Abstract: A modular multiplication processing apparatus is provided that can process modular multiplication of data exceeding a bit length which a coprocessor can readily process, by using the coprocessor based upon Montgomery multiplication In the modular multiplication processing apparatus, data to be subjected to modular multiplication is decomposed, and the decomposed data elements are transformed into a form suitable for Montgomery multiplication, respectively. Further, after respective data elements are transformed to have sizes that can be inputted into a coprocessor, Montgomery multiplication is repeatedly performed in the coprocessor. A remainder of Montgomery multiplication of an original bit length is restored from the obtained remainder.

Abstract: A technique for efficient encryption for use with devices such as smartcards restricted in memory resource, including a calculation unit for reconstructing a large number of small primes, a sieving unit for checking the divisibility of an integer by small primes, a recoding unit for changing the representation of an integer, and a primality testing unit. The sieving unit eliminates “bad” candidates by checking their divisibility by small primes reconstructed by the calculation unit. The primality of the remaining candidates is tested using the primality testing unit. The primality testing unit uses the recoding unit to change the representation of prime candidates. The primality testing unit performs a primality test using the representation after change.

Abstract: A system and method for authentication and digital signatures on memory-only supports, comprising a read-once memory unit storing secret arrays, whose contents are destroyed upon reading, a standard memory unit storing encrypted arrays, tree data authenticating the encrypted arrays to one single public key, and a certificate of the public key issued by a certificate authority. The memory support sends its public key and certificate to a verifier, receives a challenge which is signed by elements from secret arrays in the read-once memory. The verifier system checks the authenticity of the data revealed from the read-once memory by encrypting it and comparing the result to one of the encrypted arrays, and verifies that the encrypted array authenticates to the public key using tree data. Finally, the verifier checks the authenticity of the public key using the certificate.

Abstract: A modular multiplication processing apparatus is provided that can process modular multiplication of data exceeding a bit length which a coprocessor can readily process, by using the coprocessor based upon Montgomery multiplication In the modular multiplication processing apparatus, data to be subjected to modular multiplication is decomposed, and the decomposed data elements are transformed into a form suitable for Montgomery multiplication, respectively. Further, after respective data elements are transformed to have sizes that can be inputted into a coprocessor, Montgomery multiplication is repeatedly performed in the coprocessor. A remainder of Montgomery multiplication of an original bit length is restored from the obtained remainder.

Abstract: A modular multiplication processing apparatus is provided that can process modular multiplication of data exceeding a bit length which a coprocessor can process, by using the coprocessor based upon Montgomery multiplication In the modular multiplication processing apparatus, data to be subjected to modular multiplication is decomposed, and the decomposed data elements are transformed into a form suitable for Montgomery multiplication, respectively. Further, after respective data elements are transformed to have sizes that can be inputted into a coprocessor, Montgomery multiplication is repeatedly performed in the coprocessor. A remainder of Montgomery multiplication of an original bit length is restored from the obtained remainder.

Abstract: A privacy-preserving scalar product calculation system is provided. A first unit linearly transforms an n-dimensional vector Va into an n-dimensional vector based on a scalar value based on a random number Wi and a random number Rj to calculate a remainder by dividing each element of the linearly transformed n-dimensional vector by a random number Mi, and transmits an n-dimensional converted vector X including each of the remainders as its element to the second unit, the second unit calculates an inner product value Z based on the received n-dimensional converted vector X and an n-dimensional vector Vb, and transmits the inner product value Z to the first unit, and the first unit further calculates, based on a reciprocal of the scalar value and the receive inner product value, a scalar value and which calculates a remainder by dividing the scalar value by the random number Mi.

Abstract: A technique which contributes to materialization of efficient encryption even with devices such as smartcards restricted in memory resource is provided. The system for generating cryptographic keys includes: a calculation unit for reconstructing a large number of small primes, a sieving unit for checking the divisibility of an integer by small primes, a recoding unit for changing the representation of an integer, a primality testing unit. First, the sieving unit eliminates “bad” candidates by checking their divisibility by small primes reconstructed by the calculation unit. After that, the primality of the remaining candidates is tested using the primality testing unit. The primality testing unit uses the recoding unit to change the representation of prime candidates. The primality testing unit performs a primality test using the representation after change. Thus, the number of operations for the primality test can be decreased without further memory requirements.

Abstract: A system and method for authentication and digital signatures on memory-only supports, comprising a read-once memory unit storing secret arrays, whose contents are destroyed upon reading, a standard memory unit storing encrypted arrays, tree data authenticating the encrypted arrays to one single public key, and a certificate of the public key issued by a certificate authority. The memory support sends its public key and certificate to a verifier, receives a challenge which is signed by elements from secret arrays in the read-once memory. The verifier system checks the authenticity of the data revealed from the read-once memory by encrypting it and comparing the result to one of the encrypted arrays, and verifies that the encrypted array authenticates to the public key using tree data. Finally, the verifier checks the authenticity of the public key using the certificate.

Abstract: A decryption method of decrypting a plaintext m from a secret exponent d, a public key n, and a ciphertext c includes steps of converting the ciphertext c into a randomized ciphertext t, a step of converting the randomized ciphertext t into a randomized plaintext u, and steps of converting the randomized plaintext u into the plaintext m.

