( 14)のような場合も本発明に含まれる  The embodiment described above is an example of the implementation of the present invention, and the present invention is not limited to this embodiment in any way, and can be implemented in various modes without departing from the scope of the invention. It is possible. For example, the following cases (1) to (14) are also included in the present invention.
[0266] (1)実施の形態 1及び 2にお 、て、鍵発行サーバは、生成した公開鍵及び秘密鍵 を端末装置 Aおよび端末装置 Bのそれぞれの第 1の秘密鍵格納部、第 2の秘密鍵格 納部、第 1の公開鍵格納部、第 2の公開鍵格納部に直接、格納して発行しているが、 通信路または記録媒体を介して発行してもよ 、。 (1) In Embodiments 1 and 2, the key issuing server sends the generated public key and secret key to the first secret key storage unit and the second secret key of the terminal device A and the terminal device B, respectively. The private key storage unit, the first public key storage unit, and the second public key storage unit are directly stored and issued, but may be issued via a communication channel or a recording medium.
[0267] (2)実施の形態 1にお 、て、秘密鍵 dを決定した後、 eを決定して 、るが、実施の形 態 2のように eを決定した後、 dを決定してもよい。その場合は、実施の形態 2の端末装 置 A2200及び端末装置 B2300で行って 、るように、カーマイケル関数またはォイラ 一関数を用いて、秘密鍵 dのハミング重み力 ¾1以上 th未満となるように補正してもよ ヽ 。また、実施の形態 2においても、 eを固定せず、秘密鍵 dを決定した後、 eを決定する としてちよい。  [0267] (2) In Embodiment 1, after determining the secret key d, e is determined. However, after e is determined as in Embodiment 2, d is determined. May be. In that case, the Hamming weighting force of the secret key d is ¾1 or more and less than th using the Carmichael function or the Euler function, as is done in the terminal device A2200 and the terminal device B2300 of the second embodiment. You can correct it to ヽ. Also in the second embodiment, e may be determined after fixing the secret key d without fixing e.
[0268] (3)実施の形態 2において、使用秘密鍵 dA' , dB'は、暗号通信時に毎回生成さ れるとしてもよい。すなわち、秘密鍵の代わりに冪乗剰余演算に使用される使用秘密 鍵を、端末装置で冪乗剰余演算が実行されるたびに変更するとしてもよい。このとき 、乱数を使用して、使用秘密鍵のハミング重みが一定の範囲に収まるように使用秘密 鍵を生成する。  (3) In Embodiment 2, the used secret keys dA ′ and dB ′ may be generated every time during encrypted communication. That is, the used secret key used for the power residue calculation instead of the secret key may be changed every time the power residue calculation is executed in the terminal device. At this time, the used secret key is generated using random numbers so that the Hamming weight of the used secret key falls within a certain range.
[0269] 例えば、図 21に示されるように、署名生成部 3203は、第 1の使用秘密鍵生成部 32 07を含み、冪乗剰余演算が実行されるたびに更新される使用秘密鍵 dA'を使用し て署名生成処理を実行するとしてもよ ヽ。  [0269] For example, as shown in FIG. 21, the signature generation unit 3203 includes a first used secret key generation unit 3207, and is used every time a modular exponentiation operation is performed. You can also use to generate the signature generation process.
