JP2006235291A - Device and program for generating public key - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a public key to be used for an enciphering system which is highly resistant to Shamir attack and low-density attack and which is deciphered at high speed. <P>SOLUTION: A secret vector t is used as the public key of knapsack encryption using secret numbers P, w, and two private key vectors v<SP>0</SP>, v<SP>1</SP>, and public key vectors a, b are obtained from a<SB>i</SB>=wv<SP>ti</SP><SB>i</SB>modP and b<SB>i</SB>=wv<SP>1-ti</SP><SB>i</SB>modP. Here, v<SP>0</SP>is the random number vector of positive integer and v<SP>1</SP>is a superincreasing vector. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a novel knapsack cryptosystem, and more particularly, to a public key generating apparatus and a program therefor used therefor.

Merkle and Hellman have proposed a knapsack cipher (MH cipher) as a public key cipher that can be encrypted only by a product-sum operation and can be decrypted only by magnitude judgment and subtraction (Non-Patent Document 1). In knapsack cryptography, the public key vector a is a = (a ₁ , a ₂ , a ₃ ,..., A _n ), and the plaintext vector m is m = (m ₁ , m ₂ , m ₃ ,..., M _n ). In this case, the ciphertext C is a ₁ m ₁₊ a ₂ m ₂₊ a ₃ m ₃₊ ... + A _n m _n = C (1)
Ask for. However, it is known that the MH cipher can be easily deciphered by Shamir's attack (Non-Patent Document 2) and low-density attacks (Non-Patent Documents 3 to 5).

In Shamir's attack, the public key vector a in knapsack cryptography is changed from a super-increasing vector v to a = wv modP (2)
By using that which is guided by. Here, v is a super-increasing vector, and when the sum from the first term to the i term is S _i ,
v _{i + 1} > S _i (3)
Where P is a large prime number
P> S _n (4)
Meet. W is a secret number.
w∈Z ^* _P (5)
Z ^* _P is a multiplicative group consisting of positive integers of 1 or more and less than P.

In Shamir's attack, a public key vector a = (a ₁ , a ₂ , a ₃ ,..., A _n ) is a positive integer pair (w ′, P ′) and A ′ = {a _i w ′ It is found that modP ′} has a super-increasing sequence and the sum of a _i w ′ is less than or equal to P ′. It is known that the obtained A ′, w ′, and P ′ do not need to match the original secret key, and the ciphertext C can be decrypted by using the super-increasing sequence A ′.

The low-density attack is effective for attacks on low-density knapsack cryptography. The density of knapsack encryption has various definitions. Here, the density ρ is set to ρ = n / (Log ₂ C _max ) (6) so that the density is evaluated relatively low.
Define in. Here, n is a block length of the plaintext, which is a dimension such as a super increase vector or a public key vector, and Cmax is a maximum value of the ciphertext for the plaintext of the block length n. It is known that a low-density attack can decrypt a ciphertext when the density ρ is less than 0.9408 (Non-patent Document 5).

The inventors can perform encryption and decryption of knapsack cryptography at high speed and are not based on prime factor problems, discrete logarithm problems, elliptic discrete logarithm problems, etc. The improvement has been advanced focusing on the advantages of (Non-patent Documents 6 and 7). For example, in Non-Patent Document 6, knapsack cryptography is densified using sequential precoding, two secret key vectors v ₀ , v ₁ and two public key vectors a ₀ , a ₁ .

The Non-Patent Document 7, by using a small modulo P than S _n, the density of the knapsack cryptographic one or more. In this case, it has been found that the modulus P and the secret number w do not necessarily have to be relatively prime, and that the secret key vector v can be decrypted even if it does not have a partial increase. In this specification, most of the components of the vector are superincreasing, but some components, for example, less than n / 4, preferably less than n / 8, What may not have is called a quasi-super-increasing vector.