Abstract: A contents control method for controlling a process on the receiving side which is applied to contents transmitted from the transmitting side to the receiving side, includes a step of adding, when a predetermined block of the transmitted contents is an area where control information for controlling the process substance on the receiving side which is applied to the contents is added, the control information to the block. The method also includes a step of receiving a process designation concerning the transmitted contents, and a step of applying, when user information stored in a receiving side apparatus which receives the transmitted contents, or information concerning the receiving side apparatus satisfies conditions corresponding to the received process designation in the control information added to the block of the contents, a process corresponding to the process designation to the received block.

Abstract: Using the same secret key for different secret operations in the frame of public key cryptosystems raises security problems because attackers can gain statistical information about the secret key. Indeed, when randomization techniques are used, the same secret key is randomized differently for every new operation, and since information leakage sums up, eventually, the attacker is able to recover the secret key. A system and method for using the same secret key of a public key cryptosystem several times comprising a recoding method which can generate several distinct representations for the secret key, where one representation is chosen as recoded secret according to a selection data. In addition, the pair consisting of the secret key and selection data is uniquely defined, resulting in the same recoded secret for every new encryption operation. As a consequence, information leakage does not sum up and the secret key can be securely re-used.

Abstract: A signature system in which size of data to be transmitted is small and data can be processed efficiently in a Merkle signature system having high security. A processing part 112 of a smartcard 110 divides a message to be signed into groups of specific numbers of bits, starting from the first bit of the message. Then, respective partial one-time signatures of the groups are generated by encrypting each group by a one-way function processing part 112c. The partial one-time signatures are sequentially outputted to a verification apparatus through a interface part 113.

Abstract: In scalar multiplication method in which a point on an elliptic curve is randomized, but yet scalar multiplication can be calculated by the computational cost as much as that without randomization, an operation is carried out upon a point randomized and a point not randomized in a scalar multiplication method to calculate a scalar-multiplied point from a scalar value and a point on an elliptic curve. The result of the operation is randomized while the computational cost becomes as much as that without randomization.

Abstract: A message authentication technology capable of securing against side channel attack is provided. In a message authentication code generating device for calculating a message authentication code for a message from the message, a process in which disturbance information is generated from a temporary use numerical value, a process in which a conversion message is calculated from the message; and a process in which the message authentication code is calculated from the disturbance information and the conversion message are performed. In the process of calculating the message authentication code, process information is disturbed or concealed by the disturbance information. Therefore, the message authentication which is secure against side channel attack can be realized.

Abstract: A modular multiplication processing apparatus is provided that can process modular multiplication of data exceeding a bit length which a coprocessor can process, by using the coprocessor based upon Montgomery multiplication. In the apparatus, data to be subjected to modular multiplication is decomposed, and the decomposed data elements are respectively transformed into a form suitable for Montgomery multiplication. After respective data elements are transformed to have sizes that can be inputted into a coprocessor, Montgomery multiplication is repeatedly performed in the coprocessor. A remainder of Montgomery multiplication of an original bit length is restored from the obtained remainder.

Abstract: A cryptographic processing method in which dependence of cryptographic processing process and secret information on each other is cut off; and in which, when a scalar multiplied point is calculated from a scalar value and a point on an elliptic curve in an elliptic curve cryptosystem, a value of a bit of the scalar value is judged; and in which operations on the elliptic curve are executed a predetermined times and in a predetermined order without depending on the judged value of the bit.

Abstract: A decryption method of decrypting a plaintext m from a secret exponent d, a public key n, and a ciphertext c includes steps of converting the ciphertext c into a randomized ciphertext t, a step of converting the randomized ciphertext t into a randomized plaintext u, and steps of converting the randomized plaintext u into the plaintext m. The steps of converting into the ciphertext t include a step of generating a random number r and steps of converting into the ciphertext t by using the random number r and an integer s derived from the random number r. The step of converting into the randomized plaintext u includes a step of computing the plaintext u by using a value derived from the secret exponent d. The steps of converting into the plaintext m include a step of multiplying the plaintext u by the integer s.

Abstract: It is an object of the present invention to provide a method and an apparatus for generating a safe normal form elliptic curve transformable to a Montgomery type elliptic curve as well as to provide an elliptic curve cryptosystem and a storage medium therefor. To achieve the above object, conditions concerning a curve order are extracted from criteria for transformability of a normal form elliptic curve to a Montgomery type elliptic curve and are given in a curve parameter generator incorporating a transformability judgement unit. Furthermore, to generate a curve having a cofactor of 4, the condition whether a curve order is divisible by 8 is given.

Abstract: There is provided a method for recovering the complete coordinate of the scalar-multiplied point from partial information of the scalar-multiplied point given in a fast scalar multiplication method. Thereby, during calculation of the scalar-multiplied point in an elliptic curve defined on a finite field with characteristic of 5 or more, first the fast scalar multiplication method is used to give the partial information of the scalar-multiplied point, and the complete coordinate of the scalar-multiplied point is recovered from the result and outputted, so that the complete coordinate can be given at a high speed.

Abstract: In the computation of a multi-scalar multiplication kP+lQ that becomes necessary when performing the signature verification by the elliptic curve digital signature algorithm (ECDSA), there is provided a simultaneous method that implements a signed computation method as well as a speeding-up of the precomputation. Concretely, in a multi-scalar multiplication computation method for computing a multi-scalar multiplied point from a plurality of scalar values and a plurality of points positioned on an elliptic curve, when computing a predetermined number of points on the elliptic curve in the precomputation, there occur plural inversions. At this time, these plurality of inversions are computed by once inversion and plural multiplications. Moreover, the scalar values are represented as signed sequences, i.e., sequences of 0, 1, and −1. Finally, using these sequences, the multi-scalar multiplication is computed by a simultaneous method.