TREA

INVERSE ELEMENT OPERATION APPARATUS AND COMPUTER READABLE MEDIUM

Follow

Information

  • Patent Application
  • 20230076400
  • Publication Number
    20230076400
  • Date Filed
    November 16, 2022
    3 years ago
  • Date Published
    March 09, 2023
    2 years ago
Information
Abstract
An acceptance unit (110) accepts an element a. A preliminary operation unit (120) calculates t1 that is a computation result of a02, t2 that is a computation result of a22, t3 that is a computation result of a0a1, t4 that is a computation result of a1a2, and t7 that is equal to a computation result of (a0+a1)(a1−a2), using a0, a1, and a2. An inverse element operation unit (130) calculates b0 that is equal to a computation result of a02−a1a2v, b1 that is equal to a computation result of a22v−a0a1, and b2 that is equal to a computation result of a12−a0a2, using t1, t2, t3, t4, and t7. An output unit (140) generates and outputs an inverse element a−1, using b0, b1, and b2.
Description
TECHNICAL FIELD

The present disclosure relates to a technique that enables a fast multiplicative inverse element calculation in a subgroup of a finite field.


BACKGROUND ART

There are cryptographic algorithms that utilize operations on a finite field.


There may be a case in which by utilizing the properties of a subgroup of a finite field, the amount of computation for operations can be reduced, and as a result, a cryptographic algorithm can be made more efficient.


Pairing-based cryptography realizes various highly convenient functions by utilizing the properties of a pairing map which are bilinearity and non-degeneracy.


Computation of a pairing map is composed of operations on a finite field. Therefore, speeding up operations on a finite field is important in making pairing-based cryptography more efficient.


It is known that in Ate pairing or optimal Ate pairing, which are computation algorithms for pairing maps, an inverse element calculation and a squaring can be computed faster by utilizing the properties of a subgroup of a finite field, so that pairing-based cryptography can be made more efficient.


Computation of a pairing map requires an inverse element calculation as described below.


For a prime field Fp, extension fields (Fpn, Fpk) as described below will be considered. Each of the extension field Fpn and the extension field Fpk is the extension field of the prime field Fp. Each of the prime field Fp, the extension field Fpn, and the extension field Fpk is a finite field.






F
p
n
=F
p[v]/(vn−α),






F
p
k
=F
p
n[w]/(w3−v).


“k” is the smallest integer that satisfies r|(pk−1) for a prime number r and a prime number p. “k” satisfies k=3n for an integer n.


“α” is an element of the prime field Fp.


“v” is an element of the extension field Fpn that satisfies f(v)=0 for a polynomial f(X)=Xn−α that is irreducible on the prime field Fp.


“w” is an element of the extension field Fpk that satisfies g(w)=0 for a polynomial g(X)=X3−v that is irreducible on the extension field Fpn.


A set of elements of the extension field Fpk of order Φ3(pn) is called a cyclotomic subgroup. This set is denoted as GΦ3(pn). Note that Φm(x) means an m-th cyclotomic polynomial.


The element a of the set GΦ3(pn) is expressed by the following formula. Each of “a0”, “a1”, and “a2” is an element of the extension field Fpn.






a=a
0
+a
1
w+a
2
w
2


In this case, an inverse element a−1 of the element a of the set GΦ3(pn) can be calculated by two Frobenius operations and one multiplication on the extension field Fpk.


This indicates that an inverse element calculation on the set GΦ3(pn) can be computed faster than an inverse element calculation on the extension field Fpk.


Non-Patent Literature 1 indicates that an inverse element calculation on the set GΦ3(pn) is possible when “k=27”.


Furthermore, the inverse element a−1 is expressed by the following formula.






a
−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2


This formula includes three multiplications (a1a2, a0a1, a0a2) and three squarings (a02, a22, a12) on the extension field Fpn.


Non-Patent Literature 2 indicates that an inverse element calculation by this formula is possible when “k=9, 15, 27”.


CITATION LIST
Non-Patent Literature



  • Non-Patent Literature 1: X. Zhang and D. Lin, “Analysis of Optimum Pairing Products at High Security Levels,” INDOCRYPT 2012, LNCS 7668, pp. 412-430, 2012.

  • Non-Patent Literature 2: E. Fouotsa, N. El Mrabet and A. Pecha “Computing Optimal Ate Pairing on Elliptic Curves with Embedding Degree 9, 15 and 27,” IACR Cryptology ePrint Archive, 2016/1187, 2016.



SUMMARY OF INVENTION
Technical Problem

An inverse element calculation for a pairing map requires operations on a finite field, and the operations on the finite field are a bottleneck in making pairing-based cryptography more efficient.


