CA2437401C - Jacobian group element adder - Google Patents

Jacobian group element adder Download PDF

Info

Publication number
CA2437401C
CA2437401C CA002437401A CA2437401A CA2437401C CA 2437401 C CA2437401 C CA 2437401C CA 002437401 A CA002437401 A CA 002437401A CA 2437401 A CA2437401 A CA 2437401A CA 2437401 C CA2437401 C CA 2437401C
Authority
CA
Canada
Prior art keywords
ideal
vector
monomial
field
alpha
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CA002437401A
Other languages
French (fr)
Other versions
CA2437401A1 (en
Inventor
Seigo Arita
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp filed Critical NEC Corp
Publication of CA2437401A1 publication Critical patent/CA2437401A1/en
Application granted granted Critical
Publication of CA2437401C publication Critical patent/CA2437401C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic
    • G06F7/725Finite field arithmetic over elliptic curves
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/724Finite field arithmetic

Abstract

A Jacobian group element adder that can calculate addition in a Jacobian group of a Cab curve at a high speed, and can enhance practicality of the Cab curve is provided.
An algebraic curve parameter file A 10, and Groebner bases I1 and I2 of ideals of a coordinate ring of an algebraic curve designated by this file A are input into an ideal composition section 11 to perform arithmetic of producing a Groebner basis J of an ideal product of the ideal generated by I1 and ideal generated by I2. In a first ideal reduction section 12, arithmetic is performed of producing a Groebner basis J* of an ideal that is smallest in a monomial order designated by the file A
among ideals equivalent to an inverse ideal of an ideal that J in the coordinate ring of the algebraic curve designated by the file A generates. In a second ideal reduction section 13, arithmetic is performed of producing a Groebner basis J** of an ideal that is smallest in the monomial order designated by the file A among ideals equivalent to an inverse ideal of an ideal that this J*
generates to output it.

Description

CA 02437401 2007-04-24 }

JACOHIAN GROUP BLEMENT ADDER
FIELD OF THE INVENTION

The present invention relates to a Jacobian group element adder, and more particularly technology for discrete logarithmic cryptography employing a Jacobian group of an algebraic curve (hereinafter, referred to as algebraic curve cryptography) that is a kind of the discrete logarithmic cryptography, which is cryptography technology as information security technology.

BACKGRODND OF THE INVENTION

It is an elliptic curve cryptography that has come in practice most exceedingly among the algebraic curve cryptography. However, an elliptic curve for use in the elliptic curve cryptography is a very special one as compared with a general algebraic curve. There is the apprehension that an aggressive method of exploiting its specialty would be discovered in the near future. For this, so as to secure safety more reliably, a general algebraic curve of which specialty is lower is desirably employed.

Cab curve cryptography is known as an algebraic curve cryptography capable of employing a more general algebraic curve as mentioned above.

The Cab curve cryptography, however, is less employed in the industrial field as compared with the elliptic curve cryptography. Its main reason is that the conventional additive algorithm in the Jacobian group of the conventional Cab curve is tens of times slower than additive algorithm in the Jacobian group of the elliptic curve, and as a result, process efficiency of encryption/decryption in the Cab curve cryptography is remarkably inferior as compared with the elliptic curve cryptography, which was shown in " Jacobian Group Additive algorithm of Cab Curve and its Application to Discrete Logarithmic Cryptography" by Seigo Arita, Japanese-version collection of The Institute of Electronics, Information and Communication Engineers, Vol. J82-A, No.8, pp.1291-1299, 1999.

Also, another additive algorithm in the Jacobian group of the Cab curve was proposed in " A Fast Jacobian Group Arithmetic Scheme for Algebraic Curve Cryptography" by Ryuichi Harasawa, and Joe Suzuki, Vol. E84-A No.1, pp.130-139, 2001 as well; however, even though an asymptotic calculation quantity of algorithm was given, no execution speed data in a packaging experiment was shown, and, also, no report on the packaging experimerit by a third party was provided, and the extent to which the execution speed can practically be achieved is uncertain.

As seen from the foregoing, non-efficiency of the additive algorithm in the Jacobian group of the Cab curve prevents the cryptography of the above curve from coming in practice, which gives rise to the necessity of executing addition in the Jacobian group of the Cab curve at a high speed.
SUMIARY OF THE INVENTION

The present invention has been accomplished in consideration of such problems.

It is an object of the present invention to provide a Jacobian group element adder that enables the additive algorithm in the Jacobian group of the Ca,, curve to be executed at a high speed.
The Jacobian group element adder in accordance with the present invention, which is an arithmetic unit for executing addition in a Jacobian group of an algebraic curve defined by a polynomial defined over a finite field that is Y3+ a oX9+ a 1XY2+ a 2XZY+ a 3X3+ a 4Y2+ a 5XY+ a 6X2+ a 7Y+ a 8X+ a 9 or YZ+ a oX5+ a 1X2Y+ a zX 4+ a 3XY+ a 4X3+ a 5Y+ a 6X2+ a 7X+ a 8 or YZ+ a oX7+ a 1X3Y+ a 2X6+ a 3XzY+ a 4X5+ a 5XY+ a 6X9+ a 7Y+ a 8X3+ a 9XZ+ a loX+all, is characterized in comprising:

means for inputting an algebraic curve parameter file having an order of a field of definition, a monomial order, and a coefficient list described as a parameter representing said algebraic curve;
means for inputting Groebner bases Il and 12 of ideals of the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, which represent elements of said Jacobian group;

ideal composition means for, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of a producing Groebner basis J of the ideal which is a product of the ideal that the Groebner basis I1 generates, and the ideal that the Groebner basis 12 generates;

first ideal reduction means for, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of producing a Groebner basis J* of the ideal, which is smallest in the monomial order designated by said algebraic curve parameter file among the ideals equivalent to an inverse ideal of the ideal that the Groebner basis J generates;
and second ideal reduction means for, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of producing a Groebner basis J** of the ideal, which is smallest in the monomial order designated by said algebraic curve parameter file among the ideals equivalent to an inverse ideal of the ideal that the Groebner basis J* generates to output it.

It is another object of the present invention to provide a record medium having a program recorded for causing an information processing unit configuring an arithmetic unit for executing addition in a Jacobian group of an algebraic curve defined by a polynomial defined over a finite field that is Y3+aQX4+a1XY2 +a2 X2Y+a3X3 +a4Y2+a5XY+a6X2 +a7Y+OC8X+a9 or Y2 +aQX5+011X2Y+a2X4+a3XY+a4 X3+a5Y+a6X2+a7X+a8 or Y2+aOX7 +a1X3Y+a2X6+a3X2Y+a4X5+a5XY+a6X4+a7Y+a8X3+a9X2+a10X+a11 to perform a process of inputting an algebraic curve parameter file having an order of a field of definition, a monomial order, and a coefficient list described as a parameter representing the algebraic curve; a process of inputting Groebner bases Iland I2of ideals of the coordinate ring of the algebraic curve designated by the algebraic curve parameter file, the Groebner bases representing an element of the Jacobian group; an ideal composition process of, in the coordinate ring of the algebraic curve designated by the algebraic curve parameter file, performing arithmetic of producing a Groebner basis J of an ideal which is a product of the ideal that the Groebner basis Ilgenerates, and an ideal - 5a -that the Groebner basis Izgenerates; a first ideal reduction process of, in the coordinate ring of the algebraic curve designated by the algebraic curve parameter file, performing arithmetic of producing a Groebner basis J* of the ideal, which is smallest in the monomial order designated by the algebraic curve parameter file among the ideals equivalent to an inverse ideal of the ideal that the Groebner basis J generates;

and a second ideal reduction process of, in the coordinate ring of the algebraic curve designated by the algebraic curve parameter file, performing arithmetic of producing a Groebner basis J** of the ideal, which is smallest in the monomial order designated by the algebraic curve parameter file among the ideals equivalent to an inverse ideal of the ideal that the Groebner basis J* generates, to output it, the record medium being readable by the information processing unit.

- 5b -[Cab curve and its Jacobian group]

The Cab curve C to be treated in the present invention is a nonsingular plane curve to be defined by a polynomial F(X,Y) having the following formula for two natural numbers a and b that are relatively prime.
F( X, Y)=Ya+c Xb+ y ci, j X1Yi Here, indexes i and j in the above equation, which are natural numbers equal to or more than zero, vary in a range of ai+bj<ab. Also, suppose that c and ci,j are elements of a defining field k, and that c is not zero.
The Cab curve C has a unique point at infinity P. , and the polynomials Y and X have a unique b-order pole and a-order pole at P. respectively. Set a group subtended by divisors of degree 0 on the Cab curve C to D, (k), and set a group composed of principal divisors to P,(k).

A Jacobian group J,(k) of which the additive algorithm is required to be found in the present invention is defined as J, (k)=D, (k) /P,:: (k) On the other hand, let R=k[X,Y]/F be the coordinate ring of the Cab curve C, it follows that the ring R becomes an integrally-closed integral domain, which is a Dedekind domain, because the Cab curve C is nonsingular by definition. Thus, all of the fractional ideals of the ring R that is not zero compose a group IR(k). Set a subgroup by subtended by the principal ideal of the ring R
to PR(k), then an ideals class group HR(k) of the ring R
is defined as HR(k)=IR(k) /PR(k) As a rule, it is known that, for the nonsingular algebraic curve, the divisor on the curve can be identified with the ideal of the coordinate ring, and that its Jacobian group and the ideal class group are of intrinsic isomorphism. In particular, a Jacobian group Jc(k) of the Cab curve C and the ideal class group HR(k) of the coordinate ring R are of intrinsic isomorphism. The ideal is more convenient than the divisor for packaging algorithm, whereby, hereinafter, the Jacobian group JC(k) of the Cab curve C is treated as the ideal class group HR(k) of the coordinate ring R.

[Preparation relating to a Groebner basis]

Since the Groebner basis of the ideal is employed in calculation of which an object is the ideal class group HR(k), a preparation relating hereto is made in this chapter. As a rule, for a polynomial ring S=k [X1r ..., Xn] , an order '<' among its monomials, if it is compatible with a product, that is, M1<Ni2 always yields M1M3, is called a monomial order. In this chapter, from now on, suppose an arbitrary monomial order '<' is given to a polynomial ring S.

For a polynomial f in S, call the largest monomial in the monomial order '<' that appears in f a leading monomial of f, which is denoted by LM(f). Also, for an ideal I, LM(I) denotes an ideal that is generated by leading monomials of the polynomial belonging to I
generates by LM(I).

For an ideal I=(fl,...,fs) of S that is generated by a polynomials when {fl,..., fs} meets IM(I)=(LM(fl),...,LM(fs) ), {fl,...,fs} is called a Groebner basis of the ideal I. For the ideal I of the polynomial ring S, the entirety 0(I) of the monomial (or its multi degree) 0(I) that does not belong to LM(I) is called a delta set of I. When (multi degrees of) monomials in L (I) are plotted, a convex set appears, and a lattice point encircling its convex set corresponds to the leading monomial of an element of the Groebner basis of I. Also, 0(I) subtends the basis of a vector space S/I over k.

The ideal I of an the coordinate ring R=S/F of a nonsingular affine algebraic curve C can be identified with the ideal of the polynomial ring S-:.hat includes a defining ideal F of the curve C. Thus, for the ideal of the coordinate ring R as well, as mentioned above, Groebner basis can be considered. For a zero-dimensional ideal I (that is, a set of zeros of I is a finite set) of _ g -the coordinate ring R=S/F, call a dimension of a vector space S/I over k an order of the ideal I, which is denoted by S(I). Immediately from definition, it can be seen that S(I) is equivalent to the order of the set 0(I). Also, by assumption of being nonsingular, it follows that c~(IJ) (I) cS ( J) . When I= ( f) is a principal ideal of R, then 6 ( I)=-vP_ ( f), where vP- (f) represents a valuation of the polynomial f at P~.

[Additive algorithm on Jacobian group of Cab curve, part 1]
Now think about the coordinate ring R=k[X,Y]/F of the Cab curve C defined by the polynomial F(X,Y). Regard the monomial of two variables X'"Y"as a function on the curve C, and call the monomial order obtained by ordering the monomials based on the size of a pole order-vP.(X' Y') at P_ a Cab order. Here, in the case that the pole orders at P_ thereof are the same, the monomial with the larger is supposed to be larger. Hereinafter, the Cab order is employed as the monomial order of the coordinate ring R of the Cob curve C. For the ideal I of the coordinate ring R, let fi be the non-zero polynomial with the smallest leading monomial among the polynomials in I. Furthermore, let I*= (fr) : I (= {gE=_R I g ' IC (fz) } ) =

Now, it can be easily shown that, when I and J are arbitrary (integral) ideals of the coordinate ring R, then (1) 1 and I** are linearly equivalent, (2) I**, which is an (integral) ideal equivalent to I, has the smallest order among ideals equivalent to I, and (3) if I and J are equivalent, then I*=J*, in particular, I**=(I**)**. For an ideal I of the coordinate ring R, when I**=(I), we call I

a reduced ideal. From the above-mentioned equations (1) and (3), an arbitrary ideal is equivalent to the unique reduced ideal. That is, the reduced ideals compose a representative system of the ideal classes. This property is not limited to the Cab order, and holds also in the event of having employed an arbitrary monomial order;
however, in the event of having employed the Cab order, from the above-mentioned equation (2), the reduced ideal has the property of becoming an ideal of which the order is the smallest among the equivalent ideals. This is advantageous in packaging the algorithm. Using reduced ideal as a representative system of the ideal classes, we obtain additive algorithm on Jacobian of Cab curve, mentioned below.

[Additive algorithm on Jacobian group 11 Inputs: reduced ideals I. and 12 of the coordinate ring R

Output: a reduced ideal 13 equivalent to an ideal product I1 = 12 1. J_Ii ' 12 2 . J*<--( fJ) : J

3. I3- (fJ*) J*

[Classification of ideals]

So as to realize the above-mentionedadditive algorithm on Jacobian group 1 as a program that is efficient, and yet is easy to package, the ideals that appear during execution of the additive algorithm 1 are classified. Hereinafter, for simplification, explanation is made with a C34 curve (that is, the Cab curve with a=3, and b=4) taken as an object; however, for the general Cab curve as well, the matter is similar. A genus of the C34 curve is 3, whereby the order of the ideal that appears during execution of the additive algorithm 1 is equal to or less than 6. The Groebner bases in their C34 orders are classified as follows order by order. However, from now on, even though a defining equation F of the C34 curve C
appears in the Groebner basis of the ideal, F is omitted, and is not expressed. Also, coefficients ai, bj, and ck of each polynomial constructing the Groebner basis are all elements of k.

(Ideal of order 6) Suppose I is an ideal of order 6 of the coordinate ring R. By definition of the order, V=R/I is a six-dimensional vector space over the defining field k. When six points that the ideal I represents are at a "generalized" position, six monomials from the beginning in the C34 order 1, X, Y, X2 , XY, and Y2 are linearly independent at these six points. That is, the monomials 1, X, Y, X2, XY, and Y2 compose a basis of the vector space V.
At this time, we call such an ideal I an ideal of a type 61.

As a rule, a delta set L (I) of the ideal I can be identified with the basis of the vector space V, whereby the delta set of the ideal I of a type 61 becomes A ( I )= {(0.0). (1:0). (0,1)r (2.0)r (1.1). (0,2)}
The lattice points encircling these are (0,3),(1,2),(2,1),(3,0)} . Thus, the Groebner basis of the ideal I of a type 61 takes the following form.

The Groebner basis of the ideal of a type 61=
{X3+a6Y2+a5XY+a4 X2+a3Y+a2X+a1r X2Y+b6Y2+b5XY+b4X2+b3Y+b2X+b1, XY2+C6Y2+C5XY+C4X2+C3Y+C2X+C1 }

These three polynomials correspond to the lattice points (3,0), (2,1), and (1,2) respectively (The lattice point (0,3) corresponds to the defining equation F). As a rule, six monomials 1, X, Y, X2, XY, and Y 2 are not always linearly independent at the six points that the ideal I
represents, i.e. in the vector space V.

So, next, we study the case in which five monomials from the beginning in the C34 order 1, X, Y, X2, and XY are linearly independent in V, and the sixth monomial Y2 is represented by a linear combination of them. By assumption, 0(I) is a convex set of order 6 that includes { (0, 0) , (1, 0) , (0, 1) , (2, 0) , (1, 1) } , and does not include (2,0). Thus, it becomes either of A (I)=

{(0,0), (1,0), (0,1), (2,0), (1,1), (2,1)} , or z, (I)= {(0,0), (1,0), (0,1), (2,0), (1,1), (3,0)} . When (I) is the former, call I an ideal of a type 62, and in the event that it is the latter, call I an ideal of type 63.

The lattice point set encircling 0(I) is {(0,2),(3,0)} when I is of type 62, and is (0,2),(2,1),(4,0)} when I is of type 63. Thus, the Groebner basis becomes the following. The Groebner basis of the ideal of a type 62=

{Y2 +a5XY+a4X2 +a3Y+a2X+a1r X3+b5XY+b4X2+b3Y+b2X+bi}

These two polynomials correspond to the lattice points (0,2), and (3,0) respectively.

The Groebner basis of the ideal of a type 63=
{ y2+a5XY+a4X2+a3Y+a2X+a1, X2 Y+b6X3+b5XY+b4X2+b3Y+b2X+b1 }

These two polynomials correspond to the lattice points (0,2), and (2,1) respectively.

Although the polynomial, which corresponds to the lattice point (4,0), originally exists in the Groebner basis of the ideal of a type 63; it was omitted since from the defining equation F, and an equation f=Y2+a5XY+a4X2+a3Y+a2X+a1 that corresponds to the lattice point (0,2), it can be immediately calculated as F-Yf.

Next, suppose four monomials from the beginning 1, X, Y, and X2 are linearly independent in V, and that the fifth monomial XY is represented by a linear combination thereof. That is, z~ (I) includes { ( 0 , 0 ) , ( 1 , 0 ) , ( 0 , 1 ) ,(2, 0) }, and does not include (1,1).Here, assume A (I) does not includes (0,2), then there is no other choice but L (I)=(0,0), (1,0), (0,1), (2,0), (3,0), (4,0)} so that A (I) has order 6. As it is, by assumption, I includes a polynomial f=Y2+... of which the leading term is Yz. As a result, (4,0) does not belong to 0( I) because Yf-F=X4+.., belongs to I. That is contradictory. From the foregoing, it can be seen that A (I) is sure to include (0,2), then A(I)= {(0,0), (1,0), (0,1), (2,0), (0,2), (3,0)} . At this time, call I an ideal of a type 64.

The lattice point set encircling the delta set L~(I) of the ideal I of a type 64 is {(0,3),(l,1),(4,0)} . Thus the Groebner basis of the ideal I of a type 64 becomes the following.

The Groebner basis of the ideal of a type 64=
{XY+a4Xz+a3Y+aZX+a1, X4+b6 X3+b5Y2+b4X2+b3Y+b2X+bl}

These two equations correspond to the lattice points (l,l), and (4,0) respectively (The lattice point (0,3) corresponds to the defining equation F).

Next, suppose three monomials from the beginning 1, X, and Y in the C34 order are linearly independent in V=R/I, and that the fourth monomial X2 is represented by a linear combination thereof. At this time, since a polynomial f of which the leading term is X2 is included in the ideal I, the delta set becomes L (I) = 1 (0.0), (1,0), (0,1). (1.1). (0, 2) 0 (1.2)}

and the lattice point set encircling these becomes {(0,3),(2,0)} , whereby I becomes a monomial ideal to be generated in f. At this time, call I an ideal of a type 65.

The Groebner basis of the ideal of a type 65=
{X2+a3Y+a2X+a, }

The above equation corresponds to the lattice point (2,0) (The lattice point (0,3) corresponds to the defining equation F) There is no possibility that, from deg((f)o)=-vp-(f)=4<6, the polynomial f of which the leading term is (a term equal to or lower than) Y disappears simultaneously at six points that correspond to the ideal I of order 6.
Thus, three monomials 1, X, and Y from the beginning are always linearly independent in V=R/I, and above, the classification of the ideal of order 6 was completed.
(Ideal of order 5) Suppose I is an ideal of order 5 of coordinate ring R.
The ideal of order 5 is also classified into a type 51 to a type 54 similarly to the ideal of order 6, as mentioned below.