However, as it is clear from many known attack methods, knapsack cryptography needs to be further secured.
RC Merkle, ME Hellman: “Hiding information and Signatures in trapdoor knapsacks,” IEEE, Trans. Inf. Theory, IT-24 (5), pp.525.530, 1978. A. Shamir: “A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystems,” Proc. Crypto'82, LNCS, pp. 279.288, Springer-Verlag, Berlin, 1982. EF Brickell: “Solving low density knapsacks,” Proc. Crypto'83, LNCS, pp. 25.37, Springer-Verlag, Berlin, 1984. JC Lagarias, AM Odlyzko: “Solving low density Subset Sum problems,” J. Assoc. Comp. Math., Vol.32, pp.229.246, Preliminary Version in Proc. 24th IEEE, 1985. MJ Coster, BA LaMacchia, AM Odlyzko, CP Schnorr: “An improved low-density subset sum algorithm,” Proc. Eurocrypto'91, LNCS, pp. 54.67. Springer-Verlag, Berlin, 1991. T. Hattori, Y. Murakami, and M. Kasahara, “Proposal of a few addition ciphers using precoding”, 2001 Proceedings of Symposium on Information Theory and Its Applications, pp.351-354, Dec.2001 Takeshi Nasako, Atsuko Yokoyama, and Yuji Murakami, “Proposal of High Density Method and Search Decryption Method by Reduction of Knapsack Cryptography” 2004 Proceedings of Symposium on Information Theory and Its Applications, pp.123-126, Dec.2004

  An object of the present invention is to provide a public key used for realizing an encryption system that is highly resistant to Shamir attacks and low-density attacks and that can be decrypted at high speed.

The present invention relates to a public key generating apparatus for knapsack encryption using secret numbers P and w and at least two secret key vectors v ⁰ and v ¹ (v ⁰ and v ¹ are n-dimensional vectors, respectively). , Using secret n-dimensional data t = (t ₁ , t ₂ ,..., T _n ), depending on t _i , ^{one of} v ⁰ _i and v ¹ _i is x _i and the other is x ^* _i Assuming that at least two n-dimensional public key vectors a and b are i = 1 to n, a = (a ₁ , a ₂ ,..., A _n ), b = (b ₁ , b ₂ ,. _n ))
a _i = wf _i (x _i ) modP (7)
_{^{b i = wg i (x *}} i) modP (8)
It is characterized by providing means for creating as follows.

Preferably, the public key vectors a and b and the reversible precoding H defined as a transformation satisfying the following expression are used as a public key for encrypting the plaintext vector m into the ciphertext C using C = ma + m ^* b. And
The order between precoding is set as i = 1 to n.
H = (H ₁ , H ₂ ,..., H _n ) (9)
m _i ^* = H _i (m ₁ , m ₂ ,..., m _i ) (10)
m _i = H _i (m ₁ , m ₂ ,..., m _i ^* ) (11)
i is a parameter that determines the order between precoding, and therefore the order at the time of decoding, and does not determine the order in the plaintext vector m.

Note that in other than reversible precoding, for example, sequential coding (sequential coding) used in Non-Patent Document 6, m _i = H _i (m ₁ , m ₂ ,..., M _i ^* ) does not hold for some _i ^. If something is used, decoding becomes difficult. In this _{case, m i = H i (m} 1, m 2, ..., m i *) for the part that is not established, needs to be decoded to estimate the _{m i} occurs.

For example, one of the secret key vectors v ⁰ and v ¹ is a random vector, and the other is a quasi-super-increasing vector defined by the following conditions. This is a secret key of a type that uses super-increasing properties, and is a development of the secret key of Non-Patent Document 1.
When v ¹ is a quasi-super-increasing vector, i + j = n + 1 and j = 1 to n of 3n / 4 or more, more preferably 7n / 8 or more of j,
The sum from 1 to _j−1 of both components of v ⁰ and v ¹ is defined as S _j−1 .
v ¹ _j > S _j−1 + v ⁰ _j (12)
(However, if you want to ^{v 1} and the quasi-super-increase _{^{vector, v 0 j> S j-}} 1 + v 1 j) (12 ')

The secret key vectors v ⁰ and v ¹ are, for example, that one component is an even number, the other component is an odd number, and f _i = 2 ⁱ⁻¹ x _i (13)
g _i = 2 ⁱ⁻¹ x ^* _i (14)
May be satisfied. However, one of x _i and x ^* _i is v ⁰ and the other is v ¹ . This is a secret key based on odd and even numbers (Non-Patent Document 6).