In particular, multiplications and squarings among the operations on the finite field involve a large amount of computation in comparison with additions, subtractions, and fractional multiplications (½ multiplication, ¼ multiplication, etc.).


An object of the present disclosure is to make it possible to reduce the amount of computation for an inverse element calculation for a pairing map.


Solution to Problem

An inverse element operation apparatus of the present disclosure calculates an inverse element a−1 of an element a.


The element a is expressed by a=a0+a1w+a2w2.


The inverse element a−1 is expressed by a−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2.


The inverse element operation apparatus includes


an acceptance unit to accept the element a;


a preliminary operation unit to calculate t1 that is a computation result of a02, t2 that is a computation result of a22, t3 that is a computation result of a0a1, t4 that is a computation result of a1a2, and t7 that is equal to a computation result of (a0+a1)(a1−a2), using a0, a1, and a2;


an inverse element operation unit to calculate b0 that is equal to a computation result of a02−a1a2v, b1 that is equal to a computation result of a22v−a0a1, and b2 that is equal to a computation result of a12−a0a2, using t1, t2, t3, t4, and t7; and


an output unit to generate and output the inverse element a−1, using b0, b1, and b2.


Advantageous Effects of Invention

According to the present disclosure, squarings on a finite field for calculating an inverse element a−1 can be reduced from three times to twice. That is, the amount of computation required for an inverse element calculation for a pairing map can be reduced. As a result, pairing-based cryptography can be made more efficient.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 is a configuration diagram of an inverse element operation apparatus 100 in a first embodiment;



FIG. 2 is a configuration diagram of a preliminary operation unit 120 in the first embodiment;



FIG. 3 is a configuration diagram of an inverse element operation unit 130 in the first embodiment;



FIG. 4 is a flowchart of an inverse element operation method in the first embodiment;



FIG. 5 is a flowchart of a preliminary operation process (S120) in the first embodiment;



FIG. 6 is a flowchart of an inverse element operation process (S130) in the first embodiment;



FIG. 7 is a hardware configuration diagram of the inverse element operation apparatus 100 in the first embodiment;



FIG. 8 is a configuration diagram of an inverse element operation apparatus 200 in a second embodiment;



FIG. 9 is a configuration diagram of a preliminary operation unit 220 in the second embodiment;



FIG. 10 is a configuration diagram of an inverse element operation unit 230 in the second embodiment;



FIG. 11 is a flowchart of an inverse element operation method in the second embodiment;



FIG. 12 is a flowchart of a preliminary operation process (S220) in the second embodiment;



FIG. 13 is a flowchart of an inverse element operation process (S230) in the second embodiment; and



FIG. 14 is a hardware configuration diagram of the inverse element operation apparatus 200 in the second embodiment.





DESCRIPTION OF EMBODIMENTS

In the embodiments and drawings, the same elements or corresponding elements are denoted by the same reference sign. Description of an element denoted by the same reference sign as that of an element that has been described will be omitted or simplified as appropriate. Arrows in diagrams mainly indicate flows of data or flows of processing.


First Embodiment

An embodiment in which an inverse element a−1 of an element a of a cyclotomic subgroup is calculated will be described based on FIGS. 1 to 7.


*** Description of Configuration ***


Based on FIG. 1, a configuration of an inverse element operation apparatus 100 will be described.


The inverse element operation apparatus 100 is a computer that includes hardware such as a processor 101, a memory 102, an auxiliary storage device 103, a communication device 104, and an input/output interface 105. These hardware components are connected with one another through signal lines.


The processor 101 is an IC that performs operational processing and controls other hardware components. For example, the processor 101 is a CPU.


IC is an abbreviation for Integrated Circuit.


CPU is an abbreviation for Central Processing Unit.


The memory 102 is a volatile or non-volatile storage device. The memory 102 is also called a main storage device or a main memory. For example, the memory 102 is a RAM. Data stored in the memory 102 is saved in the auxiliary storage device 103 as necessary.


RAM is an abbreviation for Random Access Memory.


The auxiliary storage device 103 is anon-volatile storage device. For example, the auxiliary storage device 103 is a ROM, an HDD, or a flash memory. Data stored in the auxiliary storage device 103 is loaded into the memory 102 as necessary.


ROM is an abbreviation for Read Only Memory.


HDD is an abbreviation for Hard Disk Drive.


The communication device 104 is a receiver and a transmitter. For example, the communication device 104 is a communication chip or a NIC.


NIC is an abbreviation for Network Interface Card.


The input/output interface 105 is a port to which an input device and an output device are connected. For example, the input/output interface 105 is a USB terminal, the input device is a keyboard and a mouse, and the output device is a display.


USB is an abbreviation for Universal Serial Bus.


