JP2006078751A - Preliminary computing method for requested computing of public key code - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a preliminary computing method for requested computing of a public key code such as an RSA requiring no power calculation, and to make many client devices practical as PKI tokens. <P>SOLUTION: A client device 1 which implements the preliminary computing method for requested computing of the RSA code comprises a central processing unit and main storage device 2 and a storage device 3. The storage device 3 is stored with pieces of FP[1] to PF[γ] and SP[1] to SP[γ] of power information by the present invention together with the same information with conventional arts. The client device 1 only perform multiplication processing of the power information without performing power operations by repeating processes of steps 104 and 105 to calculate pieces fp and sp of preliminary computing information. The requested computing performed thereafter is only performed by a server device as well as the conventional arts. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a pre-calculation method for request calculation of public key cryptography, and more particularly to a pre-calculation method for request calculation of power calculation executed at the time of decryption or signature of public key cryptography among cryptographic techniques.

  The public key encryption request calculation method is a processing time in which a client device that stores a secret key requests a server device that does not store a secret key to perform a power calculation process while protecting the secret key. This is a distributed calculation method executed for the purpose of shortening. That is, the request calculation causes the server apparatus to execute a part of the power calculation process to be executed by the client apparatus without leaking the secret key from the client apparatus to the server apparatus. The public key encryption request calculation pre-calculation method is a calculation method executed on the client device before the ciphertext to be decrypted or the message to be signed is input, that is, before the public key encryption request calculation is executed.

  As a conventional technique related to a public key encryption request calculation method, for example, a technique described in Non-Patent Document 1 is known. This prior art relates to a request calculation method for RSA encryption, and by changing RSA key information and residue group of RSA encryption into key information and group of public key encryption using a group such as elliptic curve encryption. It can be applied to a request calculation method for public key cryptography.

  FIG. 3 is a diagram for explaining a prior calculation method for request calculation of RSA encryption according to the prior art, and a prior calculation method for request calculation according to the prior art will be described with reference to FIG. In FIG. 3, 1 is a client device, 2 is a central processing unit and main storage device, and 3 is a storage device.

  A client apparatus 1 that executes a pre-calculation method for RSA cipher request calculation includes a central processing unit / main storage unit 2 and a storage unit 3.

  The storage device 3 includes RSA public key information e, n, RSA private key information d, RSA private key bisection information fd, sd, RSA private key multi-partition information D [1] to D [α], First exponent information FE [1] to FE [α], second exponent information SE [1] to SE [α], and security parameters α and β are stored.

  Where φ (n) is the Euler function value of the RSA public key information n, D [1] to D [α] are integer values from 1 to φ (n) −1, FE [1] to FE [α], and SE [1] to SE [α] are integer values of 0 or more and β−1 or less, and d = fd × sd mod φ (n), fd = Σ (1 ≦ i ≦ α) (D [i] × FE [ i]) mod φ (n), sd = Σ (1 ≦ i ≦ α) (D [i] × SE [i]) mod φ (n).

  Next, the operation of the prior calculation method for RSA encryption request calculation according to the prior art will be described with reference to the flow shown in the central processing unit / main storage unit 2 in FIG. This process is a process that needs to be executed every time before executing the RSA encryption request calculation method.

(1) The processing device of the client device 1 first reads the RSA public key information n and the RSA secret key bisection information sd from the storage device 3 (step 301).

(2) Next, a random integer value of 1 or more and n-1 or less is substituted for the pre-calculation information fp (step 302).

(3) Next, fp ^ (-sd) mod n is substituted for the pre-calculation information sp. However, fp ^ (-sd) is a value of fp raised to the power of (-sd) (step 303).

(4) The pre-calculation information fp and sp obtained by the processing of steps 302 and 303 are written in the storage device 3 (step 304).

  The above is the pre-computation executed by the client device 1, and the client device 1 requests the server device for computation after performing this pre-calculation.

  FIG. 4 is a diagram for explaining a request calculation method for RSA encryption according to the prior art. Next, a request calculation method according to the prior art will be described with reference to FIG. In FIG. 4, 2 'is a central processing unit and main storage device, 4 is a server device, and other reference numerals are the same as those in FIG.