The Groebner basis of the ideal of a type 51=
{y2+a5XY+a4X2 +a3Y+a2X+a1r X3+b5XY+b4X2 +b3Y+b2X+b1t X2Y+C5XY+C4X2+C3Y+CZX+Cl}

The Groebner basis of the ideal of a type 52=
{XY+a4X2+a3Y+a2X+a1r Y2+b4X2+b3Y+b2X+by}

The Groebner basis of the ideal of a type 53=
{XY+a4X2+a3Y+a2X+a1, X3+b5Y2+b4X2+b3Y+b2X+bA}

Th.e Groebner basis of the ideal of a type 54=
{X2+a3Y+azX+a1r XY2+b5Y2+b4XY+b3Y+b2X+b1 }

(Ideal of order 4) The ideal I of order 4 is also classified into a type 41 to a type 44 similarly, as mentioned below.

The Groebner basis of the ideal of a type 41=

{XY+a4X2+a3Y+a2X+al, Y2+b4X2+b3Y+b2X+bl, X3 +c4X2 +c3Y+c2X+c1}
The Groebner basis of the ideal of a type 42=
{X2+a3Y+a2X+a1r XY+b3Y+b2X+b1}

The Groebner basis of the ideal of a type 43=
{Xz+a3Y+a2X+al, Y2 +b4XY+b3Y+b2X+b1 }

The Groebner basis of the ideal of a type 44=
{Y+azX+al}

(Ideal of order 3) The ideal I of order 3 is also classified into a type 31 to a type 33 similarly, as mentioned below.

The Groebner basis of the ideal of a type 31=

{X2+a3Y+azX+a1r XY+b3Y+b2X+bl, Y2+c3Y+c2X+c1}

The Groebner basis of the ideal of a type 32=
{ y+a2X+a1r X3+b3X' +bZX+bl }

The Groebner basis of the ideal of a type 33= {X+al}
(Ideal of order 2) The ideal I of order 2 is also classified into a type 21 and a type 22 similarly, as mentioned below.

The Groebner basis of the ideal of a type 21=
{ Y+aZX+al , X2+b2X+b1 }

The Groebner basis of the ideal of a type 22=
{X+al, Y2+b2Y+b1}

(Ideal of order 1) Needless to say, the ideal of order 1 is only of type 11, as mentioned below.

The Groebner basis of the ideal of a type 11=
{X+ai, Y+by}

[Remark]
Ideals of a type 65, 44, and 33 among the ideals mentioned above, which are a principal ideal, represent a unit element as a Jacobian group element. Also, the reduced ideal types among the ideal types mentioned above are only 31, 21, 22, and 11. For example, the reason why the ideal of a type 32 is not a reduced one is understood in a manner mentioned below.

Suppose I is an ideal of a type 32, then f2=Y+aZX+a1r thus 6 (I*) =-v-(fI) - cS (I) =4--3=1, thus, fI*=X+a', and b (I**) =-v.(fI*) -6(I*) =3-1=2 because I* is of type 11. The order thereof is different, whereby I#I**.

[additive algorithm on Jacobian group of the C34 curve, part 2]

Set the coordinate ring of the C34 curve C defined over a field k having the defining equation F to R=k[X,Y]/F. Now let the additive algorithm 1 take concrete shape more clearly for estimating its execution speed.

However, hereinafter, the order of the field k is supposed to be sufficiently large in consideration of an application to the discrete logarithmic cryptography.
(Composition operation 1) At first, study a first step of the additive algorithm 1 for different ideals I1 and 12, which is hereinafter referred to as a composition operation 1. That is, fJis to be found for an ideal product J=I;.=I2. To this end, the Groebner basis of the ideal product J should be found (since fj is its first element). The genus of the C34 curve is 3, whereby the order of the ideal Il or 12 is equal to or less than 3. Thus, its type is anyone of 11, 21, 22, 31, and 32. The case is mentioned here in which both of the ideals I1 and 12 are of type 31; however the other case is also similar.

We can Suppose I1 and 12 are selected at random from the Jacobian group, Then we have at almost every case, V(I1) nV(I2)=0 (1) Because the order of the field k is supposed to be sufficiently large. Here for the ideal I, a set of zero of I is denoted by V(I) ((~ represents an empty set). Also in the event that the condition (1) is not met, upon generating element R], and R2 that yields R1+R2=0, and calculating ( I-L+Rl )+( I2+R2 ) instead of ( I1+I2 ), then it boils down to the case in which the condition (1) holds.

Also, the case is very rare (a probability of 1/q or something like it when the size of the defining field k is taken as q) in which the condition (1) is not met, whereby only the case in which the condition (1) is met should be considered in evaluating efficiency of the algorithm.

Thereupon, hereinafter, assume that Il and 12 meet the condition (1).

Suppose J=I1 12 is a product of Il and 12 in R. Il and 12 are both ideals of order 3, whereby the order of J becomes 6. Thus, the type of J is anyone of 61, 62, 63, 64, and 65.

So as to decide which the type of J is, a linear relation should be found in a residue ring R/J among ten monomials 1, X, Y, X2, XY, Y2, X3, X2Y, XY2, and X4 (2) An ideal Ii(i=1,2) is of type 31, whereby [EQ. 1]
R/I, =k=1 k=Xmk=Y
m ~ v~m~

- 1.9 -From the condition (1), it follows that [EQ. 2]

RIJ = R/11 O+ R112 = 0+61 k m~(mmod(11), mmod(,2)) '--> V(n;) : v;,,2) where v(1)m:v(2) m is a six-dimensional vector over k to be obtained by connecting two vectors v`i)m(i=1,2). Thus, so as to find a linear relation in R/J among ten monomials mi in the equation (2), an intra-row linear relation of the following 10x6 matrix Mc should be found with vectors v(l)mi:v(2 mi(i=1,2,...,10) taken as a row.

[EQ. 3]

V(1) : V(2) V(1) : V(2) x x V(1) : V(2) Y Y
V (Xa V (X2) V(1) V(2) M - XY XY
C VY12 VY2) V(1) V(2) V(1) V(2) V(1) - V(2) X^ X^

As well known, the intra-row linear relation of the matrix MC is obtained by triangulating a matrix MC with row-reducing transformation, and this allows a type of the ideal J and its Groebner basis to be obtained. The details will be described in embodiments.

(Remark) In the event that the condition (1) does not hold for the ideals I1 and 12, the rank of the matrix M, becomes equal to or less than 5. In calculating the ideal product of I1 and 12, at first, assume that they meet the condition (1) for calculation, and as a result of the row-reducing transformation, if it becomes clear that the rank of the matrix Mc is equal to or less than 5, then the elements R1 and R2 that yields R1+R2=0 should be generated to calculate ( Il+Ri )+( I2+R2 ) instead of I1+I2 .

(Composition operation 2) Now study a first step of the additive algorithm 1 for the same ideals I1 =I, and I2=I of the coordinate ring R=k[X,Y]/F, which is hereinafter referred to as a composition operation 2. That is, for an ideal product J=I2, its Groebner basis is to be found for calculation of fJ. The case is mentioned in which the ideal I is of type 31; however the other case is also similar. The order of the field k is supposed to be sufficiently large, whereby no multiple point exists in V(I) in almost every case.

(3) Also, in evaluating efficiency of the algorithm, only the case should be considered in which the condition (3) is met. Hereinafter, assume that I meets the condition (3).
J=Iz is still an ideal of order 6, whereby, so as to calculate its Groebner basis, a linear relation should be found in the residue ring R/J among the monomials of the equation (1). The ideal I is of type 31, whereby [EQ. 4]
R/I=k=1 k=X k=Y
m i-> vm Also, from the condition (3), the necessary and sufficient condition for causing the polynomial f(C-R) to belong to J=I2 is fEI,fXFY-fYFXE I

(Here, for the polynomial f, fX denotes a differential of f with regard to X. As to fY as well, the matter is similar.) Thus, [EQ. 5]
R/J - R/I R/I = 0+61 k m ~--> (m mod(I), mXFY - mYFx mod(I)) F--> Vm ~ v(m F-m F
x õ ~ x) Where, vm:v(mx FY-mY FX) is a six-dimensional vector over k to be obtained by connecting two vectors vm and v(MX FY-mY Fx) .
After all, so as to find the above-mentioned linear relation, for ten monomials mi in the equation (1), a intra-row linear relation should be found of the following 10x6 matrix MD mentioned below with a six-dimensional vector vmi:v(mix FY-m.iy FX) over k taken as a row.
[EQ. 6]

Vi :0 VX V(Fv) VY V(-Fu) V Xz ' V(2FX) VXY ' V(-FXX+FYY) MC VY2 V(-2FY) VXa V(3FvXZ) VX2Y V(_FXX2 +2FYXY) VXYZ V(-2F,,XY+FyY2) VX' ' V(4FYX3) From now on, upon triangulating the matrix MD with the row-reducing transformation, the type of the ideal J and its Groebner basis can be obtained similarly to the composition operation 1.
(Remark) In the event that the condition (3) does not hold for the ideal I, the rank of the matrix MD becomes equal to or less than S. In calculating the Groebner basis of 12 , at first, assume that it meets the condition (3) for calculation, and as a result of the row-reducing transformation, if it becomes clear that the rank of the matrix MD is equal to or less than 5, then elements R1 and R2 that yields Rl+R2=0 should be generated to calculate ( I+R1) +( I+R2 ) ins tead of I+I.
(Reduction operation) Now study a second step (and a third step) of the additive algorithm 1, which is hereinafter referred to as a reduction operation. That is, for the ideal J of which the order is equal to or less than 6, the Groebner basis of J*=fJ:J is to be found. The case is mentioned below in which J is of type 61; however the other case is also similar.

J is of type 61, whereby its Groebner basis can be expressed by { f,1=X3+a6Y2+.,., g=X2Y+b6Y2+..., h=XYz+C6Y2+...}

By definition, J*=fJ:J, whereby 6 (J*) =-v. (fJ)-8 (J)=3.

Thus, it can be seen that J* becomes an ideal of a type 31 because J* is a reduced ideal. Thus so as to find its Groebner basis, for the monomial mi in 1, X, Y, XZ, XY, and Y2 (4) a linear relation E idim; should be found in which E idimig and Eidimih become zero simultaneously in R/fJ

From LM ( F) =Y3, LM ( f J) =X3, then [EQ. 7]
R/fjR=k=1 k=X+Ok=Ymk X20k=XYOk Y2ok X2YOk=XY20k X2Y2 f wi whereby, so as to find the above-mentioned linear relation, for each of six monomials mi in the equation (4), an intra-row linear relation should be found of the following 6x18 matrix MR with a 18-dimensional vector w(mi g) : w(mi h) over k to be obtained by connecting two vectors w(mi g) and w(mi h) taken as a row.

[EQ. 8]

Wg:Wh WXg=WXh MR WYg=WYh =
WXZg WX2h W XYg WXYh Wy2g Wy2h From now on, upon triangulating the matrix MR with the row-reducing transformation, the Groebner basis of the ideal J* can be obtained. However, as matter of fact, in almost every case, it is enough to triangulate not the matrix MR itself but a certain submatrix Mrof its 6x3.
This will be described in details in the next chapter.
(Arithmetic quantity of algorithm) An arithmetic quantity of the algorithm will be evaluated. Set the order of the defining field to q, then a random element of the Jacobian group is represented by the ideal of a type 31 apart from an exception of a probability of 1/q. Also, the result of the composition operations 1 and 2 for the ideal of a type 31 demonstrates that it becomes an ideal of a type 61 apart from an exception of a probability of 1/q. Thus, so as to evaluate the arithmetic quantity of the algorithm, the arithmetic quantity of the composition operations 1 and 2 at the time of having input the ideal of a type 31, and the arithmetic quantity of the reduction operation at the time of having input the ideal of a type 61 or a type 31 should be evaluated. Also, the arithmetic quantity of the algorithm is represented below with -che number of the times of multiplication and reciprocal arithmetic.

At first, the arithmetic quantity of the composition operation 1 is examined. Suppose that I, and 12 are ideals of type 31: then I1= {X2+a3Y+a2X+ai., XY+b3Y+b2X+b1r Y2+c3Y+c2X+cl }
I2= {X2+S3Y+s2X+s1r XY+t3Y+t2X+t1, Y2+u3Y+u2X+u1}

For the ideals I1 and 12, the matrix M, is expressed by [EQ. 9]

-al -a2 -a3 -Si -S2 -S3 -b1 -b2 -b3 -ti -t2 -t3 Mc =
-Ci -C2 -C3 -Ul --U2 -U3 8182 + 83b, -8, + SZ + a3b2 a2a3 + a3b3 SIS2 + Sgt~ -S, + Sz + S3t2 SZS3 +
S3t3 82b, + a3C1 a2b2 + 23C2 -a, + aZb3 +a3C3 8zti + S3U1 s2t2 + S3U2 -Si + S2t3 +

b1b2 +b3c, b2 +b3CZ -b5 + b2b3 +b3c3 Y2 +t3U1 tZ +t3U2 -tl +t2t3 +t3U3 elo,l eMz e10,a eio,4 el 0,5 et0,s wh.ere, elo, 1=a12-a1a22-2a2a3bi-a32c1 elo,2 =2ala2-a23-2a2a3b2-a32c2 e10,3 =2a1a3-a22a3-2a2a3b3-a32c3 e10,4 =s12-s1S22-2s2S3t -S32u1 e10, .5 =2 S1S2-S23-2 S2S3t2-S32u2 elp, y =2S1S3-S22S3-2S2S3t3-S32U3 From this, it can be seen that upon eliminating multiplicity successfully, the matrix M, can be constructed with at most 44-times multiplication.

Upon paying attention to the fact that the row-reduction transformation for the matrix M,' takes a formula having the first row to the third row thereof already row-reduction, and that its component is 0 or 1, it can be executed with three-times division and at most 6x6+6x5+6x4=90-times multiplication. From the foregoing, the arithmetic quantity of the composition operation 1 is at most three-times reciprocal arithmetic, and 134-times multiplication. Similarly, it can be seen that the arithmetic quantity of the composition operation 2 is at most three-times reciprocal. arithmetic, and 214-times multiplication. The arithmetic quantity is increased by the extent to which the matrix MD is more complex than M.

Next, the arithmetic quantity of the reduction operation at the time of having input the ideal of a type 61 is examined. Suppose J is an ideal of type 61: then J= {X3+a6Y2+a5XY+a4X2 +a3Y+a2X+a1i X2Y+b6Y2+b5XY+b4X2+b3Y+b2X+b1, XY2+c6Y2+cyXY+c4X2+c3Y+c2X+c1}
A 6x3 minor Mr obtained by taking a seventh column to a ninth column of the matrix MR for the ideal J becomes [EQ. 10]

-a4 - a5a6 + b5 -a5 - as + b6 0 b4 + a5b6 b5 + a 6 b 6 1 mr e41 e4 2 -a5 - a6 + b6 e51 e5 2 -a4 - 2a5a6 - aE -- b5 + c6b6 e6,1 e6,2 e6,3 where e4, 1=-a2+a42-a3a6+3a4a,5a6+a52a62 +b3-a3b4-a4b5-a5a6b5 e4, 2=-a3+a4a5+a52a6+2a4a62+a5a63-agb4-a5b5-a62b5 e5, 7_=-2a3a5+2aqa52-a2a6+a42aE+a53ay-a3a62+3a4a5a62'+'a52aE3+b2-a4b4-a5a6b4+a3b6-2a4a5bd-ay2a6b6 es, 2=-a2+a53-2a3a6+2a4a5ay+2a5za62+2a4a63+asa64+b3-a5b4-ag2b4-a52b6-a4ayb6-a5a6 2 by e6, 1=-2 a3a4-2 a2a5+3 a42a5- 4 a3a5a6+6a4ag2a6-a2a62+a4za6z+2a53a62-a3a6 3+3a4a5a63+a52a64+a5b3+a3b5-2a4a5b5-a52a6b5+a2b6-a42b6+a3a6b6-3a4a5a6b6-a52a62b6 e6,2=-2a3a5+2a4a52 -2a2a6+a42a6+2a5 3a6-3a3a62+5a4a5a62+3a52a63 +2 a 4 a 64+a5a 65+b2+a eb3 -a5'bg - a 4 a hb5- a 5a 62b5+a3b 6-a4 a5b6-a52 a yb 6-2a4a62b6-"a5a63b6 e6, 3=-a52-2a4ae-3a5a62-a64+b4+a6b5+a5b6+ah2b6 This leads to the result that, if a (2,2) component d=-as-a62+b6 of the matrix M,- is not zero, the rank of the matrix Mr becomes 3. Thus, when d*0, instead of the 6x18 matrix MR, the 6x3 matrix Mr should be employed that is its minor. It is acceptable to let d=t-0 in evaluating efficiency of the algorithm because the probability of d=0 is considered to be 1/q or somethina like it. From the above equation, it can be seen that upon eliminating multiplicity successfully, the matrix Mr can be constructed with at most 40-times multiplication. Upon paying attention to the fact that the matrix Mr is already a triangle matrix, and that (1,1) and (3,3) components thereof are 1, it can be seen that the row-reduction transformation for the matrix Mr' can be executed with at most one-time reciprocal arithmetic and 2x4+2x3=14-times multiplication. From the foregoing, the arithmetic quantity of the reduction operatiori at the time of inputting the ideal of a type 61 is at most one-time reciprocal arithmetic and 54-times multiplication. Also at the time of inputting the ideal of a type 31, from the similar consideration, it can be seen that the reduction operation requires most one-time reciprocal arithmetic and 16-times multiplication.

Upon summarizing the foregoing, it follows that the arithmetic quantity of the additive algorithm on Jacobian group of the present invention is one as shown in Fig. 16.

In Fig. 16, I and M represent the reciprocal arithmetic and the multiplication respectively. On the elliptic curve, the addition (of different elements) can. be executed with one-time reciprocal arithmetic and three-times multiplication, and the arithmetic of two-times multiple can be executed with one-time reciprocal arithmetic and four-times multiplication. However, so as to obtain a group of the same bit length, the bit length of the finite field requires three times as large arithmetic quantity as the case of the C34 curve does. Suppose that the arithmetic quantity of the reciprocal arithmetic is twenty times as large as that of the multiplication, and that the arithmetic quantity of the reciprocal arithmetic and the multiplication is on the order of a square of the bit length, then it can be seen that the addition on the C34 curve can be executed with 304/(23x9)-1.47 times as large arithmetic quantities as that on the elliptic cure can be done, and the arithmetic of two-times multiple 384/(24x9) =1.78 times.

BRIEF DESCRIPTION OF THE DRAWING

This and other objects, features and advantages of the present invention will become more apparent upon a reading of the following detaii.ed description and drawings, in which:

Fig. 1 is a block diagram illustrating an embodiment of the present invention;

Fig. 2 is a functional block diagram of an ideal composition section;

Fig. 3 is a functional block diagram of an ideal reduction section;

Fig. 4 is one specific example of an algebraic curve parameter file A for the C34 curve;

Fig. 5 is one specific example of an ideal type table for the C34 curve;

Fig. 6 is one specific example of a monomial list table for the C34 curve;

Fig. 7 is one specific example of a table for a Groebner basis construction for the C34 curve;

Fig. 8 is one specific example of the algebraic curve parameter file for the C27 curve;

Fig. 9 is one specific example of the ideal type table for the C27 curve;

Fig. 10 is one specific example of the monomial list table for the C2, curve;

Fig. 11 is one specific example of the table for a Groebner basis construction for the C27 curve;

Fig. 12 is one specific example of che algebraic curve parameter file for the C25 curve;

Fig. 13 is one specific example of the ideal type table for the C25 curve;

Fig. 14 is one specific example of the monomial list table for the C25 curve;

Fig. 15 is one specific example of the table for a Groebner basis construction table for the C25 curve; and Fig. 16 is a table illustrating the arithmetic quantity of the additive algorithm on Jacobian group in accordance with the present invention.

DESCRIPTION OF THE INVENTION

Embodiments of the present invention will be explained below in details by employing the accompanied drawings.
Fig. 1 is a functional block diagram of the embodiment of the present invention, and the Fig. 2 is a block diagram illustrating an example of the ideal composition section of Fig. 1. Fig. 3 is a block diagram illustrating an example of a first and a second ideal reduction section of Fig. 1.

At first, the embodiment of the case in which the C34 curve was employed is shown. In this embodiment, the algebraic curve parameter file of Fig. 4 is employed as an algebraic curve parameter file, the ideal type table of Fig. 5 as an ideal type table, the monomial list table of Fig. 6 as an monomial list table, and the table for a Groebner basis construction of Fig. 7 as a table for a Groebner basis construction respectively.

