JP2002215022A - Finite field data recording medium, finite field data operation method, its device, and its program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To quickly process the operation of a finite field GF(2m) in bulk by software. SOLUTION: The j-th bit, for example, the fourth bit a2,4 (0<=j<m) of the i-th element, for example, the second element (0<=i<w) out of w elements a0 to aw-1 of the field GF(2m) shown in Figure 1A is arranged in the (i=4)th bit of the (j=4)th word as shown in Figure 1B to convert the w elements to m words of w bits per word. One word is the processing unit of a computer. Operation is performed with data converted in this manner.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an operation on a finite field of characteristic 2 used in information security technology and coding technology,
In particular, the present invention relates to a finite field data recording medium, a finite field data calculation method, and a finite field data calculation method applied to elliptic cryptography configured using operations on elliptic curves.

[0002]

2. Description of the Related Art In recent years, with the development of the Internet and the like, various types of information have been exchanged using a public line. Since the public line can be used by anyone, the relay information can be easily eavesdropped or falsified. Information security technology is effective to counter malicious acts such as eavesdropping. Conventionally, among information security technologies, exponentiation modular exponentiation has often been used for realizing a public key system. In recent years, however, the number of information to be kept secret, called a key, can be reduced, and the speed is high. Attention has been paid to a method using a group formed by elliptic curves on a finite field, that is, elliptic encryption.

An elliptic curve used for encryption is an elliptic curve E / GF defined on a finite field GF (q) called a definition field.
The group E (GF) of (q) consisting of GF (q ^m ) rational points
(Q ^m )) (q is a power of a prime number and m is 1 or more) in most cases. Group E of elliptic curves (GF (q ^m ))
Is performed by the four arithmetic operations of the finite field GF (q ^m ). In other words, performing a finite field operation at high speed leads to speeding up of elliptic encryption. On the other hand, the document “Biham:“ AF
ast New DES Implementation in Software, ”pp. 260-2
72, Fast Software Encryption, 4th International Work
shop, FSE'97, Lecture Notes in Computer Science 126
7, 1997 "(hereinafter referred to as Document B) proposes a method for realizing the processing of the common key block cipher DES by software at high speed. DES is a cipher designed to be processed at high speed by hardware. Considering that a DES is implemented by a 64-bit CPU, even though there are instructions that can process 64 bits simultaneously, 64 bits such as 6 bits or 4 bits are used. Only a very small number of bits can be processed compared to the number of bits, and the performance of a 64-bit CPU cannot be conventionally utilized. In Document B, the 64-bit CPU is regarded as a 64-parallel SIMD type 1-bit CPU.
By processing all data at once, 64
It has succeeded in utilizing the performance of the bit CPU. Later, this method came to be called the bit slice method.

[0004]

SUMMARY OF THE INVENTION Used for elliptic cryptography
Conventionally, as a finite field, q = 2 which is advantageous in hardware
Or in the case where m = 1 and q is a prime number
Combination has been used mainly. Q = 2 in software
Various methods have been proposed for realizing
Performance may be significantly reduced compared to hardware implementation.
there were. Therefore, if q = 2, that is, a finite characteristic 2
When processing elliptic cryptography using a field on a server, etc.
Is special because it requires a large amount of finite field arithmetic operations.
Requires hardware and is handled by software only
It was difficult. That is, the finite field GF (2^m) Element
Can be represented by a bit string of length m. In other words,
Modulo w-bit CPU ([A] is the smallest integer greater than A
), The finite field GF (2 ^mW) elements are necessary
The element stored in [m / w] registers and memory is w
It was juxtaposed. For example, the finite field GF (2¹⁶³) (M = 1
63) are 64 processing units of CPU as shown in FIG.
If one word has w = 64 bits, the elements of each finite field
Is divided into three registers of one word (64 bits)
Are stored respectively. Therefore, the third register has
29 bits for the part containing the most significant bit stored
Is wasted, and doing unnecessary calculations
Become. In the case of multiplication of elements of a finite field, for example, 1
Extract one bit from word register and operate
However, it is necessary to shift or un-
The process was troublesome because it was executed by executing the command.

SUMMARY OF THE INVENTION It is an object of the present invention to provide a data structure recording medium, a finite field data calculation method and a finite field data calculation method capable of processing a large number of finite fields of characteristic 2 in large quantities and at high speed by software. is there.