  The request calculation according to the prior art is executed by connecting the client apparatus 1 and the server apparatus 4, and the client apparatus 1 that executes the RSA encryption request calculation method includes a central processing unit and main storage device 2 and a storage device 3. The server device 4 is configured by a central processing unit and main storage device 2 ′. The storage device 3 stores information after execution of the RSA encryption request calculation pre-calculation method described in FIG.

  In the following description, x is ciphertext information to be decrypted or message information to be signed, and z is decryption result information or signature result information.

(1) First, the processing device of the client device 1 starts from the storage device 3 with the RSA public key information n, the RSA private key multi-partition information D [1] to D [α], and the first exponent information FE [1] to FE [α], second exponent information SE [1] to SE [α], security parameter α, and pre-calculation information fp, sp are read (step 401).

(2) Next, the client device 1 transmits x, n, D [1] to D [α] to the server device 4 (step 402).

(3) For 1 ≦ i ≦ α, the server device 4 substitutes x ^ D [i] mod n for the first basis information FB [i], and sets the first basis information FB [1] to FB [α]. Is calculated (step 403).

(4) Thereafter, the server device 4 transmits the first base information FB [1] to FB [α] calculated in Step 403 to the client device 1 (Step 404).

(5) Upon receiving the first basis information FB [1] to FB [α], the client device 1 adds fp × Π (1 ≦ i ≦ α) (FB [i] ^ FE [i] to the intermediate result information y. ) Mod n is substituted to calculate intermediate result information y (step 405).

(6) The client device 1 transmits the intermediate result information y calculated in step 405 to the server device 4 (step 406).

(7) For 1 ≦ i ≦ α, the server device 4 substitutes y ^ D [i] mod n for the second base information SB [i], and sets the second base information SB [1] to SB [α]. Is calculated (step 407).

(8) The server device 4 transmits the second base information SB [1] to SB [α] calculated in Step 407 to the client device 1 (Step 408).

(9) When the client apparatus 1 receives the second basis information SB [1] to SB [α] from the server apparatus 4, sp × Π (1 ≦ i ≦ α) (SB [i] ^ SE [i ] Mod n is substituted (step 409).

  According to the RSA encryption request calculation method according to the prior art as described above, the power calculation executed at the time of decryption or signature of the RSA encryption can be correctly executed, and this can be confirmed as follows. .

z = sp × Π (1 ≦ i ≦ α) (SB [i] ^ SE [i]) mod n
= Sp × Π (1 ≦ i ≦ α) (y ^ D [i] ^ SE [i]) mod n
= Sp × y ^ {Σ (1 ≦ i ≦ α) (D [i] × SE [i])} mod n
= Sp * y ^ sd mod n
= Sp × {fp × Π (1 ≦ i ≦ α) (FB [i] ^ FE [i])} ^ sd mod n
= Sp × fp ^ sd × {Π (1 ≦ i ≦ α) (FB [i] ^ FE [i])} ^ sd m od n
= {Π (1 ≦ i ≦ α) (FB [i] ^ FE [i])} ^ sd mod n
= {Π (1 ≦ i ≦ α) (x ^ D [i] ^ FE [i])} ^ sd mod n
= X ^ {Σ (1 ≦ i ≦ α) (D [i] × FE [i])} ^ sd mod n
= X ^ fd ^ sd mod n
= X ^ (fd × sd) mod n
= X ^ d mod n
Even when the RSA encryption request calculation is performed by the conventional technology as described above, the RSA private key information d is not leaked from the client device to the server device. This is because if the security parameters α and β are increased, the number of combinations of the first exponent information FE [1] to FE [α] and the second exponent information SE [1] to SE [α] becomes enormous. This is because the server device cannot acquire the first exponent information FE [1] to FE [α] and the second exponent information SE [1] to SE [α]. For example, if the value of the security parameter α is 16 and the value of β is 16, the number of combinations of the first exponent information FE [1] to FE [α] and the second exponent information SE [1] to SE [α]. Becomes 2 ^ 128.