In a Jacobian group element adder of Fig. 1, suppose the Groebner bases I1= {X2+726Y+836X+355,XY+36Y+428X+477,Y2 +764Y+425X+865}
and 12= {X2+838Y+784X+97,XY+602Y+450X+291,Y2+506Y+524X+497}

were input of the ideal of the coordinate ring of the algebraic curve designated by an algebraic curve parameter file A, which represents an element of the Jacobian group of the C39 curve designated by an algebraic curve parameter file A 16 and an algebraic curve parameter file A of Fig. 4.

At first, an ideal composition section 11, which takes the above-mentioned algebraic curve parameter file A, and the above-mentioned Groebner bases I1 and 12 as an input, operates as follows according to a flow of a process of the functional block shown in Fig. 2. At first, the ideal composition section 11 makes a reference to an ideal type table 25 of Fig. 5 in an ideal type classification section 21 of Fig. 2, retrieves a record in which the ideal type described in an ideal type field accords with the type of the input ideal I1 for obtaining a_fourteenth record, and acquires a value N1=31 of an ideal type number field and a value d1=3 of an order field of the fourteenth record.

Similarly, the ideal composition section 11 retrieves a record in which the ideal type accords with the type of the input ideal 12 for obtaining the fourteenth record, and acquires a value N2=31 of the ideal type number field and a value d2=3 of the order field of the fourteenth record.

Next, the ideal composition section 11 calculates the sum d3=dl+d2=6 of said values d1=3 and d2=3 of said order field in a monomial vector generation section 22, makes a reference to a monomial list table 26, retrieves a record of which the value of the order field is said d3=6 for obtaining a first record, and acquires a list 1, X, Y, X2, XY, Y2, X3, X2Y, XY2, and X4 of the monomial described in the monomial list field of the first record.

I1 and 12 are different, whereby a remainder to be attained by dividing Mi by Tlfor each of Mi (1<=i<=10) in said list 1, X, Y, X2, XY, Y2, X3, X2Y, XY2, and X4 of said monomial is calculated to obtained a polynomial a(1) +a (1) 2X+a (1) 3Y, to arrange its coefficients in order of the monomial order 1, X, Y, ... of the algebraic curve parameter file A. and to generate a vector (a(l)l,a(1) 2ia(i) 3) Furthermore, a remainder to be attained by dividing Mi by 12 is calculated to obtain a polynomial b"',+b'1'2X+b")3Y, to arrange its coefficients in order of the monomial order 1, X, Y, ... of the algebraic curve parameter file A, to generate a vector (b ")l, b'1'2, b('-)3), and to connect the above-mentioned two vectors for generating a vector vi=
ti> (i) (i) ~~) ria (i) (a 1ia 2ra 3rb lib 2rb 3) That is, divide M1=1 by I1: then 1=0 = (X2+726Y+836X+355)+0 = (XY+36Y+428X+477)+0 =
(Y2+746Y+425X+865)+1 whereby, 1 is obtained as a remainder to generate a vector (1, 0, 0). Divide M1=1 by 12: then 1=0 = (X2+838Y+784X+97)+0 = (XY+602Y+450X+291)+0 =
(Y2+506Y+524X+497)+1 whereby, 1 is obtained as a remainder to generate a vector (1,0,0). These two vectors are connected to generate a vector v,= (1, 0, 0, 1, 0, 0) .

Next, divide M2=X by I1: then X=0 (X2+726Y+836X+355) +0 = (XY+36Y+428X+477 ) +0 =
(Y2+746Y+425X+865) +X

whereby, X is obtained as a remainder to generate a vector (0, 1, 0). Divide M2=X by 12: then 1=0 = (X2+838Y+784X+97)+0 (XY+602Y+450X+291) +0 =
(Y2+506Y+524X+497)+X

whereby, X is obtained as a remainder to generate a vector (0,1,0). These two vectors are connected to generate a vector v2= (0, 1, 0, 0, 1, 0) .

Next, divide M3=Y by I1: then Y=0 = (X2+726Y+836X+355) +0 = (XY+36Y+428X+477) +0 =
(Y2+746Y+425X+865)+Y

whereby, Y is obtained as a remainder to generate a vector (0, 0, 1) . Divide M3=Y by 12: then Y=0 = (X2+838Y+784X+97 ) +0 = (XY+602Y+450X+291) +0 =
(Y2+506Y+524X+497)+Y

whereby, Y is obtained as a remainder to generate a vector (0,0,1). These two vectors are connected to generate a vector v3=(0,0,1,0,0,1) .

Next, divide M4=X2 by I,: then X2=1 (X2 +726Y+836X+355 ) +0 = (XY+36Y+428X+477 ) +0 (y2+746Y+425X+865)+654+173X+283Y
whereby, 654+173X+283Y is obtained as a remainder to generate a vector (654,173,283). Divide M4=X2 by 12: then X2=1 = (X2+838Y+784X+97 ) +0 (XY+602Y+450X+291) +0 (y2+506Y+524X+497)+912+225X+171Y, whereby, 912+225X+171Y is obtained as a remainder to generate a vector (912,225,171). These two vectors are connected to generate a vector v4= ( 654, 173, 283, 912, 225, 171) .

Next, divide M5=XY by Il: then XY=O = (X2+726Y+836X+355) +1 = (XY+36Y+428X+477) +0 =
(Y2+746Y+425X+865)+532+581X+973Y

whereby, 532+581X+973Y is obtained as a remainder to generate a vector (532,581,973). Divide M5=XY by 12: then XY=O = (X2+838Y+784X+97)+1 = (XY+602Y+450X+291)+0 (Y2+506Y+524X+497)+718+559X+407Y, whereby, 718+559X+407Y is obtained as a remainder to generate a vector (718,559,407). These two vectors are connected to generate a vector v5= (532, 581, 973, 718, 559, 407 ).
Next, divide M6=Y2 by Il: then Y 2=0 (X2+726Y+836X+355) +0 = (XY+36Y+428X+477 ) +1 =

(Y2+746Y+425X+865)+144+584X+263Y, whereby, 144+584X+263Y is obtained as a remainder to generate a vector (144,584,263). Divide M6=Y2 by 12: then YZ=O = (X2+838Y+784X+97 ) +0 = (XY+602Y+450X+291) +1 (Y2+506Y+524X+497)+512+485X+503Y, whereby, 512+485X+503Y is obtained as a remainder to generate a vector (512,485,503). These two vectors are connected to generate a vector v6= (144, 584, 263, 512, 485, 503) .

Next, divide M7 =X3 by I:1: then X3=(173+X) = (X2+726Y+836X+355)+283 = (XY+36Y+428X+477)+0 (Y2 +746Y+425X+865)+349+269X+429Y, whereby, 349+269X+429Y is obtained as a remainder to generate a vector (349, 269, 429) . Divide M-~=X3 by 12: then X3= (255+X) = (X2+838Y+784X+97 ) +~.71 (XY+602Y+450X+291) +0 =

(y2+506Y+524X+497)+53+821X+109Y, whereby, 53+821X+109Y is obtained as a remainder to generate a vector. (53,821,109). These two vectors are connected to generate a vector v7=(349,269,429,53,821,109).

Next, divide M8=X2 Y by I1: then X2Y=Y = (X2+726Y+836X+355) +173 = (XY+36Y+428X+477 ) +283 (Y2+746Y+425X+865) +609+418X+243Y, whereby, 609+418X+243Y is obtained as a remainder to generate a vector (609,418,243). Divide M8=X2Y by 12: then X2Y=Y = (X2+838Y+784X+97)+225 = (XY+602Y+450X+291)+171 =

(Y2+506Y+524X+497)+888+856X+916Y, whereby, 888+856X+916Y is obtained as a remainder to generate a vector (888,856,916). These two vectors are connected to generate a vector v8=(609,418,243,888,856,916).
Next, divide M9=XY2 by I1: then XY2=0 (X2+726Y+836X+355) + (581+Y) = (XY+36Y+428X+477 ) +973 =
(Y2+746Y+425X+865)+199+720X+418Y, whereby, 199+720X+418Y is obtained as a remainder to generate a vector (199, 720, 418) Divide M9=XY2 by 12: then XY2=0 = (X2+838Y+784X+97) + (559+Y) = (XY+602Y+450X+291) +407 =
(Y2+506Y+524X+497)+310+331X+91Y, whereby, 310+331X+91Y is obtained as a remainder to generate a vector (310,331,91). These two vectors are connected to generate a vector vg=(199,720,418,310,331,91).
Next, divide M10=X4 by Il: then X4=(313+173X+X2+283Y) (X2+726Y+836X+355)+45 (XY+36Y+428X+477)+378=(Y2+746Y+425X+865)+554+498X+143Y
whereby, 554+498X+143Y is obtained as a remainder to generate a vector (554, 498, 143) . Divide M10=X4 by 12: then X4=(78+225X+X2+171Y) = (X2+838Y+784X+97)+266 =
(XY+602Y+450X+291)+989=(Y2+506Y+524X+497)+643+522X+107Y, whereby, 643+522X+107Y is obtained as a remainder to generate a vector (643,522,107). These two vectors are connected to generate a vector vlo=(554,498,143,643,522,107). Above, the process of the ideal composition section 11 in the monomial vector generation section 22 is finished.

Next, in a basis construction section 23, the ideal composition section 11 inputs ten six-dimensional vectors Vl' V2i V3r VG, v5, Vy, v7, vg, vg, and Vlo generated in the monomial vector generation section 22 into a linear-relation derivation section 24, and obtains a plurality of 10-dimensional vectors ml, m.2, ... as an output. The linear-relation derivation section 24 derives a linear relation of the vectors, which were input, employing a discharging method. The discharging method is a well-known art, whereby, as to an operation of the linear-relation derivation section 24, only its outline is shown below.

The linear-relation derivation section 24 firstly arranges the ten six-dimensional vectors vl, vz, v3, v4v v5e v6, v7, v8, v9, and vio, which were input, in order for constructing a 10x6 matrix [EQ. 11]

M~ - 532 581 973 718 559 407 Next, the linear-relation derivation section 24 connects a 10-dimensional unity matrix to a matrix MC to obtain [EQ. 12]

M~ = 144 584 263 512 485 503 0 0 0 0 0 1 0 0 0 0 Next, the linear-relation derivation section 24 triangulates a matrix M ' c by adding a constant multiple of an i-th row to an ( i+l )-th ( i=1, 2, ...6) row to a tenth row to obtain the following matrix m [EQ. 13]

m=

As well known, the vector that is composed of a seventh component and afterward of the seventh row to the tenth row of the matrix m is a vector { (IC11,1rm1,2....,ml,n) , (m2,1,m2,2i-..,m2,n) ,...} representing a linearly-independent linear dependence relation Ei10mjiv2=0(j=1,2,...) of all of the ten six-dimensional vectors vl, v2i v3r V4r V5, V6r v7, v8, vg, and vlo that were input. The linear-relation derivation section 24 outputs a vector m1= (28,132,31,271,469,166,1,0,0,0) that is composed of the seventh component and afterward of the seventh row of the matrix m, a vector m2=(856,618,747,909,132,636,0,1,0,0) that is composed of the seventh component and afterward of the eighth row of the matrix m, and a vector m3=(652,322,240,978,826,846,0,0,1,0) that is composed of the seventh component and afterward of the ninth row of the matrix m, and a vector m4=(333,346,980,935,824,614,0,0,0,1) that is composed of the seventh component and afterward of the tenth row of the matrix m. Now return to the explanation of the process of the ideal composition section 11 in the basis construction section 23.

Next, the ideal composition section 11 makes a reference to a table 27 for a Groebner basis construction of Fig. 7, and retrieves a record, of which the value of the order field is said value d3=6, and in which a vector of which the components that correspond to all component numbers described in the component riumber list field are all zero does not lie in said plurality of said vectors m1= (28, 132, 31, 271, 469, 166, 1, 0, 0, 0) , m2 = (856, 618, 747, 909, 132, 636, 0, 1, 0, 0) , m3= (652, 322, 240, 978, 826, 846, 0, 0, 1, 0) , and m4=(333,346,980,935,824,614,0,0,0,1). The value of the order field of a first record is 6, and a vector, of which the component number lists 7, 8, 9, and 10 of the first record are all zero, does not lie in the vectors ml, m2r m3, and m4r whereby the first record is obtained as a retrieval result Furthermore, the value of a first vector type of the first record is (*,*,*,*,*,*,1,0,0,0)(A code * is interpreted as representing any number), which coincides with the vector m1=(28,132,31,271,469,166,1,0,0,0), whereby the vector ml is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y 2, X3, X2Y, XYz, and X4 of the algebraic curve parameter file A to generate a polynomial f,=28+132X+31Y+271X2+469XY+166Y2+X3 Similarly, the value of a second vector type of the first record is code * is interpreted as representing any number), which coincides with the vector m2= (856, 618, 747, 909, 132, 636, 0, 1, 0, 0) , whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y 2, X3, XZY, XY2, and X4 of the algebraic curve parameter file A to generate a polynomial f2=856+618X+747Y+909X2+132XY+636Y2+X2Y.

Similarly, the value of a third vector type of the first record is code * is interpreted as representing any number), which coincides with the vector m3=(652,322,240,978,826,846,0,0,1,0), whereby the vector m3 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y2, X3, XZY, XYZ, and X4 of the algebraic curve parameter file A to generate a polynomial f3=652+322X+240Y+978X2+826XY+846Y2+XY2. Finally, the ideal composition section 11 constructs a set J= {fl,f2,f3} of the polynomial to output it. Above, the operation of the ideal composition section 11 is finished.

Next, the first ideal reduction section 12, which takes as an input the algebraic curve parameter file A of Fig. 4, and the Groebner basis J= {28+132X+31Y+271X2+4 69XY+166Y2+X3, 856+618X+747Y+909X2+132XY+636Y2+X2Y, 652+322X+240Y+978X2+826XY+846Y2+XY2 }

that the ideal composition section 11 output, operates as follows according to a flow of the process of the functional block shown in Fig. 3.

At first, the ideal reduction section 12 makes a reference to an ideal type table 35 of Fig. 5 in an ideal type classification section 31 of Fig. 3, retrieves a record in which the ideal type described in the ideal type field accords with the type of the input ideal J for obtaining a first record, and acquires a value N=61 of the ideal type number field and a value d=3 of the reduction order field of the first record. Next, the ideal reduction section 12 confirms that said value d=3 is not zero, makes a reference to a monomial list table 36 in a polynomial vector generation section 32, retrieves a record of which the value of the order field is said d=3 for obtaining a fourth record, and acquires a list 1, X, Y, X2, XY, Y2, and X3 of the monomial described in the monomial list field of the fourth record.

Furthermore, the ideal reduction section 12 acquires a first element f=28+132X+31Y+271X2 +469XY+166Y2+X3, a second element g=856+618X+747Y+909X2+132XY+636Y2+X2Y, and a third element h=652+322X+240Y+978X2+826XY+846Y2+XY2 of J in the polynomial vector generation section 32, regards a coefficient list 0, 7, 0, 0, 0, 0, 0, 0, 0, 1, and. 1 of the algebraic curve parameter file A as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, YZ, X3, XZY, XY2, X4, and Y3 of the algebraic curve parameter file A, and generates a defining polynomial F=Y3+X'+7X.

Next, for each Mi(1<=i<=7) in said list 1, X, Y, X2, XY, Yz, and X3 of said monomial, the ideal reduction section 12 calculates a remainder equation ri of a product Mi=g of Mi and the polynomial g by the polynomials f and F in the polynomial vector generation section 32, arranges its coefficients in order of the monomial order 1, X, Y, of the algebraic curve parameter fi_le A, and generates a vector w(l),. Furthermore, the ideal reduction section 12 calculates a remainder equation si of a product Mi=h of M;.

and the polynomial h by the polynomials f and F, arranges its coefficient in order of the monomial order 1, X, Y, of the algebraic curve parameter file A, and generates a vector w(1) zr and connects the above-mentioned two vectors w(1)1 and w(1) 2 for generating a vector vi.

That is, at first, for a first monomial M1=1, divide 1 g=856+618X+747Y+909Xz+132XY+636Y2+XzY by f=28+132X+31Y+271X2 +469XY+166Y2+X3 and F=Y3+X4+7X: then g=0 = f+0 = F+856+618X+747Y+909X2+132XY+636Y2+X2Y, whereby a remainder 856+618X+747Y+909X2+132XY+636Y2+X2Y is obtained to generate a vector w(1)1= (856, 618, 747, 909, 132, 636, 1, 0, 0) .

Also, divide 1=h =652+322X+240Y+978X2+826XY+846Y2+XY2 by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then h=0 = f+0 F+652+322X+240Y+978X2+826XY+846Y2+XY2, whereby a remainder 652+322X+240Y+978X2+826XY+846Y2+XY2 is obtained to generate a vector w(1) 2=(652,322,240,978,826,846,0,1,0).

And, the vectors w(1)1 and w(l'2 are connected to obtain a vector v1= (856, 618, 747, 909, 132, 636, 1, 0, 0, 652, 322, 240, 978, 826, 846, 0,1,0).

Next, for a second monomial M2=X, divide Xg=X ( 856+618X+747Y+909XZ+132XY+636Y2+X2Y) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then Xg=(319+166Y+Y)f+843F+149+667X+220X2+173Y+235XY+709X2Y
+492Y2+863XY2, whereby a remainder 149+667X+220X2+173Y+235XY+709X2Y+492Y2+863XY2 is obtained to generate a vector w(2) 1= (149, 667, 173, 220, 235, 492, 709, 863, 0) .

Also, divide Xh=X(652+322X+240Y+978X2+826XY+846Y2+XY2) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and. F=Y3+X4+7X:

Xh=978f+0=F+868+708X+651X2+961Y+653XY+826X2Y+
101Y2+846XY2+X2Y2, whereby a remainder 868+708X+651X2+961Y+653XY+826X2Y+101Y2+846XY2+X2Y2 is obtained to generate a vector w(2) 2= (868, 708, 961, 651, 653, 101, 826, 846, i) . And, the vectors w(2) 1 and w(2) 2 are connected to obtain a vector v2=(149,667,173,220,235,492 709,863,0,868,708,961,651,653, 101, 826, 846, 1) .

Next, for a third monomial M3=Y, divide Yg=Y(856+618X+747Y+909X2+132XY+636Y2+X2Y) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X:

Yg=(826+373X)f+636F+79+179X+357X2+475Y+216XY+529X2Y+855Y2 +772XY2+X2Y2, whereby a remainder 79+179X+357X2 +475Y+216XY+529X2Y+855Y2+772XY2+X2Y2 is obtained to generate a vector w(3)1= (79, 179, 475, 357, 216, 855, 529, 772, 1) o Also, divide Yh=Y(652+322X+240Y+978X2+826XY+846Y2+XY2) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then Yh=(327+595X+1008X2+469Y)f+(685+X)F+934+966X+358X2+590Y
+694XY+473X2 Y+31Y2+939XY2+166X2Y2 whereby a remainder 934+966X+358X2+590Y+694XY+473X2Y+31Y2+939XY2+166X2Y2 is obtained to generate a vector w(3) 2= (934, 966, 590, 358, 694, 31, 473, 939, 166) . And, the vectors w(3) 1 and w(3) 2 are connected to obtain a vector v3= (79, 179, 475, 357, 216, 855, 529, 772, 1, 934, 966, 590, 358, 694, 3 1, 473, 939, 166) .

Next, for a fourth monomial M4=X2, divide X2g=
X2(856+618X+747Y+909X2+132XY+636Y2+X2Y) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then X2g=(645+969X+166X2+709Y+XY)f+(359+843X)F+102+241X+394X2 513Y+647XY+683X2Y+103Y2+1004XY2+863X2Y2, whereby a remainder 102+241X+394X2+513Y+647XY+683X2Y+103Y2+1004XY2+863X2Y2 is obtained to generate a vector w(4)1= (102, 241, 513, 394, 647, 103, 683, 1004, 863) .
Also, divide X2h=X2(652+322X+240Y+978X2+826XY+846Y2+XY2) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then X2 h= (725+16X+782X2+754Y+166XY+Y2) f+ (930+227X+843Y) F+889 +260X+560X2+809Y+425XY+552XZY+535Y2+671XY2+763X2Y2, whereby a remainder 889+260X+560X2+809Y+425XY+552X2Y+535Y2+671XY2+763X2Y2 is obtained to generate a vector w(4) 2=(889,260,809,560,425,535,552,671,763). And, the vectors w(4) 1 and w(4) 2 are connected to obtain a vector v4=(102,241,513,394,647,103,683,1004,863,889,260,809,560, 425,535,552,671,763).

