Deprecated: The each() function is deprecated. This message will be suppressed on further calls in /home/zhenxiangba/zhenxiangba.com/public_html/phproxy-improved-master/index.php on line 456
JP4585372B2 - Pairing calculation device, pairing calculation method, and pairing calculation program - Google Patents
[go: Go Back, main page]

JP4585372B2 - Pairing calculation device, pairing calculation method, and pairing calculation program - Google Patents

Pairing calculation device, pairing calculation method, and pairing calculation program Download PDF

Info

Publication number
JP4585372B2
JP4585372B2 JP2005134313A JP2005134313A JP4585372B2 JP 4585372 B2 JP4585372 B2 JP 4585372B2 JP 2005134313 A JP2005134313 A JP 2005134313A JP 2005134313 A JP2005134313 A JP 2005134313A JP 4585372 B2 JP4585372 B2 JP 4585372B2
Authority
JP
Japan
Prior art keywords
finite field
miller
pseudo
finite
pairing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
JP2005134313A
Other languages
Japanese (ja)
Other versions
JP2006309068A (en
Inventor
鉄太郎 小林
和麻呂 青木
文学 星野
秀樹 今井
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NTT Inc
NTT Inc USA
Original Assignee
Nippon Telegraph and Telephone Corp
NTT Inc USA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp, NTT Inc USA filed Critical Nippon Telegraph and Telephone Corp
Priority to JP2005134313A priority Critical patent/JP4585372B2/en
Publication of JP2006309068A publication Critical patent/JP2006309068A/en
Application granted granted Critical
Publication of JP4585372B2 publication Critical patent/JP4585372B2/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Description

本発明は、楕円曲線上の演算、特にセキュリティ技術を実現するための演算を利用した装置、方法、およびプログラムに関する。   The present invention relates to an apparatus, a method, and a program using an operation on an elliptic curve, in particular, an operation for realizing a security technique.

楕円曲線のペアリングを用いたID−base暗号や短署名長デジタル署名を実現する方法が提案されている(特許文献1)。
Tateペアリングによる暗号や署名の概要を図1に示す。有限体GF(p)上で定義される楕円をE/GF(p)とする。楕円E/GF(p)上のGF(p)有理点をP(x、y)、楕円E/GF(p)上のGF(p)有理点をQ(x、y)とする。Tateペアリングでは、PとQを入力とし、Millerアルゴリズムによって有限体GF(p)上の元fを出力し、さらにべき乗演算によってfを(p−1)/m乗することで有限体GF(p)上の元eへ写像し、出力する。ここで、pは素数または素数のべき乗、mは素数かつP、Q、eの位数、kはm|(p−1)を満足する最小の整数、mは(p−1)の約数ではない、かつpとmの最大公約数は1である。 A method of realizing ID-base encryption using elliptic curve pairing or a short signature digital signature has been proposed (Patent Document 1).
An outline of encryption and signature by Tate pairing is shown in FIG. Let the ellipse defined on the finite field GF (p) be E / GF (p). Let GF (p) rational point on the ellipse E / GF (p) be P (x, y), and GF (p k ) rational point on the ellipse E / GF (p) be Q (x Q , y Q ). . In Tate pairing, P and Q are input, an element f on a finite field GF (p k ) is output by the Miller algorithm, and f is raised to the power of (p k −1) / m by a power operation. Map to element e on GF (p k ) and output. Here, p is a prime number or a power of a prime number, m is a prime number and the order of P, Q, and e, k is the smallest integer that satisfies m | (p k −1), and m is a factor of (p−1). It is not a number, and the greatest common divisor of p and m is 1.

図2はTateペアリングを用いたペアリング演算装置1000の機能構成例を示している。図1に示した処理を行うため、Millerアルゴリズムを用いて入力PとQを有限体GF(p)上の元fに変換して出力するMiller演算装置30と、べき乗演算によって入力fを有限体GF(p)上の元eに写像して出力するべき乗演算装置20から構成されている。
Tateペアリングで90%の計算量を占めるMiller演算装置30の内部構成例を図3に、処理フロー例を図4に示す。Miller演算装置30は、制御部100、代入部200、楕円上点生成部400、楕円加算部500、入出力部600、GF(p)乗算部700、GF(p)逆元部850、および記録部190から構成される。制御部100は、以下に示す処理フローに沿った処理を実行するために他の構成部を制御する。また、記録部190はハードディスク等の不揮発性のメモリでもよいし、一連の計算を行う間だけ一時的に記録する揮発性のメモリでもよい。また、組み合わせてもよい。 FIG. 2 shows a functional configuration example of a pairing arithmetic device 1000 using Tate pairing. In order to perform the processing shown in FIG. 1, a Miller arithmetic unit 30 that converts and outputs inputs P and Q to elements f on a finite field GF (p k ) using the Miller algorithm and a finite input f by a power operation. The power calculation unit 20 is to be mapped to the element e on the field GF (p k ) and output.
FIG. 3 shows an example of the internal configuration of the Miller arithmetic unit 30 occupying a calculation amount of 90% in Tate pairing, and FIG. 4 shows an example of the processing flow. The Miller arithmetic device 30 includes a control unit 100, an assignment unit 200, an elliptical point generation unit 400, an ellipse addition unit 500, an input / output unit 600, a GF (p k ) multiplication unit 700, a GF (p k ) inverse element unit 850, And a recording unit 190. The control unit 100 controls other components in order to execute processing according to the processing flow shown below. The recording unit 190 may be a non-volatile memory such as a hard disk or a volatile memory that temporarily records only during a series of calculations. Moreover, you may combine.

入出力部600にm、P、Qが入力されると、m、P、Qを記録部190に記録する(S700)。次に代入部200で、TにPを、Fに1を代入し、記録部190に記録する(S710)。楕円上点生成部400で、S≠PかつS≠Qの条件を満足する有限体GF(p)上で定義される楕円上の点S(∈E/GF(p))を生成し、記録部190に記録する(S720)。Sは条件を満足する点であれば、あらかじめ定めてもいいし、ランダムに生成してもよい。楕円加算部500で、記録部190からQとSを読み取り、Q’(=Q+S)を計算し、記録部190に記録する(S730)。代入部200で、log(m)−1の小数点以下を切り上げた整数をnに代入し、記録部190に記録する(S740)。制御部100は、記録部190からnを読み取り、n<0か否かを確認し、Yesの場合にはステップS910に進み、Noの場合にはステップS760に進む(S750)。Yesの場合、入出力部600は、記録部190からFを読み取り、出力し(S910)、Millerアルゴリズムによる演算が終了する。Noの場合、楕円加算部500は、記録部190からTを読み取り、2Tを計算し、記録部190に記録する(S760)。GF(p)乗算部700は、Q’、S、T、2Tを記録部190から読み取り、l(x,y)=0をTと2Tとを結ぶ直線、l(x,y)=0を2TとOとを結ぶ直線として、l(Q’)、l(Q’)、l(S)、l(S)を計算し、記録部190に記録する(S770)。ただし、l(Q’)とは、Q’のx座標とy座標とを、l(x,y)に代入した値である。なお、Sを有限体GF(p)の元から選定すると(この場合、残りのk−1個の有限体GF(p)の元は0である。)、l(S)、l(S)の計算は省略でき、以降のステップでl(S)、l(S)を省略できる。次に、代入部200は、記録部190から2Tを読み取り、Tに2Tの値を代入し、Tを記録部190に記録する(S780)。GF(p)逆元部850で、記録部190からl(Q’)、l(S)を読み取り、l(Q’)−1、l(S)−1を計算し、記録部190に記録する(S790)。GF(p)乗算部700は、記録部190からF、l(Q’)、l(S)、l(Q’)−1、l(S)−1を読み取り、 When m, P, and Q are input to the input / output unit 600, m, P, and Q are recorded in the recording unit 190 (S700). Next, the assigning unit 200 substitutes P for T and 1 for F, and records the result in the recording unit 190 (S710). The point on the ellipse 400 generates a point S (∈E / GF (p k )) on the ellipse defined on the finite field GF (p k ) that satisfies the conditions S ≠ P and S ≠ Q. The data is recorded in the recording unit 190 (S720). S may be determined in advance or may be randomly generated as long as it satisfies the conditions. The ellipse addition unit 500 reads Q and S from the recording unit 190, calculates Q ′ (= Q + S), and records it in the recording unit 190 (S730). In the assigning unit 200, an integer obtained by rounding up the decimal point of log (m) -1 is substituted into n and recorded in the recording unit 190 (S740). The control unit 100 reads n from the recording unit 190 and confirms whether or not n <0. If Yes, the process proceeds to step S910, and if No, the process proceeds to step S760 (S750). In the case of Yes, the input / output unit 600 reads and outputs F from the recording unit 190 (S910), and the calculation by the Miller algorithm ends. In the case of No, the ellipse addition unit 500 reads T from the recording unit 190, calculates 2T, and records it in the recording unit 190 (S760). The GF (p k ) multiplication unit 700 reads Q ′, S, T, and 2T from the recording unit 190, and l 1 (x, y) = 0 is a straight line connecting T and 2T, l 2 (x, y) Assuming = 0 as a straight line connecting 2T and O, l 1 (Q ′), l 2 (Q ′), l 1 (S), and l 2 (S) are calculated and recorded in the recording unit 190 (S770). . However, l 1 (Q ′) is a value obtained by substituting the x and y coordinates of Q ′ into l 1 (x, y). If S is selected from elements of a finite field GF (p) (in this case, the elements of the remaining k−1 finite fields GF (p) are 0), l 1 (S), l 2 ( The calculation of S) can be omitted, and l 1 (S) and l 2 (S) can be omitted in the subsequent steps. Next, the assigning unit 200 reads 2T from the recording unit 190, assigns a value of 2T to T, and records T in the recording unit 190 (S780). The GF (p k ) inverse element 850 reads l 2 (Q ′) and l 1 (S) from the recording unit 190 and calculates l 2 (Q ′) −1 and l 1 (S) −1 . Recording is performed in the recording unit 190 (S790). The GF (p k ) multiplication unit 700 reads F, l 1 (Q ′), l 2 (S), l 2 (Q ′) −1 , l 1 (S) −1 from the recording unit 190,