The inverse element operation apparatus 100 includes elements such as an acceptance unit 110, a preliminary operation unit 120, an inverse element operation unit 130, and an output unit 140. These elements are realized by software.


The auxiliary storage device 103 stores an inverse element operation program to cause a computer to function as the acceptance unit 110, the preliminary operation unit 120, the inverse element operation unit 130, and the output unit 140. The inverse element operation program is loaded into the memory 102 and executed by the processor 101.


The auxiliary storage device 103 further stores an OS. At least part of the OS is loaded into the memory 102 and executed by the processor 101.


The processor 101 executes the inverse element operation program while executing the OS.


OS is an abbreviation for Operating System.


Input data and output data of the inverse element operation program are stored in a storage unit 190.


The memory 102 functions as the storage unit 190. However, a storage device such as the auxiliary storage device 103, a register in the processor 101, and a cache memory in the processor 101 may function as the storage unit 190 in place of the memory 102 or together with the memory 102.


The inverse element operation apparatus 100 may include a plurality of processors as an alternative to the processor 101.


The inverse element operation program can be recorded (stored) in a computer readable format in a non-volatile recording medium such as an optical disc or a flash memory.


Based on FIG. 2, a configuration of the preliminary operation unit 120 will be described.


The preliminary operation unit 120 includes elements such as a squaring unit 121, a first multiplication unit 122, an addition unit 123, a subtraction unit 124, and a second multiplication unit 125. The functions of these elements will be described later.


Based on FIG. 3, a configuration of the inverse element operation unit 130 will be described.


The inverse element operation unit 130 includes elements such as a first operation unit 131, a second operation unit 132, and a third operation unit 133. The functions of these elements will be described later.


*** Description of Preliminary Conditions ***


Preliminary conditions for an inverse element calculation by the inverse element operation apparatus 100 will be described.


“p” is a prime number.


“Fp” is a field whose number of elements is p.


“k” and “n” are integers that satisfy k=3n.


Each of “Fpn” and “Fpk” is an extension field of the field Fp.


“α” is an element of the field Fp.


The extension field Fpn and the extension field Fpk are expressed by the following formulas.






F
p
n
=F
p[v]/(vn−α),






F
p
k
=F
p
n[w]/(w3−v).


“GΦ3(pn)” is a set of elements of the extension field Fpk with order Φ3(pn), and is called a cyclotomic subgroup. Note that Φm(x) is an m-th cyclotomic polynomial.


“α” is an element of the set GΦ3(pn). That is, “a” is the element of the cyclotomic subgroup.


“a−1” is an inverse element of the element a.


Each of “a0”, “a1”, and “a2” is an element of the extension field Fpn.


The element a is expressed by the following formula.






a=a
0
+a
1
w+a
2
w
2
∈GΦ3(pn)


The inverse element “a−1” is expressed by the following formula.






a
−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2


*** Description of Operation ***


A procedure for operation of the inverse element operation apparatus 100 is equivalent to an inverse element operation method. The procedure for operation of the inverse element operation apparatus 100 is also equivalent to a procedure for processing by the inverse element operation program.


Based on FIG. 4, the inverse element operation method will be described.


In step S110, the acceptance unit 110 accepts an element a.


For example, the element a is transmitted to the inverse element operation apparatus 100 from a pairing mapping apparatus that performs operations of pairing mapping or a pairing-based cryptographic apparatus that performs operations of pairing-based cryptography. Then, the acceptance unit 110 receives the element a.


For example, the element a is input to the inverse element operation apparatus 100 by a user. Then, the acceptance unit 110 accepts the element a that has been input.


The element a includes a0, a1, and a2 and is expressed by the following formula.






a=a
0
+a
1
w+a
2
w
2


In step S120, the preliminary operation unit 120 calculates t1, t2, t3, t4, and t7, using a0, a1, and a2, where


t1 is a computation result of a02,


t2 is a computation result of a22,


t3 is a computation result of a0a1,


t4 is a computation result of a1a2, and


t7 is equal to a computation result of (a0+a1)(a1−a2).


A computation result of X is a value obtained by computing X.


Y that is equal to a computation result of X is the same value as the value obtained by computing X, and is obtained without computing X.


Details of step S120 will be described later.


In step S130, the inverse element operation unit 130 calculates b0, b1, and b2, using t1, t2, t3, t4, and t7, where


b0 is equal to a computation result of a02−a1a2v,


b1 is equal to a computation result of a22v−a0a1, and


b2 is equal to a computation result of a12−a0a2.


Details of step S130 will be described later.


In step S140, the output unit 140 outputs an inverse element a−1.


For example, the output unit 140 transmits the inverse element a−1 to the transmission source of the element a. Alternatively, the output unit 140 writes the inverse element a−1 in a recording medium specified by the user.