[0006]

The operation of a finite field of characteristic 2 is
Because it is suitable for hardware, the bit slice method
More efficient processing can be realized by software.
Wear. The present invention enables processing by the bit slice method.
The data structure is devised in order to perform The invention
Is represented by m bits as shown in FIG. 1A, for example.
Restricted field GF (2 ^m) W elements a₀, a₁, ..., a_wTo
The ith (0 ≦ i <w) GF (2^m) Element j bit
(G) (0 ≦ j <m) as shown in FIG.
It is placed at the i-th bit of the code. For example, i = 2 in FIG. 1A
The element a_TwoJ = fourth bit a of_2,4 Figure 2B
Located at the i = 2 bit of the j = fourth word in
You. That is, each element a₀, ..., a_w-1According to the j-th bit of
Thus, w bits of the j-th word are configured.

Here, for i and j, one GF
As long as they are arranged at the same bit position in the word for each element of (2 ^m ), there is no problem in any combination. In other words, the elements a _0, ..., at each j-th bit of a _w-1, it is not necessary to configure the j-th word, the elements a _0, ..., each j-th bit of a _w-1, any of the May be placed in words. However, the bit arrangement order in that word is
Always be constant. This can be generally expressed as a ₀ , ..., a
_w−1 is replaced by w bits a _{p (w−1)} , j, a _{p at} each bit position j (0 ≦ j <m) using the permutation p of {0, 1,. _(w-2) , j,..., a _{p (0)} , j may be arranged as one word out of m words.

Here, m is an integer of 1 or more, but usually 8
For example, 160 to 256 are often used in the field of cryptography, and w is an integer of 1 or more. However, even if the value is equal to or slightly smaller than the number of bits of one word as a processing unit of a computer to be used. Often, in general, 32 or 64 at present, and more recently 128 are also used. According to the present invention, since the w elements of the finite field GF (2 ^m ) are converted into m words in which w bits are assigned to one word, processing by the bit slice method is possible.
Software processing can be performed efficiently.

[0009]

DESCRIPTION OF THE PREFERRED EMBODIMENTS In a computer, for example, as shown in FIG. 2, after data is input via an input / output interface 11 and temporarily stored in a memory 12, a program in a program memory 13 is transferred to a CPU (or a CPU). (Processor) 14 and often outputs the result to the outside via the input / output interface 11. At this time, in this embodiment, the CPU 14 executes the conversion program in the conversion program memory 15 to convert the w elements of the finite field GF (2 ^m ) in the memory 12 into the elements a _{0 ,.} Each j-th bit of _-1 is arranged in any one of m words. For example, the data shown in FIG. 1A is converted into the data shown in FIG.
And using the converted data in the memory 16,
The program in the memory 13 is executed. It is assumed that the program in this case is described so as to be suitable for the converted data. The processing result is subjected to an inverse conversion program as necessary, and is returned to data of m bits and w elements and output to the outside.

In this case, the memory 16 may constitute a finite field data recording medium according to the present invention, and the memory 16 may store a plurality of data converted as described above. In the following embodiment of the present invention, the j-th bit (0 ≦ j <m) of the i-th (0 ≦ i <w) element as shown in FIG. 1 is used for w elements GF (2 ^m ). ) Is the j-th word i
Assume that it is arranged at the bit (a _j [i]). Also, in principle, the present invention is applicable to all calculation methods available in hardware regardless of the following embodiments. That is, the calculation method by hardware can be easily realized by software according to the present invention. It is. First Embodiment [Addition] The sum C of data A and B obtained by converting GF (2 ^m ) data of each w elements into m-word data is represented by C _j ← A _j (+) B _j For j = 0, 1,..., m−1, (+) is obtained by exclusive OR for each bit. The number of calculations in this case is m. According to the conventional data format, it becomes w × [m / w], and the number of calculations is reduced by the amount corresponding to the rounding up of m / w below the decimal point.

Second Embodiment [Square / Normal Basis] w elements of GF (2 ^m ) are represented by a regular basis.
That is, the generator i of the normal basis is used, and the i-th element is Σ
_{When j = 0} ^m-1 A _j [i] (α ² ) ^j , the square B is 1
Since it is only a cyclic shift of bits, it can be obtained by B _j ← A _j-1modm j = 0, 1,..., _M -1. That is, the data of the (j−1) m-th word may be moved to the j-th word. This means that when the result of the square is used in the subsequent operation, the cyclic shift is merely a replacement of the subscript indicating which word, so if the program is described so as to process the subscript appropriately, the calculation amount is 0. A square operation can be realized. In conventional data, it is necessary to execute a 1-bit cyclic shift instruction, that is, a calculation is required. For example, when C = A ² + B is obtained, C _j ← A _j-1modm (+) B _j j = 0, 1 _,.
Can be calculated for each of the words, and can be obtained with the same calculation amount as the addition. Here, the normal base is given, but a polynomial base and other bases can be used although the calculation efficiency is slightly lowered.