Figure 0004585372
を計算し、Fの値として記録部190に記録する(S810)。制御部100は、記録部190からmとnを読み取り、mのn番目のビットが1かを確認し、Yesの場合にはステップS830へ進み、Noの場合にはステップS900へ進む(S820)。Yesの場合、楕円加算部500で、記録部190からT、Pを読み取り、T+Pを計算し、記録部190に記録する(S830)。GF(p)乗算部700は、Q’、S、T、P,T+Pを記録部190から読み取り、l(x,y)=0をTとPとを結ぶ直線、l(x,y)=0をT+PとOとを結ぶ直線とし、l(Q’)、l(Q’)、l(S)、l(S)を計算して、記録部190に記録する(S840)。代入部200は、記録部190からT+Pを読み取り、TにT+Pを代入し、Tを記録部190に記録する(S850)。GF(p)逆元部850は、記録部190からl(Q’)、l(S)を読み取り、l(Q’)−1、l(S)−1を計算し、記録部190に記録する(S860)。GF(p)乗算部700は、記録部190からF、l(Q’)、l(S)、l(Q’)−1、l(S)−1を読み取り、
Figure 0004585372
 Is recorded in the recording unit 190 as a value of F (S810). The control unit 100 reads m and n from the recording unit 190 and checks whether the nth bit of m is 1. If Yes, the process proceeds to step S830, and if No, the process proceeds to step S900 (S820). . In the case of Yes, the ellipse addition unit 500 reads T and P from the recording unit 190, calculates T + P, and records it in the recording unit 190 (S830). The GF (p k ) multiplication unit 700 reads Q ′, S, T, P, T + P from the recording unit 190, and l 1 (x, y) = 0 is a straight line connecting T and P, l 2 (x, y) = 0 is a straight line connecting T + P and O, and l 1 (Q ′), l 2 (Q ′), l 1 (S), and l 2 (S) are calculated and recorded in the recording unit 190. (S840). The assigning unit 200 reads T + P from the recording unit 190, substitutes T + P for T, and records T in the recording unit 190 (S850). The GF (p k ) inverse element unit 850 reads l 2 (Q ′) and l 1 (S) from the recording unit 190 and calculates l 2 (Q ′) −1 and l 1 (S) −1 . Recording is performed in the recording unit 190 (S860). The GF (p k ) multiplication unit 700 reads F, l 1 (Q ′), l 2 (S), l 2 (Q ′) −1 , l 1 (S) −1 from the recording unit 190,

Figure 0004585372
を計算し、Fの値として記録部190に記録する(S890)。ステップS820でNoと判断した場合とステップS890が終了した場合、代入部200は、記録部190からnを読み取り、n−1をnに代入し、nを記録部190に記録する(S900)。次にステップS750に戻り、ステップS750の判断がYesとなるまで処理が繰り返される。
特開2004-177673号公報
Figure 0004585372
 Is recorded in the recording unit 190 as the value of F (S890). When it is determined No in step S820 and when step S890 is completed, the assignment unit 200 reads n from the recording unit 190, substitutes n−1 for n, and records n in the recording unit 190 (S900). Next, the process returns to step S750, and the process is repeated until the determination in step S750 becomes Yes.
JP 2004-177673 A

ペアリングの演算に必要な演算量は通常の楕円演算にくらべると非常に大きいため、その演算速度が遅いことが問題になっている。Tateペアリングを実現する場合、その処理時間のほとんどは上記のようにMillerのアルゴリズムであり、特許文献1でもMillerのアルゴリズムの高速化の検討が行われている。これらの高速化の方法は、超特異曲線という特殊な曲線の場合の高速演算法など、楕円曲線の性質に着眼して高速化を行っているものが多かった。
本発明が解決しようとする課題も、ペアリングの演算速度の高速化である。 Since the amount of calculation required for the pairing calculation is very large compared to the normal elliptic calculation, the problem is that the calculation speed is slow. When realizing Tate pairing, most of the processing time is Miller's algorithm as described above, and Patent Document 1 also discusses speeding up Miller's algorithm. Many of these speeding-up methods are speeding up focusing on the properties of elliptic curves, such as a high-speed calculation method in the case of a special curve called a super singular curve.
The problem to be solved by the present invention is also to increase the calculation speed of pairing.

本発明では、有限体の性質を用いて高速化を行う。図5に本発明による演算の高速化の原理を示す。Tateペアリングでは、有限体GF(p)上の元fをべき乗演算により有限体GF(p)上の元eに写像するが、次の条件を満足する有限体GF(p)上の元f’も、べき乗演算により有限体GF(p)上の元eに写像する。
f’=rf ただし、rは有限体GF(pk/2)上の元 (1)
そこで、本発明ではkが偶数の場合に、この有限体の性質を利用し、Millerアルゴリズムよりも計算量が少ないアルゴリズム(以下、「擬似Millerアルゴリズム」という。)で、元f’を求め、元f’をべき乗演算することで元eを求める。 In the present invention, speeding up is performed using the properties of a finite field. FIG. 5 shows the principle of high-speed operation according to the present invention. Tate The pairing, while mapping the original f on the finite field GF (p k) based on e on the finite field GF by exponentiation (p k), the finite field GF (p k) above satisfies the following condition: Is also mapped to the element e on the finite field GF (p k ) by a power operation.
f ′ = rf where r is an element on the finite field GF ( pk / 2 ) (1)
Therefore, in the present invention, when k is an even number, the property of this finite field is used, and an element f ′ is obtained by an algorithm having a smaller calculation amount than the Miller algorithm (hereinafter referred to as “pseudo Miller algorithm”). The element e is obtained by calculating the power of f ′.

擬似Millerアルゴリズムでは、Millerアルゴリズムで逆元を求める処理を、少ない計算量で求められる逆元のr倍の元(以下、「擬似逆元」という。)を求める処理に置き換える。具体的には、kが偶数であり、Lが有限体GF(p)上の元の場合、 In the pseudo Miller algorithm, the process of obtaining an inverse element using the Miller algorithm is replaced with a process of obtaining an element that is r times the inverse element obtained with a small amount of calculation (hereinafter referred to as “pseudo inverse element”). Specifically, when k is an even number and L is an element on a finite field GF (p k ),

Figure 0004585372
を擬似逆元として使用する。
ここで、正規基底表現の場合には、Lのpk/2乗は、Lを2つの有限体GF(pk/2)上の元LとLに分割し、LとLとを入れ替えることで実現できる。また、多項式基底表現の場合には、L(∈GF(p))のpk/2乗は、Lを2つの有限体GF(pk/2)上の元LとLに分割し、L−uと−Lとを合成することで実現できる。ここで、u(∈GF(pk/2))は最小多項式の係数として定まる定数であり、通常0や±1などの小さい数を用いることが多い。
Figure 0004585372
 Is used as a pseudo inverse element.
Here, in the case of a regular basis expression, L p k / 2 means that L is divided into elements L 0 and L 1 on two finite fields GF (p k / 2 ), and L 0 and L 1 This can be achieved by replacing Also, in the case of polynomial basis representation, p ( k / 2 ) of L (εGF (p k )) divides L into elements L 0 and L 1 on two finite fields GF (p k / 2 ). and it can be realized by combining the L 0 -u 1 L 1 and -L 1. Here, u 1 (∈GF (p k / 2 )) is a constant determined as a coefficient of the minimum polynomial, and usually a small number such as 0 or ± 1 is often used.