The inverse element a−1 is the inverse element of the element a and is expressed by the following formula.






a
−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2


Based on FIG. 5, a preliminary operation process (S120) will be described.


In step S121, the squaring unit 121 performs a squaring using a0. Specifically, the squaring unit 121 computes a02. By this, t1 is calculated.


This t1 is a computation result of a02 and is expressed as indicated below.






t
1
←a
0
2


In step S122, the squaring unit 121 performs a squaring using a2. Specifically, the squaring unit 121 computes a22. By this, t2 is calculated.


This t2 is a computation result of a22 and is expressed as indicated below.






t
2
←a
2
2


In step S123, the first multiplication unit 122 performs a multiplication using a0 and a1. Specifically, the first multiplication unit 122 computes a0a1. By this, t3 is calculated.


This t3 is a computation result of a0a1 and is expressed as indicated below.






t
3
←a
0
a
1


In step S124, the first multiplication unit 122 performs a multiplication using a1 and a2. Specifically, the first multiplication unit 122 computes a1a2. By this, t4 is calculated.


This t4 is a computation result of a1a2 and is expressed as indicated below.






t
4
←a
1
a
2


In step S125, the addition unit 123 performs an addition using a0 and a1. Specifically, the addition unit 123 computes a0+a1. By this, t5 is calculated.


This t5 is a computation result of a0+a1 and is expressed as indicated below.






t
5
←a
0
+a
1


In step S126, the subtraction unit 124 performs a subtraction using a1 and a2. Specifically, the subtraction unit 124 computes a1−a2. By this, t6 is calculated.


This t6 is a computation result of a1−a2 and is expressed as indicated below.






t
6
←a
1
−a
2


In step S127, the second multiplication unit 125 performs a multiplication using t5 and t6. Specifically, the second multiplication unit 125 computes t5t6. By this, t7 is calculated.


This t7 is a computation result of t5t6 and is expressed as indicated below.






t
7
←t
5
t
6=(a0+a1)(a1−a2)


Based on FIG. 6, an inverse element operation process (S130) will be described.


In step S131, the first operation unit 131 performs a subtraction using t1 and t4.


Specifically, the first operation unit 131 multiplies t4 by v to calculate t4v. Then, the first operation unit 131 computes t1−t4v. “v” is a predetermined value.


By this, b0 is calculated.


This b0 is a computation result of t1−t4v and is expressed as indicated below.






b
0
←t
1
−t
4
v=a
0
2
−a
1
a
2
v


In step S132, the second operation unit 132 performs a subtraction using t2 and t3.


Specifically, the second operation unit 132 multiplies t2 by v to calculate t2v. Then, the second operation unit 132 computes t2v−t3.


By this, b1 is calculated.


This b1 is a computation result of t2v−t3 and is expressed as indicated below.






b
1
←t
2
v−t
3
=a
2
2
v−a
0
a
1


In step S133, the third operation unit 133 performs an addition and a subtraction using t3, t4, and t7. Specifically, the third operation unit 133 computes t7−t3+t4. By this, b2 is calculated.


This b2 is a computation result of t7−t3+t4 and is expressed as indicated below.












b
2



t
7


-

t
3

+

t
4


=




(



a


0

+


a


1


)



(


a
1

-

a
2


)


-


a
0



a
1


+


a
1



a
2









=




a
0



a
1


-


a
0



a
2


+

a
1
2

-


a
1



a
2


-


a
0



a
1


+


a
1



a
2









=



a
1
2

-


a
0



a
2










*** Description of Effects of the First Embodiment ***


By the first embodiment, squarings on a finite field for calculating an inverse element a−1 can be reduced from three times to twice. That is, an inverse element calculation can be speeded up. As a result, pairing-based cryptography can be made more efficient.


*** Supplement to the First Embodiment ***


Based on FIG. 7, a hardware configuration of the inverse element operation apparatus 100 will be described.


The inverse element operation apparatus 100 includes processing circuitry 109.


The processing circuitry 109 is hardware that realizes the acceptance unit 110, the preliminary operation unit 120, the inverse element operation unit 130, and the output unit 140.


The processing circuitry 109 may be dedicated hardware, or may be the processor 101 that executes programs stored in the memory 102.


When the processing circuitry 109 is dedicated hardware, the processing circuitry 109 is, for example, a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, an ASIC, an FPGA, or a combination of these.


ASIC is an abbreviation for Application Specific Integrated Circuit.


FPGA is an abbreviation for Field Programmable Gate Array.


The inverse element operation apparatus 100 may include a plurality of processing circuits as an alternative to the processing circuitry 109.


