WO2012046805A1 - Dispositif de compression d'informations de point rationnel, procédé de compression d'informations de point rationnel et programme de compression d'informations de point rationnel - Google Patents

Dispositif de compression d'informations de point rationnel, procédé de compression d'informations de point rationnel et programme de compression d'informations de point rationnel Download PDF

Info

Publication number
WO2012046805A1
WO2012046805A1 PCT/JP2011/073098 JP2011073098W WO2012046805A1 WO 2012046805 A1 WO2012046805 A1 WO 2012046805A1 JP 2011073098 W JP2011073098 W JP 2011073098W WO 2012046805 A1 WO2012046805 A1 WO 2012046805A1
Authority
WO
WIPO (PCT)
Prior art keywords
rational point
rational
point
mod
information compression
Prior art date
Application number
PCT/JP2011/073098
Other languages
English (en)
Japanese (ja)
Inventor
野上保之
森川良孝
出田哲也
Original Assignee
国立大学法人岡山大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 国立大学法人岡山大学 filed Critical 国立大学法人岡山大学
Priority to JP2012537756A priority Critical patent/JP5769263B2/ja
Publication of WO2012046805A1 publication Critical patent/WO2012046805A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic
    • G06F7/725Finite field arithmetic over elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/30Compression, e.g. Merkle-Damgard construction