(x,y)(∈GF(p))は、k個の有限体GF(p)上の元を並べて表現されるが、Millerアルゴリズムで、l(x,y)を乗算する代わりに、k個の有限体GF(p)上の元の中に0である元を含むl(x,y)のr倍の有限体GF(p)上の元を乗算すれば、値が0の有限体GF(p)上の元の乗算は0であることは明確なため、省略できる。そこで図6に示す方法により、値が0である有限体GF(p)上の元を含むl(x,y)のr倍の元を求める。l(x,y)は、
L=aX+b (4)
と表現できる。たとえばXを有限体GF(p)上の元として、元Xを図6のように2つの有限体GF(p)上の元XとXとに分割し、式(4)の両辺に、有限体GF(p)上の元c(=X −1)を掛ける。L’=cLとすると、L’は図6に示すように値が0の有限体GF(p)上の元を2つ含んだ元であり、かつ式(1)を満足する。したがって、l(x,y)を乗算する代わりに、cl(x,y)を乗算すれば(以下、「擬似乗算」という。)、べき乗演算による写像は同じ点となるが、計算量を少なくできる。 l 2 (x, y) (∈GF (p k )) is expressed by arranging elements on k finite fields GF (p) side by side, and is multiplied by l 2 (x, y) by Miller algorithm. Instead, by multiplying elements on a finite field GF (p k ) that is r times l 2 (x, y) including elements that are 0 among the elements on k finite fields GF (p), Since it is clear that the original multiplication on the finite field GF (p) with a value of 0 is 0, it can be omitted. Therefore, by the method shown in FIG. 6, an element that is r times l 2 (x, y) including elements on a finite field GF (p) having a value of 0 is obtained. l 2 (x, y) is
L = aX + b (4)
Can be expressed as For example, if X is an element on a finite field GF (p 6 ), the element X is divided into elements X 1 and X 0 on two finite fields GF (p 3 ) as shown in FIG. Both sides are multiplied by an element c (= X 1 −1 ) on the finite field GF (p 3 ). When L ′ = cL, L ′ is an element including two elements on a finite field GF (p) having a value of 0 as shown in FIG. 6 and satisfies the expression (1). Therefore, if cl 2 (x, y) is multiplied instead of l 2 (x, y) (hereinafter referred to as “pseudo multiplication”), the mapping by the power operation is the same point, but the amount of calculation Can be reduced.

次に、L’の擬似逆元を求める場合を示す。擬似逆元を求めるときは、上記のようにL’を2つの有限体GF(pk/2)上の元L’とL’に分割するが、正規基底の場合も多項式基底の場合も、L’に値が0の有限体GF(p)上の元が含まれていれば、L’の擬似逆元にも値が0の有限体GF(p)上の元がそのまま含まれることになる。したがって、Lの割り算を行う場合にも、L’を求め、L’の擬似逆元を求めた上で、乗算することで、計算量を削減できる。 Next, a case where a pseudo inverse element of L ′ is obtained will be described. When obtaining a pseudo inverse element, L ′ is divided into elements L 0 ′ and L 1 ′ on two finite fields GF (p k / 2 ) as described above. also, 'if the value in the include finite GF (p) on the original 0, L 1' L 1 is finite GF (p) on the original value to the pseudo-inverse is 0 neat Will be included. Therefore, even when L is divided, the amount of calculation can be reduced by obtaining L ′, obtaining the pseudo inverse element of L ′, and multiplying.

本発明によれば、楕円曲線上のTateペアリング演算において、kが偶数である場合に、有限体の性質を用いて、E/GF(p)からGF(p)への写像の高速化を行うことができる。また、本発明は、特殊な楕円曲線の性質を用いず高速化を行うことができる。さらに、任意の標数の楕円曲線に適用することが可能であり、応用範囲が広い。 According to the present invention, in a Tate pairing operation on an elliptic curve, when k is an even number, a high-speed mapping from E / GF (p k ) to GF (p k ) is performed using the property of a finite field. Can be made. Further, the present invention can increase the speed without using special elliptic curve properties. Furthermore, it can be applied to an elliptic curve of an arbitrary characteristic and has a wide application range.

以下では、説明の重複を避けるため同じ機能を有する構成部や同じ処理を行う処理ステップには同一の番号を付与し、説明を省略する。
[第1実施形態]
図7に本発明のペアリング演算装置の機能構成例を示す。図2との違いはMiller演算装置30の代わりに、擬似Miller演算装置10が備えられていることである。擬似Miller演算装置10は、上記の擬似逆元と擬似乗算を行うことで、擬似Millerアルゴリズムを実現する装置である。擬似Miller演算装置10の内部構成例を図8に、擬似Miller演算装置10の処理フローを図9に示す。図8と図3との違いは、図8の記録部150に記録するデータの種類が、図3の記録部190に記録するデータの種類と異なるものがあること、擬似逆元を計算するためにGF(p)逆元部850が擬似GF(p)逆元部800に置き換えられたこと、擬似乗算のためにc生成部300と擬似GF(p)乗算部900が追加されたことである。まず、図4の説明中での「記録部190への記録」または「記録部190からの読み取り」は、図9では「記録部150への記録」または「記録部150からの読み取り」と読み替える。その他の図9の処理フローと図4の処理フローとの違いは、以下のとおりである。 Below, in order to avoid duplication of description, the same number is given to the structural part which has the same function, and the process step which performs the same process, and description is abbreviate | omitted.
[First Embodiment]
FIG. 7 shows a functional configuration example of the pairing arithmetic device of the present invention. The difference from FIG. 2 is that a pseudo Miller arithmetic device 10 is provided instead of the Miller arithmetic device 30. The pseudo Miller arithmetic device 10 is a device that realizes a pseudo Miller algorithm by performing pseudo multiplication with the above pseudo inverse element. An internal configuration example of the pseudo Miller arithmetic device 10 is shown in FIG. 8, and a processing flow of the pseudo Miller arithmetic device 10 is shown in FIG. 8 is different from FIG. 3 in that the type of data recorded in the recording unit 150 in FIG. 8 is different from the type of data recorded in the recording unit 190 in FIG. The GF (p k ) inverse element 850 is replaced with a pseudo GF (p k ) inverse element 800, and a c generator 300 and a pseudo GF (p k ) multiplier 900 are added for pseudo multiplication. That is. First, “recording to the recording unit 190” or “reading from the recording unit 190” in the description of FIG. 4 is replaced with “recording to the recording unit 150” or “reading from the recording unit 150” in FIG. . The other differences between the processing flow of FIG. 9 and the processing flow of FIG. 4 are as follows.

ステップS730とステップS740との間に、ステップS110とS120とを追加している。ステップS110では、c生成部300が、Q’のx座標であるX’(∈GF(p))をXとXに2分割し、X −1を計算し、cの値として記録部150に記録する。ステップS120では、Q’の座標を(X’,Y’)とすると、GF(p)乗算部700が、(cX’,cY’)を計算し、Q”として記録部150に記録する。
ステップS770は、ステップS130に置き換えられる。ステップS130では、GF(p)乗算部700が、Q”、S、T、2Tを記録部150から読み取り、l(x,y)=0をTと2Tとを結ぶ直線、l(x,y)=0を2TとOとを結ぶ直線として、l(Q”)、l(Q”)、l(S)、l(S)を計算し、記録部150に記録する。 Steps S110 and S120 are added between step S730 and step S740. In step S110, c generator 300, 'X Q is x-coordinate of the' Q a (∈GF (p k)) is divided into two X 1 and X 0, calculates the X 1 -1, the values of c Is recorded in the recording unit 150. In step S120, assuming that the coordinates of Q ′ are (X Q ′, Y Q ′), the GF (p k ) multiplier 700 calculates (cX Q ′, cY Q ′), and records it as Q ″. To record.
Step S770 is replaced with step S130. In step S130, the GF (p k ) multiplication unit 700 reads Q ″, S, T, and 2T from the recording unit 150, and l 1 (x, y) = 0 is a straight line connecting T and 2T, l 2 ( l 1 (Q ″), l 2 (Q ″), l 1 (S), l 2 (S) are calculated as x, y) = 0 as a straight line connecting 2T and O, and recorded in the recording unit 150 To do.