In the processing circuitry 109, some functions may be realized by dedicated hardware, and the rest of the functions may be realized by software or firmware.


As described above, the functions of the inverse element operation apparatus 100 can be realized by hardware, software, firmware, or a combination of these.


Second Embodiment

With regard to an embodiment in which an inverse element a1 of an element a of a cyclotomic subgroup is calculated, differences from the first embodiment will be mainly described based on FIGS. 8 to 14.


*** Description of Configuration ***


Based on FIG. 8, a configuration of an inverse element operation apparatus 200 will be described.


The inverse element operation apparatus 200 is equivalent to the inverse element operation apparatus 100 in the first embodiment.


The inverse element operation apparatus 200 is a computer that includes hardware such as a processor 201, a memory 202, an auxiliary storage device 203, a communication device 204, and an input/output interface 205. These hardware components are connected with one another through signal lines.


The processor 201 is an IC that performs operational processing and controls other hardware components. For example, the processor 201 is a CPU.


The memory 202 is a volatile or non-volatile storage device. The memory 202 is also called a main storage device or a main memory. For example, the memory 202 is a RAM. Data stored in the memory 202 is saved in the auxiliary storage device 203 as necessary.


The auxiliary storage device 203 is anon-volatile storage device. For example, the auxiliary storage device 203 is a ROM, an HDD, or a flash memory. Data stored in the auxiliary storage device 203 is loaded into the memory 202 as necessary.


The communication device 204 is a receiver and a transmitter. For example, the communication device 204 is a communication chip or a NIC.


The input/output interface 205 is a port to which an input device and an output device are connected. For example, the input/output interface 205 is a USB terminal, the input device is a keyboard and a mouse, and the output device is a display.


The inverse element operation apparatus 200 includes elements such as an acceptance unit 210, a preliminary operation unit 220, an inverse element operation unit 230, and an output unit 240. These elements are realized by software.


The auxiliary storage device 203 stores an inverse element operation program to cause a computer to function as the acceptance unit 210, the preliminary operation unit 220, the inverse element operation unit 230, and the output unit 240. The inverse element operation program is loaded into the memory 202 and executed by the processor 201.


The auxiliary storage device 203 further stores an OS. At least part of the OS is loaded into the memory 202 and executed by the processor 201.


The processor 201 executes the inverse element operation program while executing the OS.


Input data and output data of the inverse element operation program are stored in a storage unit 290.


The memory 202 functions as the storage unit 290. However, a storage device such as the auxiliary storage device 203, a register in the processor 201, and a cache memory in the processor 201 may function as the storage unit 290 in place of the memory 202 or together with the memory 202.


The inverse element operation apparatus 200 may include a plurality of processors as an alternative to the processor 201.


The inverse element operation program can be recorded (stored) in a computer readable format in a non-volatile recording medium such as an optical disc or a flash memory.


Based on FIG. 9, a configuration of the preliminary operation unit 220 will be described.


The preliminary operation unit 220 includes elements such as a first squaring unit 221, a multiplication unit 222, a first fractional multiplication unit 223, an operation unit 224, a second squaring unit 225, and a second fractional multiplication unit 226. The functions of these elements will be described later.


Based on FIG. 10, a configuration of the inverse element operation unit 230 will be described.


The inverse element operation unit 230 includes elements such as a first operation unit 231, a second operation unit 232, and a third operation unit 233. The functions of these elements will be described later.


*** Description of Preliminary Conditions ***


Preliminary conditions for an inverse element calculation by the inverse element operation apparatus 200 are the same as the preliminary conditions in the first embodiment.


*** Description of Operation ***


A procedure for operation of the inverse element operation apparatus 200 is equivalent to an inverse element operation method. The procedure for operation of the inverse element operation apparatus 200 is also equivalent to a procedure for processing by the inverse element operation program.


Based on FIG. 11, the inverse element operation method will be described.


In step S210, the acceptance unit 210 accepts an element a.






a=a
0
+a
1
w+a
2
w
2


Step S210 is the same as step S110 in the first embodiment.


In step S220, the preliminary operation unit 220 calculates t1, t2, t3, t4, t7, and t8, using a0, a1, and a2, where


t1 is a computation result of a02,


t2 is a computation result of a22,


t3 is a computation result of a0a1,


t4 is a computation result of a1a2,


t7 is equal to a computation result of a02+a12+a22/4+2a0a1−a0a2−a1a2, and


t8 is equal to a computation result of a22/4.


Details of step S220 will be described later.


In step S230, the inverse element operation unit 230 calculates b0, b1, and b2, using t1, t2, t3, t4, t7, and t8, where


b0 is equal to a computation result of a02−a1a2v,


b1 is equal to a computation result of a22v−a0a1, and


b2 is equal to a computation result of a12−a0a2.


