JP2002215024A - Knapsack type public key cryptographic system, public key generation method and device therefor, and program and recording medium therefor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To accelerate processing speed. SOLUTION: Elements Pij (i=1 to n) are generated from an integer ring OK of an algebraic number field K, from which prime ideals p1 to ph, generators gj (j=1 to h) of OK/pj (except zero), and pj are removed, in accordance with the integer ring OK of the field K and integers n, k, and h (101), and aij satisfying pij=gjaijmodpj is calculated (103), and p=p1.p2.....ph is obtained (102), and g=(g1 to gh) and ai=(ai1 to aih) are synthesized by a Chinese remainder theorem to generate an integer d, and hi=(ai+)mod(N(P)-2) (N(P) is the norm of P) is calculated to obtain a public key bi.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a knapsack type public key cryptosystem, a method and apparatus for generating the public key, a program thereof, and a recording medium thereof.

[0002]

2. Description of the Related Art Public key cryptosystems are categorized by their security concerns. Examples of such problems include a prime factorization problem, a discrete logarithm problem, and a knapsack problem. Among these problems, Markle-He is a public key cryptosystem that uses the knapsack problem as a source of security.
There are llmar ciphers and Chor-Rivest ciphers, and there have been reports of successful attacks on any of them. It is known that the operation speed in these key generation processes is very slow.

[0003]

SUMMARY OF THE INVENTION It is an object of the present invention to provide a new public key cryptosystem which uses the knapsack problem as a source of security, is difficult to decipher, and has a high processing speed including key generation processing. An object of the present invention is to provide a public key generation method and a device thereof.

[0004]

According to the present invention, a random number p
_ij(I = 1,..., N, j = 1,..., H) and a random number g_i,
p _jFor p_ij≡g_j ^aij(Modp_jA)_ijCalculate
Then a_i= (A_i1, ..., a_{i h}) Using the Chinese Remainder Theorem
Calculation and recovery of the discrete logarithm performed in the key generation process.
Signal processing speeds up. That is, conventionally, p_i= G_i ^ai
A that satisfies (modi)_i Was calculated directly because
It takes a long time to calculate and a_i The shorter the
It becomes weak.

Further, the security of the system is enhanced by converting a plaintext of length [log _n C _k ] into a binary sequence having a length n and a Hamming weight k.

[0006]

DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of a public key cryptosystem used in the present invention will be described with reference to the drawings. This system includes a key generation device, an encryption device, and a decryption device. Key generation apparatus :( Figure 1) K algebraic body, O _K of K integers ring, n, k, and h is an integer to. n is an number of articles of the ring of integers O _K, a large value, e.g. 1000, k is for example about 200, h is, for example, about 10. n and k are made public.

FIG. 1 shows an embodiment of a public key generation device according to the present invention. K, O _K , n, k, and h are input from an input unit 100 such as a keyboard, and these values are temporarily stored in a storage unit 110, and then are extracted and input to a random number generator 101. The random number generator 101 h number of prime ideals p ₁ of O _K, ..., a p _h against 1 <j <h the full to each j, the group of (O _K / p _j) (except for zero) The generation element g _j , that is, g ₁ ,..., G _h is defined as an element p from O _K / p _j excluding p _j for each i, j satisfying 1 < i < n, 1 < j < h. _ij, in other words _{p 11, ..., p 1h,} p 21, ..., p 2h, ......,
p _n1, ..., to generate a p _nh.

[0008] prime ideal p _1, ..., p _h multipliers 102 is input to these AND p = p _1, ... p _h is obtained. The _{p 1, ..., p h1,} g 1, ..., g h, p 11, ..., p 1h, p 21,
, P _2h ,..., _Pn1 ... _Pnh are input to the discrete logarithmic calculator 103, and p _ij ≡g _j for each i, j satisfying 1 < i < n, 1 < j < h. _{^{aij (modp j) ... (1}} ) a ij that satisfies is calculated.

Further, g ₁ ,..., G _h , a _ij (i = 1,
, N, j = 1, 2,..., H) are input to the synthesizer 104 according to the Chinese remainder theorem, and for each i satisfying 1 < i < n, g = (g ₁ ,. _{, g h) a i = (} a i1, ..., g that satisfies _{a ih), a 1, ...} , a n is calculated. Random number generator 1
05, an integer d is generated, and d, a _i , and p are input to the adder 106, and for each i satisfying 1 < i < n, b _i = (a _i + d) mod (N (p) -2) ... (2 ) is calculated and finally the public key b _1, ..., b _n are output,
Be published. p, p _ij , and g are secret keys, which are secretly stored in the storage unit 110 together with the random number d. The integer d may be, for example, about 0 to N (p) -1 or more, and d may be generated from the random number generator 101. Encryption :( Figure 2) the cryptographic unit in the storage unit 200 as shown in FIG. 2, public information n, k, the public key b _1, ..., b _n are stored. The length of the input plaintext M is [log _n C _k ]. log is about 2, _n C _k is the number of combinations for extracting k from n, and [A] is A
Represents the minimum integer above.