ステップS790とステップS810は、ステップS140〜S160に置き換える。ステップS140では、擬似GF(p)逆元部800が、記録部150からl(Q”)、l(S)を読み取り、l(Q”)の擬似逆元とl(S)の擬似逆元を計算し、記録部150に記録する。ステップS150では、擬似GF(p)乗算部900が、記録部150からl(Q”)、l(Q”)の擬似逆元を読み取り、 Steps S790 and S810 are replaced with steps S140 to S160. In step S140, the pseudo GF (p k) inverse element unit 800, the recording unit 150 l 2 (Q "), l read 1 (S), l 2 (Q " pseudo inverse and l 1 of) (S ) Is calculated and recorded in the recording unit 150. In step S150, the pseudo GF (p k ) multiplication unit 900 reads pseudo inverse elements of l 1 (Q ″) and l 2 (Q ″) from the recording unit 150,

Figure 0004585372
を計算し、Fの値として記録部150に記録する。
ステップS840は、ステップS170に置き換えられる。ステップS170では、
GF(p)乗算部700が、Q”、S、T、P,T+Pを記録部150から読み取り、l(x,y)=0をTとPとを結ぶ直線、l(x,y)=0をT+PとOとを結ぶ直線とし、l(Q”)、l(Q”)、l(S)、l(S)を計算して、記録部150に記録する。
Figure 0004585372
 Is recorded in the recording unit 150 as the value of F.
Step S840 is replaced with step S170. In step S170,
The GF (p k ) multiplication unit 700 reads Q ″, S, T, P, T + P from the recording unit 150, and l 1 (x, y) = 0 is a straight line connecting T and P, l 2 (x, y) = 0 is a straight line connecting T + P and O, and l 1 (Q ″), l 2 (Q ″), l 1 (S), l 2 (S) are calculated and recorded in the recording unit 150. .

ステップS860とステップS880は、ステップS180〜S200に置き換える。ステップS180では、擬似GF(p)逆元部800が、記録部150からl(Q”)、l(S)を読み取り、l(Q”)の擬似逆元とl(S)の擬似逆元を計算し、記録部150に記録する。ステップS190では、擬似GF(p)乗算部900が、記録部150からl(Q”)、l(Q”)の擬似逆元を読み取り、 Steps S860 and S880 are replaced with steps S180 to S200. In step S180, the pseudo GF (p k) inverse element unit 800, the recording unit 150 l 2 (Q "), l read 1 (S), l 2 (Q " pseudo inverse and l 1 of) (S ) Is calculated and recorded in the recording unit 150. In step S190, the pseudo GF (p k ) multiplication unit 900 reads pseudo inverse elements of l 1 (Q ″) and l 2 (Q ″) from the recording unit 150,

Figure 0004585372
を計算し、Fの値として記録部150に記録する。
なお、本発明でもSを有限体GF(p)の元から選定すると(この場合、残りのk−1個の有限体GF(p)の元は0である。)、l(S)、l(S)の計算や演算を省略できる。
このように変更した処理フローによって、Millerアルゴリズムよりも計算量を少なくし、有限体GF(p)上の元f’を求めることができる。
[第2実施形態]
本実施形態では、第1実施形態の図8中に示した擬似GF(p)逆元部800の内部構成について示す。入力S(∈GF(p))の擬似逆元の計算では、kを偶数としたことを利用して、逆元S−1を求めるのではなく、逆元S−1のr(∈GF(pk/2))倍であるSのpk/2乗を求めている。正規基底の場合には、入力Sのpk/2乗は、Sを2つの有限体GF(pk/2)上の元SとSに分割し、SとSとを入れ替えることで実現できる。
Figure 0004585372
 Is recorded in the recording unit 150 as the value of F.
In the present invention, when S is selected from elements of a finite field GF (p) (in this case, the elements of the remaining k−1 finite fields GF (p) are 0), l 1 (S), Calculation and calculation of l 2 (S) can be omitted.
With the processing flow thus changed, the calculation amount can be reduced as compared with the Miller algorithm, and the element f ′ on the finite field GF (p k ) can be obtained.
[Second Embodiment]
In the present embodiment, an internal configuration of the pseudo GF (p k ) inverse element unit 800 shown in FIG. 8 of the first embodiment is shown. In the calculation of the pseudo inverse element of the input S (∈GF (p k )), the inverse element S −1 is not obtained using the fact that k is an even number, but r (∈GF) of the inverse element S −1. ( Pk / 2 )) times S to the pk / 2 power. In the case of a normal basis, p k / 2 of the input S divides S into elements S 0 and S 1 on two finite fields GF (p k / 2 ) and swaps S 0 and S 1. This can be achieved.

図10に正規基底の場合の擬似GF(p)逆元部800の機能構成例を、図11に処理フローを示す。擬似GF(p)逆元部800は、分割部810と置換合成部820から構成されている。分割部810は、有限体GF(p)上の元Sが入力されると、Sを2つの有限体GF(pk/2)の元SとSに分割する(S810)。置換合成部820では、分割された元SとSとを入れ替えて合成することでSの擬似逆元を生成し(S820)、Sの擬似逆元を出力する(S830)。
このように元を入れ替えるだけで擬似逆元を求めることができるため、割り算と比較すると大幅な計算量の削減が期待できる。
[変形例]
第2実施形態では、正規基底の場合の擬似GF(p)逆元部800について示したが、本変形例では、多項式基底の場合を示す。多項式基底の場合には、入力S(∈GF(p))のpk/2乗は、Sを2つの有限体GF(pk/2)上の元SとSに分割し、S−uと−Sとを合成することで実現できる。ここで、u(∈GF(pk/2))は多項式基底における最小多項式f(x)=x+ux+uの一次の係数であって、0や±1などの小さい値を用いることが多い。 FIG. 10 shows a functional configuration example of the pseudo GF (p k ) inverse element 800 in the case of a normal basis, and FIG. 11 shows a processing flow. The pseudo GF (p k ) inverse element unit 800 includes a dividing unit 810 and a replacement combining unit 820. When the element S on the finite field GF (p k ) is input, the dividing unit 810 divides S into two elements S 0 and S 1 of the finite field GF (p k / 2 ) (S810). The replacement combining unit 820 generates a pseudo inverse element of S by exchanging the divided elements S 0 and S 1 and combining them (S 820), and outputs a pseudo inverse element of S (S 830).
Since the pseudo inverse element can be obtained simply by replacing the elements in this way, a significant reduction in the amount of calculation can be expected as compared with division.
[Modification]
In the second embodiment, the pseudo GF (p k ) inverse element portion 800 in the case of a normal basis has been shown. However, in this modification, the case of a polynomial basis is shown. In the case of a polynomial basis, the p k / 2 power of the input S (∈GF (p k )) splits S into elements S 0 and S 1 on two finite fields GF (p k / 2 ), S 0 -u 1 This can be realized by combining S 1 and -S 1 . Here, u 1 (∈GF (p k / 2 )) is a first-order coefficient of the minimum polynomial f (x) = x 2 + u 1 x + u 0 in the polynomial basis, and uses a small value such as 0 or ± 1. There are many cases.

多項式基底の場合の擬似GF(p)逆元部800’を図12に、処理フローを図13に示す。擬似GF(p)逆元部800’は、分割部810、記録部860、乗算部870、減算部880、合成部890から構成されている。記録部860にはあらかじめu(∈GF(pk/2))を記録しておく。分割部810は、有限体GF(p)上の元Sが入力されると、Sを2つの有限体GF(pk/2)の元SとSに分割する(S810)。乗算部870は、記録部860に記録されたuと分割部810の出力であるSとを掛けることで、uを得る(S840)。減算部880では、分割部810の出力であるSから乗算部870の出力であるuを引き、S−uを得る(S850)。合成部890では、減算部880からの出力であるS−uと分割部810の出力であるSから、S−uと−Sとを合成してSの擬似逆元を求め(S860)、Sの擬似逆元を出力する(S830)。 FIG. 12 shows the pseudo GF (p k ) inverse element 800 ′ in the case of a polynomial basis, and FIG. 13 shows the processing flow. The pseudo GF (p k ) inverse element unit 800 ′ includes a dividing unit 810, a recording unit 860, a multiplying unit 870, a subtracting unit 880, and a combining unit 890. In the recording unit 860, u 1 (εGF (p k / 2 )) is recorded in advance. When the element S on the finite field GF (p k ) is input, the dividing unit 810 divides S into two elements S 0 and S 1 of the finite field GF (p k / 2 ) (S810). The multiplying unit 870 multiplies u 1 recorded in the recording unit 860 and S 1 that is the output of the dividing unit 810 to obtain u 1 S 1 (S 840). The subtraction unit 880 subtracts u 1 S 1 output from the multiplication unit 870 from S 0 output from the division unit 810 to obtain S 0 -u 1 S 1 (S850). The synthesis unit 890, the S 1 which is the output of the S 0 -u 1 S 1 and the split portion 810 which is the output from the subtraction unit 880, the S by synthesizing the S 0 -u 1 S 1 and -S 1 A pseudo inverse element is obtained (S860), and a pseudo inverse element of S is output (S830).