Details of step S230 will be described later.


In step S240, the output unit 140 outputs an inverse element a−1.






a
−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2


Step S240 is the same as step S140 in the first embodiment.


Based on FIG. 12, a preliminary operation process (S220) will be described.


In step S221, the first squaring unit 221 performs a squaring using a0.


Specifically, the first squaring unit 221 computes a02. By this, t1 is calculated.


This t1 is a computation result of a02 and is expressed as indicated below.






t
1
←a
0
2


In step S222, the first squaring unit 221 performs a squaring using a2. Specifically, the first squaring unit 221 computes a22. By this, t2 is calculated.


This t2 is a computation result of a22 and is expressed as indicated below.






t
2
←a
2
2


In step S223, the multiplication unit 222 performs a multiplication using a0 and a1. Specifically, the multiplication unit 222 computes a0a1. By this, t3 is calculated.


This t3 is a computation result of a0a1 and is expressed as indicated below.






t
3
←a
0
a
1


In step S224, the multiplication unit 222 performs a multiplication using a1 and a2. Specifically, the multiplication unit 222 computes a1a2. By this, t4 is calculated.


This t4 is a computation result of a1a2 and is expressed as indicated below.






t
4
←a
1
a
2


In step S225, the first fractional multiplication unit 223 performs a ½ multiplication using a2. Specifically, the first fractional multiplication unit 223 computes a2/2. By this, t5 is calculated.


This t5 is a computation result of a2/2 and is expressed as indicated below.






t
5
←a
2/2


In step S226, the operation unit 224 performs an addition and a subtraction using a0, a1, and t5. Specifically, the operation unit 224 computes a0+a1−t5. By this, t6 is calculated.


This t6 is a computation result of a0+a1−t5 and is expressed as indicated below.






t
6
←a
0
+a
1
−t
5
=a
0
+a
1
−a
2/2


In step S227, the second squaring unit 225 performs a squaring using t6. Specifically, the second squaring unit 225 computes t62. By this, t7 is calculated.


This t7 is a computation result of t62 and is expressed as indicated below.











t
7



t
6
2


=



(


a
0

+

a
1

-


a
2

/
2


)

2







=



a
0
2

+


a
0



a
1


-


a
0



a
2

/
2

+


a
0



a
1


+

a
1
2

-


a
1



a
2

/
2

-


a
1



a
2

/
2

+


a
2
2

/
4








=



a
0
2

+

a
1
2

+


a
2
2

/
4

+

2


a
0



a
1


-


a
0



a
2


-


a
1



a
2










In step S228, the second fractional multiplication unit 226 performs a ¼ multiplication using t2. Specifically, the second fractional multiplication unit 226 computes t2/4. By this, t8 is calculated.


This t8 is a computation result of t2/4 and is expressed as indicated below.






t
8
←t
2/4=a22/4


Based on FIG. 13, an inverse element operation process (S230) will be described.


In step S231, the first operation unit 231 performs a subtraction using t1 and t4.


Specifically, the first operation unit 131 multiplies t4 by v to calculate t4v. Then, the first operation unit 131 compute t1−t4v.


By this, b0 is calculated.


This b0 is a computation result of a02−a1a2v and is expressed as indicated below.






b
0
←t
1
−t
4
v=a
0
2
−a
1
a
2
v


In step S232, the second operation unit 232 performs a subtraction using t2 and t3.


Specifically, the second operation unit 132 multiplies t2 by v to calculate t2v. Then, the second operation unit 132 computes t2v−t3.


By this, b1 is calculated.


This b1 is a computation result of t2v−t3 and is expressed as indicated below.






b
1
←t
2
v−t
3
=a
2
2
v−a
0
a
1


In step S233, the third operation unit 233 performs an addition and subtractions using t1, t3, t4, t7, and t8. Specifically, the third operation unit 233 computes t7−t1−t8−2t3+t4. By this, b2 is calculated.


This b2 is a computation result of t7−t1−t8−2t3+t4 and is expressed as indicated below.












b
2



t
7


-

t
1

-

t
8

-

2


t
3


+

t
4


=



a
0
2

+

a
1
2

+


a
2
2

/
4

+

2


a
0



a
1


-


a
0



a
2


-











a
1



a
2


-

a
0
2

-


a
2
2

/
4

-

2


a
0



a
1


+


a
1



a
2









=



a
1
2

-


a
0



a
2










*** Effects of the Second Embodiment ***


By the second embodiment, multiplications on a finite field for calculating an inverse element a−1 can be reduced from three times to twice. That is, an inverse element calculation can be speeded up. As a result, pairing-based cryptography can be made more efficient.