[0270] ここで、第 1の使用秘密鍵生成部 3207は、第 2のべき乗剰余演算部 32032で冪乗 剰余演算が実行されるたびに、使用秘密鍵 dA'を生成する。このとき、実施の形態 2 における第 1の使用秘密鍵生成部 2207と同様に、秘密鍵 dAを用いて、 tl以上 th未 満のハミング重みを持つ使用秘密鍵 dA'を生成する。第 2のべき乗剰余演算部 320 32は、冪乗剰余演算を実行するたびに生成される使用秘密鍵 dA'を使用して、実 施の形態 2における第 2のべき乗剰余演算部 22032と同様に冪乗剰余演算を実行 する。 Here, the first used secret key generation unit 3207 generates the used secret key dA ′ every time the second power residue calculation unit 32032 executes the power residue calculation. At this time, similarly to the first used secret key generation unit 2207 in the second embodiment, the secret key dA is used to generate a used secret key dA ′ having a hamming weight not less than tl and less than th. Second power residue calculation unit 320 32 uses the used secret key dA ′ generated each time the power-residue calculation is executed, and performs the power-residue calculation in the same way as the second power-residue calculation unit 22032 in the second embodiment.
[0271] また、図 22に示されるように、復号化部 3302は、第 2の使用秘密鍵生成部 3307を 含み、冪乗剰余演算が実行されるたびに更新される使用秘密鍵 dB'を使用して復号 化処理を実行するとしてもよ 、。  [0271] Also, as shown in FIG. 22, the decryption unit 3302 includes a second used secret key generation unit 3307, and uses the used secret key dB ′ that is updated each time a power-residue operation is performed. You may use it to perform the decryption process.
[0272] ここで、第 2の使用秘密鍵生成部 3307は、第 2のべき乗剰余演算部 33021で冪乗 剰余演算が実行されるたびに、使用秘密鍵 dB'を生成する。このとき、実施の形態 2 における第 2の使用秘密鍵生成部 2307と同様に、秘密鍵 dBを用いて、 tl以上 th未 満のノ、ミング重みを持つ使用秘密鍵 dB'を生成する。第 2のべき乗剰余演算部 330 21は、冪乗剰余演算を実行するたびに生成された使用秘密鍵 dA'を使用して、実 施の形態 2における第 2のべき乗剰余演算部 23021と同様に冪乗剰余演算を実行 する。  Here, the second used secret key generating unit 3307 generates the used secret key dB ′ every time the second power residue calculating unit 33021 executes the power residue calculation. At this time, similarly to the second used secret key generation unit 2307 in the second embodiment, the secret key dB is used to generate a used secret key dB ′ having a ming weight of less than tl and less than th. The second power residue calculation unit 33021 uses the used secret key dA ′ generated each time the power residue calculation is performed, and is similar to the second power residue calculation unit 23021 in the second embodiment. Performs power-residue operation.
[0273] または、使用秘密鍵 dA' , dB'は、鍵発行時の処理後に一度のみ生成されるとして ちょい。  [0273] Or, it is assumed that the used private keys dA 'and dB' are generated only once after the process of key issuance.
[0274] (4)実施の形態 1及び 2では、暗号方式として RSA暗号、冪乗剰余演算を実行する 暗号方式、例えば、 ElGamal暗号としてもよい。 ElGamal暗号では、秘密鍵は冪値 x とし、公開鍵はシステム全体に予め与えられた素数 pと 1から p—1までのいずれかの 整数である gを用いて" gx mod p"を計算して得る。これらの秘密鍵及び公開鍵の 生成は鍵発行サーバにて実施する。このとき、実施の形態 1の秘密鍵生成部 1102 では、端末装置 B1300用に生成した乱数 kを ElGamal暗号の秘密鍵 Xとしてもよ 、。 また、実施の形態 2の秘密鍵生成部 2102では、端末装置 B2300用に生成した乱数 kを ElGamal暗号の秘密鍵 Xとし、第 2の使用秘密鍵生成部 2307では、 "gx> mod P"の位数を qとしたとき、 "x' =x+r X q"としてハミング重みが tl以上 th未満となるま で、乱数 rを生成し、ノ、ミング重み力 ¾1以上 th未満となる x'を使用秘密鍵として生成し てもよい。 (4) In Embodiments 1 and 2, RSA encryption may be used as the encryption method, or an encryption method that performs a power-residue operation, for example, ElGamal encryption. In ElGamal cryptography, the secret key is a value x, and the public key is "g x mod p" using the prime p given in advance in the whole system and g which is an integer from 1 to p—1. And get. These secret keys and public keys are generated by the key issuing server. At this time, the secret