このように元を分割と1回の乗算、減算、および合成で擬似逆元を求めることができるため、割り算と比較すると大幅な計算量の削減が期待できる。
[第3実施形態]
本実施形態では、第1実施形態の図8中に示した擬似GF(p)乗算部900の内部構成について示す。値が0の有限体GF(p)上の元を含むようにステップS110とS120でQ”を求めたので、l(Q”)は値が0の有限体GF(p)上の元を含んでおり、その数は、k/2−1個である。そこで、l(Q”)またはl(Q”)擬似逆元の乗算では、k/2+1個の有限体GF(p)上の元の掛算を繰り返せばよい。 In this way, since the pseudo inverse element can be obtained by dividing the element and performing multiplication, subtraction, and synthesis once, it can be expected to greatly reduce the amount of calculation compared to division.
[Third Embodiment]
In the present embodiment, an internal configuration of the pseudo GF (p k ) multiplication unit 900 shown in FIG. 8 of the first embodiment is shown. Since Q ″ is obtained in steps S110 and S120 so as to include elements on the finite field GF (p) whose value is 0, l 2 (Q ″) is the element on the finite field GF (p) whose value is 0. The number is k / 2-1. Therefore, in the multiplication of l 2 (Q ″) or l 2 (Q ″) pseudo inverse element, it is only necessary to repeat the original multiplication on k / 2 + 1 finite fields GF (p).

擬似GF(p)乗算部900の内部構成例を図14に示す。乗算範囲を変更した乗算部910では、上記のようにl(Q”)またはl(Q”)の擬似逆元の計算範囲j=1〜kをj=1〜1+k/2に変更し、乗算を行う。図15に、処理フローを示す。ただし、処理フロー中に示しているαi+jは、桁(乗算の結果を表現する複数の有限体GF(p)上の元のどの元に加算するのかを示している。)
k=6での計算量の評価
有限体GF(p)上の元の掛算の計算量をM、有限体GF(p)上の元の掛算の計算量をMとする。加算の計算量および定数倍は乗算の計算量にくらべ十分に小さいので、説明を簡単にするため、本評価では無視し、一般的に乗算の方法として知られている教科書法とKaratsuba法についてk=6の場合の評価を行う。 An example of the internal configuration of the pseudo GF (p k ) multiplier 900 is shown in FIG. In the multiplication unit 910 that has changed the multiplication range, the calculation range j = 1 to k of the pseudo inverse element of l 2 (Q ″) or l 2 (Q ″) is changed to j = 1 to 1 + k / 2 as described above. , Perform multiplication. FIG. 15 shows a processing flow. However, α i + j shown in the processing flow indicates a digit (which element is added to a plurality of finite fields GF (p) expressing the result of multiplication)
Evaluation of Computation Amount when k = 6 Assume that the computation amount of the original multiplication on the finite field GF (p k ) is M k and the computation amount of the original multiplication on the finite field GF (p) is M. Since the amount of addition and constant multiplication are sufficiently smaller than the amount of multiplication, for the sake of simplicity, they are ignored in this evaluation, and the textbook method and the Karatsuba method, which are generally known as multiplication methods, are k. = 6 is evaluated.

一般的に教科書法では、M=4M、M=9M、M=36Mの関係であり、Karatsuba法では、M=3M、M=6M、M=18Mである。多項式基底の逐次拡大により、通常の有限体GF(p)上の元は6つの有限体GF(p)上の元で表されるが、擬似乗算のl2(Q”)は、6つの有限体GF(p)上の元のうち2つが0となり、それを利用して通常の乗算よりも少ない計算量で乗算を行う。
l2(Q”)と有限体GF(p)上の元との擬似乗算での計算量M’は、教科書法の場合、M’=24Mとなる。次にKaratsuba法の場合を検討する。有限体GF(p)上の元は、有限体GF(p)上の元3つで表現できるが、そのうち1つが3回の乗算で全て0となるため、それを利用して通常の乗算より少ない計算量で乗算できる。「2項多項式×3項多項式」の乗算は、教科書法では6回の単項乗算となるが、Toom-Cook法を用いると4回の単項乗算で可能である(M.Gonda, K.Matsuo, K.Aoki, J.Chao, and S.Tsujii, “Improvements of addition algorithm on genus 3 hyperelliptic curves and their implementations”, Vol.II, 3A3-1, pp.995-1000, January 2004.)。したがって、Karatsuba法とToom-Cook法とを組み合わせると、M’=3M’、M’=4M、M’=12Mとなる。上記のように、教科書法でもKaratsuba法でも擬似乗算を用いることで、計算量は通常の乗算の2/3となる。 Generally, in the textbook method, M 6 = 4M 3 , M 3 = 9M, and M 6 = 36M, and in the Karatsuba method, M 6 = 3M 3 , M 3 = 6M, and M 6 = 18M. By successive expansion of the polynomial basis, an element on the normal finite field GF (p 6 ) is represented by an element on the six finite fields GF (p), but l2 (Q ″) of the pseudo multiplication is six finite fields. Two of the elements on the field GF (p) are 0, and are used to perform multiplication with a smaller amount of calculation than normal multiplication.
The amount of computation M 6 ′ in the pseudo multiplication of l2 (Q ″) and an element on the finite field GF (p 6 ) is M 6 ′ = 24 M in the textbook method. Next, the case of the Karatsuba method is examined. An element on the finite field GF (p 3 ) can be expressed by three elements on the finite field GF (p), but one of them becomes 0 by three multiplications, Multiply “binary polynomial x ternary polynomial” is 6 unary multiplications in the textbook method, but using the Toom-Cook method is possible with 4 unary multiplications. (M.Gonda, K.Matsuo, K.Aoki, J.Chao, and S.Tsujii, “Improvements of addition algorithm on genus 3 hyperelliptic curves and their implementations”, Vol.II, 3A3-1, pp.995- 1000, January 2004.). Therefore, when the Karatsuba method and the Toom-Cook method are combined, M 6 ′ = 3M 3 ′, M 3 ′ = 4 M, and M 6 ′ = 12 M. As described above, by using pseudo multiplication in both the textbook method and the Karatsuba method, the amount of calculation becomes 2/3 of the normal multiplication.

なお、本発明のすべての実施形態は、上記の処理手順の全部または一部を、コンピュータと当該コンピュータを動作させるプログラムによっても実行することができる。また、当該プログラムはコンピュータ読み取り可能な記録媒体に記録しておき、必要に応じてコンピュータに読み取らせて実行することも可能である。
[計算量の評価]
机上評価
Millerのアルゴリズムでの楕円加算部分、楕円二倍部分の計算量をそれぞれTADD、TDBLとすると、計算量は以下のようになる。Millerのアルゴリズム全体の計算量TMillerは、nをlog(m)+1の小数点以下を切り上げた整数として、
TMiller=(n/2)TADD+nTDBL
となる。有限体GF(p)上の元の掛算の計算量をM、自乗の計算量をS、有限体GF(p)上の元の掛算の計算量をM、自乗の計算量をSとすると、従来の方法(特許文献1)では、
TADD=2M+(3k+10)M+3S
TDBL=2M+2S+(3k+7)M+6S
となる。ただし、有限体GF(p)上の元fの分母と分子を別々に求めた場合である。 In all the embodiments of the present invention, all or a part of the above-described processing procedure can be executed by a computer and a program for operating the computer. Further, the program can be recorded on a computer-readable recording medium, and can be read and executed by a computer as necessary.
[Evaluation of computational complexity]
Desk evaluation
When the calculation amounts of the ellipse addition part and the ellipse double part in Miller's algorithm are TADD and TDBL, respectively, the calculation quantities are as follows. The calculation amount TMmiller of Miller's algorithm is as follows: n is an integer obtained by rounding up the decimal point of log (m) +1.
TMiller = (n / 2) TADD + nTDBL
It becomes. The original multiplication complexity on the finite field GF (p k ) is M k , the square calculation quantity is S k , the original multiplication complexity on the finite field GF (p) is M, and the square calculation quantity is S Then, in the conventional method (Patent Document 1),
TADD = 2M k + (3k + 10) M + 3S
TDBL = 2M k + 2S k + (3k + 7) M + 6S
It becomes. However, this is the case where the denominator and numerator of the element f on the finite field GF (p k ) are obtained separately.