The present invention also provides a public key generation program for knapsack encryption using secret numbers P and w and at least two secret key vectors v ⁰ and v ¹ (v ⁰ and v ¹ are n-dimensional vectors, respectively). , Using secret n-dimensional data t = (t ₁ , t ₂ ,..., T _n ), one of v ⁰ _i and v ¹ _i is set to x _i and the other is set to x ^* according to t _i ^. _{For i} , at least two n-dimensional public key vectors a and b are for i = 1 to n.
a = (a ₁ , a ₂ ,..., a _n ), b = (b ₁ , b ₂ ,..., b _n ))
a _i = wf _i (x _i ) modP
_{^{b i = wg i (x *}} i) modP
It is characterized in that an instruction for creating as is provided.

  In this specification, the description related to the public key creation device also applies to the public key creation program as it is, while the description related to the public key creation program also applies to the public key creation device.

In the embodiment, the public key is determined so that it can be decrypted without estimating m and m ^*. However, as described in Non-Patent Document 7, in the knapsack encryption, the intermediate plaintext M is finally estimated while estimating a part of the plaintext. It can be decoded by selecting the one that becomes 0. For this reason, the conditions regarding the public key are gentler than those described in the embodiments. For example, in order to increase resistance to low density attacks, the method P can be made smaller than the embodiment. The case of reducing than the S _n P, although it is preferred that P and w are relatively prime, but not limited thereto. In the present invention, at least two secret vectors are used, and it is made secret by data t whether each component of the public key vectors a and b is derived from v ⁰ or v ¹ , thereby increasing the encryption strength. When the public key vector and the secret key vector are each two vectors, the data t is, for example, t∈ {0,1} ^n. However, when the public key vector and the secret key vector are each four vectors, for example, each of t The component is, for example, an element of S ₄ (fourth order symmetry group).

In the present invention, shuffling by t is performed between two public key vectors a and b and secret key vectors v ⁰ and v ¹ . Therefore, Shamir's attack using a super-increasing sequence is difficult unless an element corresponding to the super-increasing sequence can be extracted from the public key vectors a and b. Further, when compared with Non-Patent Document 6, there is no regularity such that the public key vector a is derived from an even component vector and b is derived from an odd component vector. Therefore, it is difficult to establish an attack using the super-increase or even-oddity of the secret key vector.

  In the present invention, since the encryption density can be 1 or more, it is difficult to establish a low-density attack. Moreover, in the present invention, a technique such as decoding while estimating plaintext is not necessary in principle. Therefore, it is possible to provide a public key for a cryptographic communication system that is secure and can be encrypted and decrypted at high speed.

In the present invention of claim 2, depending on t _i m _i, m _i ^* either is obtained during decoding, moreover either m _i, Which m _i ^* of the obtained at the decoding side is known. When used herein, the reversible precoding, m _i, can also be obtained other by any is obtained of m _i ^*, it is not necessary to estimate the value such as m _i at the time of decoding, the decoding is facilitated. Other functions and effects will become apparent from the examples.

  In the following, an optimum embodiment for carrying out the present invention will be shown.

  1 to 3 show an outline of the embodiment, and FIGS. 4 to 7 show details of the embodiment. 8 and 9 illustrate the encryption strength in the embodiment, and FIGS. 10 to 13 show modifications. 14 and 15 show modifications in which four secret key vectors and four public key vectors are provided. The description relating to the outline of the embodiment in FIGS. 1 to 3 also applies to each modification as it is.

  1 to 3, reference numeral 2 denotes an encryption communication device system, in which a plurality of encryption communication devices 4 and 6 are connected by an insecure communication path such as the Internet, and the encryption communication devices 4 and 6 are the same here, Hereinafter, for convenience of explanation, the encryption communication device 4 will be described. The cryptographic communication devices 4 and 6 use computer resources and are realized by hardware and software, and data handled is electronic data.