key generation unit 1102 of the first embodiment may use the random number k generated for the terminal device B 1300 as the secret key X of the ElGamal encryption. Also, in the secret key generation unit 2102 of the second embodiment, the random number k generated for the terminal device B2300 is set as the ElGamal encryption secret key X, and in the second use secret key generation unit 2307, “g x> mod P” If the order of is q, "x '= x + r X q" and a random number r is generated until the Hamming weight is greater than or equal to tl and less than th. 'May be generated as a used private key.
[0275] (5)本発明は、冪値をハミング重み力 ¾1以上 th未満となるように生成し、その冪値を 用いて冪乗剰余演算を行う冪値生成装置であってもよい。この冪値生成装置は、 D H (Diffie— Hellman)鍵共有または、 DSA(Digital Signature Algorithm)署 名方式で使用してもよい。 [0275] (5) The present invention may be a threshold value generating device that generates a threshold value so as to be a Hamming weight force ¾1 or more and less than th, and performs a power-residue calculation using the threshold value. This threshold generator is D H (Diffie-Hellman) key agreement or DSA (Digital Signature Algorithm) signature method may be used.
[0276] (6)上記の各装置は、具体的には、マイクロプロセッサ、 ROM (Read Only Me mory)、 RAM (Random Access Memory)、ノヽードデイスクユニット、ティスフ。レ ィユニット、キーボード、マウスなど力も構成されるコンピュータシステムである。 RAM またはハードディスクユニットには、コンピュータプログラムが記憶されている。マイクロ プロセッサが、コンピュータプログラムにしたがって動作することにより、各装置は、そ の機能を達成する。ここでコンピュータプログラムは、所定の機能を達成するために、 コンピュータに対する指令を示す命令コードが複数個組み合わされて構成されたも のである。 (6) Specifically, each of the above devices is a microprocessor, a ROM (Read Only Memory), a RAM (Random Access Memory), a node disk unit, and a Tisf. It is a computer system that also includes power such as a ray unit, keyboard, and mouse. A computer program is stored in the RAM or hard disk unit. Each device achieves its functions through the microprocessor's operation according to the computer program. Here, the computer program is configured by combining a plurality of instruction codes indicating instructions for the computer in order to achieve a predetermined function.
[0277] (7)上記の各装置を構成する構成要素の一部または全部は、 1個のシステム LSI ( Large Scale Integration:大規模集積回路)から構成されているとしてもよい。シ ステム LSIは、複数の構成部を 1個のチップ上に集積して製造された超多機能 LSIで あり、具体的には、マイクロプロセッサ、 ROM、 RAMなどを含んで構成されるコンビ ユータシステムである。 RAMには、コンピュータプログラムが記憶されている。マイク 口プロセッサ力 コンピュータプログラムにしたがって動作することにより、システム LSI は、その機能を達成する。  (7) A part or all of the constituent elements constituting each of the above devices may be constituted by one system LSI (Large Scale Integration). A system LSI is an ultra-multifunctional LSI that is manufactured by integrating multiple components on a single chip. Specifically, it is a computer system that includes a microprocessor, ROM, RAM, and so on. It is. A computer program is stored in the RAM. Microprocessor power The system LSI achieves its functions by operating according to the computer program.
