The present invention relates to security technology in a computer network, and particularly relates to a method and an apparatus for cryptographic processing in an elliptic curve cryptosystem and a recording medium.
An elliptic curve cryptosystem is a kind of public key cryptosystem proposed by N. Koblitz and V. S. Miller. The public key cryptosystem generally includes information called a public key, which may be made open to the public, and information called a private key, which must be kept secret. The public key is used for encryption or signature verification of a given message, and the private key is used for decryption or signature generation of the given message. The private key in the elliptic curve cryptosystem depends on a scalar value. In addition, the security of the elliptic curve cryptosystem results from difficulty in solving an elliptic curve discrete logarithm problem. Here, the elliptic curve discrete logarithm problem means a problem of obtaining a scalar value d when there are provided a point P which is on an elliptic curve and a point dP which is a scalar multiple of the point P. Herein, any point on the elliptic curve designates a set of numbers satisfying a definition equation of the elliptic curve. An operation using a virtual point called a point at infinity as an identity element, that is, addition on the elliptic curve is defined for all points on the elliptic curve. Then, addition of a point to the point itself on the elliptic curve is particularly called doubling on the elliptic curve. A scalar multiplication designates that an addition is applied to a point a specific number of times. A scalar multiplied point designates the result of the scalar multiplication, and a scalar value designates the number of times.
The difficulty in solving the elliptic curve discrete logarithm problem has been established theoretically while information associated with secret information such as the private key or the like may leak out in cryptographic processing in real mounting. Thus, there has been proposed an attack method of so-called power analysis in which the secret information is decrypted on the basis of the leak information.
An attack method in which change in voltage is measured in cryptographic processing using secret information such as DES (Data Encryption Standard) or the like, so that the process of the cryptographic processing is obtained and the secret information is inferred on the basis of the obtained process is disclosed in P. Kocher, J. Jaffe and B. Jun Differential Power Analysis, Advances in Cryptology: Proceedings of CRYPTO '99, LNCS 1666, Springer-Verlag, (1999) pp. 388-397. This attack method is called DPA (Differential Power Analysis).
An elliptic curve cryptosystem to which the above-mentioned attack method is applied is disclosed in J. Coron, Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems, Cryptographic Hardware and Embedded Systems: Proceedings of CHES '99, LNCS 1717, Springer-Verlag, (1999) pp. 292-302. In the elliptic curve cryptosystem, encryption, decryption, signature generation and signature verification of a given message have to be carried out with elliptic curve operations. Particularly, calculation of scalar multiplication on an elliptic curve is used in cryptographic processing using a scalar value as secret information.
On the other hand, P. L. Montgomery, Speeding the Pollard and Elliptic Curve Methods of Factorization, Math. Comp. 48 (1987) pp. 243-264 discloses that by use of a Montgomery-form elliptic curve BY2=X3+AX2+X (A, BεFp), operations can be executed at a higher speed than by use of an elliptic curve called a Weierstrass-form elliptic curve which is in general use. This results from the fact that calculation time of addition and doubling is shortened by use of a Montgomery-form elliptic curve in the following scalar multiplication calculation method. That is, in the scalar multiplication calculation method, a pair of points (2mP, (2m+1)P) or a pair of points ((2m+1)P, (2m+2)P) is repeatedly calculated from a pair of points (mP, (m+1)P) on an elliptic curve dependently on the value of a specific bit of a scalar value.
In addition, J. Lopez and R. Dahab, Fast Multiplication on Elliptic Curve over GF(2m) without Precomputation, Cryptographic Hardware and Embedded Systems: Proceedings of CHES '99, LNCS 1717, Springer-Verlag, (1999) pp. 316-327 discloses a scalar multiplication calculation method in which a scalar multiplication calculation method in a Montgomery-form elliptic curve is applied also to an elliptic curve defined on a finite field of characteristic 2; an addition method and a doubling method for use in the scalar multiplication calculation method. In the scalar multiplication calculation method, calculation time of addition and doubling is shortened. Accordingly, scalar multiplication calculation can be executed at a higher speed than in a general scalar multiplication calculation method in an elliptic curve defined on a finite field of characteristic 2.
As one of measures against DPA attack on elliptic curve cryptosystems, a method using randomized projective coordinates is disclosed in J. Coron, Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems, Cryptographic Hardware and Embedded Systems: Proceedings of CHES '99, LNCS 1717, Springer-Verlag, (1999) pp. 292-302. This is a measure against an attack method of observing whether a specific value appears or not in scalar multiplication calculation, and inferring a scalar value from the observing result. That is, by multiplication with a random value, the appearance of such a specific value is prevented from being inferred.
In the above-mentioned background-art elliptic curve cryptosystem, attack by power analysis such as DPA or the like was not taken into consideration. Therefore, to relieve the attack by power analysis, extra calculation, or the like, other than necessary calculation had to be carried out in cryptographic processing using secret information so as to weaken the dependence of the process of the cryptographic processing and the secret information on each other. Thus, time required for the cryptographic processing increased so that cryptographic processing efficiency was lowered conspicuously in a computer such as an IC card, or the like, which was slow in calculation speed, a server managing an enormous number of cryptographic processes, or the like. In addition, the dependence of cryptographic processing process and secret information on each other cannot be cut off perfectly. In addition, if priority was given to the cryptographic processing efficiency, the cryptosystem was apt to come under attack by power analysis so that there was a possibility that secret information leaks out.