Definitions

  • the present invention relates to a rational point information compression apparatus, a rational point information compression method, and a rational point information compression program in elliptic curve cryptography and pairing cryptography.
  • the present invention relates to a rational point information compression apparatus, rational point information compression method, and rational point information compression program in elliptic curve cryptography and pairing cryptography when the embedding degree of a rational point group is 1.
  • authentication processing is required to confirm that the user of the service is an appropriate user, not impersonation or a fictitious person, and a highly reliable authentication method.
  • electronic authentication technology based on public key cryptography using a public key and a secret key is often used.
  • the authentication device does not authenticate using the user's personal information, but uses multiple users as a group and uses a group signature indicating that they belong to this group.
  • a group signature technique has been proposed in which authentication is performed without specifying a person, thereby enabling authentication without accumulating personal information in an authentication apparatus.
  • Pairing is a function of two inputs and one output defined on an elliptic curve.
  • the input uses two rational points on the elliptic curve and the output uses a finite field element.
  • This pairing has bilinearity for two inputs. For example, rational points on an elliptic curve defined with P on prime field F p, as rational points on an elliptic curve defined with Q over k-th extension field F p k, and inputs the P and Q larger when the original z body F * p k is output, z of ab-th power is outputted by entering the a times of P and b times Q.
  • the Tate pairing calculation method defined on the elliptic curve is used as the pairing calculation to reduce the calculation load
  • a technique for speeding up the process has been proposed.
  • pairing curves primary pairing curves with prime orders of 160 bits or more.
  • An efficient elliptic curve is used. The present inventors have so far applied for the calculation in the extension field, the calculation of the elliptic curve cryptography, and the pairing calculation from the mathematical structure of the foundation. Both of these improve the efficiency of pairing ciphers with prime orders.
  • Non-Patent Document 1 a method using a pairing curve having a composite order of more than 2000 bits with an embedding degree of rational point group of 1 and a new application has also been proposed (for example, Non-Patent Document 1). reference.).
  • the conventional techniques for improving the efficiency of pairing ciphers with prime orders are not immediately applicable to the pairing with large composite orders targeted by the present invention.
  • the pairing curve of the composite order is placed in a special situation such that the embedding degree is 1, and therefore, it has become necessary to propose a new high-speed method considering this.
  • the reason why the embedding order is 1 is that the embedding order is 1 that is most suitable for balancing the strength and efficiency for ensuring the necessary and sufficient encryption strength of the pairing cipher.
  • the embedding order is increased, the encryption strength is too high, and the efficiency in realizing it is deteriorated.
  • Non-Patent Document 2 and Patent Document 1 are known as rational point compression methods.
  • Patent Document 1 discloses a method of compressing the two rational points on the finite field F q and the extension field F q k by ellipse addition and restoring the original rational point by projection at the reception destination.
  • the additive group E (F p ) has an embedding degree of 1,
  • the CPU of the electronic computer is An input means for inputting a rational point P ′ and storing it in the storage means;
  • the CPU of the electronic computer is caused to function as a rational point subgroup specifying means, and the rational point P ′ is read from the storage means, and by the self-homogeneous map ⁇ , Identify the subgroups G 1 and G 2 that are sets of the rational points P and Q that satisfy
  • the composite order r satisfies r
  • the composite order r satisfies r
  • the composite order r satisfies r
  • the additive group E (F p ) has an embedding degree of 1, An input step of causing the CPU of the electronic computer to function as an input means, inputting a rational point P ′ and storing it in the storage means, The CPU of the electronic computer is caused to function as a rational point subgroup specifying means, and the rational point P ′ is read from the storage means, and by the self-homogeneous map ⁇ , Identify the subgroups G 1 and G 2
  • the composite order r satisfies r
  • the second calculation step calculates the rational point P and the rational point Q, respectively.
  • the composite order r satisfies r
  • the composite order r satisfies r
  • the composite order r satisfies r
  • the composite order r satisfies r
  • the composite order r satisfies r
  • the present invention when transmitting information on rational points P and Q, information on rational points R obtained by performing elliptic addition of rational points P and rational points Q is transmitted, and information on rational points R is decomposed at the receiving destination. Then, the information on the rational points P and Q is restored, and the information amount of the rational points to be transmitted / received can be compressed in half.
  • the calculation required for this decomposition and restoration is approximately one scalar multiplication per rational point pair. As a result, it is possible to improve efficiency when transmitting / receiving rational point information via a network such as the Internet.
  • FIG. 1 is a schematic diagram of an information compression apparatus according to an embodiment of the present invention. It is the block diagram which illustrated the whole structure of the information compression apparatus on the client apparatus concerning embodiment of this invention. It is the block diagram which illustrated the whole structure of the information compression device on the authentication server concerning embodiment of this invention. It is the figure which illustrated the functional structure of the rational point subgroup specific
  • a pairing curve to which the results of the present invention can be applied must satisfy the following conditions.
  • E / F p : y 2 x 3 + ax + b, a ⁇ F p b ⁇ F p
  • E (F p): additive group of rational points of the elliptic curve defined on a finite field F p of characteristic p forms, r: E (F p) of order #E (F p) composite number that divides the, E [r]: set of rational points whose order is the composite number r, ⁇ : self-homogeneous mapping for rational points, t: Trace of Frobenius map, [j]: Map that multiplies rational points by j, G: G E [r] ⁇ Ker ( ⁇ ), defined as a set of rational points satisfying ( ⁇ is an integer).
  • y represents that x is divisible by y.
  • CM Complex Multiplication
  • O indicates a point at infinity.
  • G 1 be a rational point subgroup generated by such P.
  • Equation (16) for the 4th order is the same as that for the 3rd order and will not be described.
  • Equation (22) for the 6th order is the same as that for the 3rd order and will not be described.
  • the rational point information compression apparatus, compression method, and compression program of the present invention when the embedding degree of the rational point group is 1, the rational point subgroups G 1 and G 2 are specified, and the two rational points P ⁇ G 1 , G ⁇ G 2 is transmitted, and rational points R, which are compressed by elliptically adding rational points P and Q, are transmitted.
  • Decomposition / restoration into original rational point information P and Q at the reception destination is performed using the above-described characteristics of G 1 and G 2 .
  • the fourth, third, and sixth orders will be described. In both cases, rational point information can be decomposed and restored with a single scalar multiplication.
  • ⁇ 6 -1 is a condition that is a multiple of 3. That is, 3 -1 multiplication for the rational point T is as follows.
  • FIG. 1 is a schematic diagram of a rational point information compression apparatus according to an embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating the overall configuration of the rational point information compression device 100 on the client device according to the embodiment of the present invention.
  • FIG. 3 is a block diagram illustrating the overall configuration of the rational point information compression apparatus 200 on the authentication server according to the embodiment of the present invention.
  • a program for identifying the above-described rational point subgroup from a given pairing curve when performing authentication processing of a digital group signature by an authentication server and a client device configured with a required electronic computer Only the program portion for restoring rational point information will be described.
  • the calculation of the rational point subgroup and the calculation of rational point information restoration are not limited to the case where the calculation is performed by the authentication server or the client device, but at least a device including a calculation unit such as a CPU and a storage unit. Any device can be used.
  • an electronic computer 10 constituting an authentication server or client device includes a CPU 11 that executes arithmetic processing, various programs such as a rational point subgroup specifying program, a rational point information restoring program, a pairing arithmetic program, and the like.
  • a storage device 12 such as a hard disk that stores data used in these programs, and a RAM that allows these programs to be expanded and executed, and temporarily stores data generated as a result of the execution of these programs
  • a memory device 13 composed of the above.
  • 14 is a bus.
  • the electronic computer 10 constituting the authentication server is connected to a telecommunication line 20 such as the Internet, and can receive the signature data of the digital group signature transmitted from the client device 30 connected to the telecommunication line 20.
  • a telecommunication line 20 such as the Internet
  • 15 is an input / output unit of the electronic computer 10.
  • FIG. 2 shows the rational point information compression apparatus 100 on the client apparatus.
  • the rational point information compression apparatus 100 includes a rational point subgroup specifying unit 110, an authentication data generation unit 120, a rational point information compression unit 130, and an input / output unit 140.
  • a client device that generates digital group signature data specifies rational point subgroups G 1 and G 2 from a given pairing curve (rational point subgroup specifying unit 110).
  • signature data is generated (authentication data generation unit 120), and a pair of rational points P ⁇ G 1 and Q ⁇ G 2 constituting the signature data is elliptically added to compress to rational point R (rational point information compression) Part 130).
  • the signature data is transmitted from the input / output unit 140 to the authentication server.
  • FIG. 3 shows a rational point information compression apparatus 200 on the authentication server.
  • the rational point information compression apparatus 200 includes an input / output unit 210, a rational point information restoration unit 220, an authentication processing unit 230, an authentication result data generation unit 240, a rational point information compression unit 250, And an input / output unit 260.
  • the electronic computer 10 constituting the authentication server when the signature data of the digital group signature is transmitted from the client device 30, the signature data is received via the input / output unit 210, and the received signature data is temporarily stored in the memory device 13.
  • the pairing computation program is launched to execute the pairing computation (Authentication processing unit 230).
  • authentication result data is generated (authentication result data generation unit 240), rational point pair information is compressed (rational point information compression unit 250), and transmitted to the client device via the input / output unit 260. ing.
  • FIG. 4 is a diagram exemplifying a functional configuration of the rational point subgroup specifying unit 110 realized by executing a predetermined program by the apparatus shown in FIG.
  • FIG. 7 is a flowchart of a rational point subgroup specifying program that performs processing of the rational point subgroup specifying unit.
  • the electronic computer 10 a rational point subgroup that enables efficient self-homogeneous mapping is specified based on the flowchart shown in FIG. That is, the input rational point group is converted into a rational point in a specific rational point subgroup.
  • the electronic computer 10 functions as a rational point subgroup specifying means.
  • the third case will be described.
  • step T1 a general rational point P ′ given from the outside and stored in the storage means by the input means is read.
  • step T2 constant operation unit 112
  • ⁇ 2 + ⁇ + 1 ⁇ 0 (mod r) shown in Expression (3) is obtained by using the characteristic p and finite number r of the finite field stored in the register 119 in advance.
  • ⁇ ( ⁇ 1) that satisfies ⁇ 3 ⁇ 1 (mod p) shown in Expression (4b) are set.
  • step T3 self-homogeneous mapping operation unit 113
  • step T4 rational point calculation unit 114
  • P ⁇ (P ′) + ( ⁇ + 1) P ′ in equation (6) is calculated.
  • step T7 determination unit 115
  • Q O (point at infinity).
  • Q is the error return can not identify the two subgroups in the case of O (probability is about 1/2 2000.).
  • step T8 P and Q are stored in the storage means.
  • the set of P becomes the rational point subgroup G 1 and the set of Q becomes the rational point subgroup G 2 .
  • Equation (14) ⁇ 2 + 1 ⁇ 0 (mod r)
  • Formula (15b): ⁇ (P ′) :( x, y) ⁇ ( ⁇ x, ⁇ y), ( ⁇ 4 1, ⁇ , ⁇ 2 ( ⁇ 1) ⁇ F p )
  • Equation (17): P ⁇ (P ′) + ⁇ P ′
  • Expression (18): Q ⁇ (P ′) + ( ⁇ ⁇ ) P ′
  • Equation (20b): ⁇ (P ') :( x, y) ⁇ ( ⁇ x, -y), ( ⁇ 3 1, ⁇ ( ⁇ 1) ⁇ F p ),
  • Formula (23): P ⁇ (P ′) + ( ⁇
  • FIG. 5 is a diagram exemplifying a functional configuration of the rational point information restoration unit 220 that is realized by executing a predetermined program by the apparatus shown in FIG.
  • FIG. 6 is a flowchart of a rational point restoration program that performs the processing of the rational point information restoration unit (fourth case).
  • the rational points P and Q are obtained from the rational point R based on the flowchart shown in FIG.
  • the electronic computer 10 functions as a second calculation means.
  • the fourth-order case will be described.
  • the 2 -1 multiplication performs the following algorithm.
  • step 1 perform the [ ⁇ 4/2] multiplication of rational points T 1, is substituted into T.
  • step 2 the self-homogeneous mapping ⁇ 4 of T obtained in step 1 is executed, and a rational point T 1 is added and substituted into T.
  • the return value is T and the process returns.
  • the 3 -1 multiplication in the third case executes the following algorithm.
  • [2 ( ⁇ 3 +1) / 3] multiplication of the rational point T 1 is executed and substituted for T.
  • step 2 the T automorphism map ⁇ 3 obtained in step 1 is executed, and a rational point T 1 is added and substituted into T.
  • the return value is T and the process returns.
  • step 3 the rational point T 2 is multiplied by [ ⁇ 3 ] and assigned to T 2 .
  • T 2 , T 1 , -R are elliptically added and substituted for T 1 .
  • step 5 the algorithm shown in [Table 3] is executed to obtain P with a minus sign.
  • step 6 R and -P are elliptically added to obtain Q.
  • step 7 P and Q are returned as return values.
  • step 1 [2 ( ⁇ 6 ⁇ 1) / 3] multiplication of the rational point T 1 is executed and substituted for T.
  • step 2 the self-homogeneous map ⁇ 6 of T obtained in step 1 is executed, and a rational point T 1 is added and substituted into T.
  • step 3 the return value is T and the process returns.
  • step 2 the rational point T 1 is doubled, and then -R is elliptically added and substituted for T 2 .
  • step 3 the rational point T 2 is multiplied by [ ⁇ 6 ] and substituted into T 2 .
  • step 4 T 2 , -T 1 , -R are elliptically added and substituted for T 1 .
  • step 5 the algorithm of [Table 5] is executed to obtain P with a minus sign.
  • step 6 R and -P are elliptically added to obtain Q.
  • step 7 P and Q are returned as return values.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Computational Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Algebra (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Compression, Expansion, Code Conversion, And Decoders (AREA)

Abstract

La présente invention concerne un dispositif de compression d'informations de point rationnel, un procédé de compression d'informations de point rationnel et un programme de compression d'informations de point rationnel qui compriment et restaurent des informations de point rationnel pour un groupe de points rationnels avec un degré intégré de 1. Avec un groupe additif formé de points rationnels sur une courbe elliptique définie dans un champ fini Fp d'une caractéristique P et appelée E(Fp), et avec des ensembles de points rationnels ayant un ordre numérique composite r, c'est-à-dire, des sous-groupes du groupe additif, appelés G1 = E(Fp)[r] et G2 = E(Fp)[r], des points rationnels P ∈ G1 et Q ∈ G2 sont comprimés dans le point rationnel R par la formule R = P + Q lorsqu'ils sont transmis, et le point rationnel R est factorisé et restauré dans les points rationnels P et Q dans l'extrémité de réception, raccourcissant de cette façon la longueur des données impliquées dans l'émission et la réception.
PCT/JP2011/073098 2010-10-08 2011-10-06 Dispositif de compression d'informations de point rationnel, procédé de compression d'informations de point rationnel et programme de compression d'informations de point rationnel WO2012046805A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2012537756A JP5769263B2 (ja) 2010-10-08 2011-10-06 有理点情報圧縮装置、有理点情報圧縮方法及び有理点情報圧縮プログラム

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2010228250 2010-10-08
JP2010-228250 2010-10-08

Publications (1)

Publication Number Publication Date
WO2012046805A1 true WO2012046805A1 (fr) 2012-04-12