[0278] (8)上記の各装置を構成する構成要素の一部または全部は、各装置に脱着可能 な ICカードまたは単体のモジュール力も構成されているとしてもよい。 ICカードまたは モジュールは、マイクロプロセッサ、 ROM, RAMなどから構成されるコンピュータシ ステムである。 ICカードまたはモジュールは、上記の超多機能 LSIを含むとしてもよい 。マイクロプロセッサが、コンピュータプログラムにしたがって動作することにより、 IC力 ードまたはモジュールは、その機能を達成する。この ICカードまたはこのモジュール は、耐タンパ性を有するとしてもよい。  [0278] (8) A part or all of the components constituting each of the above devices may be configured as an IC card that can be attached to and detached from each device or a single module force. An IC card or module is a computer system composed of a microprocessor, ROM, RAM, and so on. The IC card or module may include the above-mentioned super multifunctional LSI. The IC card or module achieves its functions by the microprocessor operating according to the computer program. This IC card or this module may be tamper resistant.
[0279] (9)本発明は、上記に示す方法であるとしてもよい。また、これらの方法をコンビュ ータにより実現するコンピュータプログラムであるとしてもよいし、コンピュータプロダラ ムカもなるディジタル信号であるとしてもよ 、。  (9) The present invention may be the method described above. Also, it may be a computer program that realizes these methods by a computer, or it may be a digital signal that also serves as a computer program.
[0280] (10)また、本発明は、コンピュータプログラムまたはディジタル信号をコンピュータ 読み取り可能な記録媒体、例えば、フレキシブルディスク、ハードディスク、 CD-RO[0280] (10) The present invention also provides a computer program or a digital signal stored in a computer. A readable recording medium such as a flexible disk, hard disk, CD-RO
M、 MO、 DVD, DVD-ROM, DVD -RAM, BD (Blu— ray Disc)、半導体メ モリなどに記録したものとしてもよい。また、これらの記録媒体に記録されているデイジ タル信号であるとしてもよ!/、。 It may be recorded on M, MO, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray Disc), semiconductor memory, or the like. It may also be a digital signal recorded on these recording media! /.
[0281] (11)また、本発明は、コンピュータプログラムまたはディジタル信号を、電気通信回 線、無線または有線通信回線、インターネットを代表とするネットワーク、データ放送 等を経由して伝送するものとしてもよい。 [0281] (11) Further, the present invention may transmit a computer program or a digital signal via a telecommunication line, a wireless or wired communication line, a network represented by the Internet, a data broadcast, or the like. .
[0282] (12)また、本発明は、マイクロプロセッサとメモリを備えたコンピュータシステムであ つて、メモリは、コンピュータプログラムを記憶しており、マイクロプロセッサは、コンビュ ータプログラムにしたがって動作するとしてもよい。 [0282] (12) Further, the present invention may be a computer system including a microprocessor and a memory, wherein the memory stores a computer program, and the microprocessor operates according to the computer program.
[0283] (13)また、プログラムまたはディジタル信号を記録媒体に記録して移送すること〖こ より、またはプログラムまたはディジタル信号をネットワーク等を経由して移送すること により、独立した他のコンピュータシステムにより実施するとしてもよ 、。  [0283] (13) Also, the program or digital signal may be recorded on a recording medium and transferred, or the program or digital signal may be transferred via a network or the like by another independent computer system. You can do it.
[0284] (14)上記実施の形態及び上記変形例をそれぞれ組み合わせるとしてもよ!/、。  [0284] (14) The above embodiment and the above modifications may be combined! /, Respectively.
産業上の利用可能性  Industrial applicability
[0285] 本発明は、暗号処理を実行する際の電力消費量を計測することで、暗号モジユー ルに埋め込まれている暗号鍵を解析する攻撃方法に対して安全な暗号装置などとし て、禾 IJ用することができる。 [0285] The present invention can be used as an encryption device that is safe against an attack method that analyzes an encryption key embedded in an encryption module by measuring the power consumption when executing encryption processing. Can be used for IJ.