Next, for a fifth monomial M5=XY, divide XYg=XY(856+618X+747Y+909X2+132XY+636Y2+X2Y) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then XYg=(95+3X+146X2+457Y+166XY+Y2)f+(791+863X+843Y)F+367+X
+54X2+403Y+361XY+276X2Y+305Y2+600XY2+689X2Y2, whereby a remainder 367+X+54X2+403Y+361XY+276XZY+305Y2+600XY2+689X2Y2 is obtained to generate a vector w(5)1= (367, 1, 403, 54, 361, 305, 276, 600, 689) .
Also, divide XYh=XY(652+322X+240Y+978X2+826XY+846Y2+XY2) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then XYh= (804+648X+246X2+1008X3+629Y+782XY+166Y2) f+ (421+25X+X2 +696Y)F+695+924X+289X2+851Y+210XY+321X2 Y+802Y2+522XY2+278X2 Y2, whereby a remainder 695+924X+289X2+851Y+210XY+321X2Y+802Y2 +522XY2+278X2Y2 is obtained to generate a vector w'5) 2=(695,924,851,289,210,802,321,522,278). And, the vectors w(5) 1 and w(5) 2 are connected to obtain a vector v5= (367, 1, 403, 54, 361, 305, 276, 600, 689, 695, 924, 851, 289, 210, 802,321,522,278).

Next, for a sixth monomial M6=Y2 , divide YZg=Y2(856+618X+747Y+909X2+132XY+636Yz+XZY) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then Y2g= ( 687+214X+320X2+1008X3+77Y+14 6XY+166Y2 ) f+ (981+960X+X2 +323Y)F+944+384X+956X2+763Y+737XY+925X2Y+859Y2+416XY2 +814XZY2, whereby a remainder 944+384X+956X2+7 63Y+737XY+925XZY+859Y2+416XY2+814X2Y2 is obtained to generate a vector w(6)1= ( 944, 384, 763, 956, 737, 859, 925, 416, 814) .
Also, divide Y2h=Y2 (652+322X+240Y+978X2+826XY+846Y2+XY2) by f=28+132X+31Y+271X2 +469XY+166Y2+X3 and F=Y3+X4+7X: then Y2h= (260+17X+731X2+843X3+382Y+246XY+1008X2Y+782Y2) f (369+868X+166X2+186Y+XY)F+792+963X+643X2+415Y+539XY+887X2Y+
438Y2 +102XY2+363X2Y2 whereby a remainder 792+963X+643X2+415Y+539XY+887X2Y+43812+102XY2+363X2Y2 is obtained to generate a vector w(6) 2= (792, 963, 415, 643, 539, 438, 887, 102, 363) . And, the vectors w(6) 1 and w(6) 2 are connected to obtain a vector v6=(944,384,763,956,737,859,925,416,814,792,963,415,643, 539,438,887,102,363).

Finally, for a seventh monomial M7=X3, divide X3g=X3(856+618X+747Y+909X2+132XY+636Y2+X2Y) by f=28+132X+31Y+271X2+469XY+166Y2+X3 and F=Y3+X4+7X: then X3g= ( 323+583X+814X2+166X3+96Y+68 9XY+X2Y+8 63Y2 ) f+ (698+514X
+843X2+20Y)F+37+730X+831X2+416Y+136XY+55X2Y+971Y2+398XY2 +5X2Y2, whereby a remainder 37+730X+831X2+416Y+136XY+55X2Y+971Y2 +398XY2+5X2Y2 is obtained to generate a vector w(7)1= (37, 730, 416, 831, 136, 971, 55, 398, 5) .
Also, divide X3h=X3 (652+322X+240Y+978X2+826XY+846Y2+XY2) by f=28+132X+31Y+271X2 +469XY+166Y2+X3 and F=Y3+X4+7X: then X3h=(449+750X+363X2+782X3+102Y+278XY+166X2Y+763Y2+XY2) f+(784 +583X+227X2+476Y+843XY)F+545+9X+173X2+378Y+902XY+16X2Y
+831Yz+820XY2+909X2Y2, whereby a remainder 545+9X+173X2+378Y+902XY+16X2Y+831Y2+820XY2+909X2Y2 .is obtained to generate a vector w(7) 2=(545, 9, 378, 173, 902, 831, 16, 820, 909) . And, the vectors w(') , and w(') 2 are connected to obtain a vector v7=(37,730,416,831,136,971,55,398,5,545,9,378,173,902,831, 16,820,909). Above, the process of the first ideal reduction section 12 in the polynomial vector generation section 32 is finished.

Next, in a basis construction section 33, the first ideal reduction section 12 inputs seven 18-dimensional vectors vl, v2r v3v v4, vs, v6, and v7i generated in the polynomial vector generation section 32 into a linear-relation derivation section 34, and obtains a plurality of seven-dimensional vectors ml, m2r ... as an output. The linear-relation derivation section 34 derives a linear relation of the vectors, which were input, employing a discharging method. The discharging method belongs to a known art, whereby as to an operation of the linear-relation derivation section 34, only its outline is shown below.

The linear-relation derivation section 34 firstly arranges the seven 18-dimensional vectors vl, vZ, v3r v4, v5r v6i and v-7, which were input, in order for constructing a 7x18 matrix [EQ. 14) MR = 102 241 513 394 647 103 683 1004 863 889 260 809 560 425 535 552 671 763 Next, the linear-relation derivation section 34 connects a seventh-dimensional unity matrix to the matrix MR to construct [EQ. 151 M'R = 102 241 513 394 647 103 6831004 863 889 260 809 560 425 535 552 671 763 Next, the linear-relation derivation section 34 triangulates a matrix M Rby adding a constant multiple of an i-th row to an (i+l)-th row (i=1,2,and 3) to a seventh row to obtain the following matrix m..

[EQ. 16]

m= 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 982 226 146 1 0 0 0 As well known, the vector that is composed of a nineteenth component and afterward of a fourth row to a seventh row of the matrix m is a vector {(ml,1,m1,2,===.mi,7), (m2,i,m2,2,...,m2,7) ,..,} representing a linearly-i.ndependent linear dependence relation Zi'mjivi=0 (j=1, 2,...) of all of the seven 18-dimensional vectors vl, v2r v3, v4, vs, v6i and v7 that were input. The linear-relation derivation section 34 outputs a vector m1=(982,226,146,1,0,0,0) that is composed of the nineteenth component and afterward of the fourth row of the matrix m, a vector m2=(449,79,320,0,1,0,0) that is composed of the nineteenth component and afterward of the fifth row of the matrix m, and a vector m3=(544,564,195,0,0,1,0) that is composed of the nineteenth component and afterward of the sixth row of the matrix m, and a vector m4=(79,930,1004,0,0,0,1) that is composed of the nineteenth component and afterward of the seventh row of the matrix m.

Now return to the explanation of the process of the first ideal reduction section 12 in the basis construction section 33. Next, this ideal reduction section 12 makes a reference to a table 37 for a Groebner basis construction of Fig. 7, and retrieves a record, of which the value of the order field is said value d=3, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1=(982,226,146,1,0,0,0), m2=(449,79,320,0,1,0,0), m3= (544, 564, 195, 0, 0, 1, 0) , and m4= (79, 930, 1004, 0, 0, 0, 1) .
The value of the order field of a fourteenth record is 3, and a vector, of which the components that correspond to the component number lists 4, 5, 6, and 7 of the fourteenth record are all zero, does not lie in the vectors ml, m2r m3v and m4r whereby the fourteenth record is obtained as a retrieval result Furthermore, the value of the first vector type of the fourteenth record is (*,*,*,1,0,0,0)(A code * is interpreted as representing any number), which coincides with the vector m1=(982,226,146,1,0,0,0), whereby the vector mti is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y2, and X3 of the algebraic curve parameter file A to generate a polynomial f1=982+226X+146Y+X2.

Similarly, the value of the second vector type of the fourteenth record is (*,*,*,0,1,0,0) (A code * is interpreted as representing any number), which coincides with the vector m2=(449,79,320,0,1,0,0), whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, YZ, and X3 of the algebraic curve parameter file A to generate a polynomial f2=449+79X+320Y+XY.

Similarly, the value of the third vector type of the fourteen record is (*,*,*,0,0,1,0)(A code * is interpreted as representing any number), which coincides with the vector m3= ( 544, 564, 195, 0, 0, 1, 0), whereby the vector m3 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y2, and X3 of the algebraic curve parameter file A to generate a polynomial f3=544+564X+195Y+Y2.

Finally, the ideal reduction section 12 constructs a set J*= {f1=982+226X+146Y+X2rf2=449+79X+320Y+XY, f3=544+564X+195Y+Y2 } of the polynomial to output it. Above, the operation of the first ideal reduction section 12 is finished.

Next, a second ideal reduction section 13, which takes as an input the algebraic curve parameter file A 30 of Fig.
4, and the Groebner basis J*= {982+226X+146Y+X2,449+79X+320Y+XY,544+564X+195Y+Y2}

that the first ideal reduction section 12 output, operates as follows according to a flow of the process of the functional block shown in Fig. 3. At first, in the ideal type classification section 31 of Fig. 3, the second ideal reduction section 13 makes a reference to the ideal type table 35 of Fig. 5, retrieves a record in which'the ideal type described in the ideal type field accords with the type of the input ideal J* for obtaining a fourteenth record, and acquires a value N=31 of the ideal type number field and a value d=3 of the reduction order field of the fourteenth record.

Next, the ideal reduction section 13 confirms that said value d=3 is not zero, makes a reference to the monomial list table 36 in the polynomial vector generation section 32, retrieves a record of which the value of the order field is said d=3 for obtaining a fourth record, and acquires a list 1, X, Y, X2, XY, Y2, and X3 of the monomial described in the monomial list field of the fourth record.

Furthermore, the ideal reduction section 13 acquires a first element f=982+226X+146Y+X2, a second element g=449+79X+320Y+XY, and a third element h=544+564X+195Y+Y2 of J*, regards a coefficient list 0,7,0,0,0,0,0,0,0,1,1 of the algebraic curve parameter file A as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y 2, X3, XZY, XY2, X4, and Y3 of the algebraic curve parameter file A, and generates a defining polynomial F=Y3+X4+7X.

Next, for each of Mi(1<=i<=7) in said list 1, X, Y, X2, XY, Y2, and X3 of said monomial, the ideal reduction section 13 calculates a remainder equation ri of a product Mj g of Mi and the polynomial g by the polynomials f and F, arranges its coefficients in order of the monomial order 1, X, Y, ... of the algebraic curve parameter file A, and generates a vector w(1)1. Furthermore, the ideal reduction section 13 calculates a remainder equation si of a product Mi h of Mi and the polynomial h by the polynomials f and F, arranges its coefficients in order of the monomial order 1, X, Y, of the algebraic curve parameter file A, and generates a vector w(') 2, and connects the above-mentioned two vectors w''-'1 and w(1) 2 for generating a vector vi.

That is, at first, for a first monomial M1=1, divide 1 g=449+79X+320Y+XY by f=982+226X+146Y+X2 and F=Y3+X4+7X,:then g=0 f+0=F+449+79X+320Y+XY, whereby a remainder 449+79X+320Y+XY is obtained to generate a vector w(1)1= (449, 79, 320, 1, 0, 0) . Also, divide 1- h=544+564X+195Y+Y2 by f=982+226X+146Y+X2 and F=Y3+X4+7X: then .- 56-h=0=f+0 F+544+564X+195Y+Y`', whereby a remainder 544+564X+195Y+Y2 is obtained to generate a vector w(1) 2= (544, 564, 195, 0, 1, 0) . And, the vectors w(1)1, and w(1) 2 are connected to obtain a vector v1=(449,79,320,1,0,0,544,564,195,0,1,0) .
Next, for a second monomial M2=X, divide Xg=X(449+79X+320Y+XY) by f=982+226X+146Y+X2 and F=Y3+X4+7X:
then Xg=(79+Y)f+0=F+115+757X+601Y+94XY+863YZ, whereby a remainder 115+757X+601Y+94XY+863Y2 is obtained to generate a vector w(2) 1= (115, 757, 601, 94, 863, 0) .

Also, divide Xh=X(544+564X+195Y+Y2) by f=982+226X+146Y+X2 and F=Y3+X4+7X: then Xh=564f+0=F+93+214X+394Y+195XY+XY2, whereby a remainder 93+214X+394Y+195XY+XY2 is obtained to generate a vector w(2) 2= ( 93, 214, 394, 195, 0, 1) . And, the vectors w(2) 1 and w(2) 2 are connected to obtain a vector v2=(115,757,601,94,863,0,93,214,394,195,0,1).

Next, for a third monomial M3=Y, divide Yg=Y(449+79X+320Y+XY) by f=982+226X+146Y+X2 and F=Y3+X4+7X:
then Yg=O = f+0 = F+449Y+79XY+320Y2+XY2, whereby a remainder 449Y+79XY+320Y2+XY2 is obtained to generate a vector w(3) 1= (0, 0, 449, 79, 320, 1) .

Also, divide Yh=Y(544+564X+195Y+Y2) by f=982+226X+146Y+X2 and F=Y3+X4+7X: then Yh=(356+226X+1008X2+146Y)f+1=F+531+305X+942Y+157XY+68Y2, whereby a remainder 531+305X+942Y+157XY+68Y2 is obtained to generate a vector w(3'2=(531,305,942,157,68,0). And, the vectors w(3) 1 and w(3) 2 are connected to obtain a vector v3= (0, 0, 449, 79, 320, 1, 531, 305, 942, 157, 68, 0) .

Next, for a fourth monomial M4=X2, divide X2g=X2(449+79X+320Y+XY) by f=982+226X+146Y+X2 and F=Y3+X4+7X: then XZg=(757+79X+94Y+XY)f+0 = F+259+563X+988Y+546XY+402Y2+863XY2, whereby a remainder 259+563X+988Y+546XY+402Y2+863XY2 is obtained to generate a vector w(4) i= (259, 563, 988, 546, 402, 863) .

Also, divide X2h=X2(544+564X+195Y+Y2) by f=982+226X+146Y+X2 and F=Y3+X9+7X: then X2h= (706+865X+146X2+68Y+Y2) f+863F+900+27X+669Y+611XY+189Y2+
783XY2, whereby a remainder 900+27X+669Y+611XY+189Y2 +783XY2 is obtained to generate a vector w(4) 2=(900, 27, 669, 611, 189, 783) . And, the vectors w(4) 1 and w(4) 2 are connected to obtain a vector v4= (259, 563, 988, 546, 402, 863,. 900, 27, 669, 611, 189, 783) .
Next, for a fifth monomial M5=XY, divide XYg=XY(449+79X+320Y+XY) by f=982+226X+146Y+X2 and F=Y3+X4+7X: then XYg=(492+301X+146X2+961Y+Y2)f+863F+167+875X+529Y+648XY+981 Y2+94XY2 whereby a remainder 167+875X+529Y+648XY+981Y2+94XY' is obtained to generate a vector w(5)1= (167, 875, 529, 648, 981, 94) .
Also, divide XYh=XY(544+564X+195Y+y2) by f=982+226X+146Y+X2 and F=Y3+X4+7X: then XYh=(305+356X+226X2+1008X3+157Y+146XY)f+XF+163+213X+69Y+77 5XY+285Y2+68XY2, whereby a remainder 163+213X+69Y+775XY+285Y2+68XYZ is obtained to generate a vector w(5) 2= (163, 213, 69, 775, 285, 68) . And, the vectors w(5) and w(5) 2 are connected to obtain a vector v5= (167, 875, 529, 648, 981, 94, 163, 213, 69, 775, 285, 68) .
Next, for a sixth monomial M6=Y2, divide Y2g=Y2(449+79X+320Y+XY) by f=982+226X+146Y+X2 and F=Y3+X4+7X: then Y2g=(208+28X+915X2+1008X3+908Y+146XY)f+(320+X)F+571+949X+20 2Y+482XY+60Y2+961XY2, whereby a remainder 571+949X+202Y+482XY+60Y2+961XY2 is obtained to generate a vector w(6)1=(571,949,202,482,60,961) .

Also, divide Y2 h=Y2(544+564X+195Y+y2) by f=982+226X+146Y+X' and F=Y3+X4+7X: then Y2h=(1001+233X+941X2+194Y+226XY+1008X2Y+146Y2) f+(68+Y) F+793 +560X+352Y+881XY+378Y2+157XY2, whereby a remainder 793+560X+352Y+881XY+378Y2+157XY2 is obtained to generate a vector w(6) 2=(793,560,352,881,378,157). And, the vectors w(6) 1 and w(6) 2 are connected to obtain a vector v6=(571,949,202,482,60,961,793,560,352,881,378,157).

Finally, for a seventh monomial M7 =X3, divide X3g=X3 (449+79X+320Y+XY) by f=982+226X+146Y+X2 and F=Y3+X4+7X:
then X3g= (370+198X+961X2+926Y+94XY+X2Y+86312) f+127F+909+548X+243 Y+460XY+104Y2+1O1XY2, whereby a remainder 909+548X+243Y+460XY+104Y2+lOlXY2 is obtained to generate a vector w(')1=(909,548,243,460,104,101).

Also, divide X3h=X3(544+564X+195Y+Y2) by f=982+226X+146Y+X2 and F=Y3+X4+7X: then X3h= (834+283X+157X2+146X3+52Y+68XY+783Y2+XY2) f+ (708+863X) F+
320+866X+720Y+225XY+432Y2+815XY2, whereby a remainder 320+866X+720Y+225XY+432Y2+815XY2 is obtained to generate a vector w(') 2=(320,866,720,225,432,815). And, the vectors w(7) 1 and w(7) 2 are connected to obtain a vector v7=(909,548,243,460,104,101,320,866,720,225,432,815).

Above, the process of the second ideal reduction section 13 reduction section 13 in the polynomial vector generation section 32 is finished.

Next, in the basis construction section 33, the second ideal reduction section 13 inputs seven 12-dimensional vectors vl, v2, v3, vq, v5r ve, and v7 generated in the polynomial vector generation section 32 into the linear-relation derivation section 34, and obtains a plurality of seven-dimensional vectors m, m2, ... as an output. The linear-relation derivation section 34 derives a linear relation of the vectors, which were input, employing a discharging method. The discharging method belongs to a known art, whereby as to an operation of the linear-relation derivation section 34, only its outline is shown below.

The linear-relation derivation section 34 firstly arranges the seven 12-dimensional vectors vl, v2r v3, v4.
v5, v6, and v-7, which were input, in order for constructing a 7x12 matrix [EQ. 17]

MR = 259 563 988 546 402 863 900 27 669 611 189 783 Next, the linear-relation derivation section 34 connects a seventh-dimensional unity matrix to the matrix MRto construct [EQ. 18]

M'R =; 259 563 988 546 402 863 900 27 669 611 189 783 0 0 0 1 0 0 0 Next, the linear-relation derivation section 34 triangulates a matrix M'Rby adding a constant multiple of an i-th row to an (i+1)-th row (i=1,2,and 3) to a seventh row to obtain the following a matrix m.

[EQ. 19]

m= 0 0 0 0 0 0 0 0 0 0 0 0 982 226 146 1 0 0 0 As well known, the vector that is composed of a thirteenth component and afterward of a fourth row to a seventh row of the matrix m is a vector {(ml,l,ma_,2,...,ml,,,) , (m2,1,m2,2,...,m2,n) ,...} representing a linearly-independent linear dependence relation Ei'mj ivi=0(j=1,2,...) of all of the seven 12-dimensional vectors vl, v2r v3, v4, v5, v6, and v7 that were input. The linear-relation derivation section 34 outputs a vector m1=(982,226,146,1,0,0,0) that is composed of the thirteenth component and afterward of the fourth row of the matrix m, a vector m2=(53,941,915,0,1,0,0) that is composed of the thirteenth component and afterward of the fifth row of the matrix m, and a vector m3=(394,852,48,0,0,1,0) that is composed of the thirteenth component and afterward of the sixth row of the matrix m, and a vector m4=(382,194,908,0,0,0,1) that is composed of the thirteenth component and afterward of the seventh row of the matrix m.