擬似逆元を使用した楕円加算部分TADD’、楕円二倍部分の計算量TDBL’は、
TADD’=2M+(3k+10)M+3S
TDBL’=2M+S+(3k+7)M+6S
となる。また、逆元の計算量がほぼ0となるため、有限体GF(p)上の元fの分母と分子とを別々に求める必要がなくなる。これにより、余分な演算を削減できる。
擬似乗算を使用した楕円加算部分TADD”、楕円二倍部分の計算量TDBL”は、Mの片方を擬似乗算の場合の計算量M’に置き換えることができるので、
TADD”=M+M’+(3k+10)M+3S
TDBL”=M+M’+S+(3k+7)M+6S
となる。 The ellipse addition part TADD ′ using the pseudo inverse element and the calculation amount TDBL ′ of the ellipse double part are:
TADD ′ = 2M k + (3k + 10) M + 3S
TDBL ′ = 2M k + S k + (3k + 7) M + 6S
It becomes. In addition, since the calculation amount of the inverse element is almost 0, it is not necessary to separately obtain the denominator and the numerator of the element f on the finite field GF (p k ). Thereby, an extra calculation can be reduced.
Since the ellipse addition part TADD ″ using the pseudo multiplication and the calculation amount TDBL ″ of the ellipse double part can replace one of M k with the calculation amount M k ′ in the case of the pseudo multiplication,
TADD "= Mk + Mk '+ (3k + 10) M + 3S
TDBL "= M k + M k '+ S k + (3k + 7) M + 6S
It becomes.

したがって、計算量の削減が期待できることが分かる。
実験
本発明の効果を確認するため、コンピュータ上で本発明のプログラムと従来の方法でのプログラムとを動作させ、比較した。言語はgcc version3.3.3、OSはFreeBSD 5.2.1、多倍長ライブラリはGNU MP ver.4.1.4、CPUはAMD Opteron(TM) Processor 248 (2.2Ghz)、パラメータはM.Scott and P.Barreto, “Generating more MNT elliptic curves”, Cryptology ePrint Archive 2004/058, available form http://eprint.iacr.org/2004/058に示されているものを使用した。p=625852803282871856053922297323874661378036491717(16bit)、k=6、m=208617601094290618684641029477488665211553761021、a=−3、b=423976005090848776334332509669574781621802740510である。 Therefore, it can be seen that a reduction in calculation amount can be expected.
Experiments In order to confirm the effect of the present invention, the program of the present invention and the program of the conventional method were run on a computer and compared. Language is gcc version 3.3.3, OS is FreeBSD 5.2.1, Multiple-length library is GNU MP ver.4.1.4, CPU is AMD Opteron (TM) Processor 248 (2.2Ghz), Parameters are M. Scott and P. Barreto , “Generating more MNT elliptic curves”, Cryptology ePrint Archive 2004/058, available form http://eprint.iacr.org/2004/058. p = 625852803282871856053922297323874661378036491717 (16 bits), k = 6, m = 208617601094290618684641029477488665211553761021, a = -3, b = 423976005090848776334332509669574781621802740510.

その結果、従来のMillerのアルゴリズム1回の実行時間が11.22msに対して、本発明の擬似Millerのアルゴリズム1回の実行時間は9.03msであり、24%高速化できた。   As a result, the execution time for one Miller algorithm in the conventional method is 11.22 ms, while the execution time for one pseudo Miller algorithm of the present invention is 9.03 ms, which is 24% faster.

Tateペアリング演算の概要を示す図。The figure which shows the outline | summary of Tate pairing calculation. Tateペアリングを用いたペアリング演算装置の機能構成例を示す図。The figure which shows the function structural example of the pairing calculating device using Tate pairing. Miller演算装置の内部構成例を示す図。The figure which shows the internal structural example of a Miller arithmetic unit. Millerアルゴリズムの処理フローを示す図。The figure which shows the processing flow of a Miller algorithm. 擬似Millerのアルゴリズムを用いた演算の高速化の原理を示す図。The figure which shows the principle of the speeding-up of a calculation using the pseudo Miller algorithm. 擬似乗算により乗算回数が少なくするための前処理の概要を示す図。The figure which shows the outline | summary of the pre-processing for reducing the frequency | count of multiplication by pseudo multiplication. 擬似Millerアルゴリズムを用いたペアリング演算装置の機能構成例を示す図。The figure which shows the function structural example of the pairing arithmetic unit using a pseudo Miller algorithm. 擬似Miller演算装置の機能構成例を示す図。The figure which shows the function structural example of a pseudo Miller arithmetic unit. 擬似Millerアルゴリズムの処理フローを示す図。The figure which shows the processing flow of a pseudo Miller algorithm. 正規基底での擬似逆元演算部の機能構成例を示す図。The figure which shows the function structural example of the pseudo inverse element calculating part in a normal basis. 正規基底での擬似逆元演算部の処理フローを示す図。The figure which shows the processing flow of the pseudo inverse element operation part in a normal basis. 多項式基底での擬似逆元演算部の機能構成例を示す図。The figure which shows the function structural example of the pseudo | simulation inverse element calculating part in a polynomial basis. 多項式基底での擬似逆元演算部の処理フローを示す図。The figure which shows the processing flow of the pseudo | simulation inverse element operation part in a polynomial basis. 擬似乗算部の機能構成例を示す図。The figure which shows the function structural example of a pseudo multiplication part. 擬似乗算部の処理フローを示す図。The figure which shows the processing flow of a pseudo multiplication part.

Claims (13)