When the request calculation is not performed, the processing amount of the client device is one exponentiation calculation of the exponent part bit length of the bit length of the RSA private key information d. On the other hand, the processing amount of the client device when performing the request calculation method is exponentiation calculation 2α times of the exponent part bit length of the security parameter β. The processing amount of one power calculation with the bit length of the exponent part being L is almost equal to the processing amount of 1.5L multiplications. For example, if the bit length of the RSA private key information d is 1024, the bit length of the security parameter β is 4, and the bit length of the security parameter α is 16, the processing amount of the client device when the request calculation is not performed is 1536 times multiplication. The processing amount of the client apparatus when performing the request calculation is the processing amount of 192 multiplications. Therefore, the processing amount of the client apparatus can be greatly reduced by the above-described RSA encryption request calculation method according to the prior art.
“Information Theory and Its Application Series 4 Cryptography and Authentication”, Baifukan Co., Ltd., 1996, p. 114-115

  The prior calculation method of the RSA encryption request calculation according to the prior art described above is the process of step 303 described with reference to FIG. 3, in which the exponent part bit length is one power cycle calculation of the bit length of the RSA private key bisection information sd. Need to run. Since the bit length of the RSA private key bisection information sd is equal to the bit length of the RSA private key information d, the amount of pre-calculation of the request calculation of the RSA cipher request according to the prior art is that of the client apparatus in the case of no request calculation method It becomes equal to the processing amount. In addition, the result of this pre-calculation is transmitted to the server device and used for request calculation. However, if the same data is transmitted to the server device every time, the safety may be impaired. Before executing cryptographic request calculation, it is necessary to execute it every time.

  For this reason, the prior calculation method for RSA encryption request calculation according to the above-described prior art may cause a problem that some client devices cannot be used as a PKI token unless the processing amount is reduced. This is a particularly serious problem when the client device is a device with a small processing capability such as a portable device such as a mobile phone.

  An object of the present invention is to solve the problems of the prior art as described above, and to provide a pre-calculation method for request calculation of public key cryptography such as RSA cryptography and elliptic curve cryptography that does not require execution of power calculation. It is in.

  According to the present invention, the object is to provide a public key encryption request calculation pre-calculation method in which a client device performs pre-calculation in order to cause a server device to perform public key encryption request calculation. This is achieved by storing the power information that holds the same relationship as the set of pre-calculated information, and calculating the pre-calculated information by multiplying the power information randomly selected by the client device.

  More specifically, when the public key encryption is RSA encryption, the object is that the server apparatus is ciphertext information to be decrypted or message information to be signed, and the exponent part is RSA private key multi-partition information. The first base information is calculated by executing the power calculation, and the client device executes the power calculation in which the base portion is the first base information and the exponent portion is the first exponent information, and the pre-calculation information is further calculated. And the server device calculates the second base information by performing a power calculation with the base part being the intermediate result information and the exponent part being the RSA private key multi-partition information. The client device executes the power calculation with the bottom part being the second base information and the exponent part being the second exponent information, and further multiplying the precalculation information to obtain the decryption result information. Alternatively, for the RSA encryption request calculation method for calculating the signature result information, the storage information in the client device is stored in the storage device with the power information that satisfies the same relationship as the pre-calculation information set, This is achieved by the client device calculating pre-calculation information by multiplying randomly selected power information.

  According to the present invention, since it is not necessary to perform a power calculation in the pre-calculation of the public key encryption request calculation, it is possible to reduce the processing amount of the client device that performs the pre-calculation of the request calculation, and to ensure safety. Can be maintained. As a result, a larger number of client devices including a device having a small processing capability such as a mobile phone can be put into practical use as a PKI token.

  Embodiments of a pre-calculation method for public key encryption request calculation according to the present invention will be described below in detail with reference to the drawings.

  FIG. 1 is a diagram for explaining a pre-calculation method for request calculation of RSA encryption according to an embodiment of the present invention. With reference to FIG. 1, a pre-calculation method for request calculation according to an embodiment of the present invention will be described. The reference numerals in FIG. 1 are the same as those in FIG.

  The client device 1 that executes the pre-calculation method for the request calculation of the RSA encryption is composed of a central processing unit / main storage device 2 and a storage device 3 as in the case of the prior art. FIG. 3 shows only the configuration necessary for the description of the present invention. As is well known, the client device 1 has a CPU, a hard disk device, a main storage device, a display, a keyboard, a mouse, and communication control. An information processing apparatus such as a mobile phone, a PDA, a PC, or a workstation configured with a unit or the like may be used.