*** Supplement to the Second Embodiment *** Based on FIG. 14, a hardware configuration of the inverse element operation apparatus 200 will be described.


The inverse element operation apparatus 200 includes processing circuitry 209.


The processing circuitry 209 is hardware that realizes the acceptance unit 210, the preliminary operation unit 220, the inverse element operation unit 230, and the output unit 240.


The processing circuitry 209 may be dedicated hardware, or may be the processor 201 that executes programs stored in the memory 202.


When the processing circuitry 209 is dedicated hardware, the processing circuitry 209 is, for example, a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, an ASIC, an FPGA, or a combination of these.


The inverse element operation apparatus 200 may include a plurality of processing circuits as an alternative to the processing circuitry 209.


In the processing circuitry 209, some functions may be realized by dedicated hardware, and the rest of the functions may be realized by software or firmware.


As described above, the functions of the inverse element operation apparatus 200 can be realized by hardware, software, firmware, or a combination of these.


*** Supplement to the Embodiments ***


Each of the embodiments is an example of a preferred embodiment and is not intended to limit the technical scope of the present disclosure. Each of the embodiments may be implemented partially or may be implemented in combination with another embodiment. The procedures described using the flowcharts or the like may be changed as appropriate.


Each “unit” that is an element of the inverse element operation apparatus (100, 200) may be interpreted as “process” or “step”.


REFERENCE SIGNS LIST


100: inverse element operation apparatus, 101: processor, 102: memory, 103: auxiliary storage device, 104: communication device, 105: input/output interface, 109: processing circuitry, 110: acceptance unit, 120: preliminary operation unit, 121: squaring unit, 122: first multiplication unit, 123: addition unit, 124: subtraction unit, 125: second multiplication unit, 130: inverse element operation unit, 131: first operation unit, 132: second operation unit, 133: third operation unit, 140: output unit, 190: storage unit, 200: inverse element operation apparatus, 201: processor, 202: memory, 203: auxiliary storage device, 204: communication device, 205: input/output interface, 209: processing circuitry, 210: acceptance unit, 220: preliminary operation unit, 221: first squaring unit, 222: multiplication unit, 223: first fractional multiplication unit, 224: operation unit, 225: second squaring unit, 226: second fractional multiplication unit, 230: inverse element operation unit, 231: first operation unit, 232: second operation unit, 233: third operation unit, 240: output unit, 290: storage unit.