The plaintext M is converted by the plaintext converter 201 into a Hamm
n-bit binary sequence m with ing weight k (the number of 1s is k)
= (M ₁ , m ₂ ,..., _Mn ). This conversion performs the following from i = 1 to n, for example, where k is k. If M> _ni C _q, and 1 m _i, M- _ni C
The _q-1 is M, the q-1 and q, M> unless _ni C _q, the m _i and 0. However q> 0 to the _q C ₀ = _0, and q> 1 to ₀ C _q = _0. This binary sequence m,
The public key b _i is input to the adder 202, and c = Σ _{i = 1} ⁿ m _i b _i ... calculation of (3) is performed, the ciphertext c is output. Decoding process (FIG. 3) FIG. 3 shows a decoding device. The storage unit 300 stores p, p _ij , p
_j , g, k, and d are stored. Entered cipher text c
, K, d, and p are input to the subtractor 301, and r = (c−kd) mod (N (p) −2) (4) N (p) calculates the norm of p. The calculation results r, g, and p are input to the power calculator 302, and u = g ^r mod p (5) is calculated. The calculation result u and p _i , j, and p _j are input to the inspection device 303, and the inspection device 303 outputs Ham with the length n.
A binary sequence m = (m ₁ ,..., m _n ) having a ming weight k is given by
For each j satisfying 1 < j < n, p _ij is u mod p _j
Is divisible by m ₁ = 1, otherwise m _i =
It is set to 0. Thus, the binary sequence m is decoded. The decoded binary string m is transmitted to the intermediate decrypted text converter 304 by n,
Input together with k, m = (m ₁ ,..., m _n ) is converted into plaintext M, and decrypted plaintext M is output. In this conversion, for example, M is set to 0, q is set to h, and the following is performed from i = 1 to n.

If _mi is 1, M + _pi C _{q is set} to M, and q
Let -1 be q. By substituting equation (4) into equation (5), u≡g ^c−hd mod p... (6), and from equation (3), the exponent of g is Σ _{i = 1} ⁿ m _i b _i −k d, and from equation (2), b _i = (a _i + d), and since k in the binary sequence m are 1, the index of g is Σ _{i = 1} ⁿ a m _i b _i mod p. By substituting this exponent into equation (5) and transforming it into the form of a product of exponents, u≡Πi _{= 1} ⁿ (g ^ai ) ^mi mod p. From the relationship of equation (1), u≡Π _{i = 1} ⁿ p _i ^mi . Therefore, if u _ij is divisible by p _ij , then m _i = 1; otherwise, m _i = 0, and the binary sequence m is decoded.

The public key generation device shown in FIG. 1, the encryption device shown in FIG. 2, and the decryption device shown in FIG. 3 can be operated by causing a computer to execute a program. That is, for example, the public key generation device causes the computer to execute the public key generation program by using a computer including an input unit, an output unit, a storage unit 110, a program memory storing a public key generation program, a CPU (microprocessor), and the like. Public key g _i
Can also be generated.

[0013]

According to the present invention, in the key generation processing,
Using Chinese Remainder Theorem for Calculation of Discrete Logarithm
It is faster. In addition, we use the Chinese surplus theorem.
This speeds up the decoding process. In other words,
A₁, ..., a_nIs directly calculated by the discrete logarithm calculation of equation (1).
I was asking. For example, if h is 10, a_iIs 100 and
It is very long to find such a large index.
It takes a long time. Therefore a_iIf the value of
It is easy to be done. However, according to the present invention, a_ij
Because it is divided into _ijIs, for example, about ten,
Relatively easily a_ijAnd can also ask for Chinese
According to the remainder theorem, a_i= (A_i1, ..., a_ihRelatively easy
And speed up as a whole.
And can be strong against attacks.

In the encryption process and the decryption process, the length [l
og ( _k ⁿ )] into a binary string of length n and Hamming weight k, it is possible to sufficiently increase the density, which is an indicator of the security of the knapsack cipher, and therefore, from the plain text It can withstand low-density attacks that directly search for ciphertext.

[Brief description of the drawings]

FIG. 1 is a diagram showing an example of a functional configuration of a public key generation device in a system of the present invention.

FIG. 2 is a diagram showing a functional configuration example of an encryption device in the system of the present invention.

FIG. 3 is a diagram showing an example of a functional configuration of a decoding device in the system of the present invention.

Claims (5)