  The storage device 3 stores RSA public key information e, n, RSA private key information d, RSA private key bisection information fd, sd, and RSA private key multi-partition information D [1] to D [α]. First exponent information FE [1] to FE [α], second exponent information SE [1] to SE [α], security parameters α, β, γ, δ, and power information FP [1]. ~ FP [γ], SP [1] to SP [γ] are stored. The power information FP [1] to FP [γ] and SP [1] to SP [γ] are information calculated in advance for the present invention.

  Where φ (n) is the Euler function value of the RSA public key information n, D [1] to D [α] are integer values from 1 to φ (n) −1, FE [1] to FE [α], and SE [1] to SE [α] are integer values from 0 to β−1, and d = fd × sd mod φ (n), fd = Σ (1 ≦ i ≦ α) (D [i] × FE [ i]) mod φ (n), sd = Σ (1 ≦ i ≦ α) (D [i] × SE [i]) SP [i] = FP [i] ^ for mod φ (n), 1 ≦ i ≦ γ (−sd) mod n is assumed to hold.

  Next, the operation of the RSA encryption request calculation pre-calculation method according to the embodiment of the present invention will be described with reference to the flow shown in the central processing unit / main storage device 2 of FIG.

(1) First, the processing device of the client device 1 stores the RSA public key information n, the security parameters γ and δ, and the power information FP [1] to FP [γ] and SP [1] to SP from the storage device 3. [Γ] is read (step 101).

(2) Next, 1 is substituted into the pre-calculation information fp and 1 is also substituted into the pre-calculation information sp (step 102).

(3) Assign 1 to i and set to repeat the processing of steps 104 and 105 (step 103).

(4) Next, a random integer between 1 and γ is substituted for R [i] (step 104).

(5) Substitute fp × FP [R [i]] mod n for the pre-calculation information fp, and substitute sp × SP [R [i]] mod n for the pre-calculation information sp (step 105).

(6) By substituting i + 1 for i, it is determined whether i ≦ δ or not, and while i ≦ δ, the processing returns to step 104 and is repeated (step 106).

(7) The pre-calculation information fp, sp calculated in the above processing is written in the storage device 3, and the processing here ends (step 107).

  The request calculation after the above-described pre-calculation can be calculated by the server device as in the case of the prior art described with reference to FIG.

Next, the pre-calculation information fp, sp calculated by the RSA encryption request calculation pre-calculation method according to the embodiment of the present invention described above is calculated by the RSA encryption request calculation pre-calculation method according to the prior art. The fact that the information is similar to the information fp, sp will be described. sp = Π (1 ≦ i ≦ δ) (SP [R [i]]) mod n
= Π (1 ≦ i ≦ δ) (FP [R [i]] ^ (− sd)) mod n
= {Π (1 ≦ i ≦ δ) FP [R [i]]} ^ (− sd) mod n
= Fp ^ (-sd) mod n
The amount of pre-calculation of RSA cipher request calculation according to the above-described embodiment of the present invention is 2δ multiplications. The processing amount of the prior calculation of the request calculation of the RSA encryption according to the prior art is that the exponent part bit length is one power calculation of the bit length of the RSA private key bisection information sd. For example, assuming that the security parameter δ is 20 and the bit length of the RSA secret key bisection information sd is 1024, the processing amount of the pre-calculation of the RSA encryption request calculation in the embodiment of the present invention is the processing amount of 40 multiplications. Yes, the processing amount of the pre-calculation of RSA encryption request calculation in the prior art is the processing amount of 1536 multiplications. Thus, the RSA encryption request calculation pre-calculation method according to the embodiment of the present invention can reduce the processing amount of the client device.

  Further, even when the RSA encryption request calculation pre-calculation method according to the embodiment of the present invention is used, the RSA private key information d does not leak from the client device to the server device. This is because if the security parameters γ and δ are increased, the number of combinations of the pre-calculation information fp and sp becomes enormous and the server device cannot acquire the pre-calculation information fp and sp. For example, when the security parameter γ is 32 and δ is 20, the number of combinations of the pre-calculation information fp and sp is as large as 2 ^ 100.

  As described above, according to the embodiment of the present invention, it is possible to reduce the amount of pre-calculation processing for request calculation of public key encryption while maintaining security, and more client devices can be practically used as PKI tokens. Can be.