Now return to the explanation of the process of the second ideal reduction section 13 in the basis construction section 33. Next, the second ideal reduction section 13 makes a reference to a table 37 for a Groebner basis construction of Fig. 7, and retrieves a record, of which the value of the order field is said value d=3, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors ml=(982,226,146,1,0,0,0), m2=(53,941,915,0,1,0,0), m3=(394,852,48,0,0,1,0), and m4=(382,194,908,0,0,0,1). The value of the order field of a fourteenth record is 3, and a vector, of which the component that correspond to the component number lists 4, 5, 6, and 7 of the fourteenth record are all zero, does not lie in the vectors m1r m2, m3, and m4, whereby the fourteenth record is obtained as a retrieval result.

Furthermore, the value of the first vector type of the fourteenth record is (*,*,*,1,0,0,0)(A code * is interpreted as representing any number), which coincides with the vector m1=( 82,226,146,1,0,0,0), whereby the vector ml is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y2, and X3 of the algebraic curve parameter file A to generate a polynomial f1=982+226X+146Y+X2.

Similarly, the value of the second vector type of the fourteenth record is (*,*,*,0,1,0,0)(A code * is interpreted as representing any number), which coincides with the vector m2=(53,941,915,0,1,0,0), whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y2, and X3 of the algebraic curve parameter file A to generate a polynomial f2=53+941X+915Y+XY.

Similarly, the value of the third vector type of the fourteen record is (*,*,*,0,0,1,0)(A code * is interpreted as representing any number), which coincides with the vector m3=(394,852,48,0,0,1,0), whereby the vector m3 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, Y, X2, XY, Y2, and X3 of the algebraic curve parameter file A to generate a polynomial f3=394+852X+48Y+Y2. Finally, the ideal reduction section , 13 constructs a set J**= {f1=982+226X+146Y+X2 f2=53+941X+915Y+XY,f3=394+852X+48Y+YZ} of the polynomial to output it. Above, the operation of the second ideal reduction section 13 is finished.

Finally, in the Jacobian group element adder of Fig. 1, the Groebner basis J**= {982+226X+146Y+X2, 53+941X+915Y+XY,394+852X+48Y+Y2} , which the second ideal reduction section 13 output, is output from an output apparatus.

Next, the embodiment of the case will be shown in which the C27 curve was employed. In this embodiment, the algebraic curve parameter file of Fig. 8 is employed as an algebraic curve parameter file, the ideal type table of Fig. 9 as an ideal type table, the monomial list table of Fig. 10 as an monomial list table, and the table for a Groebner basis construction of Fig. 11 as a table for a Groebner basis construction respectively.

In the Jacobian group element adder of Fig. 1, suppose Groebner bases I1= 168 9+623X+130X2+X3, 5 68+590X+971X2+Y}
and 12= {689+623X+130XZ+X', 568+.590X+971X2+Y}

were input of the ideal of the coordinate ring of the algebraic curve designated by the algebraic curve parameter file A, which represents an element of the Jacobian group of the C27 curve designated by the algebraic curve parameter file A 16 and the algebraic curve parameter file A of Fig. 8.

At first, an ideal composition section 11, which takes the algebraic curve parameter file A of Fig. 8, and the above-mentioned Groebner bases Il and 12 as an input, operates as follows according to a flow of the process of the functional block shown in Fig. 2. At first, the ideal composition section 11 makes a reference to the ideal type table of Fig. 9 in the ideal type classification section 21 of Fig. 2, retrieves a record in which the ideal type described in the ideal type field accords with the type of the input ideal I1 for obtaining an eleventh record, and acquires a value N1=31 of the ideal type number field and a value d1=3 of the order field of the eleventh record.
Similarly, the ideal composition section 11 retrieves a record in which the ideal type accords with the type of the input ideal 12 for obtaining the eleventh record, and acquires a value N2=31 of the ideal type number field and a value d2=3 of the order field of the eleventh record.

Next, the ideal composition section 11 calculates the sum d3=d1+d2=6 of said values d1=3 and d2=3 of said order field in the monomial vector generation section 22, makes a reference to the monomial list table, retrieves a record of which the value of the order field is said d3=6 for obtaining a first record, and acquires a list 1, X, X2, X3, Y, X4, XY, X5, X2Y, and X6 of the monomial described in the monomial list field of the first record. I1 and 12 are equivalent, whereby a remainder to be attained by dividing Mi by Il for each of M; (1<=i<=10) in said list 1, X, X2, X3, Y, X4, XY, X5, X2Y, and X6 of said monomial is calculated to obtain a polynomial a i l+a (i) 2X+a (i) 3X2, to arrange its coefficients in order of the monomial order 1, X, X2, ... of the algebraic curve parameter file A, and to generate a vector w(i)l- (aWl, a(1) 2, a(i) 3) e Furthermore, the ideal composition section 11 regards a coefficient list 0, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, and 1 described in the algebraic curve parameter file A of Fig.
8 as a coefficient row of each monomial of the monomial order 1, X, X2, X3, Y, X4, XY, X', X'Y, X6, X3Y, X-7, and Y2 described in the algebraic curve parameter file A of Fig.

8, constructs a defining polynomial F=Y2+X7 +7X, when a differential of a polynomial N1 with respect to its X is expressed by DX(M), and a differential of a polynomial M
with respect to its Y is expressed by Dy(M), calculates a remainder to be attained by dividing a polynomial DX(Mi)DY(F)-DY(Mi)DX(F) by I1i obtains a polynomial b(l) 1+b(1'2X+ b"-) 3 X2 , arranges its coefficients in order of the monomial order 1, X, Xz, ... of the algebraic curve parameter file A, generates a vector w`1) z=(b`l) l,b(l) 2rb(1) 3), and connect the above-mentioned two vectors w(l)- and w(1) for eneratin a vector vi=(a(l a(1) a(i b() b'i) b(i)g g 1r 7_r 3r lr 2r 3)=
That is, divide Ml =1 by I1; then 1=0 = ( 689+623X+130X2+X3) +0 (568+590X+971X2+Y) +1, whereby, 1 is obtained as a remainder to generate a vector w`1' 1= (1, 0, 0). Furthermore, divide DX (1) DY (F) -DY (1) DX (F) =0 by I1: then 0, whereby 0 is obtained as a remainder to generate a vector w(1) 2= (0, 0, 0) . w(l) l and w(1) 2 are connected to generate a vector v,=(1,0,0,0,0,0) Next, divide M2=X by I1 . then X=0 = ( 689+623X+130X2+X3) +0 = (568+590X+971X2+Y) +X, whereby, X is obtained as a remainder to generate a vector w(2) 1= ( 0, 1, 0). Furthermore, divide DX(X) DY(F) -DY(X) DX(F)=DY(F)=2Y by I1: then 2Y=0 =( 689+623X+130X2+X3) +2 ( 568+590X+971X2+Y) +882+838X+76X2, whereby 882+838X+76X2 is obtained as a remainder to generate a vector w(2) 2= (882, 838, 76) . w(2) 1 and w(2) 2 are connected to generate a vector v2=(0,1,0,882,838,76).

Next, divide M3=X2 by Il: then X2=0 ( 689+623X+130X2+X3) +0 ( 568+590X+971X2+Y) +XZ, whereby, X2 is obtained as a remainder to generate a vector w(3)1= (0, 0, 1) . Furthermore, divide Dy (Xz) DY (F) -DY (Xz) DX (F) =4XY by I1: then 4XY=152 ( 689+623X+130X2+X3) +4X (568+590X+971X2+Y) +208+905X
+78X2, whereby 208+905X+78X2 is obtained as a remainder to generate a vector wt372=(208, 905 78) . w(3) 1 and w(3) 2 are connected to generate a vector v3=(0,0,1,208,905,78).
Next, divide M4=X3 by I,: then X3=1 =(689+623X+130X2+X3) +0 (568+590X+971X2+Y)+320+386X+879X2, whereby, 320+386X+879X2 is obtained as a remainder to generate a vector w ( 4 ) 1= ( 3 2 0 , 386, 8 7 9 ) . Furthermore, divide DX (X3) DY (F) -DY (X3) DX (F) =6X2Y by I1: then 6X2Y=(117+228X) (689+623X+130X2+X3)+6X2(568+590X+9"71X2+Y) +107+69X+778X2, whereby 107+69X+778X2 is obtained as a remainder to generate a vector w(4) 2=(10"7, 69, 778) . w(4) 1 and w(4) 2 are connected to generate a vector v4= (320, 386, 879, 107, 69, 778) .

Next, divide M5=Y by Il: then Y=0 (689+623X+130X2+X3) +1 (568+590X+971X2+Y) +441+419X+38X2, whereby, 441+419X+38X2 is obtained as a remainder to generate a vector w`5)1=(441,419,38). Furthermore, divide DX (Y) DY ( F) -DY (Y) Dx ( F) =-Dx( F) =1002+1002Xh by Il, then 1002+1002X6= ( 865+78X+910X2+1002X3) ( 689+623X+130X2+X3) +0 (568+590X+971X2+Y)+327+655X+1004X2, whereby 327+655X+1004X2 is obtained as a remainder to gerierate a vector w(5) 2= (327, 655, 1004) . w(') and w(5)2 are connected to generate a vector v5=(441,419,38,327,655,1004).

Next, divide M6=X4 by I]_: then X4=(879+X) (689+623X+130X2+X3)+0 (568+590X+971X2+Y) +778+590X+133X2, whereby, 7'78+590X+133X2 is obtained as a remainder to generate a vector w(6) 1=(778,590,133).

Furthermore, divide DX (X4 ) D, (F) -Dy (X9 ) DX (F) =8X3Y by Il :
then 8X3Y= (200+840X+8Y) (689+623X+130X'+X3) + (542+61X+978X2) (568+590X+971X2+Y)+322+653X+781X2, whereby 322+653X+781X2 is obtained as a remainder to generate a vector w(6'2=(322,653,781) . w(6'1 and w(6) 2 are connected to generate a vector vE=(778,590,133,322,653,781).

Next, divide M7=XY by Il: then XY=38 ( 689+623X+130X2+X3) +X (568+590X+971XZ+Y) +52+983X+524X2, whereby, 52+983X+524 X2 is obtained as a remainder to generate a vector w(7)l=(52,983,524). Furthermore, divide DX (XY) DY (F) -DY (XY) DX (F) =1002X+1002X7 +2Y2 by I1r then.
1002X+1002X'+2Y2= (24+726X+78X2+910X3+1002X4) (689+623X+130X2+X3) + (882+838X+76X2+2Y) (568+590X+9`71X2+Y) +105+954X+813X2, whereby 105+954X+813X2 is obtained as a remainder to generate a vector w(') 2= (105, 954, 813 ). w"'' and w`') 2 are connected to generate a vector v7= (52, 983, 524, 105, 954, 813) .

Next, divide Ms=X' by I1: then X5= (133+879X+X2) ( 689+623X+130X2+X3) +0 _ (568+590X+971X2+Y) +182+657X+453X2, whereby, 182+657X+453X2 is obtained as a remainder to generate a vector w(8)1=(182,657,453).
Furthermore, divide DX (X5) DY (F) -DY (X~') DX (F) =10X4Y by Il :

then 10X4Y=(912+90X+718Y+10XY)(689+623X+130X2+X3)+(717+855X
+321X2) (568+590X+971X2+Y)+619+878X+281X?, whereby 619+878X+281X2 is obtained as a remainder to generate a vector w(8) z=(619,878,281) . w(8)1 and w(8) 2 are connected to generate a vector v8=(182,657,453,619,878,281).

Next, divide My=X2Y by Il: then X2Y= ( 524+38X) ( 689+623X+130X2+X3) +X2 ( 568+590X+971X2+Y) +186 +516X+466X2, whereby, 186+516X+466X2 is obtained as a remainder to generate a vector w(9)1= (186, 516, 466) .
Furthermore, divide DX (X2Y) DY ( F ) -DY (XzY) DX (F) =1002X2+1002X8+4XY2 by I1: then 1002X2+1002X8+4XY2=(892+941X+865X2+78X3+910X4+1002X5+152Y) (689+623X+130X2+X3) + (208+905X+78X2+4XY) (568+590X+971XZ+Y) +811+600X+123X2, whereby 811+600X+123X2 is obtained as a remainder to generate a vector w(g) 2= (811, 600, 123) . w(g) and w(g) 2 are connected to generate a vector vg=(186,516,466,811,600,123).

Next, divide M1Q=X6 by I1: then X6= (453+133X+879X2+X3) (689+623X+130X`+X3) +0=(568+590X+971X2+Y)+673+483X+289X2, whereby, 673+483X+289X2 is obtained as a remainder to generate a vector w(10) 1=(673,483,289) . Furthermore, divide DX(X6)DY(F)-DY(X6)DX(F)=12XSY by Ii: then 12X5Y=(985+732X+587Y+458XY+12X2Y)(689+623X+130X2+X3) +(166+821X+391X2)(568+590X+971X2+Y)+950+741X+201X2, whereby 950+741X+201X2 is obtained as a remainder to generate a vector w('0) 2= (950, 741, 201) . w(10)1 and w(10) 2 are connected to generate a vector vlo=(673,483,289,950,741,201). Above, the process of the ideal composition section 11 in the monomial vector generation section 22 is finished.

Next, in the basis construction section 23, the ideal composition section 11 inputs ten six-dimensional vectors V1, V2r V3, V4, V5, Vo, V7, Vg, Vg, and, vlp generated in the monomial vector generation section 22 into the linear-relation derivation section 24, and obtains a plurality of 10-dimensional vectors m1r m2, ... as an output. The linear-relation derivation section 24 derives a linear relation of the vectors, which were input, e:mploying the discharging method. The discharging method belongs to a known art, whereby, as to an operation of the linear-relation derivation section 24, only its outline is shown below. The linear-relation derivation section 24 firstly arranges the ten six-dimensional vectors vl, v2r v3, v4, v5, v6, v7, v8, v9r and, vlo which were input, in order for constructing a 10x6 matrix [EQ. 20]

_ 441 419 38 327 655 1004 Mc 778 590 133 322 653 781 Next, the linear-relation derivation section 24 connects a 10-dimensional unity matrix to the matrix MC to obtain [EQ. 21]

M' -~ 778 590 133 322 653 781 0 0 0 0 0 1 0 0 0 0 Next, the linear-relation derivation section 24 triangulates a matrix M c by adding a constant multiple of an i-th row to an ( i+l )-th row ( i=1_ P 2,..., 6) to a tenth row to obtain the following a matrix m.

[EQ. 22]

m-As well known, the vector that is composed of a seventh component and afterward of a seventh row to a tenth row of the matrix m is a vector {(mZ,l,ml,2,...,ml,n) , (m2, l, m2,2, ..., m2,n) ,...} representing a linearly-independent linear dependence relation Ei10m,ivi=0 (j=1, 2,...) of all of the ten six-dimensional vectors vl, v2r v3, V4, vs, v6, v~, v8, v9, and, v10 that were input. The linear-relation derivation section 24 outputs a vector ml=(699,601,688,281,217,287,1,0,0,0) that is composed of the seventh component and afterward of the seventh row of the matrix m, a vector m2=(193,959,364,180,550,43,0,1,0,0) that is composed of the seventh component and afterward of the eighth row of the matrix m, and. a vector m3=(780,667,96,50,897,327,0,0,1,0) that is composed of the seventh component and afterward of the ninth row of the matrix m, and a vector m4=(761,727,417,523,278,912,0,0,0,1) that is composed of the seventh component and afterward. of the tenth row of the matrix m. Now return to the explanation of the process of the ideal composition section 11 in the basis construction section 23.

Next, the ideal composition section 11 makes a reference to the table for a Groebner basis construction of Fig. 11, and retrieves a record, of which the value of the order field is said value d3=6, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors ml=(699,601,688,281,217,287r1,0,0,0), m2= (193, 959, 364, 180, 550, 43, 0, 1, 0, 0) , m3= (780, 667, 96, 50, 897, 327, 0, 0, 1, 0) , and m4=(761,727,417,523,278,912,0,0,0,1). The value of the order field of the first record is 6, and a vector, of which the components correspond to the component number lists 7, 8, 9, and 10 of a first record are all zero, does not lie in the vectors ml, m2r m3s and m4r whereby the first record is obtained as a retrieval result.

Furthermore, the value of the first vector type of the first record is (*,*,*,*,*,*,1,0,0,0)(A code * is interpreted as representing any number), which coincides with the vector m1= ( 699, 601, 688, 281, 217, 287, 1, 0, 0, 0), whereby the vector m1 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, X3, Y, X4, XY, X5, XZY, and X6 of the algebraic curve parameter file A to generate a polynomial f1=699+601X+688X2+281X3+217Y+287X4+XY.

Similarly, the value of the second vector type of the first record is code * is interpreted as representing any number), which coincides with the vector m2=(193,959,364,180,,550,43,0,1,0,0), whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, X3, Y, X4, XY, X5, XZY, and X6 of the algebraic curve parameter file A to generate a polynomial f2=193+959X+364X2+180X3+550Y+43X4+X5. The value of the third vector type of the first record is null, whereby it is neglected. Finally, the ideal composition section 11 constructs a set J= { fl, f2} =
1699+601X+688X2+281X3+217Y+287X4+XY,193+959X+364X2+180X3 +550Y+43X4+X5} of the polynomial to output it. Above, the operation of the ideal composition section 11 is finished.

Next, the first ideal reduction section 12, which takes as an input the algebraic curve parameter file A of Fig. 8, and the Groebner basis J= {699+601X+688X2+281X3 +217Y+287X4+XY, 193+959X+364X2+180X3+550Y+43X4+X5}

that the ideal composition section 11 output, operates as follows according to a flow of the process of the functional block shown in Fig. 3.

At first, in the ideal type classification section 31 of Fig. 3, the ideal reduction section 12 makes a reference to the ideal type table of Fig. 9, retrieves a record in which the ideal type described in the ideal type field accords with the type of the input ideal J for obtaining a first record, and acquires a value N=61 of the ideal type number field and a value d=3 of the reduction order field of the first record. Next, the ideal reduction section 12 confirms that said value d=3 is not zero, makes a reference to the monomial list table of Fig. 10 in the polynomial vector generation section 32, retrieves a record of which the value of the order field is said d=3 for obtaining a fourth record, and acquires a list 1, X, X2, X3, Y, X4, and XY of the monomial described in the monomial list field of the fourth record.

Furthermore, the ideal reduction section 12 acquires a first element f=699+601X+688X2 +281X3+217Y+284X4+XY of J, and a second element g=193+959X+364X2+180X3+550Y+43X4+X5(A
third element does not lie in J, whereby a third polynomial h is not employed), regards a coefficient list - 76_ 0,7,0,0,0,0,0,0,0,0,0,1,1 of the algebraic curve parameter file A as a column of the coefficient of each monomial of the monomial order 1, X, X2, X3, Y, X4, XY, X5, X'Y, X6, X3Y, x 7 and Y2 of the algebraic curve parameter file A, and generates a defining polynomial F=Y2+X7+7X.

Next, for each of Mi(1<=i<=7) in said list 1, X, X2, X3, Y, x 4 and XY of said monomial, the ideal reduction section 12 calculates a remainder equation ri of a product Mi g of Mi and the polynomial g by the polynomials f and F, arranges its coefficients in order of the monomial order 1, X, X2, X3, Y, XG, XY, X5, X2Y, X6, X3Y, and X7 of the algebraic curve parameter file A, and generates a vector vi. That is, at first, for a first monomial M1=1, divide 1=g=193+959X+364X2+180X3+550Y+43X4+X5 by f=699+601X+688X2+281X3+217Y+287X4+XY and F=Y2+X7 +7X: then g=0 = f+0 = F+193+959X+364X2+180X3+550Y+43X4+ X5, whereby a remainder 193+959X+364X2+180X3+550Y+43X4+X5 is obtained to generate a vector v1=(193,959,364,180,550,43,0,1,0,0,0,0).

Next, for a second monomial M2=X, divide Xg=X (193+959X+364Xz+180X3+550Y+43X4+X5) by f=699+601X+688X2 +281X3+217Y+287X4+XY and F=Y2+X7+7X: then Xg=550f+0 F+988+595X+934X2+191X3+743X4+43X5+X6+721Y, whereby a remainder 988+595X+934X2+191X3+743X4+43XS+X6+721Y
is obtained to generate a vector v2=(988,595,934,191,721,743,0,43,0,1,0,0).