  A communication interface 10 serves as an interface with the Internet and the like, and the secret key storage unit 12 stores a secret key. The public key creation unit 14 creates and stores a public key from the secret key, and publishes the public key to the communication partner encryption communication device 6 via the Internet. The decryption unit 16 decrypts the received ciphertext C, and the encryption unit 18 encrypts the plaintext m.

  The cryptographic communication device 4 stores, for example, a key creation program 20, a decryption program 22, and an encryption program 24. The key creation program 20 includes a secret key creation command 30 and a public key creation command 32. The operations of these programs 20 to 24 and the instructions 30 and 32 are the same as those of the secret key storage unit 12 to the encryption unit 18.

FIG. 4 shows details of the secret key and the public key. The secret key vectors v ⁰ and v ¹ are n-dimensional vectors, v ⁰ is a random vector whose components are positive integers, and v ¹ is a super-increasing vector in the sense defined by (12). In FIG. 1 to FIG. 9, decoding is performed in descending order for i, and i corresponds to the variable j in the claims. i means the order of decoding in the increment vector or lossless precoding, and does not mean the order in the plaintext vector. If necessary, after the decryption in the embodiment, substitution between elements with a plaintext vector is performed to obtain a final plaintext. The sum of both components v ⁰ and v ^{1 from} 1 to _i−1 is S _i−1 .
v ¹ _i > S _i−1 + v ⁰ _i (12)
Note that which of v ⁰ and v ¹ is called a super-increasing vector and which is called a random number vector is merely a matter of terminology. Here, the bit length of each component of v ⁰ is set to r bits or less, and r is 64, for example. P is large numbers are preferred to S _n in prime, as shown in Non-patent Document 7 may be a number less than S _n, also not limited to a prime number. w is the number of secret, preferably a 1 to less than P, the case of P <S _n, and the P and w may have a common divisor. Further, as in Non-Patent Document 7, when decoding while estimating a part of the component of plaintext m, v ¹ may be a quasi-super-increasing vector, and 3n / 4 or more, preferably 7n / 8, of the component. It is sufficient that at least one piece satisfies the super-increasing property. t is a secret vector whose component is 0 or 1, for example, and each component is randomly selected as 0 or 1.

The public key consists of two vectors a and b (both are n-dimensional) and lossless precoding H, and each element of a and b is defined by (15) and (16). Here, v ^ti _i and v ^1-ti _i do not mean v _{i to} the ti power or (1-ti) power, but must be ^{one of} v ⁰ _i and v ¹ _i according to the value of ti. Means.
a _i = wv ^ti _i modP (15)
b _i = wv ^1−ti _i modP (16)
(15), (16) a, the original b are v Sadamari at ^0, v ¹ of either the original, and v ^0, v or is defined by ^one of either the original to be an impossible estimated random Means. Therefore, the definition of each element of a and b can be generalized as (7) and (8). Here, f _i and g _i are functions determined for each value of _i , where ^{one of} v ⁰ _i and v ¹ _i is x _i and the other is x ^* _i .
a _i = wf _i (x _i ) modP (7)
_{^{b i = wg i (x *}} i) modP (8)

H is a set of reversible precoding defined by (9) to (11), and is simply referred to as reversible precoding H or the like here. Here, i = 1 to n.
H = (H ₁ , H ₂ ,..., H _n ) (9)
m _i ^* = H _i (m ₁ , m ₂ ,..., m _i ) (10)
m _i = H _i (m ₁ , m ₂ ,..., m _i ^* ) (11)
However, as in Non-Patent Document 7, when decoding is performed while estimating the value of plaintext m, some elements of H, for example, less than n / 4 elements, preferably less than n / 8 elements, Does not have to be satisfied. Coding that satisfies (9) and (10) (it is not necessary to satisfy (11)) is called sequential precoding.

As an example of lossless precoding, there is one that satisfies (17) as shown in FIG.
H _i = H _i-1 (m ₁ , m ₂ ,..., M _{i- 1} ) (+) m _i (17)
Further, two precoding G ⁰ _i and G ¹ _i based on the Kian-Gray inverse transform shown in FIG. 5 are reversible precoding, respectively. The meaning of using reversible precoding will be described. For example, starting with i = 1 to decode sequentially until _i-1, m i _* depending on the value of the next ^ti, or m ⁱ is obtained. Here Whichever is obtained of m _i ^* and m ^i, to ensure that it is possible to obtain the m ⁱ is the role of the reversible precoding. Note the meaning of _m ^{i *} and ^{m i} is shown in FIG.

The encryption procedure is shown in FIG.
m ^* = H (m) (18)
As
C = ma + m ^* b (19)
Thus, the ciphertext C is obtained. The plaintext m is an n-dimensional vector, and the ciphertext C is obtained by adding the product-sum operation results of two public key vectors a and b and m and m ^* . The maximum value of the ciphertext C for the n-dimensional plaintext vector m is Cmax, and the cipher density ρ is defined by (6).
ρ = n / (Log ₂ C _max ) (6)

FIG. 7 shows a decoding algorithm. The intermediate plaintext M is obtained by (20) in accordance with the knapsack cryptography. When (P, w) = p> 1, P / p is used instead of P so that the inverse element of (w / p) in the multiplicative ring modulo P / p is w ^−1. And good.
M = w ⁻¹ C modP (20)

Then using the excess increase of the ^{v 1,} and 1 _m ^{i ti} with M ≧ ^v _{1 i.} Since the value of ti is known, m ¹ _i or m ⁰ _i is determined from this, and since H is lossless precoding, both m ¹ _i and m ⁰ _i are obtained. This procedure is executed from i = n to i = 1, and whether the decoding is correct or not can be finally checked by checking whether M = 0 holds.

FIG. 8 schematically shows the encryption density ρ in the embodiment. In Non-Patent Document 1 knapsack cipher, for the super-increasing property and P> S _n of secret key vector v, Log ₂ Cmax is greater than n, the low-density attack is established. In the density evaluation regarding the low density attack, in the embodiment, the numerator of the density ρ is 2n instead of n, and ρ ≧ 1 is established. For example, if each ^element of v ⁰ is about 64 bits and n is 128, each element of v ¹ can be set to 64 bits or more and about 191 bits. Therefore, P can be set to about 192 bits, and the density ρ can be set to about 1.3, for example. For this reason, low density attacks are generally not possible.

Fig. 9 shows the resistance to Shamir attacks. In the embodiment, {a _i }, {b _i } are not derived from the super-increasing sequence due to the shuffling by t. So Shamir's attack is basically not possible. If tε {0,1} ⁿ is known, Shamir's attack is possible, but it is extremely difficult to estimate a vector t in which 0 and 1 are arranged at random. Therefore, Shamir attacks are extremely difficult.

FIG. 10 to FIG. 13 show modifications in which the even component vector v ⁰ and the odd component vector v ¹ are used as secret key vectors. As specific examples of (13) and (14), intermediate secret keys b ⁰ and b ¹ are determined by (21) and (22). Further, according to FIG. 10, a secret number P and a secret number w which are preferably prime numbers are determined. Next, a public key vector a ⁰ (corresponding to b in the embodiment) and a public key vector a ¹ (corresponding to a in the embodiment) are determined according to FIG. Similarly to the embodiment, a reversible precoding H is determined and used as a public key.
b ⁰ _i = 2 ^i-1 v ⁰ _i (21)
b ¹ _i = 2 ^i-1 v ¹ _i (22)

When encryption is performed as shown in FIG. 12, the intermediate plaintext M can be decrypted as shown in FIG. 13 in order from the first bit of the plaintext m to the nth bit. For example, when i = 1, M is an odd number. When t1 = 1, b ¹ ₁ defines a ¹ ₁ and therefore m ¹ ₁ (the first component of the plaintext vector m) is 1. Here, when t1 = 0, b ¹ ₁ defines a ⁰ _1, and therefore m ⁰ ₁ (the first component of m ^* = H (m)) is 1. Each time processing for one i is completed, the remainder is halved and the next i is processed. When processing for i = n is completed, M = 0 should be obtained. Note that m = (m ¹ ₁ , m ¹ ₂ ,..., M ¹ _n ) and m ^* = (m ⁰ ₁ , m ⁰ ₂ ,..., M ⁰ _n ).