  In the embodiment of the present invention described above, the RSA key information and the remainder group of the RSA cipher are changed to the key information and group of the public key cipher that uses a group such as an elliptic curve cipher. This can be applied to a calculation pre-calculation method, which will be described next.

  FIG. 2 is a diagram for explaining a pre-calculation method for request calculation of elliptic curve cryptography according to another embodiment of the present invention. Referring to FIG. 2, a pre-calculation method for request calculation according to another embodiment of the present invention is described. explain. The reference numerals in FIG. 2 are the same as those in FIG. 3, and the client apparatus 1 that executes the pre-calculation method for the request calculation of elliptic curve cryptography is the central processing unit and main memory as in FIG. It comprises a device 2 and a storage device 3.

  The storage device 3 includes elliptic curve public key information E, G [1] to G [2], elliptic curve secret key information d, elliptic curve secret key bisection information fd, sd, and elliptic curve secret key multi-partition. Information D [1] to D [α], first index information FE [1] to FE [α], second index information SE [1] to SE [α], security parameters α, β, γ, δ and scalar multiplication information FP [1] to FP [γ], SP [1] to SP [γ] are stored.

  Where E is an elliptic curve, H is a cyclic group on the elliptic curve, | H | is the order of the cyclic group on the elliptic curve, G [1] to G [2] and FP [1] to FP [γ] and SP [1] to SP [γ] are points on the elliptic curve, d and fd and sd and D [1] to D [α] are integer values of 1 to | H | −1, and FE [1] to FE. [Α] and SE [1] to SE [α] are integer values of 0 or more and β−1 or less, and G [2] = d × G [1] and d = fd × sd in the calculation on the elliptic curve E. mod | H |, fd = Σ (1 ≦ i ≦ α) (D [i] × FE [i]) mod | H |, sd = Σ (1 ≦ i ≦ α) (D [i] × SE [i ]) It is assumed that SP [i] = FP [i] × (−sd) holds in the calculation on the elliptic curve E for mod | H |, 1 ≦ i ≦ γ.

  Next, the operation of the pre-calculation method for request calculation of elliptic curve cryptography according to another embodiment of the present invention will be described with reference to the flow shown inside the central processing unit / main storage unit 2 in FIG.

(1) The processing device of the client device 1 first stores the elliptic curve public key information E, the security parameters γ and δ, and the scalar multiplication information FP [1] to FP [γ] and SP [1] to SP from the storage device 3. SP [γ] is read (step 201).

(2) Next, the infinity point is substituted for the precalculation information fp, and the infinity point is substituted for the precalculation information sp (step 202).

(3) Assign 1 to i and set to repeat the processing of steps 204 and 205 (step 203).

(4) Next, a random integer between 1 and γ is substituted for R [i] (step 204).

(5) Substituting fp + FP [R [i]] by the calculation on the elliptic curve E into the precalculation information fp, and substituting sp + SP [R [i]] by the calculation on the elliptic curve E into the precalculation information sp (step) 205).

(6) i + 1 is substituted into i to determine whether i ≦ δ or not, and while i ≦ δ, the processing returns to step 204 and repeats the processing (step 206).

(7) The pre-calculation information fp, sp calculated in the above processing is written in the storage device 3, and the processing here is terminated (step 207).

It is a figure explaining the prior calculation method of the request calculation of RSA encryption by one Embodiment of this invention. It is a figure explaining the prior calculation method of the request calculation of elliptic curve encryption by other embodiment of this invention. It is a figure explaining the prior calculation method of the request calculation of RSA encryption by a prior art. It is a figure explaining the request calculation method of RSA encryption by a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Client device 2, 2 'Central processing unit and main storage device 3 Storage device 4 Server device

Claims (3)

  In a public key encryption request calculation pre-calculation method in which a client device performs pre-calculation in order to cause a server device to perform public key encryption request calculation, a relationship similar to a set of pre-calculation information in a storage device in the client device A pre-calculation method for request calculation of public key cryptography, wherein the pre-calculation information is calculated by storing the power information satisfying the above and multiplying the power information randomly selected by the client device.   The public key encryption request calculation pre-calculation method according to claim 1, wherein the public key encryption is an RSA encryption. 2. The public key encryption request calculation pre-calculation method according to claim 1, wherein the public key encryption is elliptic curve encryption.

Images