Next, for a third monomial M3=X2, divide X2g=X2 (193+959X+364X2+180X3+550Y+43X'+XS) by f=699+601X+688X2+281X3+217Y+287X4+XY and F=Y2+X'+7X: then X2g= (721-+-550X) f+0 = F+521+528Y+975X2+133X3+109X4+743X5 +43X6+X'+947Y, whereby a remainder 521+528X+975X2+133X3+109X4+743X-5+43XI+X7+947Y is obtained to generate a vector V3 =(521, 528, 975, 133, 947, 109, 0, 743, 0, 43, 0, 1.) .
Next, for a fourth monomial M4=X3, divide X3g=X3 (193+959X+364X2+180X3+550Y+43X4+X5) by f=699+601X+688X2+281X3 +217Y+287X4+XY and F=Y2+X7 +7X: then X3g=(200+969X+101X2+287X3+1008Y)f+(217+X)F+ 451+78X+481X2 +791X3+389X4+924X5+527X6+195X7 +686Y, whereby a remainder 451+78X+481Xz+791X3+389X4+924X5+527X6+195X'+686Y is obtained to generate a vector v4= (451, 78, 481, 791, 686, 389, 0, 924, 0, 527, 0, 195) .
Next, for a fifth monomial M5=Y, divide Yg=Y (193+959X+364X2+180X3+550Y+43X4+X5) by f=699+601X+688X2+281X3+217Y+287X4+XY and F=Y2+X7 +7X: then Yg=(884+712X+316X2+195X3+X4+287Y)f+(829+722X)F+601+459X+217 X2+14X3+965X4+924X5+130X6+438X7 +253Y, whereby a remainder 601+459X+217X2+14X3+965X4+924X5+130X6+438X7+253Y is obtained to generate a vector v5=(601,459,217,14,253,965,0,924,0,130,0,438).
Next, for a sixth monomial M6=X'l , divide X4g=X4 (193+959X+364X2+180X3+550Y+43X4+X5) by f=699+601X+688X2 +281X3+217Y+287X4+XY and F=Y2+X'+7X: then X4g= (317+128X+188X2+571X3+287X4+814Y+1008XY) f+ ( 946+412X+X2) F+397+954X+514X2+891X3+255X4+901X5+173X6+906X7+922Y, whereby a remainder 397+954X+514X2+891X3+255X4+901X5+173X6+906X7+922Y is obtained to generate a vector v6= (397, 954, 514, 891, 922, 255, 0, 901, 0, 173, 0, 906) .
Finally, for a seventh monomia=_ M7=XY, divide XYg=XY(193+959X+364X2+180X3+550Y+43X4+X5) by f=699+601X+688X2+281X3+217Y+287X4+XY and F=Y2+X7 +7X: then XYg=(992+536X+805X2+906X3+195X4+X5+571Y+287XY)f+(200+258X
+722X2) F+784+420X+871X2+113X3+933X4+749X5+153X6+112X7+88Y, whereby a remainder 784+420X+871X2+113X3+933X9+749X5+153XE+112X7+88Y is obtained to generate a vector v7=(784,420,871,113,88,933,0,749,0,153,0,112). Above, the process of the second ideal reduction section 12 in the polynomial vector generation section 32 is finished.

Next, in the basis constructiorl section 33, the second ideal reduction section 12 inputs seven 12-dimensional vectors vi, v2r v3a v,x, v5r vy, and v7 generated irl the polynomial vector generation section 32 into the linear-relation derivation section 34, and obtains a plurality of seven-dimensional vectors ml, m2v ... as an output.

The linear-relation derivation section 34 derives a linear relation of the vectors, which were input, employing the discharging method. The discharging method belongs to a known art, whereby, as to an operation of the linear-relation derivation section 34, only its outline is shown below. The linear-relation derivation section 34 firstly arranges the seven 12-dimensional vectors vl, v2r v3r v4, v5, v6, and v7, which were in.put, in order for constructing a 7x12 matrix [EQ. 23]

MR = 451 78 481 791 686 389 0 924 0 527 0 195 Next, the linear-relation derivation section 34 connects a seven-dimensional unity matrix to the matrix MR
to construct [EQ. 24]

M'R = 451 78 481 791 686 389 0 924 0 527 0 195 0 0 0 1 0 0 0 Next, the linear-relation derivation section 34 triangulates a matrix M'Rby adding a constant multiple of an i-th row to an (i+l)-th row (i=1,2,3) to a seventh row to obtain the following a matrix m.

[EQ. 25]

m= 0 0 0 0 0 0 0 0 0 0 0 0 804 795 814 1 0 0 0 As well known, the vector that is composed o:f a thirteenth component and afterward of a fourth row to a seventh row of the matrix m is a vector {(m1,1,m1n2,...,m1,7) , (m2,1,m2,2,...,m2,-~ ) ,...} representing a linearly-independent linear dependence relation E i-17mjiv1=0 (j=1,2,...) of all of the seven 12-dimensional vectors v1r v2v v3r v4v v5, v6, and v7 that were input. The linear-relation derivation section 34 outputs a vector m1=(804,795,814,1,0,0,0) that is composed of the thirteen component and afterward of the fourth row of the matrix m, a vector m2=(522,542,571,0,1,0,0) that is composed of the thirteenth component and afterward of the fifth row of the matrix m, and a vector m3=(385,443,103,0,0,1,0) that is composed of the thirteenth component and afterward of the sixth row of the matrix m, and a vector m4=(12,627,897,0,0,0,1) that is composed of the thirteen component and afterward of the seventh row of the matrix m.
Now return to the explanation of the process of the first ideal reduction section 12 in the basis construction section 33. Next, this second ideal reduction section 12 makes a reference to the table for a Groebner basis construction of Fig. 11, retrieves a record of which the value of the order field is said value d=3, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1=(804,795,814,1,0,0,0), m2=(522,542,571,0,1,0,0), m3=(385,443,103,0,0,1,0), and m4=(12,627,897,0,0,0,1). The value of the order field of an eleventh record is 3, and a vector, of which the components that correspond to the component number lists 4, 5, 6, and 7 of the eleventh record are all zero, does not lie in the vectors ml, m2e m3, and m4r whereby the eleventh record is obtained as a retrieval result.

Furthermore, the value of the first vector type of the eleventh record is (*,*,*,1,0,0,0) (A code * is interpreted as representing any number), which coincides with the vector m,=(804,795,814,1,0,0,0), whereby the vector m, is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, X3, Y, X4, and XY of the algebraic curve parameter file A to generate a polynomial f1=804+795X+814X2+X3.

Similarly, the value of the second vector type of the eleventh record is (*,*,*,0,1,0,0)(A code * is interpreted as representing any number), which coincides with the vector m2=(522,542,571,0,1,0,0), whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, X3, Y, X4, and XY of the algebraic curve parameter file A to generate a polynomial f2=522+542X+571X2+Y. The value of the third vector type of the eleventh record is null, whereby it is neglected.

Finally, the ideal reduction section 12 constructs a set J*= { fl, f2} ={80q+795X+814X2+X3, 522+542X+571X2+Y } of the polynomial to output it. Above, the operation of the first ideal reduction section 12 is finished.

Next, the second ideal reduction section 13, which takes as an input the algebraic curve parameter file A of Fig. 8, and the Groebner basis J*= { fl, f2} = {804+795X+814X2+X3, 522+542X+571X2+Y }

that the first ideal reduction section 12 output, operates as follows according to a flow of the process of the functional block shown in Fig. 3. At first, the ideal reduction section 13 makes a reference to the ideal type table of Fig. 9 in the ideal type classification section 31 of Fig. 3, retrieves a record in which the ideal type described in the ideal type field accords with the type of the input ideal J* for obtaining an eleventh record, and acquires a value N=31 of the ideal type number field and a value d=3 of the reduction order field of the eleventh record.

Next, the ideal reduction section 13 confirms that said value d=3 is not zero, makes a reference to the monomial list table of Fig. 10 in the polynomial vector generation section 32, retrieves a record of which the value of the order field is said d=3 for obtaining a fourth record, and acquires a list 1, X, X2, X3, Y, X4, and XY of the monomial described in the monomial list field of the fourth record. Furthermore, the ideal reduction section 13 acquires a first element f=804+795X+814X2+X3, and a second element g=522+542X+571X2+Y of J* (A third element does not lie in J*, whereby a third polynomial h is not employed), regards a coefficient list 0, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, and 1 of the algebraic curve parameter file A as a column of the coefficient of each monomial of the monomial order 1, X, X2, X3, Y, X4, XY, X5, XZY, X6, X3Y, X7 and YZ of the algebraic curve parameter file A, and generates a defining polynomial F=Y2+X7 +7X.

Next, for each of Mi (1<=i<=7 ) in said list 1, X, X2, X3, Y, X4 and XY of said monomial, the ideal reduction section 13 calculates a remainder equation ri of a product Mi g of Mi and the polynomial g by the polynomials f and F, arranges its coefficients in order of the monomial order 1, X, X2, X3, Y, X4, XY, X5, XZY, X6, X3Y, and X7 of the algebraic curve parameter file A, and generates a vector vi. That is, at first, for a first monomial M1=1, divide 1 g=522+542X+571X2+Y by f=804+795X+814X2 +X3 and F=Y`+X7 +7X:
then g=0 f+0=F+522+542X+571X2+Y, whereby a remainder 522+542X+571X2+Y is obtained to generate a vector v1= (522, 542, 571, 0, 1, 0, 0, 0, 0) .

Next, for a second monomial M2=:X, divide Xg=X(522+542X+571X2+Y) by f=804+795X+814X2+X3 and F=Y2+X7+7X: then Xg=571f+0 F+11+627X+897X2+XY, whereby a remainder 11+627X+897X2+XY is obtained to generate a vector v2=(11,627,897,0,0,0,1,0,0) .

Next, for a third monomial M3=X2 , divide X2g=X2 (522+542X+571X2+Y) by f=804+795X+814X2+X3 and F=Y2+X'+7X: then X2g=(897+571X)f+0 F+247+259X+985X2+X2Y, whereby a remainder 247+259X+985 X2+X2y is obtained to generate a vector v3= (247, 259, 985, 0,, 0, 0, 0, 0, 1) .
Next, for a fourth monomial M4=X3, divide X3g=X3 (522+542X+571X2+Y) by f=804+795X+814X2+X3 and F=Y2+X'+7X: then X3g= ( 985+897X+571X2+Y) f+0 F+125+156X

+624X2+205Y+214XY+195X2Y, whereby a remainder 125+156X+624X2+205Y+214XY+195X2Y is obtained to generate a vector v4=(125,156,624,0,205,0,214,0,195).

Next, for a fifth monomial M5=Y, divide Yg=Y (522+542X+571X2+Y) by f=804+795X+814X2+X3 and F=Y2+X7+7X: then Yg=(486+348X+103X2+814X3+1008X4)f +1 F+748+780X+665X2+522Y+542XY+571X2Y, whereby a remainder 748+780X+665X2+522Y+542XY+571X2Y is obtained to generate a vector v5=(748,780,665,0,522,0,542,0,571).

Next, for a sixth monomial M6=X4, divide X4g=X4(522+542X+571X2+Y) by f=804+795X+814X2+X3 and F=Y2+X7+7X: then X4g= ( 624+985X+897X2+571X3+195Y+XY) f+0 F+786+473X+756X2+624Y+566XY+906X2Y, whereby a remainder 786+473X+756X2+624Y+566XY+906X2Y is obtained to generate a vector vd= (786, 473, 756, 0, 624, 0, 566, 0, 906) .

Finally, for a seventh monomial M7=XY, divide XYg=XY(522+542X+571X2+Y by L=804+795X+814X7+X3 and F=Y2+X7 +7X : then XYg=(665+486X+348X2+103X3+814X4+1008X5+571Y)f+XF+110+789X+
294X2+11Y+627XY+897X2Y, whereby a remainder 110+789X+294X2+11Y+627XY+897X2Y is obtained to generate a vector v7=(110,789,294,0,11,0,627,0,897). Above, the process of the second ideal reduction section 13 in the polynomial vector generation section 32 is finished.

Next, in the basis construction section 33, this ideal reduction section 13 inputs seven nine-dimensional vectors vl, vZ, v3i v4r v5, v6, and v-, generated in the polynomial vector generation section 32 into the linear-relation derivation section 34, and obtains a plurality of seven-dimensional vectors m1r m2, ... as an output. The linear-relation derivation section 34 derives a linear relation of the vectors, which were input, employing the discharging method. The discharging method belongs to a known art, whereby, as to the operation of the linear-relation derivation section 34, only its outline is shown below.

The linear-relation derivation section 34 firstly arranges the seven nine-dimensional vectors vl, v2, v3r v4, v5i v6, and v~, which were input, in order for constructing a 7x9 matrix [EQ. 26]

MR = 125 156 624 0 205 0 214 0 195 Next, the linear-relation derivation section 34 connects a seven-dimensional unity matrix to the matrix MR
to construct [EQ. 27]

M'R = 125 156 624 0 205 0 214 0 195 0 0 0 1 0 0 0 Next, the linear-relation derivation section 34 triangulates a matrix M'Rby adding a constant multiple of an i-th row to an (i+1)-th row (i.=1,2,3) to a seventh row to obtain the following matrix m.

[EQ. 28]

m= 0 0 0 0 0 0 0 0 0 804 795 814 1 0 0 0 As well known, the vector that is composed of a tenth component and afterward of a fourth row to a seventh row of the matrix m is a vector { (iTl1,lrTCl1,2.....m1,n) , (Il't2,i,m2,2r=--.ITl2,n) r....1 representing a linearly-independent linear dependence relation yi'm1iv;,=0(j=1,2,...) of all of the seven 12-dimensional vectors v1, v2, v3, v4r Vs, v6, and v7 that were input. The linear-relation derivation section 34 outputs a vector ml=(804,795,814,1,0,0,0) that is composed of the tenth component and afterward of the fourth row of the matrix m, a vector m2=(487,467,438,0,1,0,0) that is composed of the tenth component and afterward of the fifth row of the matrix m, and a vector m3=(385,443,103,0,0,1,0) that is composed of the tenth component and afterward of the sixth row of the matrix m, and a vector m4= ( 998, 382, 112, 0, 0, 0, 1) that is composed of the tenth component and afterward of the seventh row of the matrix m.

Now return to the explanation of the process of the second ideal reduction section 13 in the basis construction section 33. Next, this ideal reduction section 13 makes a reference to the table for a Groebner basis construction of Fig. 11, retrieves a record, of which the value of the order field is said value d=3, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors ml=(804,795,814,1,0,0,0), m2=(487, 467, 438, 0, 1, 0, 0), m3=(385, 443, 103, 0, 0, 1, 0) , and m4=(998,382,112,0,0,0,1). The value of the order field of an eleventh record is 3, and a vector, of which the component number lists 4, 5, 6, and 7 of the eleventh record are all zero, does not lie in the vectors ml, m2, m3s and m4r whereby the eleventh record is obtained as a retrieval result.

Furthermore, the value of the first vector type of the eleventh record is (*,*,*,1s0,0,0)(A code * is interpreted as representing any number), which coincides with the vector ml=(804,795,814,1,0,0,0), whereby the vector ml is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, X3, Y, X4, and XY of the algebraic curve parameter file A to generate a polynomial f1=804+795X+814X2+X3.

Similarly, the value of the second vector type of the eleventh record is (*,*,*,0,1,0,0)(A code * is interpreted as representing any number), which coincides with the vector m2=(487,467,438,0,1,0,0), whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, X3, Y, X4, and XY of the algebraic curve parameter file A to generate a polynomial f2=487+467X+438X2+Y. The value of the third vector type of the eleventh record is null, whereby it is neglected.

Finally, the ideal reduction section 13 constructs a set J**= { f1, fz} ={804+795X+814X2+X3, 487+467X+438X2+Y} of the polynomial to output it. Above, the operation of the second ideal reduction section 13 is finished. Finally, in the Jacobian group adder of Fig. 1, the Groebner basis J**= {804+795X+814X2+X3,487+467X+438X2+Y} , which the ideal reduction section 13 output, is output from the output apparatus.

Next, the embodiment of the case will be shown in which the C25 curve was employed. In this embodiment, the algebraic curve parameter file of Fig. 12 is employed as an algebraic curve parameter file, -the ideal type table of Fig. 13 as an ideal type table, the monomial list table of Fig. 14 as an monomial list table, and the table for a Groebner basis construction of Fig. 15 as a table for a Groebner basis construction respectively.

In the Jacobian group element adder of Fig. 1, suppose Groebner bases I1= {729+88X+X2, 475+124X+Y}
and 12= {180+422X+X2, 989+423X+Y }

were input of the ideal of the coordinate ring of the algebraic curve designated by the algebraic curve parameter file A, which represents an element of the Jacobian group of the C25 curve designated by the algebraic curve parameter file A 16 and the algebraic curve parameter file A of Fig. 12.

At first, the ideal composition section 11, which takes the algebraic curve parameter file A of Fig. 12, and the above-mentioned Groebner bases Il and 12 as an input, operates as follows according to a flow of the process of the functional block shown in Fig. 2. The ideal composition section 11 firstly makes a reference to the ideal type table of Fig. 13 in the ideal type classification section 21 of Fig. 2, retrieves a record in which the ideal type described in the ideal type field accords with the type of the input ideal I1 for obtaining a sixth record, and acquires a value N1=21 of the ideal type number field and a value d1=2 of the order field of the sixth record. Similarly, the ideal composition section 11 retrieves a record in which the ideal type accords with the type of the input ideal 12 for obtaining the sixth record, and acquires a value N2=21 of the ideal type number field and a value d2=2 of the order field of the sixth record.

Next, the ideal composition section 11 calculates the sum d3=dl+d2=4 of said values d1=2 and d2=2 of said order field in the monomial vector generation section 22, makes a reference to the monomial list table of Fig. 14, retrieves a record of which the value of the order field is said d3=4 for obtaining the first record, and acquires a list of the monomial 1, X, X2, Y, X3, XY, and X4 described in the monomial list field of the first record.
I1 and IZ are different, whereby a remainder to be attained by dividing Mi by Il for each of Mi (1<=i<=7 ) in said list 1, X, X2, Y, X3, XY, and X4 of said monomial is calculated to obtained a polynomial a(')1+a(i) 2X, to arrange its coefficients in order of the monomial order 1, X, ... of the algebraic curve parameter file A, and to generate a vector w`~~ 1= ( a l, a (i) Z) Furthermore, the ideal composition section 11 calculates a remainder to be attained by dividing Mi by 12, obtains a polynomial b(1)1+b'1) 2 X, arranges its coefficients in order of the monomial order 1, X, ... of the algebraic curve parameter file A, generates a vector w(1) 2= (b")1,b(1)2) , and connects the above-mentioned two vectors w('-)1 and w(1) 2 for generating a vector v;=(a(l)l,a(`) ,,b"' 1,b'''2) . That is, divide M1=1 by Il: then 1=0 (729+88X+X2) +0 (475+124X+Y) +1, whereby 1 is obtained as a remainder to generate a vector w(1)1= (1, 0). Furthermore, divide Ml =1 by 12: then 1=0=(180+422X+X2)+0=(989+423X+Y)+1, whereby 1 is obtained as a remainder to generate a vector w ( 1 ) 2=(1, 0) . w(1) 1 and w(1) 2 are connected to generate a vector v1=(1,0,1,0) Next, divide M2=X by Il n then X=0=(729+88X+Xz)+0=(475+124X+Y)+X, whereby, X is obtained as a remainder to generate a vector w(z) 1=(0,1).

Furthermore, divide M2=X by 12: then X=0=(180+422X+X2)+0=(989+423X+Y)+X, whereby X is obtained as a remainder to generate a vector w(2) ?= ( 0, 1) . w(') 1 and w(2) 2 are connected to generate a vector v2= (0, 1, 0, 1) Next, divide M3=X2 by I_ : then X2=1 = (729+88X+X2)+0 = (475+124X+Y)+280+921X, whereby, 280+921X is obtained as a remainder to generate a vector w(')1=(280, 921) . Furthermore, divide M3=X2 by 12: then x 2=1 = (180+422X+X2)+0 = (989+423X+Y)+829+587X, whereby 829+587X is obtained as a remainder to generate a vector w(3) 2=(829,587). w(3'1 and w(3) 2 are connected to generate a vector v3=(280,921,829,587).