Third Embodiment [Multiplication / Polynomial Base / Subject]
Writing] w GF (2^m) Elements are represented by polynomial basis
That is, GF (2^m) Is GF (2) [α] (α is G
The irreducible polynomial f (x) = Σ on F (2)_{j = 0} ^me_jx^j(E
_m= 1), and the i-th element of A is Σ_{j = 0}
^m-1A_j[I] α^jConsider the case Multiplication is a hardware
First, find the product of the polynomials, then
It is obtained by calculating mod f (x). Therefore C =
AB first, c '_j← (+) A_kB_h For j = 0, 1,..., 2m−2,... (1) is calculated. This equation shows that all k and h satisfy j = k + h.
About the combination of A_kB _hAnd add the result
Means that

For example, the multiplication of two polynomials is as shown in FIG. Is the sum of the results of calculating the d _k g _h for the combination of all the k and h satisfying k + h = 2 Looking at the example alpha ² of the coefficients of the calculation result. Such a relationship also holds for the other terms of α. Therefore, the calculation result c ′ _j of the equation (1) means that each coefficient of α ^j in A × B is obtained. Next, the modf (x) is calculated by the procedure shown in FIG. 3 by using c ′ _j thus obtained and e _j in the equation of f (x). First, j is initialized to 2m−2 (S1), k is set to 0 (S2), and c ′ _{j + km} ←
c ′ _{j + km} (+) c ′ _j e _k is calculated, and the result is c ′ _{j + km
j + km} (S3). Next, k is incremented by 1 and updated (S
4) If k is equal to or less than m (S5), step S3
If k is not less than m, j is decremented by 1 (S6),
If j is not less than m (S7), the process returns to step S2, and if j is not more than m, the process is terminated. C ′ _j thus obtained is C _j (0 ≦ j <m).

Conventionally, processing for selecting bits in a word is required, and processing for the selection is required. According to the converted data of the present invention, each bit of each word is , Corresponds to one bit of each element before conversion, and only by selecting a word, there is no need to select a bit in the word, and operations on the same bit position between the A and B elements are performed in parallel. This can be done at the same time, and the processing becomes simple. Here, a general case is given, but Karats is used as a basis in multiplication of a normal basis, another basis, or a polynomial.
Conventional hardware, such as the Uba method, a method using the fast Fourier transform (FFT), and a method using a three- or five-term equation as f (x) to calculate mod f (x) at high speed. With respect to the method of performing the computation, the computation can be efficiently performed by software by using the converted data of the present invention.

Fourth Embodiment [Conversion of Expression] A method for converting conventional data into data of the present invention is described in, for example, the document "May, Penna, Clark:" An Implementa
tion of Bitsliced DES on the Pentium MMX ^TM Process
or, ”pp.112-122, Information Security and Privacy, 5
th AustralasianConference, ACISP 2000, Lecture Notes
in Computer Science 1841, 2000, page 115. SWAPMOVE (A, B, N, M) T = ((A >> N) (+) B) &M; A >> N represents A shifted right by N bits. B = B (+) T; A = A (+) (T <<N); T << N indicates that T is shifted left by N bits. Is efficiently used when is used like the butterfly operation used in the fast Fourier transform.

For example, when w = 4 and m = 4, SWAPMOVE (a ₀ , a ₁ , 1,0101 ₍₂₎ ) SWAPMOVE (a ₂ , a ₃ , 1,0101 ₍₂₎ ) SWAPMOVE (a ₀ , a ₂ , 2,0011 ₍₂₎ ) SWAPMOVE (a ₁ , a ₃ , 2,0011 ₍₂₎ ).

When w = 8 and m = 8, SWAPMOVE (a ₀ , a ₁ , 1,01010101 ₍₂₎ ) SWAPMOVE (a ₂ , a ₃ , 1,01010101 ₍₂₎ ) SWAPMOVE (a ₄ , a _{5) , 1,01010101 (2)) SWAPMOVE (} a 6, a 7, 1, 01010101 (2)) SWAPMOVE (a 0, a 2, 2, 00110011 (2)) SWAPMOVE (a 1, a 3, 2, 00110011 ( _{2)) SWAPMOVE (a 4,} a 6, 2, 00110011 (2)) SWAPMOVE (a 5, a 7, 2, 00110011 (2)) SWAPMOVE (a 0, a 4, 4, 00001111 (2)) SWAPMOVE ( _{a 1, a 5, 4,} 00001111 (2)) SWAPMOVE (a 2, a 6, 4, 00001111 (2)) SWAPMOVE (a 3, a 7, 4, 00001111 (2) And it should be. Also, since the above transformation is equivalent to the inverse transformation,
The conversion from the conversion data of the present invention to the conventional data is also performed by S
It can be calculated similarly using WAPMOVE ().

