WO2011030468A1 - Arithmetic device - Google Patents

Publication number
WO2011030468A1
Authority
WO
WIPO (PCT)
Prior art keywords
representation
expression
affine
finite field
multiplication
Prior art date
Application number
PCT/JP2009/066045
Other languages
French (fr)
Japanese (ja)
Inventor
智子 米村
博文 村谷
建司 大熊
泰知 磯谷
憲一郎 古田
嘉一 花谷
淳 新保
華恵 池田
雄一 駒野
Original Assignee
株式会社東芝
Application filed by 株式会社東芝
Priority to PCT/JP2009/066045
Publication of WO2011030468A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00: Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/38: Methods or arrangements for performing computations using exclusively denominational number representation, e.g. using binary, ternary, decimal representation

Definitions

  • the present invention relates to an arithmetic device.
  • a method for compressing the cryptographic system size in public key cryptography using an algebraic torus has been proposed (see Non-Patent Document 1).
  • Methods for representing an element of an algebraic torus include an affine representation, a projective representation, and an extension field representation (see, for example, Non-Patent Document 2).
  • the affine representation is used for input/output and the projective representation or extension field representation is used for computation in each step of key generation, encryption and decryption. For this reason, it is necessary to convert between the representations (representation conversion) before or after the operation.
  • the present invention has been made in view of the above, and an object of the present invention is to provide an arithmetic device capable of reducing the entire calculation amount including representation conversion and calculation.
  • the present invention provides an arithmetic device comprising: an arithmetic unit that performs a finite field Fp^mn operation on a projective representation representing an element whose norm map with respect to a subfield Fp^mr (r: a divisor of n with n/r ≧ 3) of the finite field Fp^mn (n: positive integer, m: positive integer, p: prime number) is 1; and a first representation conversion unit that converts the projective representation (h0, h1, ..., hn-1) (hi: element of the finite field Fp^m, 0 ≦ i ≦ n-1) after the finite field Fp^mn operation into an affine representation (c0, c1, ..., cφ(n)-1) (ci: element of the finite field Fp^m, 0 ≦ i ≦ φ(n)-1) representing the n-th order algebraic torus Tn(Fp^m).
  • the flowchart which shows the procedure of the expression conversion and arithmetic processing which the arithmetic unit 50 performs.
  • Let Fp^m be the finite field over which the algebraic torus Tn is defined.
  • p is a prime number
  • n and m are positive integers.
  • the symbol “^” represents a power and p^m represents p to the power of m.
  • Fp^m represents a finite field with p^m elements.
  • An algebraic torus Tn(Fp^m) is a group with Φn(p^m) elements.
  • Φn(X) is the n-th cyclotomic polynomial.
  • the affine representation of the algebraic torus Tn(Fp^m) is represented by a tuple of φ(n) elements of Fp^m.
  • φ(x) is Euler's totient function.
  • the projective representation of an element g of the algebraic torus Tn(Fp^m) is expressed, using some element h of Fp^mn, as Equation 1 below or as the inverse of Equation 1.
  • the projective representation h is represented by a tuple of n elements of Fp^m.
  • The meaning of Equation 1 will be described. By Hilbert's Theorem 90, the norm map with respect to Fp^mr of an element g of Fp^mn being 1 is equivalent to the existence of an element h of Fp^mn that satisfies Equation 1. On the other hand, an element g of the algebraic torus Tn(Fp^m) is defined by the condition that the norm map of g with respect to Fp^md is 1 for all divisors d of n.
  • ci is an element of Fp^m, 0 ≦ i ≦ φ(n)-1.
  • The conversion from the projective representation (α, β, γ) = (h0, h1, ..., hn-1) to the affine representation (c0, c1, ..., cφ(n)-1) is realized by calculating either or both of α/γ and β/γ with one inversion in Fp^mr and ceil(2(r-1)/r) multiplications in Fp^mr, and extracting, by a predetermined method, a tuple of 2(r-1) elements of Fp^m as a part of the tuple of 2r elements representing the calculation result.
  • ceil() is the ceiling function.
  • the projection to act and projective representation the action of origin ⁇ 1 of Galois group Gal (F p ⁇ mn / F p ⁇ mr1), the origin ⁇ 2 of Galois group Gal (F p ⁇ mn / F p ⁇ mr2)
  • Two ways of expression are possible.
  • the amount of calculation for the conversion from the projective representation (h0, h1, ..., hn-1) to the affine representation (c0, c1, ..., cφ(n)-1) differs between the two projective representations.
  • the amount of calculation for the conversion from the projective representation to the affine representation is, in the case of Equation 2 or its inverse (the conventional method), one inversion in Fp^m3 and one multiplication in Fp^m3, and, in the case of Equation 3 or its inverse (the method of the present embodiment), one inversion in Fp^m2 and one multiplication in Fp^m2. Therefore, the calculation amount of the method of the present embodiment is smaller than the calculation amount of the conventional method.
  • the projective representation of the 6th-order torus, treated as a 2nd-order torus over the cubic extension field, uses 3-dimensional vectors (a0, a1, a2, b0, b1, b2).
  • ai and bi are elements of Fp^m, 0 ≦ i ≦ 2.
  • computation in the cubic extension field is performed, which is wasteful.
  • (c0, c1, c2) = (a0, a1, a2) / (b0, b1, b2) was calculated, and c2 was discarded.
  • ci is an element of Fp^m and 0 ≦ i ≦ 2.
  • the projective representation of the 6th-order torus uses a third-order vector triplet (a0, a1, b0, b1, b2, c0, c1).
  • ai, bi and ci are elements of Fp^m and 0 ≦ i ≦ 1. Then, the conversion from the projective representation to the affine representation (d0, d1) can be calculated using only operations in the quadratic extension field, and there is no waste.
  • (d0, d1) = (b0, b1) / (c0, c1) is calculated.
  • di is an element of Fp^m and 0 ≦ i ≦ 1. Therefore, in the present embodiment, the conversion from the projective representation to the affine representation requires less calculation and less waste than the conventional method.
  • the arithmetic device includes a control unit such as a CPU (Central Processing Unit) that controls the entire device, a main storage unit such as a ROM (Read Only Memory) and a RAM (Random Access Memory) that store various data and various programs, an auxiliary storage unit such as an HDD (Hard Disk Drive) or CD (Compact Disk) drive device that stores various data and various programs, and a bus connecting them; it has the hardware configuration of an ordinary computer.
  • FIG. 1 is a diagram illustrating a functional configuration of the arithmetic device 50.
  • the calculation device 50 includes an expression conversion unit 51 and a calculation unit 52. These units are generated on a main storage unit such as a RAM when the CPU program is executed.
  • the representation conversion unit 51 is a norm related to a subfield Fp^mr (r: divisor of n, n/r ≧ 3) of a finite field Fp^mn (n: positive integer, m: positive integer, p: prime number).
  • the expression conversion unit 51 includes a first expression conversion unit 51A and a second expression conversion unit 51B.
  • the first representation conversion unit 51A converts the projective representation after the calculation performed by the calculation unit 52, which will be described later, into an affine representation, thereby substituting the subfield Fp^md of the finite field Fp^mn for all divisors d.
  • Each element ci of the affine representation (c0, c1, ..., cφ(n)-1) determined by the condition that the norm map for 1 is 1 is obtained. That is, the first representation conversion unit 51A applies a set of r elements hi of the projective representation (h0, h1, ..., hn-1) after the calculation performed by the calculation unit 52 to the first representation conversion unit 51A.
  • finite field Fp^mr is determined by the condition that the norm map for the subfield Fp^md of the finite field Fp^mn is 1, and the affine representation (c0, c1, ..., cφ(n)-1) to obtain each element ci.
  • the second representation conversion unit 51B uses the affine representation (c′0, c′1, ..., c′φ(n)-1) (c′) representing the n-th order algebraic torus Tn(Fp^m).
  • the calculation unit 52 performs a finite field Fp^mn operation, that is, an operation on the finite field Fp^mn, on the projective representation (h′0, h′1, ..., h′n-1) converted by the representation conversion unit 51.
  • the calculation includes, for example, multiplication (including square), Frobenius map, and power.
  • constraint operations operations that are originally restricted
  • mixed operations are converted into an affine expression by the expression conversion unit 51 described above.
  • the arithmetic unit 50 uses each element c′i of the affine representation (c′0, c′1, ..., c′φ(n)-1) representing the n-th order algebraic torus Tn(Fp^m).
  • each element h′i of the projective representation (h′0, h′1, ..., h′n-1), which represents an element whose norm map with respect to the subfield Fp^mr of the finite field Fp^mn is 1, is obtained (step S1).
  • the arithmetic unit 50 performs a finite field Fp^mn operation on the projective representation (h′0, h′1, ..., h′n-1) obtained in step S1 (step S2). Thereafter, the arithmetic unit 50 calculates all of n for the set of r elements hi of the projective representation (h0, h1, ..., hn-1) calculated in step S2.
  • the finite field Fp^mr is determined by the condition that the norm map of the subfield Fp^md of the finite field Fp^mn is 1 for the divisor d of, and the affine representation (c0, c1, ..., cφ(n)-1), each element ci is obtained (step S3).
  • the amount of calculation for converting from a projective representation to an affine representation is smaller than that of the conventional method.
  • the conversion from the affine representation to the projective representation may increase the amount of calculation compared to the conventional method.
  • the amount of calculation that increases in this case is smaller than the amount of calculation that can be reduced compared to the conventional method when converting from a projective representation to an affine representation. For this reason, the total calculation amount including expression conversion and calculation can be suppressed.
  • g^(p^4m + p^2m + 1) = 1
  • an affine representation of T 6 (F p ⁇ m ) is obtained.
  • the mapping for converting from the affine representation to the projective representation is expressed by Equation 4.
  • a mapping for converting from the projective representation to the affine representation is expressed by Equation 5.
  • The right side of Equation 5 is an element of F(p^m)^3, but it is sufficient to obtain only the constant term and the coefficient of y.
  • the mapping for converting from the affine representation to the projective representation may be a form in which c1 is multiplied by the numerator and denominator so that the inverse element does not have to be calculated.
  • FIG. 3 is a diagram illustrating the calculation cost for each representation conversion in the conventional method. I, M, S and F in the figure denote the computational cost of an inversion in Fp^m, a multiplication in Fp^m, a squaring in Fp^m and a Frobenius map in Fp^m, respectively. B is the computational cost of multiplying an element of Fp^m by a constant belonging to Fp^m. The calculation cost of B depends on how the parameters d and w are chosen.
  • Equation 16 can be rewritten as Equation 17, and Equation 17 can be solved.
  • A mapping for converting from the projective representation to the affine representation is expressed by Equation 20.
  • mapping for converting from the affine representation to the projective representation may be a form in which b1 is multiplied by the numerator and denominator so that the inverse element does not have to be calculated.
  • FIG. 4 is a diagram illustrating the calculation cost for each representation conversion in the present embodiment.
  • the operations of the extension field type and the extension field type are normal operations. Of these operations, a case where the Karatsuba method is used for multiplication will be described.
  • the expansion field type and affine type operations are mixed operations, and the affine type and affine type operations are constraint operations. It is assumed that the mapping for converting from the affine representation to the projective representation is expressed by Expression 25. Further, a mapping for converting from the projective expression to the affine expression is represented by Expression 26.
  • the multiplication result of the expanded field type ( ⁇ , ⁇ ) and the affine type ( ⁇ , 1) is ( ⁇ + ⁇ d, ⁇ + ⁇ ).
  • the multiplication result of the affine type ( ⁇ , 1) and the affine type ( ⁇ , 1) is ( ⁇ + d, ⁇ + ⁇ ).
  • Equation 28 If the conversion from the affine representation to the projected representation ( ⁇ / c 0 , 1 / c 0 ) is expressed by Equation 28, the calculation cost is I + 4M + 2S + B + A.
  • the conversion to the sixth extension field can be realized by replacing elements and multiplying by a constant, and the calculation cost is 3B considering that it is not necessary to calculate multiplication for zero elements.
  • the multiplication result is expressed by Equation 29.
  • Toom-Cook method can be modified to calculate with much less A than the M + 4S and Toom-Cook methods.
  • Expression 31 is expression 32.
  • the Frobenius mapping result of the affine type ( ⁇ , 1) is ( ⁇ ⁇ p, d ⁇ ⁇ (p-1) / 2 ⁇ ).
  • the calculation cost is 3F + 2B.
  • the normal operation among the finite field Fp^mn operations will be described.
  • a case where the Karatsuba method is used for multiplication will be described.
  • the multiplication result of the expansion field type ( ⁇ , ⁇ , ⁇ ) and the expansion field type ( ⁇ , ⁇ , ⁇ ) is represented by a vector 52.
  • 18M + 9B + 57A is obtained as in the case of multiplication in a normal operation.
  • the expansion body type ( ⁇ , ⁇ , ⁇ ) and the expansion body type ( ⁇ , ⁇ , ⁇ ) are converted into the sixth expansion field, respectively.
  • the multiplication result is expressed by Expression 33.
  • mapping for converting from the affine expression to the projective expression is expressed by Expression 37.
  • a mapping for converting from the projective expression to the affine expression is represented by Expression 38.
  • a multiplication result of the expansion field type ( ⁇ , ⁇ , ⁇ ) and the affine type ( ⁇ , ⁇ , 1) is represented by a vector 39.
  • 2(6M + 2B + 14A) + (3M + B + 5A) + 3B + 14A = 15M + 8B + 47A.
  • the multiplication result of the affine type ( ⁇ , ⁇ , 1) and the affine type ( ⁇ , ⁇ , 1) is represented by a vector 40.
  • 2(3M + B + 10A) + (3M + 4A) + 2B + 13A = 9M + 4B + 37A.
  • the affine type ( ⁇ / a 0 , ⁇ / a 0 , 1 / a 0 ) and the affine type ( ⁇ / d 0 , ⁇ / d 0 , 1 / d 0 ) are converted into sixth-order extensions, respectively.
  • a 0 + a 1 x.
  • the conversion from the affine representation to the projective representation ( ⁇ / a 0 , ⁇ / a 0 , 1 / a 0 ) is expressed by Equation 42, the calculation cost is I + 7M + 2S + 3B + 2A.
  • the conversion to the sixth extension field can be realized by replacing elements and multiplying by a constant, and the calculation cost is 3B considering that it is not necessary to calculate multiplication for zero elements.
  • the multiplication result is expressed by Expression 43.
  • Equation 44 The square result of the affine type ( ⁇ , ⁇ , 1) is expressed by Equation 44.
  • Equation 45 the secondary expansion of the third expansion by replacing the elements.
  • FIG. 5 is a diagram illustrating the calculation cost for each Fp^mn operation in the conventional method.
  • FIG. 6 is a diagram illustrating the calculation cost for each Fp^mn operation according to the present embodiment.
  • the expansion type ( ⁇ , ⁇ ) in FIG. 5 is a calculation cost for a normal calculation.
  • the affine type ( ⁇ , c 1 ) and the affine type ( ⁇ , 1) are calculation costs for the constraint operation.
  • the mixing ( ⁇ , ⁇ ) ( ⁇ , f1) and the mixing ( ⁇ , ⁇ ) ( ⁇ , 1) are calculation costs for the mixing operation.
  • the expanded field type ( ⁇ , ⁇ , ⁇ ) in FIG. 6 is a calculation cost for a normal calculation.
  • the affine type ( ⁇ , ⁇ , b 1 ) and the affine type ( ⁇ , ⁇ , 1) are calculation costs for the constraint calculation.
  • the mixing ( ⁇ , ⁇ , ⁇ ) ( ⁇ , ⁇ , e 1 ) and the mixing ( ⁇ , ⁇ , ⁇ ) ( ⁇ , ⁇ , 1) are calculation costs for the mixing operation.
  • the calculation cost according to the present embodiment may be larger, the amount that increases compared to the conventional method can be calculated from the projection expression with reference to FIGS. It is smaller than the amount that can reduce the calculation cost for conversion to the affine representation. For this reason, according to this Embodiment, the whole calculation cost including expression conversion and a calculation can be reduced compared with the past.
  • B win-1 means that the subscript of B is win-1.
  • a sequence in which 2^j digits in binary representation are arranged for each digit of the index a is represented by concatenation of table entries.
  • j is a non-negative integer.
  • the series 11001101 is expressed as 11 ⁇ 00 ⁇ 1101.
  • Each digit in the sequence corresponds to each digit in p-adic.
  • the arithmetic unit calculates T 11 ⁇ ⁇ ⁇ 4 (T 1101 ) for 1 1 00 1 10 1.
  • the calculation result corresponding to the 2 ⁇ j digit series is A j .
  • the arithmetic unit calculates the square of Aj starting from the largest j, multiplies Aj^2 by the next Aj-1 and calculates the square of the result, then multiplies (Aj^2 * Aj-1)^2 by the next Aj-2 and calculates the square of the result, and so on.
  • 0 ≦ j ≦ ceil(log2(p))-1, and ceil(x) is the ceiling function that returns the smallest integer greater than or equal to x.
  • the main part of the maximum calculation cost of table generation is: [T1] (win-1) multiplications in the algebraic torus for the input element g and the Frobenius map of the element g; [T2] (2^(win-1)-win) multiplications in the algebraic torus for the input g and the Frobenius map of an entry already in the table.
  • the main part of the calculation cost of this calculation is determined by the index a, the window width win, and the expansion order m of the foundation.
  • the number of multiplications of [M3] corresponds to the operation of multiplying Aj.
  • [M4] is the square in the algebraic torus of (ceil (log 2 (p))-1) intermediate results.
  • the computing device 50 in the present embodiment uses the Karatsuba method.
  • An example of the calculation cost when executing the power calculation will be described.
  • the computational cost of the input transformation of the input element g is I + 2M + 2S + 3B + A: 2 rows and 2 columns affine projective transformation [T1] to [T2] of the algebraic torus in FIG.
  • Multiplication cost in algebraic torus between table entries is 9M + 4B + 37A per time: 2-row 4-column affine type multiplication (Karatsuba method) in the upper diagram of FIG.
  • Multiplication in an algebraic torus of intermediate results and table entries is an algebraic torus of a general projective representation and a projective representation in which, of the 6 Fp^m elements, 2 elements are 0 and 1 element is 1.
  • Type multiplication (Toom-Cook method) [T3] Representation conversion of table entries is performed a maximum of (2^(win-1)-1) times, at a calculation cost of I + 21M + 10B + 39A per time: 5-row 2-column projective-to-affine conversion of FIG. All entries in the table are projective representations in which, of the 6 Fp^m elements, 2 elements are 0 and 1 element is 1. [M1] Calculation cost of 5M + 3B per time: 3-row 4-column affine type multiplication (Toom-Cook method) in the upper diagram of FIG.
  • An example of the calculation cost in the case of executing the power calculation using will be described.
  • [T1]-[T2] 7M + 3B calculation cost per time 3-row 4-column affine in FIG.
  • Type multiplication (Toom-Cook method) [T3] Representation conversion of table entries is performed a maximum of (2^(win-1)-1) times, at a calculation cost of I + 8M + 3B + 10A per time: 5-row 2-column projective-to-affine conversion of FIG. All entries in the table are projective representations in which, of the 6 Fp^m elements, 2 elements are 0 and 1 element is 1.
  • various programs executed by the computing device 50 may be stored on a computer connected to a network such as the Internet and provided by being downloaded via the network.
  • the various programs are recorded in a computer-readable recording medium such as a CD-ROM, a flexible disk (FD), a CD-R, a DVD (Digital Versatile Disk), etc. in a file that can be installed or executed. It may be configured to be provided as a computer product.
  • the arithmetic unit 50 performs the processing of steps S1 to S3, but may perform steps S1 to S2 or steps S2 to S3.
  • the processing of step S3 is performed by the information processing device connected to the arithmetic device 50.
  • the processing of step S1 is performed by the information processing device connected to the arithmetic device 50, and the result is obtained.
  • the arithmetic unit 50 may perform steps S2 to S3 for the projection expression.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computational Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Complex Calculations (AREA)

Abstract

A representation transforming unit (51) performs transformations between a projective representation (h0, h1, ..., hn-1) (where hi is an element of a finite field Fp^m, and 0 ≦ i ≦ n-1), which represents the elements for which the norm map related to a subfield Fp^mr of a finite field Fp^mn (where n is a positive integer, m is a positive integer, p is a prime number, r is a divisor of n, and n/r ≧ 3) is "1", and an affine representation (c0, c1, ..., cφ(n)-1) (where ci is an element of the finite field Fp^m, and 0 ≦ i ≦ φ(n)-1) which represents an n-th-order algebraic torus Tn(Fp^m). An arithmetic unit (52) performs a finite field Fp^mn arithmetic for the projective representation (h0, h1, ..., hn-1) as transformed by the representation transforming unit (51).

Description

Arithmetic device
The present invention relates to an arithmetic device.
In recent years, growth in cryptosystem size has become a problem for public-key cryptography, which enables secure communication without prior key sharing. Against this background, a method has been proposed that uses an algebraic torus to compress the cryptosystem size in public-key cryptography (see, for example, Non-Patent Document 1). An element of an algebraic torus can be represented in an affine representation, a projective representation, or an extension field representation (see, for example, Non-Patent Document 2). In algebraic-torus public-key cryptography, each of the key generation, encryption and decryption steps uses the affine representation for input and output and the projective or extension field representation for computation. Conversion between representations (representation conversion) is therefore required before or after the computation.
However, depending on the combination of the representation before conversion and the representation after conversion, the representation conversion can become expensive, and the total amount of computation, including representation conversion and arithmetic, can become very large.
The present invention has been made in view of the above, and its object is to provide an arithmetic device capable of reducing the total amount of computation including representation conversion and arithmetic.
To solve the above problem and achieve the object, the present invention is an arithmetic device comprising: an arithmetic unit that performs a finite field Fp^mn operation on a projective representation representing an element whose norm map with respect to a subfield Fp^mr (r: a divisor of n with n/r ≧ 3) of the finite field Fp^mn (n: positive integer, m: positive integer, p: prime number) is 1; and a first representation conversion unit that converts the projective representation (h0, h1, ..., hn-1) (hi: element of the finite field Fp^m, 0 ≦ i ≦ n-1) after the finite field Fp^mn operation into an affine representation (c0, c1, ..., cφ(n)-1) (ci: element of the finite field Fp^m, 0 ≦ i ≦ φ(n)-1) representing the n-th order algebraic torus Tn(Fp^m).
According to the present invention, the total amount of computation including representation conversion and arithmetic can be reduced.
A diagram illustrating the functional configuration of the arithmetic device 50 of one embodiment. A flowchart showing the procedure of the representation conversion and arithmetic processing performed by the arithmetic device 50. A diagram illustrating the calculation cost of each representation conversion in the conventional method. A diagram illustrating the calculation cost of each representation conversion in one embodiment. A diagram illustrating the calculation cost of each operation in the conventional method. A diagram illustrating the calculation cost of each operation according to one embodiment.
An embodiment of the arithmetic device according to the present invention is described in detail below with reference to the accompanying drawings.
[First embodiment]
First, the mathematical preliminaries for operations on the algebraic torus according to the present embodiment are described. Let Fp^m be the finite field over which the algebraic torus Tn is defined, where p is a prime number and n and m are positive integers. The symbol "^" denotes a power, so p^m is p to the power of m. Fp^m denotes the finite field with p^m elements. The algebraic torus Tn(Fp^m) is a group with Φn(p^m) elements, where Φn(X) is the n-th cyclotomic polynomial.
The affine representation of the algebraic torus Tn(Fp^m) is a tuple of φ(n) elements of Fp^m, where φ(x) is Euler's totient function. The projective representation of an element g of the algebraic torus Tn(Fp^m) is expressed, using some element h of Fp^mn, as Equation 1 below or as the inverse of Equation 1.
Figure JPOXMLDOC01-appb-M000001
Here σ is a generator of the Galois group Gal(Fp^mn/Fp^mr): with the Frobenius map π: x → x^(p^m), σ = π^ir for some i among i = 0, 1, …, n/r-1, and r is a divisor of n. In general, the projective representation h is a tuple of n elements of Fp^m.
The meaning of Equation 1 is as follows. By Hilbert's Theorem 90, the norm map with respect to Fp^mr of an element g of Fp^mn being 1 is equivalent to the existence of an element h of Fp^mn that satisfies Equation 1. On the other hand, an element g of the algebraic torus Tn(Fp^m) is defined by the condition that the norm map of g with respect to Fp^md is 1 for every divisor d of n. Equation 1 states only that the particular norm map with d = r of the element g of Fp^mn is 1, so for g to be an element of the algebraic torus Tn(Fp^m), the condition that the norm map is 1 for every d ≠ r must also be imposed on h.
For example, consider the case n = 2*r, where r is a prime number different from 2. Let {1, x} be the basis of the quadratic extension and let α, β be elements of Fp^mr; then h = α + βx. Since Gal(Fp^mn/Fp^mr) = {1, π^r}, σ = π^r. Elements of Fp^mr are invariant under this σ. In this case the projective representation is Equation 2 below or the inverse of Equation 2.
Figure JPOXMLDOC01-appb-M000002
 代数的トーラスTn(Fp^m)の元gとなるためには、Fp^m2に関するノルム写像が1となる条件をhに課す。そのような(α,β)についてFp^mrの元δをそれぞれにかけた(αδ,βδ)も同じ代数的トーラスの元gを表す。この性質が射影表現と呼ばれる理由である。射影表現hは2個のFp^mrの元の組(α,β)=(h0,h1,・・・,hn-1)で表される。ここで、hiはFp^mの元、0≦i≦n-1。 In order to be an element g of an algebraic torus T n (F p ^ m ), the condition that the norm map for F p ^ m2 is 1 is imposed on h. (Αδ, βδ) obtained by multiplying the element δ of F p ^ mr with respect to such (α, β) also represents the element g of the same algebraic torus. This is the reason why it is called projective expression. The projection expression h is represented by the original set (α, β) = (h 0 , h 1 ,..., H n-1 ) of two F p ^ mr . Here, h i is an element of F p ^ m , 0 ≦ i ≦ n−1.
Solving the condition that the norm map with respect to Fp^m2 is 1 for (α/β, 1) shows that the tuple of r elements representing α/β is determined by a part of it, a tuple of (r-1) elements of Fp^m. This is the affine representation. The conversion from the projective representation (α, β) = (h0, h1, ..., hn-1) to the affine representation (c0, c1, ..., cφ(n)-1) is carried out by computing α/β with one inversion in Fp^mr and one multiplication in Fp^mr, and then extracting, in a predetermined manner, the tuple of (r-1) elements of Fp^m from the tuple of r elements that represents the result. Here ci is an element of Fp^m and 0 ≤ i ≤ φ(n)-1.
For example, consider the case n = 3*r, where r is a prime different from 3. Let {1, y, y^2} be the basis of the cubic extension and let α, β, γ be elements of Fp^mr; then h is written h = α + βy + γy^2. Since Gal(Fp^mn/Fp^mr) = {1, π^r, π^2r}, we have σ = π^r or σ = π^2r. Elements of Fp^mr are invariant under this σ. In this case, the projective representation is Equation 3 below or the inverse of Equation 3.
Figure JPOXMLDOC01-appb-M000003
For g to be an element of the algebraic torus Tn(Fp^m), the condition that the norm map with respect to Fp^m3 is 1 is imposed on h. Solving the condition that the norm map with respect to Fp^m3 is 1 for (α/γ, β/γ, 1) shows that the tuple of 2r elements of Fp^m representing α/γ and β/γ is determined by a part of it, a tuple of 2(r-1) elements of Fp^m. This is the affine representation. The conversion from the projective representation (α, β, γ) = (h0, h1, ..., hn-1) to the affine representation (c0, c1, ..., cφ(n)-1) is carried out by computing one or both of α/γ and β/γ with one inversion in Fp^mr and ceil(2(r-1)/r) multiplications in Fp^mr, and then extracting, in a predetermined manner, the tuple of 2(r-1) elements of Fp^m from the tuple of 2r elements that represents the result. Here ceil() is the ceiling function.
For example, consider the case n = r1*r2, where r1 and r2 are distinct primes. In this case two projective representations are possible: one on which the generator σ1 of the Galois group Gal(Fp^mn/Fp^mr1) acts, and one on which the generator σ2 of the Galois group Gal(Fp^mn/Fp^mr2) acts. The amount of computation needed to convert the projective representation (h0, h1, ..., hn-1) to the affine representation (c0, c1, ..., cφ(n)-1) differs between the two. For the projective representation on which the generator σ1 of Gal(Fp^mn/Fp^mr1) acts, it is one inversion in Fp^mr1 and ceil((r2-1)(r1-1)/r1) multiplications in Fp^mr1. For the projective representation on which the generator σ2 of Gal(Fp^mn/Fp^mr2) acts, it is one inversion in Fp^mr2 and ceil((r1-1)(r2-1)/r2) multiplications in Fp^mr2. It is therefore possible to select and use the projective representation whose representation conversion costs less.
For example, consider the case n = 2*3. In this case the conventional projective representation was taken as the second-order algebraic torus T2(Fp^mr), r = 3, and was Equation 2 or the inverse of Equation 2. By contrast, the projective representation according to the present embodiment is an element of Fp^mn whose norm map with respect to Fp^mr, r = 2 or 3, is 1, and it can also be taken to be Equation 3 or the inverse of Equation 3, which corresponds to r = 2. The amount of computation needed to convert the projective representation to the affine representation is one inversion in Fp^m3 and one multiplication in Fp^m3 for Equation 2 or its inverse (the conventional method), and one inversion in Fp^m2 and one multiplication in Fp^m2 for Equation 3 or its inverse (the method of the present embodiment). The method of the present embodiment therefore requires less computation than the conventional method.
That is, the projective representation of the sixth-order torus conventionally used a pair of three-dimensional vectors (a0, a1, a2, b0, b1, b2), treating it as a second-order torus over the cubic extension field. Here ai and bi are elements of Fp^m, 0 ≤ i ≤ 2. However, computing the conversion from the projective representation to the affine representation (c0, c1) required operations in the cubic extension field, which was wasteful. Specifically, (c0, c1, c2) = (a0, a1, a2)/(b0, b1, b2) was computed and c2 was discarded. Here ci is an element of Fp^m, 0 ≤ i ≤ 2.
In the present embodiment, by contrast, the projective representation of the sixth-order torus uses a triple of two-dimensional vectors (a0, a1, b0, b1, b2, c0, c1), treating it as a third-order torus over the quadratic extension field. Here ai, bi and ci are elements of Fp^m, 0 ≤ i ≤ 1. The conversion from the projective representation to the affine representation (d0, d1) can then be computed using only operations in the quadratic extension field, with no waste. Specifically, (d0, d1) = (b0, b1)/(c0, c1) is computed. Here di is an element of Fp^m, 0 ≤ i ≤ 1. In the present embodiment, therefore, the conversion from the projective representation to the affine representation avoids the wasted work of the conventional method and requires less computation.
In the same way, a projective representation can be constructed for n that contains three or more primes or a square. That is, a projective representation can be constructed in the same way for n = r1*r2*r3 (r1, r2, r3: primes) or n = r4*r4 (r4: positive integer).
Next, the hardware configuration of the arithmetic device according to the present embodiment is described. The arithmetic device of the present embodiment includes a control unit such as a CPU (Central Processing Unit) that controls the entire device, a main storage unit such as a ROM (Read Only Memory) and a RAM (Random Access Memory) that stores various data and programs, an auxiliary storage unit such as an HDD (Hard Disk Drive) or a CD (Compact Disk) drive device that stores various data and programs, and a bus that connects them. It has the hardware configuration of an ordinary computer.
The functions realized in this hardware configuration when the CPU of the arithmetic device executes the programs stored in the main storage unit and the auxiliary storage unit are described next. FIG. 1 illustrates the functional configuration of the arithmetic device 50. The arithmetic device 50 has a representation conversion unit 51 and an operation unit 52. These units are generated in the main storage unit, such as the RAM, when the CPU executes the programs.
The representation conversion unit 51 converts between a projective representation (h0, h1, ..., hn-1) (hi: element of the finite field Fp^m, 0 ≤ i ≤ n-1), which represents an element whose norm map with respect to the subfield Fp^mr (r: a divisor of n with n/r ≥ 3) of the finite field Fp^mn (n: positive integer, m: positive integer, p: prime) is 1, and an affine representation (c0, c1, ..., cφ(n)-1) (ci: element of the finite field Fp^m, 0 ≤ i ≤ φ(n)-1), which represents the n-th order algebraic torus Tn(Fp^m). Specifically, the representation conversion unit 51 has a first representation conversion unit 51A and a second representation conversion unit 51B. The first representation conversion unit 51A converts the projective representation that results from the operation performed by the operation unit 52, described later, into an affine representation, and thereby obtains each element ci of the affine representation (c0, c1, ..., cφ(n)-1) determined by the condition that the norm map with respect to the subfield Fp^md of the finite field Fp^mn is 1 for every divisor d of n. That is, on the groups of r elements hi of the projective representation (h0, h1, ..., hn-1) that results from the operation performed by the operation unit 52, the first representation conversion unit 51A performs the finite field Fp^mr operations determined by the condition that the norm map with respect to the subfield Fp^md of the finite field Fp^mn is 1 for every divisor d of n, and obtains each element ci of the affine representation (c0, c1, ..., cφ(n)-1). On each element c'i of an affine representation (c'0, c'1, ..., c'φ(n)-1) (c'i: element of the finite field Fp^m, 0 ≤ i ≤ φ(n)-1) representing the n-th order algebraic torus Tn(Fp^m), the second representation conversion unit 51B performs the finite field Fp^m operations determined by the condition that the norm map with respect to the subfield Fp^md of the finite field Fp^mn is 1 for every divisor d of n and by the modulus polynomials and bases used to construct the degree-n extension, and obtains each element h'i of the projective representation (h'0, h'1, ..., h'n-1) that is the operand of the operation performed by the operation unit 52. The operation unit 52 performs finite field Fp^mn operations, that is, operations in the finite field Fp^mn, on the projective representation (h'0, h'1, ..., h'n-1) produced by the representation conversion unit 51. The operations are, for example, multiplication (including squaring), the Frobenius map, and exponentiation. Each operation comes in three kinds: the ordinary operation (normal operation); an operation restricted to elements of a subfield Fp^m', which uses some of the elements of the projective representation or all of the elements including elements of the subfield Fp^m' (called a constrained operation); and an operation that mixes the normal operation and constrained multiplication (called a mixed operation). The projective representation after the operation is converted into an affine representation by the representation conversion unit 51 described above.
Next, the procedure of representation conversion and operation processing performed by the arithmetic device 50 according to the present embodiment is described with reference to FIG. 2. On each element c'i of the affine representation (c'0, c'1, ..., c'φ(n)-1) representing the n-th order algebraic torus Tn(Fp^m), the arithmetic device 50 performs the finite field Fp^m operations determined by the condition that the norm map with respect to the subfield Fp^md of the finite field Fp^mn is 1 for every divisor d of n and by the modulus polynomials and bases used to construct the degree-n extension, and obtains each element h'i of the projective representation (h'0, h'1, ..., h'n-1) representing an element whose norm map with respect to the subfield Fp^mr of the finite field Fp^mn is 1 (step S1). The arithmetic device 50 then performs a finite field Fp^mn operation on the projective representation (h'0, h'1, ..., h'n-1) obtained in step S1 (step S2). After that, on the groups of r elements hi of the projective representation (h0, h1, ..., hn-1) computed in step S2, the arithmetic device 50 performs the finite field Fp^mr operations determined by the condition that the norm map with respect to the subfield Fp^md of the finite field Fp^mn is 1 for every divisor d of n, and obtains each element ci of the affine representation (c0, c1, ..., cφ(n)-1) (step S3).
With the configuration described above, the conversion from the projective representation to the affine representation requires less computation than the conventional method. The conversion from the affine representation to the projective representation, however, may require more computation than the conventional method. Even so, the computation added in that direction is smaller than the computation saved, relative to the conventional method, when converting from the projective representation to the affine representation. The total amount of computation, including representation conversion and operations, can therefore be reduced.
[Second Embodiment]
Next, a second embodiment of the arithmetic device is described. Parts common to the first embodiment described above are described using the same reference numerals, or their description is omitted.
In the present embodiment, an example in which the modulus polynomials are fixed is described. The conventional method is described first. Here n = 6, and with F((p^m)^3)^2 = F(p^m)^3[x]/(f2(x)) and F(p^m)^3 = Fp^m[y]/(f3(y)), the modulus polynomial of the quadratic extension is f2(x) = x^2 - d, d ∈ Fp^m, and the modulus polynomial of the cubic extension is f3(y) = y^3 - w, w ∈ Fp^m. After the projective representation T2(F(p^m)^3) is obtained, solving g^(p^4m+p^2m+1) = 1, as the condition that the norm map with respect to the subfield Fp^md of the finite field Fp^m6 is 1 for every divisor d of n = 6, gives the affine representation of T6(Fp^m). The map for converting from the affine representation to the projective representation is given by Equation 4. The map for converting from the projective representation to the affine representation is given by Equation 5.
Figure JPOXMLDOC01-appb-M000004
The right-hand side of Equation 5 is an element of F(p^m)^3, but only the constant term and the coefficient of y need to be obtained. The map for converting from the affine representation to the projective representation may also be written with the numerator and denominator multiplied by c1, so that no inverse has to be computed. FIG. 3 illustrates the computational cost of each representation conversion in the conventional method. I, M, S and F in the figure are the costs of an inversion in Fp^m, a multiplication in Fp^m, a squaring in Fp^m, and a Frobenius map in Fp^m, respectively. B is the cost of a multiplication between a constant belonging to Fp^m and an element of Fp^m. The cost B depends on how the parameters d and w are chosen.
In the present embodiment, by contrast, after the projective representation T3(F(p^m)^2) is obtained, g^(p^3m+1) = 1 is solved as the condition that the norm map with respect to the subfield Fp^md of the finite field Fp^m6 is 1 for every divisor d of n = 6. Since Equation 6 below holds, σ = π^2 or π^4. Here σ = π^2 is used. For the norm, Equation 7 below holds.
Figure JPOXMLDOC01-appb-M000005
The condition that the norm of g ∈ F(p^m)^6 with respect to F(p^m)^2 is 1 is equivalent to the condition that g is in T3(F(p^m)^2) (see Equation 8); that is, Equation 9 holds.
Figure JPOXMLDOC01-appb-M000006
Here, with F((p^m)^2)^3 = F(p^m)^2[y]/(f3(y)) and F(p^m)^2 = Fp^m[x]/(f2(x)), the modulus polynomial of the quadratic extension is f2(x) = x^2 - d, d ∈ Fp^m, and the modulus polynomial of the cubic extension is f3(y) = y^2 - w, w ∈ Fp^m. Writing Equation 9 out explicitly gives Equation 10. To obtain T6(Fp^m), the (α, β, γ) that solve g^(p^3m+1) = 1 are found.
Figure JPOXMLDOC01-appb-M000007
For the (α, β, γ) above, the triple (αδ, βδ, γδ) obtained by multiplying each component by δ ∈ F(p^m)^2 represents the same element g. This property is why the representation is called projective. The representative point of the projective representation (α, β, γ) is taken to be (α/γ, β/γ, 1) or (α/β, 1, 0) (Equations 11a to 11c).
Figure JPOXMLDOC01-appb-M000008
Next, solving g^(p^3m+1) = 1 for Equations 11a to 11c gives the affine representation of T6(Fp^m).
When γ = 0 and β ≠ 0, setting α/β = α', Equation 12 is to be solved, which means that Equation 13 holds. This, however, contradicts the irreducibility of f3(y). Hence there is no solution.
Figure JPOXMLDOC01-appb-M000009
When γ ≠ 0, setting α/γ = α' and α/γ = β', Equation 14 is to be solved, which means that Equation 15 holds. By the irreducibility of f3(y), Equation 16 is obtained.
Figure JPOXMLDOC01-appb-M000010
Setting α' = a0 + a1x and β' = b0 + b1x, Equation 16 can be rewritten as Equation 17, so it suffices to solve Equation 17.
Figure JPOXMLDOC01-appb-M000011
For example, expressing a0 and a1 in terms of b0 and b1 gives Equation 18. Here b1 ≠ 0, because if b1 = 0 then b0^3 = w, which contradicts the irreducibility condition w^((p^m-1)/3) ≠ 1 of f3(y).
Figure JPOXMLDOC01-appb-M000012
The map for converting from the affine representation to the projective representation is therefore given by Equation 19.
Figure JPOXMLDOC01-appb-M000013
The map for converting from the projective representation to the affine representation is given by Equation 20.
Figure JPOXMLDOC01-appb-M000014
Note that the map for converting from the affine representation to the projective representation may also be written with the numerator and denominator multiplied by b1, so that no inverse has to be computed.
FIG. 4 illustrates the computational cost of each representation conversion in the present embodiment.
[Third Embodiment]
Next, a third embodiment of the arithmetic device is described. Parts common to the first or second embodiment described above are described using the same reference numerals, or their description is omitted.
In the present embodiment, an example is described in which the modulus polynomials are fixed and multiplication, squaring and the Frobenius map are performed as finite field Fp^mn operations. The conventional method is described first. As in the second embodiment described above, n = 6, and with F((p^m)^3)^2 = F(p^m)^3[x]/(f2(x)) and F(p^m)^3 = Fp^m[y]/(f3(y)), the modulus polynomial of the quadratic extension is f2(x) = x^2 - d, d ∈ Fp^m, and the modulus polynomial of the cubic extension is f3(y) = y^2 - w, w ∈ Fp^m.
First, the normal operations among the finite field Fp^mn operations are described. An operation between an extension-field type and an extension-field type is a normal operation. Among these operations, multiplication using the Karatsuba method is described. The product of the extension-field type (α, β) and the extension-field type (γ, δ) is given by Equation 21 and is (αγ+βδd, βγ+αδ). Since αγ, βδ and (α+β)(γ+δ) are computed, the cost is 3(6M+2B+14A)+3B+15A = 18M+9B+57A.
Figure JPOXMLDOC01-appb-M000015
Next, multiplication using the Toom-Cook method is described. The extension-field type (α, β) and the extension-field type (γ, δ) are each converted into the degree-6 extension field. The product is given by Equation 22.
Figure JPOXMLDOC01-appb-M000016
To find e0, ..., e10, 11 values are substituted for s and a system of 11 simultaneous equations is solved. The left-hand sides after substitution correspond to multiplications in the base field, which cost 11M. If the modulus polynomial of the degree-6 extension is a binomial, the terms from s^6 onward leave a constant when reduced by the modulus polynomial, and the multiplications by constants in the base field cost 5B.
Next, squaring using the Complex method is described. The square of the extension-field type (α, β) is given by Equation 23 and is (α^2+β^2*d, 2αβ), where α^2+β^2*d = (α+β)(α+βd)-(1+d)αβ is computed. The cost is therefore 2(6M+2B+14A)+6B+12A = 12M+10B+40A.
Figure JPOXMLDOC01-appb-M000017
Next, squaring using the Toom-Cook method is described. It suffices to replace the base-field multiplications of the multiplication case with base-field squarings.
Next, the Frobenius map is described. The Frobenius map of the extension-field type (α, β) is given by Equation 24 and is (α^p+β^p*d^(p^1)/2), and the cost is 2(3F+2B)+3B = 6F+7B.
Figure JPOXMLDOC01-appb-M000018
Next, the mixed operations and constrained operations among the finite field Fp^mn operations are described. An operation between an extension-field type and an affine type is a mixed operation, and an operation between an affine type and an affine type is a constrained operation. The map for converting from the affine representation to the projective representation is assumed to be given by Equation 25, and the map for converting from the projective representation to the affine representation is assumed to be given by Equation 26.
Figure JPOXMLDOC01-appb-M000019
First, consider multiplication using the Karatsuba method. The product of the extension-field type (α, β) and the affine type (δ, 1) is (αδ+βd, βδ+α). The cost is 2(6M+2B+14A)+3B+6A = 12M+7B+34A.
The product of the affine type (α, 1) and the affine type (δ, 1) is (αδ+d, δ+α). The cost is (6M+2B+14A)+4A = 6M+2B+18A.
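The Karatsuba multiplication, Complex squaring, mixed multiplication and constrained multiplication described above, as an added Python example that is not part of the patent text. It assumes toy parameters p = 7, m = 1, w = 2, d = 3 and takes the cubic modulus as y^3 - w (constructed values; all function names are hypothetical), and it counts the F(p^m)^3 products that the costs above charge at 6M+2B+14A each.

```python
# Added example. Toy tower (constructed parameters, not from the patent):
#   F_7 -> F_{7^3} = F_7[y]/(y^3 - W) -> F_{7^6} = F_{7^3}[x]/(x^2 - D)
P, W, D = 7, 2, 3

# The binomials are irreducible when W is a non-cube and D a non-square in F_7.
assert pow(W, (P - 1) // 3, P) != 1
assert pow(D, (P - 1) // 2, P) != 1

ONE = (1, 0, 0)   # the element 1 of F_{7^3}
MULS = 0          # number of F_{7^3} multiplications performed so far


def add3(a, b):
    return tuple((s + t) % P for s, t in zip(a, b))


def sub3(a, b):
    return tuple((s - t) % P for s, t in zip(a, b))


def scal3(k, a):
    """Multiply by a base-field constant (the cost the page calls B)."""
    return tuple(k * s % P for s in a)


def mul3(a, b):
    """Schoolbook product in F_7[y]/(y^3 - W); every call is counted."""
    global MULS
    MULS += 1
    a0, a1, a2 = a
    b0, b1, b2 = b
    return ((a0 * b0 + W * (a1 * b2 + a2 * b1)) % P,
            (a0 * b1 + a1 * b0 + W * a2 * b2) % P,
            (a0 * b2 + a1 * b1 + a2 * b0) % P)


def mul_schoolbook(u, v):
    """Reference product of alpha + beta*x and gamma + delta*x (4 products)."""
    (a, b), (c, e) = u, v
    return (add3(mul3(a, c), scal3(D, mul3(b, e))),
            add3(mul3(a, e), mul3(b, c)))


def mul_karatsuba(u, v):
    """Normal operation: (ag + b*dl*D, b*g + a*dl) from ag, b*dl, (a+b)(g+dl)."""
    (a, b), (c, e) = u, v
    v0, v1 = mul3(a, c), mul3(b, e)
    v2 = mul3(add3(a, b), add3(c, e))
    return (add3(v0, scal3(D, v1)), sub3(sub3(v2, v0), v1))


def sqr_complex(u):
    """Complex method: a^2 + b^2*D = (a+b)(a+b*D) - (1+D)*a*b; x part is 2ab."""
    a, b = u
    ab = mul3(a, b)
    t = mul3(add3(a, b), add3(a, scal3(D, b)))
    return (sub3(t, scal3(1 + D, ab)), scal3(2, ab))


def mul_mixed(u, delta):
    """Mixed operation: (alpha, beta) times the affine type (delta, 1)."""
    a, b = u
    return (add3(mul3(a, delta), scal3(D, b)), add3(mul3(b, delta), a))


def mul_affine(alpha, delta):
    """Constrained operation: (alpha, 1) times (delta, 1)."""
    return (add3(mul3(alpha, delta), scal3(D, ONE)), add3(alpha, delta))


def counted(fn, *args):
    """Run fn and return (result, number of F_{7^3} multiplications used)."""
    global MULS
    MULS = 0
    out = fn(*args)
    return out, MULS


if __name__ == "__main__":
    u = ((1, 2, 3), (4, 5, 6))      # constructed sample elements
    v = ((6, 0, 2), (3, 1, 5))
    delta = (2, 5, 1)
    for name, fn, args in [("schoolbook", mul_schoolbook, (u, v)),
                           ("karatsuba", mul_karatsuba, (u, v)),
                           ("complex square", sqr_complex, (u,)),
                           ("mixed", mul_mixed, (u, delta)),
                           ("affine x affine", mul_affine, (u[0], delta))]:
        result, n = counted(fn, *args)
        print(f"{name:16s} cubic-field products: {n}  result: {result}")
```
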
Next, consider multiplication using the Toom-Cook method. The extension-field type (α, β) and the affine type (δ/f0, 1/f0) are each converted into the degree-6 extension field. Here δ = f0+f1y+f2y^2. The affine type is rewritten in this way because the constant term then becomes 1 when it is converted to the basis of the degree-6 extension field. The product is given by Equation 27.
Figure JPOXMLDOC01-appb-M000020
To find g2, ..., g9, 8 values are substituted for s and a system of 8 simultaneous equations is solved. The left-hand sides after substitution correspond to multiplications in the base field, which cost 8M. If the modulus polynomial of the degree-6 extension is a binomial, the terms from s^6 onward leave a constant when reduced by the modulus polynomial, and the multiplications by constants in the base field cost 4B. The affine type (α/c0, 1/c0) and the affine type (δ/f0, 1/f0) are each converted into the degree-6 extension field. Here α = c0+c1y+c2y^2. If the conversion from the affine representation to the projective representation (α/c0, 1/c0) is given by Equation 28, its cost is I+4M+2S+B+A. The conversion to the degree-6 extension field can be realized by permuting elements and multiplying by constants; given that multiplications involving zero elements need not be computed, its cost is 3B. The product is given by Equation 29.
Figure JPOXMLDOC01-appb-M000021
To find g4, ..., g8, 5 values are substituted for s and a system of 5 simultaneous equations is solved. The left-hand sides after substitution correspond to multiplications in the base field, which cost 5M. If the modulus polynomial of the degree-6 extension is a binomial, the terms from s^6 onward leave a constant when reduced by the modulus polynomial, and the multiplications by constants in the base field cost 3B.
 次に、平方について、Karatsuba法を用いる場合について考える。アフィン型(α,1)の平方結果は、(α^2+d,2α)となる。c1c2w=c0^2+d/3を用いて基礎体上平方を1回省略できる。Karatsuba法を用いると、計算コストは(5S+B+9A)+4A=5S+B+13Aである。これはα^2が式30により計算できるからである。 Next, consider the case of using the Karatsuba method for squares. The square result of the affine type (α, 1) is (α ^ 2 + d, 2α). c 1 c 2 w = c 0 ^ 2 + d / 3 can be used to omit the square on the basal body once. Using Karatsuba method, the calculation cost is (5S + B + 9A) + 4A = 5S + B + 13A. This is because α ^ 2 can be calculated by Equation 30.
Figure JPOXMLDOC01-appb-M000022
Next, consider squaring using the Toom-Cook method. For the square of the affine type (α/c0, 1/c0), the multiplications over the base field used in the multiplication case are simply replaced by squarings over the base field. Using c1c2w = c0^2 + d/3, it may be possible to omit one squaring over the base field. However, g6, in which the converted terms a2a4 and a3^2 appear, can be computed from a2^2 and the values t_1, t_{-1}, t_∞ obtained by substituting s = ±1, ∞ into t_s = (1 + a2s^2 + a3s^3 + a4s^4)^2. If a2a3 or a3a4 is computed as a multiplication over the base field, a modified Toom-Cook method computes the result with M+4S and considerably fewer A than the Toom-Cook method. For Expression 31, Expression 32 holds.
Figure JPOXMLDOC01-appb-M000023
Next, the Frobenius map is described. The Frobenius map of the affine type (α, 1) is (α^p, d^{(p-1)/2}). The calculation cost is 3F+2B.
Next, in the present embodiment, an example is described in which the modulus polynomials are fixed and multiplication, squaring and the Frobenius map are performed as operations on the finite field Fp^mn. As in the second embodiment above, n = 6, and with F((p^m)^2)^3 = F(p^m)^2[y]/(f3(y)) and F(p^m)^2 = Fp^m[x]/(f2(x)), the modulus polynomial of the quadratic extension is fixed as f2(x) = x^2-d, d ∈ Fp^m, and that of the cubic extension as f3(y) = y^2-w, w ∈ Fp^m.
First, the normal operations on the finite field Fp^mn are described. Consider multiplication using the Karatsuba method. The product of the extension-field type (α, β, γ) and the extension-field type (δ, ε, ζ) is given by Vector 52. The calculation cost is 6(3M+B+5A)+4B+28A = 18M+10B+58A. If the elements are permuted and the product is computed as a quadratic extension of a cubic extension, the cost is 18M+9B+57A, the same as for multiplication in the normal operation.
Next, multiplication using the Toom-Cook method is described. The extension-field type (α, β, γ) and the extension-field type (δ, ε, ζ) are each converted to the sixth-degree extension field. The multiplication result is given by Expression 33.
Figure JPOXMLDOC01-appb-M000024
To find g0, ..., g10, eleven values are substituted for s and eleven simultaneous equations are solved. The substituted left-hand sides correspond to multiplications over the base field, giving 11M. If the modulus polynomial of the sixth-degree extension is a binomial, reducing the terms from s^6 upward by the modulus polynomial leaves a constant factor, and the multiplications by a base-field constant come to 5B.
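The evaluate, multiply pointwise, interpolate and reduce sequence behind the 11M and 5B counts above, as an added Python example (not code from the patent). The prime 8191, the constant 3 in the binomial modulus s^6 - 3, the evaluation points 0..10 and all function names are constructed for illustration.

```python
# Added illustration, not the patent's code. Assumed toy parameters below.
P = 8191                     # 13-bit prime standing in for the base field
C = 3                        # constant of the assumed binomial modulus s^6 - C
POINTS = list(range(11))     # 11 distinct evaluation points for a degree-10 product


def evaluate(poly, x):
    """Horner evaluation of poly (coefficients low to high) at the fixed point x.
    The points are small constants, so this is not counted as M."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc


def interpolate(xs, ys):
    """Lagrange interpolation over F_P: solves the simultaneous equations for
    g_0..g_{n-1}. In a real implementation this is a fixed linear map."""
    n = len(xs)
    coeffs = [0] * n
    for i in range(n):
        num, den = [1], 1
        for j in range(n):
            if j == i:
                continue
            # num <- num * (s - xs[j])
            num = [(lo - xs[j] * hi) % P for lo, hi in zip([0] + num, num + [0])]
            den = den * (xs[i] - xs[j]) % P
        scale = ys[i] * pow(den, -1, P) % P
        for k in range(n):
            coeffs[k] = (coeffs[k] + scale * num[k]) % P
    return coeffs


def toom_cook_mul(a, b):
    """Product of a and b in F_P[s]/(s^6 - C).
    Returns (product, base-field multiplications M, constant multiplications B)."""
    # One base-field multiplication per evaluation point: 11M in total.
    ys = [evaluate(a, x) * evaluate(b, x) % P for x in POINTS]
    g = interpolate(POINTS, ys)                  # g_0 .. g_10
    # s^(6+k) = C * s^k, so each of g_6 .. g_10 costs one constant multiplication.
    low = g[:6]
    for k, gk in enumerate(g[6:]):
        low[k] = (low[k] + C * gk) % P
    return low, len(ys), len(g) - 6


def toom_cook_square(a):
    """Same flow with b = a: the 11 pointwise products become 11 squarings."""
    return toom_cook_mul(a, a)
```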
Next, squaring using the Complex method is described. The square of the extension-field type (α, β, γ) is given by Vector 34. If the elements are permuted and the square is computed as a quadratic extension of a cubic extension, the cost is 12M+10B+40A, the same as for squaring in the normal operation.
Figure JPOXMLDOC01-appb-M000025
Next, squaring using the Toom-Cook method is described. The multiplications over the base field used in the multiplication case are simply replaced by squarings over the base field.
Next, the Frobenius map is described. When p mod 3 = 1, the Frobenius map of the extension-field type (α, β, γ) is given, by Expression 35, as Vector 36. The calculation cost is 3(2F+B)+4B = 6F+7B.
Figure JPOXMLDOC01-appb-M000026
Next, the mixed operations and the constrained operations are described. The map for converting from the affine representation to the projective representation is given by Expression 37, and the map for converting from the projective representation to the affine representation is given by Expression 38.
Figure JPOXMLDOC01-appb-M000027
First, consider multiplication using the Karatsuba method. The product of the extension-field type (α, β, γ) and the affine type (δ, ε, 1) is given by Vector 39. The calculation cost is 5(3M+B+5A)+4B+24A = 15M+9B+49A. If the elements are permuted and the product is computed as a quadratic extension of a cubic extension, the cost is 2(6M+2B+14A)+(3M+B+5A)+3B+14A = 15M+8B+47A.
Figure JPOXMLDOC01-appb-M000028
The product of the affine type (α, β, 1) and the affine type (δ, ε, 1) is given by Vector 40. The calculation cost is 3(3M+B+5A)+2B+18A = 9M+5B+33A. If the elements are permuted and the product is computed as a quadratic extension of a cubic extension, the cost is 2(3M+B+10A)+(3M+4A)+2B+13A = 9M+4B+37A.
Figure JPOXMLDOC01-appb-M000029
Next, consider multiplication using the Toom-Cook method. The extension-field type (α, β, γ) and the affine type (δ/d0, ε/d0, 1/d0) are each converted to the sixth-degree extension field. Here δ = d0 + d1x. The affine type is rewritten in this form so that the constant term becomes 1 when it is converted to the basis of the sixth-degree extension field. The multiplication result is given by Expression 41.
Figure JPOXMLDOC01-appb-M000030
To find g1, ..., g9, nine values are substituted for s and nine simultaneous equations are solved. The substituted left-hand sides correspond to multiplications over the base field, giving 9M. If the modulus polynomial of the sixth-degree extension is a binomial, reducing the terms from s^6 upward by the modulus polynomial leaves a constant factor, and the multiplications by a base-field constant come to 4B.
The affine type (α/a0, β/a0, 1/a0) and the affine type (δ/d0, ε/d0, 1/d0) are each converted to the sixth-degree extension field. Here α = a0 + a1x. If the conversion from the affine representation to the projective representation (α/a0, β/a0, 1/a0) is given by Expression 42, its calculation cost is I+7M+2S+3B+2A. The conversion to the sixth-degree extension field can be done by permuting elements and multiplying by constants; since multiplications involving zero elements need not be computed, its calculation cost is 3B. The multiplication result is given by Expression 43.
Figure JPOXMLDOC01-appb-M000031
To find g2, ..., g8, seven values are substituted for s and seven simultaneous equations are solved. The substituted left-hand sides correspond to multiplications over the base field, giving 7M. If the modulus polynomial of the sixth-degree extension is a binomial, reducing the terms from s^6 upward by the modulus polynomial leaves a constant factor, and the multiplications by a base-field constant come to 3B.
Next, consider squaring using the Complex method. The square of the affine type (α, β, 1) is given by Expression 44. With the elements permuted and the square computed as a quadratic extension of a cubic extension, the result is given by Expression 45. The calculation cost is (3M+B+10A)+(3M+B+5A)+4B+7A = 6M+6B+22A.
Figure JPOXMLDOC01-appb-M000032
Next, consider squaring using the Karatsuba method. Using the relations that hold among a0, a1, b0 and b1, the result can be arranged as in Expression 46. The calculation cost is 5M+S+5B+18A.
Figure JPOXMLDOC01-appb-M000033
Next, consider squaring using the Toom-Cook method. For the square of (α/a0, β/a0, 1/a0), the multiplications over the base field used in the multiplication case are simply replaced by squarings over the base field. Using a0b0-a1b1+w/2 = 0 and b0^2-b1^2d+2a0 = 0, it may be possible to omit two squarings over the base field. For Expression 47, modifying the Toom-Cook method gives Expression 48. In other words, of the relations that hold among the elements of the affine type, only the second is used, and only in the computation of g2. The result can be computed with 2M+4S and considerably fewer A than the Toom-Cook method.
Figure JPOXMLDOC01-appb-M000034
Next, the Frobenius map is described. When p mod 3 = 1, the Frobenius map of the affine type (α, β, 1) is given by Vector 36 above. The calculation cost is 2(2F+B)+2B = 4F+4B.
Figure JPOXMLDOC01-appb-M000035
FIG. 5 illustrates the calculation cost of each Fp^mn operation in the conventional method. FIG. 6 illustrates the calculation cost of each Fp^mn operation according to the present embodiment. In FIG. 5, extension-field type (α, β) is the calculation cost for the normal operation; affine type (α, c1) and affine type (α, 1) are the costs for the constrained operations; mixed (α, β)(δ, f1) and mixed (α, β)(δ, 1) are the costs for the mixed operations. In FIG. 6, extension-field type (α, β, γ) is the calculation cost for the normal operation; affine type (α, β, b1) and affine type (α, β, 1) are the costs for the constrained operations; mixed (α, β, γ)(δ, ε, e1) and mixed (α, β, γ)(δ, ε, 1) are the costs for the mixed operations. As FIGS. 5 and 6 show, the calculation cost of the present embodiment is in some cases higher, but, referring to FIGS. 3 and 4, the increase over the conventional method is smaller than the reduction obtained in the cost of converting from the projective representation to the affine representation. Therefore, according to the present embodiment, the overall calculation cost including representation conversion and the operations can be reduced compared with the conventional method.
[Fourth Embodiment]
Next, the case where exponentiation is performed as the operation is described. As an example, n = 6 in the algebraic torus Tn(Fp^m) is considered, with the power computed using a table created by a table creation device (not shown). Exponentiation is computed by combining multiplication, squaring and the Frobenius map. First, an example in which this exponentiation is computed using the Karatsuba method is described.
Here, the operation of computing the power g^a is described in comparison with the conventional technique. The exponent a is either input in p-adic representation, or the p-adic expansion of a is computed to obtain it. Next, the binary representation of each digit of the p-adic exponent a is obtained. From these, sequences are formed by lining up the same binary bit position across the digits of the p-adic representation of a. For the resulting ceil(log2(p)) sequences of length 2m, all subsequences within the window width win that start with 1 and end with 1 are extracted and made table entries. Alternatively, all possibilities within the window width win are precomputed as table entries. The table creation device computes and stores in the table, for example, T11 = g×φ(g) for sequence No. 3, 11, and T1101 = g×φ^1(g)×φ^3(g) for sequence No. 11, 1101. Note that in the sequence notation the first position corresponds to p^0, followed by p^1, p^2, ..., which is the reverse of the usual order. That is, for the k-th sequence B0 B1 B2 B3 ... Bi ... Bwin-1, it computes and stores T_{B0 B1 B2 B3 ... Bi ... Bwin-1} = Π_i φ^(Bi*i)(g). Here Bwin-1 denotes B with the subscript win-1.
In the main computation, first, the sequence formed by lining up the 2^j bit of the binary representation of each digit of the exponent a is expressed as a concatenation of table entries. Here j is a non-negative integer. For example, the sequence 11001101 is expressed as 11·00·1101. Each position of the sequence corresponds to one p-adic digit. For 11·00·1101, for example, the arithmetic device computes T11×φ^4(T1101). Let Aj be the result computed for the sequence of the 2^j bit. The arithmetic device then, starting from the largest j, computes the square of Aj, multiplies Aj^2 by the next Aj-1 and squares the result, multiplies (Aj^2*Aj-1)^2 by the next Aj-2 and squares the result, and so on. Here 0 ≤ j ≤ ceil(log2(p))-1, and ceil(x) is the ceiling function returning the smallest integer not less than x.
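The table-based exponentiation described above, as an added Python example (not code from the patent). It assumes a toy field F_{7^6} = F_7[y]/(y^6 - 3) and works in its full multiplicative group rather than in the algebraic torus; the table holds only the window patterns that actually occur, and all function names are illustrative.

```python
# Added illustration, not the patent's code. Assumed toy parameters:
# F_{7^6} = F_7[y]/(y^6 - 3). Here y^7 = 3*y, so the Frobenius map
# phi(x) = x^7 only rescales coefficients by constants.
P, K, W = 7, 6, 3
ONE = (1,) + (0,) * (K - 1)


def mul(a, b):
    """Schoolbook product in F_P[y]/(y^K - W); elements are K-tuples."""
    r = [0] * K
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            t = ai * bj * (W if i + j >= K else 1)
            r[(i + j) % K] = (r[(i + j) % K] + t) % P
    return tuple(r)


def frob(a, times=1):
    """phi^times(a) = a^(P^times): coefficient i is multiplied by W^(i*times)."""
    return tuple(c * pow(W, i * times, P) % P for i, c in enumerate(a))


def power_naive(g, e):
    """Plain binary exponentiation, used only as a reference."""
    r = ONE
    while e:
        if e & 1:
            r = mul(r, g)
        g, e = mul(g, g), e >> 1
    return r


def bit_planes(a):
    """Row j holds bit 2^j of every p-adic digit of a, p^0 digit first."""
    digits = []
    while a:
        a, d = divmod(a, P)
        digits.append(d)
    nbits = (P - 1).bit_length()              # ceil(log2(P))
    return [[(d >> j) & 1 for d in digits] for j in range(nbits)]


def windows(plane, win):
    """Split a bit sequence into (offset, pattern) pieces of width <= win that
    start and end with 1; runs of 0 between them are skipped."""
    out, i = [], 0
    while i < len(plane):
        if plane[i] == 0:
            i += 1
            continue
        pat = plane[i:i + win]
        while pat[-1] == 0:
            pat.pop()
        out.append((i, tuple(pat)))
        i += len(pat)
    return out


def power_windowed(g, a, win):
    planes = [windows(pl, win) for pl in bit_planes(a)]
    # Table: T[pattern] = product of phi^k(g) over positions k with pattern[k] == 1.
    table = {}
    for _, pat in (w for pl in planes for w in pl):
        if pat not in table:
            t = ONE
            for k, bit in enumerate(pat):
                if bit:
                    t = mul(t, frob(g, k))
            table[pat] = t
    # A_j = product over the windows of plane j of phi^offset(T[pattern]).
    A = []
    for pl in planes:
        acc = ONE
        for off, pat in pl:
            acc = mul(acc, frob(table[pat], off))
        A.append(acc)
    # Horner over the bit planes, highest j first: ((A_top)^2 * A_next)^2 * ...
    result = A[-1]
    for aj in reversed(A[:-1]):
        result = mul(mul(result, result), aj)
    return result
```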
Regarding the calculation cost, the main part of the maximum cost of generating the table is:
[T1] (win-1) multiplications in the algebraic torus between the input element g and Frobenius maps of g;
[T2] (2^(win-1)-win) multiplications in the algebraic torus between the input element g and Frobenius maps of entries already in the table.
The main part of the calculation cost of the main computation is determined by the exponent a, the window width win and the extension degree m of the base field. The f(a, win, m) multiplications in the algebraic torus break down as follows:
[M1] ceil(log2(p)) multiplications in the algebraic torus between table entries;
[M2] (f(a, win, m)-2ceil(log2(p))+1) multiplications in the algebraic torus between an intermediate result and a table entry;
[M3] the number of multiplications in [M3] corresponds to the operations of multiplying in the Aj;
[M4] (ceil(log2(p))-1) squarings of intermediate results in the algebraic torus.
With the conventional technique (n = 2*r, r = 3, with the cubic modulus polynomial f3(y) = y^3-w), an example of the calculation cost when exponentiation is computed using the Karatsuba method in the constrained operations is as follows.
[T0] The representation conversion of the input element g costs I+M+S+B+A: the affine-to-projective conversion in row 2, column 2 of FIG. 3.
[T1]-[T2] Each multiplication in the algebraic torus costs 6M+2B+18A: the affine-type multiplication (Karatsuba method) in row 2, column 4 of the upper part of FIG. 5.
[T3] The representation conversion of table entries is performed at most (2^(win-1)-1) times. Each conversion takes one inversion in Fp^mr and one multiplication in Fp^mr and, with the Itoh-Tsujii method used for the inversion, costs I+21M+10B+39A: the projective-to-affine conversion in row 5, column 2 of FIG. 3.
All table entries are in a projective representation in which, of the six elements of Fp^m, two are 0 and one is 1.
[M1] Each multiplication in the algebraic torus between table entries costs 6M+2B+18A: the affine-type multiplication (Karatsuba method) in row 2, column 4 of the upper part of FIG. 5.
[M2] A multiplication in the algebraic torus between an intermediate result and a table entry is a multiplication between a general projective representation and a projective representation in which, of the six elements of Fp^m, two are 0 and one is 1, so each costs 12M+7B+34A: the mixed multiplication (Karatsuba method) in row 2, column 3 of the lower part of FIG. 5.
[M3] A multiplication in the algebraic torus between intermediate results is between general projective representations, so each costs 18M+9B+57A: the extension-field-type multiplication (Karatsuba method) in row 2, column 3 of the upper part of FIG. 5.
[M4] This is a squaring in the algebraic torus of a general projective representation, so with the Complex method each costs 12M+10B+40A: the extension-field-type squaring in row 4, column 3 of the upper part of FIG. 5.
Next, an example of the calculation cost when the arithmetic device 50 of the present embodiment (n = 3*r, r = 2, with the quadratic modulus polynomial f2(x) = x^2-d) computes the exponentiation using the Karatsuba method is as follows.
[T0] The representation conversion of the input element g costs I+2M+2S+3B+A: the affine-to-projective conversion in row 2, column 2 of FIG. 4.
[T1]-[T2] Each multiplication in the algebraic torus costs 9M+4B+37A: the affine-type multiplication (Karatsuba method) in row 2, column 4 of the upper part of FIG. 6.
[T3] The representation conversion of table entries is performed at most (2^(win-1)-1) times. Each conversion takes one inversion in Fp^mr and one multiplication in Fp^mr and, with the Itoh-Tsujii method used for the inversion, costs I+8M+3B+10A: the projective-to-affine conversion in row 5, column 2 of FIG. 4.
All table entries are in a projective representation in which, of the six elements of Fp^m, two are 0 and one is 1.
[M1] Each multiplication in the algebraic torus between table entries costs 9M+4B+37A: the affine-type multiplication (Karatsuba method) in row 2, column 4 of the upper part of FIG. 6.
[M2] A multiplication in the algebraic torus between an intermediate result and a table entry is a multiplication between a general projective representation and a projective representation in which, of the six elements of Fp^m, two are 0 and one is 1, so each costs 15M+8B+47A: the mixed multiplication (Karatsuba method) in row 2, column 3 of the lower part of FIG. 6.
[M3] A multiplication in the algebraic torus between intermediate results is between general projective representations, so each costs 18M+9B+57A: the extension-field-type multiplication (Karatsuba method) in row 2, column 3 of the upper part of FIG. 6.
[M4] This is a squaring in the algebraic torus of a general projective representation, so with the Complex method each costs 12M+10B+40A: the extension-field-type squaring in row 4, column 3 of the upper part of FIG. 6.
Next, an example in which the exponentiation in the algebraic torus described above is computed using the Toom-Cook method is described.
With the conventional technique (n = 2*r, r = 3, with the cubic modulus polynomial f3(y) = y^3-w), an example of the calculation cost when exponentiation is computed using the Toom-Cook method in the constrained operations is as follows.
[T0] I+4M+S+B+A: the affine-to-projective conversion in row 4, column 2 of FIG. 3.
[T1]-[T2] 5M+3B per multiplication: the affine-type multiplication (Toom-Cook method) in row 3, column 4 of the upper part of FIG. 5.
[T3] The representation conversion of table entries is performed at most (2^(win-1)-1) times, each costing I+21M+10B+39A: the projective-to-affine conversion in row 5, column 2 of FIG. 3.
All table entries are in a projective representation in which, of the six elements of Fp^m, two are 0 and one is 1.
[M1] 5M+3B per multiplication: the affine-type multiplication (Toom-Cook method) in row 3, column 4 of the upper part of FIG. 5.
[M2] This is a multiplication in the algebraic torus between a general projective representation and a projective representation in which, of the six elements of Fp^m, two are 0 and one is 1, so each costs 8M+4B: the mixed multiplication (Toom-Cook method) in row 3, column 3 of the lower part of FIG. 5.
[M3] This is between general projective representations, so each costs 11M+5B: the extension-field-type multiplication (Toom-Cook method) in row 3, column 3 of the upper part of FIG. 5.
[M4] This is a squaring in the algebraic torus of a general projective representation, so each costs 11S+5B: the extension-field-type squaring (Toom-Cook method) in row 5, column 3 of the upper part of FIG. 5.
Next, an example of the calculation cost when the arithmetic device 50 of the present embodiment (n = 3*r, r = 2, with the quadratic modulus polynomial f2(x) = x^2-d) computes the exponentiation using the Toom-Cook method is as follows.
[T0] I+7M+2S+3B+2A: the affine-to-projective conversion in row 4, column 2 of FIG. 4.
[T1]-[T2] 7M+3B per multiplication: the affine-type multiplication (Toom-Cook method) in row 3, column 4 of the upper part of FIG. 6.
[T3] The representation conversion of table entries is performed at most (2^(win-1)-1) times, each costing I+8M+3B+10A: the projective-to-affine conversion in row 5, column 2 of FIG. 4.
All table entries are in a projective representation in which, of the six elements of Fp^m, two are 0 and one is 1.
[M1] 7M+3B per multiplication: the affine-type multiplication (Toom-Cook method) in row 3, column 4 of the upper part of FIG. 6.
[M2] This is a multiplication in the algebraic torus between a general projective representation and a projective representation in which, of the six elements of Fp^m, two are 0 and one is 1, so each costs 9M+4B: the mixed multiplication (Toom-Cook method) in row 3, column 3 of the lower part of FIG. 6.
[M3] This is between general projective representations, so each costs 11M+5B: the extension-field-type multiplication (Toom-Cook method) in row 3, column 3 of the upper part of FIG. 6.
[M4] This is a squaring in the algebraic torus of a general projective representation, so each costs 11S+5B: the extension-field-type squaring (Toom-Cook method) in row 5, column 3 of the upper part of FIG. 6.
As described above, according to the present embodiment, the overall calculation cost including representation conversion and the operations can be reduced compared with the conventional technique also for exponentiation, which is computed by combining multiplication, squaring and the Frobenius map. As specific figures, when ceil(log2(p)) = 13, a is about 700 bits, win = 5 and m = 27, f(a, win, m) = 118.72 on average. Since A is very small compared with I, M, S and B, it is left out of the overall calculation cost here. When exponentiation is computed using the Toom-Cook method, the overall calculation cost with the conventional technique is
(I+4M+S+B) + (5M+3B)*(2^(win-1)-1) + (I+21M+10B)*(2^(win-1)-1) + (5M+3B)*ceil(log2(p)) + (8M+4B)*(f(a, win, m)-2ceil(log2(p))+1) + (11M+5B)*(ceil(log2(p))-1) + (11S+5B)*(ceil(log2(p))-1)
= 2^(win-1)I + (26*2^(win-1)+8f(a, win, m)-25)M + (11ceil(log2(p))-10)S + (13*2^(win-1)+4f(a, win, m)+5ceil(log2(p))-18)B
= 16I+1340.76M+133S+729.88B.
In the present embodiment, on the other hand, the overall calculation cost is
(I+7M+2S+3B) + (7M+3B)*(2^(win-1)-1) + (I+8M+3B)*(2^(win-1)-1) + (7M+3B)*ceil(log2(p)) + (9M+4B)*(f(a, win, m)-2ceil(log2(p))+1) + (11M+5B)*(ceil(log2(p))-1) + (11S+5B)*(ceil(log2(p))-1)
= 2^(win-1)I + (15*2^(win-1)+9f(a, win, m)-10)M + (11ceil(log2(p))-9)S + (6*2^(win-1)+4f(a, win, m)+5ceil(log2(p))-9)B
= 16I+1298.48M+134S+626.88B,
a reduction of 42.28M-S+103B compared with the conventional technique.
[Modifications]
The present invention is not limited to the embodiments exactly as described above; at the implementation stage, the constituent elements can be modified and embodied without departing from the gist of the invention. Various inventions can also be formed by appropriately combining a plurality of the constituent elements disclosed in the embodiments. For example, some constituent elements may be deleted from all the constituent elements shown in an embodiment. Furthermore, constituent elements of different embodiments may be combined as appropriate. Various modifications such as those exemplified below are also possible.
In each of the above-described embodiments, the various programs executed by the arithmetic device 50 may be stored on a computer connected to a network such as the Internet and provided by being downloaded via the network. The programs may also be recorded, as files in an installable or executable format, on a computer-readable recording medium such as a CD-ROM, a flexible disk (FD), a CD-R or a DVD (Digital Versatile Disk), and provided as a computer product.
In each of the above-described embodiments, the arithmetic device 50 performs the processing of steps S1 to S3, but it may instead perform steps S1 to S2 or steps S2 to S3. In the former case, the processing of step S3 is performed by an information processing device connected to the arithmetic device 50. In the latter case, the processing of step S1 is performed by an information processing device connected to the arithmetic device 50, and the arithmetic device 50 performs steps S2 to S3 on the resulting projective representation.
50 Arithmetic device
51 Representation conversion unit
52 Arithmetic unit

Claims (6)

  1.  An arithmetic device comprising:
     an arithmetic unit that performs a finite field F_{p^mn} operation on a projective representation representing an element whose norm map with respect to a subfield F_{p^mr} (r: a divisor of n with n/r ≥ 3) of the finite field F_{p^mn} (n: positive integer, m: positive integer, p: prime) is 1; and
     a first representation conversion unit that converts the projective representation (h_0, h_1, ..., h_{n-1}) (h_i: element of the finite field F_{p^m}, 0 ≤ i ≤ n-1) after the finite field F_{p^mn} operation into an affine representation (c_0, c_1, ..., c_{φ(n)-1}) (c_i: element of the finite field F_{p^m}, 0 ≤ i ≤ φ(n)-1) representing the n-th order algebraic torus T_n(F_{p^m}).
  2.  The arithmetic device according to claim 1, wherein the first representation conversion unit, by converting the projective representation after the finite field F_{p^mn} operation into the affine representation, obtains each element c_i of the affine representation (c_0, c_1, ..., c_{φ(n)-1}) determined by the condition that, for every divisor d of n, the norm map with respect to the subfield F_{p^md} of the finite field F_{p^mn} is 1.
  3. (Example of the projective-to-affine conversion computation)
     The arithmetic device according to claim 2, wherein the first representation conversion unit performs, on sets of r elements h_i of the projective representation (h_0, h_1, ..., h_{n-1}) after the finite field F_{p^mn} operation, a finite field F_{p^mr} operation determined by the condition that, for every divisor d of n, the norm map with respect to the subfield F_{p^md} of the finite field F_{p^mn} is 1, and thereby obtains each element c_i of the affine representation (c_0, c_1, ..., c_{φ(n)-1}).
  4.  The arithmetic device according to any one of claims 1 to 3, further comprising a second representation conversion unit that converts an affine representation (c'_0, c'_1, ..., c'_{φ(n)-1}) (c'_i: element of the finite field F_{p^m}, 0 ≤ i ≤ φ(n)-1) representing the n-th order algebraic torus T_n(F_{p^m}) into a projective representation (h'_0, h'_1, ..., h'_{n-1}) (h'_i: element of the finite field F_{p^m}, 0 ≤ i ≤ n-1) on which the arithmetic unit performs its operation.
  5.  The arithmetic device according to claim 4, wherein the second representation conversion unit performs, on each element c'_i of the affine representation (c'_0, c'_1, ..., c'_{φ(n)-1}), a finite field F_{p^m} operation determined by the condition that, for every divisor d of n, the norm map with respect to the subfield F_{p^md} of the finite field F_{p^mn} is 1, and by the modulus polynomial and basis used to construct the degree-n extension, and thereby obtains each element h'_i of the projective representation (h'_0, h'_1, ..., h'_{n-1}) on which the finite field F_{p^mn} operation is performed.
  6.  The arithmetic device according to claim 5, wherein the modulus polynomials of the degree-r extension and the degree-n/r extension are each binomials, and the bases are each a polynomial basis or a pseudo-polynomial basis.
PCT/JP2009/066045 2009-09-14 2009-09-14 Arithmetic device WO2011030468A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2009/066045 WO2011030468A1 (en) 2009-09-14 2009-09-14 Arithmetic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2009/066045 WO2011030468A1 (en) 2009-09-14 2009-09-14 Arithmetic device

Publications (1)

Publication Number Publication Date
WO2011030468A1 (en) 2011-03-17

Family

ID=43732153

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/066045 WO2011030468A1 (en) 2009-09-14 2009-09-14 Arithmetic device

Country Status (1)

Country Link
WO (1) WO2011030468A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013195453A (en) * 2012-03-15 2013-09-30 Toshiba Corp Arithmetic unit
US8934631B2 (en) 2010-12-09 2015-01-13 Kabushiki Kaisha Toshiba Decompressing apparatus and compressing apparatus

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
KARL RUBIN ET AL.: "Torus-Based Cryptography", LECTURE NOTES IN COMPUTER SCIENCE, vol. 2729, 22 December 2003 (2003-12-22), pages 349 - 365 *
MARTEN VAN DIJK ET AL.: "Asymptotically Optimal Communication for Torus-Based Cryptography", LECTURE NOTES IN COMPUTER SCIENCE, vol. 3152, 21 October 2004 (2004-10-21), pages 157 - 178 *
MARTEN VAN DIJK ET AL.: "Practical Cryptography in High Dimensional Tori", LECTURE NOTES IN COMPUTER SCIENCE, vol. 3494, 27 May 2005 (2005-05-27), pages 234 - 250 *
STEVEN GALBRAITH: "Disguising tori and elliptic curves", CRYPTOLOGY EPRINT ARCHIVE, 20 July 2006 (2006-07-20), Retrieved from the Internet <URL:http://eprint.iacr.org/2006/248> *
TAICHI ISOGAI ET AL.: "Daisuteki Torus-jo no Angokei ni Okeru Enzan Hyogen no Sentaku", PROCEEDINGS OF THE 31ST SYMPOSIUM ON INFORMATION THEORY AND ITS APPLICATIONS, 30 September 2008 (2008-09-30), pages 269 - 274 *
TAICHI ISOGAI ET AL.: "Daisuteki Torus-jo no Angokei ni Okeru Kosoku Bekijo Enzanho", THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS GIJUTSU HOKOKU, 10 December 2008 (2008-12-10), pages 53 - 60 *

Similar Documents

Publication Publication Date Title
Joux et al. The number field sieve in the medium prime case
JP6083234B2 (en) Cryptographic processing device
Pornin et al. More efficient algorithms for the NTRU key generation using the field norm
US7921145B2 (en) Extending a repetition period of a random sequence
Dartois et al. SQISignHD: new dimensions in cryptography
Van Der Hoeven et al. On the bit-complexity of sparse polynomial and series multiplication
Cohn et al. Ideal forms of Coppersmith's theorem and Guruswami-Sudan list decoding
Shoufan et al. A novel cryptoprocessor architecture for the McEliece public-key cryptosystem
Bruinier et al. Class polynomials for nonholomorphic modular functions
Jackson et al. The Lawrence–Krammer–Bigelow representations of the braid groups via Uq (sl2)
JP7031682B2 (en) Secret calculator, system, method, program
Bellaïche et al. Level 1 Hecke algebras of modular forms modulo
Takayasu et al. General bounds for small inverse problems and its applications to multi-prime RSA
WO2011030468A1 (en) Arithmetic device
JP5289571B2 (en) Arithmetic unit
WO2023074133A1 (en) Cryptographic processing device, cryptographic processing method, and cryptographic processing program
JP6321216B2 (en) Matrix / key generation device, matrix / key generation system, matrix combination device, matrix / key generation method, program
Sarkar et al. A unified polynomial selection method for the (tower) number field sieve algorithm
Barbulescu et al. Improvements to the number field sieve for non-prime finite fields
Gaudry Integer factorization and discrete logarithm problems
Arce-Nazario et al. Multidimensional linear complexity analysis of periodic arrays
KR100954843B1 (en) Method and Apparatus of elliptic curve cryptographic operation based on block indexing on sensor mote and Recording medium using by the same
Mourrain et al. Toric border basis
JP5554357B2 (en) Arithmetic unit
US20240039698A1 (en) Encryption processing device and encryption processing method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09849245

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09849245

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP