WO2023228408A1 - Parameter generation system, parameter generation method, and parameter generation program - Google Patents

Parameter generation system, parameter generation method, and parameter generation program Download PDF

Info

Publication number
WO2023228408A1
WO2023228408A1 PCT/JP2022/021752 JP2022021752W WO2023228408A1 WO 2023228408 A1 WO2023228408 A1 WO 2023228408A1 JP 2022021752 W JP2022021752 W JP 2022021752W WO 2023228408 A1 WO2023228408 A1 WO 2023228408A1
Authority
WO
WIPO (PCT)
Prior art keywords
parameter generation
prime number
integer
parameter
prime
Prior art date
Application number
PCT/JP2022/021752
Other languages
French (fr)
Japanese (ja)
Inventor
勇輔 相川
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社 filed Critical 三菱電機株式会社
Priority to PCT/JP2022/021752 priority Critical patent/WO2023228408A1/en
Publication of WO2023228408A1 publication Critical patent/WO2023228408A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Definitions

  • the present disclosure relates to a parameter generation system, a parameter generation method, and a parameter generation program.
  • the realization of large-scale quantum computers will jeopardize the public key cryptosystems currently in use.
  • the public key cryptosystem include the RSA (registered trademark, Rivest-Shamir-Adleman) cryptosystem and the elliptic curve cryptosystem. Therefore, the challenge is to construct a public key cryptosystem that can withstand decoding by quantum computers.
  • a group of public key cryptosystems that are configured to withstand decoding by quantum computers are collectively called quantum-resistant cryptography.
  • Lattice cryptography, multivariable polynomial cryptography, code cryptography, etc. are known as candidates for quantum-resistant computer cryptography, and homogeneous mapping cryptography using elliptic curves and homogeneous mapping is also considered to be one of the leading candidates. .
  • Non-Patent Document 1 describes a homogeneous map that uses a prime number p having a special form and a hypersingular elliptic curve defined on a finite field whose characteristic is the prime number p.
  • the essential idea of Non-Patent Document 1 is to efficiently calculate a homogeneous mapping whose domain is a given hypersingular elliptic curve and a hypersingular elliptic curve in the range of the homogeneous mapping using the particularity of the prime number p.
  • this method uses data of this homogeneous mapping as a private key and uses an elliptic curve indicating the range of the homogeneous mapping as a public key.
  • the key sharing method configured in this manner is called the SIDH (Supersingular Isogeny Diffie-Hellman) method.
  • Non-Patent Document 2 If the shape of the prime number p is extremely special and the structure of the autohomomorphic ring of the supersingular elliptic curve that is the domain is known, then the secret key generated by using the supersingular elliptic curve as the domain is It is pointed out in Non-Patent Document 2 that calculation can be performed efficiently. However, since the shape of the prime number p pointed out in Non-Patent Document 2 is special, it is currently not considered that the prime number p will be used for applications.
  • the l-supersingular homogeneous map graph is an (l+1)-regular undirected graph defined by making the vertices an isomorphism of supersingular elliptic curves and the edges being l-order homogeneous mappings.
  • l is a relatively small prime number such as 2 or 3.
  • the key generation method in the SIDH method is a random walk that moves with probability 1/(l+1) on an (l+1)-homogeneous mapping graph, and is formulated as a random walk with a fixed number of steps.
  • the format of the prime number p is unique to the SIDH system, and the remainder when the prime number p is divided by 4 is 1.
  • the private key corresponds to the path of the random walk
  • the public key corresponds to the end point of the random walk. From a cryptographic point of view, it is desirable that there is a one-to-one correspondence between the route and the end point.
  • the present disclosure aims to generate a key in which there are no multiple paths to the end point of a random walk with a fixed number of steps in key generation in the SIDH system.
  • the parameter generation system includes: A parameter generation system that generates parameters for generating keys using the Supersingular Isogeny Diffie-Hellman method,
  • the prime number l A and the prime number l B are two different prime numbers, the integer e A and the integer e B are two integers that satisfy [Equation 1], and the value p is generated by performing the operation shown in [Equation 2].
  • a calculation number generation unit calculates the largest integer f A among the integers f A that satisfy [Equation 3] as a parameter indicating the number of calculations of the homogeneous mapping in the method.
  • a key parameter generation device is provided.
  • FIG. 1 is a diagram showing an example of a system configuration of a parameter generation system 100 according to Embodiment 1.
  • FIG. 1 is a diagram showing an example of a hardware configuration of a prime parameter generation device 200 according to Embodiment 1.
  • FIG. 1 is a flowchart showing the operation of the parameter generation system 100 according to the first embodiment.
  • FIG. 3 is a diagram showing an example of the hardware configuration of a prime parameter generation device 200 according to a modification of the first embodiment.
  • FIG. 1 shows an example of a system configuration of a parameter generation system 100 according to this embodiment.
  • the parameter generation system 100 generates parameters for generating keys using the SIDH (Supersingular Isogeny Diffie-Hellman) encryption method.
  • the parameter generation system 100 includes a prime parameter generation device 200 and a key parameter generation device 300, as shown in FIG.
  • the key parameter generation device 300 is also called a public key calculation parameter generation device.
  • the prime parameter generation device 200 and the key parameter generation device 300 may be integrally configured as appropriate.
  • the key parameter generation device 300 executes processing based on the value generated by the prime number parameter generation device 200, and outputs the value of the number of homogeneous mapping calculations, which is a parameter when calculating a public key, as a result of the processing.
  • the prime parameter generation device 200 is a device that generates data and executes an algorithm to process the generated data.
  • the prime number parameter generation device 200 includes a small prime number generation section 201, a parameter information generation section 202, a calculation section 203, and a primality determination section 204.
  • the small prime number generation unit 201 generates two different prime numbers.
  • the value of the prime number generated by the small prime number generation unit 201 is relatively small, such as 2 or 3.
  • the parameter information generation unit 202 generates a set of two integers according to the two prime numbers generated by the small prime number generation unit 201 and the security parameter.
  • the parameter information generation section 202 is also called a prime parameter information generation section.
  • the primality determination unit 204 performs primality determination on the value obtained by the calculation unit 203.
  • the key parameter generation device 300 is a device that receives the value generated by the prime parameter generation device 200 as input, generates data based on the input, and executes an algorithm to process the generated data.
  • the key parameter generation device 300 includes a calculation count generation section 301.
  • the calculation number generation unit 301 is also called a homogeneous mapping calculation number generation unit.
  • the calculation number generation unit 301 calculates an integer according to a conditional expression using the value obtained by the prime number parameter generation device 200, and outputs the calculated integer.
  • FIG. 2 shows an example of the hardware configuration of the prime parameter generation device 200 according to the present embodiment.
  • the prime parameter generation device 200 consists of a computer.
  • the prime parameter generation device 200 may consist of multiple computers.
  • the prime parameter generation device 200 is a computer that includes hardware such as a processor 11, a memory 12, an auxiliary storage device 13, an input/output IF (Interface) 14, and a communication device 15. These pieces of hardware are appropriately connected via signal lines 19.
  • the processor 11 is an IC (Integrated Circuit) that performs arithmetic processing, and controls hardware included in the computer.
  • the processor 11 is, for example, a CPU (Central Processing Unit), a DSP (Digital Signal Processor), or a GPU (Graphics Processing Unit).
  • the prime parameter generation device 200 may include a plurality of processors in place of the processor 11. A plurality of processors share the role of the processor 11.
  • the memory 12 is typically a volatile storage device, and a specific example is a RAM (Random Access Memory). Memory 12 is also called main storage or main memory. The data stored in the memory 12 is stored in the auxiliary storage device 13 as necessary.
  • RAM Random Access Memory
  • the auxiliary storage device 13 is typically a nonvolatile storage device, and specific examples include a ROM (Read Only Memory), an HDD (Hard Disk Drive), or a flash memory. Data stored in the auxiliary storage device 13 is loaded into the memory 12 as needed.
  • the memory 12 and the auxiliary storage device 13 may be configured integrally.
  • the input/output IF 14 is a port to which an input device and an output device are connected.
  • the input/output IF 14 is, for example, a USB (Universal Serial Bus) terminal.
  • Specific examples of the input device include a keyboard and a mouse.
  • a specific example of the output device is a display.
  • the communication device 15 is a receiver and a transmitter.
  • the communication device 15 is, for example, a communication chip or a NIC (Network Interface Card).
  • Each part of the prime parameter generation device 200 may use the input/output IF 14 and the communication device 15 as appropriate when communicating with other devices.
  • the auxiliary storage device 13 stores a parameter generation program.
  • the parameter generation program is a program that causes a computer to realize the functions of each part of the parameter generation system 100.
  • the parameter generation program is loaded into memory 12 and executed by processor 11.
  • the functions of each part included in the prime number parameter generation device 200 are realized by software.
  • the storage device includes, as a specific example, at least one of the memory 12, the auxiliary storage device 13, a register within the processor 11, and a cache memory within the processor 11. Note that data and information may have the same meaning.
  • the storage device may be independent of the computer.
  • the functions of the memory 12 and the auxiliary storage device 13 may be realized by other storage devices.
  • the parameter generation program may be recorded on a computer-readable nonvolatile recording medium.
  • Specific examples of the nonvolatile recording medium include an optical disk or a flash memory.
  • the parameter generation program may be provided as a program product.
  • the hardware configuration of the key parameter generation device 300 may be similar to the hardware configuration of the prime parameter generation device 200.
  • the operating procedure of the parameter generation system 100 corresponds to a parameter generation method.
  • the parameter generation method is a general term for methods corresponding to the operation procedures of each device constituting the parameter generation system 100.
  • a program that realizes the operation of the parameter generation system 100 corresponds to a parameter generation program.
  • the parameter generation program is a general term for programs that realize the operations of each device constituting the parameter generation system 100.
  • FIG. 3 is a flowchart illustrating an example of parameter generation processing by the parameter generation system 100. The parameter generation process will be explained using FIG. 3.
  • the small prime number generation unit 201 generates a prime number lA and a prime number lB , which are two different prime numbers.
  • the values of the prime number l A and the prime number l B are relatively small, such as 2 or 3.
  • Step S402 The parameter information generating unit 202 generates an integer e A and an integer e B , which are two integers that satisfy [Equation 101], using a preset security parameter ⁇ .
  • Step S403 The arithmetic unit 203 uses (l A , l B ) generated by the small prime number generation unit 201 and (e A , e B ) generated by the parameter information generation unit 202, as shown in [Equation 102]. , the value p is generated by performing operations consisting of exponentiation, multiplication, and subtraction.
  • Step S404 The primality determination unit 204 determines whether the value p generated by the calculation unit 203 is a prime number. When the value p is a prime number, the small prime number generation unit 201 inputs the prime number lA to the key parameter generation device 300, and the primality determination unit 204 inputs the value p to the key parameter generation device 300. If the value p is not a prime number, the prime parameter generation device 200 returns to step S401 and repeats the same process.
  • Step S405 The calculation number generation unit 301 receives as input the value p and the prime l A generated by the prime parameter generation device 200, and based on the input, calculates the maximum integer f A among the integers f A that satisfy the inequality shown in [Equation 103]. Output.
  • the value p is a prime number. That is, when the generated value p is a prime number, the calculation number generation unit 301 uses the maximum integer f A among the integers f A satisfying [Equation 103] as a parameter indicating the number of calculations of the homogeneous mapping in the SIDH method . Calculate.
  • the f A calculations are formulated as a random walk starting from the supersingular elliptic curve E on the l A -homogeneous map graph, and the path of the formulated random walk corresponds to the secret key, and the path The hypersingular elliptic curve that is the end point of corresponds to the public key.
  • the key when there are multiple routes to reach this public key, as described in the problem of this application, the key can be restored more easily than when there is only one route to reach this public key.
  • the parameter of the number of homogeneous mapping calculations is set to e A times, so that the uniqueness of the route cannot be guaranteed.
  • the value f A obtained by this embodiment as the parameter for the number of homogeneous mapping calculations, the uniqueness of the route can be guaranteed. Therefore, according to the present embodiment, it is possible to generate parameters for performing key generation with relatively high security in the SIDH method.
  • the configuration of the prime number p which is the characteristic of the finite field used when constructing the SIDH instance, and the number of steps of the random walk should be appropriately adjusted. Collisions between multiple random walks can be prevented by adjusting the value to a value that is appropriate.
  • FIG. 4 shows an example of the hardware configuration of the prime parameter generation device 200 according to this modification.
  • the prime parameter generation device 200 includes a processing circuit 18 in place of the processor 11, the processor 11 and the memory 12, the processor 11 and the auxiliary storage device 13, or the processor 11, the memory 12, and the auxiliary storage device 13.
  • the processing circuit 18 is hardware that implements at least a portion of each unit included in the prime number parameter generation device 200.
  • Processing circuit 18 may be dedicated hardware or may be a processor that executes a program stored in memory 12.
  • the processing circuit 18 may be, for example, a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, an ASIC (Application Specific Integrated Circuit), or an FPGA (Field Programmable Gate Array) or a combination thereof.
  • the prime parameter generation device 200 may include a plurality of processing circuits that replace the processing circuit 18. The plurality of processing circuits share the role of the processing circuit 18.
  • prime parameter generation device 200 some functions may be realized by dedicated hardware, and the remaining functions may be realized by software or firmware.
  • the processing circuit 18 is implemented, for example, by hardware, software, firmware, or a combination thereof.
  • the processor 11, memory 12, auxiliary storage device 13, and processing circuit 18 are collectively referred to as a "processing circuitry.” That is, the functions of each functional component of the prime parameter generation device 200 are realized by processing circuitry.
  • the key parameter generation device 300 may also have the same configuration as this modification.
  • Embodiment 1 has been described, a plurality of parts of this embodiment may be implemented in combination. Alternatively, this embodiment may be partially implemented. In addition, this embodiment may be modified in various ways as necessary, and may be implemented as a whole or in part in any combination. Note that the embodiments described above are essentially preferable examples, and are not intended to limit the present disclosure, its applications, and the scope of use. The procedures described using flowcharts and the like may be changed as appropriate.

Abstract

A parameter generation system (100) comprising a key parameter generation device (300) provided with a calculation count generation unit (301), the parameter generation system (100) generating a parameter for generating a key through supersingular isogeny Diffie-Hellman (SIDH) protocol. The calculation count generation unit (301) calculates the highest integer fA from among integers fA that satisfy formula 3 as a parameter indicating the number of calculations performed for a homogeneous map in the SIDH protocol when a generated value p is a prime number, where a prime number lA and a prime number lB are two mutually different prime numbers, an integer eA and an integer eB are two integers that satisfy formula 1, and the value p is generated by performing the computations indicated in formula 2.

Description

パラメータ生成システム、パラメータ生成方法、及びパラメータ生成プログラムParameter generation system, parameter generation method, and parameter generation program
 本開示は、パラメータ生成システム、パラメータ生成方法、及びパラメータ生成プログラムに関する。 The present disclosure relates to a parameter generation system, a parameter generation method, and a parameter generation program.
 互いに同種である2つの楕円曲線が与えられたときに、与えられた2つの楕円曲線の間の同種写像を求める問題は同種写像問題と呼ばれ、同種写像問題を解くことは計算量的に困難と考えられている。しかしながら、楕円曲線が1つ与えられたときに、与えられた楕円曲線を定義域とする同種写像と、当該同種写像の値域における曲線とを計算することは効率的に可能である。 When two elliptic curves that are the same as each other are given, the problem of finding a homogeneous mapping between the two given elliptic curves is called a homogeneous mapping problem, and solving a homogeneous mapping problem is computationally difficult. It is believed that. However, when one elliptic curve is given, it is possible to efficiently calculate a homogeneous mapping whose domain is the given elliptic curve and a curve in the range of the homogeneous mapping.
 大規模な量子コンピュータの実現によって、現在主に利用されている公開鍵暗号方式は危殆化するという事実が分かっている。公開鍵暗号方式は、具体例としてRSA(登録商標、Rivest-Shamir-Adleman)暗号方式及び楕円曲線暗号方式である。そのため、量子コンピュータによる解読にも耐え得る公開鍵暗号方式の構成が課題となっている。
 量子コンピュータによる解読にも耐え得るよう構成された公開鍵暗号方式群は総称して耐量子計算機暗号と呼ばれる。耐量子計算機暗号の候補として、格子暗号、多変数多項式暗号、及び符号暗号等が知られており、楕円曲線と同種写像とを利用した同種写像暗号もその有力な候補の1つと考えられている。 It is known that the realization of large-scale quantum computers will jeopardize the public key cryptosystems currently in use. Specific examples of the public key cryptosystem include the RSA (registered trademark, Rivest-Shamir-Adleman) cryptosystem and the elliptic curve cryptosystem. Therefore, the challenge is to construct a public key cryptosystem that can withstand decoding by quantum computers.
A group of public key cryptosystems that are configured to withstand decoding by quantum computers are collectively called quantum-resistant cryptography. Lattice cryptography, multivariable polynomial cryptography, code cryptography, etc. are known as candidates for quantum-resistant computer cryptography, and homogeneous mapping cryptography using elliptic curves and homogeneous mapping is also considered to be one of the leading candidates. .
 同種写像問題を安全性の根拠とする形で構成される暗号方式群は総称して同種写像暗号と呼ばれる。同種写像暗号の具体的な構成として、非特許文献1では、特殊形をしている素数pと、素数pを標数とする有限体上で定義される超特異楕円曲線とを利用する同種写像問題をベースにした鍵共有プロトコルを提案している。非特許文献1の本質的なアイデアは、与えられた超特異楕円曲線を定義域とする同種写像と、当該同種写像の値域における超特異楕円曲線とを素数pの特殊性によって効率的に計算することができるために、この同種写像のデータを秘密鍵として用い、同種写像の値域を示す楕円曲線を公開鍵とする方法である。このようにして構成された鍵共有方式はSIDH(Supersingular Isogeny Diffie-Hellman)方式と呼ばれる。 A group of cryptographic schemes that are constructed based on the homogeneous mapping problem as the basis for security are collectively called homogeneous mapping ciphers. As a specific configuration of the homogeneous map encryption, Non-Patent Document 1 describes a homogeneous map that uses a prime number p having a special form and a hypersingular elliptic curve defined on a finite field whose characteristic is the prime number p. We propose a problem-based key agreement protocol. The essential idea of Non-Patent Document 1 is to efficiently calculate a homogeneous mapping whose domain is a given hypersingular elliptic curve and a hypersingular elliptic curve in the range of the homogeneous mapping using the particularity of the prime number p. Therefore, this method uses data of this homogeneous mapping as a private key and uses an elliptic curve indicating the range of the homogeneous mapping as a public key. The key sharing method configured in this manner is called the SIDH (Supersingular Isogeny Diffie-Hellman) method.
 素数pの形が極めて特殊であり、定義域となる超特異楕円曲線の自己準同型環の構造が判明している場合、その超特異楕円曲線を定義域とすることにより生成された秘密鍵を効率的に計算することができるということが非特許文献2で指摘されている。しかしながら、非特許文献2の指摘にある素数pの形は特殊なものであるため、当該素数pが応用上使用されることは現状考えられていない。 If the shape of the prime number p is extremely special and the structure of the autohomomorphic ring of the supersingular elliptic curve that is the domain is known, then the secret key generated by using the supersingular elliptic curve as the domain is It is pointed out in Non-Patent Document 2 that calculation can be performed efficiently. However, since the shape of the prime number p pointed out in Non-Patent Document 2 is special, it is currently not considered that the prime number p will be used for applications.
 l-超特異同種写像グラフとは、頂点を超特異楕円曲線の同型類とし、辺をl次の同種写像とすることにより定義される(l+1)-正則無向グラフである。ここで、lは2又は3等の比較的小さな素数である。SIDH方式における鍵の生成方法は(l+1)-同種写像グラフ上において確率1/(l+1)で推移するランダムウォークであって、ステップ数が固定されたランダムウォークにより定式化される。SIDH方式において、素数pの形式はSIDH方式に固有であり、素数pを4で割ったときの余りは1である。また、SIDH方式においてy^2=x^3+xで定義される超特異楕円曲線が始点として用いられる。グラフ的な観点から見れば、秘密鍵はランダムウォークの経路に当たり、公開鍵はランダムウォークの終点に当たる。暗号学的な観点から、当該経路と当該終点とは1対1で対応していることが望ましい。 The l-supersingular homogeneous map graph is an (l+1)-regular undirected graph defined by making the vertices an isomorphism of supersingular elliptic curves and the edges being l-order homogeneous mappings. Here, l is a relatively small prime number such as 2 or 3. The key generation method in the SIDH method is a random walk that moves with probability 1/(l+1) on an (l+1)-homogeneous mapping graph, and is formulated as a random walk with a fixed number of steps. In the SIDH system, the format of the prime number p is unique to the SIDH system, and the remainder when the prime number p is divided by 4 is 1. Furthermore, in the SIDH method, a super-singular elliptic curve defined by y^2=x^3+x is used as a starting point. From a graphical perspective, the private key corresponds to the path of the random walk, and the public key corresponds to the end point of the random walk. From a cryptographic point of view, it is desirable that there is a one-to-one correspondence between the route and the end point.
 ここで、ある公開鍵を終点とする経路が複数存在する場合において当該ある公開鍵を暗号システムにおいて利用したとき、全数探索又は中間一致攻撃等により2つの超特異楕円曲線間の経路が比較的高い確率で求まるという事実がある。また、この事実と、SIDH方式において利用している始点の曲線の自己準同型環が既知のものであるという事実とから、公開鍵である超特異楕円曲線の自己準同型環も効率的に計算することができる。従って、この2つの超特異楕円曲線間の全ての経路を計算することができる。そして、計算した経路の中に秘密鍵が存在する。
 従って、SIDH方式において、1つの公開鍵に対応する秘密鍵が複数ある場合に暗号システムの安全性が低下するという課題がある。 Here, when there are multiple paths ending with a certain public key, when that certain public key is used in a cryptographic system, the path between two supersingular elliptic curves is relatively high due to exhaustive search or match-in-the-middle attack, etc. There is a fact that it is determined by probability. In addition, based on this fact and the fact that the autohomomorphic ring of the starting point curve used in the SIDH method is already known, it is possible to efficiently calculate the autohomomorphic ring of the supersingular elliptic curve that is the public key. can do. Therefore, all paths between these two hypersingular elliptic curves can be calculated. Then, the secret key exists in the calculated route.
Therefore, in the SIDH method, there is a problem that the security of the cryptographic system deteriorates when there are a plurality of private keys corresponding to one public key.
 本開示は、SIDH方式における鍵の生成において、ステップ数が固定されたランダムウォークの終点に帰着する経路が複数存在しないような鍵を生成することを目的する。 The present disclosure aims to generate a key in which there are no multiple paths to the end point of a random walk with a fixed number of steps in key generation in the SIDH system.
 本開示に係るパラメータ生成システムは、
 Supersingular Isogeny Diffie-Hellman方式により鍵を生成するためのパラメータを生成するパラメータ生成システムであって、
 素数l及び素数lを互いに異なる2つの素数とし、整数e及び整数eを[数1]を満たす2つの整数とし、値pを[数2]に示す演算を行うことにより生成された値としたとき、
Figure JPOXMLDOC01-appb-M000010
Figure JPOXMLDOC01-appb-M000011
  生成された値pが素数である場合に、前記方式における同種写像の計算回数を示すパラメータとして、[数3]を満たす整数fのうち最大の整数fを算出する計算回数生成部
Figure JPOXMLDOC01-appb-M000012
 を備える鍵パラメータ生成装置
を備える。 The parameter generation system according to the present disclosure includes:
A parameter generation system that generates parameters for generating keys using the Supersingular Isogeny Diffie-Hellman method,
The prime number l A and the prime number l B are two different prime numbers, the integer e A and the integer e B are two integers that satisfy [Equation 1], and the value p is generated by performing the operation shown in [Equation 2]. When the value is
Figure JPOXMLDOC01-appb-M000010
Figure JPOXMLDOC01-appb-M000011
 When the generated value p is a prime number, a calculation number generation unit calculates the largest integer f A among the integers f A that satisfy [Equation 3] as a parameter indicating the number of calculations of the homogeneous mapping in the method.
Figure JPOXMLDOC01-appb-M000012
 A key parameter generation device is provided.
 本開示に係る整数fに関して、SIDH方式の公開鍵を求める際に、超特異楕円曲線Eを始点としてl次の同種写像をf回繰り返し計算することにより、経路の唯一性が保証される。従って、本開示によれば、SIDH方式における鍵の生成において、ステップ数が固定されたランダムウォークの終点に帰着する経路が複数存在しないような鍵を生成することができる。 Regarding the integer fA according to the present disclosure, when calculating the public key of the SIDH method, the uniqueness of the path is guaranteed by repeatedly calculating the homogeneous mapping of degree lA with the hypersingular elliptic curve E as the starting point fA times. Ru. Therefore, according to the present disclosure, in generating a key in the SIDH method, it is possible to generate a key that does not have multiple paths leading to the end point of a random walk with a fixed number of steps.
実施の形態1に係るパラメータ生成システム100のシステム構成例を示す図。1 is a diagram showing an example of a system configuration of a parameter generation system 100 according to Embodiment 1. FIG. 実施の形態1に係る素数パラメータ生成装置200のハードウェア構成例を示す図。1 is a diagram showing an example of a hardware configuration of a prime parameter generation device 200 according to Embodiment 1. FIG. 実施の形態1に係るパラメータ生成システム100の動作を示すフローチャート。1 is a flowchart showing the operation of the parameter generation system 100 according to the first embodiment. 実施の形態1の変形例に係る素数パラメータ生成装置200のハードウェア構成例を示す図。FIG. 3 is a diagram showing an example of the hardware configuration of a prime parameter generation device 200 according to a modification of the first embodiment.
 実施の形態の説明及び図面において、同じ要素及び対応する要素には同じ符号を付している。同じ符号が付された要素の説明は、適宜に省略又は簡略化する。図中の矢印はデータの流れ又は処理の流れを主に示している。また、「部」を、「回路」、「工程」、「手順」、「処理」又は「サーキットリー」に適宜読み替えてもよい。 In the description of the embodiments and the drawings, the same elements and corresponding elements are denoted by the same reference numerals. Descriptions of elements labeled with the same reference numerals will be omitted or simplified as appropriate. Arrows in the figure mainly indicate the flow of data or processing. Furthermore, "unit" may be read as "circuit," "process," "procedure," "process," or "circuitry" as appropriate.
 実施の形態1.
 以下、本実施の形態について、図面を参照しながら詳細に説明する。 Embodiment 1.
Hereinafter, this embodiment will be described in detail with reference to the drawings.
***構成の説明***
 図1は、本実施の形態に係るパラメータ生成システム100のシステム構成例を示している。パラメータ生成システム100は、暗号方式であるSIDH(Supersingular Isogeny Diffie-Hellman)方式により鍵を生成するためのパラメータを生成する。
 パラメータ生成システム100は、図1に示すように、素数パラメータ生成装置200と、鍵パラメータ生成装置300とを備える。鍵パラメータ生成装置300は、公開鍵計算パラメータ生成装置とも呼ばれる。素数パラメータ生成装置200及び鍵パラメータ生成装置300は、適宜一体的に構成されていてもよい。
 鍵パラメータ生成装置300は、素数パラメータ生成装置200によって生成された値に基づいて処理を実行し、処理の実行結果として公開鍵を計算する際のパラメータである同種写像計算回数の値を出力する。 ***Explanation of configuration***
FIG. 1 shows an example of a system configuration of a parameter generation system 100 according to this embodiment. The parameter generation system 100 generates parameters for generating keys using the SIDH (Supersingular Isogeny Diffie-Hellman) encryption method.
The parameter generation system 100 includes a prime parameter generation device 200 and a key parameter generation device 300, as shown in FIG. The key parameter generation device 300 is also called a public key calculation parameter generation device. The prime parameter generation device 200 and the key parameter generation device 300 may be integrally configured as appropriate.
The key parameter generation device 300 executes processing based on the value generated by the prime number parameter generation device 200, and outputs the value of the number of homogeneous mapping calculations, which is a parameter when calculating a public key, as a result of the processing.
 素数パラメータ生成装置200は、データを生成し、生成したデータに対する処理を行うアルゴリズムを実行する装置である。素数パラメータ生成装置200は、小素数生成部201と、パラメータ情報生成部202と、演算部203と、素数判定部204とを備える。 The prime parameter generation device 200 is a device that generates data and executes an algorithm to process the generated data. The prime number parameter generation device 200 includes a small prime number generation section 201, a parameter information generation section 202, a calculation section 203, and a primality determination section 204.
 小素数生成部201は、互いに異なる2つの素数を生成する。ここで、小素数生成部201が生成する素数の値は2又は3のように比較的小さい。 The small prime number generation unit 201 generates two different prime numbers. Here, the value of the prime number generated by the small prime number generation unit 201 is relatively small, such as 2 or 3.
 パラメータ情報生成部202は、小素数生成部201によって生成された2つの素数及びセキュリティパラメータに応じて2つの整数の組を生成する。パラメータ情報生成部202は、素数パラメータ情報生成部とも呼ばれる。 The parameter information generation unit 202 generates a set of two integers according to the two prime numbers generated by the small prime number generation unit 201 and the security parameter. The parameter information generation section 202 is also called a prime parameter information generation section.
 演算部203は、小素数生成部201及びパラメータ情報生成部202によって生成された値に対して決定的な演算を施す。 The calculation unit 203 performs a definitive calculation on the values generated by the small prime number generation unit 201 and the parameter information generation unit 202.
 素数判定部204は、演算部203によって得られた値に対して素数判定を行う。 The primality determination unit 204 performs primality determination on the value obtained by the calculation unit 203.
 鍵パラメータ生成装置300は、素数パラメータ生成装置200により生成された値を入力として受け付け、入力に基づいてデータを生成し、生成したデータに対する処理を行うアルゴリズムを実行する装置である。鍵パラメータ生成装置300は、計算回数生成部301を備える。計算回数生成部301は、同種写像計算回数生成部とも呼ばれる。 The key parameter generation device 300 is a device that receives the value generated by the prime parameter generation device 200 as input, generates data based on the input, and executes an algorithm to process the generated data. The key parameter generation device 300 includes a calculation count generation section 301. The calculation number generation unit 301 is also called a homogeneous mapping calculation number generation unit.
 計算回数生成部301は、素数パラメータ生成装置200によって得られた値を用いて条件式に従い整数を算出し、算出した整数を出力する。 The calculation number generation unit 301 calculates an integer according to a conditional expression using the value obtained by the prime number parameter generation device 200, and outputs the calculated integer.
 図2は、本実施の形態に係る素数パラメータ生成装置200のハードウェア構成例を示している。素数パラメータ生成装置200はコンピュータから成る。素数パラメータ生成装置200は複数のコンピュータから成ってもよい。 FIG. 2 shows an example of the hardware configuration of the prime parameter generation device 200 according to the present embodiment. The prime parameter generation device 200 consists of a computer. The prime parameter generation device 200 may consist of multiple computers.
 素数パラメータ生成装置200は、本図に示すように、プロセッサ11と、メモリ12と、補助記憶装置13と、入出力IF(Interface)14と、通信装置15等のハードウェアを備えるコンピュータである。これらのハードウェアは、信号線19を介して適宜接続されている。 As shown in this figure, the prime parameter generation device 200 is a computer that includes hardware such as a processor 11, a memory 12, an auxiliary storage device 13, an input/output IF (Interface) 14, and a communication device 15. These pieces of hardware are appropriately connected via signal lines 19.
 プロセッサ11は、演算処理を行うIC(Integrated Circuit)であり、かつ、コンピュータが備えるハードウェアを制御する。プロセッサ11は、具体例として、CPU(Central Processing Unit)、DSP(Digital Signal Processor)、又はGPU(Graphics Processing Unit)である。
 素数パラメータ生成装置200は、プロセッサ11を代替する複数のプロセッサを備えてもよい。複数のプロセッサはプロセッサ11の役割を分担する。 The processor 11 is an IC (Integrated Circuit) that performs arithmetic processing, and controls hardware included in the computer. The processor 11 is, for example, a CPU (Central Processing Unit), a DSP (Digital Signal Processor), or a GPU (Graphics Processing Unit).
The prime parameter generation device 200 may include a plurality of processors in place of the processor 11. A plurality of processors share the role of the processor 11.
 メモリ12は、典型的には揮発性の記憶装置であり、具体例としてRAM(Random Access Memory)である。メモリ12は、主記憶装置又はメインメモリとも呼ばれる。メモリ12に記憶されたデータは、必要に応じて補助記憶装置13に保存される。 The memory 12 is typically a volatile storage device, and a specific example is a RAM (Random Access Memory). Memory 12 is also called main storage or main memory. The data stored in the memory 12 is stored in the auxiliary storage device 13 as necessary.
 補助記憶装置13は、典型的には不揮発性の記憶装置であり、具体例として、ROM(Read Only Memory)、HDD(Hard Disk Drive)、又はフラッシュメモリである。補助記憶装置13に記憶されたデータは、必要に応じてメモリ12にロードされる。
 メモリ12及び補助記憶装置13は一体的に構成されていてもよい。 The auxiliary storage device 13 is typically a nonvolatile storage device, and specific examples include a ROM (Read Only Memory), an HDD (Hard Disk Drive), or a flash memory. Data stored in the auxiliary storage device 13 is loaded into the memory 12 as needed.
The memory 12 and the auxiliary storage device 13 may be configured integrally.
 入出力IF14は、入力装置及び出力装置が接続されるポートである。入出力IF14は、具体例として、USB(Universal Serial Bus)端子である。入力装置は、具体例として、キーボード及びマウスである。出力装置は、具体例として、ディスプレイである。 The input/output IF 14 is a port to which an input device and an output device are connected. The input/output IF 14 is, for example, a USB (Universal Serial Bus) terminal. Specific examples of the input device include a keyboard and a mouse. A specific example of the output device is a display.
 通信装置15は、レシーバ及びトランスミッタである。通信装置15は、具体例として、通信チップ又はNIC(Network Interface Card)である。 The communication device 15 is a receiver and a transmitter. The communication device 15 is, for example, a communication chip or a NIC (Network Interface Card).
 素数パラメータ生成装置200の各部は、他の装置等と通信する際に、入出力IF14及び通信装置15を適宜用いてもよい。 Each part of the prime parameter generation device 200 may use the input/output IF 14 and the communication device 15 as appropriate when communicating with other devices.
 補助記憶装置13はパラメータ生成プログラムを記憶している。パラメータ生成プログラムは、パラメータ生成システム100が備える各部の機能をコンピュータに実現させるプログラムである。パラメータ生成プログラムは、メモリ12にロードされて、プロセッサ11によって実行される。素数パラメータ生成装置200が備える各部の機能は、ソフトウェアにより実現される。 The auxiliary storage device 13 stores a parameter generation program. The parameter generation program is a program that causes a computer to realize the functions of each part of the parameter generation system 100. The parameter generation program is loaded into memory 12 and executed by processor 11. The functions of each part included in the prime number parameter generation device 200 are realized by software.
 パラメータ生成プログラムを実行する際に用いられるデータと、パラメータ生成プログラムを実行することによって得られるデータ等は、記憶装置に適宜記憶される。素数パラメータ生成装置200の各部は記憶装置を適宜利用する。記憶装置は、具体例として、メモリ12と、補助記憶装置13と、プロセッサ11内のレジスタと、プロセッサ11内のキャッシュメモリとの少なくとも1つから成る。なお、データと情報とは同等の意味を有することもある。記憶装置は、コンピュータと独立したものであってもよい。
 メモリ12及び補助記憶装置13の機能は、他の記憶装置によって実現されてもよい。 Data used when executing the parameter generation program, data obtained by executing the parameter generation program, etc. are appropriately stored in the storage device. Each part of the prime number parameter generation device 200 uses a storage device as appropriate. The storage device includes, as a specific example, at least one of the memory 12, the auxiliary storage device 13, a register within the processor 11, and a cache memory within the processor 11. Note that data and information may have the same meaning. The storage device may be independent of the computer.
The functions of the memory 12 and the auxiliary storage device 13 may be realized by other storage devices.
 パラメータ生成プログラムは、コンピュータが読み取り可能な不揮発性の記録媒体に記録されていてもよい。不揮発性の記録媒体は、具体例として、光ディスク又はフラッシュメモリである。パラメータ生成プログラムは、プログラムプロダクトとして提供されてもよい。
 鍵パラメータ生成装置300のハードウェア構成は、素数パラメータ生成装置200のハードウェア構成と同様であってもよい。 The parameter generation program may be recorded on a computer-readable nonvolatile recording medium. Specific examples of the nonvolatile recording medium include an optical disk or a flash memory. The parameter generation program may be provided as a program product.
The hardware configuration of the key parameter generation device 300 may be similar to the hardware configuration of the prime parameter generation device 200.
***動作の説明***
 パラメータ生成システム100の動作手順はパラメータ生成方法に相当する。パラメータ生成方法は、パラメータ生成システム100を構成する各装置における動作手順に対応する方法の総称である。また、パラメータ生成システム100の動作を実現するプログラムはパラメータ生成プログラムに相当する。パラメータ生成プログラムは、パラメータ生成システム100を構成する各装置の動作を実現するプログラムの総称である。 ***Operation explanation***
The operating procedure of the parameter generation system 100 corresponds to a parameter generation method. The parameter generation method is a general term for methods corresponding to the operation procedures of each device constituting the parameter generation system 100. Further, a program that realizes the operation of the parameter generation system 100 corresponds to a parameter generation program. The parameter generation program is a general term for programs that realize the operations of each device constituting the parameter generation system 100.
 図3は、パラメータ生成システム100によるパラメータ生成処理の一例を示すフローチャートである。図3を用いてパラメータ生成処理を説明する。 FIG. 3 is a flowchart illustrating an example of parameter generation processing by the parameter generation system 100. The parameter generation process will be explained using FIG. 3.
(ステップS401)
 小素数生成部201は、互いに異なる2つの素数である素数l及び素数lを生成する。ここで、素数l及び素数lの値は2又は3のように比較的小さい。 (Step S401)
The small prime number generation unit 201 generates a prime number lA and a prime number lB , which are two different prime numbers. Here, the values of the prime number l A and the prime number l B are relatively small, such as 2 or 3.
(ステップS402)
 パラメータ情報生成部202は、あらかじめ設定されているセキュリティパラメータλを用いて、[数101]を満たす2つの整数である整数e及び整数eを生成する。 (Step S402)
The parameter information generating unit 202 generates an integer e A and an integer e B , which are two integers that satisfy [Equation 101], using a preset security parameter λ.
Figure JPOXMLDOC01-appb-M000013
Figure JPOXMLDOC01-appb-M000013
(ステップS403)
 演算部203は、小素数生成部201によって生成された(l,l)と、パラメータ情報生成部202によって生成された(e,e)とを用いて、[数102]に示すように、べき乗算、乗算、及び減算から成る演算を行うことにより値pを生成する。 (Step S403)
The arithmetic unit 203 uses (l A , l B ) generated by the small prime number generation unit 201 and (e A , e B ) generated by the parameter information generation unit 202, as shown in [Equation 102]. , the value p is generated by performing operations consisting of exponentiation, multiplication, and subtraction.
Figure JPOXMLDOC01-appb-M000014
Figure JPOXMLDOC01-appb-M000014
(ステップS404)
 素数判定部204は、演算部203によって生成された値pが素数であるか否かを判定する。値pが素数である場合、小素数生成部201は素数lを鍵パラメータ生成装置300に入力し、素数判定部204は値pを鍵パラメータ生成装置300に入力する。値pが素数ではない場合、素数パラメータ生成装置200はステップS401に戻り同様の処理を繰り返す。 (Step S404)
The primality determination unit 204 determines whether the value p generated by the calculation unit 203 is a prime number. When the value p is a prime number, the small prime number generation unit 201 inputs the prime number lA to the key parameter generation device 300, and the primality determination unit 204 inputs the value p to the key parameter generation device 300. If the value p is not a prime number, the prime parameter generation device 200 returns to step S401 and repeats the same process.
(ステップS405)
 計算回数生成部301は、素数パラメータ生成装置200により生成された値p及び素数lを入力として受け取り、入力に基づいて[数103]に示す不等式を満たす整数fのうち最大の整数fを出力する。ここで、値pは素数である。即ち、計算回数生成部301は、生成された値pが素数である場合に、SIDH方式における同種写像の計算回数を示すパラメータとして、[数103]を満たす整数fのうち最大の整数fを算出する。 (Step S405)
The calculation number generation unit 301 receives as input the value p and the prime l A generated by the prime parameter generation device 200, and based on the input, calculates the maximum integer f A among the integers f A that satisfy the inequality shown in [Equation 103]. Output. Here, the value p is a prime number. That is, when the generated value p is a prime number, the calculation number generation unit 301 uses the maximum integer f A among the integers f A satisfying [Equation 103] as a parameter indicating the number of calculations of the homogeneous mapping in the SIDH method . Calculate.
Figure JPOXMLDOC01-appb-M000015
Figure JPOXMLDOC01-appb-M000015
***実施の形態1の効果の説明***
 本実施の形態によれば、標数がpである有限体において定義された超特異楕円曲線E:y^2=x^3+xを公開パラメータとして持つ暗号方式であるSIDH方式において鍵交換を行う際に、ユーザAは本実施の形態によって得られたパラメータfを用いて、超特異楕円曲線Eを始点として、l次の同種写像をf回繰り返し計算する。
 このとき、このf回の計算はl-同種写像グラフ上の超特異楕円曲線Eを始点とするランダムウォークとして定式化され、定式化されたランダムウォークの経路が秘密鍵に対応し、経路の終点である超特異楕円曲線が公開鍵に対応する。 ***Explanation of effects of Embodiment 1***
According to this embodiment, when performing key exchange in the SIDH method, which is a cryptographic method that has a supersingular elliptic curve E:y^2=x^3+x defined in a finite field with characteristic p as a public parameter, Then, using the parameter f A obtained according to the present embodiment, user A repeatedly calculates a homogeneous mapping of order l A times f A times using the supersingular elliptic curve E as a starting point.
At this time, the f A calculations are formulated as a random walk starting from the supersingular elliptic curve E on the l A -homogeneous map graph, and the path of the formulated random walk corresponds to the secret key, and the path The hypersingular elliptic curve that is the end point of corresponds to the public key.
 ここで、この公開鍵に到達する経路が複数存在する場合、本願の課題において述べたように、この公開鍵に到達する経路が唯一である場合と比較して鍵の復元が容易である。従来の方法では、同種写像計算回数パラメータをe回とするため、経路の唯一性を保証することができなかった。しかしながら、本実施の形態によって得られる値fを同種写像計算回数パラメータとして用いることにより、経路の唯一性を保証することができる。
 従って、本実施の形態によれば、SIDH方式において安全性が比較的高い鍵生成を行うためのパラメータを生成することができる。また、SIDH鍵共有方式における鍵の生成方法において本実施の形態を利用する場合、SIDHのインスタンスを構成する際に利用する有限体の標数である素数pの構成とランダムウォークのステップ数を適切な値に調整することにより複数のランダムウォークの衝突を防ぐことができる。 Here, when there are multiple routes to reach this public key, as described in the problem of this application, the key can be restored more easily than when there is only one route to reach this public key. In the conventional method, the parameter of the number of homogeneous mapping calculations is set to e A times, so that the uniqueness of the route cannot be guaranteed. However, by using the value f A obtained by this embodiment as the parameter for the number of homogeneous mapping calculations, the uniqueness of the route can be guaranteed.
Therefore, according to the present embodiment, it is possible to generate parameters for performing key generation with relatively high security in the SIDH method. In addition, when using this embodiment in the key generation method in the SIDH key agreement system, the configuration of the prime number p, which is the characteristic of the finite field used when constructing the SIDH instance, and the number of steps of the random walk should be appropriately adjusted. Collisions between multiple random walks can be prevented by adjusting the value to a value that is appropriate.
 なお、前述したように、特定の曲線を始点とするランダムウォークであって、同種写像グラフにおけるランダムウォークの経路と、経路の終点である曲線との関係は暗号の安全性に関わる。一方、本実施の形態によれば、1つの終点に至る複数の経路が存在することにより生じる安全性上の課題を解決する方法を提供することができる。 As mentioned above, it is a random walk that starts from a specific curve, and the relationship between the path of the random walk in the homogeneous mapping graph and the curve that is the end point of the path is related to the security of the encryption. On the other hand, according to the present embodiment, it is possible to provide a method for solving the safety problem caused by the existence of a plurality of routes leading to one end point.
***他の構成***
<変形例1>
 図4は、本変形例に係る素数パラメータ生成装置200のハードウェア構成例を示している。
 素数パラメータ生成装置200は、プロセッサ11、プロセッサ11とメモリ12、プロセッサ11と補助記憶装置13、あるいはプロセッサ11とメモリ12と補助記憶装置13とに代えて、処理回路18を備える。
 処理回路18は、素数パラメータ生成装置200が備える各部の少なくとも一部を実現するハードウェアである。
 処理回路18は、専用のハードウェアであってもよく、また、メモリ12に格納されるプログラムを実行するプロセッサであってもよい。 ***Other configurations***
<Modification 1>
FIG. 4 shows an example of the hardware configuration of the prime parameter generation device 200 according to this modification.
The prime parameter generation device 200 includes a processing circuit 18 in place of the processor 11, the processor 11 and the memory 12, the processor 11 and the auxiliary storage device 13, or the processor 11, the memory 12, and the auxiliary storage device 13.
The processing circuit 18 is hardware that implements at least a portion of each unit included in the prime number parameter generation device 200.
Processing circuit 18 may be dedicated hardware or may be a processor that executes a program stored in memory 12.
 処理回路18が専用のハードウェアである場合、処理回路18は、具体例として、単一回路、複合回路、プログラム化したプロセッサ、並列プログラム化したプロセッサ、ASIC(Application Specific Integrated Circuit)、FPGA(Field Programmable Gate Array)又はこれらの組み合わせである。
 素数パラメータ生成装置200は、処理回路18を代替する複数の処理回路を備えてもよい。複数の処理回路は、処理回路18の役割を分担する。 When the processing circuit 18 is dedicated hardware, the processing circuit 18 may be, for example, a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, an ASIC (Application Specific Integrated Circuit), or an FPGA (Field Programmable Gate Array) or a combination thereof.
The prime parameter generation device 200 may include a plurality of processing circuits that replace the processing circuit 18. The plurality of processing circuits share the role of the processing circuit 18.
 素数パラメータ生成装置200において、一部の機能が専用のハードウェアによって実現されて、残りの機能がソフトウェア又はファームウェアによって実現されてもよい。 In the prime parameter generation device 200, some functions may be realized by dedicated hardware, and the remaining functions may be realized by software or firmware.
 処理回路18は、具体例として、ハードウェア、ソフトウェア、ファームウェア、又はこれらの組み合わせにより実現される。
 プロセッサ11とメモリ12と補助記憶装置13と処理回路18とを、総称して「プロセッシングサーキットリー」という。つまり、素数パラメータ生成装置200の各機能構成要素の機能は、プロセッシングサーキットリーにより実現される。
 鍵パラメータ生成装置300についても、本変形例と同様の構成であってもよい。 The processing circuit 18 is implemented, for example, by hardware, software, firmware, or a combination thereof.
The processor 11, memory 12, auxiliary storage device 13, and processing circuit 18 are collectively referred to as a "processing circuitry." That is, the functions of each functional component of the prime parameter generation device 200 are realized by processing circuitry.
The key parameter generation device 300 may also have the same configuration as this modification.
***他の実施の形態***
 実施の形態1について説明したが、本実施の形態のうち、複数の部分を組み合わせて実施しても構わない。あるいは、本実施の形態を部分的に実施しても構わない。その他、本実施の形態は、必要に応じて種々の変更がなされても構わず、全体としてあるいは部分的に、どのように組み合わせて実施されても構わない。
 なお、前述した実施の形態は、本質的に好ましい例示であって、本開示と、その適用物と、用途の範囲とを制限することを意図するものではない。フローチャート等を用いて説明した手順は適宜変更されてもよい。 ***Other embodiments***
Although Embodiment 1 has been described, a plurality of parts of this embodiment may be implemented in combination. Alternatively, this embodiment may be partially implemented. In addition, this embodiment may be modified in various ways as necessary, and may be implemented as a whole or in part in any combination.
Note that the embodiments described above are essentially preferable examples, and are not intended to limit the present disclosure, its applications, and the scope of use. The procedures described using flowcharts and the like may be changed as appropriate.
 11 プロセッサ、12 メモリ、13 補助記憶装置、14 入出力IF、15 通信装置、18 処理回路、19 信号線、100 パラメータ生成システム、200 素数パラメータ生成装置、201 小素数生成部、202 パラメータ情報生成部、203 演算部、204 素数判定部、300 鍵パラメータ生成装置、301 計算回数生成部。 11 processor, 12 memory, 13 auxiliary storage device, 14 input/output IF, 15 communication device, 18 processing circuit, 19 signal line, 100 parameter generation system, 200 prime parameter generation device, 201 small prime generation section, 202 parameter information generation section , 203 calculation unit, 204 primality determination unit, 300 key parameter generation device, 301 calculation number generation unit.

Claims (4)

  1.  Supersingular Isogeny Diffie-Hellman方式により鍵を生成するためのパラメータを生成するパラメータ生成システムであって、
     素数l及び素数lを互いに異なる2つの素数とし、整数e及び整数eを[数1]を満たす2つの整数とし、値pを[数2]に示す演算を行うことにより生成された値としたとき、
    Figure JPOXMLDOC01-appb-M000001
    Figure JPOXMLDOC01-appb-M000002
      生成された値pが素数である場合に、前記方式における同種写像の計算回数を示すパラメータとして、[数3]を満たす整数fのうち最大の整数fを算出する計算回数生成部
    Figure JPOXMLDOC01-appb-M000003
     を備える鍵パラメータ生成装置
    を備えるパラメータ生成システム。     A parameter generation system that generates parameters for generating keys using the Supersingular Isogeny Diffie-Hellman method,
    The prime number l A and the prime number l B are two different prime numbers, the integer e A and the integer e B are two integers that satisfy [Equation 1], and the value p is generated by performing the operation shown in [Equation 2]. When the value is
    Figure JPOXMLDOC01-appb-M000001
    Figure JPOXMLDOC01-appb-M000002
     When the generated value p is a prime number, a calculation number generation unit calculates the largest integer f A among the integers f A that satisfy [Equation 3] as a parameter indicating the number of calculations of the homogeneous mapping in the method.
    Figure JPOXMLDOC01-appb-M000003
     A parameter generation system comprising a key parameter generation device.
  2.  前記パラメータ生成システムは、さらに、
     前記素数l及び前記素数lを生成する小素数生成部と、
     前記整数e及び前記整数eを生成するパラメータ情報生成部と、
     前記素数lと、前記素数lと、前記整数eと、前記整数eとを用いて前記値pを生成する演算部と、
     生成された前記値pが素数であるか否かを判定する素数判定部と
    を備える素数パラメータ生成装置
    を備える請求項1に記載のパラメータ生成システム。     The parameter generation system further includes:
    a small prime number generation unit that generates the prime number lA and the prime number lB ;
    a parameter information generation unit that generates the integer eA and the integer eB ;
    an arithmetic unit that generates the value p using the prime number lA , the prime number lB , the integer eA, and the integer eB ;
    The parameter generation system according to claim 1, further comprising a prime parameter generation device including a primality determination unit that determines whether the generated value p is a prime number.
  3.  Supersingular Isogeny Diffie-Hellman方式により鍵を生成するためのパラメータを生成するパラメータ生成方法であって、
     素数l及び素数lを互いに異なる2つの素数とし、整数e及び整数eを[数4]を満たす2つの整数とし、値pを[数5]に示す演算を行うことにより生成された値としたとき、
    Figure JPOXMLDOC01-appb-M000004
    Figure JPOXMLDOC01-appb-M000005
      コンピュータが、生成された値pが素数である場合に、前記方式における同種写像の計算回数を示すパラメータとして、[数6]を満たす整数fのうち最大の整数fを算出するパラメータ生成方法
    Figure JPOXMLDOC01-appb-M000006
    A parameter generation method for generating parameters for generating a key using the Supersingular Isogeny Diffie-Hellman method, the method comprising:
    The prime number l A and the prime number l B are two different prime numbers, the integer e A and the integer e B are two integers that satisfy [Equation 4], and the value p is generated by performing the operation shown in [Equation 5]. When the value is
    Figure JPOXMLDOC01-appb-M000004
    Figure JPOXMLDOC01-appb-M000005
     A parameter generation method in which a computer calculates the largest integer f A among integers f A that satisfy [Equation 6] as a parameter indicating the number of calculations of homogeneous mapping in the above method when the generated value p is a prime number.
    Figure JPOXMLDOC01-appb-M000006
     .
  4.  Supersingular Isogeny Diffie-Hellman方式により鍵を生成するためのパラメータを生成するコンピュータである鍵パラメータ生成装置が実行するパラメータ生成プログラムであって、
     素数l及び素数lを互いに異なる2つの素数とし、整数e及び整数eを[数7]を満たす2つの整数とし、値pを[数8]に示す演算を行うことにより生成された値としたとき、
    Figure JPOXMLDOC01-appb-M000007
    Figure JPOXMLDOC01-appb-M000008
      生成された値pが素数である場合に、前記方式における同種写像の計算回数を示すパラメータとして、[数9]を満たす整数fのうち最大の整数fを算出する計算回数生成処理
    Figure JPOXMLDOC01-appb-M000009
     を前記鍵パラメータ生成装置に実行させるパラメータ生成プログラム。     A parameter generation program executed by a key parameter generation device, which is a computer that generates parameters for generating keys using the Supersingular Isogeny Diffie-Hellman method,
    The prime number l A and the prime number l B are two different prime numbers, the integer e A and the integer e B are two integers that satisfy [Equation 7], and the value p is generated by performing the operation shown in [Equation 8]. When the value is
    Figure JPOXMLDOC01-appb-M000007
    Figure JPOXMLDOC01-appb-M000008
     When the generated value p is a prime number, a calculation number generation process for calculating the maximum integer f A among the integers f A that satisfy [Equation 9] as a parameter indicating the number of calculations of the homogeneous mapping in the above method.
    Figure JPOXMLDOC01-appb-M000009
     A parameter generation program that causes the key parameter generation device to execute.
PCT/JP2022/021752 2022-05-27 2022-05-27 Parameter generation system, parameter generation method, and parameter generation program WO2023228408A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/021752 WO2023228408A1 (en) 2022-05-27 2022-05-27 Parameter generation system, parameter generation method, and parameter generation program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/021752 WO2023228408A1 (en) 2022-05-27 2022-05-27 Parameter generation system, parameter generation method, and parameter generation program