Even in this modification, the encryption density can be 1 or more. In addition, shuffle is performed using a secret vector t so that the use of the even-component vector v ⁰ and the odd-component vector v ¹ does not give a clue to decoding.

FIG. 14 and FIG. 15 show examples using four secret key vectors v ^{0 to} v ³ and four public key vectors a ^{0 to} a ³ . A secret n-dimensional vector t is determined in which each component is a compatible ti of (0, 1, 2, 3). By changing the order of v ⁰ _i to v ³ _i by using the i-th component ti of t, public key vectors a ^{0 to} a ³ are determined corresponding to a ⁰ _{i to} a ³ _i . Further, for example, v ³ and v ¹ are super-increasing vectors in the meaning of FIG. The plaintext vector m is converted into two plaintext vectors m ¹ and m ³ by reversible transformation F, and the plaintext vector m ⁰ and m ² is determined by two lossless precoding H ₁ and H ₂ . And it encrypts like the lower part of FIG.

In decryption, the intermediate plaintext M is obtained as shown in FIG. 15, and decrypted in the order from the highest i = n to i = 1. For example, if i = n and M ≧ v ³ _n , the compatible t _n is known, so the term corresponding to v ³ _n is determined by one of m ⁰ _{n to} m ³ _n . The other one of m ⁰ _{n to} m ³ _n is determined by reversible precoding H ₁ or H ₂ . Next, the terms corresponding to two known components in m ⁰ _{n to} m ³ _n are subtracted in the same manner as in FIG. Based on whether M after subtraction is M ≧ v ¹ _n , a term corresponding to one v ¹ _n of the remaining two components is obtained, and the last term is obtained by using the property of lossless precoding. Note that various encryption procedures and decryption procedures other than those shown in FIGS. 14 and 15 are possible when using the four secret key vectors and the public key vector.

In the embodiment, encryption and decryption can be performed at high speed, the security of knapsack cryptography can be maintained even if the quantum computer is put into practical use in the future, and the attacks against Shamir attacks and low density attacks are maintained. It is possible to provide a public key cryptosystem with increased durability, and to provide a public key creation device, a creation program, a creation method, and the like.

Block diagram of the cryptographic communication system of the embodiment Block diagram of encryption communication apparatus of embodiment Block diagram of the key creation program in the embodiment The figure which shows the private key and public key in an Example The figure which shows the reversible precoding used in the Example The figure which shows the encryption algorithm in an Example The figure which shows the decoding algorithm in an Example The figure which shows the density of a ciphertext in an Example (left side) and the conventional example (right side) of MH system Diagram showing resistance to Shamir attacks in the example Diagram showing the secret key creation algorithm used in the variation The figure which shows the creation algorithm of the public key in the modification The figure which shows the encryption algorithm in the modification The figure which shows the decoding algorithm in a modification Four private key vectors ^{v 0, v 1, v} diagram showing an outline of modification with ^{2, v 3} The figure which shows the decoding algorithm in the modification of FIG.