[0018]

According to the present invention, for example, a square on a plurality of finite fields GF (2 ^m ) expressed by a normal basis can be realized with a software amount of 0 and no calculation amount. In addition, multiplication can also be efficiently performed because bit-wise processing has become possible. The larger the word length of the processor (CPU), the more efficiently the multiplication and the square of GF (2 ^m ) can be performed. For example, assuming that w = 64, multiplication can be performed about six times faster than the conventional technique using the converted data of the present invention. In an ordinary real device, it is more efficient to implement an elliptic operation on GF (2 ^m ) with Affine coordinates, but in a bit slice implementation using the transformed data of the present invention, it is more efficient to represent it in Projective coordinates. When implementing 163-bit elliptic curve cryptography on a Pentium III processor, it is theoretically more than twice as fast to implement using a bit slice implementation (Projective coordinate) than implementing using a normal real device method (Affine coordinate). Elliptical scalar multiplication can be performed.

[Brief description of the drawings]

FIG. 1A is a diagram showing a conventional data array, and FIG. 1B is a diagram showing a data array according to the present invention.

FIG. 2 is a diagram showing an example of a functional configuration of an apparatus according to the present invention.

FIG. 3 illustrates a multiplication process of conversion data according to the present invention;
5 is a flowchart illustrating an example of a calculation procedure of mod f (x).

FIG. 4 is a diagram showing a conventional state of storing data in a register for each word.

FIG. 5 is a diagram showing multiplication of two polynomials.

[Procedure amendment]

[Submission date] April 23, 2002 (2002.4.2
3)

[Procedure amendment 1]

[Document name to be amended] Statement

[Correction target item name] Name of invention

[Correction method] Change

[Correction contents]

Patent application title: Finite field data recording medium, finite field data calculation method and device , and program therefor

[Procedure amendment 2]

[Document name to be amended] Statement

[Correction target item name] Claims

[Correction method] Change

[Correction contents]

[Claims]

[Procedure amendment 3]

[Document name to be amended] Statement

[Correction target item name] 0001

[Correction method] Change

[Correction contents]

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an operation on a finite field of characteristic 2 used in information security technology and coding technology,
In particular finite data storage medium used in the constructed elliptic encryption using arithmetic on an elliptic curve, a finite field data computing method and apparatus, for the program.

Continued on the front page (72) Literature Hoshino Literature 2-3-1 Otemachi, Chiyoda-ku, Tokyo F-term in Nippon Telegraph and Telephone Corporation (reference) 5J104 AA25 JA25 NA16

Claims (3)

[Claims] 1. A computer-readable recording medium recorded by a computer, wherein the data is a finite field GF represented by m bits (m is an integer of 2 or more).
A = (a [0], a [1],..., A [m-1]) elements of (2 ^{m ′} ) (m ′ ≦ m) w (w is an integer of 2 or more) a ₀ , a _1, ..., a _w-1 is, {0,1, ..., w- 1} using the permutation p of, w bits for each bit position j of a (0 ≦ j <m) a p (0) [j ], A _{p (1)} [j],..., A _{p (w-1)} [j]
A finite field data recording medium recorded in a word. 2. A method for calculating finite field data by a computer, comprising: a finite field GF represented by m bits (m is an integer of 2 or more).
A = (a [0], a [1],..., A [m-1]) elements of (2 ^{m ′} ) (m ′ ≦ m) w (w is an integer of 2 or more) a ₀ , a ₁ ,..., A _w−1 are fetched from the memory, and w is used for each bit position j (0 ≦ j <m) of these w elements using the permutation p of {0, 1,. The bits a _{p (0)} [j], a _{p (1)} [j],..., A _{p (w−1)} [j] are each a word which is a processing unit of the computer, and m
Word data is stored in a memory, a desired operation is performed in units of words using at least one data similarly converted from the memory, and the operation result is stored in the memory. Finite field data calculation method. 3. An apparatus for computing finite field data by a computer, wherein an element a of a finite field GF (2 ^{m ′} ) (m ′ ≦ m) expressed by m bits (m is an integer of 2 or more) (a [0], a [ 1], ..., a [m-1]) w pieces (w is an integer of 2 or more) of a _0, a _1, ..., a a _w-1, each of its bit position j {0,1,
.., W−1}, using the permutation p, w bits a _{p (0)} [j], a _{p (1)} [j],..., A _{p (w−1)} [j] As one word, m
A finite field data operation device comprising: means for converting data into word data; and means for performing a desired operation on a word basis using at least one similarly converted data.