pは素数または素数のべき乗、kは偶数であって、有限体GF(p)上の楕円曲線上の点Pと有限体GF(p)上の楕円曲線上の点Qを入力とし、入力された点から有限体GF(p)上の元を求め、求めた有限体上の元を有限体GF(p)上の元e(P,Q)に写像し、出力するペアリング演算装置において、
PとQから有限体上の元fを求めるMillerアルゴリズムを、Millerアルゴリズム内で用いる有限体GF(p)上の元Lの逆元の代わりに
Figure 0004585372
 を用いるアルゴリズムに変更して、PとQから有限体GF(p)上の元f’を求める擬似Miller演算部と、
前記擬似Miller演算部で求めた元f’を有限体GF(p)上の元e(P,Q)にべき乗演算により写像するべき乗演算部と、
を備えるペアリング演算装置。 p is a prime number or a power of a prime number, k is an even number, and a point P on an elliptic curve on a finite field GF (p) and a point Q on an elliptic curve on a finite field GF (p k ) are input. A pairing operation for obtaining an element on a finite field GF (p k ) from the obtained points, mapping the obtained element on the finite field to an element e (P, Q) on the finite field GF (p k ), and outputting the result In the device
Instead of the inverse element of the element L on the finite field GF (p k ) used in the Miller algorithm, the Miller algorithm for obtaining the element f on the finite field from P and Q is used.
Figure 0004585372
 A pseudo Miller operation unit for obtaining an element f ′ on a finite field GF (p k ) from P and Q,
A power calculator that maps the element f ′ obtained by the pseudo Miller calculator to the element e (P, Q) on the finite field GF (p k ) by a power calculation;
A pairing arithmetic device comprising: pは素数または素数のべき乗、kは偶数であって、有限体GF(p)上の楕円曲線上の点Pと有限体GF(p)上の楕円曲線上の点Qを入力とし、入力された点から有限体GF(p)上の元を求め、求めた有限体上の元を有限体GF(p)上の元e(P,Q)に写像し、出力するペアリング演算装置において、
rを有限体GF(pk/2)上の元とする場合に、
PとQから有限体上の元fを求めるMillerアルゴリズムを、Millerアルゴリズム内で用いる有限体GF(p)上の元Lを積算する代わりに、
有限体GF(p)の元L’を、L’を表現するk個の有限体GF(p)上の元の少なくとも1つの値が0 かつ L’=rL
を満足する元から選定し、L’を積算するアルゴリズムに変更して、PとQから有限体GF(p)上の元f’を求める擬似Miller演算部と、
前記擬似Miller演算部で求めた元f’を有限体GF(p)上の元e(P,Q)にべき乗演算により写像するべき乗演算部と、
を備えるペアリング演算装置。 p is a prime number or a power of a prime number, k is an even number, and a point P on an elliptic curve on a finite field GF (p) and a point Q on an elliptic curve on a finite field GF (p k ) are input. A pairing operation for obtaining an element on a finite field GF (p k ) from the obtained points, mapping the obtained element on the finite field to an element e (P, Q) on the finite field GF (p k ), and outputting the result In the device
When r is an element on a finite field GF ( pk / 2 ),
Instead of accumulating the element L on the finite field GF (p k ) used in the Miller algorithm for the Miller algorithm for obtaining the element f on the finite field from P and Q,
If the element L ′ of the finite field GF (p k ) is at least one value of 0 on the k finite fields GF (p) representing L ′ and L ′ = rL
A pseudo Miller computing unit that selects an element satisfying the following, changes to an algorithm that integrates L ′, and obtains an element f ′ on a finite field GF (p k ) from P and Q;
A power calculator that maps the element f ′ obtained by the pseudo Miller calculator to the element e (P, Q) on the finite field GF (p k ) by a power calculation;
A pairing arithmetic device comprising: pは素数または素数のべき乗、kは偶数であって、有限体GF(p)上の楕円曲線上の点Pと有限体GF(p)上の楕円曲線上の点Qを入力とし、入力された点から有限体GF(p)上の元を求め、求めた有限体上の元を有限体GF(p)上の元e(P,Q)に写像し、出力するペアリング演算装置において、
rを有限体GF(pk/2)上の元とする場合に、
PとQから有限体GF(p)上の元fを求めるMillerアルゴリズムを、Millerアルゴリズム内で用いる有限体GF(p)上の元Lの逆元の代わりに
Figure 0004585372
 を用いること、
Millerアルゴリズム内で用いる有限体GF(p)上の元Lを積算する代わりに、
有限体GF(p)の元L’を、L’を表現するk個の有限体GF(p)上の元の少なくとも1つの値が0 かつ L’=rL
を満足する元から選定し、L’を積算するアルゴリズムに変更して、有限体GF(p)上の元f’を求めることを特徴とする擬似Miller演算部と、
前記擬似Miller演算部で求めた元f’を有限体GF(p)上の元e(P,Q)にべき乗演算により写像するべき乗演算部と、
を備えるペアリング演算装置。 p is a prime number or a power of a prime number, k is an even number, and a point P on an elliptic curve on a finite field GF (p) and a point Q on an elliptic curve on a finite field GF (p k ) are input. A pairing operation for obtaining an element on a finite field GF (p k ) from the obtained points, mapping the obtained element on the finite field to an element e (P, Q) on the finite field GF (p k ), and outputting the result In the device
When r is an element on a finite field GF ( pk / 2 ),
A Miller algorithm for obtaining an element f on a finite field GF (p k ) from P and Q is used instead of the inverse element of the element L on the finite field GF (p k ) used in the Miller algorithm.
Figure 0004585372
 Using
Instead of accumulating the elements L on the finite field GF (p k ) used in the Miller algorithm,
If the element L ′ of the finite field GF (p k ) is at least one value of 0 on the k finite fields GF (p) representing L ′ and L ′ = rL
A pseudo Miller operation unit characterized in that an element f ′ on a finite field GF (p k ) is obtained by selecting an element satisfying the above and changing to an algorithm for accumulating L ′;
A power calculator that maps the element f ′ obtained by the pseudo Miller calculator to the element e (P, Q) on the finite field GF (p k ) by a power calculation;
A pairing arithmetic device comprising: 請求項2または3記載のペアリング演算装置において、
aとbが整数、有限体GF(p)の元Xが有限体GF(pk/2)の2つの元XとXとを用いて表されており、有限体GF(p)上の元LがL=aX+bと表現できる場合に、
L’=X −1Lとする擬似Miller演算部
を備えるペアリング演算装置。 In the pairing arithmetic device according to claim 2 or 3,
a and b are integers, based on X are represented by using the two elements X 0 and X 1 of the finite field GF (p k / 2) of the finite field GF (p k), finite GF (p k ) When the above element L can be expressed as L = aX + b,
A pairing operation device including a pseudo Miller operation unit that sets L ′ = X 1 −1 L. 請求項1、3または4のいずれかに記載のペアリング演算装置において、
有限体GF(p)の元Sが正規基底を用いて有限体GF(pk/2)の2つの元SとSとで表される場合に、
とSとを置き換えることで擬似逆元を求める擬似Miller演算部
を備えるペアリング演算装置。 In the pairing arithmetic device according to any one of claims 1, 3 and 4,
When the original S of the finite field GF (p k) is represented by the two elements S 0 and S 1 of the finite field GF using normal basis (p k / 2),
Pairing computation device comprising a pseudo Miller calculation unit for obtaining the pseudo-inverse element by replacing the S 0 and S 1. 請求項1、3または4のいずれかに記載のペアリング演算装置において、
有限体GF(p)の元Sが、多項式基底を用いて有限体GF(pk/2)の2つの元S、S、および最小多項式f(x)=x+ux+uで表される場合に、
−uと−Sとを合成することで擬似逆元を求める擬似Miller演算部
を備えるペアリング演算装置。 In the pairing arithmetic device according to any one of claims 1, 3 and 4,
Original S of a finite field GF (p k) are finite GF (p k / 2) of the two elements S 0, S 1, and the minimum polynomial f (x) = x 2 + u 1 x + u 0 by using a polynomial basis Is represented by
A pairing arithmetic device comprising a pseudo Miller arithmetic unit for obtaining a pseudo inverse element by combining S 0 -u 1 S 1 and -S 1 . pは素数または素数のべき乗、kは偶数であって、有限体GF(p)上の楕円曲線上の点Pと有限体GF(p)上の楕円曲線上の点Qを入力とし、入力された点から有限体GF(p)上の元を求め、求めた有限体上の元を有限体GF(p)上の元e(P,Q)に写像し、出力するペアリング演算方法において、
擬似Miller演算部で、PとQから有限体上の元fを求めるMillerアルゴリズムを、Millerアルゴリズム内で用いる有限体GF(p)上の元Lの逆元の代わりに
Figure 0004585372
 を用いるアルゴリズムに変更して、PとQから有限体GF(p)上の元f’を求め、
べき乗演算部で、前記擬似Miller演算部で求めた元f’を有限体GF(p)上の元e(P,Q)にべき乗演算により写像する
ことを特徴とするペアリング演算方法。 p is a prime number or a power of a prime number, k is an even number, and a point P on an elliptic curve on a finite field GF (p) and a point Q on an elliptic curve on a finite field GF (p k ) are input. A pairing operation for obtaining an element on a finite field GF (p k ) from the obtained points, mapping the obtained element on the finite field to an element e (P, Q) on the finite field GF (p k ), and outputting the result In the method
In the pseudo Miller arithmetic unit, a Miller algorithm for obtaining an element f on a finite field from P and Q is used instead of the inverse element of the element L on the finite field GF (p k ) used in the Miller algorithm.
Figure 0004585372
 Is changed to an algorithm using, and an element f ′ on a finite field GF (p k ) is obtained from P and Q,
A pairing calculation method characterized in that the power calculation unit maps the element f ′ obtained by the pseudo Miller calculation unit to the element e (P, Q) on the finite field GF (p k ) by a power calculation. pは素数または素数のべき乗、kは偶数であって、有限体GF(p)上の楕円曲線上の点Pと有限体GF(p)上の楕円曲線上の点Qを入力とし、入力された点から有限体GF(p)上の元を求め、求めた有限体上の元を有限体GF(p)上の元e(P,Q)に写像し、出力するペアリング演算方法において、
rを有限体GF(pk/2)上の元とする場合に、
擬似Miller演算部で、PとQから有限体上の元fを求めるMillerアルゴリズムを、Millerアルゴリズム内で用いる有限体GF(p)上の元Lを積算する代わりに、
有限体GF(p)の元L’を、L’を表現するk個の有限体GF(p)上の元の少なくとも1つの値が0 かつ L’=rL
を満足する元から選定し、L’を積算するアルゴリズムに変更して、PとQから有限体GF(p)上の元f’を求め、
べき乗演算部で、前記擬似Miller演算部で求めた元f’を有限体GF(p)上の元e(P,Q)にべき乗演算により写像する
ことを特徴とするペアリング演算方法。 p is a prime number or a power of a prime number, k is an even number, and a point P on an elliptic curve on a finite field GF (p) and a point Q on an elliptic curve on a finite field GF (p k ) are input. A pairing operation for obtaining an element on a finite field GF (p k ) from the obtained points, mapping the obtained element on the finite field to an element e (P, Q) on the finite field GF (p k ), and outputting the result In the method
When r is an element on a finite field GF ( pk / 2 ),
Instead of accumulating the element L on the finite field GF (p k ) used in the Miller algorithm for the Miller algorithm for obtaining the element f on the finite field from P and Q in the pseudo Miller arithmetic unit,
If the element L ′ of the finite field GF (p k ) is at least one value of 0 on the k finite fields GF (p) representing L ′ and L ′ = rL
Is selected from elements satisfying the above, and the algorithm is changed to an algorithm for accumulating L ′, and an element f ′ on the finite field GF (p k ) is obtained from P and Q,
A pairing calculation method characterized in that the power calculation unit maps the element f ′ obtained by the pseudo Miller calculation unit to the element e (P, Q) on the finite field GF (p k ) by a power calculation. pは素数または素数のべき乗、kは偶数であって、有限体GF(p)上の楕円曲線上の点Pと有限体GF(p)上の楕円曲線上の点Qを入力とし、入力された点から有限体GF(p)上の元を求め、求めた有限体上の元を有限体GF(p)上の元e(P,Q)に写像し、出力するペアリング演算方法において、
rを有限体GF(pk/2)上の元とする場合に、
擬似Miller演算部で、PとQから有限体GF(p)上の元fを求めるMillerアルゴリズムを、Millerアルゴリズム内で用いる有限体GF(p)上の元Lの逆元の代わりに
Figure 0004585372
 を用いる過程と、
Millerアルゴリズム内で用いる有限体GF(p)上の元Lを積算する代わりに、
有限体GF(p)の元L’を、L’を表現するk個の有限体GF(p)上の元の少なくとも1つの値が0 かつ L’=rL
を満足する元から選定し、L’を積算するアルゴリズムに変更して、有限体GF(p)上の元f’を求める過程と、
べき乗演算部で、前記擬似Miller演算部で求めた元f’を有限体GF(p)上の元e(P,Q)にべき乗演算により写像する過程と
を有することを特徴とするペアリング演算方法。 p is a prime number or a power of a prime number, k is an even number, and a point P on an elliptic curve on a finite field GF (p) and a point Q on an elliptic curve on a finite field GF (p k ) are input. A pairing operation for obtaining an element on a finite field GF (p k ) from the obtained points, mapping the obtained element on the finite field to an element e (P, Q) on the finite field GF (p k ), and outputting the result In the method
When r is an element on a finite field GF ( pk / 2 ),
A Miller algorithm for obtaining an element f on a finite field GF (p k ) from P and Q by a pseudo Miller arithmetic unit is used instead of the inverse element of the element L on the finite field GF (p k ) used in the Miller algorithm.
Figure 0004585372
 The process of using
Instead of accumulating the elements L on the finite field GF (p k ) used in the Miller algorithm,
If the element L ′ of the finite field GF (p k ) is at least one value of 0 on the k finite fields GF (p) representing L ′ and L ′ = rL
And a process for obtaining an element f ′ on a finite field GF (p k ) by changing to an algorithm that integrates L ′,
And a process of mapping the element f ′ obtained by the pseudo Miller operation unit to the element e (P, Q) on the finite field GF (p k ) by a power operation. Calculation method. 請求項8または9記載のペアリング演算方法において、
aとbが整数、有限体GF(p)の元Xを表現するk個の有限体GF(p)上の元を2つに分割してできる有限体GF(pk/2)の2つの元をXとXとし、有限体GF(p)上の元LがL=aX+bと表現できる場合に、
擬似Miller演算部で、L’=X −1Lとする
ことを特徴とするペアリング演算方法。 In the pairing calculation method according to claim 8 or 9,
2 a and b are integers, the finite field GF of (p k) of the original X a representing the k finite field GF (p) finite based can be divided into two on the GF (p k / 2) If one element is X 0 and X 1 and the element L on the finite field GF (p k ) can be expressed as L = aX + b,
In the pseudo Miller calculation unit, L ′ = X 1 −1 L 請求項7、9または10のいずれかに記載のペアリング演算方法において、
有限体GF(p)の元Sを表現するk個の有限体GF(p)上の元を2つに分割してできる有限体GF(pk/2)の2つの元をSとSとする場合に、
擬似Miller演算部で、SとSとを置き換えることで擬似逆元を求める
ことを特徴とするペアリング演算方法。 The pairing calculation method according to claim 7, 9 or 10,
Two elements of a finite field GF (p k / 2 ) obtained by dividing an element on k finite fields GF (p) expressing the element S of the finite field GF (p k ) into two are denoted by S 0 . If S 1
A pairing calculation method characterized in that a pseudo inverse element is obtained by replacing S 0 and S 1 in a pseudo Miller calculation unit. 請求項7、9または10のいずれかに記載のペアリング演算方法において、
有限体GF(p)の元Sが多項式基底であり、k個の有限体GF(p)上の元を2つに分割してできる有限体GF(pk/2)の2つの元をSとS、多項式基底ごとに定まる有限体GF(pk/2)上の元をuとする場合に、
擬似Miller演算部で、S−uと−Sとを合成することで擬似逆元を求める
ことを特徴とするペアリング演算方法。 The pairing calculation method according to claim 7, 9 or 10,
An element S of a finite field GF (p k ) is a polynomial basis, and two elements of a finite field GF (p k / 2 ) formed by dividing an element on k finite fields GF (p) into two S 0 and S 1 , where u 1 is an element on a finite field GF (p k / 2 ) determined for each polynomial basis,
A pairing calculation method, wherein a pseudo inverse element is obtained by combining S 0 -u 1 S 1 and -S 1 in a pseudo Miller calculation unit. 請求項1から6のいずれかに記載のペアリング演算装置をコンピュータにより実現するペアリング演算プログラム。   A pairing calculation program for realizing the pairing calculation device according to claim 1 by a computer.
JP2005134313A 2005-05-02 2005-05-02 Pairing calculation device, pairing calculation method, and pairing calculation program Expired - Lifetime JP4585372B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2005134313A JP4585372B2 (en) 2005-05-02 2005-05-02 Pairing calculation device, pairing calculation method, and pairing calculation program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2005134313A JP4585372B2 (en) 2005-05-02 2005-05-02 Pairing calculation device, pairing calculation method, and pairing calculation program