[Claims] 1. An algebraic field K, an integer ring O of K_K, The integer n,
k and h are input and O_kH elementary ideals p₁, ..., p_hAnd generate p₁, ..., p_hTo obtain p, and 1<j<For each j that satisfies h, the group O_K/ P_j(But
The origin g of 0) _jGenerates 1<i<n, 1<j<For each i, j that satisfies h, p_j
O excluding_KEx p from_ijGenerates 1<i<n, 1<j<For each i, j that satisfies h, p_ij
≡g_j ^aij(Mod p_jA)_ijG = (g₁,…, G_h) A_i= (A_i1,…, A_ihG, a that satisfies₁, ..., a_n, Generate an integer random number d, and 1<i<For each i that satisfies n, b_i= (A_i+ D) mo
d (N (p) -2) (N (p) represents the norm of p)
To calculate the public key b_iAnd make p and g private keys
Public key generator and length [log_nC_k] Is input, and (_nC_kIs n
[A] is the smallest number greater than A
Integer) integer k and public key b_iAnd M are Hamming with length n
(Humming) Binary sequence m = (m₁, M_Two,
…, M_n), And the ciphertext c = Σ_{i = 1} ⁿm_ib_iEncryptor that generates and outputs
And k, d and secret keys p, g, and the ciphertext c is input, and r = (c−kd) mod (N (p) −
2), and u = g^rmodp, a binary sequence m = (m having length n and Hamming weight k
₁,…, M_n) To 1<j<For each j that satisfies n, p
_ijBut umodp_jM if divisible by_i= 1 and so
M if not_i= 0, and a decoder that converts the m into a plaintext M
Knapsack type public key cryptosystem. 2. A public key generation method for knapsack type public key cryptography, wherein an integer ring of algebraic fields K and K is O _K , n, k and h are integers, and h prime ideals p of O _K are provided. _1, ..., a p _h generated from a random number generator, generated from 1 <j <for fully to each j a h, a random number generator to generate original g _j of the group O _K / p _j (but not including 0) and, 1 <i <n, 1 < original p _ij generated from the random number generator from the i, O _K, excluding the p _j for j satisfying j <h respectively, 1 <i <n, 1 < j For each i, j that satisfies < h, a _ij that satisfies p _ij ≡g _j ^aij (modp _j ) is calculated by the arithmetic means, and g = (g ₁ ,..., G _{h) a i = (a i1} , ..., a ih) the full to g, a _1, ..., obtained by calculation means a _n, generated from the random number generator the integer d, 1 <i < For full to each i the _{b i = (a i + d} ) mod
(N (p) -2) is calculated by the calculating means, and the public key b _{i is} calculated.
A knapsack-type public key generation method characterized by obtaining 3. An integer ring of an algebraic field K is represented by O _K, and n, k,
The h is an _{integer, K, O K, n,} k, h is input, h pieces of prime ideals p ₁ of O _K, ..., with respect to p _h and, 1 <j <fully to each j and h,
The generator g _{j of the} group O _K / p _j (except 0) and 1 <
i <n, 1 <j <against each Mitsurusu ij h, p _j
The original p _ij from O _K excluding a random number generator for generating the integer d, 1 <i <n, 1 <j <p ij for full to each ij a h, g
_i , p _j are input, a discrete logarithm calculation amount for calculating and outputting a _ij ^satisfying p _ij ≡g _j ^aij mod p _j , and g _i (i = 1,..., h), a _ij (i = 1, ..., n, j = 1,
..., h) is input, and g = (g
_{1, ..., g h),} a i = (a i1, ..., and Chinese remainder theorem combiner for calculating a _ih), respectively, d and _{a i (i = 1, ...} , n), N (p) Is input and (N
(P) denotes the norm of _{p) b i = (a i} + d) mod (N (p) -2) and calculates the public key _{b i (i = 1, ...} , an adder to obtain a n) A knapsack type public key generation device provided. 4. A computer for generating a public key of a knapsack-type public key cryptosystem, wherein a computer is an algebraic field K, an integer ring of _K is O _K , n, k, h are integers, and h prime elements of O _K are used. Means for generating ideals p ₁ ,..., _Ph by random numbers; for each j satisfying 1 < j < h, generate generator g _j of group O _K / p _j (but not including 0) by random numbers means, 1 <i <n, 1 <j < respective i satisfying each h, means for generating a random number to the original p _ij from O _K excluding the p _j for j, 1 <i <n, 1 <j < fully to the h respectively ^{_{i, p ij ≡g j aij (}} modp j) means for calculating a full to a _ij About j, by synthesis by the Chinese remainder _{theorem, g = (g 1, ...} , g h) a _{i = (a i1, ...,} a ih) the full to g, a _1, ..., means for calculating the a _n, means for generating a random number integer d, 1 i <public key for each full to the _{n i b i = (a i} +
d) A means for calculating mod (N (p) -2). A knapsack-type public key generation program for functioning as 5. A computer for generating a public key of a knapsack type public key cryptosystem, wherein a computer is an algebraic field K, an integer ring of _K is O _K , n, k, h are integers, and h prime elements of O _K are provided. Means for generating ideals p ₁ ,..., _Ph by random numbers; for each j satisfying 1 < j < h, generate generator g _j of group O _K / p _j (but not including 0) by random numbers means, 1 <i <n, 1 <j < respective i satisfying each h, means for generating a random number to the original p _ij from O _K excluding the p _j for j, 1 <i <n, 1 <j < fully to the h respectively ^{_{i, p ij ≡g j aij (}} modp j) means for calculating a full to a _ij About j, by synthesis by the Chinese remainder _{theorem, g = (g 1, ...} , g h) a _{i = (a i1, ...,} a ih) the full to g, a _1, ..., means for calculating the a _n, means for generating a random number integer d, 1 i <public key for each full to the _{n i b i = (a i} +
d) A computer-readable recording medium that records a knapsack-type public key generation program for functioning as a means for calculating mod (N (p) -2).