Next, divide M4=Y by I1: then Y=0 = (729+88X+X2) +1 = (475+124X+Y)+534+885X, whereby 534+885X is obtained as a remainder to generate a vector w(4)1=(534,885) . Furthermore, divide M4=Y by 12: then Y=0=(180+422X+X2)+1=(989+423X+Y)+20+586X, whereby 20+586X
is obtained as a remainder to generate a vector w(4) 2= (20, 586) , w(4) 1 and w(4) 2 are connected to generate a vector v4= (534, 885, 20, 586) .

Next, divide M5=X3 by Il: then X3= (921+X) (729+88X+X2) +0 ^ (475+124X+Y) +585+961X, whereby 585+961X is obtained as a remainder to generate a vector w(5) 1=(585,961) .

Furthermore, divide M5=X3 by 12: then X3=(587+X)(180+422X+X2)+0 (989+423X+Y)+285+320X, whereby 285+320X is obtained as a remainder to generate a vector w(5) 2=(285,320). w(5) 1 and w(5) 2 are connected to generate a vector v5=(585,961,285,320). Next, divide M6=XY by I1: then XY=885 (729+88X+X2) +X = (475+124X+Y) +595+347X, whereby 595+347X is obtained as a remainder to generate a vector w(6}-=(595,347) .

Furthermore, divide M6=XY by 12: then XY=586(180+422X+X2)+X(989+423X+Y)+465+942X, whereby 465+942X is obtained as a remainder to generate a vector w(6) 2=(465,942). w(6) 1 and w(6) 2 are connected to generate a vector v6= (595, 347, 465, 942) .

Finally, divide M7=X4 by I1: then X4= ( 961+921X+X2) (729+88X+X2) +0 (475+124X+Y) +686+773X, whereby, 686+773X is obtained as a remainder to generate a vector w'') 1= ( 686, 773 ). Furthermore, divide M-7=X4 by 12 :

then X4=(320+587X+X2) (180+422X+X2)+0 = (989+423X+Y)+922+451X, whereby 922+451X is obtained as a remainder to generate a vector w(') 2= (922, 451) , w(7) 1 and w(7) 2 are connected to generate a vector v7=(686,773,922,451). Above, the process of the ideal composition section 11 in the monomial vector generation section 22 is finished.

Next, in the basis construction section 23, the ideal composition section 11 inputs seven four-dimensional vectors vl, v2r v3, v4, v5, v6, and v7 generated in the monomial vector generation section 22 into the linear-relation derivation section 24, and obtains a plurality of seven-dimensional vectors ml, m2r ... as an output. The linear-relation derivation section 24 derives a linear relation of the vectors, which were input, employing the discharging method. The discharging method belongs to a known art, whereby, as to the operation of the linear-relation derivation section 24, only its outline is shown below. The linear-relation derivation section 24 firstly arranges the seven four-dilClensional vectors vl, v2r V3s v4r v5, v6i and v7, which were input, in order for constructing a 7x4 matrix [EQ. 29]

Mc = 534 885 20 586 Next, the linear-relation derivation section 24 connects a seven-dimensional unity matrix to the matrix Mc to obtain [EQ. 30]

M'~ = 534 885 20 586 0 0 0 1 0 0 0 Next, the linear-relation derivation section 24 triangulates a matrix M'C by adding a constant multiple of an i-th row to an (i+l)-th row (i=1,2,...,4) to a seventh row to obtain the following a matrix m.
[EQ. 31]

m= 0 0 0 548 744 789 363 1 0 0 0 As well known, the vector that is composed of a fifth component and afterward of a fifth row to a seventh row of the matrix m is a vector { (ml,lrml,2r...rm1,7) r (m2,lrm2,2,...rm2,7) r...} representing a linearly-independent linear dependence relation Zi-17mjivi=0 (j=1, 2,...) of all of the seven four-dimensional vectors vl, v2, v;, v4, v5, v6r and v7 that were input.

The linear-relation derivation section 24 outputs a vector m1=(444,709,900,42,1,0,0) that is composed of the fifth component and afterward of the fifth row of the matrix m, a vector m2= ( 969, 716, 940, 619, 0, 1, 0) that is composed of the fifth component and afterward of the sixth row of the matrix m, and a vector m3=(635,230,807,778,0,0,1) that is composed of the fifth component and afterward of the seventh row of the matrix m.

Now return to the explanation of the process of the ideal composition section 11 in the basis construction section 23. Next, the ideal composition section 11 makes a reference to the table for a Groebner basis construction of Fig. 15, retrieves a record, of which the value of the order field is said value d3=4, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1=(444,709,900,42,1,0,0), m2=(969,716,940,619,0,1,0), and m3=(635,230,807,778,0,0,1). The value of the order field of a first record is 4, and a vector, of which the components that correspond to the component number lists, 5, 6, and 7 of the first record are all zero, does not lie in the vectors m1, m2m and m3i whereby the first record is obtained as a retrieval result.

Furthermore, the value of the first vector type of the first record is (*,*,*,*,1,0,0)(A code * is interpreted as representing any number), which coincides with the vector ml= (444, 709, 900, 42, 1, 0, 0), whereby the vector ml is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, Y, X3, XY, and X4 of the algebraic curve parameter file A to generate a polynomial f1=444+709X+900X2+42Y+X3.

Similarly, the value of the second vector type of the first record is (*,*,*,*,0,1,0)(A code * is interpreted as representing any number), which coin.cides with the vector m2= ( 969, 716, 940, 619, 0, 1, 0), whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, Y, X3, XY, and X4 of the algebraic curve parameter file A to generate a polynomial f2=969+716X+940X2+619Y+XY. The value of the third vector type of the first record is null, whereby it is neglected.
Finally, the ideal composition section 11 constructs a set J= { fi, f2} = {444+709X+900X2 +42Y+X3, 969+716X+940X2+619Y+XY}
of the polynomial to output it. Above, the operation of the ideal composition section 11 is finished.

Next, the first ideal reduction section 12, which takes as an input the algebraic curve parameter file A of Fig. 12, and the Groebner bases J= {444+709X+900X2 +42Y+X3,969+716X+940X2+619Y+XY} that the ideal composition section 11 output, operates as follows according to a flow of the process of the functional block shown in Fig. 3. At first, the first ideal reduction section 12 makes a reference to the ideal type table of Fig. 12 in the ideal type classification section 31 of Fig.
3, retrieves a record in which the ideal type described in the ideal type field accords with the type of the input ideal J for obtaining a first record, and acquires a value N=41 of the ideal type number field. and a value d=2 of the reduction order field of the first record.

Next, the ideal reduction section 12 confirms that said value d=2 is not zero, makes a-reference to the monomial list table of Fig. 14 in the polynomial vector generation section 32, retrieves a record of which the value of the order field is said d=2 for obtaining a third record, and acquires a list 1, X, X2, and Y of the monomial described in the monomial list field of the third record. Furthermore, the ideal reductior1 section 12 acquires a first element f=444+709X+900X2+42Y+X3, and a second element g=969+716X+940X2 +619Y+XY of J (A third element does not lie in J, whereby a third polynomial h is not employed), regards a coefficient list 0, 7, 0, 0, 0, 0, 0, 0, 1, and 1 of the algebraic curve parameter file A as a column of the coefficient of each monomial of the monomial order 1, X, X2, Y, X3, XY, X4, X2Y, X5, and Y2 of the algebraic curve parameter file A, and generates a defining polynomial F=Y2+X5+7X.

Next, for each of Mi(1<=i<=4) in sai.d list 1, X, X2 and Y of said monomial, the ideal reduction section 12 calculates a remainder equation ri of a product Mi=g of Mi and the polynomial g by the polynomials f and F, arranges its coefficients in order of the monomial order 1, X, x 2, Y, X3, XY, X4, and X2Y of the algebraic curve parameter file A, and generates a vector vi. That is, at first, for a first monomial M1=1, divide 1=
g=969+716X+940X2+619Y+XY by f=444+709X+900X2+42Y+X3 and F=Y2+X5+7X : then g=0=f+0 F+969+716X+940X2+619Y+XY, whereby a remainder 969+716X+940X2+619Y+XY is obtained to generate a vector v1= (969, 716, 940, 619, 0, 1, 0, 0).

Next, a second monomial M2=X, divide Xg=X(969+716X+940X2+619Y+XY) by f=444+709X+900X2+42Y+X3 and F=Y2+X5+7X: then Xg=940f+0 F+366+449X+258X2+880Y+619XY+X2Y, whereby a remainder 366+449X+258X2+880Y+619XY+X2Y is obtained to generate a vector v2= (366, 449, 258, 880, 0, 619, 0, 1) .

Next, a third monomial M3= X2 , divide XZg=X2(969+716X+940X2+619Y+XY) by f=444+709X+900X2+42Y+X3 and F=Y2+X5+7X: then X2g=(297+473X+42X2+Y) f+967F+311+462X+199X2+199Y+614XY+982X2Y, whereby a remainder 311+462X+199X2+199Y+614XY+982X2Y is obtained to generate a vector v3=(311,462,199,199,0,614,0,982).
Finally, a fourth monomial M4=Y, divide Yg=Y(969+716X+940X2+619Y+XY) by f=444+709X+900X2+42Y+X3 and F=Y2+X5+7X: then Yg=(994+625X+27X2+1008X3+42Y)f +(873+X)F+606+463X+322X2+104Y+183XY+348X2Y, whereby a remainder 606+463X+322X2+104Y+183XY+348X2Y is obtained to generate a vector v4=(606,463,322,104,0,183,0,348). Above, the process of the ideal reduction section 12 in the polynomial vector generation section 32 is finished.

Next, in the basis construction section 33, the first ideal reduction section 12 inputs four eight-dimensional vectors vi, v2r v3, and v4 generated in the polynomial vector generation section 32 into the linear-relation derivation section 34, and obtains a plurality of four-dimensional vectors ml, m2r ... as an output. The linear-relation derivation section 34 derives a. linear relation of the vectors, which were input, employing the discharging method. The discharging method belongs to a known art, whereby, as to the operation of the linear-relation derivation section 34, only its outline is shown below.

The linear-relation derivation section 34 firstly arranges the four eight-dimensional vectors vl, v2v v3r and, v4, which were input, in order for constructing a 4x8 matrix [EQ. 32]

_ 366 449 258 880 0 619 0 1 Next, the linear-relation derivation section 34 connects a four-dimensional unity matrix to the matrix MR
to construct [EQ. 33]

_ 366 449 258 880 0 619 0 1 0 1 0 0 Next, the linear-relation derivation section 34 triangulates a matrix M'Rby adding a constant multiple of an i-th row to an (i+l)-th row (i=1,2) to a fourth row to obtain the following matrix m.
[EQ. 34]

m=

0 0 0 0 0 0 0 0 312 661 0 1) As well known, the vector that is composed of a ninth component and afterward of a third row and a fourth row of the matrix m is a vector t(m1,1rm1,2r===rm1,4) r(m2,1rm2,2r-rm2,4) r==) representing a linearly-independent linear dependence relation Ei=14mjivi=0 (j=1, 2,...) of all of the four eight-dimensional vectors vl, v2r v3, and v4 that were input. The linear-relation derivation section 34 outputs a vector m1=(835,27,1,0) that is composed of the ninth component and afterward of the third row of the matrix m, and a vector m2=(312,661,0,1) that is composed of the ninth component and afterward of the fourth row of the matrix m.
Now return to the explanation of the process of the first ideal reduction section 12 in the basis corzstruction section 33. Next, the ideal reduction section 12 makes a reference to the table for a Groebner basis construction of Fig. 15, and retrieves a record, of which the value of the order field is said value d=2, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1= (835, 27, 1, 0) , and m2= (312, 661, 0, 1) . The value of the order field of a sixth record is 2, and a vector, of which the components that correspond to the component number lists 3 and 4 of the sixth record are all zero, does not lie in the vectors ml and m2, whereby the sixth record is obtained as a retrieval result.

Furthermore, the value of the first vector type of the sixth record is (*,*,1,0)(A code * is interpreted as representing any number), which coincides with the vector m1=(835,27,1,0), whereby the vector m1 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, XZ, and Y of the algebraic curve parameter file A to generate a polynomial f1=835+27X+X2. Similarly, the value of the second vector type of the sixth record is (*,*,0,1)(A code * is interpreted as representing any number), which coincides with the vector m2=(312,661,0,1), whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2,and Y of the algebraic curve parameter file A to generate a polynomial f2=312+661X+Y. The value of the third vector type of the sixth record is null, whereby it is neglected. Finally, the ideal reduction section 12 constructs a set J*= { fl, f2} ={835+27X+X2, 312+661X+Y} of the polynomial to output it. Above, the operation of the first ideal reduction section 12 is finished.

Next, the second ideal reduction section 13, which takes as an input the algebraic curve parameter file A of Fig. 12, and the Groebner basis J*= {fl,f2} =

{835+27X+X2,312+661X+Y} that the first ideal reduction section 12 output, operates as follows according to a flow of the process of the functional block shown in Fig. 3. At first, the second ideal reduction section 13 makes a reference to the ideal type table of Fig. 13 in the ideal type classification section 31 of Fig. 3, retrieves a record in which the ideal type described in the ideal type field accords with the type of the input ideal J* for obtaining a sixth record, and acquires a value N=21 of the ideal type number field and a value d=2 of the reduction order field of the sixth record.

Next, the ideal reduction section 13 confirms that said value d=2 is not zero, makes a reference to the monomial list table of Fig. 14 in the polynomial vector generation section 32, retrieves a record of which the value of the order field is said d=2 for obtaining a third record, and acquires a list 1, X, X2, and Y of the monomial described in the monomial list field of the third record. Furthermore, the ideal reduction section 13 acquires a first element f=835+27X+X2 , and a second element g=312+661X+Y of J* (A third element does not lie in J*, whereby a third polynomial h is not employed), regards a coefficient list 0, 7, 0, 0, 0, 0, 0, 0, 1, and 1 of the algebraic curve parameter file A as a column of the coefficient of each monomial of the monomial order 1, X, XZ, Y, X3, XY, x 4, XZY, X', and YZ of the algebraic curve parameter file A, and generates a defining polynomial F=Y2+X5+7X.

Next, for each of Mi(1<=i<=4) in said list 1, X, X2 and Y of said monomial, the ideal reduction section 13 calculates a remainder equation ri of a product Mi=g of Mi and the polynomial g by the polynomials f and F, arranges its coefficients in order of the monomial order 1, X, XZ, Y, X3, XY, X4, and X2Y of the algebraic curve parameter file A, and generates a vector vi. That is, at first, for a first monomial M1=1, divide 1 g=312+661X+Y by f=835+27X+X2 and F=Y2+X5+7X: then g=0 f+0 F+312+661X+Y, whereby a remainder 312+661X+Y is obtained to generate a vector v1=(312,661,0,1,0,0) .

Next, a second monomial M2=X, divide Xg=X(312+661X+Y) by f=835+27X+X2 and F=Y2+X5+7X: then Xg=661f+0 F+997+627X+XY, whereby a remainder 997+627X+XY is obtained to generate a vector v2=(997,627,0,0,0,1). Next, a third monomial M3= X2, divide X2 g= XZ(312+661X+Y) by f=835+27X+X2 and F=Y2+X5+7X: then X2g= ( 627+661X+Y) f+0 F+126+212X+174Y+982XY, whereby a remainder 126+212X+174Y+982XY is obtained to generate a vector v3=(126,212,0,174,0,982).

Finally, a fourth monomial M4=Y, divide Yg=Y(312+661X+Y) by f=835+27X+X2 and F=Y2+X5+7X: then Yg=(827+106X+27X2+1008X3)f+1=F+620+144X+312Y+661XY, whereby a remainder 620+144X+312Y+661XY is obtained to generate a vector v4=(620,144,0,312,0,661). Above, the process of the second ideal reduction section 13 in the polynomial vector generation section 32 is finished.
Next, in the basis construction section 33, this second ideal reduction section 13 inputs four six-dimensional vectors vl, v2r v3, and v4 generated in the polynomial vector generation section 32 into the linear-relation derivation section 34, and obtains a plurality of four-dimensional vectors ml, m2r ... as an output. The linear-relation derivation section 34 derives a linear relation of the vectors, which were input, employing the discharging method. The discharging method belongs to a known art, whereby, as to the operation of the linear-relation derivation section 34, only its outline is shown below.

The linear-relation derivation section 34 firstly arranges the four six-dimensional vectors vl, v2r v3, and, v4, which were input, in order for constructing a 4x6 matrix [EQ. 35]

2 0 MR = 126 212 0 174 0 982 Next, the linear-relation derivation section 34 connects a four-dimensional unity matrix to the matrix MR
to construct [EQ. 36]

_ 997 627 0 0 0 1 0 1 0 0 Next, the linear-relation derivation section 34 triangulates a matrix M Rby adding a constant multiple of an i-th row to an (i+l)-th row (i=1,2) to a fourth row to obtain the following matrix m.

[EQ. 37]

m=

As well known, the vector that is composed of a seventh component and afterward of a third row and a fourth row of the matrix m is a vector l (m1,1.m1,2r===rm1,4) r (m2,lom2,2r.==rm2,4) ,===} representing a linearly-independent linear dependence relation E i-14mjivi=0(j=1,2,...) of all of the four six-dimensional vectors vl, v2r v3, and v4 that were input.

The linear-relation derivation section 34 outputs a vector m1=(835,27,1,0) that is composed of the seventh component and afterward of the third row of the matrix m, and a vector m2=(697,348,0,1) that is composed of the seventh component and afterward of the fourth row of the matrix m. Now return to the explanation of the process of the ideal reduction section 13 in the basis construction section 33. Next, the ideal reduction section 13 makes a reference to the table for a Groebner basis construction of Fig. 15, retrieves a record, of which the valize of the order field is said value d=2, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1=(835,27,1,0), and m2=(697,348,0,1) . The value of the order field of a sixth record is 2, and a vector, of which the component number lists 3 and 4 of the sixth record are all zero, does not lie in the vectors ml, and m2v whereby the sixth record is obtained as a retrieval result.

Furthermore, the value of the first vector type of the sixth record is (*,*,1,0)(A code * is interpreted as representing any number), which coincides with the vector ml= ( 835, 27, 1, 0), whereby the vector m1 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2, and Y of the algebraic curve parameter file A to generate a polynomial f1=835+27X+X2. Similarly, the value of the second vector type of the sixth record is (*,*,0,1)(A code * is interpreted as representing any number), which coincides with the vector m2=(697,348,0,1), whereby the vector m2 is regarded as a column of the coefficient of each monomial of the monomial order 1, X, X2,and Y of the algebraic curve parameter file A to generate a polynomial f2=697+348X+Y. The value of the third vector type of the sixth record is null, whereby it is neglected. Finally, the ideal reduction section 13 constructs a set J**= { f1r f2} ={835+27X+X2, 697+348X+Y} of the polynomial to output it. Above, the operation of the ideal reduction section 13 is finished.

Finally, in the Jacobian group adder of Fig. 1, the Groebner basis J**= {835+27X+X2,697+348X+Y} , which the second ideal reduction section 13 output, is output from the output apparatus.

The effect exists: employment of the present invention allows the addition in the Jacobian group of the Cab curve to be calculated at a high speed, and practicality of the Cab curve to be enhanced.

The present invention has been described with reference to the preferred embodiments. However, it will be appreciated by those skilled in the relevant field that a number of other embodiments, differing from those specifically described, will also fall within the sprit and scope of the present invention. Accordingly, it will be understood that the invention is not intended to be limited to the embodiments described in the specification.
The scope of the invention is only limited by attached claims.