Claims

請求の範囲 The scope of the claims
[1] 正整数 cと法 nとに対する冪乗剰余演算に使用される冪値を生成する冪値生成装 置であって、  [1] A threshold value generating device for generating a threshold value used in the power-residue calculation for positive integer c and modulus n,
前記冪値の候補となる候補値を生成する生成手段と、  Generating means for generating candidate values that are candidates for the saddle value;
前記候補値のハミング重みが所定の範囲内に属する力否かを判定する判定手段と 前記判定手段で所定の範囲内に属すると判定された場合は、前記候補値を前記 冪値として設定する設定手段と  A determination unit that determines whether or not the hamming weight of the candidate value falls within a predetermined range; and a setting that sets the candidate value as the saddle value when the determination unit determines that the hamming weight is within the predetermined range. Means and
を備えることを特徴とする冪値生成装置。  An apparatus for generating saddle values, comprising:
[2] 前記生成手段は、予め与えられる冪値 d、前記冪乗剰余演算の法 n、乱数!:、およ びカーマイケル関数え(n)またはオイラー関数 φ (n)を用いて、 d+r X λ (η)または d+r X φ (η)を前記候補値として生成する [2] The generation means uses the power value d given in advance, the power-modulation remainder method n, the random number!:, And the Carmichael function (n) or the Euler function φ (n), and d + r X λ (η) or d + r X φ (η) is generated as the candidate value
ことを特徴とする請求項 1に記載の冪値生成装置。  The threshold value generating apparatus according to claim 1, wherein:
[3] 前記判定手段は、前記法 ηのビット数と所定の正整数との組合せを第 1の値とし、前 記冪値の総当り攻撃に対する安全性に基づ!、て決定された値を第 2の値とした場合 において、前記第 1の値が前記第 2の値を上回る条件で決定された前記所定の正整 数を前記所定の範囲における下限として判定する [3] The determination means uses a combination of the number of bits of the modulus η and a predetermined positive integer as a first value, and is a value determined based on the safety against the brute force attack of the above value! Is determined to be the lower limit of the predetermined range determined by the condition that the first value exceeds the second value.
ことを特徴とする請求項 1に記載の冪値生成装置。  The threshold value generating apparatus according to claim 1, wherein:
[4] 前記判定手段は、前記冪乗剰余演算の処理時間が所定の時間より小さくなる条件 で決定された正整数を前記所定の範囲における上限として判定する [4] The determination unit determines a positive integer determined under a condition that a processing time of the power-residue calculation is smaller than a predetermined time as an upper limit in the predetermined range.
ことを特徴とする請求項 1に記載の冪値生成装置。  The threshold value generating apparatus according to claim 1, wherein:
[5] 前記冪値生成装置は、さらに、前記冪値を使用して前記冪乗剰余演算を行う冪乗 剰余演算手段 [5] The power generation device further performs power residue calculation means for performing the power residue calculation using the power value.
を備えることを特徴とする請求項 1に記載の冪値生成装置。  The threshold value generating apparatus according to claim 1, comprising:
[6] 前記冪値生成装置は、さらに、前記冪値を格納する冪値格納手段を備え、 [6] The threshold value generating device further includes threshold value storage means for storing the threshold value,
前記冪乗剰余演算手段は、前記冪乗剰余演算を実行するたびに、前記冪値格納 手段に格納されている前記冪値を使用する  The power-residue calculating means uses the power value stored in the power-value storing means every time the power-residue operation is executed.
ことを特徴とする請求項 5に記載の冪値生成装置。 The threshold value generating apparatus according to claim 5, wherein:
[7] 前記設定手段は、前記冪乗剰余演算手段で前記冪乗剰余演算が実行されるたび に、前記冪値を更新する [7] The setting means updates the power value every time the power-residue calculation is executed by the power-residue calculating means.
ことを特徴とする請求項 5に記載の冪値生成装置。  The threshold value generating apparatus according to claim 5, wherein:
[8] 前記冪値生成装置は、さらに、前記冪値を秘密鍵として用い、前記秘密鍵と対をな す公開鍵を生成する公開鍵生成手段 [8] The threshold value generating device further uses the threshold value as a secret key to generate a public key pairing with the secret key.
を備えることを特徴とする請求項 1に記載の冪値生成装置。  The threshold value generating apparatus according to claim 1, comprising:
[9] 前記生成手段は、前記秘密鍵として用いられる前記冪値を RSA暗号方式に基づ いて生成する [9] The generation unit generates the threshold used as the secret key based on an RSA encryption method.
ことを特徴とする請求項 8に記載の冪値生成装置。  The threshold value generating apparatus according to claim 8, wherein:
[10] 前記冪乗剰余演算手段は、前記冪値を秘密鍵として用い、前記冪乗剰余演算を 行って暗号文を復号化する [10] The power-residue calculating means decrypts the ciphertext by performing the power-residue calculation using the power value as a secret key.