Claims
  • 1. An inverse element operation apparatus to calculate an inverse element a−1 of an element a, the element a being expressed by a=a0+a1w+a2w2,the inverse element a−1 being expressed by a−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2,the inverse element operation apparatus comprisingprocessing circuitry to:accept the element a;calculate t1 that is a computation result of a02, t2 that is a computation result of a22, t3 that is a computation result of a0a1, t4 that is a computation result of a1a2, and t7 that is equal to a computation result of (a0+a1)(a1−a2), using a0, a1, and a2;calculate b0 that is equal to a computation result of a02−a1a2v, b1 that is equal to a computation result of a22v−a0a1, and b2 that is equal to a computation result of a12−a0a2, using t1, t2, t3, t4, and t7; andgenerate and output the inverse element a−1, using b0, b1, and b2.
  • 2. The inverse element operation apparatus according to claim 1, wherein the processing circuitry performs a squaring using a0 to calculate t1 that is the computation result of a02, performs a squaring using a2 to calculate t2 that is the computation result of a22,performs a multiplication using a0 and a1 to calculate t3 that is the computation result of a0a1, performs a multiplication using a1 and a2 to calculate t4 that is the computation result of a1a2,performs an addition using a0 and a1 to calculate t5 that is a computation result of a0+a1,performs a subtraction using a1 and a2 to calculate t6 that is a computation result of a1−a2, andperforms a multiplication using t5 and t6 to calculate t7 that is equal to the computation result of (a0+a1)(a1−a2).
  • 3. The inverse element operation apparatus according to claim 2, wherein the processing circuitry calculates t7 by computing t5t6.
  • 4. The inverse element operation apparatus according to claim 1, wherein the processing circuitry performs a subtraction using t1 and t4 to calculate b0 that is equal to the computation result of a02−a1a2v,performs a subtraction using t2 and t3 to calculate b1 that is equal to the computation result of a22v−a0a1, andperforms an addition and a subtraction using t3, t4, and t7 to calculate b2 that is equal to the computation result of a12−a0a2.
  • 5. The inverse element operation apparatus according to claim 4, wherein the processing circuitry calculates b0 by computing t1−t4v,calculates b1 by computing t2v−t3, andcalculates b2 by computing t7−t3+t4.
  • 6. A non-transitory computer readable medium storing an inverse element operation program to calculate an inverse element a−1 of an element a, the element a being expressed by a=a0+a1w+a2w2,the inverse element a−1 being expressed by a−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2,the inverse element operation program causing a computer to execute:an acceptance process of accepting the element a;a preliminary operation process of calculating t1 that is a computation result of a02, t2 that is a computation result of a22, t3 that is a computation result of a0a1, t4 that is a computation result of a1a2, and t7 that is equal to a computation result of (a0+a1)(a1−a2), using a0, a1, and a2;an inverse element operation process of calculating b0 that is equal to a computation result of a02−a1a2v, b1 that is equal to a computation result of a22v−a0a1, and b2 that is equal to a computation result of a12−a0a2, using t1, t2, t3, t4, and t7; andan output process of generating and outputting the inverse element a−1, using b0, b1, and b2.
  • 7. An inverse element operation apparatus to calculate an inverse element a−1 of an element a, the element a being expressed by a=a0+a1w+a2w2,the inverse element a−1 being expressed by a−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2,the inverse element operation apparatus comprisingprocessing circuitry to:accept the element a;calculate t1 that is a computation result of a02, t2 that is a computation result of a22, t3 that is a computation result of a0a1, t4 that is a computation result of a1a2, t7 that is equal to a computation result of a02+a12+a22/4+2a0a1−a0a2−a1a2, and Is that is equal to a computation result of a22/4, using a0, a1, and a2;calculate b0 that is equal to a computation result of a02−a1a2v, b1 that is equal to a computation result of a22v−a0a1, and b2 that is equal to a computation result of a12−a0a2, using t1, t2, t3, t4, t7, and t8; andgenerate and output the inverse element a−1, using b0, b1, and b2.
  • 8. The inverse element operation apparatus according to claim 7, wherein the processing circuitry performs a squaring using a0 to calculate t1 that is the computation result of a02, performs a squaring using a2 to calculate t2 that is the computation result of a22,performs a multiplication using a0 and a1 to calculate t3 that is the computation result of a0a1, performs a multiplication using a1 and a2 to calculate t4 that is the computation result of a1a2,performs a ½ multiplication using a2 to calculate t5 that is a computation result of a2/2,performs an addition and a subtraction using a0, a1, and t5 to calculate t6 that is equal to a computation result of a0+a1−a2/2,performs a squaring using t6 to calculate t7 that is equal to the computation result of a02+a12+a22/4+2a0a1−a0a2−a1a2, andperforms a ¼ multiplication using t2 to calculate t8 that is equal to the computation result of a22/4.
  • 9. The inverse element operation apparatus according to claim 8, wherein the processing circuitry calculates t6 by computing a0+a1−t5,calculates t7 by computing t62, andcalculates t8 by computing t2/4.
  • 10. The inverse element operation apparatus according to claim 7, wherein the processing circuitry performs a subtraction using t1 and t4 to calculate b0 that is equal to the computation result of a02−a1a2v,performs a subtraction using t2 and t3 to calculate b1 that is equal to the computation result of a22v−a0a1, andperforms an addition and a subtraction using t1, t3, t4, t7, and t8 to calculate b2 that is equal to the computation result of a12−a0a2.
  • 11. The inverse element operation apparatus according to claim 10, wherein the processing circuitry calculates b0 by computing t1−t4v,calculates b1 by computing t2v−t3, andcalculates b2 by computing t7−t1−t8−2t3−t4.
  • 12. A non-transitory computer readable medium storing an inverse element operation program to calculate an inverse element a−1 of an element a, the element a being expressed by a=a0+a1w+a2w2,the inverse element a−1 being expressed by a−1=(a02−a1a2v)+(a22v−a0a1)w+(a12−a0a2)w2,the inverse element operation program causing a computer to execute:an acceptance process of accepting the element a;a preliminary operation process of calculating t1 that is a computation result of a02, t2 that is a computation result of a22, t3 that is a computation result of a0a1, t4 that is a computation result of a1a2, t7 that is equal to a computation result of a02+a12+a22/4+2a0a1−a0a2−a1a2, and t8 that is equal to a computation result of a22/4, using a0, a1, and a2;an inverse element operation process of calculating b0 that is equal to a computation result of a02−a1a2v, b1 that is equal to a computation result of a22v−a0a1, and b2 that is equal to a computation result of a12−a0a2, using t1, t2, t3, t4, t7, and t8; andan output process of generating and outputting the inverse element a−1, using b0, b1, and b2.
CROSS REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of PCT International Application No. PCT/JP2020/026860, filed on Jul. 9, 2020, which is hereby expressly incorporated by reference into the present application.

Continuations (1)
Number Date Country
Parent PCT/JP2020/026860 Jul 2020 US
Child 17987977 US