Explanation of symbols

2 Cryptographic Communication Systems 4 and 6 Cryptographic Communication Device 10 Communication Interface 12 Secret Key Storage Unit 14 Public Key Creation Unit 16 Decryption Unit 18 Encryption Unit 20 Key Creation Program 22 Decryption Program 24 Encryption Program 30 Secret Key Creation Instruction 32 Public Key Creation order

Claims (8)

In a public key generating apparatus for knapsack encryption using secret numbers P and w and at least two secret key vectors v ⁰ and v ¹ (v ⁰ and v ¹ are n-dimensional vectors, respectively)
Using secret n-dimensional data t = (t ₁ , t ₂ ,..., T _n ), one of v ⁰ _i and v ¹ _i is set to x _i and the other is set to x ^* _i according to t _i. ,
For at least two n-dimensional public key vectors a and b for i = 1 to n,
a = (a ₁ , a ₂ ,..., a _n ), b = (b ₁ , b ₂ ,..., b _n ))
a _i = wf _i (x _i ) modP
_{^{b i = wg i (x *}} i) modP
A public key creating apparatus, characterized in that means for creating a public key is provided. The public key vectors a and b and the reversible precoding H defined as a transformation satisfying the following expression are used as public keys for encrypting the plaintext vector m into the ciphertext C by C = ma + m ^* b. The public key generation apparatus according to claim 1, wherein
The order between precoding is set as i = 1 to n.
H = (H ₁ , H ₂ ,..., H _n )
m _i ^* = H _i (m ₁ , m ₂ ,..., m _i )
m _i = H _i (m ₁ , m ₂ ,..., m _i ^* ) 3. The public key generating apparatus according to claim 1, wherein one of the secret key vectors v ⁰ and v ¹ is a random vector, and the other is a quasi-super-increasing vector defined by the following conditions.
When v ¹ is a quasi-super-increasing vector, i + j = n + 1 and j = 1 to n of 3n / 4 or more j,
The sum of both components v ⁰ and v ^{1 from} 1 to _j−1 is S _j−1 , and v ¹ _j > S _j−1 + v ⁰ _j
(However, if you want to ^{v 1} and the quasi-super-increase _{^{vector, v 0 j> S j-}} 1 + v 1 j) Each component of the secret key vector v ⁰ , v ¹ is an even number, the other component is an odd number, and f _i = 2 ⁱ⁻¹ x _i
g _i = 2 ⁱ⁻¹ x ^* _i
The public key creation device according to claim 1 or 2, characterized in that In a program for creating a public key for knapsack cryptography using secret numbers P and w and at least two secret key vectors v ⁰ and v ¹ (v ⁰ and v ¹ are each an n-dimensional vector),
Using secret n-dimensional data t = (t ₁ , t ₂ ,..., T _n ), one of v ⁰ _i and v ¹ _i is set to x _i and the other is set to x ^* _i according to t _i. ,
For at least two n-dimensional public key vectors a and b for i = 1 to n,
a = (a ₁ , a ₂ ,..., a _n ), b = (b ₁ , b ₂ ,..., b _n ))
a _i = wf _i (x _i ) modP
_{^{b i = wg i (x *}} i) modP
A public key creation program, characterized in that an instruction for creating a public key is provided. The public key vectors a and b and the reversible precoding H defined as a transformation satisfying the following expression are used as public keys for encrypting the plaintext vector m into the ciphertext C by C = ma + m ^* b. The public key creation program according to claim 5, wherein:
The order between precoding is set as i = 1 to n.
H = (H ₁ , H ₂ ,..., H _n )
m _i ^* = H _i (m ₁ , m ₂ ,..., m _i )
m _i = H _i (m ₁ , m ₂ ,..., m _i ^* ) The public key creation program according to claim 5 or 6, wherein one of the secret key vectors v ⁰ and v ¹ is a random vector, and the other is a quasi-super-increasing vector defined by the following conditions.
When v ¹ is a quasi-super-increasing vector, i + j = n + 1 and j = 1 to n of 3n / 4 or more j,
The sum of both components v ⁰ and v ^{1 from} 1 to _j−1 is S _j−1 , and v ¹ _j > S _j−1 + v ⁰ _j
(However, if you want to ^{v 1} and the quasi-super-increase _{^{vector, v 0 j> S j-}} 1 + v 1 j) Each component of the secret key vector v ⁰ , v ¹ is an even number, the other component is an odd number, and f _i = 2 ⁱ⁻¹ x _i
g _i = 2 ⁱ⁻¹ x ^* _i
The public key creation program according to claim 5 or 6, characterized in that:

Images