ことを特徴とする請求項 5に記載の冪値生成装置。  The threshold value generating apparatus according to claim 5, wherein:
[11] 前記冪乗剰余演算手段は、前記暗号文を RSA暗号方式に基づ 、て復号化する ことを特徴とする請求項 10に記載の冪値生成装置。 11. The threshold value generating apparatus according to claim 10, wherein the power-residue calculating unit decrypts the ciphertext based on an RSA encryption method.
[12] 前記冪乗剰余演算手段は、前記冪値を秘密鍵として用い、前記冪乗剰余演算を 行って署名データを生成する [12] The power-residue calculating unit generates signature data by performing the power-residue calculation using the power value as a secret key.
ことを特徴とする請求項 5に記載の冪値生成装置。  The threshold value generating apparatus according to claim 5, wherein:
[13] 前記冪乗剰余演算手段は、前記署名データを RSA署名方式に基づいて生成する ことを特徴とする請求項 12に記載の冪値生成装置。 13. The threshold value generating apparatus according to claim 12, wherein the power-residue calculating unit generates the signature data based on an RSA signature method.
[14] 正整数 cと法 nとに対する冪乗剰余演算に使用される冪値を生成する冪値生成方 法であって、 [14] A threshold value generation method for generating a threshold value used in a power residue operation on a positive integer c and modulus n,
前記冪値の候補となる候補値を生成する生成ステップと、  Generating a candidate value that is a candidate for the threshold;
前記候補値のハミング重みが所定の範囲内に属する力否かを判定する判定ステツ プと、  A determination step for determining whether or not the hamming weight of the candidate value falls within a predetermined range;
前記判定ステップで所定の範囲内に属すると判定された場合は、前記候補値を前 記冪値として設定する設定ステップと  A setting step for setting the candidate value as the above-described value when it is determined in the determination step that it falls within a predetermined range;
を含むことを特徴とする冪値生成方法。  A threshold value generating method characterized by comprising:
[15] 正整数 cと法 nとに対する冪乗剰余演算に使用される冪値を生成する集積回路であ つて、 [15] An integrated circuit that generates a power value used for a power-residue operation on positive integer c and modulus n. About
前記冪値の候補となる候補値を生成する生成手段と、  Generating means for generating candidate values that are candidates for the saddle value;
前記候補値のハミング重みが所定の範囲内に属する力否かを判定する判定手段と 前記判定手段で所定の範囲内に属すると判定された場合は、前記候補値を前記 冪値として設定する設定手段と  A determination unit that determines whether or not the hamming weight of the candidate value is within a predetermined range; and a setting that sets the candidate value as the saddle value when the determination unit determines that the hamming weight is within the predetermined range. Means and
を備えることを特徴とする集積回路。  An integrated circuit comprising:
[16] 正整数 cと法 nとに対する冪乗剰余演算に使用される冪値を生成するプログラムを 記録したコンピュータ読み取り可能な記録媒体であって、  [16] A computer-readable recording medium recording a program for generating a power value used for a power-residue operation on a positive integer c and modulus n,
前記冪値の候補となる候補値を生成する生成ステップと、  Generating a candidate value that is a candidate for the threshold;
前記候補値のハミング重みが所定の範囲内に属する力否かを判定する判定ステツ プと、  A determination step for determining whether or not the hamming weight of the candidate value falls within a predetermined range;
前記判定ステップで所定の範囲内に属すると判定された場合は、前記候補値を前 記冪値として設定する設定ステップと  A setting step for setting the candidate value as the preceding value when it is determined in the determination step that the value falls within a predetermined range;
をコンピュータシステムに実行させるプログラムを記録したコンピュータ読み取り可 能な記録媒体。  A computer-readable recording medium on which a program for causing a computer system to execute is recorded.
[17] 正整数 cと法 nとに対する冪乗剰余演算に使用される冪値を生成するプログラムで あって、  [17] A program for generating a power value used in a power residue operation on a positive integer c and modulus n,
前記冪値の候補となる候補値を生成する生成ステップと、  Generating a candidate value that is a candidate for the threshold;
前記候補値のハミング重みが所定の範囲内に属する力否かを判定する判定ステツ プと、  A determination step for determining whether or not the hamming weight of the candidate value falls within a predetermined range;
前記判定ステップで所定の範囲内に属すると判定された場合は、前記候補値を前 記冪値として設定する設定ステップと  A setting step for setting the candidate value as the above-described value when it is determined in the determination step that it falls within a predetermined range;
をコンピュータシステムに実行させることを特徴とするプログラム。  A program characterized by causing a computer system to execute.
PCT/JP2006/303253 2005-03-28 2006-02-23 Power value generation device WO2006103851A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2005-092935 2005-03-28
JP2005092935 2005-03-28