Publications (1)

Publication Number Publication Date
WO2023228408A1 true WO2023228408A1 (en) 2023-11-30

Family

ID=88918842

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/021752 WO2023228408A1 (en) 2022-05-27 2022-05-27 Parameter generation system, parameter generation method, and parameter generation program

Country Status (1)

Country Link
WO (1) WO2023228408A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10218494B1 (en) * 2018-02-23 2019-02-26 ISARA Corporation Performing block form reductions modulo non-Mersenne primes in cryptographic protocols
WO2019077796A1 (en) * 2017-10-19 2019-04-25 三菱電機株式会社 Key sharing device, key sharing method, key sharing program, and key sharing system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019077796A1 (en) * 2017-10-19 2019-04-25 三菱電機株式会社 Key sharing device, key sharing method, key sharing program, and key sharing system
US10218494B1 (en) * 2018-02-23 2019-02-26 ISARA Corporation Performing block form reductions modulo non-Mersenne primes in cryptographic protocols

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
IKEMATSU YASUHIKO ET AL.: "Hybrid Meet-in-the-Middle Attacks for the Isogeny Path-Finding Problem", PROCEEDINGS OF THE 7TH ACM WORKSHOP ON ASIA PUBLIC-KEY CRYPTOGRAPHY, ACMPUB27, NEW YORK, NY, USA, 5 October 2020 (2020-10-05) - 6 October 2020 (2020-10-06), New York, NY, USA , pages 36 - 44, XP058479974, ISBN: 978-1-4503-7607-5, DOI: 10.1145/3384940.3388956 *
NUIDA, KOJI: "Post-Quantum Cryptography", 7 August 2020, MORIKITA PUBLISHING CO., LTD., JP, ISBN: 978-4-627-87211-0, article KOJI NUITA: "4.6 SIDH shared key system", pages: 153 - 160, XP009550890 *
RYOTA UDANI, KOUTAROU SUZUKI: "Efficient parallel computing method of isogeny based cryptography", IEICE TECHNICAL REPORT, ISEC, IEICE, JP, vol. 120, no. 411 (ISEC2020-54), 25 February 2021 (2021-02-25), JP, pages 81 - 85, XP009550882 *
TAKASHIMA, KATSUYUKI: "Post-quantum cryptography that even quantum computers cannot decipher, topic centered on supersingular isogeny", SHIMYURESHON - JAPAN SOCIETY FOR SIMULATION TECHNOLOGY.JOURNAL, NIHON SHIMYURESHON GAKKAI, TOKYO, JP, vol. 38, no. 1, 15 March 2019 (2019-03-15), JP , pages 42 - 50, XP009550891, ISSN: 0285-9947 *

Similar Documents

Publication Publication Date Title
Khalique et al. Implementation of elliptic curve digital signature algorithm
EP1993086B1 (en) Elliptical curve encryption parameter generation device, elliptical curve encryption calculation device, elliptical curve encryption parameter generation program, and elliptical curve encryption calculation program
US7908641B2 (en) Modular exponentiation with randomized exponent
JP2006145945A (en) Encryption processing operation method, encryption processing apparatus and computer program
Chuengsatiansup et al. PandA: Pairings and arithmetic
JP4690819B2 (en) Scalar multiplication calculation method and scalar multiplication calculation apparatus in elliptic curve cryptography
KR101223498B1 (en) Method for generating public key in elliptic curve cryptography and system for executing the method
Shankar et al. Cryptography with elliptic curves
WO2023228408A1 (en) Parameter generation system, parameter generation method, and parameter generation program
JP2007187908A (en) Modular exponentiation calculation device and method having tolerance to side-channel attack
JP4922139B2 (en) Key sharing method, first device, second device, and program thereof
KR20240004830A (en) Blind rotation for use in fully homomorphic encryption
Alecci et al. Pell hyperbolas in DLP–based cryptosystems
JP2005055488A (en) Scalar multiple calculating method in elliptic curve cryptosystem, device and program for the same
CN116601691A (en) Hidden information processing system and hidden information processing method
JP5038868B2 (en) Key sharing method, first device, second device, and program thereof
JP2010049211A (en) Apparatus and program for performing data compression processing using algebraic torus
JP4692022B2 (en) Scalar multiplication apparatus and program for elliptic curve cryptography
JP5506633B2 (en) Proxy calculation system, terminal device, proxy calculation device, proxy calculation method, and program
JP6777569B2 (en) Pairing arithmetic unit, pairing arithmetic method, and program
Yanlong Cryptanalysis of the cryptosystems based on the generalized hidden discrete logarithm problem
Goo et al. Reconfigurable real number field elliptic curve cryptography to improve the security
Lauter How to Keep Your Secrets in a Post-Quantum World
Dooms et al. Shaping Post-Quantum Cryptography: The Hidden Subgroup and Shift Problems
Kutas et al. Trapdoor DDH groups from pairings and isogenies

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22943808

Country of ref document: EP

Kind code of ref document: A1