Family

ID=45927799

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2011/073098 WO2012046805A1 (fr) 2010-10-08 2011-10-06 Dispositif de compression d'informations de point rationnel, procédé de compression d'informations de point rationnel et programme de compression d'informations de point rationnel

Country Status (2)

Country Link
JP (1) JP5769263B2 (fr)
WO (1) WO2012046805A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008178035A (ja) * 2007-01-22 2008-07-31 Toshiba Corp 電子署名システム、装置及びプログラム
JP2009109772A (ja) * 2007-10-30 2009-05-21 Okayama Univ ペアリング演算装置、ペアリング演算方法、及びペアリング演算プログラム
WO2010024401A1 (fr) * 2008-08-29 2010-03-04 国立大学法人岡山大学 Dispositif de calcul d’appariement, procédé de calcul d’appariement et programme de calcul d’appariement
WO2010061951A1 (fr) * 2008-11-28 2010-06-03 国立大学法人岡山大学 Multiplicateur scalaire et programme de multiplication scalaire

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008178035A (ja) * 2007-01-22 2008-07-31 Toshiba Corp 電子署名システム、装置及びプログラム
JP2009109772A (ja) * 2007-10-30 2009-05-21 Okayama Univ ペアリング演算装置、ペアリング演算方法、及びペアリング演算プログラム
WO2010024401A1 (fr) * 2008-08-29 2010-03-04 国立大学法人岡山大学 Dispositif de calcul d’appariement, procédé de calcul d’appariement et programme de calcul d’appariement
WO2010061951A1 (fr) * 2008-11-28 2010-06-03 国立大学法人岡山大学 Multiplicateur scalaire et programme de multiplication scalaire

Also Published As

Publication number Publication date
JPWO2012046805A1 (ja) 2014-02-24
JP5769263B2 (ja) 2015-08-26

Similar Documents

Publication Publication Date Title
Jao et al. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies
US8111826B2 (en) Apparatus for generating elliptic curve cryptographic parameter, apparatus for processing elliptic curve cryptograph, program for generating elliptic curve cryptographic parameter, and program for processing elliptic cyptograph
CN111162906B (zh) 一种基于茫然传输算法的协同秘密分享方法及装置、系统、介质
US7499544B2 (en) Use of isogenies for design of cryptosystems
Galbraith Elliptic curve Paillier schemes
US10673631B2 (en) Elliptic curve isogeny-based cryptographic scheme
US7961873B2 (en) Password protocols using XZ-elliptic curve cryptography
Paar et al. Introduction to public-key cryptography
Ti Fault attack on supersingular isogeny cryptosystems
Herranz Deterministic identity-based signatures for partial aggregation
US7961874B2 (en) XZ-elliptic curve cryptography with secret key embedding
US7853796B2 (en) Method, system and computer program for polynomial based hashing and message authentication coding with separate generation of spectrums
US9571274B2 (en) Key agreement protocol
EP1815636A1 (fr) Nouvelle fonction a sens unique avec trappe sur des courbes elliptiques, et leurs applications pour permettre le cryptage asymetrique avec des signatures plus courtes
Gu et al. New public key cryptosystems based on non‐Abelian factorization problems
Kaaniche et al. A novel zero-knowledge scheme for proof of data possession in cloud storage applications
Zhang et al. A general framework to design secure cloud storage protocol using homomorphic encryption scheme
Blocki et al. On the multi-user security of short schnorr signatures with preprocessing
CN112350827B (zh) 一种基于Koblitz曲线的加速标量乘计算的椭圆曲线加解密方法和系统
Shiraishi et al. A Server-Aided Computation Protocol Revisited for Confidentiality of Cloud Service.
Kiraz et al. An efficient ID-based message recoverable privacy-preserving auditing scheme
JP5769263B2 (ja) 有理点情報圧縮装置、有理点情報圧縮方法及び有理点情報圧縮プログラム
WO2012015047A1 (fr) Calcul d'appariement et multiplication scalaire d'intégration de degré 1 et point rationnel d'ordre composite sur une courbe elliptique
Mohapatra Signcryption schemes with forward secrecy based on elliptic curve cryptography
Heß et al. The magic of elliptic curves and public-key cryptography

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11830737

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2012537756

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11830737

Country of ref document: EP

Kind code of ref document: A1