Publications (1)

Publication Number Publication Date
WO2006103851A1 true WO2006103851A1 (en) 2006-10-05

Family

ID=37053119

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2006/303253 WO2006103851A1 (en) 2005-03-28 2006-02-23 Power value generation device

Country Status (1)

Country Link
WO (1) WO2006103851A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010262109A (en) * 2009-05-01 2010-11-18 Sony Corp Information processing apparatus, key update method, and program

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6459791B1 (en) * 1996-06-05 2002-10-01 Gemplus Public key cryptography method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6459791B1 (en) * 1996-06-05 2002-10-01 Gemplus Public key cryptography method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
COHEN G. ET AL: "How to Improve an Exponentiation Black-Box", LECTURE NOTES IN COMPUTER SCIENCE, vol. 1403, 8 June 1998 (1998-06-08), pages 211 - 220, XP003003382 *
MAMIYA H. ET AL: "Kotei Hamming Weight Hyogen ni yoru SPA Taisakuho", IEICE TECHNICAL REPORT, vol. 104, no. 731, 10 March 2005 (2005-03-10), pages 55 - 60, XP003003383 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010262109A (en) * 2009-05-01 2010-11-18 Sony Corp Information processing apparatus, key update method, and program

Similar Documents

Publication Publication Date Title
US7940927B2 (en) Information security device and elliptic curve operating device
US7961874B2 (en) XZ-elliptic curve cryptography with secret key embedding
US8027466B2 (en) Power analysis attack countermeasure for the ECDSA
US8160245B2 (en) Methods and apparatus for performing an elliptic curve scalar multiplication operation using splitting
US8265267B2 (en) Information security device
JPWO2005008955A1 (en) Tamper-resistant cryptographic processing using a personal key
JP2008252299A (en) Encryption processing system and encryption processing method
JP5648177B2 (en) Protection of prime generation against side channel attacks
EP1708081B1 (en) Method and device for calculating a Montgomery conversion parameter
EP2119100B1 (en) Methods and apparatus for performing an elliptic curve scalar multiplication operation using splitting
JPWO2006077651A1 (en) Encryption processor with tamper resistance against power analysis attacks
KR100652377B1 (en) A modular exponentiation algorithm, a record device including the algorithm and a system using the algorithm
EP0952697B1 (en) Elliptic curve encryption method and system
JP4626148B2 (en) Calculation method of power-residue calculation in decryption or signature creation
Raghunandan et al. Enhanced RSA algorithm using fake modulus and fake public key exponent
Kayode et al. Efficient RSA cryptosystem decryption based on Chinese remainder theorem and strong prime
CN1985458A (en) Enhanced natural Montgomery exponent masking
WO2006103851A1 (en) Power value generation device
Schmid ECDSA-application and implementation failures
KR101112570B1 (en) Apparatus and Method for digital signature immune to power analysis and fault attacks, and Recording medium thereof
Zahhafi et al. A DSA-like digital signature protocol
Rosly et al. Cryptographic computation using ElGamal algorithm in 32-bit computing system
Singaravelu et al. Cryptographic Overhead in Sensor Networks with HFE Scheme
KR100808953B1 (en) Modular multiplication method and smart card using the method
Khyoon Modification on the Algorithm of RSA Cryptography System

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

NENP Non-entry into the national phase

Ref country code: JP

122 Ep: pct application non-entry in european phase

Ref document number: 06714393

Country of ref document: EP

Kind code of ref document: A1