Publications (2)

Publication Number Publication Date
JP2006309068A JP2006309068A (en) 2006-11-09
JP4585372B2 true JP4585372B2 (en) 2010-11-24

Family

ID=37476000

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2005134313A Expired - Lifetime JP4585372B2 (en) 2005-05-02 2005-05-02 Pairing calculation device, pairing calculation method, and pairing calculation program

Country Status (1)

Country Link
JP (1) JP4585372B2 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6610277B2 (en) 2016-01-15 2019-11-27 富士通株式会社 Shared key generation program, shared key generation method, and information processing terminal
JP7402191B2 (en) * 2021-03-03 2023-12-20 Kddi株式会社 Multiplication device, multiplication method and multiplication program

Also Published As

Publication number Publication date
JP2006309068A (en) 2006-11-09

Similar Documents

Publication Publication Date Title
Aysu et al. Low-cost and area-efficient FPGA implementations of lattice-based cryptography
Tuitman Counting points on curves using a map to 𝐏¹
WO2016046949A1 (en) Method for calculating elliptic curve scalar multiplication
CN101061526B (en) Encryption computing device
JP6621813B2 (en) Electronic computing device for performing obfuscated arithmetic
Lai et al. Elixir: High-throughput cost-effective dual-field processors and the design framework for elliptic curve cryptography
JP2018503113A (en) Electronic computing device for performing obfuscated operations
Wang et al. Optimized hardware-software co-design for Kyber and Dilithium on RISC-V SoC FPGA
JPWO2006030496A1 (en) Elliptic curve cryptography calculation device, calculation method of calculation device using elliptic curve, and program for causing computer to execute scalar multiplication of points on elliptic curve
JP2006227562A (en) Cryptographic processing operation method, cryptographic processing apparatus, and computer program
JP4585372B2 (en) Pairing calculation device, pairing calculation method, and pairing calculation program
Reddy et al. Mnhoka-ppa efficient m-term non-homogeneous hybrid overlap-free karatsuba multiplier for gf (2 n) polynomial multiplier
Askanazi et al. Polynomial invariants of graphs on surfaces
Ni et al. Finite Dehn surgeries on knots in S3
Fournaris et al. Affine coordinate binary edwards curve scalar multiplier with side channel attack resistance
Lopez et al. Sum-of-products Evaluation Schemes with Fixed-Point arithmetic, and their application to IIR filter implementation
JP4580274B2 (en) Pairing calculation device, pairing calculation method, and pairing calculation program
EP4447383A1 (en) Number theoretic transform with parallel coefficient processing
JP4630132B2 (en) Pairing calculation method, apparatus and program using the method
KR102184189B1 (en) Method for computing 4-isogeny on twisted edwards curves
JP5289571B2 (en) Arithmetic unit
JP4630117B2 (en) Multi-pairing calculation method, pairing comparison method, apparatus using the same, and program
Ibrahim et al. High-performance, low-power architecture for scalable radix 2 montgomery modular multiplication algorithm
JP2006330495A (en) Pairing calculation method, apparatus and program using the method
JP5858938B2 (en) Calculation apparatus, calculation system, calculation method

Legal Events

Date Code Title Description
RD03 Notification of appointment of power of attorney

Free format text: JAPANESE INTERMEDIATE CODE: A7423

Effective date: 20070323

A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20070810

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20100824

A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20100903

R150 Certificate of patent or registration of utility model

Ref document number: 4585372

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150

Free format text: JAPANESE INTERMEDIATE CODE: R150

FPAY Renewal fee payment (event date is renewal date of database)

Free format text: PAYMENT UNTIL: 20130910

Year of fee payment: 3

S531 Written request for registration of change of domicile

Free format text: JAPANESE INTERMEDIATE CODE: R313531

R350 Written notification of registration of transfer

Free format text: JAPANESE INTERMEDIATE CODE: R350

EXPY Cancellation because of completion of term