Claims (5)

1 A computer implemented Jacobian group element adder for efficiently expediting the additive algorithm in the Jacobian group element adder of a Cab curve cryptography, the Jacobian group element adder being an arithmetic unit for executing addition in a Jacobian group of an algebraic curve defined by a polynomial defined over a finite field that is Y3+ .alpha. 0X4+ .alpha. 1XY2 + .alpha. 2X2Y+ .alpha. 3X3+ .alpha. Y2+ .alpha.
5XY+ .alpha. 6X2+ .alpha. 7Y+ .alpha. 8X+ .alpha. 9 or Y2+ .alpha. 0X5+ .alpha. 1X2Y+ .alpha. 2X4+ .alpha. 3XY+ .alpha. 4 X3+ .alpha.
5Y+ .alpha. 6X2+ .alpha. 7X+ .alpha. 8 or Y2+ .alpha. 0X7+ .alpha. 1X3Y+ .alpha. 2X6+ .alpha. 3X2Y+ .alpha. 4X5+ .alpha.
5XY+ .alpha. 6X4+ .alpha.7Y+ .alpha. 8X3+ .alpha. 9X2+ .alpha.
10X+.alpha.11, said Jacobian group element adder comprising:

means for inputting an algebraic curve parameter file having an order of a field of definition, a monomial order, and a coefficient list described as a parameter representing said algebraic curve;

means for inputting Groebner bases I1 and I2 of ideals of the coordinatering of the algebraic curve designated by said algebraic curve parameter file, said Groebner bases representing elements of said Jacobian group;

ideal reduction means for, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of producing a Groebner basis J of the ideal which is a product of the ideal that the Groebner basis I1 generates, and the ideal that the Groebner basis 12 generates;

first ideal reduction means for, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of producing a Groebner basis J* of the ideal, which is smallest in the monomial order designated by said algebraic curve parameter file among the ideals equivalent to an inverse ideal of the ideal that the Groebner basis J generates;
and second ideal reduction means for, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of producing a Groebner basis J** of the ideal, which is smallest in the monomial order designated by said algebraic curve parameter file among the ideals equivalent to an inverse ideal of the ideal that the Groebner basis J* generates, to output it.
2 The Jacobian group element adder according to claim 1, wherein said ideal composition means has:

linear-relation derivation means for, for a plurality of vectors v1, v2, ..., and v n that were input, outputting a plurality of vectors {m1=(m1,1,m1,2,...,m1,n),m2=(m2,1,m2,2,...,m2,n),...} representing linear dependence relations .SIGMA.i m j,i v i=0 (j=1,2,...) of all of them employing a discharging method;

an ideal type table that is composed of a record number field, an ideal type number field, an order field, and an ideal type field;

a monomial list table that is composed of the record number field, the order field, and a monomial list field;
a table for a Groebner basis construction that is composed of the record number field, the order field, a component number list field, a first vector type field, a second vector type field, and a third vector type field;

ideal type classification means for acquiring said algebraic curve parameter file to make a reference to said ideal type table for each of Groebner bases I1 and I2 that were input, to retrieve a record in which the ideal type described in the ideal type field accords with the type of an input ideal I i(i=1,2), and to acquire a value Ni of the ideal type number field and a value di of the order field of the retrieved record;

monomial vector generation means for calculating a sum d3=d1+d2 of said values d1 and d2 of said order field to make a reference to said monomial list table for retrieving a record R of which a value of the order field is said d3, to acquire a list M1, M2, ... of the monomial described in said monomial list field of said record R, when I1 and I2 are different, to calculate a remainder equation r1 of dividing each said.monomial M i by I1, to generate a vector w(i)1 that is composed of coefficients of the remainder equation r i according to the monomial order described in said algebraic curve parameter file, furthermore to calculate a remainder equation s i of dividing M i by 12, to generate a vector w(i) 2 that is composed of coefficients of the remainder equation s i according to the monomial order described in an algebraic curve parameter file A, to connect the above-mentioned two vectors w(i)1 and w(i)2 for generating a vector v i, also, when I1 and I2 are equal, to calculate a remainder equation r i of dividing each said monomial M i by I1, to generate a vector w(i)1 that is composed of coefficients of the remainder equation r i according to the monomial order described in said algebraic curve parameter file, furthermore to construct a defining polynomial F employing the coefficient list and the monomial order described in said algebraic curve parameter file, when a differential of a polynomial M with regard to by its X is expressed by D X(M), and a differential of the polynomial M with regard to by its Y is expressed by D Y(M), to calculate a remainder equation si of dividing a polynomial D X (M i) D Y (F) -D Y (M i) D X (F) by I1, to generate a vector w(i) 2 that is composed of coefficients of the remainder equation s i according to the monomial order described in said algebraic curve parameter, file, and to connect the above-mentioned two vectors w(i)1 and w(i) 2 for generating a vector vi; and basis construction means for inputting said plurality of said vectors v1, v2, ... into said linear-relation derivation means, to acquire a plurality of vectors m1, m2, ... as an output, to make a reference to said table for a Groebner basis construction for retrieving a record R2, of which a value of the order field is said value d3, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1, m2, ..., to select a vector m that accords with a first vector type of said record R2 from among said plurality of said vectors m1, m2, ..., to generate a polynomial f1 of which the coefficient is a value of a component of the vector m according to the monomial order described in said algebraic curve parameter file, hereinafter, similarly, to generate a polynomial f2 employing a vector that accords with a second vector type, and also a polynomial f3 employing a vector that accords with a third vector type, to obtain a set J= {f1,f2,f3} of the polynomial, and to output it as said Groebner basis J.
3 The Jacobian group element adder according to claim 1 or claim 2 , wherein each of said first and said second ideal reduction means has:

linear-relation derivation means for, for a plurality of vectors v1, v2, ..., and v n that were input, outputting a plurality of vectors {m1=(m1,1,m1,2,...,m1,n) -m2=(m2,1,m2,2,...,m2,n),...} representing linear dependence relations E i m j,i v i=0(j=1,2,...) of all of them employing a discharging method ;

an ideal type table that is composed of the record number field, the ideal type number field, a reduction order field, and the ideal type field;

a monomial list table that is composed of the record number field, the order field, and the monomial list field;

a table for a Groebner basis construction that is composed of the record number field, the order field, the component number list field, the first vector type field, the second vector type field, and the,third vector type field;

ideal type classification means for acquiring said algebraic curve parameter file to make a reference to said ideal type table, to retrieve a record in which the ideal type described in the ideal type field accords with the type of an input ideal J, to acquires a value N of the ideal type number field and a value d of the reduction order field of the retrieved record;

polynomial vector generation means for, when said d is zero, outputting the input ideal J as said Groebner basis J*, when said d is not zero, to make a reference to said monomial list table for retrieving a record R of which a value of the order field is said d, to acquire a list M1, M2, ... of the monomial described in the monomial list field of said record R, to construct a defining polynomial F
employing the coefficient list and the monomial order described in said algebraic curve parameter file, to acquire a first polynomial f, a second polynomial g, and a third polynomial h of the input ideal J, to calculate a remainder equation r i of a product Mi.cndot.g of each said monomial M i and the polynomial g by the polynomials f and F, to generate a vector w(i), that is composed of coefficients of the remainder equation r i according to the monomial order described in said algebraic curve parameter file, furthermore to calculate a remainder equation s i of a product Mi.cndot.h of each said monomial M i and the polynomial h by the polynomials f and F, to generate a vector w(i) 2 that is composed of coefficients of the remainder equation s i according to the monomial order described in said algebraic curve parameter file, and to connect the above-mentioned two vectors w(i)1 and w(i) 2 for generating a vector v i;

and basis construction means for inputting said plurality of said vectors v1, v2, ... into said linear-relation derivation means, to obtain a plurality of vectors m1, m2, ... as an output, to make a reference to said table for a Groebner basis construction for retrieving a record R2 of which a value of the order field is said value d, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1, m2, ..., to select a vector m that accords with a first vector type of said record R2 from among said plurality of said vectors m1, m2, ..., to generate a polynomial f1 of which a coefficient is a value of the component of the vector m according to the monomial order described in said algebraic curve parameter file, hereinafter, similarly, to generate a polynomial f2 employing the vector that accords with a second vector type, and also a polynomial f3 employing the vector that accords with a third vector type, to obtain a set {f1, f2, f3} of the polynomial, and to output it as said Groebner basis J* or J**.
4 A record medium for efficiently expediting the additive algorithm in the Jacobian group element adder of a Cab curve cryptography, the record medium having a program recorded for causing an information processing unit configuring an arithmetic unit for executing addition in a Jacobian group of an algebraic curve defined by a polynomial defined over a finite field that is Y3+ .alpha. 0X4+ .alpha. 1XY2+ .alpha. 2X2Y+ .alpha. 3X3+ .alpha. 4Y2+ .alpha.
5XY+ .alpha. 6X2 + .alpha. 7Y+ .alpha. 8X+ .alpha. 9 or Y2+ .alpha. 0X5+ .alpha. 1X2Y+ .alpha. 2 X4+ .alpha. 3XY+ .alpha. 4X3+ .alpha.
5Y+ .alpha. 6X2+ .alpha. 7X+ .alpha. 8 or Y2+ .alpha. 0X7 + .alpha. 1X3Y+ .alpha. 2X6+ .alpha. 3X2Y+ .alpha. 4X5+
.alpha. 5XY+ .alpha. 6X9+ .alpha. 7Y+ .alpha. 8X3+ .alpha. 9X2+ .alpha.
10X+ .alpha. 11 to perform:

a process of inputting an algebraic curve parameter file having an order of a field of definition, a monomial order, and a coefficient list described as a parameter representing said algebraic curve;

a process of inputting Groebner bases I1 and I2 of ideals of the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, said Groebner bases representing an element of said Jacobian group;

an ideal composition process of, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of producing a Groebner basis J of an ideal which is a product of the ideal that the Groebner basis I1 generates, and an ideal that the Groebner basis 12 generates;

a first ideal reduction process of, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of producing a Groebner basis J* of the ideal, which is smallest in the monomial order designated by said algebraic curve parameter file among the ideals equivalent to an inverse ideal of the ideal that the Groebner basis J generates;
and a second ideal reduction process of, in the coordinate ring of the algebraic curve designated by said algebraic curve parameter file, performing arithmetic of producing a Groebner basis J** of the ideal, which is smallest in the monomial order designated by said algebraic curve parameter file among the ideals equivalent to an inverse ideal of the ideal that the Groebner basis J* generates, to output it, said record medium being readable by said information processing unit.

The record medium according to claim 4, said record medium having a program recorded for causing said information processing unit to further perform in said ideal composition process:

a linear-relation derivation process of, for a plurality of vectors v1, v2, ..., and v n that were input, outputting a plurality of vectors {m1=(m1,1,m1,2,...,m1,n).m2= (m2,1,m2,2,...,m2,n),...} representing linear dependence relations .SIGMA. i m j, i v i = 0 (j=1, 2,...) of all of them employing a discharging method;

an ideal type classification process of acquiring said algebraic curve parameter file to make a reference to an ideal type table, which is composed of a record number field, an ideal type number field, an order field, and an ideal type field, for each of Groebner bases I1 and I2 that were input, to retrieve a record in which the ideal type described in the ideal type field accords with the type of an input ideal I i(i=1,2), and to acquire a value N i of the ideal type number field and a value d i of the order field of the retrieved record;

a monomial vector generation process of calculating a sum d3=d1+d2 of said values d1 and d2 of said order field to make a reference to a monomial list table, which is composed of the record number field, the order field, and a monomial list field, for retrieving a record R of which a value of the order field is said d3, to acquire a list M1, M2, ... of the monomial described in said monomial list field of said record R, when I1 and I2 are different, to calculate a remainder equation r i of dividing each said monomial M i by I 1, to generate a vector w(i)1 that is composed of coefficients of the remainder equation r i according to the monomial order described in said algebraic curve parameter file, furthermore to calculate a remainder equation s i of dividing M i by I2, to generate a vector w(i)2 that is composed of coefficients of the remainder equation s i according to the monomial order described in an algebraic curve parameter file A, to connect the above-mentioned two vectors w(i)1 and w (i)2 for generating a vector v i, also, when I1 and I2 are equal, to calculate a remainder equation r i of dividing each said monomial M i by I1, to generate a vector w(i)1 that is composed of coefficients of the remainder equation r i according to the monomial order described in said algebraic curve parameter file, furthermore to construct a defining polynomial F employing the coefficient list and the monomial order described in said algebraic curve parameter file, when a differential of a polynomial M with regard to by its X is expressed by D X(M), and a differential of the polynomial M with regard to by its Y
is expressed by D Y(M), to calculate a remainder equation s i of dividing a polynomial D x (M i) D y (F)-D y (M i)D x (F) by I1, to generate a vector w(i)2 that is composed of coefficients of the remainder equation s i according to the monomial order described in said algebraic curve parameter file, and to connect the above-mentioned two vectors w(i)1 and w (i)2 for generating a vector v i; and a basis construction process of obtaining a plurality of vectors m1, m2, ... output in said linear-relation derivation process, to make a reference to a table for a Groebner basis construction, which is composed of the record number field, the order field, a component number list field, a first vector type field, a second vector type field, and a third vector type field, for retrieving a record R2, of which a value of the order field is said value d3, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1, m2, ..., to select a vector m that accords with a first vector type of said record R2 from among said plurality of said vectors m1, m2, ..., to generate a polynomial f1 of which the coefficient is a value of a component of the vector m according to the monomial order described in said algebraic curve parameter file, hereinafter, similarly, to generate a polynomial f2 employing a vector that accords with a second vector type, and also a polynomial f3 employing a vector that accords with a third vector type, to obtain a set J= {f1,f2,f3} of the polynomial, and to output it as said Groebner basis J.
6 The record medium according to claim 4 or claim
5, said record medium having a program recorded for causing said information processing to further perform in each of said first and second ideal reduction processes:
a linear-relation derivation process of, for a plurality of vectors v1, v2, ..., and v n that were input, outputting a plurality of vectors {m1= (m1,1,m1,2,....m1,n), m2= (m2,1,m2,2,...,m2,n),...} representing linear dependence relations .SIGMA.i m j,i v i=0 (j=1,2,...) of all of them employing a discharging method ;

an ideal type classification process of acquiring said algebraic curve parameter file to make a reference to a ideal type table, which is composed of the record number field, the ideal type number field, a reduction order field, and the ideal type field, to retrieve a record in which the ideal type described in the ideal type field accords with the type of an input ideal J, and to acquire a value N of the ideal type number field and a value d of the reduction order field of the retrieved record;

a polynomial vector generation process of, when said d is zero, outputting the input ideal J as said Groebner basis J*, when said d is not zero, to make a reference to a monomial list table, which is composed of the record number field, the order field, and the monomial list field, for retrieving a record R of which a value of the order field is said d, to acquire a list M1, M2, ... of the monomial described in the monomial list field of said record R, to construct a defining polynomial F employing the coefficient list and the monomial order described in said algebraic curve parameter file, to acquire a first polynomial f, a second polynomial g, and a third polynomial h of the input ideal J, to calculate a remainder equation r i of a product M i.cndot.g of each said monomial M i and said polynomial g by the polynomials f and F, to generate a vector w (i)1 that is composed of coefficients of the remainder equation r i according to the monomial order described in said algebraic curve parameter file, furthermore to calculate a remainder equation s i of a product M i .cndot. h of each said monomial M i and the polynomial h by the polynomials f and F, to generate a vector w(i) 2 that is composed of coefficients of the remainder equation s i according to the monomial order described in said algebraic curve parameter file, and to connect the above-mentioned two vectors w(i)1 and w(i) 2 for generating a vector v i; and a basis construction process of obtaining a plurality of vectors m1, m2, ... output in said linear-relation derivation process to make a reference to a table for a Groebner basis construction, which is composed of the record number field, the order field, the component number list field, the first vector type field, the second vector type field, and the third vector type field, for retrieving a record R2 of which a value of the order field is said value d, and in which a vector of which the components that correspond to all component numbers described in the component number list field are all zero does not lie in said plurality of said vectors m1, m2, ..., to select a vector m that accords with a first vector type of said record R2 from among said plurality of said vectors m1, m2, ..., to generate a polynomial f1 of which a coefficient is a value of the component of the vector m according to the monomial order described in said algebraic curve parameter file, hereinafter, similarly, to generate a polynomial f2 employing the vector that accords with a second vector type, and also a polynomial f3 employing the vector that accords with a third vector type, to obtain a set {f1,f2,f3} of the polynomial, and to output it as said Groebner basis J* or J**.
CA002437401A 2002-08-21 2003-08-14 Jacobian group element adder Expired - Fee Related CA2437401C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2002240034A JP4304937B2 (en) 2002-08-21 2002-08-21 Jacobian group element adder
JPJP2002-240034 2002-08-21

Publications (2)

Publication Number Publication Date
CA2437401A1 CA2437401A1 (en) 2004-02-21
CA2437401C true CA2437401C (en) 2009-07-21

Family

ID=31884506

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002437401A Expired - Fee Related CA2437401C (en) 2002-08-21 2003-08-14 Jacobian group element adder

Country Status (3)

Country Link
US (1) US7197528B2 (en)
JP (1) JP4304937B2 (en)
CA (1) CA2437401C (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4752313B2 (en) * 2004-09-30 2011-08-17 ソニー株式会社 Cryptographic processing operation method, cryptographic processing apparatus, and computer program
JP2008203548A (en) * 2007-02-20 2008-09-04 Oki Electric Ind Co Ltd Key generating method using quadric hyperbolic curve group, decoding method, signature verification method, key stream generating method and device
US20090157788A1 (en) * 2007-10-31 2009-06-18 Research In Motion Limited Modular squaring in binary field arithmetic
US8401179B2 (en) * 2008-01-18 2013-03-19 Mitsubishi Electric Corporation Encryption parameter setting apparatus, key generation apparatus, cryptographic system, program, encryption parameter setting method, and key generation method
RU2010152794A (en) * 2010-12-24 2012-06-27 ЭлЭсАй Корпорейшн (US) METHOD AND DEVICE (OPTIONS) FOR CALCULATING THE OPERATION OF THE JACOBI LOGARITHM

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3292107B2 (en) * 1997-08-28 2002-06-17 日本電気株式会社 Double vector adder, double vector doubler and double vector integer multiplier
JP2000206879A (en) * 1999-01-14 2000-07-28 Internatl Business Mach Corp <Ibm> Device and method for operating group calculations of jacobi variety of hyperelliptic curve defined on galois field with two characteristics
US6611597B1 (en) * 1999-01-25 2003-08-26 Matsushita Electric Industrial Co., Ltd. Method and device for constructing elliptic curves
JP3551853B2 (en) * 1999-08-27 2004-08-11 日本電気株式会社 Secure parameter generation apparatus, generation method, and recording medium in algebraic curve cryptography having a definition equation of the form αYa + βXb + 1 = 0
US7020776B2 (en) * 2000-06-22 2006-03-28 Microsoft Corporation Cryptosystem based on a Jacobian of a curve
US7043015B2 (en) * 2002-10-31 2006-05-09 Microsoft Corporation Methods for point compression for Jacobians of hyperelliptic curves

Also Published As

Publication number Publication date
JP2004077948A (en) 2004-03-11
US7197528B2 (en) 2007-03-27
US20040039768A1 (en) 2004-02-26
JP4304937B2 (en) 2009-07-29
CA2437401A1 (en) 2004-02-21

Similar Documents

Publication Publication Date Title
Bardet et al. On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations
Smale Algorithms for solving equations
Gianni et al. Gröbner bases and primary decomposition of polynomial ideals
CA2881033A1 (en) Method and system for solving lagrangian dual of a constrained binary quadratic programming problem
Grimm et al. Moduli stabilization in asymptotic flux compactifications
WO2021149518A1 (en) Conversion device for secure computation, secure computation system, conversion method for secure computation, and conversion program for secure computation
CA2437401C (en) Jacobian group element adder
Doikov et al. Contracting proximal methods for smooth convex optimization
Comon et al. Identifiability of an X-rank decomposition of polynomial maps
Bertsimas et al. A new algebraic geometry algorithm for integer programming
Heath-Brown Counting rational points on algebraic varieties
CN103135989A (en) Callback function code generation method and device
Marco et al. Accurate polynomial interpolation by using the Bernstein basis
Shieh New resolution of finite fuzzy relation equations with max-min composition
US11157672B1 (en) System and method for determining hybrid-manufacturing process plans for integrated circuits based on satisfiability modulo difference logic solver
Acu et al. Composite Bernstein cubature
Cerna et al. Higher-Order Equational Pattern Anti-Unification [Preprint]
Cătinaş The bivariate Shepard operator of Bernoulli type
Du et al. The multiroute maximum flow problem revisited
Ziegler Gröbner bases and integer programming
Salahi et al. The complexity of self-regular proximity based infeasible IPMs
Brennan et al. Canonical degrees of Cohen-Macaulay Rings and Modules: a survey
González et al. Modular application of an integration by fractional expansion method to multiloop Feynman diagrams
Park et al. New block recombination for subquadratic space complexity polynomial multiplication based on overlap-free approach
Bläser et al. Complexity of the Bollobás–Riordan Polynomial. Exceptional Points and Uniform Reductions

Legal Events

Date Code Title Description
EEER Examination request
MKLA Lapsed